Malware Web Threats: SystemSecurity2009 spread new variants

Sunday, March 22, 2009

SystemSecurity2009 spread new variants - Fake Admess.Trojan

SystemSecurity2009 WinWebSecurity Spyware spread new variants

A few days ago, the famous WinWebSecurity (SystemSecurity2009) appear to
spread new variants. This rogue application install Internet Antivirus Pro a fake antispyware.

READ THIS page if you need more information

New sites on March 27

Site screenshot:

(redirectors: goscanplan.com)

fusescan4.com [March 24]
linescan6.com [March 25]
scan4any.com
scan4lite.com
scan4true.com
slotscan4.com [March 25]
wayscan4.com [March 24]

Fake Trojan-IM.Win32.Faker.a Alert - Internet Antivirus Pro Warning:

Trojan-IM.Win32.Faker.a
Virus.Win32.Faker.a
Trojan.PSW.BAT.Cunter

scan4lite.com Fake message: Trojan-IM.Win32.Faker.a

Fake messages:

scan4lite.com Fake Security Warning Message

Serious security and privacy threats found on your computer.

It may damage your files or steal your personal and financial information.

Click "OK" to start downloading CRITICAL security software update.

Other template:

greatvirusscan.com (March 1)
internetsafetyexamine.com (March 26)
internetsafetyskim.com (March 23)
myinternetexamine.com (March 26)
onlinescandetect.com (March 27)
scanalertspage.com
scanbaseonline.com (April 1)
securityexamine.com (March 30)
protectionskim.com
protectionexamine.com (March 26)
runpcscannow.com (March 30)
safetyscansite.com (March 23)
securityscanguide.com (April 1)
thestabilityinternet.com (March 23)
yourstabilitysystem.com (March 23)
yourinternetexamine.com (March 26)
youronlinestability.com (March 26)
wwwprotectionreads.com (March 25)
wwwprotectionread.com (March 21)
webnetsafety.com

Fake Scanner:

http://safetyscanworld.com/scan.php?affid=01990
http://scanalertspage.com/scan.php?affid=01990
http://thestabilityinternet.com/scan.php
http://yourstabilitysystem.com/scan.php?affid=08055
http://webnetsafety.com/scan.php?affid=01990
http://wwwsecurityread.com/scan.php?affid=01990
Redirector for wwwsecurityread.com (onlinedetect.com) Analysis

Same as stabilityinetscan.com here

Fake messages:

Warning!!! Your computer contains various signs of viruses and malware
programs presence.
Your system requires immediate anti viruses check!
System Security will perform a quick and free scanning of your PC
for viruses and malicious programs.

Your computer remains infected by viruses!
They can cause data loss and file damages and need to be
cured as soon as possible.
Return to System Security and download it secure to your PC

This program is potentially dangerous for your system.
Trojan-Downloader stealing passwords, credit cards and
other personal information from your computer.

You need to remove this threat as soon as possible!

Email-Worm.Win32.Net
Email-Worm.Win32.Myd
Trojan-Downloader.Win

Fake Windows Security Alert:

Admess.Trojan
zserv.Transponder.Trojan
Wstart.TrojanDownloader

Other sites:

getscanonline.com - ThreatExpert
onlinesafetyscansite.com - ThreatExpert
onlinescandetect.com - ThreatExpert
protectionexamine.com - ThreatExpert
protectionskim.com - ThreatExpert
runpcscannow.com - ThreatExpert
safetyscansite.com - TreathExpert
safetyscanworld.com - ThreatExpert
scanalertspage.com - ThreatExpert
scanbaseonline.com - ThreatExpert
securityexamine.com - ThreatExpert
securityscanguide.com - ThreatExpert
securityscansite.com - ThreatExpert
thestabilityinternet.com - ThreatExpert
youronlinestability.com - ThreatExpert
yourstabilitysystem.com - ThreatExpert
wwwprotectionread.com - ThreatExpert
wwwprotectionreads.com - ThreatExpert
wwwsecurityread.com - ThreatExpert
webnetsafety.com - ThreatExpert
xprotect.us - ThreatExpert

Analysis of scan4lite.com, scan4any.com, scan4true.com, openscan4.com:

Site URLs:	hxxp://www.scan4lite.com/22/?uid=keyin
	hxxp://scan4lite.com/download/install.php
	hxxp://www.scan4any.com/22/?uid=keyin
	hxxp://scan4any.com/download/install.php

File info:	install.exe

File size	40448 bytes
MD5	b5e3df07d5963928552015bdf202465f

ThreatExpert:	Report for InternetAntivirusPro
Anubis:	Report
VirusTotal:	Report

First received	03.24.2009 06:14:11 (CET)
Results	7/39 (17.95%)

Alias:	Trojan-Downloader.Win32.Renos.AQ!IK	a-squared
	Gen:Trojan.Heur.TDSS.2040BFAFAF	Bitdefender
	Suspicious file	eSafe
	Gen:Trojan.Heur.TDSS.2040BFAFAF	GData
	Trojan-Downloader.Win32.Renos.AQ	Ikraus
	VirTool:Win32/Obfuscator.DQ	Microsoft
	Trojan.Win32.Tdss.qxr (v)	Sunbelt
	Trojan-Downloader.Win32.Renos.AQ (Sig-Id:380322)	Ikarus Virus Scanner



Site URLs:	hxxp://scan4true.com/22/?uid=keyin
	hxxp://scan4true.com/download/install.php
	hxxp://openscan4.com/22/?uid=keyin
	hxxp://openscan4.com/download/install.php

Redirection:	Found on goscanway.com for scan4true.com [Analysis]

File info:	install.exe

File size	40960 bytes
MD5	ae744b601d2889e55fa507c297a47b16

ThreatExpert:	Report for Rootkit.Win32.TDSS
ThreatExpert:	ThreatExpert Report for install.exe [openscan4.com]
Anubis:	Anubis Report for install.exe [openscan4.com]
VirusTotal:	VirusTotal Report for install.exe [openscan4.com]

First received	03.25.2009 05:51:39 (CET)
Results	6/40 (15.00%)

Alias:	Trojan.Win32.FakeSpyguard!IK	a-squared
	Suspicious file	eSafe
	Packed.Win32.Tdss.f	F-Secure
	Trojan.Win32.FakeSpyguard	Ikarus
	Packed.Win32.Tdss.f	Kaspersky
	Trojan:Win32/InternetAntivirus	Microsoft



Site URLs:	hxxp://fusescan4.com/22/?uid=keyin
	hxxp://fusescan4.com/download/install.php
	http://scanfuse4.com/22/?uid=keyin
	http://scanfuse4.com/download/install.php
	hxxp://scanopen4.com/22/?uid=keyin
	hxxp://scanopen4.com/download/install.php
	hxxp://wayscan4.com/22/?uid=keyin
	hxxp://wayscan4.com/download/install.php

File info:	install.exe

File size	40448 bytes
MD5	c2863c37df25478a66986734e08143ea

Anubis:	Anubis Report
VirusTotal:	VirusTotal Report

First received	03.25.2009 15:08:26 (CET)
Results	4/40 (10.00%)

Alias:	Trojan-Downloader.Win32.Renos.AQ!IK	a-squared
	Suspicious file	eSafe
	Trojan-Downloader.Win32.Renos.AQ	Ikarus
	Trojan:Win32/InternetAntivirus	Microsoft

VirusTotal:	VirusTotal Second Report

Reanalysed	03.25.2009 23:19:58 (CET)
	10/40 (25.00%)

Alias:	Trojan-Downloader.Win32.Renos.AQ!IK	a-squared
	FakeAlert.IN	AVG
	Trojan.DownLoad.26790	DrWeb
	Suspicious File	eSafe
	Trojan-Downloader.Win32.Renos	Ikarus
	Trojan-Downloader.Win32.FraudLoad.dyi	Kaspersky
	Generic!Artemis	McAfee+Artemis
	Trojan.LooksLike.PCK.Tdss	McAfee-GW-Edition
	Trojan:Win32/InternetAntivirus	Microsoft
	Mal/TDSSPack-A	Sophos



Site URLs:	hxxp://linescan6.com/22/?uid=keyin
	hxxp://linescan6.com/download/install.php

File info:	install.exe

File size	40448 bytes
MD5	01c7559c1ffb94c7f48c3c7ceaee1742

VirusTotal:	VirusTotal Report

First received	03.25.2009 19:23:37 (CET)
Results	4/40 (10.00%)

Alias:	SecurityRisk.Downldr	[Symantec]
	Trojan-Downloader.Win32.Renos.AQ!IK	a-squared
	Suspicious file	eSafe
	Trojan-Downloader.Win32.Renos.AQ	Ikarus
	Trojan:Win32/InternetAntivirus	Microsoft



Site URLs:	hxxp://slotscan4.com/22/?uid=keyin
	hxxp://slotscan4.com/download/install.php

File info:	install.exe

File size	40448 bytes
MD5	0f4a296648be81e091348115ef03620a

VirusTotal:	VirusTotal Report

First received	03.25.2009 19:25:43 (CET)
Results	4/40 (10.00%)

Alias:	SecurityRisk.Downldr	[Symantec]
	Trojan-Downloader.Win32.Renos.AQ!IK	a-squared
	Suspicious file	eSafe
	Trojan-Downloader.Win32.Renos.AQ	Ikarus
	Trojan:Win32/InternetAntivirus	Microsoft



Site URLs:	hxxp://home6scan.com/22/?uid=keyin
	hxxp://home6scan.com/download/install.php



File info:	RegCureSetup_RW.exe
File info:	install.exe

File size	40960 bytes
MD5	805d2e58e045471056b0bb7376b5b276

Anubis:	Anubis Report
VirusTotal:	VirusTotal Report 1
VirusTotal:	VirusTotal Report 2

First received	03.26.2009 22:50:25 (CET)
Results	6/39 (15.39%)

Alias:	Trojan-Downloader.Win32.Renos.AQ!IK	a-squared
	Suspicious file	eSafe
	Trojan-Downloader.Win32.Renos.AQ	Ikarus
	Generic!Artemis	McAfee+Artemis
	Trojan.Dldr.LooksLike.FraudLoad	McAfee-GW-Edition
	Trojan:Win32/InternetAntivirus	Microsoft



Site URLs:	hxxp://scanlist4.com/22/?uid=keyin
	hxxp://scanlist4.com/download/install.php

File info:	install.exe

File size	40448 bytes
MD5	bcfede07fc9834bab8c114af357bd559

Anubis:	Anubis Report
VirusTotal:	VirusTotal Report

First received	03.26.2009 22:50:25 (CET)
Results	6/39 (15.39%)

Alias:	Trojan-Downloader.Win32.Renos.AQ!IK	a-squared
	Suspicious file	eSafe
	Trojan-Downloader.Win32.Renos.AQ	Ikarus
	Trojan.Dldr.LooksLike.FraudLoad	McAfee-GW-Edition
	VirTool:Win32/Obfuscator.DQ	Microsoft

Result when running:

HTTP Request: 78.159.101.27:80- [in4ik.com]
Request: GET /download/InternetAntivirusPro.exe

Analysis of yourstabilitysystem.com, protectionexamine.com:

Site URLs:	yourstabilitysystem.com/download.php?affid=00000
	yourstabilitysystem.com/load.swf?&p=0&t=_self&u= download.php?affid=..



File info:	install.exe

File size	106536 bytes
MD5	3866b483ba93922bd6c07327c2c93b74



ThreatExpert	Other source
ThreatExpert:	Report
Anubis:	Report
VirusTotal:	Report
Prevx:	Report

First received	03.24.2009 10:11:44 (CET)
Results	Result: 10/39 (25.64%)

Alias:	Trojan-Dropper.Agent!IK	a-squared
	FakeAler.II	AVG
	Suspicious file	eSafe
	Rogue:W32/Winwebsec.C	F-Secure
	PECompact	Kaspersky
	Program:Win32/Winwebsec	Microsoft
	Medium Risk Malware	Prevx
	Trojan.Win32.FakeAV.ik	Rising
	Mal/FakeAV-AD	Sophos
	Trojan-Dropper.Agent (Sig-Id:315644)	Ikarus Virus Scanner



Site URLs:	hxxp://protectionexamine.com
	hxxp://protectionexamine.com/download.php

File info:	install.exe

File size	121894 bytes
MD5	05a446ef1a99d872a7cae5061ab8c6bc

VirusTotal:	VirusTotal Report
Anubis:	Anubis Report
ThreatExpert:	ThreatExpert Report

First received	03.26.2009 03:53:02 (CET)
Results	17/40 (42.5%)

Alias:	ADSPY/AdSpy.Gen	Antivir
	FakeAlert.II	AVG
	(Suspicious) - DNAScan	CAT-QuickHeal
	Trojan.Fakealert.4123	DrWeb
	Suspicious File	eSafe
	PECompact	F-Secure
	PECompact	Kaspersky
	Ad-Spyware.AdSpy.Gen	McAfee-GW-Edition
	Program:Win32/Winwebsec	Microsoft
	Win32/Adware.SystemSecurity	NOD32
	Adware/SystemSecurity	Panda
	Medium Risk Malware	Prevx1
	Trojan.Win32.FakeAV.ik	Rising
	Mal/FakeAV-AD	Sophos
	Downloader.MisleadApp	Symantec
	PAK_Generic.001	Trend Micro
	Hoax.Win32.SystemSecurity	VBA32

	Prevx: 02419843.EXE



	Site URLs:	hxxp://myinternetexamine.com
		hxxp://yourinternetexamine.com/installer_1.exe

	File info:	installer_1.exe

	File size	546816 bytes
	MD5	916e0f7aef7f1ea6308fa886d41ed750

	VirusTotal:	VirusTotal Report
	ThreatExpert:	ThreatExpert Report

	First received	03.25.2009 17:40:43 (CET)
	Results	15/40 (37.50%)

	Alias:	Trojan.Renos

Result when running:

Same image below

HTTP Request: 209.44.126.14:80 - [yourstabilitysystem.com]
Request: GET /install/ws.zip

	File info:	ws.zip

	File size	486912 bytes
	MD5	98c4ef71de9efbe243e8456a9896525a



	VirusTotal:	Report

	First received	03.24.2009 10:35:59 (CET)
	Results	Result: 9/39 (25%)

	Alias:	FakeAlert.II [AVG]
		Suspicious File [eSafe]
		Program:Win32/Winwebsec [Microsoft]

Analysis after decompression of ws.zip

	File info:	av.exe
		av.glu (config file)

	File size	486912 bytes
	MD5	98c4ef71de9efbe243e8456a9896525a



	VirusTotal:	Report

	First received	03.23.2009 16:30:10 (CET)
	Results	Result: 5/39 (12.82%)

	Alias:	FakeAlert.II [AVG]
		Suspicious File [eSafe]
		Program:Win32/Winwebsec [Microsoft]

Result for protectionexamine.com

Same image below

HTTP Request: 94.247.3.3:80 - [protectionexamine.com] ZlKon
Request: GET /install/ws.zip

	File info:	ws.zip

	File size	393512 bytes
	MD5	130bd371cebd991641496329afc8aa60



	VirusTotal:	Report

	First received	03.26.2009 04:10:33 (CET)
	Results	Result: 13/40 (32.5%)

	Alias:	Generic.Win32.Malware!IK [a-squared]
		TR/Fake.SysSec [Antivir]
		FakeAlert.II [AVG]
		Suspicious File [eSafe]
		PECompact [F-Secure]
		Generic.Win32.Malware [Ikarus]
		PECompact [Kaspersky]
		Generic!Artemis [McAfee+Artemis]
		Trojan.Fake.SysSec [McAfee-GW-Edition]
		Program:Win32/Winwebsec [Microsoft]
		Adware/SystemSecurity [Panda]
		Trojan.Fakeavalert [Symantec]
		Hoax.Win32.SystemSecurity [VBA32]

Analysis after decompression of ws.zip

	File info:	av.exe
		av.glu (config file)

	File size	522240 bytes
	MD5	565d30af7e1a42cdb859ae60c290b064



	VirusTotal:	Report

	First received	03.25.2009 17:06:13 (CET)
	Results	Result: 7/39 (17.95%)

	Alias:	TR/Fake.SysSec [Antivir]
		FakeAlert.II [AVG]
		Suspicious File [eSafe]
		PECompact [F-Secure]
		PECompact [Kaspersky]
		Trojan.Fake.SysSec [McAfee-GW-Edition]
		Program:Win32/Winwebsec [Microsoft]

Analysis of protectionskim.com:

	Site URLs:	protectionskim.com/download.php?affid=00000



	File info:	install.exe

	File size	94127bytes
	MD5	cede29db9fdae662c59d6a01da7a85f3



	ThreatExpert	Other source
	ThreatExpert:	Report
	Anubis:	Report
	VirusTotal:	Report

	First received	03.21.2009 16:00:04 (CET)
	Results	12/39 (66.67%)

	Alias:	W32/FakeAV.8074!tr
		Trojan-Downloader.Win32.FraudLoad.vmtk
		SHeur2.WXJ
		TR/Crypt.XPACK.Gen
		Sus/FakeAV-A
		Trojan-Dropper.Agent (Sig-Id:315644) [Ikarus Virus Scanner]

Result when running:

HTTP Request: 209.44.126.22:80 - [protectionskim.com]
Request: GET /install/ws.zip

	File info:	av.exe
		av.glu (config file)

	File size	315392 bytes
	MD5	f54d79a2fb5e0b21a4caf6cbe165b839



	ThreatExpert	Other source - av.exe
	VirusTotal:	Report

	First received	03.22.2009 00:02:45 (CET)
	Results	Result: 2/39 (41.03%)

	Alias:	(Suspicious) - DNAScan [CAT-QuickHeal]
		Suspicious File [eSafe]
		Win32.FraudLoad.vmsd [Kaspersky]

Analysis of scanalertspage.com:

	Site URLs:	scanalertspage.com/download.php?affid=00000



	File info:	install.exe

	File size	94767 bytes
	MD5	5da9957ea446494a800fa772c1cac5ba



	ThreatExpert	Other source
	ThreatExpert:	Report
	Anubis:	Report
	VirusTotal:	Report

	First received	03.22.2009 10:25:32 (CET)
	Results	9/39 (23.08%)

	Alias:	SHeur2.WXJ
		Trojan-Downloader.Win32.FraudLoad.dxh
		Sus/FakeAV-A
		Trojan-Dropper.Agent (Sig-Id:315644) [Ikarus Virus Scanner]

Result when running:

HTTP Request: 209.44.126.14:80 - [scanalertspage.com]
Request: GET /install/ws.zip

	File info:	av.exe
		av.glu (config file)

	File size	315392 bytes
	MD5	f54d79a2fb5e0b21a4caf6cbe165b839



	VirusTotal:	Report

	First received	03.22.2009 00:02:45 (CET)
	Results	Result: 3/39 (41.03%)

	Alias:	(Suspicious) - DNAScan [CAT-QuickHeal]
		Suspicious File [eSafe]
		Win32.FraudLoad.vmsd [Kaspersky]

Analysis of webnetsafety.com:

	Site URLs:	webnetsafety.com/download.php?affid=00000



	File info:	install.exe

	File size	94765bytes
	MD5	23d7d57fa37c5882cb9a4fcf0652615d



	ThreatExpert	Other source
	ThreatExpert:	Report
	Anubis:	Report
	VirusTotal:	Report

	First received	03.22.2009 10:25:32 (CET)
	Results	9/39 (23.08%)

	Alias:	SHeur2.WXJ
		Trojan-Downloader.Win32.FraudLoad.dxh
		Sus/FakeAV-A
		Trojan-Dropper.Agent (Sig-Id:315644) [Ikarus Virus Scanner]

Result when running:

HTTP Request: 94.247.3.74:80 - [webnetsafety.com]
Request: GET /install/ws.zip

	File info:	av.exe
		av.glu (config file)

	File size	315392 bytes
	MD5	f54d79a2fb5e0b21a4caf6cbe165b839



	VirusTotal:	Report

	First received	03.22.2009 00:02:45 (CET)
	Results	Result: 3/39 (41.03%)

	Alias:	(Suspicious) - DNAScan [CAT-QuickHeal]
		Suspicious File [eSafe]
		Win32.FraudLoad.vmsd [Kaspersky]

Application screenshot:

Malware Web Threat Research

Active attacks: LATEST ADDITIONS

78.129.166.166
Malware drop

my-xtube.com
free-porn-host.com
xmovies-central.com
top-porn-tubes.com
my-fuck-movies.com
youtube-xmovies.com
yourporn-xmovies.com
209.44.126.22
Malware drop: Fake Antivirus

websecuritypolice.com
futureinternetsecurity.com
websecuritybureau.com
techsecurityscan.com
securityexamination.com
webbrowsersecurity.com
onlinebrandsecuritys.com
209.44.126.241
Malware drop: Fake Antivirus

freeforscanpc.com
xvirusdescan.com
trustedwebsecurity.com
allowedwebsurfing.com
truevirusshield.com
greatscansecurity.com
216.240.143.7
Malware drop

better-tube-show.com
hot-tube-area.com
megacooltubes2009.com
91.212.132.11
Malware drop

xmovies-host.com
porn-tube-host.com
91.212.65.54
Malware drop

sdfv-programs.com
91.212.65.55
Malware drop: Fake Antivirus

thesecurityscan.com
91.207.61.37
Malware drop

googleanalytlcs.net
google-analytlcs.com
pornorawa.com
209.44.126.102
Malware drop: Fake Antivirus

star4scan.info
scanfan4.info
scanstar4.info
scanray4.info
scanmix4.info
scanmini4.info
scanatom4.info
209.44.126.102
Malware drop: Fake Antivirus

ray4scan.info
scanmix4.info
206.53.61.74
Malware drop: Fake Antivirus

virussweeperpro.com
update1.virusshieldpro.com
206.53.61.76
Malware drop: Fake Antivirus

virussweeper-scan.net
206.53.61.76
Malware drop: Fake Antivirus

virusshield-scanvirus.net
194.165.4.77
Fraudulent Payment for Rogue AV

securebill09.com/pp/
194.165.4.77
Fraudulent Payment for Rogue AV

winpcdefender09.com
194.165.4.140
Fraudulent Payment for Rogue AV

iantivirus-pro.com
iantiviruspro.com
91.212.65.55
Malware drop: WinWebSecurity

webeyesecurity.com
209.44.126.102
Malware drop: Fake Antivirus

scan4fan.info
fan4scan.info
lux4scan.info
atom4scan.info
scan4mini.info
scan4mix.info
mini4scan.info
scanline6.info
209.44.126.102
Malware drop: Fake Antivirus

scan4star.info
scan4ray.info
scan4atom.info
38.105.19.27
Malware drop: Fake Antivirus

scan6open.com
open6scan.com
scan6fuse.com
fusescan6.com
78.159.115.216
Malware drop: Fake Antivirus

way6scan.com
fuse6scan.com
91.212.65.54
Malware drop

kxc-softwaresportal.com
cls-softwares.com
slk-softwareportal.com2
212.95.58.156
Malware drive-by-download

berusimcom.com
95.129.144.236
Malware drop: Fake Antivirus

winpc-antivirus.com
freewebmypcscan.com
91.212.41.110
Malware drive-by-download

islandtravet.cn
clubmillionswow.cn
litefront.cn
liteauction.cn
melodynew.cn
zyne4ka.com
workfuse.cn
apprecearlyrock.com
91.212.41.96
Malware drive-by-download

goldrushclub.cn
schoolh.cn
designroots.cn
housevisual.cn
rainfinish.cn
bookadorable.cn
91.212.65.55
Malware drop: WinWebSecurity

onlinesecurityhost.com
justwebsecurity.com
globalsecurityscan.com
onlinebrandsecurity.com
internetsafetyexamine.com
youronlinestability.com
78.159.115.215
Malware drop

line4scan.info
scanline4.info
scan4log.info
log4scan.info
logscan4.info
list6scan.com
209.44.126.102
Malware drop: Fake Antivirus

fanscan4.com
starscan4.com
rayscan4.com
mixscan4.com
mixscan4.com
miniscan4.com
209.44.126.102
Malware drop: Fake Antivirus

scan4lux.info
way4scan.info
wayscan4.info
scan4way.info
scanway4.info
main4scan.info
mainscan4.info
scanmain4.info
209.44.126.102
Malware drop: Fake Antivirus

scan4main.info
scan4zoom.info
scan4true.info
scan4user.info
scan4way.info
scantrue4.info

truescan4.info
userscan4.info
wayscan4.info
209.44.126.102
Malware drop: Fake Antivirus

zoomscan4.info
scanmega4.info
scan4mega.info
mega4scan.info
scan4mix.com
scanray4.com
scan4ray.com
ray4scan.com
78.159.115.215
Malware drop: Fake Antivirus

gechscan.info
scangech.info
scangechscan.info
scanscangech.info
freescangech.info
freegechscan.info
gescanch.info
gechscannow.info
78.159.115.215
Malware drop: Fake Antivirus

gescanchnow.info
nowscangech.info
scan4lite.info
scanlite4.info
lite4scan.info
litescan4.info
scan4list.info
scanlist4.info
78.159.115.215
Malware drop: Fake Antivirus

list4scan.info
listscan4.info
lead4scan.info
scan4lead.info
linescan4.info
livescan4.info
scan4line.info
scan4list.info
78.159.115.215
Malware drop

goscanarea.com
goscanelite.com
goscanfile.com
goscanfix.com
goscangoal.com
goscankey.com
goscanmeta.com
goscanmore.com
78.159.115.215
Malware drop

goscannote.com
goscantop.com
goscanwork.com
goareascan.com
goelitescan.com
gofilescan.com
gofixscan.com
gogoalscan.com
78.159.115.215
Malware drop

gokeyscan.com
gometascan.com
gomorescan.com
scanlive4.info
cogech.com
geninch.com
stagech.com
85.17.189.183
IFRAME Attack

firstplumb.info
38.113.1.102
IFRAME Attack

antivirus.vc
209.44.100.58
IFRAME Attack

travelto.uz.ua
209.44.126.241
Malware drop: Fake Antivirus

updateyoursecurity.com
78.129.166.166
Malware drop: Fake Codec

free-xxx-central.com
free-tube-video-central.net
xtube-xmovie.com
porn-tube-movies.com
194.165.4.77
Malware drop

tubeontvgl.com/scan/
tubeontvgl.com/tube/
litetubevideoz.com/scan/
litetubevideoz.com/tube/
loyalvideoz.com/tube/
loyalvideoz.com/scan/
loyal-porno.com/tube/
loyal-porno.com/scan/
194.165.4.77
Malware drop

truepornvideo.com/scan/
truepornvideo.com/tube/
truepornupload.com
videoporntrue.com
64.20.33.156
Malware drop: Fake Antivirus

step6scan.info
stepscan6.info
scanstep6.info
scan6step.info
scan6ray.info
ray6scan.info
fuse6scan.info
fusescan6.info
64.20.33.156
Malware drop: Fake Antivirus

scan6fuse.info
scan6star.info
scanfuse6.info
star6scan.info
195.88.80.41
Malware drop

ded-softportal.com
63.146.2.92
Malware drop

any4scan.info
anyscan4.info
atom4scan.com
atomscan4.com
base4scan.info
basescan4.info
bestscan4.info
bestscan7.com
63.146.2.92
Malware drop

data4scan.info
datascan4.info
easy4scan.info
easyscan4.info
ever4scan.info
everscan4.info
fast4scan.info
fastscan4.info
63.146.2.92
Malware drop

fuse4scan.info
fusescan4.info
goareascan.com
goscanarea.com
gomindscan.com
goscanatom.com
in4st.com
in4tk.com
63.146.2.92
Malware drop

gate4scan.info
gatescan4.info
scan4gate.com
scangate4.info
63.146.2.92
Malware drop

lux4scan.com
luxscan4.com
new7scan.com
newscan4.info
plus4scan.info
plusscan4.info
scan4any.info
scan4atom.com
63.146.2.92
Malware drop

scan4base.info
scan4data.info
scan4easy.info
scan4ever.info
scan4fast.info
scan4fuse.info
scan4list.com
scan4star.com
63.146.2.92
Malware drop

scan7new.com
scanany4.info
scanbase4.info
scanbest4.info
scandata4.info
scaneasy4.info
scanever4.info
scanfast4.info
63.146.2.92
Malware drop

scanfuse4.info
scanmix4.com
scannew4.info
scanplus4.info
scansafe4.info
scanstar4.com
scantool4.info
scanuser4.info
63.146.2.92
Malware drop

home4scan.info
scan4home.info
scanhome4.info
scanzoom4.info
star4scan.com
tool4scan.info
user4scan.info
zoom4scan.info
209.44.126.22
Malware drop: WinWebSecurity

socialsecurityscan.com
thefullvirusscan.com
66.96.252.199
Malware drop: Fake Antivirus

scan4now.info
scannow4.info
now4scan.info
nowscan4.info
scan4tool.info
toolscan4.info
scan4step.info
scanstep4.info
66.96.252.199
Malware drop: Fake Antivirus

scan4safe.info
safescan4.info
scansafe4.info
safe4scan.info
66.96.252.199
Malware drop: Fake Antivirus

gonotescan.com
goscanwork.com
step4scan.info
stepscan4.info
open4scan.info
openscan4.info
scan4open.info
scanopen4.info
69.10.52.11
Malware drop

scan5best.info
scanbest5.info
best5scan.info
bestscan5.info
scan5live.info
live5scan.info
fast5scan.com
66.101.58.54
Malware drop

gotopscan.com
91.207.61.48
Malware drop

wovens.info
216.195.35.99
Drive-by-downloads

seaarch.info/in.cgi?2&group=5
209.44.126.14
Malware drop: Fake Antivirus

allvirusscannow.com
bastvirusscan.com
fullsecurityaction.com
topwinsystemscan.com
totalvirushield.com
totalsystemguard.com
truevirusscan.com
yourpcshield.com
209.44.126.15
NS for malware domain

ns1.ahuliard.com
ns2.ahuliard.com
ns1.moregreatsites.com
ns2.moregreatsites.com
94.247.2.123
Malware drop: Fake Antivirus

avscanonline.com
66.206.17.32
Malware drop

leadscan6.info
listscan6.com
list6scan.info
listscan6.info
litescan6.info
scanlead6.info
scan6list.info
scanlist6.info
66.206.17.32
Malware drop

scan6lead.info
scanlite6.info
scan6line.info
66.206.17.29
Malware drop

in6sd.com
in6iq.com
216.32.83.110
Malware drop

delshiktds.com
gozbest.net
64.92.170.128
Malware drop

myhealtharea.cn
zbesttds.com
64.92.170.129
Malware drop

myhealtharea.net
209.44.126.14
Malware drop: WinWebSecurity

bastvirusscan.com
pcguardscan.com
fastsecurityscan.com
fastviruscleaner.com
firstscansecurity.com
myfirstsecurityscan.com
systemvirusscan.com
totalvirusdestroyer.com
69.10.52.12
Malware drop

fast5scan.com
gowithscan.com
easy5scan.com
goscanlux.com
live5scan.info
new5scan.info
scan5best.info
69.10.52.12
Malware drop

scan5live.info
scan5new.info
78.159.118.229
Malware drop

gomodescan.com
66.206.17.28
Malware drop

base6scan.info
lead6scan.info
leadscan6.info
justscan6.info
just6scan.info
scanbest6.info
scantrue6.com
stepscan6.com
66.206.17.28
Malware drop

scan6data.info
scan6ever.info
scanever6.info
home6scan.info
scanjust6.info
scan6just.info
goscanlux.com
scandata6.com
66.206.17.28
Malware drop

scandata6.info
scan4data.info
scandata4.info
scanmini6.info
scan6lead.info
scanlead6.info
scan6line.info
scan6list.info
66.206.17.28
Malware drop

base6scan.info
justscan6.info
scan6user.com
scanbest6.info
scantrue6.com
stepscan6.com
step6scan.com
scan6user.com
66.206.17.28
Malware drop

scan6fan.info
scanlist6.info
scanlite6.info
gomixscan.com
goonlyscan.com
209.44.126.29
IFRAME Attack

individualpeople.biz
85.17.189.183
IFRAME Attack

firstplumb.info
88.214.202.224
IFRAME Attack

jafarcompany.biz
211.95.73.189
Malware drop

dlsg09.com
dlsgd3.com
getsgd3.com
getsysgd09.com
gomaldef092.com
gosgd3.com
211.95.73.189
Malware drop

scan.systemcleaner22.com
spywareremover21.com
systemguard2009.com
195.88.81.93
Malware drop

top-scanner-av-4pc.com
scan-anti-spy-av.com
scan-antispyware-4pc.com
msscanner-top-pc.com
msscan-files-antivir.com
msscanner-files-av.com
195.88.81.74
Malware drop

files.scanner-antispy-av-files.com
206.53.61.74
Malware drop

ms-load-top-files.com
virussweeper-scan.com/?p
extraantivir.com
87.248.163.58
IFrame

beebest.cn
stopgam.cn
87.248.163.58
Malware drop

098765.com/in.php
999666999.com/in.php
berrousmark2009.com/in.php
massmarker2009.com/in.php
74.125.45.100
Malware drop

goscanhigh.com
195.88.81.37
Malware drop

pro-scanner-av-pc.com
195.88.81.74
Malware drop

scanner-antispy-av-files.com
66.197.154.199
Malware drop: InternetAntivirusPro

anyscan6.info
atom6scan.info
scan6data.com
gofanscan.com
goscanfan.com
goscanstar.com
goscanmini.com
goscanlite.com
66.197.154.199
Malware drop: InternetAntivirusPro

scan6base.info
gominiscan.com
scanbase6.info
gofanscan.com
scanbest6.com
scan6fast.com
any6scan.com
true6scan.com
66.197.154.199
Malware drop

scan6atom.info
scanany6.info
goscanmix.com
209.44.126.14
Malware drop: Fake Antivirus

anytoplikedsite.com
trustsecurityshield.com
topsecurity4you.com
cleanyourpcspace.com
fullsecurityshield.com
greatsecurityshield.com
topsecurityapp.com
fullandtotalsecurity.com
209.44.126.14
Malware drop: Fake Antivirus

securityscan4you.com
securitytopagent.com
checkonlinesecurity.com
inetsecuritycenter.com
scanprotectiononline.com
todaybestscan.com
greatsecurityshield.com
mytoplikedsite.com
78.159.101.22
Malware drop: Fake Antivirus

tool4scan.info
174.142.113.206
Malware drop

best-click-av1.info
download.best-click-av1.info
195.88.81.12
Malware drop

super-top-scan-pro.com
dl.super-top-scan-pro.com
78.26.179.239
Malware drop

anispy-storage-ms.com
dl.anispy-storage-ms.com
84.16.227.223
Malware drop

theonlinesecurityscan.com
zerocleaner.com
195.88.80.207
Malware drop

int.proreportms1.com
195.88.81.93
Malware drop

msscanner-top-av.com
78.26.179.137
Malware drop

files.load-ms-av-soft.com
78.26.179.239
Malware drop

dl.anispy-storage-ms.com
94.247.2.215
Malware drop: AntivirusPlus

av-plus-support.com
bestexaminedisease.cn
freecoverstore.cn
friskdiseaselive.cn
yourfriskdisease.cn
bestdefenselive.cn
bigprotectionlive.cn
bigcoverlive.cn
94.247.2.215
Malware drop: AntivirusPlus

bestcountedantivirus.com
countedantiviruspro.com
myplusantiviruspro.com
addedantivirusonline.com
ascertaindiseasepro.cn
easyserviceprotection.cn
bestcover4u.cn
94.247.2.215
Malware drop: AntivirusPlus

addedantivirusstore.com
addedantiviruslive.com
realantivirusplus.com
yourguardstore.cn
myplusantiviruslive.com
94.247.3.4
NS for attack websites

ns1.webwedesecurity.com
94.247.3.5
NS for attack websites

ns2.webwedesecurity.com
91.212.65.10
Malware drop (Forum XSS)

free-web-scaners.info
trucount3000.com

Italian IP
User:jecknic
Mail: sdertreqw@mail.ru
194.165.4.77
Malware drop

uploadmoviez.com
winpcdown9.com
winpcdown10.com
winpcdown99.exe
92.38.0.41
Malware drop

winpcdown09.com
72.167.121.94
Attack website

tds.ibestadult.info
64.69.32.220
Malware drop

av-pro-check.com
scan-check-pro.com
ms-antiviral-scan-av.com
91.212.41.111
Attack website

lemmydislikes.com
greenhistory.cn
aabg.yrapyatnica.com
91.212.41.119
Attack website

tixwagoq.cn
91.212.65.7
Attack website

paylayos.cn
67.15.192.26
New ATTACK 06-apr: IFRAME

host02.digitaleffex.net
67.15.192.127
New ATTACK 06-apr: IFRAME

ecom.rarebreedfootwear.com
67.15.192.127
New ATTACK 06-apr: IFRAME

islandtravets.cn/in.cgi?6
67.15.192.127
NS for attack websites

ns1.freednshostway.com
ns2.freednshostway.com
ns3.freednshostway.com
ns4.freednshostway.com
ns5.freednshostway.com
67.15.192.127
NS for attack websites

ns1.basicstechnology.com
ns2.basicstechnology.com
ns3.basicstechnology.com
222.186.9.187
Malware drop rogue av

darksideddl.com
secureserver1.cc
secureserver2.cc
secureserver3.cc
secureserver4.cc
secureserver5.cc

67.215.245.9
Malware drop rogue av

totalmalwareprotection.com
totalvirusprotection.com
83.133.123.166
Malware drop rogue av

setup.xpvirusprotection.com/
setup.xpvirusprotection2009.com
66.197.154.198
Malware drop: WinWebSecurity

lite6scan.com
scanany6.com
datascan6.com
goscandata.com
truescan6.com
anyscan6.com
scan6tool.com
stepscan6.com
94.247.2.74
Zlkon Malware drop

hot-girl-sex-tube.com
ms-antiviruschecker.com
ms-antiviruschecker.com
sex-super-tube-site.com
sysantivirstorage.com
94.247.2.85
Zlkon Malware drop

ms-downloadsav.com
pro-antispy-scan.com
94.247.2.132
Zlkon Malware drop

sysantivir-checker.com
94.247.2.212
Zlkon Malware drop

servicedm.cn
94.247.2.48
Zlkon Malware drop

privatesecuritycenter.com

94.247.2.53
Zlkon Malware drop

sysantivir-checker.com
94.247.2.x
Exploits/LuckySploit

94.247.2.48
94.247.2.50
94.247.2.157
94.247.2.195
94.247.2.x
Zlkon Malware TDSS

94.247.2.95
94.247.2.107
94.247.2.157
LuckySploit

gogo2me.net
78.26.179.131
Malware drop

antiviruschecker-ms.net
best-tube-home.com
cool-sext-tube-site.com
msantivirus-checker.com
nanochecker-av.com
78.26.179.132
Malware drop

scan.avnanocheck.com
78.26.179.240
Malware drop

best-as-tube.com
hot-sex-scanner.com
sex-scanner-pro.com
64.69.32.220
Malware drop

antispywarecheck2009.com
antispywarecheck-2009.com
antispywarechecker-2009.com
av-pro-check.com
best-sex-scanner.com
hot-tube-ass.com
64.69.42.139
Malware drop

antispywarechecker2009.com
hot-tube-super-sex.com
ms-checker-best-av.com
64.69.32.228
Malware drop

sysantivirchecker.com
94.247.2.215
Malware drop: AntivirusPlus

bigdefense2u.cn
myascertainpoison.cn
easyaddedantivirus.com
easyincomeprotection.cn
easydefenseonline.cn
examineillnesslive.cn
yourguardpro.cn
yourcountedantivirus.com
94.247.2.215
Malware drop: AntivirusPlus

addedantiviruspro.com
bestfriskviruslive.cn
94.247.2.215
Malware drop: Antivirus2010

easyaddedantivirus.com
easypersonalprotection.cn
freedefenseforyou.cn
mycheckdiseasepro.cn
mycheckdiseasestore.cn
mydefense4u.cn
mydefense4you.cn
myguardforyou.cn
213.163.65.10
Malware drop: AntivirusPlus

iloveyourbrain.com
94.247.2.215
NS for Malware domain

ns1.pubilcnameserver7.com
94.247.2.216
NS for Malware domain

ns2.pubilcnameserver7.com
209.44.126.15
NS for Malware domain

ns1.fuckmoneycash.com
209.44.126.16
NS for Malware domain

ns2.fuckmoneycash.com
94.247.3.40
Malware drop: Antivirus2009

antivirusonlineproscanner.com
fastantimalwarescan.com
94.247.3.40
Malware drop

whereismat.cn
falloutneferwin.cn
tabletpccomputing.cn
whreismyplugnplay.cn
fastantimalwarescan.com
94.247.2.84
Malware drop

files.msas2009dl.com
94.247.2.215
Malware drop: Antivirus2010

newguard4u.cn
newguard4you.cn
refugepro.cn
yourguard4you.cn
myourguardforyou.cn
yourguardonline.cn
yourguardpro.cn
209.44.126.14
Malware drop: WinWebSecurity

mytopvirusscan.com
thegreatsecurity.com
topsoftscanner.com
upyoursecurity.com
213.163.65.10
Malware drop: Fake Codec

tubeloyaln.com
66.197.154.198
Malware drop: WinWebSecurity

litescan6.com
scan6main.com
scan6safe.com
userscan6.com
scan6zoom.com
megascan6.com
nowscan6.com
scan6plus.info
66.197.154.198
Malware drop: WinWebSecurity

goscanside.com
scan6zoom.com
megascan6.com
nowscan6.com
scan6plus.info
78.159.101.27
Malware drop: WinWebSecurity

gohighscan.com
goscanplan.com
78.159.101.27
Malware drop: AntivirusPlus

best4scan.info
new4scan.info
pro4scan.info
scan4live.info
scan4pro.info
goscanlist.com
goscanplan.com
78.159.101.37
Malware drop: WinWebSecurity

fusescan4.com
openscan4.com
scanslot4.com
78.159.101.14
Malware drop: WinWebSecurity

fuse4scan.com
scanfuse4.com
scanlist4.com
scanopen4.com
wayscan4.com
78.159.101.27
Malware drop: WinWebSecurity

scan4plus.info
gofullscan.com
list4scan.com
scan4true.com
scan4open.com
in4iz.com
in4co.com
in4ik.com
78.159.101.27
Malware drop: WinWebSecurity

any4scan.com
scan4way.com
78.159.101.43
Malware drop: WinWebSecurity

slotscan4.com
78.159.101.44
Malware drop: WinWebSecurity

scanstep4.com
78.159.101.55
Malware drop: WinWebSecurity

scan4data.com
78.159.101.66
Malware drop: WinWebSecurity

scan4fuse.com
scan4lite.com
gotimescan.com
slot4scan.com
69.10.52.12
Malware drop: WinWebSecurity

plus5scan.com
in5ck.com
plusscan5.com
5scanav.com
scan5plus.com
scan5av.com
goscantip.com
69.10.52.12
Malware drop: InternetAntivirusPro

bestscan5.com
in5is.com
in5sk.com
in5ik.com
66.197.154.197
Malware drop: WinWebSecurity

unionshells.net
66.197.154.198
Malware drop: WinWebSecurity

gohardscan.com
goportscan.com
goscanhard.com
goscanmind.com
goscanport.com
goscanquick.com
in4ik.com
scan6mega.com
66.197.154.198
Malware drop: WinWebSecurity

golitescan.com
logscan6.com
home6scan.com
mainscan6.com
goscanplan.com
goscantime.com
66.197.154.199
Malware drop: InternetAntivirusPro

gotipscan.com
scanlite6.com
scan6step.com
scan6log.info
log6scan.info
mainscan6.info
gen6in.com
gen6iz.com
66.197.154.199
Malware drop: InternetAntivirusPro

scan6lite.com
scanlive6.info
linescan6.info
scanstep6.com
in6st.com
in6iz.com
in6ck.com
in6sk.com
66.197.154.xxx
Malware drop: InternetAntivirusPro

66.197.154.197
66.197.154.198
66.197.154.199
66.197.154.200
66.197.154.201
72.232.186.18
Malware site: WinWebSecurity

systemsecurityline.com
212.95.63.237
Redirectors

netservice1.net
netservice2.net
78.26.179.34
Malware drop: Privacy components

tube-funs-world.com
78.26.179.28
Malware drop: Fake Codec

adult-tube-downloads.net
209.44.126.14
Malware drop: WinWebSecurity

bestfiresfull.com
fuckmoneycash.com
getpcguard.com
getscanonline.com
mostpopularscan.com
onlinescandetect.com
onlinescanservice.com
popularpcscan.com
209.44.126.14
Malware drop: WinWebSecurity

runpcscannow.com
scanalertspage.com
scanvistanow.net
yourstabilitysystem.com
vistastabilitynow.com
vistastabilitynow.net
209.44.126.16
Malware drop: WinWebSecurity

systemsecurityonline.com
systemsecuritytool.com
209.44.126.22
Malware drop: WinWebSecurity

onlinestabilityguide.com
onlinestabilityworld.com
protectionskim.com
onlinesafetyscansite.com
safetyscansite.com
securityscansite.com
stabilityaudit.com
wwwsafeexamine.com
205.252.24.226
Malware drop: AntiSpware Pro 2009

antispywarepro.net
netspywarescan.com
online-spyware-scan.net
scanspywareonline.net
94.247.2.215
Malware drop: Antivirus2010

antivirus-plus-new.com
antivirusplussite.com
bestinternetexamine.com
bestnetcheckonline.com
bestwebexamine.com
downloadantivirusplus.com
easynetcheckonline.com
easywebchecklive.com
94.247.2.215
Malware drop: Antivirus2010

addedantiviruslive.com
easywebexamine.com
easywebscanlive.com
internethomecheck.com
linkcanlive.com
linkcanpro.com
myantivirusplus.com
94.247.2.215
Malware drop: Antivirus2010

rapldhsare.com
safeyouthnet.com
security-check-center.com
securesoftinternet.com
theantivirusplus.com
websecurecheck.com
websmartcheck.com

94.247.2.215
Malware drop: Antivirus2010

myinternetexamine.com
onlinescanweb.com

94.247.2.215
Malware drop: Antivirus2010

yourinternetexamine.com
yournetascertain.com
yournetcheckonline.com
yournetcheckonline.com
yourwebexamine.com
yourwebscanlive.com
94.247.2.215
Malware drop: AntivirusPlus

linkcanonline.com
yournetascertain.com
94.247.3.3
Malware drop: WinWebSecurity

theonlinesecurity.com
greatonlinesecurityscan.com
webwidesecurity.com
beststabilityscans.com
greatvirusscan.com
internetsafetyskim.com
networkstabilitytrace.com
94.247.3.3
Malware drop: WinWebSecurity

protectionexamine.com
stabilityinetscan.com
webprotectionscan.com
wwwsecurityread.com
94.247.3.74
Malware drop: WinWebSecurity

securityexamine.com
wwwsafetyread.com
securityexamine.com
webnetsafety.com
webprotectionreads.com
websafetynetscan.com
webstabilityscan.com
wwwsafetyscan.com
94.247.2.42
Fraudulent payment system

sales.getpaymentform.com:443
64.191.12.38
Malware drop: MS Antispyware 2009

addantivirus.com
antispyme.com
antispylinks.com
antispylist.com
antiviruscheckout.com
pro-antispyware2009.com
64.191.12.38
Malware drop

syscleanerpro.com
systemcleanerpro.com
system-cleanerpro.com
totalantispyware.com
totalantispyware2009.com
totalantispyware.net
78.129.166.225
Malware drop: WinWebSecurity

wwwprotectionread.com
thestabilityinternet.com
wwwskimonline.com
194.165.4.41
Malware drop+ns: WinWebSecurity

best6scan.com
bestscan6.com
ns1.avscan1.com
newscan4.com
newscan6.com
scan4easy.com
scanbest4.com
194.165.4.140
Malware drop: GeneralAntivirus

goscanlead.com
goscanbase.com
easy6scan.com
general-antivirus.com
generalantivirus.com
goopenscan.com
goscantrue.com
209.85.171.83
Malware drop: WinWebSecurity

lite4scan.com
209.249.222.48
Malware drop: Malware Defender 2009

antiviralscanner14.com
easywinscanner17.com
malwarescanner20.com
protectprivacy18.com
systemscanner19.com
sg9scanner.com
sg10scanner.com
sg11scanner.com
209.160.20.117
Malware drop

antivirus-pro-live-scan.com
84.243.252.160
Redirector

evenmorestats.com
94.102.51.14
Malware drop

securecleanersolution.com
85.17.254.158
Malware drop

promotion-offer.com
94.102.51.14
Malware drop

removespywarethreats.com
84.16.227.222
Malware drop

bestcleaner.us
ultracleaner.biz
91.212.65.29
Malware drive-by-download

free-web-scaners.net
free-web-scaners.biz
free-web-scaners.com

Virus/Malware Analyzer

Scan a malicious file:

ThreatExpert
VirusTotal

Report a malicious domain:

Malware Domain List
hpHosts
Google

Analyzing a suspicious file/URL:

Wepawet Iseclab (JS/Flash/PDF)
Jsunpack (JS/Flash/PDF)
Anubis Iseclab (Executable)

Malware Web Threats

Sunday, March 22, 2009

SystemSecurity2009 spread new variants - Fake Admess.Trojan

Malware Web Threats Headline

Malware Web Threats

Malware Web Threat Research

Malware Web Based Threats Headline Animator

Blog Archive