Sunday, March 29, 2009

Black Hat SEO and Rogue Antivirus p.3

The silent threat: Black Hat SEO and Rogue Antivirus

AntivirusPlus ZlKon Malware drop - liveinternetmarketingltd.com

READ THIS page if you need more information

In addition to the fake scanner domains, recent research also reveals that several sites are
registered through "EVOPLUS LTD" with the following registrant information:

Registrant:
Live Internet Marketing Limited ****@liveinternetmarketingltd.com
attn: Private Registrations
5285 Decarie Boulevard #100
Montreal, QC H3W3C2
Canada
+1-514-371-5650

Domain Name: LIVEINTERNETMARKETINGLTD.COM
Registrar: EVOPLUS LTD
Whois Server: whois.evonames.com
Referral URL: http://www.evonames.com
Name Server: NS1.LIVEINTERNETMARKETINGLTD.COM
Name Server: NS2.LIVEINTERNETMARKETINGLTD.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 27-mar-2009
Creation Date: 20-feb-2009
Expiration Date: 20-feb-2010

Registered Through:
AdvancedHosters.com (http://www.AdvancedHosters.com)

******************************

Searching Google shows absolutely no web presence apart from malware and pornography websites:

For "liveinternetmarketingltd": Malware domain drop and pornography websites
For "Live Internet Marketing Limited": Pornography websites
For "liveinternetmarketingltd.com": Pornography websites and malware domain found by Malware Domain List.

Searching malwaredomainlist shows 23 sites with the registrant information "liveinternetmarketingltd.com".

Some of these domains have been added to the list below:


**********************

SUSPENDED domains

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

antivirusplus.biz
***
antivirusplus2009.net
Symantec Result
Registration Service Provided By: HIGH QUALITY HOST COMPANY
***
avplus2009.com
Symantec Result
PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM
***
internet-check.net
PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM
***
traffchecking.com

Registration Service Provided By: ERDOMAIN.COM
Registrant: uebochek - Luhansk Oblast,01001 - UA - uebochek@gmail.com


**********************

ACTIVE domains

***
av-plus-support.com
PrivacyProtect - Registration Service Provided By: ERDOMAIN.COM
***

antivirusplussite.com has a fake error page which redirects to downloadantivirusplus.com/buy.php?id=

downloadantivirusplus.com is also hosted on the same IP at ZlKon and is also registered by "Live Internet Marketing Limited"; the fraudulent payment page is on the domain below:

https://secure-plus-payments.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus3&advert=

209.8.25.204 - ns1.secure-plus-payments.com

Registration Service Provided By: RESELLERCLUB

Registrant:
Globo inc
John Sparck (sparck000@mail.com)
South reg, 14 st, 3
Atoll
,3290867
BB
Tel. +27.221994

"Globo inc" also includes: antivirus--plus.com, plus-antivirus.com (already suspended)

**********************
Searching Spamhaus also reveals:

newp-digital.com
webspywareremover2009.com
cure-soft.com [63.219.177.210]
innovagest2000s.com
secure-softwaretools.com [207.226.175.124]
**********************


Hosted on 94.247.2.215 [hs.2-215.zlkon.lv], AS12553

AS12553 PCEXPRESS-AS "DATORU EXPRESS SERVISS" Ltd.

Some screenshots:

Analysis:


File info: installer_1.exe
File size: 666112 bytes
MD5: 03a1e599d66c64cd11eb5f20d3645767

Anubis: Report
ThreatExpert: Report
VirusTotal: Report

First received: 03.27.2009 17:40:50 (CET)
Results: 17/38 (44.74%)

Aliases (vendor: detection name):
  a-squared: Trojan.Win32.FakeXPA!IK
  Antivir: TR/Crypt.XPACK.Gen
  AVG: SHeur2.YCE
  CAT-QuickHeal: (Suspicious) - DNAScan
  DrWeb: Trojan.DownLoad.33473
  F-Secure: Trojan-Downloader.Win32.Delf.swq
  Fortinet: W32/FakeAV.NW!tr
  Ikarus: Trojan.Win32.FakeXPA
  Kaspersky: Trojan-Downloader.Win32.Delf.swq
  McAfee: Generic Downloader.x
  McAfee: Generic Downloader.x
  McAfee-GW-Edition: Trojan.Crypt.XPACK.Gen
  Microsoft: TrojanDownloader:Win32/Renos.BAO
  Panda: Suspicious File
  Sophos: Troj/FakeAV-NW
  Sunbelt: Trojan.Fakeavalert.B
  Symantec: Trojan Horse

As seen in this post, the file downloaded two or three days later had been updated with new code.

Result when running:
 
HTTP Request: 94.247.2.215 [hs.2-215.zlkon.lv]

GET: myantivirusplus.com/install/AntivirusPlus.exe
GET: myantivirusplus.com/install/InternetExplorer.dll
GET: myantivirusplus.com/cfg/dmns.cfg
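As an added example (not part of the original post), a small detection script that flags proxy-log entries matching the download chain observed above; the host IP, domains and request paths are the ones reported on this page, while the log format and the sample lines are constructed for illustration.

```python
import re
from collections import namedtuple

# Indicators taken from the post: the ZlKon host IP, the rogue domains and the
# three files the dropper fetched when run.
ZLKON_IP = "94.247.2.215"
ROGUE_DOMAINS = {"myantivirusplus.com", "antivirusplussite.com",
                 "downloadantivirusplus.com", "secure-plus-payments.com"}
DROP_PATHS = {"/install/AntivirusPlus.exe", "/install/InternetExplorer.dll", "/cfg/dmns.cfg"}

# Constructed sample log, one request per line as "<epoch> <client> <method> <url> <dst_ip>";
# not real traffic, only the indicator values come from the post.
SAMPLE_LOG = """\
1238260000.123 10.0.0.5 GET http://myantivirusplus.com/install/AntivirusPlus.exe 94.247.2.215
1238260001.456 10.0.0.5 GET http://myantivirusplus.com/cfg/dmns.cfg 94.247.2.215
1238260002.789 10.0.0.7 GET http://www.example.org/index.html 93.184.216.34
1238260003.000 10.0.0.9 GET http://cdn.example.net/install/AntivirusPlus.exe 198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
URL_RE = re.compile(r"^https?://([^/?#]+)([^?#]*)")
Hit = namedtuple("Hit", "client url reasons severity")  # severity: "high" if >1 indicator class


def classify(url, dst_ip):
    # Return the indicator classes a request matches; an empty list means no match.
    m = URL_RE.match(url)
    if not m:
        return []
    host, path = m.group(1).lower(), m.group(2) or "/"
    reasons = []
    if dst_ip == ZLKON_IP:
        reasons.append("ip:" + dst_ip)
    if host in ROGUE_DOMAINS or any(host.endswith("." + d) for d in ROGUE_DOMAINS):
        reasons.append("domain:" + host)
    if path in DROP_PATHS:  # path alone is a weak signal: unrelated hosts can share it
        reasons.append("path:" + path)
    return reasons


def scan_log(text):
    # Parse each line and keep the requests that match at least one indicator.
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, _method, url, dst_ip = m.groups()
        reasons = classify(url, dst_ip)
        if reasons:
            hits.append(Hit(client, url, tuple(reasons), "high" if len(reasons) > 1 else "low"))
    return hits
```

Requests where the IP, domain and path indicators agree are rated high; a bare path match is kept at low severity so it can be reviewed rather than alerted on.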


File info: AntivirusPlus.exe
File size: 1435136 bytes
MD5: f0bc697765f31bd431e776387aca2c7f

Anubis: Report
VirusTotal: First Report
VirusTotal: Second Report

First received: 03.27.2009 14:17:34 (CET)
Results: 7/39 (17.95%)

Second time: 03.30.2009 05:23:52 (CET)
Results: 12/39 (30.77%)
New info: Prevx

Aliases:
  Trojan.Win32.FakeXPA!IK
  FakeAlert
  Trojan.Win32.FakeXPA
  Trojan:Win32/FakePlus

File info: InternetExplorer.dll
File size: 442368 bytes
MD5: 8e428574cb9e4f680d1e28fe3ca673e8

VirusTotal: First Report
VirusTotal: Second Report

First received: 03.24.2009 16:12:30 (CET)
Results: 20/39 (51.29%)

Second time: 03.30.2009 05:23:52 (CET)
Results: 20/39 (51.29%)

Aliases:
  Trojan.Win32.FraudPack.ify
  Trojan.Win32.FakeAV.iy
  Trojan.Win32.FakeXPA
  Trojan:Win32/FakePlus


Screenshot: