Redirect to FAKE AV

SHA256: 68f5a70bcb23f858d22edf718ff8fdc7877d2f80a2763c7dc31716d44210db8d
SHA1: e96a38db8481a8783e1c1b5decd3bb11bbf29742
MD5: 61f904af1ec2788003961f188b56fac8
File size: 2.0 MB ( 2107090 bytes )
File name: setup.zip
File type: ZIP
Detection ratio: 2 / 42
Analysis date: 2012-03-31 01:21:45 UTC

Danger fake av here: hxxp://klikklik.jino.ru/temp.php

Edit that link and make it say Hxxp.________.Cxm. We wouldn't want anyone to be infected now. Are you infected with it?

ThreatExpert
http://www.threatexpert.com/report.aspx?md5=e10bf50ae855b4581d46393aaa5d0a73

Hello, they have studied it and added it to the virus database, thank you. ;D

Good find: http://zulu.zscaler.com/submission/show/ed28a884091e409b89d9a7d425e8303e-1333196327
Hope that Pondus has sent it to virus at avast dot com, else it seems no longer redirecting…
The redirect to fake AV seems not only closed, but dead since 2012-03-12 19:05:34.
That is how short-lived these threats may be found to exist: from 2012-03-12 17:30:0 to 2012-03-12 19:05:34. That's just over 1 1/2 hours.
This one has been closed also: htxp://illoha.jino.ru/index.php. So watch out for domains on that IP: 81.177.140.92
and that autonomous system:
Sitevet info:
AS Name: RTCOMM-AS OJSC RTComm.RU
IPs allocated: 463616
Blacklisted URLs: 888

Hosts…
…malicious URLs? Yes
…badware? Yes
…botnet C&C servers? Yes
…exploit servers? Yes
…Current Events? Yes

polonus

One question before this topic dies…

Why does it create new registry keys that hold the names of many antivirus processes, such as ashQuick? Does rewriting them erase the value, thus causing problems?