Tag Archives: spywarecleanermicrosoft info

Spam link on Twitter leads to Fake Antivirus Rogue Software

One user has reported us a malicious URL that is being sent as a private message to the users that are registered on Twitter, the extracted malicious link is:

hxxp:// www. delicious-audio .com /wp-content

If clicked, it redirects users to a new malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:06 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Location: hxxp:// blog.keeples .com /wp-content
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 27
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// blog.keeples .com /wp-content

Now there is a new redirect to another malicious link:

HTTP/1.1 302 Found
Date: Tue, 08 May 2012 20:50:13 GMT
Server: Apache/2.2.3 (CentOS)
Location: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Extracted malicious link:

hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/

This is the link of the web page of the fake antivirus rogue software.

Whois details:

Domain Name: spywarecleanermicrosoft.info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:32:40
Creation Date: 2012-05-08 11:32:40
Last Update Date: 2012-05-08 11:33:15
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Gerolamo Genovese
Address 1: Via Bernardino Rota 1
City: Mellana
State: CN
Zip: 12012
Country: IT
Phone: +39.3535605212
Email: kinsman@doramail.com

Hosting details:

The website spywarecleanermicrosoft .info is hosted at BurstNET Limited and its current IP address is 31.193.12.3 (31-193-12-3.static.hostnoc.net). The server machine is located in United Kingdom (GB) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is spywarecleanermicrosoft. The organization is BurstNET Limited.

Screenshot of the fake warning message:

Fake Warning Message

Screenshot of the fake scanning web page:

Fake Scanning Page

From the above images we can see that it is distributed the fake rogue security software named Windows Antivirus 2012. After the fake system scanning is finished, the user is prompted to downloaded an executable file named setup.exe:

Downloaded File

The file is downloaded from a new malicious website:

GET /0520091375cbc551/setup.exe HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: hxxp:// spywarecleanermicrosoft .info /0520091375cbc551/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: scannerdatamicrosoft .info

Whois Details:

Domain Name: scannerdatamicrosoft .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 11:11:28
Creation Date: 2012-05-08 11:11:28
Last Update Date: 2012-05-08 11:12:08
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: milner@snail-mail.net

Domains Details:

The website scannerdatamicrosoft .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.13 (hst-10-13.duomenucentras.lt). The server machine is located in Lithuania (LT) and in the same server there are hosted other 0 websites. The domain is registered with the suffix INFO and the keyword of the domain is scannerdatamicrosoft. The organization is Webhosting, collocation services.

File details:

File: setup.exe
Size: 2278400 bytes
MD5: EC91E0F31587F6471A4EBCFE2681A45B
SHA1: 0AB7F7253F5CBADF6D664781A73D30A19E251FCA
SHA256: 67DFD917561DF7FE653CE5E0CD7E0688E42B719F1BB475A5EE2819003CE6DC6A
SHA384: 77BB9D7DF670BC9F4C91DED341086C30570E6D9AE14BEE1A172F502CA5C502428FC631B9F88A31CECF290B7CFB1C5FA2
SHA512: 85D1F0608D24DD2B15477EAC540666319831F829B7E8065D9E5B8A2AC5D4860486BCA891FA95DBBBB8EB93834485575108EE957C5AD556EFBA9FDA5824D2C780

When executed the file setup.exe, the rogue software drops two .EXE files:

Dropped .EXE files

File Modified - %SAMPLE% - %AppData%\Protector-phkm.exe
Process Created - %SAMPLE% - %AppData%\Protector-phkm.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-phkm.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE
Process Created - %SAMPLE% - C:\WINDOWS\system32\cmd.exe - Microsoft Corporation - 6D778E0F95447E6546553EEEA709D03C - 389120 bytes
File Deleted - C:\WINDOWS\system32\cmd.exe - %SAMPLE% - 2278400 bytes
File Modified - %SAMPLE% - %AppData%\Protector-tpqx.exe
Process Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - Unknown Publisher - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes
File Created - %SAMPLE% - %AppData%\Protector-tpqx.exe - EC91E0F31587F6471A4EBCFE2681A45B - 2278400 bytes - attr: [] - PE

And this is the screenshot of the splash screen of the rogue software:

windows-prosecurity-scanner-fake-antivirus

More screenshots of the rogue software:

GUI

When the user click on “Activate” button, the rogue software executable opens a new Internet Explorer web page where user is supposed to insert his/her credit card details (that will be stolen by the trojan), here is the screenshot of the malicious web page:

Fraud Page

Connections logged:

GET / HTTP/1.0
Accept: application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www. cmyip .com
Connection: Keep-Alive
 
GET /service/ HTTP/1.0
User-Agent: Mozilla/4.0
Host: 0520091375cbc551 .on-linepaysafery .info
 
POST / HTTP/1.0
Accept: application/x-shockwave-flash, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551. on-linepaysafery .info
Content-Length: 109
Connection: Keep-Alive
Pragma: no-cache
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a
action=form&projectId=72&partnerId=146&subId=0&install_id=yhstmcvcgj&group_name=2011-3-28_1&reason=errorflash
 
GET /payment_forms/default/images/sprite.png HTTP/1.0
Accept: */*
Referer: hxxp://0520091375cbc551 .on-linepaysafery .info /
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0520091375cbc551 .on-linepaysafery .info
Connection: Keep-Alive
Cookie: ct=2011:3:27:23:23; ch=f58320d2a7c79b1a48b7c70a7d2d280a

Malicious links extracted:

hxxp:// 0520091375cbc551. on-linepaysafery .info /service/

Whois Details:

Domain Name: on-linepaysafery .info
Registrar: eNom, Inc. (R126-LRMS)
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED, ADDPERIOD
Expiration Date: 2013-05-08 08:24:44
Creation Date: 2012-05-08 08:24:44
Last Update Date: 2012-05-08 08:26:02
 
Name Servers:
ns1.dnsexit.com
ns2.dnsexit.com
ns3.dnsexit.com
ns4.dnsexit.com
 
Registrant Contact Information:
Name: Dionisia Barese
Address 1: Corso Porta Borsari 78
City: San Martino Di Castrozza
State: TN
Zip: 38058
Country: IT
Phone: +39.3171462400
Email: sini@wildmail.com

Domain details:

The website www.on-linepaysafery .info is hosted at SPLIUS, UAB and its current IP address is 77.79.10.15 (hst-10-15.duomenucentras.lt). The server machine is located in Lithuania (LT) and in the same server there are hosted other 2 websites. The domain is registered with the suffix INFO and the keyword of the domain is on-linepaysafery. The organization is Webhosting, collocation services.

URLVoid scan reports:

http://www.urlvoid.com/scan/delicious-audio .com
http://www.urlvoid.com/scan/spywarecleanermicrosoft .info
http://www.urlvoid.com/scan/0520091375cbc551. on-linepaysafery .info
http://www.urlvoid.com/scan/on-linepaysafery .info
http://www.urlvoid.com/scan/blog.keeples .com
http://www.urlvoid.com/scan/scannerdatamicrosoft .info