URLVoid Blog

We have detected few fake scanner pages that are still active and that distribute the dangerous executable files of rogue security software.

First initial fake alert:

Fake scanner page in action:

Prompt to download the (infected) setup file of the rogue software:

Report date: 2011-04-15 01:10:23 (GMT 1)
File name: bestav2-exe
File size: 374784 bytes
MD5 hash: a31da4fa72e277fe8abf298a4aa30d9d
SHA1 hash: 0f7bb119ff7889d3981d8ecdf2494c1cf4ba1a42
Detection rate: 7 on 10 (70%)
Status: INFECTED
Antivirus Database Engine Result
Avast 15/04/2011 5.0 Win32:Renos-ACT [Trj]
AVG 15/04/2011 10.0.0.1190 FakeAlert.AAW
Avira AntiVir 15/04/2011 8.2.4.202 TR/Winwebsec.A.4010
Comodo 15/04/2011 4.0 TrojWare.Win32.Trojan.Agent.Gen
Emsisoft 15/04/2011 5.1.0.2 Trojan.Fakealert!IK
F-Prot 15/04/2011 6.3.3.4884 W32/FakeAlert.LY.gen!Eldorado
Ikarus 15/04/2011 T31001097 Trojan.Fakealert

There is also a reference to an external JS file:

<script type="text/javascript" src="hxxp://figaroo. ru/tools/ip.js"></script>

List of malicious domains and IPs:

hxxp://www.downloadmyprog. biz
hxxp://91.213.217.247:80
hxxp://184.82.159.52:80
hxxp://91.213.217.244:80
hxxp://91.213.217.246:80
hxxp://www.ratingswatchdiscussions. com
hxxp://91.213.217.225:80
hxxp://184.82.159.51:80
hxxp://91.213.217.229:80
hxxp://184.82.159.52:80
hxxp://www.powerwerxmotorcorp. com
hxxp://91.213.217.241:80
hxxp://www.purityanddivinityspa. com

At the end of few fake scanner pages, there is also a surprise:

An obfuscated malicious JS code (note also the random function names at the end of the script) that leads most probably to an exploit kit. We can extract also the JS code from the file “/index_files/set00000.js”, used to display the fake threats in the fake scanner page:

URLVoid domain analysis:

http://www.urlvoid.com/scan/downloadmyprog.biz
http://www.urlvoid.com/scan/ratingswatchdiscussions.com
http://www.urlvoid.com/scan/purityanddivinityspa.com
http://www.urlvoid.com/scan/powerwerxmotorcorp.com

Posted by admin on Thursday, April 14th, 2011 at 11:34 pm and filed under Security with tags exploits, fake scanner pages, rogue, rogue security software. You can skip to the end and leave a response. Pinging is currently not allowed.