Wednesday, April 29, 2009

CoreGuard Antivirus 2009

CoreGuard Antivirus is a new fake security scanner (rogue).



Stay away from these sites:
bitcoreguard.net (72.232.187.197)
bitcoreguard.com (72.232.187.197)
guardlab.com (72.232.187.198)
guardav.com (72.232.187.198)
coreguard2009.com (78.46.151.181)
coreguard2009.biz (78.46.151.181)
coreguard2009.net (78.46.151.181)
coreguardlab2009.biz (95.211.14.161)
coreguardlab2009.net (95.211.14.161)
coreguardlab2009.com (95.211.14.161)
guardlab2009.biz (76.76.103.164)
guardlab2009.net (76.76.103.164)
guardlab2009.com (76.76.103.164)

BleepingComputer CoreGuard Antivirus 2009 removal guide.
Thanks to MAD

Tuesday, April 28, 2009

Virus Shield

VirusShield is a new fake security scanner (rogue). It belongs to the same family as Extra Antivirus, Virus Sweeper, Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm. Virus Shield comes from fake online scanners.



BleepingComputer Virus Shield removal guide.

Friday, April 24, 2009

ErrorEasy

ErrorEasy is a rogue that belongs to the same family as ErrorFix, RegTool, RegfixPro.
These fake tools do not detect infected files or malware; they report fake registry problems.



Another rogue (ErrorRepairTool) shows a relationship between PC Utility Inc. (the publisher of these tools) and 2Squared.com (a known rogue publisher). But PC Utility Inc. claims that their products are legit and that there is no relationship with 2Squared.com.

IPs of the ErrorRepairTool websites and the company named on their privacy page:
updatesprofessional.com (174.36.234.248) 2Squared Inc.
updates-micro.com (174.36.234.248) 2Squared Inc.
fixupdates.com (174.36.234.248) 2Squared Inc.
fix-xp.com (174.36.234.248) 2Squared Inc.
registry-updates.com (174.36.234.248) 2Squared Inc.

errorrepairtool.com (75.125.61.163) PC Utility Inc.
errorstool.com (75.125.61.163) PC Utility Inc.
errorsrepair.com (75.125.61.163) PC Utility Inc.

All pages where PC Utility Inc. was quoted have been removed (they were online yesterday). Google's cache still keeps some traces of them:


It was exactly the same page, but 2Squared Inc. was replaced by PC Utility Inc.


Back to ErrorEasy. To update itself, ErrorEasy contacts
ErrorEasy.com/databases/getinfo.php
database.registrysmart.com/updates/definitions.db
database.privacycontrol.com/updates/privacy.db

Looks like déjà vu; see the RegistryFox rogue (from another known rogue company: AntiSpyware LLC).

database.registrysmart.com (75.125.200.226)
adwarealert.com (75.125.200.226)
evidenceeraser.com (75.125.200.226)
registrysmart.com (75.125.200.226)
restore-pc.com (75.125.200.226)

privacycontrol.com (75.125.61.162)
errorsweeper.com (75.125.61.162)
antispywarebot.com (75.125.61.162)
regclean.com (75.125.61.162)
2squared.com (75.125.61.162)
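The relationship argued in this post rests on infrastructure overlap: domains attributed to two "different" companies sit on the same server or in the same small IP range. The following Python script is an added example (not code from this blog or from either company) that parses the `domain (IP) [company]` lines used throughout these posts, groups them by IP and by /24, and emits a hosts-file blocklist. The sample input is copied from the lists above; `group_by_subnet`, `hosts_blocklist` and the other names are this example's own.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Sample input: IoC lines copied from the post above (the company column is optional).
IOC_LINES = """
updatesprofessional.com (174.36.234.248) 2Squared Inc.
fixupdates.com (174.36.234.248) 2Squared Inc.
errorrepairtool.com (75.125.61.163) PC Utility Inc.
errorstool.com (75.125.61.163) PC Utility Inc.
errorsrepair.com(75.125.61.163) PC Utility Inc.
database.registrysmart.com (75.125.200.226)
adwarealert.com (75.125.200.226)
privacycontrol.com (75.125.61.162)
errorsweeper.com (75.125.61.162)
2squared.com (75.125.61.162)
"""

# domain, optional whitespace, "(dotted-quad)", optional trailing company name.
LINE_RE = re.compile(
    r"^\s*(?P<domain>[A-Za-z0-9.-]+)\s*\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s*(?P<company>.*?)\s*$"
)


def parse_iocs(text):
    """Return a list of (domain, ip, company) tuples; company is '' when absent."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # blank lines or prose between the lists
            continue
        records.append((m["domain"].lower(), m["ip"], m["company"]))
    return records


def group_by_ip(records):
    """Map each IP to the domains hosted on it, in input order."""
    by_ip = defaultdict(list)
    for domain, ip, _company in records:
        by_ip[ip].append(domain)
    return dict(by_ip)


def group_by_subnet(records, prefix=24):
    """Map each /prefix network to the sorted set of domains inside it.

    Adjacent hosts (e.g. .162 and .163) land in the same bucket, which is the
    pivot that ties 2squared.com to the PC Utility Inc. domains in this post.
    """
    by_net = defaultdict(set)
    for domain, ip, _company in records:
        net = ip_network(f"{ip}/{prefix}", strict=False)
        by_net[str(net)].add(domain)
    return {net: sorted(domains) for net, domains in by_net.items()}


def hosts_blocklist(records):
    """Render the unique domains as hosts-file lines pointing at 0.0.0.0."""
    domains = sorted({domain for domain, _ip, _company in records})
    return "\n".join(f"0.0.0.0 {domain}" for domain in domains)


if __name__ == "__main__":
    recs = parse_iocs(IOC_LINES)
    for net, domains in sorted(group_by_subnet(recs).items()):
        print(net, "->", ", ".join(domains))
    print(hosts_blocklist(recs))
```

Grouping by /24 rather than exact IP is what surfaces the overlap: `2squared.com` (75.125.61.162) and `errorrepairtool.com` (75.125.61.163) fall into the same 75.125.61.0/24 bucket, while the 174.36.234.248 and 75.125.200.226 domains form their own clusters.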

In the code of ErrorEasy, there is a hardcoded URL to 2Squared.com:



The database is the same as the AntiSpyware LLC rogue's.
There is a hardcoded 2Squared.com string in the PC Utility Inc. tool.
And no relationship?

Thursday, April 23, 2009

Advanced Spyware Detector

Advanced Spyware Detector is a new rogue. It is also known as Advanced Spyware Detect or Advansed Spyware Detector (a typo in the binary's version tab and in the registry keys).

This fake security software detects false positives to justify an infection and scare users.


It replaces the desktop background with a fake security message.

Tuesday, April 21, 2009

Malware Cleaner

MalwareCleaner is a new rogue. This fake security software drops many fake executables on the system to justify an infection and scare users.



BleepingComputer Removal Guide.

ErrorFix, RegTool, RegfixPro

ErrorFix, RegTool, RegfixPro are new rogues. They are from the same family and have the same GUI. These fake tools do not detect infected files or malware; they report fake registry problems.

Malwarebytes removal instructions for ErrorFix, RegTool, RegFix Pro.

Monday, April 20, 2009

Extra Antivirus

ExtraAntivirus is a new rogue. It is from the same family as AV Antispyware, PAntispyware09, MS Antispyware 2009, Pro Antispyware 2009, SysAntivirus 2009, WinSpywareProtect.



It shares its name with another rogue that is not from the same family. With so many rogues, it's no surprise that two families end up with the same product name one day.

Thanks to Bharath

PCCodecPack

PC Codec Pack is the new version of LuxeCodecXP, WinCoDecPRO.

PCCodecPack displays a codec error and redirects the infected user to the PCCodecPack website.



The fake alert binary uses Lighty Compressor (also seen on the WinPC Antivirus dropper and the DNS.Changer dropper).

Extra Antivirus

ExtraAntivirus is a new rogue. It belongs to the same family as Virus Sweeper, Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm.





Extra Antivirus comes from fake online scanners. Extra Antivirus drops many files on the system with different filenames taken from a dictionary. These files are not Win32 executables and are detected as infections to scare users.

BleepingComputer Removal Guide.

Saturday, April 18, 2009

AV Antispyware

AVAntispyware is a new rogue. It is from the same family as PAntispyware09, MS Antispyware 2009, Pro Antispyware 2009, SysAntivirus 2009, WinSpywareProtect.
As always: detection of fake infections to scare users, and a promise to remove all infected files/keys once activated for $49,95 (6-month license).



BleepingComputer Removal Guide.

WiniBlueSoft

WiniBlueSoft is a new fake antimalware. This rogue detects fake infections on a clean system and displays lots of warning messages urging the user to remove them.
Many files are created on the system (with random filenames) to simulate an infection. Those files are not executable and are filled with junk.



WiniBlueSoft also displays a fake Windows Security Center window.



BleepingComputer WiniBlueSoft removal guide.

Friday, April 17, 2009

Home Antivirus 2009

HomeAntivirus 2009 is a new fake antivirus/antimalware software. This rogue writes files to the system (filled with junk) and detects them as infections to scare users. These files have random filenames, are not executable and are not infected. Home Antivirus 2009 displays alerts urging the user to register in order to remove those files.



HomeAntivirus2009 replaces the original Windows Security Center with its own and forces the Control Panel into classic view.

Thanks to Grinler
BleepingComputer Home Antivirus 2009 removal guide.

Wednesday, April 15, 2009

Antivirus'09

Antivirus 2009 (aka Antivirus'09, Antivirus09) is a fake security software (rogue).

Antivirus'09 is installed through fake online antivirus scanners. This JavaScript animation pretends to detect nonexistent infected files on the system to scare users and proposes a free scan with Antivirus'09.


Once installed, Antivirus'09 detects many nonexistent infected files and displays alerts urging the user to register.




Thanks to Bharath

Tuesday, April 14, 2009

P Antispyware 09

PAntispyware09 is a new rogue. It is from the same family as MS Antispyware 2009, Pro Antispyware 2009, SysAntivirus 2009, WinSpywareProtect.



Thanks to Bharath
BleepingComputer Removal Guide.

TotalAntiSpyware, SysCleaner, WebAntiSpy, Rebrand Software

Rebrand Software is a company that sells empty projects. Some of these products are security software. Rebrand customers buy a kit and finish their new software with their own graphics and name. Total Antispyware and Sys Cleaner Pro are made with those ready-made kits:

Installer screens of SysCleanerPro, TotalAntispyware, and an empty project:

Graphical user interface (GUI) of TotalAntiSpyware and an empty project:




One of the new Rebrand Software products is a HijackThis-like tool (note the misplaced button bug):




syscleanerpro.com (64.191.12.38)
av-antispyware.com (64.191.12.38)
antispylist.com (64.191.12.38)
addantivirus.com (64.191.12.38)
antispyme.com (64.191.12.38)
totalantispyware.com (64.191.12.38)
totalantispyware.net (64.191.12.38)
totalantispyware2009.com (64.191.12.38)
system-cleanerpro.com (64.191.12.38)

Is Web Antispy going to be the next of these DIY rogues? At this time the WebAntispy page is hosting the TotalAntispyware rogue.

webantispy.com (65.110.60.123)



Thanks to Sparsha

Saturday, April 11, 2009

Antivirus Plus

AntivirusPlus is another fake security software (rogue). This scareware is not new, but it was not very active. Recently, more fake online scanners have been advertising Antivirus Plus as the removal tool.

easyincomeprotection.cn (94.247.2.215)
easybestprotection.cn (94.247.2.215)
easypersonalprotection.cn (94.247.2.215)
freedefense2u.cn (94.247.2.215)
myascertainpoison.cn (94.247.2.215)
mycheckdiseasestore.cn (94.247.2.215)
mydefense4you.cn (94.247.2.215)
refugepro.cn (94.247.2.215)
yourguardforyou.cn (94.247.2.215)
yourguardonline.cn (94.247.2.215)
yourguardpro.cn (94.247.2.215)
yourguardstore.cn (94.247.2.215)

av-plus-support.com (94.247.2.215)
myplusantiviruslive.com (94.247.2.215)

easyaddedantivirus.com (94.247.2.215)
myplusantiviruspro.com (94.247.2.215)
yourcountedantivirus.com (94.247.2.215)
addedantivirusonline.com (94.247.2.215)
addedantivirusstore.com (94.247.2.215)
realantivirusplus.com (94.247.2.215)
addedantiviruspro.com (94.247.2.215)
addedantiviruslive.com (94.247.2.215)

The rogue detects a lot of infections (all nonexistent); once registered, it proposes to remove them. If we decline (ALT-F4 to quit), they have all disappeared on the next execution anyway.

Thursday, April 9, 2009

Virus Sweeper

Virus Sweeper is a new rogue. It belongs to the same family as Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm. The GUI is always the same; only the title changes. Note that two GUIs exist, one with a Vista skin, the other with an XP skin.





As for the previous rogues of this family, the software is hosted on Google Code.

Virus Sweeper comes from fake online scanners. Nonexistent files are detected on a clean system, and installation of the software is proposed to users for a free scan.
Virus Sweeper drops many files on the system with different filenames taken from a dictionary. These files are not Win32 executables, yet they are detected as infections.
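Several posts on this page (Virus Sweeper here, and Extra Antivirus, WiniBlueSoft and Home Antivirus 2009 above) describe the same trick: junk files with random or dictionary names are dropped and then "detected" as infections, even though they are not Win32 executables. A quick triage step when a scanner flags such a file is to check whether it is a PE image at all. The Python below is an added example, not code from this blog: `is_win32_executable` validates the DOS `MZ` stub, follows `e_lfanew` at offset 0x3C and checks for the `PE\0\0` signature, and `triage` classifies a set of in-memory samples. The two sample byte strings are constructed for the example (a minimal synthetic PE header and a junk blob); no real rogue files are involved.

```python
import struct
from pathlib import Path

# Constructed sample: a minimal DOS header whose e_lfanew (offset 0x3C) points
# at a "PE\0\0" signature. It is not a runnable program, only a valid header shape.
MINIMAL_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"

# Constructed sample: the kind of junk a rogue drops under a random filename.
JUNK_DROPPED = b"\x8f\x12\xa0junk filler text \x00\xff\x7e dictionary-word.dll"


def is_win32_executable(data: bytes) -> bool:
    """Return True only if data carries an MZ stub whose e_lfanew reaches a PE signature.

    This is the minimum a 'detection' of an executable should be able to show;
    the rogues described above flag files that fail this check.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):          # pointer runs past the end of the file
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(samples: dict) -> dict:
    """Classify {name: bytes} as 'pe' or 'not-pe' and summarise the counts."""
    verdicts = {name: ("pe" if is_win32_executable(blob) else "not-pe")
                for name, blob in samples.items()}
    summary = {
        "pe": sum(1 for v in verdicts.values() if v == "pe"),
        "not-pe": sum(1 for v in verdicts.values() if v == "not-pe"),
    }
    return {"verdicts": verdicts, "summary": summary}


def triage_directory(directory: str) -> dict:
    """Apply the same check to every regular file under a directory (example helper)."""
    samples = {}
    for path in Path(directory).iterdir():
        if path.is_file():
            samples[path.name] = path.read_bytes()
    return triage(samples)


if __name__ == "__main__":
    result = triage({"frmwrk32.exe-like-header": MINIMAL_PE, "qwjk1234.dll": JUNK_DROPPED})
    for name, verdict in result["verdicts"].items():
        print(f"{name}: {verdict}")
    print(result["summary"])
```

A file that the rogue reports as infected but that fails `is_win32_executable` cannot be the Win32 malware the alert claims; that mismatch, repeated across dozens of randomly named files, is the signature of the scareware behaviour these posts describe.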

BleepingComputer Removal Guide.
Malwarebytes VirusSweeper Blog Post.

Antivirus XP Pro 2009

Antivirus XP Pro 2009 is a fake security software (rogue). It displays fake alerts and detects fake infections on the system. AntivirusXPPro2009 is from the same family as Renus 2008.

A real piece of malware hijacks the desktop and promotes the rogue with popups.



Looking into the code, we can see that right after registration the rogue removes the malware and the restriction that prevents users from restoring the original desktop background. It then displays the "Register Success" message box.

Desktop Hijack

This kind of desktop hijack is used to scare users. The malicious code installs restrictions to prevent infected users from restoring their original background picture.



The message in the taskbar is from the malware and leads to Antivirus XP Pro 2009 fake security software (rogue) website.

One symptom of the hijack is the presence of this startup entry (HijackThis O4 line):
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
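A HijackThis log is usually where this persistence shows up first, so it is worth being able to pull the `O4` registry Run entries out of a log and flag the ones tied to a known hijacker. The Python below is an added example, not code from this blog or from HijackThis: `parse_o4` extracts hive, key, value name and image from `O4 - HK..\..\Run:` lines, and `analyze` flags an entry when its image matches the `frmwrk32.exe` indicator from this post or, as a heuristic assumed for the example, when it is a bare filename with no directory (legitimate Run entries almost always carry a full path). The sample log is constructed; only the `frmwrk32.exe` line is taken from the post.

```python
import re

# Constructed HijackThis-style excerpt. Only the "Framework Windows" / frmwrk32.exe
# line is from the post; the other entries are invented benign-looking examples.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Example Launcher.lnk = C:\Program Files\Example\launcher.exe
"""

# Indicator taken from the post above (Antivirus XP Pro 2009 desktop hijack).
KNOWN_BAD_IMAGES = {"frmwrk32.exe"}

# Registry form of an O4 line: "O4 - HKLM\..\Run: [value name] command".
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<command>.*)$"
)


def image_path(command: str) -> str:
    """Return the executable path from a Run command (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0] if command else ""


def parse_o4(log: str) -> list:
    """Extract registry Run/RunOnce entries; startup-folder O4 lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = image_path(m["command"])
        entries.append({
            "line": line.strip(),
            "hive": m["hive"],
            "key": m["key"],
            "name": m["name"],
            "path": path,
            "image": path.replace("/", "\\").split("\\")[-1].lower(),
        })
    return entries


def analyze(log: str) -> list:
    """Attach a list of reasons to each entry; an empty list means nothing was flagged."""
    for entry in parse_o4(log):
        reasons = []
        if entry["image"] in KNOWN_BAD_IMAGES:
            reasons.append("known rogue/hijacker IoC")
        # Heuristic assumed for this example: a Run value that is a bare filename
        # relies on search-path resolution, which legitimate installers rarely do.
        if entry["path"] and "\\" not in entry["path"] and "/" not in entry["path"]:
            reasons.append("bare filename, no directory")
        entry["reasons"] = reasons
        yield entry


def flagged(log: str) -> list:
    """Only the entries with at least one reason."""
    return [e for e in analyze(log) if e["reasons"]]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f'{e["hive"]}\\..\\{e["key"]} [{e["name"]}] {e["path"]} -> {", ".join(e["reasons"])}')
```

Run against the sample, only the `[Framework Windows] frmwrk32.exe` entry is reported, with both reasons; the quoted Java path and the fully qualified `ctfmon.exe` pass, and the `Global Startup` line is ignored because it is not a registry Run entry.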

Thursday, April 2, 2009

WinPC Antivirus

WinPC Antivirus is a Fake Security application. It replaces WinPC Defender.

These rogues are from the same creators as XP Police Antivirus, IE-Security, WinDefender 2009 and Total Secure 2009.



Once registered, all the detected fake malware is gone. It also looks like the designers forgot to remove part of the GUI skin
(clicking the Help & Support button redirects to the win-pc-defender website).



Thanks to Bharath
WinPC Antivirus on MAD Blog
Bleepingcomputer Removal guide