Sunday, March 15, 2009


Web Poisoning - Fake Scanner - easywinscanner17. com

Easywinscanner17. com is a new fake scanner site which
distributes "Malware Defender 2009", a clone of System Guard 2009.

Screenshots below:

The site appears to host several of the templates used by this
family of fake scanner sites.

root:

Title: Virus Scan in Progress



Pop up message:

Your computer remains infected by viruses!
They can cause data loss and file damages and
need to be secured as soon as possible.
Return to Spyware Guard 2008 and
download it secure your PC





The second template has a better style and is hosted here:

hxxp://easywinscanner17. com/maldef09_1/4/10193





Title used: Spyware Scanner Online: Scan in Progress

Pop up message:

Warning!!! Your computer contains various signs of
viruses and malware programs presence.
Your system requires immediate anti viruses check!
Malware Defender 2009 will perform a quick and free
scanning of your PC for viruses and malicious programs.



gomaldef09.com redirects to malwaredefender2009.com

Site screenshot: MalwareDefender2009.com

On the site we can download the complete application:

MalwareDefender2009.exe

File:

MD5: 9370c61acf77926e283c0e96f34372e7
SHA-1: 0edbbd7b0c5ca1fb2863038e9cd457f025709857
File Size: 2676736 Bytes

Registry Keys:

HKLM\Software\Malware Defender 2009
HKLM\Software\Malware Defender 2009\Lic

Files created:

C:\Documents and Settings\All Users\Application Data
\Microsoft\Media Index\Drivers

C:\Documents and Settings\All Users\Application Data
\Microsoft\Media Index\Drivers\hdddriver.dll

Source: CA - Security Advisories
 
Analysis of a second, smaller sample (the installer run below, distinct from the full application above):

MD5: 1e3d03ffc155c14bd6854dc354f5a518
SHA-1: 3c6a0afb058feaf4a67d294a0b5854c973eddc96
File Size: 69637 Bytes

The payloads are located here:

67.43.237.78
hxxp://dlmaldef09.com/maldef09/install.php?track_id=10001

84.16.243.169
hxxp://84.16.243.169/maldef09/install.php?track_id=10107
  
Result when running:




Window name:

Malware Defender 2009 installation

Window text:

Malware Defender 2009
This application will install Malware
Defender 2009 on your computer.
By pressing Continue you agree to accept the terms
of our User license agreement

Continue
  
VirusTotal analysis:

File MalwareDefender2009.exe received on 03.12.2009 10:33:14 (CET)

Result: 8/39 (20.52%)

Vendor              Detection
CAT-QuickHeal       Win32.Packed.Tdss.c.6
eSafe               Suspicious File
F-Secure            AntiVirus2008.gen1
Microsoft           Trojan:Win32/FakeSpyguard
Norman              AntiVirus2008.gen1
SecureWeb-Gateway   Win32.LooksLike.NewMalware
Sophos              Mal/FakeAV-AB
Sunbelt             Trojan.Win32.FakeSpyGuard (v)
  
  
Application screenshot:
 
  
Sites associated (source: sunbeltblog.blogspot.com):
 


209.249.222.48 easywinscanner17.com

94.247.2.31 gosgd2.com
94.247.2.31 scannersg.com
94.247.2.31 sguardscan.com

78.26.179.253 dldnssg09.com
78.26.179.253 dlsgd2.com
78.26.179.253 gbpings.com
78.26.179.253 getsgd2.com
78.26.179.253 prdnssg09.com
78.26.179.253 scansguard.com
78.26.179.253 sgscanner.com

67.43.237.75 malwaredefender2009.com X
67.43.237.77 gomaldef09.com

On the same server as easywinscanner17.com we also have:

209.249.222.48

antispyscanner13.com
antiviralscanner14.com
easywinscanner17.com
privacyscanner15.com
sg9scanner.com
sg10scanner.com
sg11scanner.com
sg12scanner.com
sgviralscan.com

Always the same source: dlmaldef09.com

Threat Analysis:
ThreatExpert Result 1
ThreatExpert Result 2

Alias:

Trojan:Win32/FakeSpyguard [Microsoft]

Site Analysis:

Symantec Norton Safe Web

Traffic source:
hxxp://098765. com/in.php
hxxp://murtinreid. com/in.php
hxxp://hola-aloha. net/in.php
hxxp://lastpoher. ru/in.php
hxxp://sendsometraff. com/in.php
hxxp://x-more-x. net/in.php
hxxp://zorroless. com/in.php

Redirection on March 15 to:
easywinscanner17. com/maldef09_2/4/10108
(209.249.222.48)

Redirection on March 16 to:
fullantispywareproscan. com/promo/1/freescan.php?nu=880817&back=%3DzQyzDzyNQMNMI%3DN
(212.117.164.120)

InstallAVg_880817.exe
File size: 98304 bytes
MD5...: 7ebe834e2e359b8d73be9b9a919c9b50
VirusTotal

Some examples here (same attack)
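The domains, IPs and URL shapes collected in the "Sites associated" and "Traffic source" sections are easiest to use when a script matches them for you. The block below is an added example, my own code rather than anything from this page, CA or Sunbelt: it carries the indicators listed above, refangs the page's "hxxp://" and "example. com" notation so they can be pasted as-is, tags requests for the /in.php traffic-distribution entry, the /maldef09_N/... scanner template, the /promo/N/freescan.php page and the install.php dropper, and reports how far down the chain each client got. The log line format, the stage names and the sample lines are constructed for the example (the clients and timestamps are invented); swap LOG_RX for your proxy's real format.

```python
"""Match proxy log lines against the network indicators collected on this page."""
import re
from urllib.parse import urlsplit

# Domains and IPs from the "Sites associated" and "Traffic source" sections, refanged.
DOMAIN_IOCS = {
    # fake scanner landing hosts on 209.249.222.48
    "easywinscanner17.com", "antispyscanner13.com", "antiviralscanner14.com",
    "privacyscanner15.com", "sg9scanner.com", "sg10scanner.com", "sg11scanner.com",
    "sg12scanner.com", "sgviralscan.com",
    # System Guard family hosts on 94.247.2.31 and 78.26.179.253
    "gosgd2.com", "scannersg.com", "sguardscan.com", "dldnssg09.com", "dlsgd2.com",
    "gbpings.com", "getsgd2.com", "prdnssg09.com", "scansguard.com", "sgscanner.com",
    # Malware Defender 2009 product, redirect and download hosts
    "malwaredefender2009.com", "gomaldef09.com", "dlmaldef09.com",
    # traffic-distribution entry points and the March 16 redirect target
    "098765.com", "murtinreid.com", "hola-aloha.net", "lastpoher.ru",
    "sendsometraff.com", "x-more-x.net", "zorroless.com", "fullantispywareproscan.com",
}
IP_IOCS = {
    "209.249.222.48", "94.247.2.31", "78.26.179.253", "67.43.237.75", "67.43.237.77",
    "67.43.237.78", "84.16.243.169", "212.117.164.120",
}
# URL path shapes seen at each stage of the chain; the stage names are mine, in chain order.
STAGES = [
    ("tds-entry", re.compile(r"^/in\.php$")),
    ("fake-scanner", re.compile(r"^/maldef09_\d+/\d+/\d+")),
    ("promo-freescan", re.compile(r"^/promo/\d+/freescan\.php")),
    ("payload-dropper", re.compile(r"^/maldef09/install\.php\?track_id=\d+")),
]
STAGE_RANK = {name: i for i, (name, _) in enumerate(STAGES)}

# Constructed log format for this example (not a real proxy format):
# "<epoch> <client> <method> <url> <status>"
LOG_RX = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def refang(text):
    """Undo the page's defanging ('hxxp://', 'example. com') so indicators can be pasted as-is."""
    return text.replace("hxxp://", "http://").replace("hxxps://", "https://").replace(". ", ".")


def match_url(url):
    """Return the indicator tags for one URL; an empty list means nothing on this page matched."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    tags = []
    if host in IP_IOCS:
        tags.append("ioc-ip:" + host)
    elif host in DOMAIN_IOCS or any(host.endswith("." + d) for d in DOMAIN_IOCS):
        tags.append("ioc-domain:" + host)
    path = parts.path + ("?" + parts.query if parts.query else "")
    tags += [name for name, rx in STAGES if rx.search(path)]
    return tags


def scan(lines):
    """Return (client, url, tags) for every log line that hit an indicator or a stage pattern."""
    hits = []
    for line in lines:
        m = LOG_RX.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        tags = match_url(m["url"])
        if tags:
            hits.append((m["client"], m["url"], tags))
    return hits


def stage_reached(hits):
    """Deepest stage per client: a client that only requested in.php was redirected but did not
    necessarily load the fake scanner; one that reached install.php pulled the dropper."""
    deepest = {}
    for client, _url, tags in hits:
        for t in tags:
            if t in STAGE_RANK and STAGE_RANK[t] > STAGE_RANK.get(deepest.get(client), -1):
                deepest[client] = t
    return deepest


# Constructed sample traffic following the chain documented above (clients and times invented).
SAMPLE_LOG = """\
1237100001 10.0.0.5 GET http://098765.com/in.php 302
1237100002 10.0.0.5 GET http://easywinscanner17.com/maldef09_2/4/10108 200
1237100003 10.0.0.5 GET http://84.16.243.169/maldef09/install.php?track_id=10107 200
1237100004 10.0.0.9 GET http://www.example.com/index.html 200
1237100005 10.0.0.9 GET http://hola-aloha.net/in.php 302
1237100006 10.0.0.9 GET http://fullantispywareproscan.com/promo/1/freescan.php?nu=880817 200
1237100007 10.0.0.7 GET http://zorroless.com/in.php 302
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, url, tags in found:
        print(client, url, ",".join(tags))
    print(stage_reached(found))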

Malware Defender 2009 REMOVAL GUIDE (what the easywinscanner17.com chain installs):

- Kill processes: malwaredef.exe, uninstall.exe
- Unregister DLLs (regsvr32 /u [dll_name]): hdddriver.dll

- Delete registry keys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Defender 2009
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defender 2009

- Delete registry values:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    malwaredef = "%ProgramFiles%\Malware Defender 2009\malwaredef.exe"

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Defender 2009]
    DisplayName = "Malware Defender 2009"
    InstallDate = "61163417187"

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defender 2009\Lic]
    HDDCheck = "5C5CF9EE460EAF2066D9ADE4BD9B5571"

- Delete files and folders:
  • %CommonAppData%\Microsoft\Media Index\Drivers
  • %Programs%\Malware Defender 2009
  • %ProgramFiles%\Malware Defender 2009
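The same guide as a host triage script, added here as an example of my own (not the guide author's code and not a vendor tool): triage() reports which of the listed artifacts a host snapshot contains, remediation_commands() emits the guide's steps only for the artifacts actually present, in a safe order, and collect_snapshot() fills the snapshot on a live Windows host from tasklist, winreg and the file system; on any other platform you pass a constructed snapshot. The function names and the snapshot layout are mine. Assumptions, also marked in the code: %CommonAppData% and %Programs% are shell folders rather than environment variables, so they are resolved to the Vista+ variables when present and otherwise to the XP layout shown earlier on this page; the registry is read through the 32-bit view because the sample is a Win32 binary. Two caveats the guide does not state: uninstall.exe is a generic name, so confirm its image path before killing it, and regsvr32 /u executes the DLL's own DllUnregisterServer, so only do that after the process is dead, or simply delete the file.

```python
"""Host triage and clean-up plan for the Malware Defender 2009 artifacts in the removal guide."""
import os
import subprocess
import sys

# Artifacts from the removal guide above. Registry paths are relative to HKEY_LOCAL_MACHINE.
PROCESSES = {"malwaredef.exe", "uninstall.exe"}  # uninstall.exe is generic: confirm its image path first
REG_KEYS = [  # child key (...\Lic) deliberately listed before its parent, see remediation_commands
    r"SOFTWARE\Malware Defender 2009\Lic",
    r"SOFTWARE\Malware Defender 2009",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Defender 2009",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet",  # listed by the guide; not a standard key
]
REG_VALUES = [  # (key, value name)
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "malwaredef"),
    (r"SOFTWARE\Malware Defender 2009\Lic", "HDDCheck"),
]
DLL = r"%CommonAppData%\Microsoft\Media Index\Drivers\hdddriver.dll"
FOLDERS = [
    r"%CommonAppData%\Microsoft\Media Index\Drivers",
    r"%Programs%\Malware Defender 2009",
    r"%ProgramFiles%\Malware Defender 2009",
]


def expand(path):
    """Expand the guide's folder tokens. %CommonAppData% and %Programs% are shell folders, not
    environment variables; the fallbacks are the Windows XP layout shown earlier on this page.
    Assumption: %Programs% means the all-users Start Menu programs folder."""
    env = os.environ
    all_users = env.get("ALLUSERSPROFILE", r"C:\Documents and Settings\All Users")
    common_appdata = env.get("ProgramData") or all_users + r"\Application Data"
    programs = (env["ProgramData"] + r"\Microsoft\Windows\Start Menu\Programs"
                if "ProgramData" in env else all_users + r"\Start Menu\Programs")
    program_files = env.get("ProgramFiles(x86)") or env.get("ProgramFiles", r"C:\Program Files")
    return (path.replace("%CommonAppData%", common_appdata)
                .replace("%Programs%", programs)
                .replace("%ProgramFiles%", program_files))


def triage(snap):
    """List the artifacts present in a snapshot (keys, value names and paths are lower-cased)."""
    found = ["process running: " + p for p in sorted(PROCESSES & snap["processes"])]
    found += ["registry key: HKLM\\" + k for k in REG_KEYS if k.lower() in snap["reg_keys"]]
    for key, name in REG_VALUES:
        data = snap["reg_values"].get((key.lower(), name.lower()))
        if data is not None:
            found.append("registry value: HKLM\\%s\\%s = %r" % (key, name, data))
    found += ["file or folder: " + expand(p) for p in [DLL] + FOLDERS if expand(p).lower() in snap["files"]]
    return found


def remediation_commands(snap):
    """The guide's steps, restricted to artifacts actually present, as argv lists for an elevated
    shell: stop the process, unregister the DLL (this runs its DllUnregisterServer, hence only after
    the kill), remove the Run persistence, then keys (child before parent) and files."""
    cmds = [["taskkill", "/F", "/IM", p] for p in sorted(PROCESSES & snap["processes"])]
    if expand(DLL).lower() in snap["files"]:
        cmds.append(["regsvr32", "/u", "/s", expand(DLL)])
    for key, name in REG_VALUES:
        if (key.lower(), name.lower()) in snap["reg_values"]:
            cmds.append(["reg", "delete", "HKLM\\" + key, "/v", name, "/f"])
    for key in REG_KEYS:
        if key.lower() in snap["reg_keys"]:
            cmds.append(["reg", "delete", "HKLM\\" + key, "/f"])
    if expand(DLL).lower() in snap["files"]:
        cmds.append(["cmd", "/c", "del", "/f", "/q", expand(DLL)])
    for folder in FOLDERS:
        if expand(folder).lower() in snap["files"]:
            cmds.append(["cmd", "/c", "rmdir", "/s", "/q", expand(folder)])
    return cmds


def collect_snapshot():
    """Live collection on Windows: tasklist, winreg through the 32-bit view, and the file system."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; pass a constructed snapshot to triage() elsewhere")
    import winreg
    snap = {"processes": set(), "reg_keys": set(), "reg_values": {}, "files": set()}
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
    snap["processes"] = {ln.split('","')[0].strip('"').lower() for ln in out.splitlines() if ln.startswith('"')}
    access = winreg.KEY_READ | winreg.KEY_WOW64_32KEY
    for key in REG_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0, access))
            snap["reg_keys"].add(key.lower())
        except OSError:
            pass
    for key, name in REG_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0, access) as k:
                snap["reg_values"][(key.lower(), name.lower())] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass
    snap["files"] = {expand(p).lower() for p in [DLL] + FOLDERS if os.path.exists(expand(p))}
    return snap


if __name__ == "__main__":
    live = collect_snapshot()
    for line in triage(live):
        print(line)
    for cmd in remediation_commands(live):
        print(" ".join('"%s"' % a if " " in a else a for a in cmd))
```

Run it elevated on the suspect host; it prints the findings and the command lines it would run, so you can review them before executing anything. Re-run after clean-up: an empty triage() result is the check that the guide was fully applied.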