Monday, June 29, 2009

AntivirusBest

Antivirus Best is fake security software (a rogue). It displays fake alerts about a supposed infection to push users into buying a license.
It belongs to the same family as Total Virus Protection, Anti-Virus Number-1, Antivirus Sentry, Antivirus 2010, Micro Antivirus 2009, MS Antivirus, Smart Antivirus 2009, System Antivirus 2008, Antivirus 2009, Internet-antivirus.

Saturday, June 27, 2009

Secret Service Rogue

Secret Service is a new rogue made by TRITAX (creator of Crusader Antivirus). It uses part of the sample used by Privacy Center (the Russian female voice).
The rogue drops many fake executables on the system and also flags legitimate files as infected, to scare users into buying a license.

Sunday, June 21, 2009

Antivirus Protection

Antivirus Protection is a clone of Antivirus 2009.



Thanks to Bharath

Thursday, June 18, 2009

Virus Remover Pro.

Virus Remover Professional is a new rogue. It is from the same family as Extra Antivirus, AV Antispyware, PAntispyware09, MS Antispyware 2009, Pro Antispyware 2009, SysAntivirus 2009, WinSpywareProtect.
As always, it detects fake infections to scare users and promises to remove all infected files/keys once activated for $49,95 (1-year license).



Thanks fly to Bharath.
BleepingComputer Removal Guide.

Wednesday, June 17, 2009

Malware Destructor

Malware Destructor 2009 is a new fake security scanner (rogue). It belongs to the same family as FastAntivirus, MalwareCatcher, VirusShield, Extra Antivirus, Virus Sweeper, Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm. MalwareDestructor comes from fake online scanners and detects nonexistent malware to scare users.

Saturday, June 13, 2009

DOS Fake Online Scanner

The VirusShield rogue comes from fake online scanners. Usually, those fake scanners imitate the Windows (XP/Vista) style. This new one has a DOS design, in a browser page, with an imitation STOP (BSOD) alert.



Thursday, June 11, 2009

Advanced Virus Remover

Advanced Virus Remover Rogue displays fake infections to incite users into buying a license.



Notice the shared IP with VSCodec Pro and other rogues.

Tuesday, June 9, 2009

Loaris Trojan Remover is not Rogue

Loaris Trojan Remover was classified as a rogue a few days ago because of suspicious coincidences:
- It is hosted on an IP block known for criminal activity.
- The HijackThis program was bundled without Trendsecure's permission.
- Users had to buy a license to activate the cleaning option. This would not be a problem if we ignore the fact that registering means giving personal information from an infected system. But important rogue components remain active after the cleaning process, while the Loaris removal guide claims to remove those rogues and argues it "was created especially for such types of rouge programs".

Loaris Trojan Remover never acts like classic rogues.
- It does NOT show fake alerts,
- It does NOT hijack the internet browser,
- It is NOT promoted via Trojans or fake online scanners.

Considering that the creators quickly removed HijackThis from their tool and are thinking about moving to another provider that is not involved in illegal activities,
considering that the tool now has a 15-day trial, so users don't have to buy a license and can test its efficiency (the web pages saying it can remove malware that it was not able to remove have been taken down),
and considering the creators' reactivity in fixing those problems, Loaris Trojan Remover has been declassified from rogue applications.

VSCodec Pro

VSCodecPro is the new version of PCCodecPack, LuxeCodecXP, WinCoDecPRO. It displays fake alerts about media problems.



When the user tries to run Windows Media Player, it displays an alert box and redirects to vs-codec-pro.com web pages.




Friday, June 5, 2009

AdWare.Win32.CashOn

Analysis of a trojan downloader on the MAD blog (in French).

Thursday, June 4, 2009

Loaris Trojan Remover Rogue

Update: Loaris Trojan Remover has been declassified from rogue applications: Link.

Loaris Trojan Remover is a rogue anti-spyware program. The tool has a dirty malware database. It can detect some real infections on a system but is not able to remove the full infection when registered. It is bundled with the HijackThis tool.
The Loaris Removal Guide says it can get rid of the UnVirex rogue. After cleaning, some UnVirex components (LSP hijack) are still active.



loaris.com (216.97.239.105)
Installer is hosted at 88.214.197.165
hosts-file.net

Thanks to MysteryFCM

XP Deluxe Protector Rogue

XPDeluxeProtector is new fake security software from the same creators as Win PC Antivirus, Win PC Defender, XP Police Antivirus, IE-Security, WinDefender 2009 and Total Secure 2009.




BleepingComputer Removal Guide.

Antivirus System Pro

Antivirus System Pro Rogue is a clone of Spyware Protect 2009.
It displays fake infections to incite users into buying a license.



check-viruses.com (67.212.81.29)

antivir2009pro.com (209.44.111.57)
inetavirus.com (209.44.111.57)
inetantivirus.com (209.44.111.57)
inetantivir.com (209.44.111.57)

Wednesday, June 3, 2009

Digiweb corp. rogues

Digiweb corp. (aka ibisweb corp, G. Kavalakis) makes fake security software. Their products detect nonexistent problems (Spyware, Registry, IE Cache, Cookies, ...) to scare users.
Some of their products have the old interface, some others have the new one.

RegistryCleanerPro new and old GUI:



AntiMalwarePro new and old GUI:



AdwarePro new and old GUI:



AntivirusPro new and old GUI:



AntiSpywarePro


AntiTrojanPro


SpywareDestroyer


SearchAndDestroy

Tuesday, June 2, 2009

UnVirex Rogue

UnVirex is a new fake malware cleaner (rogue).



HijackThis symptoms:
O2 - BHO: StatusBarPane - {CCB5551D-8594-4999-85F9-1E3EABCB95AC} - C:\Program Files\UnVirex\IEAddon.dll
O4 - HKLM\..\Run: [UnVirex] C:\Program Files\UnVirex\UnVirex.exe
O10 - Unknown file in Winsock LSP: c:\program files\unvirex\siglsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\unvirex\siglsp.dll

Notice the LSP hijack. Removing the siglsp.dll file without restoring the LSP chain will break the Internet connection.
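
The following Python sketch is an added example, not part of the original post: it parses the HijackThis lines quoted above, groups the entries by file, and flags any file registered as a Winsock LSP (O10), since that file must be taken out of the LSP chain before it is deleted. The function names and the install directory argument are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: the four HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""O2 - BHO: StatusBarPane - {CCB5551D-8594-4999-85F9-1E3EABCB95AC} - C:\Program Files\UnVirex\IEAddon.dll
O4 - HKLM\..\Run: [UnVirex] C:\Program Files\UnVirex\UnVirex.exe
O10 - Unknown file in Winsock LSP: c:\program files\unvirex\siglsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\unvirex\siglsp.dll
"""

# HijackThis section codes that appear in this log.
SECTIONS = {"O2": "Browser Helper Object", "O4": "autostart entry", "O10": "Winsock LSP"}
ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")
WIN_PATH = re.compile(r"[A-Za-z]:\\.*$")  # drive path running to end of line (may contain spaces)


def parse_log(text):
    """Return one dict per HijackThis entry: section code, raw body, lowercased path."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        path = WIN_PATH.search(body)
        entries.append({"section": section, "body": body,
                        "path": path.group(0).lower() if path else None})
    return entries


def triage(entries, install_dir):
    """Group entries under install_dir by file and flag files hooked into the LSP chain."""
    prefix = install_dir.lower().rstrip("\\") + "\\"
    hooks = defaultdict(set)
    for e in entries:
        if e["path"] and e["path"].startswith(prefix):
            hooks[e["path"]].add(e["section"])  # duplicate O10 lines collapse here
    return [{"file": f, "sections": sorted(s), "lsp": "O10" in s}
            for f, s in sorted(hooks.items())]


if __name__ == "__main__":
    for item in triage(parse_log(SAMPLE_LOG), r"C:\Program Files\UnVirex"):
        kinds = ", ".join(SECTIONS.get(s, s) for s in item["sections"])
        note = "repair the LSP chain before deleting" if item["lsp"] else "remove entry, then file"
        print(f'{item["file"]}: {kinds} -> {note}')
```
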

unvirex.com (195.2.253.43)
Registrant: andy (zaxarsoftware@gmail.com)

Thanks to Malware Database