30 Dec

Phishing emails pointing to fake Classmates.com website featuring malware

Over the past couple of months there have been phishing campaigns targeting Classmates.com users.  On a regular basis, emails about class reunions containing links to fake Classmates.com websites have spewed onto the Internet.  These fake websites offer fake videos that are actually malware (an EXE file) designed to take control of your computer using trojans and keyloggers. Oh, and by the way, these EXE files will automatically try to download onto your PC without you clicking them.

WARNING: Websites hosting malicious content!


FROM ADDRESSES:
Classmates Alert Center
Classmates Community
Classmates Help Center
Classmates Management
Classmates Meeteng Center
Classmates Member Center
Classmates Messagebox#
Classmates Online Center
Classmates Reunion Center
Classmates Shedule Center
Classmates Support Center
Classmates Technical Support
Classmates Video Center

SUBJECTS:
Classmates Important Meeting Information
Classmates Organisation.Class Reunion Information
Classmates Organisation.Class Reunion Planner
Classmates Organiser Warning - Meeting high school and junior college classmates
Classmates Organiser Warning - This is a forum where you can make any suggestions for the Reunion.
Classmates Party invitation…
Classmates Preview, public invitation
Classmates Reunion -  Invitation
Classmates Reunion - Classmates Reunion - Special Preview Invitation
Classmates Reunion - Congratulations Today !
Classmates Reunion - Invitation: Ready
Classmates Reunion - Your Classmates Invitation - He’s Ready, Are You?
Classmates Reunion - unique invitation.
Classmates Reunion Soon - Classmates Organisation.What Have You Been Up To
Classmates Reunion Soon - Important Dates for Classmates Meeting
Classmates Video your personal invitation by John
Currently planning the 2009 Year Reunion
Do Not Miss Tonight’s Classmates Reunion !
Please Do Not Miss the Classmates Meeting!
Revised reunion date announced
Webster meetings among former classmates
Welcome to Classmates Personal Invitation
You have one new message. Classmates
Your Classmates Are Waiting - AN URGENT MESSAGE
Your classmates Day New Date..How can someone miss a Classmates meeting?
Your classmates Day New Date.A Meeting with my HighSchool Classmates
Your own unique invitations from classmates.
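As an added defender-side example (not from the original post), here is a small Python triage check for the lure pattern above: a From display name that claims the Classmates brand while the sending domain is not classmates.com, plus reunion/invitation wording in the subject. The sample headers and the allowlisted sender domain are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed sample headers modelled on the lures listed above; not real captures.
SAMPLE_MESSAGES = [
    ('"Classmates Reunion Center" <alerts@classmatersunion.com>',
     "Classmates Reunion - Invitation: Ready"),
    ('"Classmates Member Center" <noreply@classmates.com>',
     "Your monthly Classmates digest"),
    ('"Bob Smith" <bob@example.org>', "Lunch on Friday?"),
]

BRAND = "classmates"
# Assumption for this example: the only domain the real brand sends mail from.
LEGIT_SENDER_DOMAINS = {"classmates.com"}
# Wording that recurs across the subject lines listed above.
LURE_WORDS = re.compile(r"reunion|invitation|meeting|do not miss|urgent", re.IGNORECASE)


def sender_domain(from_header):
    """Domain part of the From address, lower-cased."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_legit_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_SENDER_DOMAINS)


def brand_mismatch(from_header):
    """True when the display name claims the brand but the address is not on a brand
    domain. Lookalikes such as classmatesupdates.com still fail this check."""
    name, _addr = parseaddr(from_header)
    return BRAND in name.lower() and not is_legit_domain(sender_domain(from_header))


def score_message(from_header, subject):
    """Return (score, reasons): +2 for a brand/domain mismatch, +1 for lure wording."""
    score, reasons = 0, []
    if brand_mismatch(from_header):
        score += 2
        reasons.append(f"display name claims {BRAND} but sender domain is {sender_domain(from_header)}")
    if LURE_WORDS.search(subject):
        score += 1
        reasons.append("reunion/invitation lure wording in subject")
    return score, reasons


def triage(messages=SAMPLE_MESSAGES, threshold=2):
    """Return (from, subject, reasons) for messages scoring at or above threshold."""
    return [(frm, subj, score_message(frm, subj)[1])
            for frm, subj in messages if score_message(frm, subj)[0] >= threshold]
```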

ROOT DOMAINS:

FAKE VIDEO MALWARE FILE:
Adobe_Player10.exe
VT coverage 27/38:
https://www.virustotal.com/analisis/4d17de3d6ba580900af852ed5ad9a52f

–mwdisector

22 Dec

Several domains redirecting to rogue security site antispyware-scanner-free.com

WARNING: Fraudulent/fake security website/application!

Found several domains that are redirecting to a domain hosting rogue security software called Web Spy Shield. This website claims to perform a scan of your PC, then reports back that it found infections, including nude/porn pictures. It even displays the porn pictures during and after the scan. Incidentally, the PC I scanned this on was clean; it was a fresh install.

Redirects:
fronthomepagez.com (94.247.3.22)
anotherdnserrorz.com (94.247.3.23)
AS12553   | 94.247.3.22      | PCEXPRESS-AS _DATORU EXPRESS SERVISS_ Ltd.

scanonlinefreee.com (64.27.18.54)
scan-onlinefreee.com (64.27.18.54)
AS7796    | 64.27.18.54      | ATMLINK - ATMLINK, INC.

Rogue/fake security software/scanner site:
scan.antispyware-scanner-free.com (78.26.179.130)
AS34187   | 78.26.179.130    | RENOME-AS Renome-Service: Joint Multimedia Cable Network

–mwdisector

20 Dec

New domain redirects to rogue security software VirusRemover 2008 / Winfixer

WARNING: Fraudulent website/application!

A newly registered domain redirects the visitor to a website featuring a fake security product called VirusRemover 2008 / Winfixer. This website automatically starts a "scan" of the system (although it doesn't appear to be doing any scan at all), then reports that your PC is infected (which is a lie).

Website:
online-spyware-detector.com (68.180.151.16)
redirects to powerfulvirusremover2008.com (78.157.142.47)

online-spyware-detector.com
ICANN Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created: 2008-12-16

powerfulvirusremover2008.com
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2008-08-29

EXE downloaded from site:
VirusRemover2008_Setup_Free_en.exe
VT scan 29/38: (detected as fraudtool Winfixer)
http://www.virustotal.com/analisis/f26a6ee6abf1ed9c1e8828a69ae439be

12 Dec

Fraudware security app on antispywerepro.com

WARNING: Fraudulent website/application!

Known fraudulent antispyware application called ‘SpywareStop’ is being hosted on antispywerepro.com.  For those keeping score, it used to be called ‘SpywareBot’.


Downloaded file: setupxv.exe
VirusTotal detection 5/38
http://www.virustotal.com/analisis/1527d9573168d7997b38ea889f4f89d6

Website:
antispywerepro.com (74.53.28.242)
AS21844 | 74.53.28.242 | ThePlanet.com Internet Services Inc.

–mwdisector

27 Nov

Fake antivirus site features drive-by install of PDF exploits

Here’s a fake antivirus site that has a special *gift* for you when you visit: PDF exploits! When you visit the site it attempts a drive-by install using an exploit-embedded PDF file.

Bad Site:
hxxp://2008-noadware-antivirus.com (68.180.151.74)
AS36752 | 68.180.151.74 | YAHOO-SP1 - Yahoo

Goes to:
hxxp://abb192.cn/exp/index.php
hxxp://abb192.cn/exp/load.php?id=2926
abb192.cn (82.192.88.2)
AS16265 | 82.192.88.2 | LEASEWEB LEASEWEB AS

Launches a process called AcroRd32.exe (Acrobat Reader) and slows your machine down to a crawl.

Pulls down a PDF file. VT coverage is 10/37.
http://www.virustotal.com/analisis/28d3a59…f1ac43bd00fe253

Found a load.exe file from hxxp://abb192.cn/exp/load.php?id=2926
VT coverage is low 4/37.
http://www.virustotal.com/analisis/e22e2de…830413b3d949441

See a connection to:
hxxp://sp2.information.com/?epl=[long encoded query string omitted]

abb192.cn was registered on 10/29 and hosted on a Leaseweb box in Amsterdam.
Other domains on that IP 82.192.88.2:
abbcp.cn
abc801.cn
bmanager.shadypart.net
shadypart.net
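An added detection example, not part of the original post: a process-lineage rule over constructed process-creation events that flags the chain described above, a browser launching Acrobat Reader which in turn spawns a dropped executable such as load.exe. The PIDs and the benign comparison processes are constructed.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image")

# Constructed process-creation events modelled on the chain described above:
# the browser opens the PDF, Acrobat Reader is launched, a dropped executable starts.
SAMPLE_EVENTS = [
    Proc(100, 1, "explorer.exe"),
    Proc(200, 100, "iexplore.exe"),
    Proc(300, 200, "AcroRd32.exe"),
    Proc(400, 300, "load.exe"),
    Proc(500, 100, "AcroRd32.exe"),   # reader opened from Explorer: benign
    Proc(600, 500, "AcroRd32.exe"),   # reader's own helper process: benign
]

BROWSERS = {"iexplore.exe", "firefox.exe"}
READERS = {"acrord32.exe", "acrobat.exe"}


def build_index(events):
    """Map pid -> Proc so parents can be looked up quickly."""
    return {p.pid: p for p in events}


def ancestry(index, pid):
    """Return the chain of image names from pid up to the root, lower-cased."""
    chain, seen = [], set()
    while pid in index and pid not in seen:   # guard against pid reuse loops
        seen.add(pid)
        chain.append(index[pid].image.lower())
        pid = index[pid].ppid
    return chain


def flag_reader_children(events):
    """Flag any non-reader process whose parent is a PDF reader that a browser spawned.

    A reader launched from Explorer, or a reader spawning its own helper, is not flagged;
    only the browser -> reader -> dropped-executable shape is.
    """
    index = build_index(events)
    hits = []
    for p in events:
        chain = ancestry(index, p.pid)
        # chain[0] is the process itself, chain[1] its parent, chain[2] its grandparent
        if (len(chain) >= 3 and chain[0] not in READERS
                and chain[1] in READERS and chain[2] in BROWSERS):
            hits.append(p)
    return hits
```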

-mwdisector

27 Nov

More mailing list unsubscription phishing websites

STAY AWAY from these because in reality they are being used to collect email addresses likely for future SPAM campaigns.  I also suspect these domains are part of a current fake XP activation SPAM campaign.

DOMAINS:

IPs INVOLVED:
27645 | 66.79.162.82 | ASN-NA-MSG-01 - Managed Solutions Group, Inc.
33314 | 66.79.162.82 | ASN-AKANOC-SJC-01 - AKANOC Solutions Inc.
16131 | 91.199.50.101 | GRAFIX-IS GrafiX Internet B.V.

–mwdisector

24 Nov

New fake security software called Micro Antivirus 2008

Note: This site is distributing a rogue (“fake”) anti-malware product.  Do not visit, pay for, or download the software discussed below.

Product named 2008 yet website is 2009. I see that microav2008.com is available, maybe they should register that too.  ;-)

Fake Product Name:
Micro Antivirus 2008

Site: microav2009.com

IP: 91.208.0.223
Location: Russia
Registration:
ICANN Registrar: INTERNET.BS CORP.
Created:  2008-09-24

File:
MicroAVSetup.exe
VirusTotal coverage: 27/37
http://www.virustotal.com/analisis/38e2f2bc89e9803b8d313424f21957cd

20 Nov

Antivirus 2009

Note: This site is distributing a rogue (“fake”) anti-malware product.  Do not visit, pay for, or download the software discussed below.

Very low detection.
Site:
hxxp://antivirus-premium-scan.com/2009/1/en/_freescan.php?nu=77025304

File: A9installertest_77025304.exe
Virustotal: Result 1/36 (2.78%)

Additional information
File size: 163840 bytes
MD5…: ccdfcdcea179cf0ecf12035d5ee8b821
SHA1..: e85dd4eebb5ae4d61f36385281922637712a56bd
SHA256: 6ffe5e74108fce512aa3c2de39e13ea9aebdda9606a7966d424254282679c03c
SHA512: 4de947fd4bf09f6ac2ef6dc34fafdf471555fe6e37dc0f8722cd4e726b5d6dc53c76a98f2786df5af5527f0356715bf5787f2b6b44a15eeffea5ff7aed4b6d37
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)

19 Nov

Fake Activation and Mailing List Unsubscribe Websites

In the past few days I’ve seen many websites pop up pretending to be mailing list unsubscription sites.  And per usual, these sites feature legit sounding names like antivirus-activation-code1.org or online-activation-code.info.

Example screenshot (fake unsubscribe page).

STAY AWAY from these because in reality they are being used to collect email addresses likely for future SPAM campaigns.  I also suspect these domains are part of a current fake XP activation SPAM campaign.

Domains involved:


IPs associated with these:
66.79.162.82
67.209.140.130

antivirus-activation–code2.org
91.199.50.101

BE ADVISED: These sites may still be active, be careful!

–mwdisector

15 Nov

Database Update - 19 Files (Low Detection)

Quite a few files added to the database today. As you can see below, these aren’t detected by many AVs out there.

BE ADVISED: These URLs may still be active. Proceed at your own risk!

A9installer_77024202.exe
Result: 0/36 (0%)
MD5: fd6c1b0cec99796c72213ee330eb7b58
VirusTotal
ThreatExpert Analysis
hxxp://allinone-scanner.com/2009

av_2009.exe
Result: 1/36 (2.78%)
MD5: 4c68e58e317f7111ac147d5279ef23e0
VirusTotal
ThreatExpert Analysis

zcodec.1482.exe
Result: 3/36 (8.34%)
MD5: 9acea07175a11ae690263f9be7828467
VirusTotal
ThreatExpert Analysis
hxxp://codecdownload.pc-storesoft.com

doc.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://chanchoi.cn

default.exe
Result: 13/36 (36.12%)
MD5: 58e3a60289854bb435570a14ac3c616e
VirusTotal
ThreatExpert Analysis
hxxp://chanchoi.cn

kryostm.dll
Result: 21/36 (58.34%)
MD5: b8d72237913a95b597583f8f91181ed8
VirusTotal
ThreatExpert Analysis

kryo2.sys & pavtpk.sys
Result: 20/36 (55.56%)
MD5: abbce53fa9411adbd8a870ae9c27a92e
VirusTotal
ThreatExpert Analysis

test.pdf
Result: 10/36 (27.78%)
MD5: 220e84ba5748fbd62234f3f8db52c660
VirusTotal
hxxp://onlinestat.cn

file1.exe & U.exe
Result: 4/36 (11.12%)
MD5: 0fe5b393bef43d95f5e86c820097491e
VirusTotal
ThreatExpert Analysis
hxxp://onlinestat.cn

ntos.exe
Result: 4/36 (11.12%)
MD5: fbe5869d3f03108296e10a81e9b7d160
VirusTotal
ThreatExpert Analysis

After multiple runs through a sandbox, these different binaries were downloaded

ntos.exe
Result: 4/36 (11.12%)
MD5: df4f605f59823324cceaf359d46a5d27
VirusTotal
ThreatExpert Analysis

ntos.exe
Result: 5/36 (13.89%)
MD5: fa736d7136176eebfcefd109b33f2e90
VirusTotal
ThreatExpert Analysis

soft.exe
Result: 9/36 (25%)
MD5: dcdd783dd8f84ef8b9a0c8233d152540
VirusTotal
ThreatExpert Analysis

csrss7.dll
Result: 3/36 (8.34%)
MD5: e87c0ab9c96b000f86199118d38539c1
VirusTotal
ThreatExpert Analysis

This sample also modified the hosts file to block international search engines (AOL, Google, and MSN).
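An added example, not from the original post: a Python check that parses a hosts file and flags entries pinning major search-engine domains to loopback or the unspecified address (blackholed, as described above) or to any other address (redirected). The sample hosts file and the watched-domain list are constructed; the non-loopback address comes from a documentation range.

```python
import ipaddress

# Constructed sample hosts file: the first three lines are normal, the rest mimic
# entries that blackhole or hijack search engines (192.0.2.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.google.com
0.0.0.0         search.msn.com
192.0.2.10      www.aol.com
"""

# Domains whose presence in a hosts file is almost never legitimate on a user PC.
WATCHED_SUFFIXES = ("google.com", "msn.com", "aol.com", "live.com", "yahoo.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank lines and aliases' case."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return (hostname, ip, kind) for watched domains found in the hosts file.

    kind is 'blackholed' for loopback/unspecified targets, 'redirected' for any
    other address, and 'unparsable address' if the first field is not an IP.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not any(name == s or name.endswith("." + s) for s in watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparsable address"))
            continue
        kind = "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((name, ip, kind))
    return findings
```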

doc.pdf
Result: 12/36 (33.34%)
MD5: 9b3822a11c9e94763150282f0c9b1d01
VirusTotal

default.exe & ~.exe
Result: 8/36 (22.23%)
MD5: 4dcc389638a9cf14972752df79ed0dd6
VirusTotal
ThreatExpert Analysis

nvaux32.exe
Result: 8/36 (22.23%)
MD5: 94d724d0740a3f6a26b624051950b053
VirusTotal
ThreatExpert Analysis

user32.dll
Result: 8/35 (22.86%)
MD5: 5f24060f06fd415314485a66a0be8726
VirusTotal
ThreatExpert Analysis

flash_update.exe (Koobface Facebook Worm)
Result: 7/36 (19.45%)
MD5: f47a95dc8003bb0f206d836b757fa9f3
VirusTotal
ThreatExpert Analysis
hxxp://youtube-cam.com




