[EP_X0FF]

advanced security tool 2010

Original attach removed, see comment.
In attach re-uploaded original and unpacked exe (Solodovnikov creative removed).

Crapware has Russian origin and written on CodeGear RAD Studio v12.0.3170.16989

[EP_X0FF]

@deco11

I recommend you to follow this link and read that topic http://www.kernelmode.info/forum/viewtopic.php?f=8&t=16

[bitx]

Antivirus AntiSpyware 2011

[EP_X0FF]

That's continuation of FakeAV "Security Essentials 2010" and "Internet Security 2010" :)




http://forum.sysinternals.com/fake-av-s ... 22020.html
http://forum.sysinternals.com/forum_pos ... l-3#115292

[Xylitol]

@lolikas: for register your Antivirus AntiSpyware 2011: AAS17-F7D9M-G3B2A or AAS17F7D9MG3B2A

---
Fake BitDefender 2011

http://www.virustotal.com/file-scan/rep ... 1303403611



Fake BitDefender 2011 serial: BKI14-HJP10-IKO78-OBK894-XYL77

kg:

Code: Select all

.386
.model flat, stdcall
option casemap :none

      include windows.inc
      include user32.inc
      include kernel32.inc
      include C:\masm32\macros\macros.asm
      includelib user32.lib
      includelib kernel32.lib

DlgProc     PROTO   :DWORD,:DWORD,:DWORD,:DWORD
RandomAP    PROTO   :DWORD,:DWORD
RandomN     PROTO   :DWORD,:DWORD

.const
IDD_MAIN        equ 1000
IDB_EXIT            equ 1001
IDC_NAME        equ 1002
IDC_SERIAL      equ 1005
IDB_GENERATE    equ 1006
IDB_ABOUT       equ 1007

.data
Rndm        dd  0
b10         db  "0123456789012345",0
Base26A     db  "ABCDEFGHIJKLMNOP",0
tab             db   "-",0
hc          db  "XYL",0

.data?
hInstance   dd  ?
szSerial    db  100h    dup(?)
szSerial2   db  100h    dup(?)
szFinal db  100h    dup(?)

.code
start:
    invoke  GetModuleHandle, NULL
    mov hInstance, eax
    invoke  DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
    invoke  ExitProcess, eax

DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    mov eax,uMsg
    .if eax == WM_INITDIALOG
        invoke  LoadIcon,hInstance,200
        invoke  SendMessage, hWnd, WM_SETICON, 1, eax
    .elseif eax == WM_COMMAND
        mov eax,wParam
        .if eax == IDB_EXIT
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0
        .elseif eax == IDB_GENERATE

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2            
                invoke lstrcpy,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,3,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr hc
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
                invoke RtlZeroMemory,addr szFinal,sizeof szFinal   

        .endif
    .elseif eax == WM_CLOSE
        invoke  EndDialog, hWnd, 0
    .endif
    xor eax,eax
    ret
DlgProc endp

RandomAP Proc   Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset Base26A
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomAP endp

RandomN Proc Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset b10
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomN endp
end start

Code: Select all

;This Resource Script was generated by WinAsm Studio.

#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006

IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake BitDefender 2011 *KeyGen*"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
    CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
    CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
    CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END

edit: another vt: http://www.virustotal.com/file-scan/rep ... 1303403931
sample repacked

[Xylitol]

CleanThis

repacked CleanThis







VT: 3/42 >> 7.1%
https://www.virustotal.com/file-scan/re ... 1304091561

[thekillergreece]

Rogue antivirus threat found!:Antivirus center!

InstallInternetProtection_319.zip

Pass: infected
(80.75 KiB) Downloaded 57 times

[a_d_13]

Hello,

thekillergreece: I have added a password to the archive. Please be sure to password-protect malware samples in future.

Thanks,
--AD

[Xylitol]

Security Shield



VT 7/41 >> 17.1%
http://www.virustotal.com/file-scan/rep ... 1304235188

Code: Select all

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9NA==
X-Message-Status: n
X-SID-PRA: Security Shield <support@gods-support.com>
X-AUTH-Result: NONE
X-Message-Info: 6sSXyD95QpXVWcVGuYnXAzv4aWyjS8hakKG2aii+CD3n4o+ema3a5oL6WEtHot7IEE8RWG9T+VRElyxrKzFyYlwgzVMA+F07288PQ+dYKrs=
Received: from pcsecuritysolutions.biz ([195.225.55.16]) by bay0-mc2-f4.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Sun, 1 May 2011 00:16:28 -0700
Received: from v-2-do12-d1334-16.webazilla.com (v-2-do12-d1334-16.webazilla.com [127.0.0.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pcsecuritysolutions.biz (Postfix) with ESMTP id 0856C2A0234
	for <phoenixbytes@live.fr>; Sun,  1 May 2011 07:16:11 +0000 (UTC)
Received: (from www@localhost)
	by v-2-do12-d1334-16.webazilla.com (8.13.8/8.13.8/Submit) id p417GAc1001577;
	Sun, 1 May 2011 07:16:10 GMT
Date: Sun, 1 May 2011 07:16:10 GMT
To: ******@live.fr
Subject: Your ST registration key
X-PHP-Originating-Script: 5001:send_key.php
From: Security Shield<support@gods-support.com>
Reply-To: Security Shield<support@gods-support.com>
Message-ID: <1304234170-support@gods-support.com>
X-Mailer: PHP v5.3.3
Return-Path: www@v-2-do12-d1334-16.webazilla.com
X-OriginalArrivalTime: 01 May 2011 07:16:28.0620 (UTC) FILETIME=[B06908C0:01CC07CF]

Your new serial key: 64C665BE-4DE7-423B-A6B6-BC0172B25DF2
Regards, ST support

[EP_X0FF]

Flood and offtopic deleted.

deco11 and thekillergreece both go to rest until May 4, 2011.

Reasons: Prophylactic ban due to multiple flooding with nonsense replies, contempt of forum rules. Also seems both banned in Google and forum "Search" button unavailable too.
Next time this will be permanent ban including all their IP's.