av-best-info Anti-VirusN1 Rogue FakeXPA

av-best.info "VirusDoctor Online Scan" Anti-Virus1 Rogue FakeXPA av-best.info is a site that distribute AntivirusN1 a rogue antivirus application. AntiVirusN1 displays fake alerts in order to persuade users buying it. Registry keys/values must be deleted with antivirus / antispyware. Anti-Virus Number-1 can be removed by stopping the following processes - Kill processes: N1Two.exe, N1i.exe, 2.exe, 3.exe - Unregister DLLs (regsvr32 /u [dll_name]): QWProtect.dll - Delete files and folders: ► C:\Documents and Settings\All Users\Application Data\N1 ► %CommonAppData%\N1 ► %CommonPrograms%\Anti-Virus Number-1 This site appear to be normal at first sight. The payment system for this fraudulent and rogue program is made via Plimus (screenshot below) But the site has been reported as malicious by some users. Here is the fake scanner Site screenshot: Fake Security Warning Message: Adware.Win32.Look2me.ab Virus Critical Backdoor.Win32.Haxdoor.gu Virus High Trojan-Downloader.Win32.Small.dge Virus High Trojan Horse IRC/Backdoor.SdBot4.FRV Virus Medium W32.Benjamin.Worm Virus High W32.Mypics.Worm.36352 Virus Medium W32.Yaha.B@mm Virus Critical Trojan Horse Generic11.OQJ Virus High Magic DVD Ripper Virus High Recommend: Click "Start Protection" button to erase all threats Fake messages: Alert! Your PC is at risk of virus and spyware attack. Your system requires immediate check!i System Security Scanner will perform a quick and free scan of your PC for viruses and spyware programs. Associated website [174.142.113.206] [ip-174-142-113-206.static.privatedns.com] scanner.av-best.info download.av-best.info
Analysis:
	Site URLs: hxxp://scanner.av-best.info/scan.php?campaign=mmb_35930207 43&landid=4       hxxp://download.av-best.info/install.php?campaign=mmb_3593020743 &country=en&counter=0&campaign=mmb_3593020743&landid=4                     File info: AntiVirusInstaller.exe             File size 53278 bytes     MD5 f8d38325d9570ce3320f04e9d5278466                     ThreatExpert: Report     VirusTotal: Report     Anubis: Report             First received 03.28.2009 19:18:31 (CET)     Results 8/39 (20.52%)             Alias: TR/Crypt.CFI.Gen AntiVir       Win32.Packed.Krap.c.4 CAT-QuickHeal       Trojan.DownLoad.33135 DrWeb       Suspicious File eSafe       Trojan.Crypt.CFI.Gen McAfee-GW-Edition       Trojan:Win32/FakeXPA Microsoft       Suspicious File Panda       Cryp_FakeAV-11 TrendMicro
When running:
	HTTP Requests: [70.38.11.165]       http://70.38.11.165/admin/cgi-bin/get_domain.php?type=site       Content html: av-best.info               http://70.38.11.165/admin/cgi-bin/get_domain.php?type=download       Content html: download.av-best.info               [174.142.113.206]       hxxp://download.av-best.info/en/PE/2.exe       hxxp://download.av-best.info/en/PE/3.exe       hxxp://download.av-best.info/en/PE/en/PE/N1.CAB       hxxp://download.av-best.info/en/PE/en/PE/QWProtect.dll       hxxp://download.av-best.info/en/PE/en/PE/svchost.exe                     File info: 2.exe     File size 53248 Bytes     MD5 364f5d30dba520937f9f3b7979b389b1             VirusTotal: Report Alias: Trojan.Win32/FakeXPA       Received on 03.28.2009 22:08:07 (CET)       8/39 (20.52%)     ThreatExpert: Report     Prevx: Report                     File info: 3.exe     File size 257536 Bytes     MD5 b7d14c7ea7844057efcfd1a41ddc530f             VirusTotal: Report Alias: Trojan.Win32/FakeXPA       Received on 03.28.2009 22:08:18 (CET)       6/39 (15.39%)     ThreatExpert: Report                     File info: AntiVirusInstaller.exe     File size 53278 Bytes     MD5 f8d38325d9570ce3320f04e9d5278466             VirusTotal: Report Alias: Trojan.Win32/FakeXPA       Received on 03.28.2009 22:08:19 (CET)       8/38 (21.06%)     ThreatExpert: Report                     File info: N1.CAB     File size 504489 Bytes     MD5 c37aa0887be14b68381301e24ddaf8fb             VirusTotal: Report Alias: Trojan.Win32/FakeXPA / Trojan.Win32.Tibs       Received on 03.28.2009 22:08:51 (CET)       5/38 (13.16%)             File info: N1.exe     File size 527360 Bytes     MD5 2d6a49219639d63428b91eb7647ce491             VirusTotal: Report Alias: Trojan.Win32/FakeXPA / Trojan.Win32.Tibs       Received on 03.28.2009 22:09:09 (CET)       5/38 (13.16%)     ThreatExpert: Report                     File info: QWProtect.dll     File size 697856 Bytes     MD5 1b6c35cb941eaa9f6325a449cb6770b0             VirusTotal: Report Alias: Trojan.Win32/FakeXPA       Received on 03.28.2009 22:09:01 (CET)       4/38 (10.53%)     Prevx: Report     ThreatExpert: Report                     File info: svchost.exe     File size 80896 Bytes     MD5 c2613b801da4c8b6967d6da05c0443ed             VirusTotal: Report Alias: Trojan.Win32/FakeXPA       Received on 03.28.2009 22:08:47 (CET)       10/38 (26.32%)     Prevx: Report     ThreatExpert: Report
Result when running:
	Display fake BlueScreen "MALWARE.MONSTER.DX_NEW_0xA21518F0"
Anti-Virus Number-1 Rogue Application Screenshot: