Archive for August 7th, 2008

Power Antivirus 2009 another fake Antivirus application

Thursday, August 7th, 2008

Power Antivirus 2009 is another fake antivirus application. The installer of Power Antivirus 2009 is signed with a code-signing certificate issued by VeriSign's Thawte division. Here are some fake scanning pages:

DO NOT download any software from domain(s) of Power Antivirus 2009!

Power Antivirus 2009

VirusTotal report for the Power Antivirus 2009 loader (setup.exe):

File setup.exe received on 08.07.2008 13:54:37 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.7.0 2008.08.07 -
AntiVir 7.8.1.19 2008.08.07 HEUR/Malware
Authentium 5.1.0.4 2008.08.07 -
Avast 4.8.1195.0 2008.08.06 -
AVG 8.0.0.156 2008.08.07 FakeAlert.BH
BitDefender 7.2 2008.08.07 -
CAT-QuickHeal 9.50 2008.08.06 -
ClamAV 0.93.1 2008.08.07 -
DrWeb 4.44.0.09170 2008.08.07 -
eSafe 7.0.17.0 2008.08.06 Suspicious File
eTrust-Vet 31.6.6017 2008.08.07 -
Ewido 4.0 2008.08.07 -
F-Prot 4.4.4.56 2008.08.06 -
F-Secure 7.60.13501.0 2008.08.07 FraudTool.Win32.PowerAntivirus2009.e
Fortinet 3.14.0.0 2008.08.07 -
GData 2.0.7306.1023 2008.08.07 -
Ikarus T3.1.1.34.0 2008.08.07 -
K7AntiVirus 7.10.405 2008.08.07 -
Kaspersky 7.0.0.125 2008.08.07 not-a-virus:FraudTool.Win32.PowerAntivirus2009.e
McAfee 5355 2008.08.06 -
Microsoft 1.3807 2008.08.07 Trojan:Win32/Killav.gen!A
NOD32v2 3336 2008.08.07 -
Norman 5.80.02 2008.08.06 -
Panda 9.0.0.4 2008.08.06 -
PCTools 4.4.2.0 2008.08.06 -
Prevx1 V2 2008.08.07 Suspicious
Rising 20.56.32.00 2008.08.07 -
Sophos 4.31.0 2008.08.07 Sus/Dropper-R
Sunbelt 3.1.1537.1 2008.08.07 -
Symantec 10 2008.08.07 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.07 -
VBA32 3.12.8.2 2008.08.06 -
ViRobot 2008.8.7.1328 2008.08.07 -
VirusBuster 4.5.11.0 2008.08.06 -
Webwasher-Gateway 6.6.2 2008.08.07 -

Thawte certificate of the Power Antivirus 2009 loader

Power Antivirus 2009

Power Antivirus 2009

Host: scanner.power-antivirus-2009.com
IP: 91.208.0.233

Whois:

netname:        STILLTRADE-NET
descr:          Still Trade Ltd
country:        RU
org:            ORG-STIL1-RIPE

person:         Perevitskiy Sergey
address:        Russian Federation,
address:        St. Petersburg, Fedosenko st, 30 liter A, 24-N
mnt-by:         STILLTRADE-MNT
abuse-mailbox:  abuse@still-trade.com

Host: e-statistic.com
IP: 207.226.175.78

Whois:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US
OrgAbuseHandle: PAD13-ARIN
OrgAbuseName:   PCCW AUP Department
OrgAbusePhone:  +1-703-621-1637
OrgAbuseEmail:  probinson@pccwglobal.com

Power Antivirus 2009

Power Antivirus 2009

Antivirus 2008 fake Antivirus application

Thursday, August 7th, 2008

Antivirus 2008 is a fake antispyware application. Here are some fake scanning pages of Antivirus 2008.

Stay away from the following IPs and hosts!

Antivirus 2008


VirusTotal report for the Antivirus 2008 loader (AntvrsInstall.exe):

File AntvrsInstall.exe received on 08.07.2008 13:38:21 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.7.0 2008.08.07 -
AntiVir 7.8.1.19 2008.08.07 -
Authentium 5.1.0.4 2008.08.07 -
Avast 4.8.1195.0 2008.08.06 -
AVG 8.0.0.156 2008.08.07 -
BitDefender 7.2 2008.08.07 -
CAT-QuickHeal 9.50 2008.08.06 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.07 -
DrWeb 4.44.0.09170 2008.08.07 -
eSafe 7.0.17.0 2008.08.06 -
eTrust-Vet 31.6.6017 2008.08.07 -
Ewido 4.0 2008.08.07 -
F-Prot 4.4.4.56 2008.08.06 -
F-Secure 7.60.13501.0 2008.08.07 -
Fortinet 3.14.0.0 2008.08.07 -
GData 2.0.7306.1023 2008.08.07 -
Ikarus T3.1.1.34.0 2008.08.07 -
K7AntiVirus 7.10.405 2008.08.07 -
Kaspersky 7.0.0.125 2008.08.07 -
McAfee 5355 2008.08.06 -
Microsoft 1.3807 2008.08.07 -
NOD32v2 3336 2008.08.07 a variant of Win32/TrojanDownloader.FakeAlert.FP
Norman 5.80.02 2008.08.06 -
Panda 9.0.0.4 2008.08.06 -
PCTools 4.4.2.0 2008.08.06 -
Prevx1 V2 2008.08.07 Fraudulent Security Program
Rising 20.56.32.00 2008.08.07 -
Sophos 4.31.0 2008.08.07 -
Sunbelt 3.1.1537.1 2008.08.07 -
Symantec 10 2008.08.07 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.07 -
VBA32 3.12.8.2 2008.08.06 -
ViRobot 2008.8.7.1328 2008.08.07 -
VirusBuster 4.5.11.0 2008.08.06 -
Webwasher-Gateway 6.6.2 2008.08.07 -
Additional information
File size: 106496 bytes
MD5...: 48d3996da1f206e624fd56ac58255525
SHA1..: 176c16b9ed3c796fca62f53c72234fa345266f11
SHA256: adf8c6003f31f1af87f7a536d97a6606ae4899f5108168522c5b454fde3647d0
SHA512: 2d9b6c09aa261b511a4e796400e94c554eb6b4e57e55b029d08cf8e570832199cd9e2df1990907ed5591bb76cd2d0fdfa58449537e30eff452519382635d11ce
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4033a0
timedatestamp.....: 0x48998373 (Wed Aug 06 10:56:51 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.code 0x1000 0x1fd98 0x3000 5.62 d53d3edd908ca80b1a86f4f528a6c07c
.rdata 0x21000 0x135e4 0x14000 7.80 da11dddf52303eb5012609e4992d5656
.rsrc 0x35000 0x1000 0x1000 3.29 142e6619c20ff681d0452b97bcf49b9b
.pack32 0x36000 0x6f4 0x1000 1.03 5eed4416bd0169f6e0311b74a7b62aa5

( 3 imports )
> kernel32.dll: SetVolumeMountPointW
> user32.dll: ScrollWindow, GetGUIThreadInfo, GetClassInfoExA, UserLpkPSMTextOut, CreateIconIndirect, FlashWindowEx, LookupIconIdFromDirectory, HiliteMenuItem, ImpersonateDdeClientWindow, DlgDirSelectComboBoxExW, EnumClipboardFormats, GetMenuStringA, GetUpdateRect, DdeQueryNextServer
> gdi32.dll: GetTextExtentExPointWPri

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F3F8B5F400374255A0660150F6523A002980AABD

Antivirus 2008

Host: fast-pc-scanner-online.com
IP: 91.203.92.106

Whois:

organisation:   ORG-TG39-RIPE
org-name:       UATELECOM LLC
org-type:       OTHER
address:        Ukraine
address:        Voznesensk
address:        Lenina 52
phone:          +380963801321
phone:          +380963801326
fax-no:         +380963801326
abuse-mailbox:  abuse@uatelecom.com.ua

Host: download.fast-pc-scanner-online.com
IP: 91.203.92.112

Whois of domain download.fast-pc-scanner-online.com, which distributes the fake antivirus Antivirus 2008:

organisation:   ORG-TG39-RIPE
org-name:       UATELECOM LLC
org-type:       OTHER
address:        Ukraine
address:        Voznesensk
address:        Lenina 52
phone:          +380963801321
phone:          +380963801326
fax-no:         +380963801326
abuse-mailbox:  abuse@uatelecom.com.ua

Antivirus 2008


Host: secure.billingware.net
IP: 84.243.253.220

Whois of IP 84.243.253.220 (domain secure.billingware.net), which sells the pseudo-antivirus Antivirus 2008:

netname:        GFX-CUST-WORLDSTREAM
descr:          WorldStream ip-block 3
org:            ORG-WS14-RIPE
country:        NL
admin-c:        GFX-RIPE
tech-c:         GFX-RIPE
status:         ASSIGNED PA
mnt-by:         GFX-MNT
source:         RIPE # Filtered

organisation:   ORG-WS14-RIPE
org-name:       WorldStream2
org-type:       OTHER
address:        Dijkweg 127c
address:        2675 AC  Honselersdijk
address:        The Netherlands
phone:          +31 70 755 1131
abuse-mailbox:  abuse@worldstream.nl
mnt-ref:        GFX-MNT
mnt-by:         GFX-MNT
source:         RIPE # Filtered

role:           GrafiX NOC
org:            ORG-GIB1-RIPE
address:        GrafiX Internet B.V.
address:        Stationsplein 20
address:        2907 MJ  Capelle aan den IJssel
phone:          +31 10 2640210
fax-no:         +31 10 2640211
abuse-mailbox:  abuse@grafix.nl

Other sites on IP 84.243.253.220 (the IP of secure.billingware.net, which sells the fake antivirus Antivirus XP):

1.  Anonymbrowser.com
2.  Best-payments.net
3.  Bestpaymentsolution.net
4.  Billingbit.com
5.  Billingbridge.com
6.  Billinghlp.com
7.  Billingware.net
8.  Blablahost.com
9.  Direct-billing.com
10.  Errordigger.com
11.  Errorinspector.com
12.  Internetsupernanny.com
13.  Passwordinspector.com
14.  Pctotaldefender.com
15.  Sellmosoft.net
16.  Softwarepayments.net
17.  Statsgod.com
18.  Winbugfixer.com

Antivirus 2008

PC Protection Center 2008 rogue antispyware software

Thursday, August 7th, 2008

PC Protection Center 2008 is a rogue antispyware application. Here are some fake scanning pages of PC Protection Center 2008. Stay away from the following IPs and hosts!

PC Protection Center 2008


VirusTotal report for the PC Protection Center 2008 loader (pcprotectioncenter_setup.exe):

File pcprotectioncenter_setup.exe received on 08.07.2008 10:43:24 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.8.7.0 2008.08.07 -
AntiVir 7.8.1.19 2008.08.07 -
Authentium 5.1.0.4 2008.08.07 -
Avast 4.8.1195.0 2008.08.06 -
AVG 8.0.0.156 2008.08.07 -
BitDefender 7.2 2008.08.07 -
CAT-QuickHeal 9.50 2008.08.06 -
ClamAV 0.93.1 2008.08.07 -
DrWeb 4.44.0.09170 2008.08.07 BACKDOOR.Trojan
eSafe 7.0.17.0 2008.08.06 Suspicious File
eTrust-Vet 31.6.6016 2008.08.06 -
Ewido 4.0 2008.08.06 -
F-Prot 4.4.4.56 2008.08.06 -
F-Secure 7.60.13501.0 2008.08.07 -
Fortinet 3.14.0.0 2008.08.07 -
GData 2.0.7306.1023 2008.08.07 -
Ikarus T3.1.1.34.0 2008.08.07 PHISH.FraudTool.Spyaway.G
K7AntiVirus 7.10.405 2008.08.07 -
Kaspersky 7.0.0.125 2008.08.07 -
McAfee 5355 2008.08.06 -
Microsoft 1.3807 2008.08.07 -
NOD32v2 3335 2008.08.07 -
Norman 5.80.02 2008.08.06 -
Panda 9.0.0.4 2008.08.06 -
PCTools 4.4.2.0 2008.08.06 -
Prevx1 V2 2008.08.07 -
Rising 20.56.30.00 2008.08.07 -
Sophos 4.31.0 2008.08.07 -
Sunbelt 3.1.1537.1 2008.08.07 -
Symantec 10 2008.08.07 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.07 -
VBA32 3.12.8.2 2008.08.06 suspected of Malware.VB.31 (paranoid heuristics)
ViRobot 2008.8.6.1326 2008.08.06 -
VirusBuster 4.5.11.0 2008.08.06 -
Webwasher-Gateway 6.6.2 2008.08.07 -
Additional information
File size: 562213 bytes
MD5...: 8319ab6c214919017c22a15406188dbd
SHA1..: 8e507cc42141fe74699e7b4cd39011146f187a7a
SHA256: 15dcba2c2c0e3bcac2d55fad7f7fa94218c9b7a338e41a511df50eac4213958a
SHA512: a79bd799b32adb79a5b8dc206adeeaf02447676118d47b308753d7652d58bed369e7d2841f9e25227f44017199ce2c3831482216128c824443152d73e507532d
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x45c930
timedatestamp.....: 0x48983190 (Tue Aug 05 10:55:12 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x47000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x48000 0x15000 0x14c00 7.92 6f9d35af0485f957bc5a16596c0fb73b
.rsrc 0x5d000 0x7000 0x6e00 5.33 28f40f0a145c62194227f109ca6745e5

( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> MSVBVM60.DLL: -

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=8319ab6c214919017c22a15406188dbd
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
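The PEiD line, the 0.00 / 7.92 / 5.33 entropy column and the six-function KERNEL32 import list in the report above are the classic fingerprint of a UPX-packed binary: the packer leaves an empty UPX0 section to unpack into, stores the compressed image in a near-maximum-entropy UPX1 section, and strips the import table down to the two functions its stub needs to rebuild the real imports at run time. The following Python script is an added example, not code from this blog or from VirusTotal; it computes the per-section Shannon entropy that VirusTotal prints as ntrpy and applies those three checks to constructed section contents shaped like the quoted table. Only the section names, sizes and import list come from the report; the section bytes are invented, and the 7.0 entropy threshold and the import-count limit are this example's own choices, not any vendor's.

```python
import math
import random
from typing import Dict, List

# Added example. The section names/sizes and the KERNEL32 import list mirror
# the VirusTotal report quoted on the page; the section *bytes* are constructed.


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def describe_section(name: str, virtual_size: int, raw: bytes) -> Dict:
    """One row of the 'name / virsiz / rawdsiz / ntrpy' table VirusTotal prints."""
    return {
        "name": name,
        "virtual_size": virtual_size,
        "raw_size": len(raw),
        "entropy": shannon_entropy(raw),
    }


def packer_indicators(sections: List[Dict], imports: Dict[str, List[str]]) -> List[str]:
    """Triage heuristics for a packed PE; each hit names the evidence behind it.

    Thresholds (entropy >= 7.0, at most 8 imported functions) are this example's
    choices, chosen to separate the quoted UPX sample from ordinary binaries.
    """
    hits = []
    for s in sections:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{s['name']}: no data on disk but {s['virtual_size']:#x} bytes "
                        "reserved in memory (room for the unpacked image)")
        if s["entropy"] >= 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed or encrypted)")
        if s["name"].upper().startswith("UPX"):
            hits.append(f"{s['name']}: default UPX section name")
    flat = {f for funcs in imports.values() for f in funcs}
    if len(flat) <= 8 and {"LoadLibraryA", "GetProcAddress"} <= flat:
        hits.append("import table shrunk to a loader stub that resolves the real "
                    "imports at run time (LoadLibraryA + GetProcAddress)")
    return hits


def build_sample() -> List[Dict]:
    """Constructed section contents shaped like the quoted UPX0/UPX1/.rsrc table."""
    rng = random.Random(2008)  # fixed seed so the numbers are reproducible
    upx0 = b""  # rawdsiz 0x0 on the page: nothing on disk, 0x47000 bytes virtual
    upx1 = bytes(rng.getrandbits(8) for _ in range(0x14C00))  # stands in for LZMA output
    # A resource-like mix of a repeated string and printable ASCII: moderate entropy
    rsrc = (b"VS_VERSION_INFO\0" * 64 + bytes(range(0x20, 0x7F)) * 40)[:0x6E00]
    return [
        describe_section("UPX0", 0x47000, upx0),
        describe_section("UPX1", 0x15000, upx1),
        describe_section(".rsrc", 0x7000, rsrc),
    ]


SAMPLE_IMPORTS = {  # the two-DLL import table quoted in the report
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "VirtualFree", "ExitProcess"],
    "MSVBVM60.DLL": [],
}


if __name__ == "__main__":
    sections = build_sample()
    print("name      virsiz   rawdsiz  ntrpy")
    for s in sections:
        print(f"{s['name']:<9} {s['virtual_size']:#08x} {s['raw_size']:#08x} {s['entropy']:.2f}")
    for hit in packer_indicators(sections, SAMPLE_IMPORTS):
        print("-", hit)
```

Running the script reproduces the shape of the quoted table (UPX0 at 0.00, UPX1 close to 8, .rsrc in between) and lists every indicator that fired. In triage the useful point is that none of these checks needs a signature: a sample that no vendor detects on day one, as in the tables above, can still be flagged for closer inspection from its section layout and import table alone, and the MSVBVM60.DLL import surviving the packing gives away the Visual Basic runtime underneath.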


PC Protection Center 2008

Host: pcprotectioncenter2008.com
IP: 85.255.118.116

Whois of IP 85.255.118.116:

netname:        UkrTeleGroup
descr:          UkrTeleGroup Ltd.
country:        UA
person:         Andrew Sotov
address:        Mechnikova 58/5 65029 Odessa
abuse-mailbox:  abuse@urktelegroup.com.ua

Other sites on IP 85.255.118.116 (the IP of pcprotectioncenter2008.com, which distributes the fake antivirus PC Protection Center 2008):

1.  Antispystorm2008.com
2.  Cleanmaster-pro.com
3.  Pcprotectioncenter2008.com
4.  Perfectcleaner2007.com
5.  Pills-shop-online.com
6.  Spyaway2007.com
7.  Spymaxx.com

Host: secure.pnm-soft.com
IP: 207.226.175.125

Whois of IP 207.226.175.125 (domain secure.pnm-soft.com), which sells the fake antivirus PC Protection Center 2008:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US
OrgAbuseHandle: PAD13-ARIN
OrgAbuseName:   PCCW AUP Department
OrgAbusePhone:  +1-703-621-1637
OrgAbuseEmail:  probinson@pccwglobal.com

PC Protection Center 2008
