Wednesday, March 31, 2010

Antivirus Suite

Antivirus Suite is a new fake security application (rogue), a clone of Antivirus Soft.

The rogue reports fake infections and prevents legitimate software from running, displaying alert messages to scare users.



If your PC is infected with Antivirus Suite use MBAM to remove the infection.

Thanks To Malekal Morte.

Friday, March 26, 2010

Fake Antivirus, Security Update

AntiVirus is a fake security application. This rogue displays fake alerts, reports non-existent infections to scare users and blocks the execution of legitimate programs, including: freecell.exe, iexplore.exe, itunes.exe, limewire.exe, mbam.exe, mspaint.exe, notepad.exe, rundll32.exe, taskmgr.exe, wmplayer.exe, wordpad.exe

Rogue creators used to build nicer GUIs:


If your PC is infected with AntiVirus use MBAM to remove the infection.

Thursday, March 25, 2010

Antivirus and FP

I did a test on the VirusTotal online scanner with a harmless piece of ASM code.

This is the source code:


.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data                           ; no data at all

.code
start:
    push 0                      ; uExitCode = 0
    call ExitProcess            ; terminate the process immediately
end start


And this is what the compiled binary looks like in a debugger:


00401000 >/$  6A 00         PUSH 0                                   ; /ExitCode = 0
00401002  \.  E8 01000000   CALL jmp.kernel32.exitprocess         ; \ExitProcess
00401007      CC            INT3
00401008   .- FF25 00204000 JMP DWORD PTR DS:[<kernel32.ExitProcess>];  kernel32.ExitProcess


The program just exits. No more, no less.
A few years ago, the VirusTotal result was 3/33, with suspicious virus names. Today, the result is 10/42 for this exit program.

a-squared 4.5.0.50 2010.03.25 Backdoor.Poisonivy.E!IK
AhnLab-V3 5.0.0.2 2010.03.25 -
AntiVir 7.10.5.210 2010.03.25 -
Antiy-AVL 2.0.3.7 2010.03.24 -
Authentium 5.2.0.5 2010.03.25 -
Avast 4.8.1351.0 2010.03.24 -
Avast5 5.0.332.0 2010.03.24 -
AVG 9.0.0.787 2010.03.25 BackDoor.PoisonIvy.AD
BitDefender 7.2 2010.03.25 -
CAT-QuickHeal 10.00 2010.03.25 -
ClamAV 0.96.0.0-git 2010.03.25 -
Comodo 4378 2010.03.25 -
DrWeb 5.0.1.12222 2010.03.25 -
eSafe 7.0.17.0 2010.03.24 -
eTrust-Vet 35.2.7387 2010.03.25 -
F-Prot 4.5.1.85 2010.03.24 -
F-Secure 9.0.15370.0 2010.03.25 -
Fortinet 4.0.14.0 2010.03.24 -
GData 19 2010.03.25 -
Ikarus T3.1.1.80.0 2010.03.25 Backdoor.Poisonivy.E
Jiangmin 13.0.900 2010.03.25 -
K7AntiVirus 7.10.1004 2010.03.22 Trojan.Win32.Xorpix
Kaspersky 7.0.0.125 2010.03.25 -
McAfee 5930 2010.03.24 -
McAfee+Artemis 5930 2010.03.24 Artemis!CD73D32FC69E
McAfee-GW-Edition 6.8.5 2010.03.25 -
Microsoft 1.5605 2010.03.25 -
NOD32 4972 2010.03.24 -
Norman 6.04.10 2010.03.24 -
nProtect 2009.1.8.0 2010.03.25 -
Panda 10.0.2.2 2010.03.24 -
PCTools 7.0.3.5 2010.03.25 -
Prevx 3.0 2010.03.25 High Risk System Back Door
Rising 22.40.03.04 2010.03.25 -
Sophos 4.52.0 2010.03.25 Mal/Generic-A
Sunbelt 6075 2010.03.25 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.03.25 Suspicious.Insight
TheHacker 6.5.2.0.242 2010.03.24 -
TrendMicro 9.120.0.1004 2010.03.25 -
VBA32 3.12.12.2 2010.03.25 -
ViRobot 2010.3.25.2243 2010.03.25 -
VirusBuster 5.0.27.0 2010.03.24 Backdoor.Poisonivy.MM

Additional information
File size: 1536 bytes
MD5...: cd73d32fc69e10e9f4b7c736cfaf2f22
SHA1..: acfa9c1beadfd9021552fe962029d00aea25221a
SHA256: cbe4ce3d527e6d6c0d0c94e9cf5e8b064c4205e35fc31ee99bfd04dfe50c1464
ssdeep: 3:WlWUqt/vllXl+YZcFTS9gXeF+X32ZpfLj4UTqQat4ll/ml8UTXlAkQ9dlllNl//w:idq2Vg3F+X32Tj4HYlOFiHUEEu2OuB

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x46ca8aeb (Tue Aug 21 06:49:15 2007)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xe 0x200 0.16 b429b070d0408908f37618354c81acb1
.rdata 0x2000 0x54 0x200 0.62 9469b36bdb6e6a481f3d64647c84b836

( 1 imports )
> kernel32.dll: ExitProcess

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

http://info.prevx.com/aboutprogramtext.asp?PX5=15781E43006B64C30666003B3C2E0700B79BCD14


This test was done with an unpacked binary. Using a packer increases the detection count: 27/42 with FSG and 25/41 with MEW. Various Trojan names were listed, such as Vundo, Trojan-Downloader, Backdoor/RBot and so on.
With the packed versions, some AV engines flag the file through a heuristic routine, which shows in names like Trojan.Generic, Win32.Suspicious, Mal/EncPk-BA and Cryp_MEW-11.

Take care with antivirus results and learn to decode Trojan names.

PS: I've edited the post, writing the conclusion in bold. Some people misinterpret this post: this is just a fun test, not an attack against AV vendors.
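As an added example (not part of the original post), this Python script parses VirusTotal result lines in the format quoted above, computes the detection ratio and separates generic or heuristic verdicts from named-family ones, so that agreement between engines becomes visible. The sample is a constructed subset of the post's results, and the marker and token lists are my own assumptions.

```python
import re
from collections import Counter
# Constructed sample: a subset of the VirusTotal lines quoted in the post.
VT_REPORT = """\
a-squared 4.5.0.50 2010.03.25 Backdoor.Poisonivy.E!IK
AhnLab-V3 5.0.0.2 2010.03.25 -
AVG 9.0.0.787 2010.03.25 BackDoor.PoisonIvy.AD
K7AntiVirus 7.10.1004 2010.03.22 Trojan.Win32.Xorpix
McAfee+Artemis 5930 2010.03.24 Artemis!CD73D32FC69E
Sophos 4.52.0 2010.03.25 Mal/Generic-A
Sunbelt 6075 2010.03.25 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.03.25 Suspicious.Insight
VirusBuster 5.0.27.0 2010.03.24 Backdoor.Poisonivy.MM
"""
# One line = vendor, engine version, signature date (YYYY.MM.DD), verdict or "-" (clean, stored as None).
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
# Assumed lists (mine, not a vendor standard): generic/heuristic verdict markers and type tokens with no family info.
GENERIC_MARKERS = ("generic", "suspicious", "artemis", "heuristic", "insight", "high risk", "mal/")
TYPE_TOKENS = {"backdoor", "trojan", "win32", "w32", "mal", "adware", "worm", "virus"}

def parse_report(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            vendor, version, date, result = m.groups()
            rows.append({"vendor": vendor, "version": version, "date": date,
                         "result": None if result == "-" else result})
    return rows

def detection_ratio(rows):
    return sum(1 for r in rows if r["result"]), len(rows)

def classify(result):
    """Generic/heuristic verdicts say little about the file; a named family is a testable claim."""
    low = result.lower()
    return "generic/heuristic" if any(m in low for m in GENERIC_MARKERS) else "named family"

def family_of(result):
    """Drop engine suffixes (!IK, !BT) and type tokens; the first token left is the family."""
    base = result.split("!")[0]
    for token in re.split(r"[./-]", base):
        if token and token.lower() not in TYPE_TOKENS:
            return token.lower()
    return base.lower()

def family_summary(rows):
    """How many engines agree on each named family, ignoring variant letters (.E, .AD, .MM)."""
    named = (r["result"] for r in rows if r["result"] and classify(r["result"]) == "named family")
    return Counter(family_of(v) for v in named)
```

On the sample, four of the eight hits are generic or reputation verdicts, and the named-family ones agree on a single family; that split is what the post asks readers to look at before trusting a raw ratio.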

Wednesday, March 24, 2010

Security Guard

Security Guard is a new fake antivirus. This rogue drops files on the system and reports them as infected to scare users; the files are filled with junk data and pose no risk. It replaces CleanUp Antivirus and Security Antivirus (family link).



Security Guard is spread through fake online scanners and porn sites.

If your PC is infected with Security Guard use MBAM to remove the infection.

User Protection

User Protection is a fake security application. This rogue prevents legitimate software from running and displays fake alerts and warning messages. User Protection also reports non-existent infections to scare users. It belongs to the CoreGuard family (a Dr. Guard / Paladin Antivirus copycat).



If your PC is infected with User Protection use MBAM to remove the infection or follow Bleeping Computer's removal guide.

Saturday, March 13, 2010

Security Tool Ransomware

A Security Tool affiliate has created a piece of ransomware to scare users: the malware displays a full-screen window with the following message:
WARNING WINDOWS SECURITY CENTER ! DANGEROUS TROJANS, KEYLOGGERS AND SPYWARES DETECTED IN YOUR COMPUTER !!!
For Security of your data computer is locked... To unlock your computer buy the antispyware software below and remove all viruses as soon as possible. In case trojans are not removed from your computer in 3 hours, all data in the computer will deleted. Enter the serial number you are given after buying the antispyware below and unlock your computer and clean the spywares



Entering ANY serial with more than 12 characters will remove the alert.

If your PC is infected with Security Tool Ransomware use MBAM to remove the infection.

Friday, March 12, 2010

Antivirus 7

Antivirus 7 is a new rogue. It replaces Antivir 2010. Like any fake antivirus software, this rogue cannot remove or detect any malware.

Antivirus 7 reports fake infections on a clean system to scare users. It also installs a BHO (Browser Helper Object) to display error messages in Internet Explorer.



If your PC is infected with Antivirus 7 use MBAM to remove the infection or follow Bleeping Computer's removal guide.

Wednesday, March 10, 2010

Smart Security

Smart Security (SmartSecurity, Smart-Security) is a new fake antivirus. It replaces Security Tool (Total Security 2009 family).



Like the previous versions, registering the software does not bring any real updates. The tool is fake: during the download animation there is no network activity, and no files are created when it announces that the tool is now updated. The notable difference is that, once registered, Smart Security no longer detects any malware (so no cleaning is required).

If your PC is infected with Smart Security use MBAM to remove the infection.

CleanUp Antivirus

CleanUp Antivirus is a new fake antivirus. This rogue drops files on the system and reports them as infected to scare users; the files are filled with junk data and pose no risk. It replaces Security Antivirus and My Security Wall (family link).



CleanUp Antivirus is spread through fake online scanners.

If your PC is infected with CleanUp Antivirus use MBAM to remove the infection.

Saturday, March 6, 2010

Gibmedia - ADSPY/Gibmed.A / Adware.Gibmedia

Antivir and MBAM detect GibMedia software as ADSPY/Gibmed.A or Adware.Gibmedia.

The HijackThis symptoms of an Adware.Gibmedia infection are:

O4 - HKCU\..\Run: [WinUsr] C:\Program Files\Winsudate\gibusr.exe
O23 - Service: Gestionnaire de mise à jour Winsudate (WinSvc) - Winsudate - C:\Program Files\Winsudate\gibsvc.exe

GibMedia is a company based in Toulon that offers paid services such as exam results, weather forecasts, directory lookups (...). To access these services, you simply install their software, which contains a Minitel component (published by Synertel).
Once the software is installed, the paid services become accessible. There is no verification (age or contract). Billing is immediate: the Internet provider adds a surcharge to the Internet connection bill as a "Minitel" service.

Many users are surprised to see a "Service Minitel" line appear on their Internet bill; some of them never installed GibMedia's software themselves.
This lack of control during installation, together with the fact that the services offered are available for free on other websites (meteofrance.com, education.gouv.fr, pagesjaunes.fr ...), has led antivirus vendors to classify these products as Adware or AdSpy.




If your PC is infected with GibMedia, follow the help on Malekal's site while using MBAM.


GIBMEDIA, monetisation at the heart of a strategy:

Monday, March 1, 2010

Antivir rogue

Antivir takes its name from the real Antivir antivirus by Avira. This Antivir is a fake security application (a clone of Antivir 2010).

Like any fake antivirus software, this rogue cannot remove or detect any malware.



If your PC is infected with Antivir use MBAM to remove the infection.

Thanks to Miekiemoes.