R3v3rs3e's Blog

Social Engineering Tactics Promote “Miracle” Berries

Posted by Steve Espino on January 22, 2010

I received an unlikely Yahoo! IM from a long-time friend with whom I have not been in contact for quite a long time.

At first I thought, wow, this would be a good time to catch up.

She buzzed me and asked me if I was busy, then gave me a URL to try out very quickly and tell her what the results tell me.

Well, here’s the screenshot:

The link was: hxxp://freakyloverresults.com

At this time I was already suspicious about the whole thing. So I tried out the link in a controlled environment. There were a series of redirections and my browser was redirected to:

hxxp://www.acaipowermax.com

It seems that whoever I was talking to was not my friend (possibly a bot). She might have been a victim of a phishing scam, and her Yahoo! IM account was being used as part of this social engineering tactic in order to execute the Acai Berry spam which has been bugging people for ages.

This one was a bit harmless as the whole exercise was just another form of spam. But as always, I would like to remind everyone to be careful about clicking links, even if they come from people you know.


Scareware uses Fake Windows 7 Action Center

Posted by Steve Espino on December 8, 2009

Privacy Center, Privacy Components and Safety Center are some of the aliases used by this family of scareware that hide under the guise of a fake Windows 7 Action Center.

The scareware installer uses the filename win_protection_update.exe and, once installed, displays fake scan results in an attempt to convince unsuspecting users to buy the fake software.

A lifetime license for this fake app amounts to a hefty $79.95 plus $19.95 for “Premium Support”.

Here are some domains related to distributing this attack:

software-scaner-online.com
scaner-online-malware.biz

PC Tools Spyware Doctor with Antivirus detects this scareware as RogueAntiSpyware.PrivacyCenter.AJ.


Fake codec used by porn site

Posted by Steve Espino on December 7, 2009

Here’s another porn site distributing malware under the guise of video codecs:

hxxp://adultsvideo.cn/

Unsuspecting users wanting to view the adult videos are tricked into downloading and installing the fake codec.

The fake codec can be downloaded from this url:

hxxp://freebigutilites.com/ActiveX-Video-Codec.45092.exe

The server spits out files that have different MD5s each time.

ThreatExpert report here

PC Tools Spyware Doctor with Antivirus detects this fake codec as Trojan.FakeAlert.


Spyware Doctor with AntiVirus 2010 gets 4.5 out of 5 stars from How-to Geek

Posted by Steve Espino on November 6, 2009

PC Tools’ award winning Spyware Doctor with AntiVirus 2010 has done it again, earning a rating of 4.5 out of 5 stars as reviewed by How-to Geek.

Spyware Doctor with Antivirus is a top-rated malware, spyware & virus removal utility that detects, removes and protects your PC from thousands of potential spyware, adware, trojans, viruses, keyloggers, spybots and tracking threats. Spyware Doctor’s advanced Intelliguard technology only alerts users on a true spyware and virus detection. Spyware Doctor with Antivirus has the most advanced update feature that continually improves its spyware and virus fighting capabilities on a daily basis. As spyware gets more complex in order to avoid detection, Spyware Doctor responds with new technology to stay one step ahead.

More details here.


MaCatte scareware fools users by masquerading as McAfee

Posted by Steve Espino on November 3, 2009


MaCatte Antivirus is a rogue AV that attempts to impersonate McAfee scanners in order to scam users, which PC Tools Spyware Doctor with Antivirus aptly detects as RogueAntiSpyware.MaCatte.

This scareware has been seen to be using a bogus My Computer online scan similar to ones we’ve seen here, here and here.


The online scan can be seen on this url:

hxxp://proscan5.info/25/26-088wLzQzL1EzL==

The downloader being served from this URL is time-sensitive and will not work after a period of time. A session ID of some sort is embedded in the binary executable itself. After that time has elapsed, the downloader tells the user to contact MaCatte Antivirus support people. This prevents reverse engineers from replicating the infection and gathering samples for analysis.

The presence of these files/folders would signal infection by this scareware:
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\MaCatte.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk

Unsuspecting users are set back a hefty $99 of their hard-earned money.

Stay away from these rogue apps.


Sysinternals Releases Disk2vhd v1.0

Posted by Steve Espino on October 20, 2009

Sysinternals has recently released Disk2vhd that “simplifies the migration of physical systems into virtual machines (p2v).”

Disk2vhd is a utility that creates VHD (Virtual Hard Disk, Microsoft’s virtual machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs).

More here.


Spyware Doctor with AntiVirus 2010 wins PC Mag Editor’s Choice

Posted by Steve Espino on October 16, 2009

This just in: on 15th October 2009, Spyware Doctor with AntiVirus 2010 wins PC Mag Editor’s Choice award!

The latest Spyware Doctor proved effective in every area of malware removal and blocking. It’s a great product.

The award-winning Spyware Doctor with AntiVirus 2010 can be downloaded here.


Sysguard / Winifighter Clones

Posted by Steve Espino on October 15, 2009

Here are some screenshots of the members of this scareware family:


Beware of these rogue apps.


Winifighter Clone: TrustFighter

Posted by Steve Espino on October 13, 2009


Another scareware has been spotted in the wild and it calls itself TrustFighter. This is a recent addition to the Winifighter family of scareware.

Like other members of this scareware family, as noted in a previous post, TrustFighter creates heaps of junk binary files in the %systemroot% and %system% directories.

Sample junk files are the following:

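
As an added example (not from the original post or from PC Tools), here is a hunting heuristic over a directory listing that flags this family's junk names by their digit-prefixed stems and mangled malware keywords; the keyword list and the one-character-off rule are assumptions drawn from the names quoted in this post, and the listing is constructed.

```python
import re

# Malware-themed words the family embeds in its junk names, usually with one character
# swapped (e.g. "vizus", "th5eat", "spywa5e", "ba5kdoor" in the post's samples).
# A heuristic devised for this example, not a vendor signature.
KEYWORDS = ("virus", "threat", "addware", "spyware", "thief", "backdoor",
            "worm", "hacktool", "spambot", "trojan", "steal")
JUNK_EXTS = {".dll", ".ocx", ".cpl", ".bin", ".exe"}

# Constructed directory listing: junk names quoted in the post plus benign files
# (7z.dll is included because it also starts with a digit).
SAMPLE_LISTING = [
    "5z9bba5kdoor525.dll", "6210spywa5e192z.ocx", "19645worm7zd.exe",
    "51cbthreatz1991.ocx", "19105vizus1c.bin", "1958stezl2595.cpl",
    "kernel32.dll", "shell32.dll", "7z.dll",
]

def near_match(stem, word):
    """True if some window of `stem` equals `word` with at most one character changed."""
    n = len(word)
    return any(sum(a != b for a, b in zip(stem[i:i + n], word)) <= 1
               for i in range(len(stem) - n + 1))

def junk_keyword(name):
    """Return the mangled malware keyword hidden in a junk-style name, or None."""
    m = re.fullmatch(r"(\d[0-9a-z]*)(\.[a-z]{3})", name.lower())
    if not m or m.group(2) not in JUNK_EXTS:
        return None  # the family's names start with a digit and use these extensions
    return next((w for w in KEYWORDS if near_match(m.group(1), w)), None)

def scan_names(names):
    """Map each suspicious file name to the keyword that flagged it.
    Feed it os.listdir() of %systemroot% and %system% on a live host."""
    return {n: k for n in names if (k := junk_keyword(n)) is not None}
```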

Here are some domains participating in this campaign:

securityannounce(dot)com
securityadjust(dot)com
bestmalwaredetect(dot)com
pcprotectzone(dot)com
trustfighter(dot)com

Unsuspecting users are set back $49.95 of their hard-earned money.

PC Tools Spyware Doctor protects your computers from the scum of the universe (the digital universe) and aptly detects TrustFighter as RogueAntiSpyware.Winifighter.


Bogus MS Update

Posted by Steve Espino on September 25, 2009

The analysts at the PC Tools Malware Research Centre have been receiving bogus emails claiming to be coming from Microsoft:

…public distribution of this Update through the official website »www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all users Microsoft Windows OS.
as the computer set to receive notifications when new updates are available, which you have received this notice.

We have seen emails containing one of the following links:
hxxp://www2.sinel.com/microsoftupdate.html
hxxp://mail1.e-corecorporation.com/default.htm

They seem to be compromised websites being used by the bad guys to facilitate this attack.

The page default.html from hxxp://mail1.e-corecorporation.com/default.htm uses a refresh-type redirect to this url:
hxxp://0xc0.0xdc.0x6e.0xe4/microsoftupdate.html

The page microsoftupdate.html from sinel.com and 0xc0.0xdc.0x6e.0xe4 both execute another refresh-type redirect in order to download a file named update09.exe, which PC Tools Spyware Doctor with Antivirus detects as Trojan-Spy.Zbot.YETH.

Interestingly enough, this attack uses 0xc0.0xdc.0x6e.0xe4 to serve the malware. This IP address, written with hexadecimal octets, translates to 192.220.110.228, which in turn resolves to summit102.summitdesign.net, another possibly compromised website used in this attack.
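
As an added example (not from the original post), here is how an analyst can pull the refresh-type redirect target out of a captured page and decode a hex-dotted host like the one above into its dotted-decimal address; the sample HTML is constructed, and the decoder also covers octal and single-integer forms beyond the hex form this post shows.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page (not captured from the campaign) mimicking the refresh-type
# redirect the post describes, pointing at the hex-dotted host it quotes.
SAMPLE_HTML = ('<html><head><meta http-equiv="refresh" '
               'content="0; url=http://0xc0.0xdc.0x6e.0xe4/microsoftupdate.html">'
               '</head></html>')

def refresh_target(html):
    """Return the URL named by a <meta http-equiv="refresh"> tag, or None."""
    for tag in re.findall(r"<meta\b[^>]*>", html, re.I):
        if not re.search(r"""http-equiv\s*=\s*["']?refresh["']?""", tag, re.I):
            continue
        m = re.search(r"""content\s*=\s*(["'])(.*?)\1""", tag, re.I)
        if m:  # content is "<seconds>; url=<target>"; browsers treat "url=" as optional
            rest = m.group(2).partition(";")[2].strip()
            target = re.sub(r"^url\s*=", "", rest, flags=re.I).strip(" '\"")
            if target:
                return target
    return None

def canonical_ipv4(host):
    """Decode a numeric IPv4 literal (hex 0xc0, octal 0300 or decimal parts, dotted or
    one 32-bit integer) to dotted decimal; None if `host` is not numeric."""
    parts = host.split(".")
    if not all(re.fullmatch(r"0x[0-9a-f]+|[0-9]+", p, re.I) for p in parts):
        return None
    try:
        nums = [int(p, 16) if p.lower().startswith("0x")
                else int(p, 8) if len(p) > 1 and p[0] == "0"
                else int(p) for p in parts]
    except ValueError:  # e.g. "09" is not valid octal
        return None
    if len(nums) == 1:  # whole address written as a single integer
        n = nums[0]
        nums = [(n >> 24) & 255, (n >> 16) & 255, (n >> 8) & 255, n & 255]
    if len(nums) != 4 or any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums)

def analyze_redirect(html):
    """Target URL, host as written, decoded IP, and whether the host was obfuscated."""
    target = refresh_target(html)
    if target is None:
        return None
    host = urlsplit(target).hostname or ""
    ip = canonical_ipv4(host)
    return {"target": target, "host": host, "ip": ip,
            "obfuscated": ip is not None and ip != host}
```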

The presence of the following files/folders may indicate signs of infection:
%System%\sdra64.exe
%Temp%\tmp.exe
%System%\lowsec\

More here.
