A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9478  by Maxstar
 Mon Oct 31, 2011 5:04 pm
Grinler wrote:That first image really makes it look like it's a product by Returnil.
I sent EP_X0FF a PM with a new link to an image of this malicious program without a Returnil logo.
Grinler wrote:After looking at it more, I remember this prog from a while back.
I was already surprised when MBAM detected this (semi)-rogue program as well, with the comment 'Antivirus 2008'.
As far as I know, this program is back in circulation, I guess.

IMHO it is more a (semi)-rogue-program like Nava-Shield, or am I wrong?
 #9480  by Grinler
 Mon Oct 31, 2011 5:24 pm
Quite honestly, Nava Shield was just a bizarre app. I really have no idea how to classify that program, as it was/is truly unique in the weird crap it did.

AntiSpyware, to me, is more of a rogue due to the business practices of the company rather than the program itself. The program can easily be removed, does not offer an overt amount of scammy and deceptive false positives, and does not hijack any functionality on the computer.
 #9482  by rsav
 Mon Oct 31, 2011 6:34 pm
Xylitol,

Can you attach a copy of the Security Defender that you posted? http://xylibox.blogspot.com/2011/10/sec ... ender.html

It appears to download the installer from the internet but my sample will not connect. Do you have a working sample that will connect, or even better a full installer? Thanks.

Attached is the sample I have.
Attachments
(55.82 KiB) Downloaded 63 times
 #9483  by Xylitol
 Mon Oct 31, 2011 6:44 pm
rsav wrote:Xylitol,

Can you attach a copy of the Security Defender that you posted? http://xylibox.blogspot.com/2011/10/sec ... ender.html

It appears to download the installer from the internet but my sample will not connect. Do you have a working sample that will connect, or even better a full installer? Thanks.

Attached is the sample I have.
here you go ~ http://www.kernelmode.info/forum/viewto ... =290#p9421
 #9484  by rsav
 Mon Oct 31, 2011 9:43 pm
Xylitol wrote:
rsav wrote:Xylitol,

Can you attach a copy of the Security Defender that you posted? http://xylibox.blogspot.com/2011/10/sec ... ender.html

It appears to download the installer from the internet but my sample will not connect. Do you have a working sample that will connect, or even better a full installer? Thanks.

Attached is the sample I have.
here you go ~ http://www.kernelmode.info/forum/viewto ... =290#p9421
I have tried running the installer, dll and shortcut. But nothing. Any suggestions?
 #9488  by EP_X0FF
 Tue Nov 01, 2011 2:09 am
Maxstar wrote:I sent EP_X0FF a PM with a new link to an image of this malicious program without a Returnil logo.
Image replaced.
 #9490  by BachMinuetInG
 Tue Nov 01, 2011 6:20 am
Security Defender's website was up and down in an hour. What can you expect? The rundll32 does not work, by the way. Running Windows 7 without Antivirus also does not work. Any suggestions?

And by the way, can anyone upload the semi-rogues (full package, not installer, preferred)?
 #9540  by BachMinuetInG
 Sat Nov 05, 2011 3:42 am
Security Defender

hxxp://yourowndefence.net
hxxp://scan60.neosit.in/index.php?Q33hFdRQbe1GhHqjMxNONixvAH+7RGMorWX+3BAL5zeCtyBYiGI+ZQM74p/sPVgUs9+nDCsSHboxL5l/o6LCMVWgO96M2uDLP+JRKxdGu1QP9BolRQLnvq0V4KOHqQ==#9

Adds registry key:

BB532651-A56C-A774-FA64-E01E2314869B, "C:\Windows\system32\rundll32.exe" "C:\Users\XWXProductions\AppData\Roaming\BB532651-A56C-A774-FA64-E01E2314869B.avi", start minimized

Fake scanner running on my mobile:
http://imageshack.us/photo/my-images/805/img5468d.jpg/

http://imageshack.us/photo/my-images/843/img5464y.jpg/

Uploaded the full package after installation.
(Files)
Attachments
Password: xwxprod
(1.92 MiB) Downloaded 106 times