[EP_X0FF]

What up with biz?
http://blogs.technet.com/b/mmpc/archive ... light.aspx

[rnd.usr]

What up with biz?
http://blogs.technet.com/b/mmpc/archive ... light.aspx

FakeAV's want to be lockers, kinda cute.

Anyone have a sample of Win32/Defru? Tried to find one but no luck..

[ISergey256]

Rogue:Win32/Defru
https://www.virustotal.com/uk/file/24ec ... /analysis/

[rnd.usr]

Rogue:Win32/Defru
https://www.virustotal.com/uk/file/24ec ... /analysis/

Thanks!

Attached unpacked(from UPX) and extracted PHP-files. Can someone also decode the PHP-files? When I try to do it I get the same output as input.

But I get error when running the file, it says "WINDOWS ERROR!!!" in a CMD-prompt. The file itself does not do anything to the system after the message goes away. Same for you?

[iShare]

Pretty boring, a very n00b rogue proxy, redirecting all visited websites to fake av download page

%SYSDIR%\drivers\etc\hosts has been modified with lines like this

***
82.146.48.21 http://www.101.ru
82.146.48.21 ovg.cc
82.146.48.21 http://www.ovg.cc
82.146.48.21 onlainfilm.ucoz.ua
82.146.48.21 http://www.onlainfilm.ucoz.ua
82.146.48.21 hdkinoteatr.com
****

[rnd.usr]

Pretty boring, a very n00b rogue proxy, redirecting all visited websites to fake av download page

Ah, yes! This is really a lame FakeAV. Just infecting the host-file.. I thought this was something good.

Attached host-file.

[Xylitol]

Braviax/FakeRean
• dns: 1 ›› ip: 146.0.79.164 - adress: DNSHEQ.COM
• dns: 1 ›› ip: 146.0.79.164 - adress: DNSUER.COM
• dns: 1 ›› ip: 146.0.79.164 - adress: SOFTCLEANING.NET
---
a83719b9bbaddb43a6abf7e0009abcd32b19ab767a89e597e9a34f84426861c4 >> 18/55
979e11ec917a6fe805ca92332940cf2c058545b5a93643b77605ffaf96bcfadb >> 35/55
fcfd27b1d35ecd9de6e11411bc27f9a64ccb076c8af9a4f320de197e376d6caf >> 35/55
5931209aaee9dad9d190e421fdaaab1a96c1bdf454cbb6dcb3a213bc4019711d >> 36/55
57b1bd6cf542c10f21e4886d67b4aebdec01b7995323ec7e15cc83afb290b0d0 >> 35/55
44fdc83afc9842e235d304e28e2847fedd2c6b22b42db43105464f8bdb28e52d >> 35/55
68a7874c89428c7c07675b0bd098b3e3177d394862aa9ba24bf218265e964a1d >> 41/55
8dc4d5e4aae5b8d68b5ebc1410c625911359da715a3152e5eec08d606e1e3927 >> 40/55
a079f5534412711c06d2ec6732f7bc55f2c979ec85d478595bb0453f62e43d78 >> 29/55
Dumped:
623a8505526e3d0368f6e4a9053a17dbf4dfd4dbbccf96f57e826a933bc8e72b >> 14/55

[bandicoot_]

Hi, this is my first post on the forums.

While looking in the payment page, i found that the website for the rogue above is [url]hxxp://www.softcleaning.net[/url] (Warning: WILL infect!!!)

Note the site is very generic where it only says "Antivirus 2014".

[Xylitol]

Hi, this is my first post on the forums.

Welcome, i suggest you to read the forum rules: http://www.kernelmode.info/forum/viewtopic.php?f=8&t=16

While looking in the payment page, i found that the website for the rogue above is [url]hxxp://www.softcleaning.net[/url]

What i said just before your post:

• dns: 1 ›› ip: 146.0.79.164 - adress: SOFTCLEANING.NET

(Warning: WILL infect!!!)

I don't see any hostile code on this site.

[Ramtadryla]

Hi, maybe someone has a sample of "Spyware Defender" (or "System Defender") fake av (hxxp://spyware-defender.com)?