Antivirus 2009...brought to you by motigo?
Submitted by lithium on Thu, 2008-09-04 01:40. Malware
A colleague called me today stating that his website was the victim of a hack and he did not know what to do. He was frantic and said that his website was distributing Antivirus 2009, so I decided to take a look at it and, lo and behold, we found Antivirus 2009 being distributed from their ad system. For those who don't know what Antivirus 2009 is, it's a rogue (fake) security product.
Antivirus 2009 (video)
Submitted by lithium on Wed, 2008-09-03 23:35. Malware
Sites: hxxp://antivirusworld9.com -> hxxp://scanthnet.com -> hxxp://innovagest2000sl.com
Files: AV2009Install_*.exe (0570484B66E9A139D8FD0A71F5448957)
VirusTotal Result: 4/36 (11.11%)
MDB: /lithium-malware/AV2009Install.zip
WinSpywareProtect online scanner (2/36 on VT)
Submitted by lithium on Tue, 2008-09-02 07:30. Malware
We found a new WinSpywareProtect binary in the wild today. It currently has a low (2/36, heuristic) detection rate at VirusTotal.
IVRL's XP Antivirus 2008 + Exploit
Submitted by lithium on Fri, 2008-08-29 14:31. Malware
While stepping through malicious domains I noticed that the "International Virus Research Lab" (IVRL) pages for XP Antivirus 2008 had changed hashes. I was looking at hxxp://bestantivirus2009.com at the time and noticed the inclusion of an IFRAME pointing to hxxp://huytegygle.com/index.php.
Files:
8bb859824df2a4492877dd99d2437f8d
a2a6455a4da0192fb8efe85e98fd3dfa [via exploit]
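The two posts above describe the same symptom from the site owner's side: a page (or an ad slot on it) that suddenly carries an IFRAME pointing at a domain the owner never put there. The script below is an added example, not code from the original posts or from IVRL; it scans an HTML document for IFRAMEs whose src is off-site or which are hidden or zero-sized, the two traits injected frames usually share. The sample HTML is constructed for the demonstration (the huytegygle.com and bestantivirus2009.com names come from the post, written with a normal http:// scheme instead of the defanged hxxp://; www.example.com is a made-up allowed host).

```python
"""Flag suspicious IFRAMEs injected into an otherwise legitimate HTML page.

Added example (not from the original posts). The HTML below is constructed;
only the two domains named in the post are real names from the page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate embed, one injected hidden frame,
# one relative (on-site) banner frame.
SAMPLE_HTML = """
<html><head><title>Best Antivirus 2009</title></head>
<body>
<div id="content">Download our product now.</div>
<iframe src="http://www.example.com/embed/video" width="400" height="300"></iframe>
<iframe src="http://huytegygle.com/index.php" width="0" height="0" style="display:none"></iframe>
<iframe src="/local/banner.html" width="468" height="60"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value may be None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the frame is sized 0/1 px or hidden via inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return [(src, [reasons])] for IFRAMEs that are off-site and/or hidden.

    site_host is the page's own hostname; allowed_hosts are third parties the
    owner knowingly embeds (video hosts, a trusted ad network, ...).
    """
    parser = IframeCollector()
    parser.feed(html)
    trusted = (site_host,) + tuple(allowed_hosts)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src has no hostname and therefore stays on-site.
        host = urlparse(src).hostname or site_host
        reasons = []
        if host not in trusted:
            reasons.append("off-site host %s" % host)
        if _is_hidden(attrs):
            reasons.append("hidden or zero-sized")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    hits = find_suspicious_iframes(SAMPLE_HTML, "bestantivirus2009.com", ["www.example.com"])
    for src, reasons in hits:
        print(src, "->", "; ".join(reasons))
```

Run over the sample, only the huytegygle.com frame is reported, for both reasons. The allow-list matters in practice: a compromised ad system (the first post) serves its payload from a host the owner does trust, so a frame that is allowed by host but hidden or zero-sized should still be looked at.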
Fake Windows XP Vista Update (AV XP 2008)
Submitted by er234567 on Thu, 2008-08-28 08:29. Malware
This morning the AV XP 2008 spammers were at it again with another round of spam messages claiming to offer an update to Microsoft Windows Vista (we have seen similar attacks before offering false updates). However, when the user clicks the link he/she is directed to a malicious .swf that will download the file install.exe, which essentially is a downloader Trojan designed to install AV XP 2008.
Fake Account Fee Spam (AV XP 2008)
Submitted by er234567 on Wed, 2008-08-27 13:25. Malware
A couple of minutes ago another round of spam messages appeared claiming to provide information concerning a statement of fees recently posted (referring to bank account fees). The message contained an attachment with a fake Microsoft Word document which actually is an executable (Fees-2008_2009.doc.exe) that installs a Trojan Downloader.
Further analysis indicates that the Trojan, when installed, connects to a PHP page hosted on a Russian domain to obtain several possible sites as a means of downloading the installer for AntiVirus XP 2008.
New Round of Celebrity Spam distributing AV XP 2008
Submitted by er234567 on Wed, 2008-08-27 09:43. Malware
Spammers continue their efforts today with another round of celebrity-oriented spam designed to entice users into watching a non-existent video. The fake video site exhibits the same behavior found in the CNN and MSNBC spam attacks covered earlier this month (i.e. a popup message indicates that the ActiveX movie control is out of date and the user is required to install an update to properly view the video).
It is apparent that the spammers are very interested in getting a large number of users to install and use false security products such as AV XP 2008 and its variants in an effort to generate revenue.
Fake Nero Anti-Virus Pro 2009
Submitted by er234567 on Sun, 2008-08-24 13:18.
This morning we detected another spam campaign with the aim of enticing users into downloading and executing a file they believe is a 6-month trial of a product called "Anti-Virus Nero Advanced Pro 2009". When analyzed further, the file is actually a variation of the rogue antivirus application known as AV XP 2008, which has been seen in earlier attacks this month.
Celebrity Spam Out of Control
Submitted by er234567 on Fri, 2008-08-22 09:13. Malware
We have been tracking a number of spam messages over the last couple of days pertaining to celebrities involved in a number of odd and unexplained activities. The binary file being delivered in this latest spam run involving Paris Hilton is stream.exe, which is meant to lure a user into executing the file hidden behind the link; thus the user, thinking he/she will be viewing a video, is actually getting a Trojan. Stream.exe is identified as a variant of Trj/Exchanger.
The file was uploaded under the name stream.exe (a3aec9130af6f69c715dc6eb89949079).
WinSpywareProtect (antivirus.v.1.0.exe)
Submitted by lithium on Fri, 2008-08-22 01:17. Malware
Today we found a new site distributing WinSpywareProtect. The URL in question is hxxp://antivirus777.com, which is redirecting to a recently created domain, hxxp://antivir-online-scan.com/. Once on the site it will "run" a scan on your computer and it will proceed to tell you that it found malware and adult material. The file antivirus.v.1.0.exe only has a 5/36 detection ratio at VirusTotal at the time of the post, so be careful!
