Beware of “Anti-Virus-1″ - Another Fake Anti-virus in Town

http://feedproxy.google.com/~r/askVG/~3/CWqu17L0xtQ/

Attention please! There is a new adware, “Anti-Virus-1”. It's a fake anti-virus program which looks like the Windows default “Security Center”. Here is what Panda Labs says: It is designed to simulate a scan of the computer, supposedly detecting thousands of strains of (non-existent) malware. The end aim is to sell users a pay version of the […]

Visit AskVG.com for full article.


Thanks for posting this information, Tech.


Hi Tech,

It is rogue av scanner galore now:

There is a new kid on the block, called ThreatNuker.
Whoever wants to block the ThreatNuker CLSIDs can do so through the following controls:
(Source: Symantec)

HKEY_CLASSES_ROOT\CLSID\{1334158E-0314-405F-84E2-504815415812}
HKEY_CLASSES_ROOT\CLSID\{9A1D3451-03D2-AADD-034E-35D42B5B1B27}

Anyone who has SpywareBlaster can also block these CLSIDs. To do so, start up SpywareBlaster, go to Tools, then to Custom Blocking. Click Add Item, enter the name of this malware and click OK.
Now copy and paste in the following path (the {} and the zeros in between are already given, you can remove these):

{1334158E-0314-405F-84E2-504815415812}
{9A1D3451-03D2-AADD-034E-35D42B5B1B27}

Tag the new items, then click on the button Protect Against Checked Items. The red colour of the new items will turn into black text. Now you know these controls are disabled, so ThreatNuker can no longer be silently installed. Until AV vendors come up with new signatures against this malware, blocking these CLSIDs is a good option for the time being.

And why oh why?
This is no great surprise, because it is a fake NOD and a couple of other scanners going around as malware, so the real ones will not flag them (Kaspersky's, for instance…).

Analysis:
ThreatNuker uses: Nullsoft PiMP Stub [Nullsoft PiMP SFX]
Krypto: A single DWORD (“polynomial”) used to compute CRC32

ASCII Strings: hxxp://pastebin.com/d7534e48a

Striking piece of code:
xe....open....KERNEL32.dll....GetDiskFreeSpaceExA.%u.%u%s%s...\*.*.....[..[Rename]....\wininit.ini....%s=%s...MoveFileExA.%d..C:\Program Files....ProgramFilesDir.Software\Microsoft\Windows\CurrentVersion...CommonFilesDir..\Microsoft\Internet Explorer\Quick

Well, the file is encrypted by all means; try to hex the installer of this piece of sh^t3…

See removal instructions in the added txt file.
pol
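The SpywareBlaster steps above set the ActiveX kill bit for the two ThreatNuker CLSIDs. As an added example (not from the post, from Symantec, or from SpywareBlaster), the PowerShell below audits whether those CLSIDs are registered and kill-bitted, and with `-Block` sets the kill bit by hand; it assumes the documented kill-bit location under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility` and needs an elevated prompt only for the blocking step.

```powershell
# Added example: audit (and optionally kill-bit) the ThreatNuker CLSIDs from the post.
param([switch]$Block)

# The two CLSIDs quoted from the Symantec write-up above.
$ThreatNukerClsids = @(
    '{1334158E-0314-405F-84E2-504815415812}',
    '{9A1D3451-03D2-AADD-034E-35D42B5B1B27}'
)

# Kill-bit location (Microsoft KB 240797): a CLSID listed here with
# Compatibility Flags containing 0x400 is never instantiated by Internet Explorer.
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit     = 0x400

foreach ($clsid in $ThreatNukerClsids) {
    # 1. Is the control registered? (This is the HKCR\CLSID\{...} key the post lists;
    #    True means the installer has already run on this machine.)
    $registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"

    # 2. Is it already kill-bitted?
    $flagsKey = Join-Path $KillBitRoot $clsid
    $flags = (Get-ItemProperty -Path $flagsKey -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)

    [pscustomobject]@{
        CLSID      = $clsid
        Registered = $registered
        KillBit    = $killed
    }

    if ($Block -and -not $killed) {
        # Keep any flags already present; only OR in the kill bit. Requires admin.
        New-Item -Path $flagsKey -Force | Out-Null
        $newFlags = [int]$flags -bor $KillBit
        Set-ItemProperty -Path $flagsKey -Name 'Compatibility Flags' -Value $newFlags -Type DWord
        Write-Host "Kill bit set for $clsid"
    }
}
```

Run it without `-Block` first: a `Registered = True` result means the rogue installer already executed, so the removal instructions apply rather than just the kill bit.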

Am I reading correctly that avast should protect us against these nasties and improve detection?

I'm not sure if I should try the spyware and firewall test; I didn't want to be infected if it didn't detect it :S (EICAR is easy, it's a simple virus lol)