Another fake-av site detected.

Hi malware fighters,

Another fake av site detected: versusspywareguard.com
Threat Name: HTTP Fake Antivirus WebPage Request 2
Location: htxp://6de46b37e.versusspywareguard.com/stream1/cacnpr/fhlcnalhnd/fcllfmfhdl.html

Threat Name: HTTP Fake Antivirus WebPage Request 2
Location: htxp://0639945.versusspywareguard.com/stream1/cafm/phddqcmrcc/fcllfmfral.html

Another source to look at from secubox labs: http://internetpol.fr/mw/

polonus
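The reports in this thread all share one shape: a "Threat Name:" line followed by a "Location:" line whose URL has a defanged scheme (htxp, hxtp). The following Python is an added example, not code from the thread or from any of the scanners it quotes: it parses that report format, restores the scheme only for the purpose of URL parsing, pulls out the host, path and the search keyword the redirector scripts key on, and emits a re-defanged host blocklist. The sample text is copied from entries posted in this thread.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Sample report text, copied from entries in the thread (the lines keep the
# thread's defanged "htxp"/"hxtp" schemes exactly as posted).
SAMPLE_REPORT = """\
Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://rodaco.org/vlruf.php?pageid=april%20fools%20day%20history

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://rodaco.org/vlruf.php?pageid=auhsd

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://angrystot.com/press/?showc=7+11+locator

Threat Name: Trojan.FakeAV
Location: htxp://trafok.in/modulesetup70700.exe
"""

# Any four-letter scheme starting with "h" and ending in "p" (htxp, hxtp, hxxp,
# and plain http), optionally followed by "s", is treated as a defanged http/https.
DEFANGED_SCHEME = re.compile(r'^h[a-z]{2}p(s?)://', re.IGNORECASE)
REPORT_LINE = re.compile(r'^(Threat Name|Location):\s*(.+?)\s*$')


def refang(url):
    """Restore a defanged scheme to http/https; everything after :// is untouched."""
    m = DEFANGED_SCHEME.match(url)
    if not m:
        return url
    scheme = 'https' if m.group(1) else 'http'
    return scheme + '://' + url[m.end():]


def defang_host(host):
    """Write a hostname in the share-safe form used on blocklists (dots bracketed)."""
    return host.replace('.', '[.]')


def parse_report(text):
    """Pair each 'Threat Name:' line with the 'Location:' line that follows it.

    Returns a list of dicts holding the threat label, the parsed URL, host, path
    and the first query value (the search term the redirector scripts key on,
    or None when the URL carries no query string)."""
    records, pending_threat = [], None
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if not m:
            continue
        field, value = m.groups()
        if field == 'Threat Name':
            pending_threat = value
        elif pending_threat is not None:
            parts = urlsplit(refang(value))
            query = parse_qs(parts.query)          # decodes %20 and '+' for us
            keyword = next((v[0] for v in query.values()), None)
            records.append({
                'threat': pending_threat,
                'url': parts.geturl(),
                'host': parts.hostname,
                'path': parts.path,
                'keyword': keyword,
            })
            pending_threat = None
    return records


def hosts_by_count(records):
    """Hits per host, most frequent first."""
    return Counter(r['host'] for r in records).most_common()


def blocklist(records):
    """Sorted, deduplicated, defanged host list for sharing."""
    return sorted({defang_host(r['host']) for r in records})


if __name__ == '__main__':
    recs = parse_report(SAMPLE_REPORT)
    for r in recs:
        print(r['threat'], defang_host(r['host']), r['path'], r['keyword'])
    print(hosts_by_count(recs))
    print(blocklist(recs))
```

The scheme regex is deliberately loose because the thread itself is inconsistent (htxp in one line, hxtp in the next); matching on the shape rather than one spelling keeps the parser from silently dropping entries. Keep the output defanged when pasting it anywhere a client might auto-link it.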

Hi malware fighters,

Another fake av site: rodaco.org
Domain Hash 94f43071befdbcaf02482e09e2a7a3ef
IP Address 66.96.131.89 [SCAN]
IP Hostname 89.131.96.66.static.eigbox.net
IP Country US (United States)
AS Number 29873
AS Name BIZLAND-SD - The Endurance International Group

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://rodaco.org/vlruf.php?pageid=april%20fools%20day%20history

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://rodaco.org/vlruf.php?pageid=auhsd

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://rodaco.org/vlruf.php?pageid=cesar%20chavez%20biography

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://rodaco.org/vlruf.php?pageid=fledgling%20foundation

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://rodaco.org/vlruf.php?pageid=siohvaughn%20wade%20std

polonus

Hi malware fighters,

And another one of the fake av drive-by-downloads detected here:

Threats found: 6
Here is a complete list:
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://angrystot.com/press/?showc=7+11+locator

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://angrystot.com/press/?showc=anthony+morrow

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://angrystot.com/press/?showc=dani+jarque

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://angrystot.com/press/?showc=dream+15

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://angrystot.com/press/?showc=flugtag

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://angrystot.com/press/?showc=gary+air+show

polonus

Hi malware fighters,

Another one from Moldova:
Threats found: 58
Here is a sample of them:
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=baby-shower-4u.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=bluehillsmoto.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=comnicity.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=donsrcmodels.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=earlsauction.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=helix-x.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=kalpulli.org&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=kwzone.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3D%EF%BB%BFThe%2BTwilight%2BSaga%3A%2BEclipse

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=kwzone.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Declipse%2Bpremiere

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://lariska12.osa.pl/in.php?t=cc&d=30-06-2010_t_0107_08&h=marylandvisiontherapy.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fnum%3D100%26sourceid%3Dchrome%26ie%3DUTF-8%26q%3Declipse%2Bpremiere

Virus

Threats found: 1 Analyzed this trojan further below…
Here is a complete list:
Threat Name: Downloader avast detects as Win32:Downloader-ECU now as Win32:Downloader-ECU [Trj]
Location: htxp://zhengshu.osa.pl/zhengshu/zhengshuw.exe (other file is zhengshu.exe)
Infected with Mal/Downldr-AL
After scanning, 0/6 antivirus products detected that zhengshuw[1].exe contains a virus, trojan or suspicious risk! … Is the content provided by the file encyclopedia not complete enough? Go to the forum now to discuss zhengshuw[1].exe >>
htxp://58.251.57.206/down?cid=3D228BFFBDF06C63A04E66BA3D14FB880FE1E892&t=2&fmt=&usrinput=%E6%9A%B4%E9%A3%8E%E5%BD%B1%E9%9F%B3&dt=2018000&ps=0_0&rt=0kbs&plt=0&spd=9
Is in this list: http://malwarepatrol.com.br/cgi/submit?action=list_mcf
http://www.prevx.com/filenames/719191126558992567-X1/ZHENGSHU.EXE.html
and
http://scanner.novirusthanks.org/analysis/35d82b779d33dd59129769d614465b86/emhlbmdzaHV3LmV4ZQ==/

See: http://wepawet.iseclab.org/view.php?hash=40910560e9eb16905f511b33a1355c7f&t=1279382964&type=js
and
http://www.virustotal.com/analisis/9469a349c50038c798801a0ba64d42f5e8c699c62a37c3d06f23db905e848018-1279279124

pol

Hi malware fighters,

Drive-By Downloads

Threats found: 25
Here is a sample:
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://barbolafuneralchapel.com/cbyrt.php?off=roy%20williams%20youtube

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://barbolafuneralchapel.com/cbyrt.php?off=s1%20homes

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://barbolafuneralchapel.com/cbyrt.php?off=schnepf%20farms%20twitter

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://barbolafuneralchapel.com/cbyrt.php?off=sertraline%20and%20alcohol

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://barbolafuneralchapel.com/cbyrt.php?off=shukufuku%20no%20campanella%20ep%201

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://barbolafuneralchapel.com/cbyrt.php?off=shukufuku%20no%20campanella%20tv

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://barbolafuneralchapel.com/cbyrt.php?off=stella%20marie%20ray

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://barbolafuneralchapel.com/cbyrt.php?off=watch%20one%20piece

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://barbolafuneralchapel.com/cbyrt.php?off=world%20cup%20finals

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://barbolafuneralchapel.com/cbyrt.php?off=www.applegiftgiveaway.info

Might have been removed!

polonus

Hi malware fighters,

Another one here: Threats found: 1
Here is a complete list:
Threat Name: Trojan.FakeAV
Location: htxp://trafok.in/modulesetup70700.exe

A dangerous website according to several sources: http://www.urlvoid.com/scan/trafok.in
Mozilla found this:

With the avast shield that gave a JS:ScriptDC-inf[Trj] warning for a malware download,

And another one here:
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://utu974.com/sgfsj.php?on=charlie%20wilsons%20war%20wiki

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://utu974.com/sgfsj.php?on=cydia%20ipad

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://utu974.com/sgfsj.php?on=dickssportinggoods%20application

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://utu974.com/sgfsj.php?on=endhiran%20trailer

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://utu974.com/sgfsj.php?on=jailbreakme%202010

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://utu974.com/sgfsj.php?on=kristen%20mcmenamy%20gray%20hair

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://utu974.com/sgfsj.php?on=mitzi%20kapture%20imdb

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://utu974.com/sgfsj.php?on=mitzi%20kapture%20movies

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://utu974.com/sgfsj.php?on=the%20joe%20schmo%20show

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://utu974.com/sgfsj.php?on=yani%20tseng%20caddie

See: http://www.urlvoid.com/scan/utu974.com

polonus

VirusTotal - modulesetup70700.exe - 11/42
http://www.virustotal.com/analisis/ef3df69693dc5906ee2b88e4ae134ff74eeb99298d19c27bde9367ef05cf8260-1281125582

and it is already in avast inbox… :wink:

Hi malware fighters,

Another one here:
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://wisneski.net/woaoc.php?a=care%20credit%20providers

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://wisneski.net/woaoc.php?a=dickssportinggoods%20in%20store%20coupons

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://wisneski.net/woaoc.php?a=ernesto%20miranda%20grave

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://wisneski.net/woaoc.php?a=hansen%20clarke%20michigan

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://wisneski.net/woaoc.php?a=haskell%20invitational%20monmouth%20park

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://wisneski.net/woaoc.php?a=mine%20lyrics

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://wisneski.net/woaoc.php?a=quintuplets%20blog

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://wisneski.net/woaoc.php?a=quintuplets%20dionne

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://wisneski.net/woaoc.php?a=santa%20monica%20college%20nursing

Threat Name: HTTP Fake AV Redirect Request
Location: hxtp://wisneski.net/woaoc.php?a=unigo%20emory

Re: http://www.urlvoid.com/scan/wisneski.net

polonus

One more for your collection:

fotonpl.co.cc/a/exe.exe

The family from the above post:

fotonpl.co.cc/a/l.php

Hi malware fighters,

Another fake av detected here: Threat Name: Trojan.FakeAV avast detects as Win32:Trojan-gen
Location: htxp://abodeflash-vol33.co.tv/om/ms.php
The site is infested with Mal/FakeAV-CX
Re: http://www.threatexpert.com/report.aspx?md5=57b1187f07968de0f2e203b70d972c5f
Chinese security info on this malcode: http://www.antivirus365.org/PCAntivirus/14112.html
http://vscan.urlvoid.com/analysis/670d26f0bda43fba8d3bdbf7f3442ffa/bXMtcGhw/

polonus

Hi another fake-av here:

Total threats found: Drive-By Downloads

Threats found: 27
e.g.
Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=seamless%20web%20backgrounds

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=sean%20foley%20swing%20coach

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=showboat%20texas%20city

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=sonoma%20state%20university%20jobs

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=superhead%20video%20vixen%20book

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=ted%20stevens%20international%20airport

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=ted%20stevens%20wiki

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=trevor%20ariza%20nba

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=true%20blood%20season%203%20episode%208%20megavideo

Threat Name: HTTP Fake AV Redirect Request
Location: htxp://alamito.com/swwrz.php?m=west%20end%20shows

polonus

Detected e.g.: htxp://trafficplaza.co.uk/images/images/media/msg=8044.html
infected with JS/Tenia.b
and 366 other threats on mentioned domain:
See: http://www.virustotal.com/url-scan/report.html?id=3a6bb172f4a466cd37ef42c6fb8b827d-1300468922
See: http://www.virustotal.com/file-scan/report.html?id=9b11d70c2b1fccb35ad61f79529a2696a06f1d4b86cf1575c59ea3a78ef3a40f-1300472576
Unmask Parasites gives: the last time suspicious content was found at this site was on 2011-03-15.
Malicious software includes 8 scripting exploits.
This generic detection covers obfuscated scripts in which malicious iFrames are appended to the end of an HTML page, i.e. after the < /HTML > tag.
Malicious software has been hosted on 1 domain, e.g. clint-eastwood dot cn/.

This site was hosted on 1 network including AS29671 (SERVAGE),

Computer symptoms upon infection are:
frequent unexpected connections to unsafe domains,
newly added registry keys or registry modifications,
system crashes for no apparent reason,
unusual reduction of your system's memory.

polonus

This one is not being detected, see over one hundred instances of Fake AV Website 5,
see: http://safeweb.norton.com/report/show?name=kylesheart.com
scanned this one at virustotal: htxp://kylesheart.com/zcobm.php?on=tekstovi%20pjesama
accompanying file scan: http://www.virustotal.com/file-scan/report.html?id=674faded451ce38bea28854cb4b4eb3790cd728dcc02b4eff07e181e9f511b68-1301086476
also see: http://safeweb.norton.com/buzz

polonus

Hi folks,

Another fake-av not detected by avast, resides here: htxp://ksu-antispyware.co.cc/fast-scan/
Detected here: http://www.virustotal.com/url-scan/report.html?id=7069774e14deabae6eaade4b11b85163-1302459072
file analysis, 3/42 (7.1%)
http://www.virustotal.com/file-scan/report.html?id=4536e20094bf07f94b28f9892997ea339387fb3fc4e0713e50c8793c0f873caf-1302466596
See Wepawet analysis: benign, but has a big hunk of obfuscated code,
ksu-antispyware.co.cc/fast-scan/
This online HTML scrambler/obfuscator was being used: http://www.voormedia.com/en/tools/html-obfuscate-scrambler.php

polonus
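Two of the posts above describe the same defender-side check from different angles: the generic detection for obfuscated scripts appended after the closing HTML tag, and the "big chunk of obfuscated code" produced by an online HTML scrambler, which typically hides tags inside a percent-encoded string handed to unescape(). The Python below is an added example, not code from the thread or from any of the scanners it cites; it isolates whatever follows the last </html>, flags the indicators that suggest an injected payload, peels the percent-encoding so an encoded iframe becomes visible, and lists the iframe targets. The two sample pages and the host example.invalid are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample pages (not taken from any site in the thread): a clean page,
# and the same page with an obfuscated script appended after </html>, which is
# the injection pattern described in the thread.
CLEAN_PAGE = (
    "<html><head><title>Sample</title></head>"
    "<body><p>Nothing to see here.</p></body></html>\n"
)
INJECTED_PAGE = CLEAN_PAGE + (
    '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2F'
    'example.invalid%2Fin.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E"))</script>'
)

CLOSE_HTML = re.compile(r'</html\s*>', re.IGNORECASE)

# Indicators worth flagging in content that sits after the closing tag, in the
# order their names are reported.
INDICATORS = [
    ('iframe-tag', re.compile(r'<iframe\b', re.IGNORECASE)),
    ('script-tag', re.compile(r'<script\b', re.IGNORECASE)),
    ('percent-encoded-run', re.compile(r'(?:%[0-9a-f]{2}){6,}', re.IGNORECASE)),
    ('hex-escape-run', re.compile(r'(?:\\x[0-9a-f]{2}){6,}', re.IGNORECASE)),
    ('decoder-call', re.compile(r'\bunescape\(|\beval\(|fromCharCode', re.IGNORECASE)),
]
IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def trailer_after_html(page):
    """Return the text that follows the last </html> tag ('' when nothing does).

    A page with no closing tag at all also returns '': that is a different
    anomaly and needs its own check rather than a false 'clean' verdict."""
    closes = list(CLOSE_HTML.finditer(page))
    if not closes:
        return ''
    return page[closes[-1].end():].strip()


def classify_trailer(trailer):
    """Names of the indicators that fire on the trailer (empty list = nothing found).
    Whitespace-only trailers, common after sloppy templating, count as benign."""
    if not trailer:
        return []
    return [name for name, rx in INDICATORS if rx.search(trailer)]


def reveal(text, rounds=3):
    """Undo up to `rounds` layers of percent-encoding, which is what the
    unescape() trick in scrambler output relies on, so hidden tags show up."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def iframe_targets(text):
    """URLs loaded by any iframe in `text` (meant to run on reveal()'d content)."""
    return IFRAME_SRC.findall(text)


def scan_page(page):
    """One-call summary: indicators on the raw trailer, indicators after
    decoding, and the iframe URLs the decoded trailer would load."""
    trailer = trailer_after_html(page)
    revealed = reveal(trailer)
    raw = classify_trailer(trailer)
    return {
        'suspicious': bool(raw),
        'raw_indicators': raw,
        'decoded_indicators': classify_trailer(revealed),
        'iframe_targets': iframe_targets(revealed),
    }


if __name__ == '__main__':
    for name, page in (('clean', CLEAN_PAGE), ('injected', INJECTED_PAGE)):
        print(name, scan_page(page))
```

On the injected sample the raw trailer only shows a script tag and an unescape() call; the iframe and its target appear once the percent-encoding is undone, which is why the decoded pass is reported separately. The percent-run threshold of six consecutive escapes is a tuning knob: raise it if a site legitimately embeds encoded data after its markup, lower it if scrambler output on your pages breaks the encoding into shorter runs.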

Hi folks,

Further info on: htxp://ksu-antispyware.co.cc/fast-scan/
Initially most likely “TROJAN.HTML.FRAUD!IK” will not appear because it is in IE temp. location,
but it will reveal itself with the proper cleansing routine…

Detected here by both Emsisoft and Ikarus, see: http://vscan.urlvoid.com/analysis/b76bcbe66e85fda63615359905b06bdc/ZmFzdC1zY2Fu/

Site is blacklisted here: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=ksu-antispyware.co.cc
and here as infected with Fake App Attack: Fake AV Notification Alert:
http://safeweb.norton.com/report/show?url=ksu-antispyware.co.cc

pol

See this analysis,

Suspicious: http://wepawet.iseclab.org/view.php?hash=d04433f971bfd8deefd0b9219a9a5c49&t=1302716752&type=js
Anubis report: http://anubis.iseclab.org/?action=result&task_id=1e848af371b5bec44a91fe827a1c5df39
See: http://www.virustotal.com/url-scan/report.html?id=91c838a06b3f196fa77983e640fd5b8b-1302716668
Not detected: http://www.virustotal.com/file-scan/report.html?id=cd9231daff32df82fb1894655cec052f20da2d5fe5d7e3a9c91ecc9160dc0d86-1302723871

polonus

New variants for the Antispy2011setup.exe

htxp://protectinstallxpvirusnow.com
htxp://protectxpscanvirus.com

Both are redirected from ads and Avast does not detect them. Ran into it twice on 2 separate websites.

I get a 404 on both of those…

Do you have the files, to add to the chest and send to avast?

The sites may have been brought down or changed.

When I got redirected to the site, I got a prompt asking if I wanted to run or save Antispy2011setup.exe after it did the fake virus scan.