AIS blocks this URL... FP maybe?

Hi :wink:

AIS blocks this URL: hxxp://www.google.com/imgres?imgurl=http://wrfava.bay.livefilestore.com/y1ptdfExWs8MHZxF-ItYDtphSLG8AulO3AUyqIZYWYt52QBlF53thS6BoLgaGT6eZxJ--XplArwm4w&imgrefurl=http://randgbookkeeping.com/.cache/%3Fp%3Dlazy-town-girl&usg=__CtlaXi90O2h5ZOcrnhcgi6xH8b4=&h=400&w=267&sz=40&hl=en&start=0&zoom=1&tbnid=5WVWtiZW6dR9UM:&tbnh=151&tbnw=100&ei=9ApPTYStONGeOqGgvNcP&prev=/images%3Fq%3Dlazy%2Btown%2Bgirl%26um%3D1%26hl%3Den%26sa%3DX%26biw%3D1280%26bih%3D814%26tbs%3Disch:1&um=1&itbs=1&iact=rc&dur=1003&oei=9ApPTYStONGeOqGgvNcP&esq=1&page=1&ndsp=28&ved=1t:429,r:3,s:0&tx=55&ty=59

Threat:JS:ScriptIP-inf [Trj]

Only Avast and GData detect this URL as a threat: http://www.virustotal.com/file-scan/report.html?id=901e159b18a4f571a0e47998b034ebe2fab2cbca261a24bf7f2d1bce47850d56-1297026337

FP maybe or not?

Thank you. Best regards

Hello,
This is a correct detection; there is a redirect to a site with a FakeAV.

Thank you for your answer. :wink:

Have a nice day. Good day :slight_smile:

VirusTotal - AntiSpyWareSetup.exe - 7/43
http://www.virustotal.com/file-scan/report.html?id=9e0b0c8e45cb4d03a5d4eb87ae460bc3c2bee0c6d3d0ca10a017bd9b4062b747-1297079947

Ahh…my PC is infected ahhhh run away…

…wait, this is Linux, where did the Windows filesystem come from ;D ;D ;D

Right now, I have flashing icons on supposed infected disc drives…

All joking aside, glad that avast blocks the site.

Interestingly, the downloaded file that this website throws at you repeatedly is different from the one that pondus has scanned…I suppose this highlights the problems when trying to add detections of fake AVs, since the ones sent out change.

Since the file is different to the one scanned by pondus (VT link), I would suggest watching the site for all files that come from it…

Will be sent to avast from the chest.

Scott

LoL…well that was amusing…except the part where I almost spit coffee on my keyboard from laughing ;D

Scott, I really hope you didn't download this FakeAV just because I asked “Does this URL contain a virus or not”.

Bye. Best regards :wink:

I only did it in a Linux virtual machine, and was looking to submit the file to avast.

The only problem now is that my iPod is infected as well, apparently ;D ;D ;D

Since the file is different to the one scanned by pondus (VT link), I would suggest watching the site for all files that come from it...

Tested 10 samples from that URL, and they all got the same MD5 as the sample scanned by spgSCOTT.

So if the MD5 changes…how often?

That is interesting, I assumed that it would throw out different ones…maybe it is simply when they upload newer versions…

Or the change is once a day? Will try a new sample tomorrow :wink:

New sample and new MD5 this morning.

VirusTotal - MD5 : 720f0627ab1725c93820547df283f45c
http://www.virustotal.com/file-scan/report.html?id=01304a49a3b65a29c1edf021667c4eb33ec1a11cf246af89b5208de7242f95c7-1297147977

Hi :wink:

The Avast lab team added detection for AntSpyWareSetup.exe; now AIS detects this FakeAV as Win32:Rootkit-gen [Rtk].

Thank you, Avast team/lab team.

Bye. Good day :slight_smile:

Has Avast found the virus yet?

Yes.

The link is still alive, and there is a new MD5 again.

VirusTotal - MD5 : f3ee395b4be13739a874d55e8760a51c
http://www.virustotal.com/file-scan/report.html?id=9178902ed296b22dabc26e81c3997ce0e214f43fc0017d8e4c43d5189ab060f4-1297190070

http://www.virustotal.com/file-scan/report.html?id=9178902ed296b22dabc26e81c3997ce0e214f43fc0017d8e4c43d5189ab060f4-1297240345

This link says Avast still doesn't find it,

this one Avast finds; that means a different MD5 hash.