[Xylitol]

UPDATE: AVASoft (tech-ava-soft.org) and System Care Antivirus (systemcare-antivirus.org) sites brought down

• dns: 1 ›› ip: 5.149.249.151 - adresse: TECH-AVA-SOFT.ORG
seem working fine.

Bach Khoa Antivirus, seem legit but MBAM detect it as FakeAV
• dns: 1 ›› ip: 123.30.174.157 - adresse: BKAV.COM.VN
EXE is signed
https://www.virustotal.com/fr/file/08a4 ... 366626953/
i'm a bit annoyed by this one since months because bkav exes make trigg some of my yara rules about pos malware.

[herg62123]

This is ESET.com's post about the malware rogue app http://www.welivesecurity.com/2013/04/1 ... o-malware/

and here is the website for the download of the rogue app (keep in mind this is an infected app if you download) hxxp://freeantivirusglobe.com/about.php

I tried to upload the program in a zip file but the system keeps blocking it so I had to post the link.

The EXE is signed by Comodo as well.

ESET calls it MSIL_LockScreen.EC - http://www.virusradar.com/en/MSIL_LockS ... escription

Here is virustotal.com remarks - https://www.virustotal.com/en/file/31f1 ... 366674831/

[EP_X0FF]

Above madskillz FakeAV in attach. Pass infected.

[herg62123]

I apologize the above was my first post and I will not make the same mistake again.

Thank you for posting the 5 files as well.

[BachMinuetInG]

This is ESET.com's post about the malware rogue app http://www.welivesecurity.com/2013/04/1 ... o-malware/

and here is the website for the download of the rogue app (keep in mind this is an infected app if you download) hxxp://freeantivirusglobe.com/about.php

I tried to upload the program in a zip file but the system keeps blocking it so I had to post the link.

The EXE is signed by Comodo as well.

ESET calls it MSIL_LockScreen.EC - http://www.virusradar.com/en/MSIL_LockS ... escription

Here is virustotal.com remarks - https://www.virustotal.com/en/file/31f1 ... 366674831/

It now links to AVG Free Antivirus. Ripoff of Secure Bit Technologies.

[Blaze]

System Care Antivirus attached.

[acoustics]

Disk Antivirus Professional


Original: https://www.virustotal.com/file/95e4027 ... 359625432/ > 21/46
Unpack: https://www.virustotal.com/file/41fc7f7 ... 359625192/ > 12/45
Network:

Code: Select all

GET /api/urls/?ts=f3626e3f&affid=00100 HTTP/1.1
Host: 112.121.178.189
---
GET /api/stats/install/?ts=f3626e3f&affid=00100&ver=3070024&group=dap HTTP/1.1
Host: 112.121.178.189
---
GET /p/?&lid=3070024&affid=00100&nid=8065D52C&group=dap HTTP/1.1
Host: kilopaybilling.com

thank you very much for unpacking this sample. :D

I try to unpack it by myself. I found 2 packers. The first packer is a manual packer. the second one, I guest PE Compact. I can dump process and fix IAT. My unpacked sample can be loaded and run. When I open my unpacked version with IDA, some functions are broken. I compare my version and yours, I see the difference from headers. My unpacked header has 6 sections : text, rdata, data, rsrc, reloc and mackt (from ImportREC) but your one has 3 sections: text. data and mackt. Can you help me to fix the header? I don't know how to do?

Thank you!!

[Xylitol]

Hi,
There is a feature 'Rebuild PE Header' on LordPE (on PE Tools too) just use that to remove garbage.
For the second layer, yes it's PECompact 2

[acoustics]

Thank you for replying. :D

I find another way : don't use "Full dump: Paste header from disk" option

[dumb110]

Can anyone attach the sample for this:
http://blog.malwarebytes.org/intelligen ... he-tables/