Adware, malware, spyware, hijacker discussion and information

[ 576 posts ]  Go to page Previous  1, 2, 3, 4, 5, 6 ... 20  Next
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 4]
PostPosted: Fri Jul 04, 2008 7:06 pm 
Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15507
Location: PHX, AZ
Quote:
Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\hkushdr.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{d1577581-2ed7-469f-99b1-72c1339e0ee0}"="doctordom"

It also installs Toolbar, BHO, Antispycheck Rogue software...
0-= S!ri.UKZ

SmitFraudFix removes this variant

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 4]
PostPosted: Sat Jul 05, 2008 9:36 am 
Wista Antivirus

Quote:
Wista Antivirus is the latest rogue security application seen in the wild.
Site Name: Wista-Antivirus.com
IP Address: 85.255.118.107
Site Name: WistaScanner.com
IP Address: 85.255.118.109
0-= Screenshots @ Bharath's Security Blog

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 4]
PostPosted: Sat Jul 05, 2008 2:51 pm 
WinAntiSpyware 2008
Quote:
WinAntiSpyware 2008 is a rogue Antispyware application which is a near clone of the Winreanimator rogue Antispyware application. Malwarebytes has reported this rogue here. This group calls itself "WinTechProtection LTD".

Site Name: WinAntiSpyware2008.com
IP Address: 206.161.126.40

Additionally, the following malicious sites also share the same IP address [206.161.126.40]:
  • Site Name: Antispywarexp2008.com
  • Site Name: Winantimalware.com
  • Site Name: Winreanimator.com
  • Site Name: Xpantispyware.com
  • Site Name: Xpcleaner2008.com
  • Site Name: Xpdefender2008.com
  • Site Name: Xpguard2008.com
  • Site Name: Xpsecuritycenter.com
Quote:
Antispyware 2008 is a rogue Antispyware application. The rogue application has already been reported by Flash and Edgar a couple of days earlier.

The following is the list of sites used by the rogue to do its dirty task
  • Site Name: Antispyware2008.org
  • Site Name: Anti-spy-ware-2008.com
  • Site Name: Antispyware2008y.com
  • Site Name: Antispyware2008.name
  • Site Name: Antispyware-2008-download.com
  • Site Name: Antispyware-2008-download.info
  • Site Name: Antispyware-2008-download.net
  • Site Name: Antispyware-2008-download.org
  • Site Name: Antispyware-2008-download.name
  • Site Name: Antispyware-2008.info
  • Site Name: Antispyware-2008.org
  • Site Name: Antispyware-2008.name
  • Site Name: Antispyware2008-download.com
  • Site Name: Antispyware2008-download.info
  • Site Name: Antispyware2008-download.net
  • Site Name: Antispyware2008-download.org
  • Site Name: Antispyware2008-download.name
PC Antispy and PC Clean Pro

Quote:
PC Antispy is a rogue Antispyware application. It's a clone of the PC-Antispyware rogue Antispyware application. Malwarebytes has reported this rogue here

Site Name: Pc-antispy.com
IP Address: 74.52.32.66


Quote:
PC Clean Pro is a rogue security application and is a near clone of Pc-Cleaner. Malwarebytes has reported this rogue here

Site Name: Pc-cleanpro.com
IP Address: 74.52.32.67
0-= Bharath's Security Blog w\Screenshots & Links

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 5]
PostPosted: Mon Jul 07, 2008 4:42 pm 
Quote:
IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been updated. It installs files with semi-random filenames composed from the fragment words: eps, epson, eps, drv, bho, 32

Files could look like: epsdrv.dll, epsondrv.dll ...

and displays alert messages with popups.
0-= S!ri.UKZ

SmitFraudFix targets this variant

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 7]
PostPosted: Tue Jul 08, 2008 11:06 am 
Quote:
New Zlob has been released again. It installs the following files and registry entries.

C:\Windows\System32\gnmguxh.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{629340b5-8df6-4211-9245-a86563a35792} = enation
0-= Malwarebytes Blog

MBAM now targets this variant

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 7]
PostPosted: Wed Jul 09, 2008 12:54 am 
Quote:
IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been updated. It installs files with semi-random filenames composed from the fragment words: nav, nvg, nv, filter, flt, f

Files could look like: nvgflt.dll, nvgf.dll ...

and displays alert messages with popups
0-= S!ri.UKZ

SmitFraudFix targets this variant

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 9]
PostPosted: Wed Jul 09, 2008 12:20 pm 
Trojan distributing sites
Quote:
Zlob Trojan Distributing site:
Site Name: Flwtool.com
IP Address: 77.91.231.183

Site Name: Flwapplication.com
IP Address: 85.255.120.107

DNS Changer Trojan Distributing site:
Site Name: Gigaticket.net
IP Address: 64.28.184.180

Trojan-Downloader Distributing sites
Site Name: Tmptmpservvv.com
IP Address: 58.65.238.34

The trojan installs the following Malicious BHO
O2 - BHO: EpsonToolBandKicker Class - {87FD33C2-7891-45D5-ACD1-7935F9AEA26B} - C:\WINDOWS\system32\epsondrv.dll

Site Name: Opaadownload.com
IP Address: 193.164.132.208

The trojan installs the following Malicious BHO
O2 - BHO: IESiteBlocker.NavFilter - {1AB6932F-92FE-42E6-870C-544AE458EA78} - C:\WINDOWS\system32\nvfilter.dll

These sites belong to the IE-defender family, and the BHO is used to push IE-Antivirus, which is a well documented rogue security application. For more information on malicious BHOs visit CastleCops

MediaTubeCodec Trojan Distributing site:
Site Name: Bestsoftware.cc
IP Address: 91.203.70.18

Trojan-Downloader-CodecPack Distributing site:
Site Name: Codecupgrade.com
IP Address: 74.50.117.84
0-= Bharath's Security Blog
=======================================================
Update on Trojan-Downloader-CodecPack Distributing sites
Quote:
A while ago I wrote about Trojan-Downloader-CodecPack Distributing site, now here is some facts about this Trojan and the sites involved in this campaign.

The following porn site lures users to download and install a missing "Video ActiveX object" to view porn online.
Site Name: Just-tube.com
IP Address: 74.50.117.84

The Trojan is then downloaded from the following site:
Site Name: Codecupgrade.com
IP Address: 74.50.117.84
0-= Continued @ Bharath's Security Blog w\Analysis & screenshots

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 9]
PostPosted: Fri Jul 11, 2008 6:14 pm 
Violating OPSEC for Increasing the Probability of Malware Infection

Friday, July 11, 2008

Are malware authors and the rest of the participants in fact willing to violate their OPSEC (operational security) for the sake of increasing the probability of successful malware infection by purposely lowering the security settings of Internet Explorer, adding their malicious netblocks and domains to "Trusted Sites"? You bet.

The infamous Smitfraud, or PSGuard Desktop Hijacker, has been cooperating with known malicious parties for over a year now, a cooperation which exposes interesting relationships between the usual suspects. Starting from the basic fact that a malware-infected host is infected with many other pieces of malware totally unrelated to one another, Smitfraud's "pre-infection foreplay" demonstrates that they are willing to sacrifice operational security in order to increase the probability of future infections on the same host.

Rogue software added as trusted sites upon Smitfraud infection:
    about-adult .net
    antivirus-scanner .com
    best-porncollection .com
    getadultaccess .com
    getavideonow .com
    ieantivirus .com
    malwarebell .com
    mega-soft-2008 .com
    mooncodec .com
    movsonline .com
    ruler-cash .com
    s-freeware .com
    sexysoftwaredom .com
    supersoft21freeware .com
    the-programsportal .com
    vwwredtube .com
    wetsoftwares .com
    youpornztube .com
    securewebinfo .com
    safetyincludes .com
    securemanaging .com
    myflydirect .com
    onlinevideosoftex .com
    scanner.malwscan .com
    scanner.shredderscan .com
    sex18tube2008 .com
    spywareisolator .com
    virus-scanner-online .com
    security-scanner-online .com
    virus-scanonline .com
    antivirus-scanonline .com
    topantivirus-scan .com
    topvirusscan .com
    virus-detection-scanner .com
    antivirus-scanner .com
    infectionscanner .com
    internet-security-antivirus .com
    hotvid44 .com
    opaadownload .com
    somenudefuck .com
Rogue netblocks and IPs added as trusted IP ranges upon Smitfraud infection:
    "69.50.*.*"
    "69.31.*.*"
    "66.235.*.*"
    "66.230.*.*"
    "216.239.*.*"
    "205.188.*.*"
    "205.177.*.*"
    "195.225.*.*"
    "216.195.*.*"
    "82.179.*.*"
    "81.95.*.*"
    "70.84.*.*"
    "195.95.*.*"
    "194.187.*.*"
    "78.129.158.*"
    "78.129.166.*"
    "89.149.226.*"
    "195.93.218.*"
    "72.21.53.*"
    "81.9.3.*"
    "213.189.27.*"
    "88.255.74.*"
    "79.143.178.*"
    "202.71.102.*"
    "64.202.189.170"
    "217.170.77.150"


    The second hardcoded trusted IP is also responding to:
    virusisolator .com
    virus-isolator .org
    virus-isolator .net
    soft-collections .com
    viruswebprotect .com
    virus-isolator .us
    codecvideo2008-18 .com
    sextubecodec55 .com
    sextubecodec67 .com
    soft-archives .com
    soft-collections .com
    codecreviews .com
    codecvideo2008-18 .com
0-= More @ DDanchev Blog

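The Zlob reports in this thread keep coming back to one persistence trick: a CLSID under HKLM\...\Explorer\SharedTaskScheduler whose data is a dictionary word ("doctordom", "enation") and whose InprocServer32 points at a random-named DLL in System32, sometimes with a Browser Helper Object alongside it. The Danchev post just above adds a second thing worth checking on the same host: domains and netblocks written into Internet Explorer's Trusted Sites zone. The script below is an added example, not code from the posts, from SmitFraudFix or from Malwarebytes. It parses a regedit (.reg) export and reports both. Its allow-list holds the two SharedTaskScheduler CLSIDs a clean Windows XP carries (browseui preloader and the component categories cache daemon), which is an assumption the reader should confirm against a known-clean machine; the sample export is constructed from values quoted in the thread.

```python
"""Triage a regedit (.reg) export for SharedTaskScheduler / BHO entries that
load an unexpected DLL, and for domains or IP ranges pushed into the Internet
Explorer Trusted sites zone (ZoneMap zone 2).

Added example, not code from the original posts, SmitFraudFix or MBAM.
Assumptions: KNOWN_GOOD_STS holds the two SharedTaskScheduler CLSIDs a clean
Windows XP carries; SAMPLE_REG is constructed from values quoted in the thread.
"""

KNOWN_GOOD_STS = {
    "{438755c2-a8ba-11d1-b96b-00a0c90312e1}",  # Browseui preloader
    "{8c7461ef-2b13-11d2-be35-3078302c2030}",  # Component Categories cache daemon
}
STS_SUFFIX = "\\explorer\\sharedtaskscheduler"
BHO_MARK = "\\explorer\\browser helper objects\\"
ZONEMAP = "\\internet settings\\zonemap\\"
TRUSTED_ZONE = 2  # 0 local, 1 intranet, 2 trusted, 3 internet, 4 restricted

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{629340b5-8df6-4211-9245-a86563a35792}"="enation"

[HKEY_CLASSES_ROOT\CLSID\{629340b5-8df6-4211-9245-a86563a35792}\InprocServer32]
@="C:\\Windows\\System32\\gnmguxh.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32E0E18C-7B9A-4A83-96D1-75DF1AFD98A3}]

[HKEY_CLASSES_ROOT\CLSID\{32E0E18C-7B9A-4A83-96D1-75DF1AFD98A3}\InprocServer32]
@="C:\\Windows\\System32\\784953\\784953.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\malwarebell.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\malwscan.com\scanner]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="69.50.*.*"
"*"=dword:00000002
"""


def parse_reg(text):
    """Return {key (lower-cased): {value name: str | int}} from a .reg export."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name if name == "@" else name.strip('"')  # "@" is the (Default) value
            if value.startswith("dword:"):
                reg[current][name] = int(value[6:], 16)
            else:  # REG_SZ: quoted, with backslashes doubled
                reg[current][name] = value.strip('"').replace("\\\\", "\\")
    return reg


def inproc_server(reg, clsid):
    """DLL registered under the CLSID's InprocServer32 (HKCR or HKLM\\SOFTWARE\\Classes)."""
    for hive in ("hkey_classes_root", "hkey_local_machine\\software\\classes"):
        entry = reg.get(hive + "\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        if "@" in entry:
            return entry["@"]
    return None


def shared_task_scheduler_hits(reg):
    """SharedTaskScheduler entries outside the allow-list, as (clsid, label, dll)."""
    hits = []
    for key, values in reg.items():
        if key.endswith(STS_SUFFIX):
            for clsid, label in values.items():
                if clsid.lower() not in KNOWN_GOOD_STS:
                    hits.append((clsid.lower(), label, inproc_server(reg, clsid)))
    return hits


def bho_hits(reg):
    """Every registered Browser Helper Object, as (clsid, dll)."""
    hits = []
    for key in reg:
        if BHO_MARK in key:
            clsid = key.rsplit("\\", 1)[-1]
            hits.append((clsid, inproc_server(reg, clsid)))
    return hits


def trusted_zone_hits(reg):
    """Domains and IP ranges the export maps into zone 2 (Trusted sites)."""
    domains, ranges = [], []
    for key, values in reg.items():
        if TRUSTED_ZONE not in values.values():
            continue
        if ZONEMAP + "domains\\" in key:
            # scanner.malwscan.com is stored as Domains\malwscan.com\scanner
            parts = key.split(ZONEMAP + "domains\\", 1)[1].split("\\")
            domains.append(".".join(reversed(parts)))
        elif ZONEMAP + "ranges\\" in key:
            ranges.append(values.get(":Range"))
    return domains, ranges


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("SharedTaskScheduler:", shared_task_scheduler_hits(reg))
    print("BHOs:", bho_hits(reg))
    print("Trusted zone:", trusted_zone_hits(reg))
```

On a live machine, export the keys with `reg export` (the SharedTaskScheduler key, the Browser Helper Objects key, HKCR\CLSID and both ZoneMap branches) and feed the files to parse_reg. Every SharedTaskScheduler hit is worth a look, because a stock system has only the two allow-listed entries; a Trusted Sites list that contains wildcard /16 netblocks is the Smitfraud signature Danchev describes, since nothing legitimate needs that.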
 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 11]
PostPosted: Sat Jul 12, 2008 9:45 am 
Zlob sites update
Quote:
Scam Internet Security Page:
Site Name: Safepageplace.com
IP Address: 85.255.116.210

404Errorpage Scam:
Site Name: Serverserror.com
IP Address: 85.255.118.246

Security Guide Scam Page:
Site Name: Websecurelinks.com
IP Address: 85.255.118.210

Reference pages:
http://www.Websecurelinks(dot)com/soft/?c=05333
http://www.Websecurelinks(dot)com/test/?c=05434

These links redirect the user to different scare/fake scanner pages. The new scare scan site in the list is:

Scare/Fake scanner page:
Site Name: Winspywareprotectscan.com

Ad-Server-Gate Pages:
Site Name: Gatelp.com
IP Address: 85.255.118.212

Site Name: Gatecd.com
IP Address: 85.255.118.213

Reference links:
Gatelp(dot)com/gatevc.php?pn=srch0p1total7s2&c=441041
Gatecd(dot)com/gatevc.php?id=dw01

The Ad-Server-Gate pages redirect to the fake Security center site Securewarn.com, which promotes Rogue security applications.

Site Name: Securewarn.com
IP Address: 85.255.118.35
0-= Bharath's Security Blog

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 11]
PostPosted: Sat Jul 12, 2008 9:46 am 
Quote:
IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been updated. It installs files with semi-random filenames composed from the fragment words: ie, iexp, inte, fltr, fl, _f

Files could look like: iefltr.dll ...

and displays alert messages with popups
0-= S!ri.UKZ

Smitfraud Fix now targets this variant

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 12]
PostPosted: Sun Jul 13, 2008 11:15 pm 
Quote:
New Zlob has been released again. It installs the following files and registry entries.

C:\Windows\System32\oyryp.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{ec86e5b0-45f2-45fa-9294-24878aec09f6} = elat
0-= Malwarebytes Blog
=======================================================
Quote:
A new version of Trojan.DNSChanger was released. It installs the following files.

C:\Windows\System32\msliksurdns.dll
C:\Windows\System32\msliksurcredo.dll
C:\Windows\System32\Drivers\msliksurserv.sys
0-= Malwarebytes Blog

MBAM targets both these variants.

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 14]
PostPosted: Mon Jul 14, 2008 11:32 am 
Quote:
VideoAccessCodec has been updated. The codec installs the following files.

C:\Windows\agpqlrfm.exe
C:\Windows\evgratsm.dll
C:\Windows\kvxqmtre.dll
C:\Windows\qndsfmao.dll

We have provided removal instructions for anybody unfortunate to have been infected by this codec.
0-= Malwarebytes Blog

MBAM now targets this variant.

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 14]
PostPosted: Tue Jul 15, 2008 7:53 pm 
Quote:
New Zlob has been released again. It installs the following files, and registry entries.

C:\Windows\System32\cxbrk.dll
C:\Windows\System32\784953\784953.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{32E0E18C-7B9A-4A83-96D1-75DF1AFD98A3}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{c96395b8-ab09-46a4-b539-7ddf6e061808} = altigraph
0-= Malwarebytes blog

MBAM now targets this variant.

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 14]
PostPosted: Sat Jul 19, 2008 1:39 pm 
IEDefender, File Secure, Malware Bell and IEAntivirus have been updated.

It installs files with semi-random filenames composed from the fragment words: tb, toolbar, tbr, srch, s, sch

Files could look like: toolbars.dll, tbrsrch.dll

And displays alert messages with popups
http://siri-urz.blogspot.com/2008/07/ie ... ll_19.html

Smitfraud targets this variant

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 14]
PostPosted: Sat Jul 19, 2008 1:42 pm 
Joined: Sun May 15, 2005 12:42 pm
Posts: 3491
Location: Newcastle, UK
Test ....

_________________
Regards

Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!


 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 14]
PostPosted: Sat Jul 19, 2008 1:58 pm 
IE Defender/Files Secure/MalwareBell/IE Antivirus Codec

IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been updated. It installs files with semi-random filenames composed from the fragment words: tb, toolbar, tbr, srch, s, sch

Files could look like: toolbars.dll, tbrsrch.dll ...

and displays alert messages with popups.
0-= S!ri.UKZ

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 14]
PostPosted: Sat Jul 19, 2008 2:02 pm 
Code:
test
Quote:
test
test

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 14]
PostPosted: Sat Jul 19, 2008 2:57 pm 
Saturday, July 19, 2008
Quote:
Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\xevhbpw.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{201a14d7-b5b4-422c-816f-5f2a1e92e0e7}"="incorrectnesses"

It also installs Toolbar, BHO, Antispycheck Rogue software...
0-= S!ri.UKZ

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 18]
PostPosted: Sun Jul 20, 2008 1:39 pm 
Quote:
IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been updated. It installs files with semi-random filenames composed from the fragment words: ie, iex, IE_, filter, flt, fil

Files could look like: iefilter.dll ...

And displays alert messages with popups.
0-= S!ri.UKZ

Smitfraud Fix targets this variant.

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 20]
PostPosted: Mon Jul 21, 2008 8:42 pm 
Quote:
New Zlob has been released again. It installs the following files and registry entries.

C:\Windows\System32\uszhv.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{629340b5-8df6-4211-9245-a86563a35792} = cramping
0-= Malwarebytes Blog

MBAM now targets and removes this variant.

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 21]
PostPosted: Tue Jul 22, 2008 8:23 am 
Quote:
Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\uszhv.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{629340b5-8df6-4211-9245-a86563a35792}"="cramping"

It also installs Toolbar, BHO, Antispycheck Rogue software
0-= S!ri.UKZ

SmitfraudFix now targets and removes this variant

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 21]
PostPosted: Wed Jul 23, 2008 8:14 am 
Quote:
IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been updated. It installs files with semi-random filenames composed from the fragment words: bho, bho2, ie, ext, extn, _e

Files could look like: bho2extn.dll ...

And displays alert messages with popups.
0-= S!ri.UKZ

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants Here [July 21]
PostPosted: Wed Jul 23, 2008 8:21 pm 
MySpace infected pages distributing ZLOB
By jsalva

During the last weeks I have seen a few infected MySpace pages. Pages from regular users that get “corrupted” by malicious visitors. The malicious attacker will insert an iframe onto one of the posts on the page, turning most of the page into a huge hyperlink to a malicious site.

Take a closer look at the link itself:

hxxp://profile.myspace.com.index.cfm.fuseaction=user.viewprofile&friendid=.16658764.tk

It looks just like any other MySpace link, but pay closer attention: there are no “/”! There should have been one after myspace.com, and before index.cfm. Without the slash, the real domain of the page is now 16658764.tk, far different from what they want the user to believe it is. A regular user will not notice the difference and if he clicks on the hot area of the page, he will end up landing here:

hxxp://myspacelogin-error900.freehostia.com/myspace.php

0-= Continued @ Malware Database Blog

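To make the point in jsalva's post concrete, the following added example (not code from the post, from the Malware Database blog or from MySpace) parses the quoted lure URL the way a browser does and reports which domain actually owns the host. With no "/" anywhere after the scheme, the whole string up to the end is the hostname, so the name that gets resolved ends in 16658764.tk. The registrable-domain step takes the last two labels as a simplification; a production check would consult the Public Suffix List. It also flags labels that are not valid hostname labels at all, since "=" and "&" are not allowed in a hostname and their presence alone gives the trick away.

```python
"""Work out which host a MySpace-style lure URL really points at.

Added example, not code from the original post or from MySpace.
Assumptions: the three sample URLs are the two quoted in the post (defanged
with "hxxp") plus the legitimate form of the profile link for comparison;
registrable_domain() uses the last two labels as a simplification, where a
production check would consult the Public Suffix List.
"""
import re
from urllib.parse import urlsplit

# Hostname label per RFC 952/1123: letters, digits, hyphen, 1..63 characters
LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")

LURE_URL = "hxxp://profile.myspace.com.index.cfm.fuseaction=user.viewprofile&friendid=.16658764.tk"
LANDING_URL = "hxxp://myspacelogin-error900.freehostia.com/myspace.php"
REAL_URL = "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=16658764"


def refang(url):
    """Undo the hxxp:// defanging used in the post so the URL can be parsed."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def effective_host(url):
    """The host a browser resolves: everything between '//' and the first '/', '?' or '#'."""
    return (urlsplit(refang(url)).hostname or "").rstrip(".")


def registrable_domain(host):
    """Last two labels (simplification; see module docstring)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_report(url, brand_domain):
    """Compare the brand a URL appears to belong to with the domain that really owns it."""
    host = effective_host(url)
    brand_label = brand_domain.split(".")[0]
    return {
        "host": host,
        "owner": registrable_domain(host),
        "mentions_brand": brand_label in host,
        "is_brand": host == brand_domain or host.endswith("." + brand_domain),
        # '=' and '&' cannot appear in a hostname label; the lure has both
        "invalid_labels": [l for l in host.split(".") if not LABEL_RE.match(l)],
    }


if __name__ == "__main__":
    for url in (REAL_URL, LURE_URL, LANDING_URL):
        r = lookalike_report(url, "myspace.com")
        verdict = "ok" if r["is_brand"] else "LOOKALIKE, owned by " + r["owner"]
        print("%s: %s; invalid labels: %s" % (r["host"], verdict, r["invalid_labels"]))
```

The same report works for the second URL in the post: the host mentions "myspace" but the owner comes out as freehostia.com, which is the check a user (or a link-rewriting proxy) actually needs.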
 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants [Zlob\MySpace-July 24]
PostPosted: Thu Jul 24, 2008 2:19 pm 
Quote:
IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been updated. It installs files with semi-random filenames composed from the fragment words: dom, hom, sof, ie, bho, iebho

Files could look like: domie.dll ...

and displays alert messages with popups.
0-= S!ri.UKZ

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants [IEDefender-July 24]
PostPosted: Mon Jul 28, 2008 1:10 am 
Quote:
Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\yizgdux.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ba934431-76af-4c99-93c2-c3d21944a72e}"="chokestrap"

It also installs Toolbar, BHO, Antispycheck Rogue software
0-= S!ri.UKZ

Smitfraud Fix targets this variant

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants [Zlob-July 28]
PostPosted: Mon Jul 28, 2008 10:32 pm 
Quote:
New Zlob has been released again. It installs the following files, and registry entries.

C:\Windows\System32\yizgdux.dll
C:\Windows\System32\804031\804031.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{C82B3296-FC52-4CD7-876B-8147E28DA748}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{BA934431-76AF-4C99-93C2-C3D21944A72E} = chokestrap
0-= Malwarebytes Blog

MBAM now targets this variant

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants [Zlob-July 28]
PostPosted: Tue Jul 29, 2008 3:28 pm 
Quote:
IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been updated. It installs a file with a semi-random filename composed from the fragment words: aol, aol_, aol2, tbl, bho, toolbar

Possible filenames are: aoltbl.dll, aolbho.dll, aoltoolbar.dll, aol_tbl.dll, aol_bho.dll, aol_toolbar.dll, aol2tbl.dll, aol2bho.dll, aol2toolbar.dll

It displays alert messages with popups that download IE Antivirus.
0-= S!ri.UKZ

Smitfraud Fix targets this variant

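Every IE Defender/Files Secure/MalwareBell/IE Antivirus update in this thread lists six fragment words, and every sample filename given (epsondrv.dll, nvgflt.dll, iefltr.dll, tbrsrch.dll, aol2toolbar.dll, and the HijackThis O2 lines for epsondrv.dll and nvfilter.dll) is one of the first three fragments glued to one of the last three. The script below is an added example, not code from S!ri's posts or from SmitFraudFix. It treats that split as an assumption, expands each posted fragment list into the full candidate set (the nine names listed in the July 29 post fall out of it), builds a case-insensitive regex per variant for hunting, and runs the patterns over a constructed System32 listing. The listing is made up for the demonstration; the fragment lists are copied from the posts.

```python
"""Expand the fragment-word lists posted for the IE Defender / Files Secure /
MalwareBell / IE Antivirus codec into the DLL names they can produce, and
match a directory listing against them.

Added example, not code from the original posts or from SmitFraudFix.
Assumption (inferred from every sample filename in the thread): the six
fragments form two groups of three, and a filename is one fragment from the
first group immediately followed by one from the second, plus ".dll".
"""
from itertools import product
import ntpath
import re

# Fragment lists exactly as posted by S!ri.UKZ, keyed by the post date.
VARIANTS = {
    "July 7": ["eps", "epson", "eps", "drv", "bho", "32"],
    "July 9": ["nav", "nvg", "nv", "filter", "flt", "f"],
    "July 12": ["ie", "iexp", "inte", "fltr", "fl", "_f"],
    "July 19": ["tb", "toolbar", "tbr", "srch", "s", "sch"],
    "July 20": ["ie", "iex", "IE_", "filter", "flt", "fil"],
    "July 23": ["bho", "bho2", "ie", "ext", "extn", "_e"],
    "July 24": ["dom", "hom", "sof", "ie", "bho", "iebho"],
    "July 29": ["aol", "aol_", "aol2", "tbl", "bho", "toolbar"],
    "Aug 3": ["MEGAUP", "MEGAUP", "MEGAUP", "1", "LOAD", "L"],
}

# Constructed System32 listing for the demonstration; not from a real machine.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\epsondrv.dll",
    r"C:\WINDOWS\system32\nvfilter.dll",
    r"C:\WINDOWS\system32\AOL_TBL.DLL",
    r"C:\WINDOWS\system32\MEGAUPLOAD.dll",
    r"C:\WINDOWS\system32\shell32.dll",
]


def split_fragments(fragments):
    """Prefix group and suffix group; the posts always give exactly six words."""
    if len(fragments) != 6:
        raise ValueError("expected six fragment words, got %d" % len(fragments))
    return fragments[:3], fragments[3:]


def candidate_names(fragments, ext=".dll"):
    """Every prefix+suffix combination; repeated fragments (MEGAUP x3) collapse."""
    prefixes, suffixes = split_fragments(fragments)
    return sorted({p + s + ext for p, s in product(prefixes, suffixes)}, key=str.lower)


def hunt_regex(fragments, ext=".dll"):
    """One case-insensitive pattern per variant, usable in grep or a SIEM search."""
    prefixes, suffixes = split_fragments(fragments)

    def alt(words):  # longest alternative first so "aol_" is tried before "aol"
        return "|".join(sorted({re.escape(w) for w in words}, key=len, reverse=True))

    pattern = "^(?:%s)(?:%s)%s$" % (alt(prefixes), alt(suffixes), re.escape(ext))
    return re.compile(pattern, re.IGNORECASE)


def scan_listing(paths, variants=VARIANTS):
    """Map each path whose file name matches a posted variant to that variant's label."""
    patterns = {label: hunt_regex(frags) for label, frags in variants.items()}
    hits = {}
    for path in paths:
        name = ntpath.basename(path)  # Windows separators even when run elsewhere
        for label, pattern in patterns.items():
            if pattern.match(name):
                hits[path] = label
                break
    return hits


if __name__ == "__main__":
    for label, frags in VARIANTS.items():
        print(label, "->", ", ".join(candidate_names(frags)))
    for path, label in scan_listing(SAMPLE_LISTING).items():
        print("HIT", path, "matches the", label, "variant")
```

A match on a name is a lead, not a verdict: short fragments such as "f" or "s" make some candidate sets broad, so confirm the DLL by checking its CLSID registration under Browser Helper Objects or SharedTaskScheduler and its lack of a valid signature before deleting anything.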
 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants [Zlob-July 29]
PostPosted: Wed Jul 30, 2008 5:05 pm 
Quote:
New Zlob has been released again. It installs the following files and registry entries.

C:\Windows\System32\jkqvjzl.dll
C:\Program Files\Applications\iebr.dll
C:\Program Files\Applications\iebt.dll
C:\Program Files\Applications\iebtm.exe
C:\Program Files\Applications\iebtmm.exe
C:\Program Files\Applications\iebtu.exe
C:\Program Files\Applications\iebu.exe
C:\Program Files\Applications\myd.ico
C:\Program Files\Applications\mym.ico
C:\Program Files\Applications\myp.ico
C:\Program Files\Applications\myv.ico
C:\Program Files\Applications\ot.ico
C:\Program Files\Applications\ts.ico
C:\Program Files\Applications\wcm.exe
C:\Program Files\Applications\wcs.exe
C:\Program Files\Applications\wcu.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{c96395b8-ab09-46a4-b539-7ddf6e061808} = ceroxylon

We have provided removal instructions for anybody unfortunate to have been infected by this trojan.
0-= Malwarebytes Blog

MBAM targets this variant.

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants [Zlob-July 29]
PostPosted: Thu Jul 31, 2008 3:05 pm 
Quote:
Zlob fake codec has been updated. It drops the following file:

%SYSTEM%\jkqvjzl.dll

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{c96395b8-ab09-46a4-b539-7ddf6e061808}"="ceroxylon"

It also installs Toolbar, BHO, Antispycheck Rogue software
0-= S!ri.UKZ

Smitfraud Fix targets this variant

 
 Post subject: Re: Zlob\SmitFraud\\Rogue Variants [Zlob-July 31]
PostPosted: Sun Aug 03, 2008 9:54 am 
Quote:
IE Defender/Files Secure/MalwareBell/IE Antivirus Codec has been updated. It installs a file with a semi-random filename composed from the fragment words: MEGAUP, MEGAUP, MEGAUP, 1, LOAD, L

Possible filenames are: MEGAUP1.dll, MEGAUPLOAD.dll, MEGAUPL.dll.

It displays alert messages with popups that download IE Antivirus.
0-= S!ri.UKZ

Smitfraud Fix now targets this variant

 