Posts Tagged ‘NETDIRECT-NET’

Antivirus 2009 rogue antivirus application

Tuesday, December 30th, 2008

Antivirus 2009 is a rogue antivirus application. To remove this rogue application, along with viruses and spyware, use Kaspersky antivirus: http://cleanthe.net/how-to-remove-virus/

File Install.exe received on 12.30.2008 14:12:58 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.30 Virus.Win32.Ups!IK
AhnLab-V3 2008.12.30.2 2008.12.30 -
AntiVir 7.9.0.45 2008.12.30 TR/Crypt.CFI.Gen
Authentium 5.1.0.4 2008.12.30 -
Avast 4.8.1281.0 2008.12.29 Win32:Ups
AVG 8.0.0.199 2008.12.29 -
BitDefender 7.2 2008.12.30 -
CAT-QuickHeal 10.00 2008.12.30 -
ClamAV 0.94.1 2008.12.30 -
Comodo 837 2008.12.29 -
DrWeb 4.44.0.09170 2008.12.30 -
eSafe 7.0.17.0 2008.12.28 -
eTrust-Vet 31.6.6281 2008.12.29 -
Ewido 4.0 2008.12.30 -
F-Prot 4.4.4.56 2008.12.29 -
F-Secure 8.0.14470.0 2008.12.30 -
Fortinet 3.117.0.0 2008.12.30 -
GData 19 2008.12.30 Win32:Ups
Ikarus T3.1.1.45.0 2008.12.30 Virus.Win32.Ups
K7AntiVirus 7.10.569 2008.12.29 -
Kaspersky 7.0.0.125 2008.12.30 Trojan-Downloader.Win32.FraudLoad.vffa
McAfee 5478 2008.12.29 -
McAfee+Artemis 5478 2008.12.29 -
Microsoft 1.4205 2008.12.30 Trojan:Win32/FakeXPA
NOD32 3723 2008.12.30 -
Norman 5.80.02 2008.12.29 -
Panda 9.0.0.4 2008.12.29 -
PCTools 4.4.2.0 2008.12.30 -
Prevx1 V2 2008.12.30 Fraudulent Security Program
Rising 21.10.12.00 2008.12.30 -
SecureWeb-Gateway 6.7.6 2008.12.30 Trojan.Crypt.CFI.Gen
Sophos 4.37.0 2008.12.30 Mal/FakeAV-I
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.30 AntiVirus2009
TheHacker 6.3.1.4.202 2008.12.30 -
TrendMicro 8.700.0.1004 2008.12.30 TROJ_RENOS.ARM
VBA32 3.12.8.10 2008.12.30 -
ViRobot 2008.12.30.1540 2008.12.30 -
VirusBuster 4.5.11.0 2008.12.29 -
 
Additional information
File size: 122880 bytes
MD5: fdf71fb76f20c333c814b42bbe78e770
SHA1: 4bde41ab62a907176c2a7127a300d322d53b0ebf
SHA256: 0a33393cb255aaaaebd9bd7485e3e572ffe359372d96c75d8a2378bb012d7255
SHA512: b7a188d39f053691477f3ed425d33d477b2e959460aa16fb2e7aa44e49a52c81a8e099ba1287d63e074d355c9f8236a21f5b4ed9ed5c8d0acac932feb4ebe4c2
ssdeep: 1536:2mo51WDrfKXKNaJXjiea/062TVOlBSVil0tHgCGxROrAE3q7VoagHh:2n51W/Sa4jieYXPwilgHvQONa7Voa
PEiD: -
TrID: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x401285
timedatestamp: 0x461c692a (Wed Apr 11 04:50:50 2007)
machinetype: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x13ce 0x2000 1.93 e90a4da96bdf4c691cb20a4ea9bdb0a1
.data 0x3000 0x235f11 0x12000 6.73 46aac447ceb18e336e13476735580da0
.tls 0x239000 0xc3 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rdata 0x23a000 0x18 0x1000 0.04 0212d08b7b3688039954d004bebd2823
.idata 0x23b000 0xb21 0x1000 3.97 b97fd674f0952dac0ec7f97289d26f6f
.reloc 0x23c000 0x2bd 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x23d000 0x4ff3 0x5000 4.62 48b7bf282b25a6161ca23b82c52e2753

( 6 imports )
> COMCTL32.DLL: ImageList_ReplaceIcon, ImageList_DrawIndirect, ImageList_GetImageInfo, ImageList_Merge, ImageList_AddMasked, ImageList_GetDragImage, ImageList_GetIconSize, ImageList_BeginDrag, ImageList_DragEnter, ImageList_AddIcon, ImageList_LoadImageW, ImageList_DrawEx, ImageList_LoadImage, ImageList_GetImageCount, ImageList_LoadImageA, ImageList_Create
> USER32.DLL: BlockInput, CalcMenuBar, DialogBoxParamA, AppendMenuW, GetFocus, IsWindow, GetWindowTextLengthA, IsMenu, DrawIconEx, CloseWindow, CopyIcon, DialogBoxParamW, CopyRect, GetMenu, GetDlgItem, EndDialog
> USER32.DLL: LoadCursorA, GetWindowTextA, LoadMenuA, GetDC, AppendMenuW, CreateIcon, IsMenu, CalcMenuBar, GetFocus, InsertMenuA, CopyIcon, DialogBoxParamA, DrawTextA, DrawIcon, DialogBoxParamW, GetWindowTextLengthA, IsWindow, DrawIconEx, CloseWindow, GetMenu, AlignRects
> GDI32.DLL: CloseFigure, DeleteDC, DeleteObject, ClearBrushAttributes, AddFontMemResourceEx, GetBrushOrgEx, CancelDC, GetClipBox, CreateSolidBrush, BeginPath, GetCurrentPositionEx, CopyMetaFileA, RestoreDC, AddFontResourceTracking, AddFontResourceW, GetPixel, AbortPath
> USER32.DLL: CopyIcon, GetDC, CopyRect, DrawTextW, CloseWindow, GetWindowTextA, EndDialog, DrawIcon, DrawIconEx, DialogBoxParamW, GetCursor, AppendMenuW, AppendMenuA, LoadCursorA, CopyImage, GetFocus, LoadMenuA, BlockInput, IsMenu, AlignRects, GetMenu, GetDlgItem, IsWindow
> USER32.DLL: IsMenu, GetDC, DialogBoxParamW, GetWindowTextLengthA, CopyRect, GetCursor, DrawTextA, GetMenu, GetWindowTextA, InsertMenuA, GetDlgItem, DrawIconEx, CloseWindow, CreateIcon, GetFocus, BlockInput, DrawTextW, AppendMenuW, CalcMenuBar, DialogBoxParamA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=FA1F4A450036D329E00A012DDDE82A0007534F54
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=fdf71fb76f20c333c814b42bbe78e770

Host: securedwwwclicks.com
IP: 91.211.64.68

Whois:

netname:        Ural-NET
descr:          Ural Industrial Limited Company
country:        RU
org:            ORG-UICL2-RIPE
admin-c:        UIM1-RIPE
tech-c:         UIM1-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         URALCOMP-MNT
mnt-routes:     URALCOMP-MNT
mnt-domains:    URALCOMP-MNT
source:         RIPE # Filtered

organisation:   ORG-UICL2-RIPE
org-name:       Ural Industrial Company
org-type:       OTHER
address:        Russia, 620240 Ekaterinburg, Sofia Kovalevsaja st.
admin-c:        AP10609-RIPE
mnt-ref:        URALCOMP-MNT
mnt-by:         URALCOMP-MNT
source:         RIPE # Filtered

role:           UralNet IP Master
address:        Ukraine, 69078 Kiev, Luteranskaya 28 st.
phone:          +38 050 577 65 61

Host: antivirusprofessionalscan.com
IP: 91.211.64.68

Whois: same Ural-NET / ORG-UICL2-RIPE record as for securedwwwclicks.com (91.211.64.68) above.

Host: systemprotectionupdates.com
IP: 212.95.37.241

Whois:

netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822

Host: updatedeliverysystems.com
IP: 91.211.64.68

Whois: same Ural-NET / ORG-UICL2-RIPE record as for securedwwwclicks.com (91.211.64.68) above.

Host: systemprotectiondownloads.com
IP: 78.159.119.52

Whois: same NETDIRECT-NET record as for systemprotectionupdates.com (212.95.37.241) above.

Host: protectedonlinepayments.com
IP: 91.211.64.68

Whois: same Ural-NET / ORG-UICL2-RIPE record as for securedwwwclicks.com (91.211.64.68) above.

Whois of protectedonlinepayments.com:

Registrant Contact:
   Privat person
   Igor Popov stats2damains@lycos.com
   +33491858954 fax: +33491858954
   Rue la produit 642
   Marseille Marseille 13002
   fr

Administrative, Technical and Billing Contact: identical to the Registrant Contact above (Igor Popov, stats2damains@lycos.com, +33491858954, Rue la produit 642, Marseille 13002, fr).

Antivirus 2009 rogue antivirus application

Wednesday, November 5th, 2008

Antivirus 2009 is a rogue antivirus application. To remove this rogue application, along with viruses and spyware, use Kaspersky antivirus: http://cleanthe.net/how-to-remove-virus/

File zcodec.1179.exe received on 11.05.2008 19:03:28 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.5.3 2008.11.05 -
AntiVir 7.9.0.26 2008.11.05 -
Authentium 5.1.0.4 2008.11.05 -
Avast 4.8.1248.0 2008.11.05 -
AVG 8.0.0.161 2008.11.05 -
BitDefender 7.2 2008.11.05 -
CAT-QuickHeal 9.50 2008.11.04 -
ClamAV 0.94.1 2008.11.05 -
DrWeb 4.44.0.09170 2008.11.05 -
eSafe 7.0.17.0 2008.11.05 Suspicious File
eTrust-Vet 31.6.6190 2008.11.05 -
Ewido 4.0 2008.11.05 -
F-Prot 4.4.4.56 2008.11.05 -
F-Secure 8.0.14332.0 2008.11.05 -
Fortinet 3.117.0.0 2008.11.05 -
GData 19 2008.11.05 -
Ikarus T3.1.1.45.0 2008.11.05 Trojan-Downloader.Win32.Renos
K7AntiVirus 7.10.517 2008.11.05 -
Kaspersky 7.0.0.125 2008.11.05 -
McAfee 5424 2008.11.04 -
Microsoft 1.4005 2008.11.05 TrojanDownloader:Win32/Renos.BAH
NOD32 3587 2008.11.05 -
Norman 5.80.02 2008.11.05 -
Panda 9.0.0.4 2008.11.05 -
PCTools 4.4.2.0 2008.11.05 -
Prevx1 V2 2008.11.05 Fraudulent Security Program
Rising 21.02.22.00 2008.11.05 -
SecureWeb-Gateway 6.7.6 2008.11.05 Trojan.Dldr.LooksLike.Agent.anlg
Sophos 4.35.0 2008.11.05 -
Sunbelt 3.1.1783.2 2008.11.05 -
Symantec 10 2008.11.05 -
TheHacker 6.3.1.1.140 2008.11.05 -
TrendMicro 8.700.0.1004 2008.11.05 Possible_DLDER
VBA32 3.12.8.9 2008.11.05 -
ViRobot 2008.11.5.1453 2008.11.05 -
VirusBuster 4.5.11.0 2008.11.05 -
 
Additional information
File size: 69120 bytes
MD5: 5285d1ac7c1ef893c515eef078891a47
SHA1: f6a528195e49f3cffd9adb9cf6062943ce5bc07d
SHA256: 0d7b5a49ee44f92539424d34721ae741924f890d8f946387373500216783d3bc
SHA512: 82b33ba253349298bc60a54ffe32722c4cc83c876d876f60ff950e2d1d6ed7e28ce18b210464e3fa496d050ab15bb6d817cb46570e6b4194f27bf047ea106051
PEiD: -
TrID: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x4025c0
timedatestamp: 0x49114fcf (Wed Nov 05 07:48:31 2008)
machinetype: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2655 0x2800 6.52 6d38b5001569200d2257b47e266d0ca7
.rdata 0x4000 0x9b2 0xa00 5.08 cbb079fe3e5c511fc08bdc91ee53709c
.data 0x5000 0xde3c 0xd800 7.98 48af1b1d062a2cabf3d70b723b5fabe4

( 6 imports )
> KERNEL32.dll: CreateFileA, CloseHandle, DeviceIoControl, GetSystemDirectoryA, GetVolumeInformationA, ExitProcess, TerminateProcess, SetProcessPriorityBoost, SetThreadPriority, GetCurrentThread, SetPriorityClass, GetCurrentProcess, GetEnvironmentVariableA, GetShortPathNameA, GetModuleFileNameA, IsBadWritePtr, GetComputerNameA, WriteFile, lstrlenA, lstrcatA, GetVersionExA, Sleep, GetTempPathA, CreateProcessA
> USER32.dll: GetDlgItem, wsprintfA
> SHELL32.dll: ShellExecuteExA, SHChangeNotify
> MSVCRT.dll: sprintf, rand, __CxxFrameHandler, __2@YAPAXI@Z, strstr, srand, time, strncat, atoi, _except_handler3, strncpy, _strdup, __3@YAXPAX@Z, _itoa
> MSVCP60.dll: __Tidy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEX_N@Z, _npos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@2IB, _assign@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, _append@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z, __0_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@ABV01@@Z, __Xlen@std@@YAXXZ, __C@_1___Nullstr@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@CAPBDXZ@4DB, __Grow@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAE_NI_N@Z, __Eos@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z, __1_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@QAE@XZ, __Copy@_$basic_string@DU_$char_traits@D@std@@V_$allocator@D@2@@std@@AAEXI@Z
> WININET.dll: HttpQueryInfoA, InternetOpenUrlA, InternetOpenA, InternetCloseHandle, InternetReadFile

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=3B56EC65005D9CA90E2F01F8696E9700B4E96D9E

Host: newer-pon-hub2008.com
IP: 66.232.105.254

Whois:

OrgName:    NOC4Hosts Inc.
OrgID:      NOC4H
Address:    400 N Tampa St
Address:    #1025
City:       Tampa
StateProv:  FL
PostalCode: 33602
Country:    US

Other sites:


Host: live-antivirus-scan.com
IPs: 89.149.253.215, 91.203.92.47 and 78.159.118.217

Whois:

inetnum:        89.149.253.0 - 89.149.255.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822

Other sites:

1.  Protectiononlineinfo.com 

Host: secure.innovagest2000sl.com
IP: 207.226.175.126

Whois:

OrgName:    Beyond The Network America, Inc.
OrgID:      BNA-42
Address:    450 Springpark PL
Address:    Suite 100
City:       Herdon
StateProv:  VA
PostalCode: 20170
Country:    US

Antivirus 2009 by Pandora software

MalwareProtector 2008

Friday, August 1st, 2008

MalwareProtector 2008 is a rogue Antispyware application.

Here are some fake scanning pages. DO NOT download any software from these domains.

Host: malwareprotector08.com
IP: 216.240.138.220

Whois:

OrgName:    ATMLINK, INC.
OrgID:      ATMLIN
Address:    600 W. 7th Street
Address:    Suite 360
City:       Los Angeles
StateProv:  CA
PostalCode: 90017
Country:    US
OrgAbusePhone:  +1-213-627-1937
OrgAbuseEmail:  noc@atmlinkinc.com

Other sites on this IP:

1.  Axpdefender08.com 
2.  av-xp-08.com

 

File MalwareProtector2008Installer.exe received on 08.01.2008 11:42:48 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.29.1 2008.08.01 -
AntiVir 7.8.1.15 2008.08.01 DR/FraudTool.MalwareProtector.H
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 Win32:Agent-AAPR
AVG 8.0.0.156 2008.08.01 FakeAlert.AT
BitDefender 7.2 2008.08.01 Adware.XpAntivirus.AJ
CAT-QuickHeal 9.50 2008.07.31 -
ClamAV 0.93.1 2008.08.01 Trojan.Peed.IG
DrWeb 4.44.0.09170 2008.08.01 Trojan.Packed.512
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.5999 2008.07.31 -
Ewido 4.0 2008.07.31 -
F-Prot 4.4.4.56 2008.07.31 -
F-Secure 7.60.13501.0 2008.08.01 FraudTool.Win32.MalwareProtector.h
Fortinet 3.14.0.0 2008.08.01 Misc/MalwareProtector
GData 2.0.7306.1023 2008.08.01 -
Ikarus T3.1.1.34.0 2008.08.01 Trojan.Win32.Tibs.J
K7AntiVirus 7.10.399 2008.07.31 -
Kaspersky 7.0.0.125 2008.08.01 not-a-virus:FraudTool.Win32.MalwareProtector.h
McAfee 5351 2008.07.31 -
NOD32v2 3317 2008.08.01 Win32/TrojanDownloader.FakeAlert.EU
Norman 5.80.02 2008.07.31 Renos.AAX.dropper
Panda 9.0.0.4 2008.08.01 Suspicious file
Prevx1 V2 2008.08.01 Cloaked Malware
Rising 20.55.42.00 2008.08.01 -
Sophos 4.31.0 2008.08.01 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.01 MalwareProtector2008
TheHacker 6.2.96.391 2008.07.31 Aplicacion/MalwareProtector.b
TrendMicro 8.700.0.1004 2008.08.01 TROJ_FAKEAV.BC
VBA32 3.12.8.2 2008.08.01 -
ViRobot 2008.7.31.1319 2008.07.31 Adware.MalwareProtector.2109201
VirusBuster 4.5.11.0 2008.07.31 -
Webwasher-Gateway 6.6.2 2008.08.01 Trojan.Dropper.FraudTool.MalwareProtector.H
 
Additional information
File size: 2109201 bytes
MD5: 499d7dacb0dc68c83650b4fd3928d1dd
SHA1: 9efa30186c793bcc061c15b1ca2ce2e481ff9df1
SHA256: b7ac71b975b78c054993f98ab067f9cd7c72e351373ee054c7eb1e699f58ae08
SHA512: dd53abec4c17147b20a3fa5a2b14acb0ea898e54b91088cb98a853701ec2b2f9b3b8cc0622edf4b474ec90a16e82cc183634bce276e1abe13e7e01d87c2af5ea
PEiD: -

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=1355039711C62AA42F562046E6D56D003E37064C

 

Host: stat.malwareprotector08.com
IP: 78.159.96.17

inetnum:        89.149.226.0 - 89.149.227.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de

These are billing pages for the fake software MalwareProtector 2008. Don't buy there.

Host: secure.paymentbit.net
IP: 216.195.56.148

Whois:

OrgID:      APSTE
Address:    8130 SW BEAVERTON-HILLSDALE HWY
City:       PORTLAND
StateProv:  OR
PostalCode: 97225
Country:    US

NetRange:   216.195.32.0 - 216.195.63.255
CIDR:       216.195.32.0/19
NetName:    APS-EPSI
NetHandle:  NET-216-195-32-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET
Comment:    send abuse issues to abuse@3fn.net , send network

RTechHandle: NSW-ARIN
RTechName:   Swen, Nash
RTechPhone:  +1-800-539-8209
RTechEmail : noc@apxnoctelecom.com

Other sites on this IP:


Antivirus XP 2008

Friday, August 1st, 2008

Antivirus XP 2008 is a rogue Antispyware application.

Here are some fake scanning pages. DO NOT download any software from these domains.

Host: www.av-xp-08.com
IP: 200.63.48.140

owner:       CyprusHostingNetworks
ownerid:     CY-CYPR-LACNIC
responsible: Alexandr Buzenidiz
address:     1 Avlonos Street, 22, Office 14
address:     1075 - Nicosia - CY
person:      Alexandr Buzenidiz
e-mail:      abuse@cyprus-hosting.net

Other sites on this IP:

1.  Antivirusxp2008.com 
2.  Av-xp-08.com 

File AntivirusXP2008Installer.exe received on 08.01.2008 11:20:03 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.29.1 2008.08.01 -
AntiVir 7.8.1.15 2008.08.01 -
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 -
AVG 8.0.0.156 2008.08.01 FakeAlert.AT
BitDefender 7.2 2008.08.01 Adware.XpAntivirus.AJ
CAT-QuickHeal 9.50 2008.07.31 -
ClamAV 0.93.1 2008.08.01 Trojan.Peed.IG
DrWeb 4.44.0.09170 2008.08.01 Trojan.MulDrop.18211
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.5999 2008.07.31 -
Ewido 4.0 2008.07.31 -
F-Prot 4.4.4.56 2008.07.31 -
F-Secure 7.60.13501.0 2008.08.01 FraudTool.Win32.XPAntivirus.nh
Fortinet 3.14.0.0 2008.08.01 -
GData 2.0.7306.1023 2008.08.01 -
Ikarus T3.1.1.34.0 2008.08.01 -
K7AntiVirus 7.10.399 2008.07.31 -
Kaspersky 7.0.0.125 2008.08.01 not-a-virus:FraudTool.Win32.XPAntivirus.nh
McAfee 5351 2008.07.31 -
NOD32v2 3316 2008.07.31 Win32/TrojanDownloader.Agent.OBK
Norman 5.80.02 2008.07.31 -
Panda 9.0.0.4 2008.08.01 Suspicious file
PCTools 4.4.2.0 2008.08.01 -
Prevx1 V2 2008.08.01 -
Rising 20.55.42.00 2008.08.01 -
Sophos 4.31.0 2008.08.01 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.01 -
TheHacker 6.2.96.391 2008.07.31 Aplicacion/MalwareProtector.b
TrendMicro 8.700.0.1004 2008.08.01 -
VBA32 3.12.8.2 2008.08.01 -
ViRobot 2008.7.31.1319 2008.07.31 -
VirusBuster 4.5.11.0 2008.07.31 -
Webwasher-Gateway 6.6.2 2008.08.01 -
 
Additional information
File size: 1394321 bytes
MD5: 414d18f17506eceb6cdcdee4809841b8
SHA1: e8002146221f17afce38415e7d8cf2a92c73fa7b
SHA256: 704f45f152df70476b6ed346c6b883b07a6c9d2de9b701618a82f3d11029d059
SHA512: b715fa1f66518195c350c428c4e8cbc827b68cfcce902ccdfac06630fe66040d183d3b27bf91fdba4b128a895601cf12ff1f919b3601932429d7a333b241612c
PEiD: -
 

 

IP: 78.159.96.17

inetnum:        89.149.226.0 - 89.149.227.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de

Host: stat.av-xp-08.com
IP: 216.240.138.220

Whois:

OrgName:    ATMLINK, INC.
OrgID:      ATMLIN
Address:    600 W. 7th Street
Address:    Suite 360
City:       Los Angeles
StateProv:  CA
PostalCode: 90017
Country:    US
OrgAbusePhone:  +1-213-627-1937
OrgAbuseEmail:  noc@atmlinkinc.com

Other sites on this IP:

1.  Axpdefender08.com 
2.  Malwareprotector08.com 

These are billing pages for the fake software Antivirus XP 2008. Don't buy there.

Host: secure.paymentbit.net
IP: 216.195.56.148

Whois:

OrgID:      APSTE
Address:    8130 SW BEAVERTON-HILLSDALE HWY
City:       PORTLAND
StateProv:  OR
PostalCode: 97225
Country:    US

NetRange:   216.195.32.0 - 216.195.63.255
CIDR:       216.195.32.0/19
NetName:    APS-EPSI
NetHandle:  NET-216-195-32-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET
Comment:    send abuse issues to abuse@3fn.net , send network

RTechHandle: NSW-ARIN
RTechName:   Swen, Nash
RTechPhone:  +1-800-539-8209
RTechEmail : noc@apxnoctelecom.com

Other sites on this IP:


Security Expert Cleaner

Monday, July 28th, 2008

Security Expert Cleaner is a rogue Antispyware application. Stay away from the following IPs and hosts!

Host: www.secureexpertcleaner.com
IP: 89.149.227.50
Whois:

inetnum:        89.149.226.0 - 89.149.227.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de

Other sites on this IP:

1.  Registrydoctor2008.com
2.  Secureexpertcleaner.com
3.  Securefileshredder.com
4.  Virusremover2008.com

File CleanerInstaller.exe received on 07.28.2008 13:53:08 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.26.0 2008.07.28 -
AntiVir 7.8.1.12 2008.07.28 -
Authentium 5.1.0.4 2008.07.28 -
Avast 4.8.1195.0 2008.07.27 -
AVG 8.0.0.130 2008.07.28 Agent_r.H
BitDefender 7.2 2008.07.28 -
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.28 -
DrWeb 4.44.0.09170 2008.07.28 -
eSafe 7.0.17.0 2008.07.27 Suspicious File
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.28 -
F-Prot 4.4.4.56 2008.07.28 -
F-Secure 7.60.13501.0 2008.07.28 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.28 -
Ikarus T3.1.1.34.0 2008.07.28 -
Kaspersky 7.0.0.125 2008.07.28 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3302 2008.07.28 -
Norman 5.80.02 2008.07.28 -
Panda 9.0.0.4 2008.07.28 Suspicious file
PCTools 4.4.2.0 2008.07.27 -
Prevx1 V2 2008.07.28 -
Rising 20.55.02.00 2008.07.28 -
Sophos 4.31.0 2008.07.28 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.28 SecureExpertCleaner
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.28 -
VBA32 None 2008.07.27 -
ViRobot 2008.7.26.1311 2008.07.28 -
VirusBuster 4.5.11.0 2008.07.27 -
Webwasher-Gateway 6.6.2 2008.07.28 -
 
Additional information
File size: 92944 bytes
MD5: 710b55fd6d22d33e60d086f4960cf6d7
SHA1: f0deebaa3a30fe43d5c60c5fda649234b5443200
SHA256: 7cf7a76d5c647ffef0472c16695140e156ea7cd503a7e78d0a30f4138d8e96e5
SHA512: 24bc17934f16d61fe04d57df1b680185ec36241fc5c46e55c21e1e0f7af22cb2e1326205a04f4862709e031a507115482083568fd13d49a023c4a60fc45025dc
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress: 0x42f500
timedatestamp: 0x487d8e56 (Wed Jul 16 05:59:50 2008)
machinetype: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1b000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1c000 0x14000 0x13800 7.92 b60cd27468e4e064e77723a8c2303672
.rsrc 0x30000 0x2000 0x1a00 4.60 58bc9f71b3702139f666ea238af48cec

( 11 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
> ADVAPI32.dll: RegFlushKey
> COMCTL32.dll: ImageList_Draw
> GDI32.dll: DPtoLP
> iphlpapi.dll: GetAdaptersInfo
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHELL32.dll: ShellExecuteA
> SHLWAPI.dll: PathAppendA
> USER32.dll: GetDC
> WININET.dll: InternetOpenA

( 0 exports )

packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX

Host: download.secureexpertcleaner.com
IP: 88.198.8.15

Whois:

inetnum:        88.198.0.0 - 88.198.15.255
netname:        HETZNER-RZ-NBG-NET
descr:          Hetzner Online AG
descr:          Datacenter Nuernberg
country:        DE
admin-c:        HOAC1-RIPE
tech-c:         HOAC1-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
mnt-lower:      HOS-GUN
mnt-routes:     HOS-GUN
source:         RIPE # Filtered

role:           Hetzner Online AG - Contact Role
address:        Hetzner Online AG
address:        Stuttgarter Straße 1
address:        D-91710 Gunzenhausen
address:        Germany
phone:          +49 9831 61 00 61
fax-no:         +49 9831 61 00 62
abuse-mailbox:  abuse@hetzber.de

Host: dwnld1.com
IP: 67.228.177.143

Whois:

OrgName:    SoftLayer Technologies Inc.
OrgID:      SOFTL
Address:    1950 N Stemmons Freeway
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US
NetRange:   67.228.0.0 - 67.228.255.255
CIDR:       67.228.0.0/16
OriginAS:   AS36351
NetName:    SOFTLAYER-4-5
NetHandle:  NET-67-228-0-0-1
Parent:     NET-67-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.SOFTLAYER.COM
NameServer: NS2.SOFTLAYER.COM
Comment:    abuse@softlayer.com

File FreeCleaner.exe received on 07.28.2008 16:54:11 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.26.0 2008.07.28 -
AntiVir 7.8.1.12 2008.07.28 -
Authentium 5.1.0.4 2008.07.28 -
Avast 4.8.1195.0 2008.07.28 -
AVG 8.0.0.130 2008.07.28 -
BitDefender 7.2 2008.07.28 -
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.28 -
DrWeb 4.44.0.09170 2008.07.28 -
eSafe 7.0.17.0 2008.07.28 -
eTrust-Vet 31.6.5989 2008.07.28 -
Ewido 4.0 2008.07.28 -
F-Prot 4.4.4.56 2008.07.28 -
F-Secure 7.60.13501.0 2008.07.28 -
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.28 -
Ikarus T3.1.1.34.0 2008.07.28 -
Kaspersky 7.0.0.125 2008.07.28 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3303 2008.07.28 -
Norman 5.80.02 2008.07.28 -
Panda 9.0.0.4 2008.07.28 -
PCTools 4.4.2.0 2008.07.28 -
Prevx1 V2 2008.07.28 -
Rising 20.55.02.00 2008.07.28 -
Sophos 4.31.0 2008.07.28 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.28 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.28 -
VBA32 3.12.8.1 2008.07.28 -
ViRobot 2008.7.26.1311 2008.07.28 -
VirusBuster 4.5.11.0 2008.07.28 -
Webwasher-Gateway 6.6.2 2008.07.28 -
 
Additional information
File size: 1619512 bytes
MD5…: 49f3964b3510ebc29a50fecfe7fa82c2
SHA1..: ab95014fb39c8635ca8d378773b14a96c8b2a9a1
SHA256: 8564a7b521e98bd70bf59745e919a1b7eccfd183a5e40210ac33c15d20214970
SHA512: e837591991aec6a21f2b400e118556ff75e24f3d168685083f0452eee05c1ebd
a5c525e5859cfe2a308910e4afcbdcda8b117caf5a98061379284bfe023aa796
PEiD..: -

Host: secure.bestpaymentsolution.net
IP: 84.243.253.220

Whois:

inetnum:        84.243.253.0 - 84.243.253.255
netname:        GFX-CUST-WORLDSTREAM
descr:          WorldStream ip-block 3
org:            ORG-WS14-RIPE
country:        NL
admin-c:        GFX-RIPE
tech-c:         GFX-RIPE
status:         ASSIGNED PA
mnt-by:         GFX-MNT
source:         RIPE # Filtered

organisation:   ORG-WS14-RIPE
org-name:       WorldStream2
org-type:       OTHER
address:        Dijkweg 127c
address:        2675 AC  Honselersdijk
address:        The Netherlands
phone:          +31 70 755 1131
abuse-mailbox:  abuse@worldstream.nl

Other sites on this IP:

VirusRemover 2008

Thursday, July 24th, 2008

VirusRemover 2008 is a rogue antispyware application. Stay away from the following IPs and hosts!

Host: virusremover2008.com
IP: 89.149.227.50

Whois:

inetnum:        89.149.226.0 - 89.149.227.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de

Other Sites:

1.  Registrydoctor2008.com 
2.  Secureexpertcleaner.com 
3.  Securefileshredder.com 
4.  Virusremover2008.com 

We got an offer to download a fake antivirus from dwnld1(dot)com/VRM_Free.exe

VirusTotal description of this file:

File VRM_Free.exe received on 07.24.2008 15:15:04 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.24.0 2008.07.24 -
AntiVir 7.8.1.11 2008.07.24 PHISH/FraudTool.Agent.AA
Authentium 5.1.0.4 2008.07.24 -
Avast 4.8.1195.0 2008.07.24 Win32:Faker-J
AVG 8.0.0.130 2008.07.24 WinFixer.AUR
BitDefender 7.2 2008.07.24 -
CAT-QuickHeal 9.50 2008.07.22 -
ClamAV 0.93.1 2008.07.24 -
DrWeb 4.44.0.09170 2008.07.24 -
eSafe 7.0.17.0 2008.07.24 Suspicious File
eTrust-Vet 31.6.5979 2008.07.24 -
Ewido 4.0 2008.07.24 -
F-Prot 4.4.4.56 2008.07.22 W32/FakeAlert.O.gen!Eldorado
F-Secure 7.60.13501.0 2008.07.24 FraudTool.Win32.Agent.aa
Fortinet 3.14.0.0 2008.07.24 Misc/Agent
GData 2.0.7306.1023 2008.07.24 Win32:Faker-J
Ikarus T3.1.1.34.0 2008.07.24 Virus.Win32.Faker.J
Kaspersky 7.0.0.125 2008.07.24 not-a-virus:FraudTool.Win32.Agent.aa
McAfee 5345 2008.07.23 -
Microsoft 1.3704 2008.07.24 Program:Win32/VirusRemover
NOD32v2 3295 2008.07.24 Win32/FraudTool.VirusRemover
Norman 5.80.02 2008.07.23 -
Panda 9.0.0.4 2008.07.24 -
PCTools 4.4.2.0 2008.07.24 -
Prevx1 V2 2008.07.24 Malicious Software
Rising 20.54.32.00 2008.07.24 -
Sophos 4.31.0 2008.07.24 Troj/FakeVir-DR
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.24 VirusRemover2008
TheHacker 6.2.96.387 2008.07.23 -
TrendMicro 8.700.0.1004 2008.07.24 -
VBA32 3.12.8.1 2008.07.23 -
ViRobot 2008.7.24.1309 2008.07.24 Adware.VirusRemover.R.917776
VirusBuster 4.5.11.0 2008.07.23 -
Webwasher-Gateway 6.6.2 2008.07.24 -
 
Additional information
File size: 917776 bytes
MD5…: dea6a2c1043580875d2c51f5ba15bc82
SHA1..: 627e62112a8d4e8b0b590d134eb9c0fba20f8a84
SHA256: 08e34184bee9d8e1c625ac48ddc54d0ef1e9792abeef8429074613f0ecb683a8
SHA512: 28045016049dd000ef3b54e5ab66f80c1ea8f06722cb8d332a565ee679c623a5
d08cde2978e8af38b1f690664b2fc86129cafccafaa0af06561e1471e5b0ad6c
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=18C5BE13105E10F101DC0E6B1C295800543FE9B0
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=dea6a2c1043580875d2c51f5ba15bc82
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
packers (Avast): UPX

Host: dwnld1.com
IP: 67.228.177.146

Whois:

inetnum:        88.198.0.0 - 88.198.15.255
netname:        HETZNER-RZ-NBG-NET
descr:          Hetzner Online AG
descr:          Datacenter Nuernberg
country:        DE
admin-c:        HOAC1-RIPE
tech-c:         HOAC1-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
mnt-lower:      HOS-GUN
mnt-routes:     HOS-GUN
source:         RIPE # Filtered

role:           Hetzner Online AG - Contact Role
address:        Hetzner Online AG
address:        Stuttgarter Straße 1
address:        D-91710 Gunzenhausen
address:        Germany
phone:          +49 9831 61 00 61
fax-no:         +49 9831 61 00 62
abuse-mailbox: abuse@hetzner.de

Screenshot of fake scanning by VirusRemover 2008

Screenshot of billing form of VirusRemover 2008 from secure.bestpaymentsolution.net

Host: secure.bestpaymentsolution.net
IP: 84.243.253.237

Whois:

inetnum:        84.243.253.0 - 84.243.253.255
netname:        GFX-CUST-WORLDSTREAM
descr:          WorldStream ip-block 3
org:            ORG-WS14-RIPE
country:        NL
admin-c:        GFX-RIPE
tech-c:         GFX-RIPE
status:         ASSIGNED PA
mnt-by:         GFX-MNT
source:         RIPE # Filtered

organisation:   ORG-WS14-RIPE
org-name:       WorldStream2
org-type:       OTHER
address:        Dijkweg 127c
address:        2675 AC  Honselersdijk
address:        The Netherlands
phone:          +31 70 755 1131
abuse-mailbox:  abuse@worldstream.nl

mnt-ref:        GFX-MNT
mnt-by:         GFX-MNT
source:         RIPE # Filtered

role:           GrafiX NOC
org:            ORG-GIB1-RIPE
address:        GrafiX Internet B.V.
address:        Stationsplein 20
address:        2907 MJ  Capelle aan den IJssel
phone:          +31 10 2640210
fax-no:         +31 10 2640211
abuse-mailbox:  abuse@grafix.nl

Other sites on this IP:

Additional hosts of VirusRemover 2008 malware:

Host: fupd.virusremover2008.com
IP: 208.88.53.47

Whois:

OrgName:    Quonix Networks
OrgID:      QUONI
Address:    154 Nancys Lane
City:       King of Prussia
StateProv:  PA
PostalCode: 19406
Country:    US
OrgTechHandle: NETWO1404-ARIN
OrgTechName:   Network Operations
OrgTechPhone:  +1-800-248-1736
OrgTechEmail:  noc@quonix.net
OrgAbuseHandle: ABUSE1911-ARIN
OrgAbuseName:   ABUSE
OrgAbusePhone:  +1-215-257-3110
OrgAbuseEmail:  abuse@saidcom.com

Host: b2adz.com
IP: 76.74.249.30

Whois:

OrgName:    Peer 1 Network Inc.
OrgID:      PER1
Address:    75 Broad Street
Address:    2nd Floor
City:       New York
StateProv:  NY
PostalCode: 10004
Country:    US

NetRange:   76.74.128.0 - 76.74.255.255
CIDR:       76.74.128.0/17
NetName:    PEER1-BLK-10
NetHandle:  NET-76-74-128-0-1
Parent:     NET-76-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.PEER1.NET
NameServer: NS2.PEER1.NET
Comment:   
RegDate:    2007-04-04
Updated:    2007-11-19

RAbuseHandle: NSA-ARIN
RAbuseName:   Peer 1 Network AUP Enforcement
RAbusePhone:  +1-604-484-2588
RAbuseEmail:   abuse@peer1.net

Other Sites on this IP:

Antivirus 2009

Wednesday, July 23rd, 2008

Antivirus 2009 is a rogue antispyware application. Stay away from the following IPs and hosts!

Host: windows-virus-scanner.com
IP: 72.232.16.194

Whois:

OrgName:    Layered Technologies, Inc.
OrgID:      LAYER-3
Address:    5085 W Park Blvd
Address:    Suite 700
City:       Plano
StateProv:  TX
PostalCode: 75093
Country:    US
NetRange:   72.232.0.0 - 72.233.127.255
CIDR:       72.232.0.0/16, 72.233.0.0/17
NetName:    LAYERED-TECH-
NetHandle:  NET-72-232-0-0-1
Parent:     NET-72-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.LAYEREDTECH.COM
NameServer: NS2.LAYEREDTECH.COM
Comment:    Please send all abuse complaints to
Comment:    abuse@layeredtech.com

windows-virus-scanner(dot)com/2009/download/trial/AV2009Install_0011.exe

VirusTotal description of this file:

File AV2009Install_0011.exe received on 07.23.2008 12:22:52 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.23.0 2008.07.22 -
AntiVir 7.8.1.11 2008.07.23 -
Authentium 5.1.0.4 2008.07.23 -
Avast 4.8.1195.0 2008.07.23 Win32:Fraudo
AVG 8.0.0.130 2008.07.23 -
BitDefender 7.2 2008.07.23 -
CAT-QuickHeal 9.50 2008.07.22 -
ClamAV 0.93.1 2008.07.23 -
DrWeb 4.44.0.09170 2008.07.23 -
eSafe 7.0.17.0 2008.07.22 -
eTrust-Vet 31.6.5976 2008.07.23 -
Ewido 4.0 2008.07.22 -
F-Prot 4.4.4.56 2008.07.22 -
F-Secure 7.60.13501.0 2008.07.23 -
Fortinet 3.14.0.0 2008.07.23 -
GData 2.0.7306.1023 2008.07.23 Win32:Fraudo
Ikarus T3.1.1.34.0 2008.07.23 -
Kaspersky 7.0.0.125 2008.07.23 -
McAfee 5344 2008.07.22 -
Microsoft 1.3704 2008.07.23 -
NOD32v2 3290 2008.07.23 -
Norman 5.80.02 2008.07.22 -
Panda 9.0.0.4 2008.07.23 -
PCTools 4.4.2.0 2008.07.22 -
Prevx1 V2 2008.07.23 Fraudulent Security Program
Rising 20.54.22.00 2008.07.23 -
Sophos 4.31.0 2008.07.23 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.23 AntiVirus2008
TheHacker 6.2.96.387 2008.07.23 -
TrendMicro 8.700.0.1004 2008.07.23 -
VBA32 3.12.8.1 2008.07.22 Trojan.Win32.Pakes.juu
VIRobot 2008.7.23.1307 2008.07.23 -
VirusBuster 4.5.11.0 2008.07.22 -
Webwasher-Gateway 6.6.2 2008.07.23 -
 
Additional information
File size: 103936 bytes
MD5…: b5e0316864b5d7dd4a9060b54d4aeb8e
SHA1..: 49ba66c30f04b9592d835a94d13fae0f750594bd
SHA256: 7030548a6bbd7ad320f5abe8a5d9f220392fd2309881a8885a8ae1b692edaa05
SHA512: ea856e74a873e0df39697c1b79539d85ad19de23c16af9435af6f451e67c39f8
ebddd1b441b0205dadae54c911846631b348669677aea617c92b9b12d35ecb47
PEiD..: -

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=B32E189700C34B0A964901B303010E00E060136A

Screenshot of fake scanning by Antivirus 2009

Host: antivirus2009professional.com
IP: 89.149.226.24

Whois:

inetnum:        89.149.226.0 - 89.149.227.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de

Other sites on this IP:

1.  Drivemedirect.com 
2.  Global-clicks.com 
3.  Windows-internet-scanner.com 

Screenshot of a license purchase from antivirus2009professional.com

Screenshot of a license purchase from secure.billingware.net

Host: secure.billingware.net
IP: 216.195.56.148

Whois:

OrgName:    APS Telecom
OrgID:      APSTE
Address:    8130 SW BEAVERTON-HILLSDALE HWY
City:       PORTLAND
StateProv:  OR
PostalCode: 97225
Country:    US

NetRange:   216.195.32.0 - 216.195.63.255
CIDR:       216.195.32.0/19
NetName:    APS-EPSI
NetHandle:  NET-216-195-32-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.3FN.NET
NameServer: NS2.3FN.NET
Comment:    send abuse issues to abuse@3fn.net , send network

RTechHandle: NSW-ARIN
RTechName:   Swen, Nash
RTechPhone:  +1-800-539-8209
RTechEmail:  noc@apxnoctelecom.com

Other sites on this IP:

Rogue Antispyware - XPAntivirus

Wednesday, July 16th, 2008

XPAntivirus is a rogue antispyware/adware application. You get a fake antivirus scan and are then asked to download the "antivirus". Stay away from the following products, hosts and IP addresses!

Host: watchnenjoy.com
IP: 78.108.177.101

Whois:

netname:        HISKYHOST-NET
descr:          HISKYHOST network
country:        CZ
admin-c:        SM9797-RIPE
tech-c:         SM9797-RIPE
tech-c:         HNRm1-RIPE
status:         ASSIGNED PA
mnt-by:         UPL-MNT
source:         RIPE # Filtered

role:           HISKYHOST NETWORK RIPE manager
address:        Alexey Vorobiev
address:        192283 S Petersburg ul Oleko Dundicha 5
address:        Russia
phone:          + 7 921 406 6251
abuse-mailbox:  abuse@hiskyhost.net

Then we are offered the fake antivirus for download from http://winscanner-freever.com/2008/trial/XPAinstall_880282.exe

Host: winscanner-freever.com
IP: 89.149.226.24

Whois:

inetnum:        89.149.226.0 - 89.149.227.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
admin-c:        WW200-RIPE
tech-c:         SR614-RIPE
status:         ASSIGNED PA
mnt-by:         NETDIRECT-MNT
mnt-lower:      NETDIRECT-MNT
mnt-routes:     NETDIRECT-MNT
source:         RIPE # Filtered

person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirekt.de

VirusTotal description of this file:

File XPAinstall_880282.exe received on 07.16.2008 16:24:24 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.16.0 2008.07.16 -
AntiVir 7.8.0.68 2008.07.16 TR/Crypt.CFI.Gen
Authentium 5.1.0.4 2008.07.15 -
Avast 4.8.1195.0 2008.07.15 Win32:Trojan-gen {Other}
AVG 7.5.0.516 2008.07.16 Downloader.Generic7.XAJ
BitDefender 7.2 2008.07.16 Trojan.Generic.355821
CAT-QuickHeal 9.50 2008.07.16 TrojanDownloader.FraudLoad.ge
ClamAV 0.93.1 2008.07.16 Trojan.Fraudload-392
DrWeb 4.44.0.09170 2008.07.16 -
eSafe 7.0.17.0 2008.07.16 -
eTrust-Vet 31.6.5959 2008.07.16 -
Ewido 4.0 2008.07.16 -
F-Prot 4.4.4.56 2008.07.15 -
F-Secure 7.60.13501.0 2008.07.16 Trojan-Downloader.Win32.FraudLoad.gen
Fortinet 3.14.0.0 2008.07.16 PossibleThreat
GData 2.0.7306.1023 2008.07.16 Trojan-Downloader.Win32.FraudLoad.gen
Ikarus T3.1.1.26.0 2008.07.16 Trojan-Downloader.Win32.FraudLoad
Kaspersky 7.0.0.125 2008.07.16 Trojan-Downloader.Win32.FraudLoad.gen
McAfee 5339 2008.07.15 Downloader.gen.a
Microsoft 1.3704 2008.07.16 TrojanDownloader:Win32/Renos
NOD32v2 3272 2008.07.16 Win32/Adware.XPAntivirus
Norman 5.80.02 2008.07.16 W32/DLoader.IAYA
Panda 9.0.0.4 2008.07.16 -
Prevx1 V2 2008.07.16 Malware Downloader
Rising 20.53.22.00 2008.07.16 -
Sophos 4.31.0 2008.07.16 Mal/EncPk-CZ
Sunbelt 3.1.1536.1 2008.07.15 XPAntivirus
Symantec 10 2008.07.16 XPAntivirus
TheHacker 6.2.96.381 2008.07.16 Trojan/Downloader.FraudLoad.gen
TrendMicro 8.700.0.1004 2008.07.16 TROJ_RENOS.ACK
VBA32 3.12.8.0 2008.07.16 Trojan-Downloader.Win32.FraudLoad.gen
VirusBuster 4.5.11.0 2008.07.15 -
Webwasher-Gateway 6.6.2 2008.07.16 Trojan.Crypt.CFI.Gen
Additional information
File size: 112128 bytes
MD5…: 67f26275eeedfb90761d3016f47924c2
SHA1..: 474e0b85200608b90c7fafda21b744e4bc118e16
SHA256: 18b3c469cfbc70c15d275ac9d7bed7337733358ac57ce850eb78d8dd442c4e4b
SHA512: 648c2a82c6f826daf9af14447f5352c440c5d57db070fea223cc60d6d81f856c
c46e6b069690d5b3b0221f62c72691aa7a1a058b4363cf4590d13f61b4da4d23
PEiD..: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=74AB08F000C0F43DB66001A5E38C7C00B30BCB93

Then it downloads antispyguard-scanner.com/download/xpa_2008.exe

Host: antispyguard-scanner.com
IP: 64.92.174.34

Whois:

OrgName:    Savvis
OrgID:      SAVVI-3
Address:    3300 Regency Parkway
City:       Cary
StateProv:  NC
PostalCode: 27511
Country:    US

NetRange:   64.92.160.0 - 64.92.175.255
CIDR:       64.92.160.0/20
NetName:    SAVVIS
OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-877-393-7878
OrgAbuseEmail:  abuse@savvis.net

Other sites on this IP:

VirusTotal description of this file:

File xpa_2008.exe received on 07.16.2008 16:26:43 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.16.0 2008.07.16 -
AntiVir 7.8.0.68 2008.07.16 -
Authentium 5.1.0.4 2008.07.15 -
Avast 4.8.1195.0 2008.07.15 -
AVG 7.5.0.516 2008.07.16 -
BitDefender 7.2 2008.07.16 -
CAT-QuickHeal 9.50 2008.07.16 -
ClamAV 0.93.1 2008.07.16 -
DrWeb 4.44.0.09170 2008.07.16 -
eSafe 7.0.17.0 2008.07.16 -
eTrust-Vet 31.6.5959 2008.07.16 -
Ewido 4.0 2008.07.16 -
F-Prot 4.4.4.56 2008.07.15 -
F-Secure 7.60.13501.0 2008.07.16 -
Fortinet 3.14.0.0 2008.07.16 -
GData 2.0.7306.1023 2008.07.16 -
Ikarus T3.1.1.26.0 2008.07.16 -
Kaspersky 7.0.0.125 2008.07.16 -
McAfee 5339 2008.07.15 FakeAlert-AB.gen
Microsoft 1.3704 2008.07.16 -
NOD32v2 3272 2008.07.16 -
Norman 5.80.02 2008.07.16 -
Panda 9.0.0.4 2008.07.16 -
Prevx1 V2 2008.07.16 -
Rising 20.53.22.00 2008.07.16 -
Sophos 4.31.0 2008.07.16 -
Sunbelt 3.1.1536.1 2008.07.15 -
Symantec 10 2008.07.16 -
TheHacker 6.2.96.381 2008.07.16 -
TrendMicro 8.700.0.1004 2008.07.16 -
VBA32 3.12.8.0 2008.07.16 suspected of Malware-Cryptor.Win32.General.2
VirusBuster 4.5.11.0 2008.07.15 -
Webwasher-Gateway 6.6.2 2008.07.16 -
Additional information
File size: 995840 bytes
MD5…: ba154b6c3c3ed9b26e90d39ad0315498
SHA1..: a8a3e668af0c9a79fdce9645a3a7899e18706f1d
SHA256: dc9b5a5233e6f459ea896c812bf929ae708afa3fea51ed8dd25be0fce0e72807
SHA512: e2bf02b1654228e349781b9ad89863bfd28735e9e48bbe738b0d710bdc25bd25
220ae014ed28e06be442d3586b3308d28394a2e4696118912794c738794a9ee8
PEiD..: -

Then we get a fake scan

And after that, an offer to buy a license for the fake antivirus

Host: updatesantivirus.com
IP: 209.67.214.194

Whois:

OrgName:    Savvis
OrgID:      SAVVI-3
Address:    3300 Regency Parkway
City:       Cary
StateProv:  NC
PostalCode: 27511
Country:    US

NetRange:   209.67.0.0 - 209.67.255.255
CIDR:       209.67.0.0/16
NetName:    SAVVIS
OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-877-393-7878
OrgAbuseEmail:  abuse@savvis.net

Other sites:

1. Liveresponsesite.com
2. Onlinexpsecurity.com
3. Piante-grasse.info
4. Updatesantivirus.com
5. Xp-registration.com
6. Xpprotectionsoftware.com

Host: xp-registration.com
IP: 209.67.214.194

Other sites on this IP and Whois info: read below

Fake Codec - DNSChanger

Wednesday, July 16th, 2008

DNSChanger is a malware application. It tries to get a downloader installed from the fake PornTube site clipwizards.com.

Stay away from the following products, hosts and IP addresses!

Host: http://www.clipwizards.com/
IP: 85.255.118.157

Whois:

inetnum:        85.255.112.0 - 85.255.127.255
netname:        UkrTeleGroup
descr:          UkrTeleGroup Ltd.
admin-c:        UA481-RIPE
tech-c:         UA481-RIPE
country:        UA
org:            ORG-UL25-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         UKRTELE-MNT
mnt-routes:     UKRTELE-MNT
mnt-domains:    UKRTELE-MNT
source:         RIPE # Filtered
person:         Andrew Sotov
address:        Mechnikova 58/5 65029 Odessa
abuse-mailbox:  abuse@urktelgroup.com.ua

Other Sites on this IP:

Additional redirect to the domain www.movieexternal.com

Host: www.movieexternal.com
IP: 77.91.231.201

Whois:

inetnum:        77.91.231.128 - 77.91.231.255
netname:        WAHOME-DEDIC
descr:          Wahome dedicated
country:        RU
admin-c:        AT2998-RIPE
tech-c:         AT2998-RIPE
status:         ASSIGNED PA
mnt-by:         RU-WEBALTA-MNT
source:         RIPE # Filtered

person:         Alexey Tarasov
address:        Webalta JSC, Wahome Networks
address:        Andropova pr. 22
address:        Moscow, Russia
address:        115533
mnt-by:         RU-WEBALTA-MNT
abuse-mailbox:  abuse@wahome.ru

Other sites on this ip:

1.  Movieexternal.com
2.  Wmvcompressor.com

After the redirect we got a request to download a fake codec from http://cleancodec.net/download/cleancodec5198.exe

Host: cleancodec.net
IP: 64.28.184.181

Whois:

OrgName:    Cernel, Inc
OrgID:      CERNE-3
Address:    23404 W. Lyons Ave #223
City:       Santa Clarita
StateProv:  CA
PostalCode: 91321
Country:    US

NetRange:   64.28.176.0 - 64.28.191.255
CIDR:       64.28.176.0/20
NetName:    CERNELNETWORK
NetHandle:  NET-64-28-176-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: ALPHA.CERNEL.NET
NameServer: BETA.CERNEL.NET
Comment:
RegDate:    2005-12-29
Updated:    2005-12-29

RAbuseHandle: ABUSE1052-ARIN
RAbuseName:   Abuse department
RAbusePhone:  +1-661-347-0577
RAbuseEmail:   abuse@cernel.net

Other sites on this IP:

1.  Uinticket.com
2.  Cleancodec.net

VirusTotal description of this file:

File cleancodec5198.exe received on 07.16.2008 17:13:35 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.7.16.0 2008.07.16 -
AntiVir 7.8.0.68 2008.07.16 DR/Dldr.DNSChanger.Gen
Authentium 5.1.0.4 2008.07.15 -
Avast 4.8.1195.0 2008.07.16 Win32:DNSChanger-VR
AVG 7.5.0.516 2008.07.16 DNSChanger.AE
BitDefender 7.2 2008.07.16 Trojan.Pakes.ZVF
CAT-QuickHeal 9.50 2008.07.16 -
ClamAV 0.93.1 2008.07.16 -
DrWeb 4.44.0.09170 2008.07.16 -
eSafe 7.0.17.0 2008.07.16 -
eTrust-Vet 31.6.5959 2008.07.16 -
Ewido 4.0 2008.07.16 -
F-Prot 4.4.4.56 2008.07.15 -
F-Secure 7.60.13501.0 2008.07.16 Trojan.Win32.DNSChanger.dqm
Fortinet 3.14.0.0 2008.07.16 W32/DNSChanger.0513!tr
GData 2.0.7306.1023 2008.07.16 Trojan.Win32.DNSChanger.dqm
Ikarus T3.1.1.26.0 2008.07.16 Virus.Trojan.Win32.DNSChanger.chg
Kaspersky 7.0.0.125 2008.07.16 Trojan.Win32.DNSChanger.erp
McAfee 5339 2008.07.15 -
Microsoft 1.3704 2008.07.16 -
NOD32v2 3272 2008.07.16 -
Norman 5.80.02 2008.07.16 Vundo.gen202.dropper
Panda 9.0.0.4 2008.07.16 -
Prevx1 V2 2008.07.16 Cloaked Malware
Rising 20.53.22.00 2008.07.16 -
Sophos 4.31.0 2008.07.16 -
Sunbelt 3.1.1536.1 2008.07.15 -
Symantec 10 2008.07.16 -
TheHacker 6.2.96.381 2008.07.16 Trojan/DNSChanger.chg
TrendMicro 8.700.0.1004 2008.07.16 TROJ_ZLOB.CCW
VBA32 3.12.8.0 2008.07.16 -
VirusBuster 4.5.11.0 2008.07.16 -
Webwasher-Gateway 6.6.2 2008.07.16 Trojan.Dropper.Dldr.DNSChanger.Gen
Additional information
File size: 177012 bytes
MD5…: ecd91867c352f9c0e0ba14190ddbdf2d
SHA1..: 9c956c90762bd785bbf25109fae13c3852a4e250
SHA256: 3240ce6a59ea08aeee93896dbba29640870c6b765164f98e77be92a4b7479ce3
SHA512: 398106310273207f82edf83bf3d27079e0fe4c96a2578e43b4293a7435e13035
1d3ead367e60f0aaf0626218ba85f29ca7d4b2ecc66fe40d42282aea93baf06c
PEiD..: -
PEInfo: PE Structure information( base data )
entrypointaddress.: 0×403228
timedatestamp…..: 0×47acc8a9 (Fri Feb 08 21:24:57 2008)
machinetype…….: 0×14c (I386)( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0×1000 0×5a7e 0×5c00 6.47 47641d572224078da00d12032a7bb9d7
.rdata 0×7000 0×1190 0×1200 5.18 db16645055619c0cc73276ff5c3adb75
.data 0×9000 0×3997d8 0×400 4.71 1043e85c0a23a45c2aa392431eeaf00d
.ndata 0×3a3000 0xa000 0×0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0×3ad000 0×41f8 0×4200 5.88 918d4c78d61273d0820a7a1c3d144d43( 8 imports )
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
( 0 exports )
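The section table in the PEInfo block above can be recomputed from any PE file with standard-library Python. What follows is an added example, not code from the original post or from VirusTotal: it walks the DOS, COFF and section headers, rebuilds the viradd / virsiz / rawdsiz / ntrpy / md5 columns, and flags the two things worth a second look in this report, a section with 0x0 raw bytes on disk (the .ndata entry, whose md5 d41d8cd98f00b204e9800998ecf8427e is just the MD5 of the empty input) and any section whose entropy suggests packing. The two-section image built by build_sample_pe() is constructed for the example and is not the sample analysed here.

```python
# Added example (not code from the original post): a minimal PE32 section-table
# walker that reproduces the viradd / virsiz / rawdsiz / ntrpy / md5 columns of
# the PEInfo block above, using only the standard library. The sample image
# built by build_sample_pe() is constructed here for offline use; it is not the
# malware sample the report describes.
import hashlib
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for no data, close to 8.0 for
    packed or encrypted sections (the report's .text sits at 6.47)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def format_timestamp(ts: int) -> str:
    """Render a PE TimeDateStamp the way the report does (UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from("<8sIIII", image, hdr)
        raw = image[rawptr:rawptr + rawsiz] if rawsiz else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": viradd,
            "virsiz": virsiz,
            "rawdsiz": rawsiz,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),           # d41d8cd9... for an empty section
        })
    return {"machine": machine, "timestamp": timestamp, "entry": entry, "sections": sections}


def suspicious_sections(info: dict) -> list:
    """Triage hints: high-entropy (packed) sections, and sections that reserve
    virtual memory but carry no raw bytes, like .ndata in the report."""
    hints = []
    for s in info["sections"]:
        if s["ntrpy"] >= 7.0:
            hints.append(f"{s['name']}: entropy {s['ntrpy']} (packed/encrypted?)")
        if s["rawdsiz"] == 0 and s["virsiz"] > 0:
            hints.append(f"{s['name']}: 0x{s['virsiz']:x} bytes reserved, none on disk")
    return hints


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 (assumption: not a real binary). The .text
    section is pseudo-random so it looks packed; .ndata has no raw data."""
    rng = random.Random(2008)
    text = bytes(rng.randrange(256) for _ in range(0x200))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x47ACC8A9, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0x200, 0, 0xA000, 0x1000)
    opt += b"\0" * (0xE0 - len(opt))                        # rest of the PE32 optional header
    sec = struct.Struct("<8sIIIIIIHHI")
    s_text = sec.pack(b".text", 0x1F0, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    s_ndata = sec.pack(b".ndata", 0xA000, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    headers = dos + b"PE\0\0" + coff + opt + s_text + s_ndata
    return headers + b"\0" * (0x200 - len(headers)) + text


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(f"timedatestamp: 0x{info['timestamp']:x} ({format_timestamp(info['timestamp'])})")
    print("name viradd virsiz rawdsiz ntrpy md5")
    for s in info["sections"]:
        print(f"{s['name']} 0x{s['viradd']:x} 0x{s['virsiz']:x} 0x{s['rawdsiz']:x} {s['ntrpy']:.2f} {s['md5']}")
    for hint in suspicious_sections(info):
        print("!", hint)
```

To run it against a real file, pass open(path, "rb").read() to parse_pe() instead of the constructed image; the per-section MD5 values are then directly comparable with the md5 column above. A section with raw size 0 named .ndata, together with the ns*.tmp temporary files in the sandbox trace further down, is the footprint of an NSIS-built installer, which fits the "Creating several executable files" behaviour the sandbox reports.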
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=89E44400741AFD8BB339022CAFB25700BAF5EAFA
Norman Sandbox:
[ General information ]
* IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD).
* Creating several executable files on hard-drive.
* Locates window "NULL [class #32770]" on desktop.
* File length: 177012 bytes.
[ Changes to filesystem ]
* Creates directory C:\WINDOWS\TEMP\.
* Creates file C:\WINDOWS\TEMP\nsr8199.tmp.
* Deletes file C:\WINDOWS\TEMP\nsr8199.tmp.
* Creates file C:\WINDOWS\TEMP\nsp0099.tmp.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Creates file C:\WINDOWS\TEMP\notepad.exe.dat.
* Creates file C:\WINDOWS\TEMP\calc.exe.dat.
* Creates file C:\WINDOWS\TEMP\linux.
* Creates file C:\WINDOWS\TEMP\nsz8099.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz8099.tmp.
* Creates directory C:\WINDOWS\TEMP\nsz8099.tmp.
* Creates file C:\WINDOWS\TEMP\nsz8099.tmp\dcryptdll.dll.
* Creates file C:\WINDOWS\TEMP\notepad.exe.
* Creates file C:\WINDOWS\TEMP\calc.exe.
* Deletes file C:\WINDOWS\TEMP\CALC.DAT.
* Deletes file C:\WINDOWS\TEMP\NOTEPA~1.DAT.
* Deletes file C:\WINDOWS\TEMP\NOTEPAD.EXE.
* Deletes file C:\WINDOWS\TEMP\CALC.EXE.
* Creates file C:\WINDOWS\TEMP\nsz8099.tmp\modern-header.bmp.
* Creates directory C:\PROGRA~1.
* Creates directory C:\PROGRA~1\RUSAdult.
* Creates file C:\PROGRA~1\RUSAdult\Uninstall.exe.
* Creates directory C:\documen~1.
* Creates directory C:\documen~1\sandbox.
* Creates directory C:\documen~1\sandbox\startm~1.
* Creates directory C:\documen~1\sandbox\startm~1\Programmer.
* Creates directory C:\documen~1\sandbox\startm~1\Programmer\RUSAdult.
* Creates file C:\WINDOWS\TEMP\nsz8099.tmp\StartMenu.dll.
* Deletes file C:\WINDOWS\TEMP\nsp0099.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz8099.tmp\DCRYPT~1.DLL.
* Deletes file C:\WINDOWS\TEMP\nsz8099.tmp\MODERN~1.BMP.
* Deletes file C:\WINDOWS\TEMP\nsz8099.tmp\STARTM~1.DLL.
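The file-activity list above is only useful once it is reduced to what is still on disk when the installer exits. The script below is an added example, not code from the original post or from Norman: it replays the "Creates/Deletes" lines in order and reports the surviving files and directories, plus any deletion that matched nothing. SANDBOX_LOG is a subset of the lines from the report above. The one assumption is the 8.3 short-name rule in short_name_matches(), needed because the sandbox logs creations with long names (notepad.exe.dat) but deletions with DOS aliases (NOTEPA~1.DAT).

```python
# Added example (not code from the original post): reconcile a Norman Sandbox
# "Changes to filesystem" list into the artifacts that are still on disk when
# the sample exits. SANDBOX_LOG is a subset of the lines in the report above;
# the 8.3 short-name matching in short_name_matches() is an assumption, since
# the sandbox reports deletions with DOS aliases (NOTEPA~1.DAT) while creations
# use long names (notepad.exe.dat).
import re

SANDBOX_LOG = r"""
* Creates directory C:\WINDOWS\TEMP\.
* Creates file C:\WINDOWS\TEMP\nsr8199.tmp.
* Deletes file C:\WINDOWS\TEMP\nsr8199.tmp.
* Creates file C:\WINDOWS\TEMP\notepad.exe.dat.
* Creates file C:\WINDOWS\TEMP\calc.exe.dat.
* Creates file C:\WINDOWS\TEMP\linux.
* Creates file C:\WINDOWS\TEMP\nsz8099.tmp.
* Deletes file C:\WINDOWS\TEMP\nsz8099.tmp.
* Creates directory C:\WINDOWS\TEMP\nsz8099.tmp.
* Creates file C:\WINDOWS\TEMP\nsz8099.tmp\dcryptdll.dll.
* Creates file C:\WINDOWS\TEMP\notepad.exe.
* Deletes file C:\WINDOWS\TEMP\CALC.DAT.
* Deletes file C:\WINDOWS\TEMP\NOTEPA~1.DAT.
* Deletes file C:\WINDOWS\TEMP\NOTEPAD.EXE.
* Creates directory C:\PROGRA~1\RUSAdult.
* Creates file C:\PROGRA~1\RUSAdult\Uninstall.exe.
* Deletes file C:\WINDOWS\TEMP\nsz8099.tmp\DCRYPT~1.DLL.
"""

# Norman's line shape: "* Creates file <path>." with a trailing full stop.
LINE_RE = re.compile(r"^\* (Creates|Deletes) (file|directory) (.+)\.$")


def short_name_matches(short: str, long: str) -> bool:
    """Assumed 8.3 rule: drop dots and spaces from the long name's stem, compare
    its first six characters with the part before '~', and compare the
    three-character extension. NOTEPA~1.DAT matches notepad.exe.dat."""
    m = re.fullmatch(r"([^~.]{1,6})~\d+(?:\.([^.]{0,3}))?", short, re.IGNORECASE)
    if not m:
        return False
    prefix, ext = m.group(1).upper(), (m.group(2) or "").upper()
    stem, dot, long_ext = long.rpartition(".")
    if not dot:
        stem, long_ext = long, ""
    stem = stem.replace(".", "").replace(" ", "").upper()
    return stem.startswith(prefix) and long_ext.upper()[:3] == ext


def same_path(created: str, deleted: str) -> bool:
    """Case-insensitive compare in the same directory, falling back to the
    short-name rule when the deletion uses a '~' alias."""
    cdir, _, cname = created.rpartition("\\")
    ddir, _, dname = deleted.rpartition("\\")
    if cdir.upper() != ddir.upper():
        return False
    return cname.upper() == dname.upper() or ("~" in dname and short_name_matches(dname, cname))


def surviving_artifacts(log: str):
    """Replay the log in order. Returns (live entries, deletions that matched
    nothing); the second list is where name-mangling surprises show up."""
    live, unmatched = [], []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        action, kind, path = m.groups()
        if action == "Creates":
            live.append((kind, path))
            continue
        hit = next((e for e in live if e[0] == kind and same_path(e[1], path)), None)
        if hit is None:
            unmatched.append(path)
        else:
            live.remove(hit)
    return live, unmatched


if __name__ == "__main__":
    live, unmatched = surviving_artifacts(SANDBOX_LOG)
    for kind, path in live:
        print(f"left behind ({kind}): {path}")
    for path in unmatched:
        print(f"deleted but never seen created: {path}")
```

On this subset the survivors are calc.exe.dat and linux under C:\WINDOWS\TEMP and the RUSAdult Uninstall.exe under C:\PROGRA~1, which are the paths to pull for analysis, while the deletion of C:\WINDOWS\TEMP\CALC.DAT stays unmatched because it is neither the long name calc.exe.dat nor a '~' alias of it; that is worth knowing before concluding that a file "was cleaned up".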

The installer then offers to install the RusAdult malware; the C:\PROGRA~1\RUSAdult directory and the RUSAdult Start Menu folder in the sandbox trace above are its footprint.

Once installed it changes the machine's DNS settings, which is how it alters the results shown for google.com searches. On a suspect machine, compare the DNS servers listed by ipconfig /all with the ones your ISP or network actually hands out; servers you did not configure are the telltale.

Rogue Antispyware - IeDefender

Friday, July 11th, 2008

IE Antivirus, detected as Win32/Adware.IeDefender.NGE, is a rogue antispyware/adware application. It tries to get itself installed through fake alert screens served from the following resources:

Host: getmyvideonow.com
IP: 89.149.208.179

Whois:

inetnum:        89.149.208.0 - 89.149.209.255
netname:        NETDIRECT-NET
descr:          netdirekt e.K.
remarks:        INFRA-AW
country:        DE
person:       Wiethold Wagner
address:      netdirekt e. K.
address:      Kleyer Strasse 79 / Tor 14
address:      60326 Frankfurt
address:      DE
phone:        +49 69 90556880
fax-no:       +49 69 905568822
e-mail:       info@netdirect.de

Host: opaadownload.com
IP: 193.164.132.208

Whois:

inetnum:        193.164.131.0 - 193.164.133.255
netname:        GIGAHOSTING
descr:          Giga-Hosting.biz GbR
country:        DE
org:            ORG-GG14-RIPE
org-name:       Giga-Hosting.biz GbR
org-type:       OTHER
address:        Giga-Hosting.biz GbR
address:        Hoerselbergstr. 5
address:        81677 Muenchen
address:        Germany
phone:          +49 (0)89 21268372
abuse-mailbox:  abuse@giga-hosting.biz

Other sites on this IP:

1. Campbellandlipold.com
2. Moodbenews.com

Host: hotvid44.com
IP: 58.65.238.34

Whois:

inetnum:      58.65.232.0 - 58.