Easywinscanner17.com - Win32/FakeSpyguard - Fake Scanner - MalwareDefender2009 - SystemGuard CLONE

Web Poisoning - Fake Scanner: easywinscanner17.com - malwarescanner20.com Easywinscanner17.com, systemscanner19.com and malwarescanner20.com are new fake scanner site that distribute "Malware Defender 2009", a clone of System Guard 2009 READ THIS page if you need more information Screenshots below: The site appear to host several template used by the family of fake scanner site URL: hxxp://easywinscanner17.com hxxp://systemscanner19.com/sysgd09_2/3/10284 hxxp://malwarescanner20.com/ hxxp://malwarescanner20.com/sysgd09_2/3/10239 hxxp://malwarescanner20.com/maldef09_2/4/10239 Title: Virus Scan in Progress Pop up message: Your computer remains infected by viruses! They can cause data loss and file damages and need to besecured as soon as possible. Return to Spyware Guard 2008 and download it secure your PC The second has a better style hosted here: hxxp://easywinscanner17.com/maldef09_1/4/10193 hxxp://systemscanner19.com/maldef09_1/4/10207 hxxp://systemscanner19.com/maldef09_2/4/10207 Title used: Spyware Scanner Online: Scan in Progress Pop up message: Warning!!! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! Malware Defender 2009 will perform a quick and free scanning of your PC for viruses and malicious programs.
	gomaldef09.com redirect to malwaredefender2009.com Site screenshot:
	On the site we can download the complete appllication MalwareDefender2009.exe File: MD5: 9370c61acf77926e283c0e96f34372e7 SHA-1: 0edbbd7b0c5ca1fb2863038e9cd457f025709857 File Size: 2676736 Bytes Registry Keys: HKLM\​Software\​Malware Defender 2009 HKLM\​Software\​Malware Defender 2009\​Lic Files created: C:\Documents and Settings\All Users\Application Data \Microsoft\Media Index\Drivers C:\Documents and Settings\All Users\Application Data \Microsoft\Media Index\Drivers\hdddriver.dll Source: CA - Security Advisories
Analysis:
	MD5:1e3d03ffc155c14bd6854dc354f5a518 SHA-1: 3c6a0afb058feaf4a67d294a0b5854c973eddc96 File Size: 69637 Bytes The payloads are located here: 67.43.237.78 dlmaldef09.com/maldef09/install.php?track_id=10001 84.16.243.169 hxxp://84.16.243.169/maldef09/install.php?track_id=10107 78.159.122.156 hxxp://78.159.122.156/maldef09/install.php?track_id=
Result when running:
	Window name: Malware Defender 2009 installation Window test: Malware Defender 2009 This application will install Malware Defender 2009 on your computer. By pressing Continue you agree to accept the terms of our User license agreement Continue
Virustotal analysis:
	File MalwareDefender2009.exe received on 03.12.2009 10:33:14 (CET) Result: 8/39 (20.52%) Permalink CAT-QuickHeal Win32.Packed.Tdss.c.6 eSafe Suspicious File F-Secure AntiVirus2008.gen1 Microsoft Trojan:Win32/FakeSpyguard Norman AntiVirus2008.gen1 SecureWeb-Gateway Win32.LooksLike.NewMalware Sophos Mal/FakeAV-AB Sunbelt Trojan.Win32.FakeSpyGuard (v)     File MalwareDefender2009.exe [systemscanner19.com] received on 03.25.2009 20:49:32 (CET) File size: 70149 bytes MD5: 083a70ccdad37bf0619121a99d69ad45 Result: 12/39 (30%) VirusTotal Permalink File MalwareDefender2009.exe [malwarescanner20.com] received on 03.25.2009 23:39:04 (CET) File size: 70149 bytes MD5: 8ac8f0379826548f4da196ce23d910c8 Result: 14/39 (35.9%) VirusTotal Permalink AVG Crypt.DEZ DrWeb Trojan.DownLoad.32913 eSafe Suspicious File F-Secure Packed.Win32.Tdss.f Ikarus Rootkit.Win32.TDSS Kaspersky Packed.Win32.Tdss.f McAfee-GW-Edition Trojan.PCK.Tdss.F.1794 Microsoft Trojan:Win32/FakeSpyguard NOD32 Win32/TrojanDownloader.FakeAlert.SM Panda Suspicious file Sophos Mal/FakeAV-AD Sunbelt Trojan.Win32.FakeSpyGuard (v)
Application screenshot:
Site associated | Source: sunbeltblog.blogspot.com
	209.249.222.48 easywinscanner17.com 94.247.2.31 gosgd2.com 94.247.2.31 scannersg.com 94.247.2.31 sguardscan.com 78.26.179.253 dldnssg09.com 78.26.179.253 dlsgd2.com 78.26.179.253 gbpings.com 78.26.179.253 getsgd2.com 78.26.179.253 prdnssg09.com 78.26.179.253 scansguard.com 78.26.179.253 sgscanner.com 67.43.237.75 malwaredefender2009.com X 67.43.237.77 gomaldef09.com On the same server as easywinscanner17.com we also have: 209.249.222.48 Antispyscanner13.com Antiviralscanner14.com easywinscanner17.com malwarescanner20.com privacyscanner15.com sg10scanner.com sg11scanner.com sg12scanner.com sgviralscan.com sg9scanner.com systemscanner19.com Always the same source: dlmaldef09.com
Threat Analysis:
	ThreatExpert Result 1 ThreatExpert Result 2 Alias: Trojan: Win32/FakeSpyguard [Microsoft] Site Analysis: Symantec Norton Safe Web
Traffic source:
	hxxp://098765. com/in.php hxxp://murtinreid. com/in.php hxxp://hola-aloha. net/in.php hxxp://lastpoher. ru/in.php hxxp://sendsometraff. com/in.php hxxp://x-more-x. net/in.php hxxp://zorroless. com/in.php Redirection on March 15 to: easywinscanner17. com/maldef09_2/4/10108 (209.249.222.48) Redirection on March 16 to: fullantispywareproscan. com/promo/1/freescan.php?nu=880817 &back=%3DzQyzDzyNQMNMI%3DN (212.117.164.120) InstallAVg_880817.exe File size: 98304 bytes MD5...: 7ebe834e2e359b8d73be9b9a919c9b50 VirusTotal Some example here (same attack) Redirection on March 28 to: hxxp://easywinscanner17.com/counter/img.php?tracker_id=10286 &product_id=4&cookie=1&referrer= hxxp://malwarescanner20.com/maldef09_2/4/10286 hxxp://dlmaldef09.com/maldef09/install.php?track_id=10286 hxxp://78.159.122.156/maldef09/install.php?track_id=10286 by hxxp://us-euro.biz/in.cgi?4&parameter=wifi Javascript analysis here
Easywinscanner17.com REMOVAL GUIDE:
	- Kill processes: malwaredef.exe, uninstall.exe - Unregister DLLs (regsvr32 /u [dll_name]): hdddriver.dll - Delete registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Uninstall\Malware Defender 2009 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Internet HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defender 2009 - Delete registry values: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] malwaredef = "%ProgramFiles%\Malware Defender 2009\malwaredef.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Uninstall\Malware Defender 2009] DisplayName = "Malware Defender 2009" DisplayName = "Malware Defender 2009" InstallDate = "61163417187" [HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defender 2009\Lic] HDDCheck = "5C5CF9EE460EAF2066D9ADE4BD9B5571" - Delete files and folders: ► %CommonAppData%\Microsoft\Media Index\Drivers ► %Programs%\Malware Defender 2009 ► %ProgramFiles%\Malware Defender 2009