polonus
February 20, 2011, 2:11pm
1
Hi, this was/is still being detected by Trend Micro - Webreputation as “This URL is currently still listed as malicious”
http://www.mywot.com/en/scorecard/virginantivirus.com 4 instances of red (malicious content)
Avast detects this as Fake-AV-GF : http://www.virustotal.com/file-scan/report.html?id=60d509a36dfdb6f77619678b85e3cad15464064197e713423afbdb892fd2e766-1298209207
When I go there with malzilla I am confronted with the script, see image attached below.
According to a Google search the address is now at a domain parking page? See the attached thumbnail GIF? And so has this threat now gone?
Please comment?
polonus
Pondus
February 20, 2011, 2:42pm
2
The fake scanner is still there
Wepawet says benign
http://wepawet.iseclab.org/view.php?hash=314cef975ebe74b69a18dda4b55f94ea&t=1298211931&type=js
Sucuri says Clean
Unmaskparasites says Suspicious
http://www.UnmaskParasites.com/security-report/?page=www.virginantivirus.com
but if you click on the red "Suspicious" then Google says not dangerous for the last 90 days
??? ??? ???
and the downloaded FakeAV
VirusTotal - AntiSpyWareSetup.exe - 0/43
http://www.virustotal.com/file-scan/report.html?id=629ebf10660e1f490c22f809108fb5fabbb2f54aa9d0bb525fe447ba1c5c52c1-1298212610
MalwareBytes detects it as Trojan.fakeAlert
system
February 20, 2011, 2:43pm
3
The threat is still there. If I go to that site without Avast Web Shield, I still get the rogue/fake av scan and I’m prompted to accept the bogus download. I’ve reported it to stopbadware.org with the Firefox “Report Web Forgery” feature.
polonus
February 20, 2011, 2:54pm
4
Hi Pondus and Alan Baxter,
You are both right, and thanks for confirming this. The rogue AV is still at that address; I just scanned it using jsunpack and it says: virginantivirus dot com/ suspicious. The info on the Google search page about a domain parking page is irrelevant and might be deliberately confusing to invite clicks. So it is good that it is being blocked by the avast webshield.
This information can be found at the bottom of the virustotal analysis page:
http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml and http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
So an overall 0/43 (0.0%) result, but something suspicious is definitely detected there.
polonus
Pondus
February 20, 2011, 3:07pm
5
Reported to Google http://www.google.com/safebrowsing/report_badware/
and the sample is in avast mailbox
OBS: Norton SafeWeb says clean, there is even a picture of the fake scanner ;D
http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.virginantivirus.com
edit: Norton Safe Web now detects it
Asyn
February 20, 2011, 3:43pm
6
Report: 2011-02-20 16:48:25 (GMT 1)
IP Address: 76.76.116.171
IP Hostname: reverse-mtl-76-76-109-171.gogax.com
IP Country: CA
AS Number: N/A
AS Name: N/A
Detections: 2 / 26 (8 %)
Status: SUSPICIOUS
http://www.malwaredomainlist.com/mdl.php?search=76.76.116.171
http://www.mywot.com/en/scorecard/76.76.116.171
polonus
February 20, 2011, 4:25pm
7
Hi Asyn,
Exactly so, good that you checked on the URL; then we find this here:
http://support.clean-mx.de/clean-mx/viruses?virusname=JS:FakeAV-GF
and the scumware org scan shows: http://www.scumware.org/report/76.76.116.171
and there are some more where that came from, see:
http://amada.abuse.ch/?search=76.76.116.171
polonus
Safezone does not like it either
system
February 20, 2011, 7:03pm
10
Well, that is just the webshield monitoring the safezone browser
system
February 20, 2011, 11:03pm
11
The exploit would die with javascript disabled.
Norton Safeweb seems to report two threats from that domain, not clean. Added after?
By the way, LinkScanner blocks it (Don’t be too harsh on me. I’m just stating that it does. ;D) -http://linkscanner.explabs.com/linkscanner/checksite.aspx?NS=ChkOnly&SRC=apps.explabs.com&CS= http://virginantivirus.com
polonus
February 20, 2011, 11:40pm
12
The scumreport gives ten instances from that URL: http://www.scumware.org/report/76.76.116.171
Norton Safe Web also gives this: MSIE FakeAV Notification Alert
Locatie: hxtp://virginantivirus.com/?id=06abQDYx but that is another detection,
and not Trojan.JS.Fraud.bg.
And here another 5 instances of the same threat:
http://amada.abuse.ch/?search=76.76.116.171
If the malware site is validated you get: Errors found while checking this document:
Line 16, Column 28, Damage not well-formed (invalid token) …
see: http://rexbd.net/validator/index.php?url=virginantivirus.com
pol