[SOLVED] Fake AV/Rogue (avastfrance.com)

Reported by a user in the German section. (hxxp://wxw.avastfrance.com/)
The site distributes a fake AV (Rogue), using avast’s name…!!!

Report 2011-03-16 13:15:53 (GMT 1)
Website avastfrance.com
Domain Hash 4d6e81c523fad80972e4e15ff80ec385
IP Address 174.123.72.226
IP Hostname e2.48.7bae.static.theplanet.com
IP Country US (United States)
AS Number 21844
AS Name THEPLANET-AS - ThePlanet.com Internet Service…
Detections 7 / 18 (39 %)
Status DANGEROUS

Avast already detects the executable but not the site. I reported this site in one of my posts but no one seemed to see it, anyway.

Already in hpHosts detection:
http://hosts-file.net/?s=avastfrance.com&x=35&y=9

http://forum.avast.com/index.php?topic=73785.0

Well, the site should be blocked, asap…!!!
asyn

Of course!!

It is by MBAM as well:
IP-BLOCK 174.123.72.226 (Type: outgoing, Port: 52612, Process: avastsvc.exe)

Thanks for the info about hpHosts and Mbam, Kenny…!
Still, we want avast to block it, too. :wink:
asyn

Hi Asyn,

Send a mail to avast that the following links should be detected:
So called Bad Anchor link here: hxtp://www.avastfrance.com/
See: http://www.virustotal.com/file-scan/report.html?id=9b8fbd43137dd84905e1b8b37e05de58b00484470c429127ba86fbd2c4d9221f-1300284565
0/ 43 (0.0%)
and PremiumSMSScan, here: htxp://www.avastfrance.com/dl/Avast-antivirus-francais.exe, detected as NSIS:FakeInst-L by avast
See: http://xylibox.blogspot.com/2011/03/hoaxsms-fake-installer-avast-avast.html
Site should be flagged: http://deletemalware.blogspot.com/2011/03/fake-avast-antivirus-avast-antivirus.html
It is also in here: http://malc0de.com/database/
Reported on March 13th:
011/03/13_19:26 www. avastfrance.com/dl/Avast-antivirus-francais.exe 174. 123. 72. 226 e2. 48. 7bae.static.theplanet.com. fake av Whois Privacy Protection Service, Inc. / xfwryksrx AT whoisprivacyprotect.com 21844
I do not know whether it is still alive? These issues are sometimes rather short-lived as soon as they are found out.

polonus

Thanks, pol…!! :slight_smile:
asyn

Still undetected? ???huh

Contact avast! However, there’s no option to report false negatives :frowning:

Yes and that is something which needs to be included in the list.

Though you could try and misuse the report false alert on a website, by reporting in the text input ‘Your Message’ window that it is a malicious site which isn’t detected by either the network or web shields.

I tend to send an email to the usual virus (at) avast (dot) com address, with ‘Undetected Malware - Network Shield’ in the subject and details in the email body, no need for a sample.

Site gets blocked now, so I put this to solved.
asyn