stabilityinetscan: Zlkon Malware Drop Fake AV

stabilityinetscan.com - Rogueware browser hijacker - Zlkon Malware Drop Another site which promote "Internet Antivirus Pro" a rogue application also called SystemSecurity or WinWebSecurity. The FAKE scanner display fake alerts stating that you are infected with Admess trojan (tcpservice.exe), zserv.Transponder.Trojan (ZServ.dll) and some other malware. Site screenshot: Template 1: stabilityinetscan.com/ Template 2: stabilityinetscan.com/scan.php?affid=01990 Fake messages: Windows Security Center Virus (I-Worm.Trojan.b) was found on your computer! Click 'OK' to install System Security Antivirus. Windows Security Center recommends you to install System Security Antivirus. Fake Windows Security Center: Security Essentials: To help protect your computer, make sure the four security essentials below are marked On or OK - Firewall is set to "On" - Automatic updating is set to "Not automatic" - Malware protection and "Other Security Settings" are set to "Check Settings"
Analysis:
	Site URLs:               HTML stabilityinetscan.com/scan.php?affid=01990     SWF/Flash stabilityinetscan.com/load.swf?&p=0&t=_self&u=download.php?affid=x           Anubis: Report                     Site URLs: stabilityinetscan.com/download.php       stabilityinetscan.com/download.php?affid=01990             Response Headers             (Status-Line):HTTP/1.1 200 OK Date:Fri, 20 Mar 2009 xx:xx:xx GMT Server:Apache/2 X-Powered-By:PHP/5.2.6 Cache-Control:public, must-revalidate Pragma:hack Content-Length:57894 Content-Disposition:attachment; filename="install.exe" Content-Transfer-Encoding:binary Keep-Alive:timeout=1, max=100 Connection:Keep-Alive Content-Type:application/octet-stream                     File info: install.exe             File size 57894 bytes     MD5 631cb675d5094b14bbf13ac5218506f2                     VirusTotal: Report             First received 03.20.2009 08:33:18 (CET)     Results 26/39 (66.67%)             PE Info ( base data ) entrypointaddress.: 0x28230 timedatestamp.....: 0x49bf47e1 (Tue Mar 17 06:49:05 2009) machinetype.......: 0x14c (I386)             Prevx Result             Alias: FraudTool.Win32.SystemSecurity       Win32/Winwebsec       SystemSecurity       Cryp_FakeAV-11
Result when running:
	HTTP Request: 94.247.3.3 [hs.3-3.zlkon.lv] GET: stabilityinetscan.com/install/ws.zip   File info: SystemSecurity.exe             File size 2206720 bytes     MD5 4b65f1e719f85ee082d5108fbdf2ea00                     VirusTotal: First Report     VirusTotal: Reanalysed             First received 03.18.2009 02:31:35 (CET)     Results Result: 16/39 (41.03%)             Second time 03.20.2009 08:51:04 (CET)     Results 22/39 (56.42%)     New info Prevx             Alias: FraudTool.Win32.SystemSecurity       Win32/Winwebsec       Mal/FakeAV
Application screenshot:
Domain sharing IP with stabilityinetscan.com
	We can see more domain previously served for malware drop with robtex graph