Fake scan/alert page to make you believe you are infected...


O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O4 - HKLM\..\Run: [lphc390j0eabc] C:\WINDOWS\system32\lphc390j0eabc.exe
O4 - HKLM\..\Run: [SMrhcg3mj0ee2p] C:\Program Files\rhcg3mj0ee2p\rhcg3mj0ee2p.exe
O4 - HKCU\..\Run: [Somefox] C:\DOCUME~1\Owner\LOCALS~1\Temp\setup73.exe
File promomodule.exe received on 2008.08.01 14:10:53 (CET)
Result: 1/36 (2.78%)
Antivirus Version Last update Result
AhnLab-V3 2008.7.29.1 2008.08.01 -
AntiVir 7.8.1.15 2008.08.01 -
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 -
AVG 8.0.0.156 2008.08.01 -
BitDefender 7.2 2008.08.01 -
CAT-QuickHeal 9.50 2008.07.31 -
ClamAV 0.93.1 2008.08.01 -
DrWeb 4.44.0.09170 2008.08.01 -
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.5999 2008.07.31 -
Ewido 4.0 2008.08.01 -
F-Prot 4.4.4.56 2008.07.31 -
F-Secure 7.60.13501.0 2008.08.01 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.08.01 -
GData 2.0.7306.1023 2008.08.01 -
Ikarus T3.1.1.34.0 2008.08.01 -
K7AntiVirus 7.10.399 2008.07.31 -
Kaspersky 7.0.0.125 2008.08.01 -
McAfee 5351 2008.07.31 -
Microsoft 1.3704 2008.07.28 -
NOD32v2 3317 2008.08.01 -
Norman 5.80.02 2008.08.01 -
Panda 9.0.0.4 2008.08.01 -
PCTools 4.4.2.0 2008.08.01 -
Prevx1 V2 2008.08.01 -
Rising 20.55.42.00 2008.08.01 -
Sophos 4.31.0 2008.08.01 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.01 -
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.08.01 -
VBA32 3.12.8.2 2008.08.01 -
ViRobot 2008.8.1.1321 2008.08.01 -
VirusBuster 4.5.11.0 2008.07.31 -
Webwasher-Gateway 6.6.2 2008.08.01 -
Additional information
File size: 39936 bytes
MD5...: 7a3342502b5d2bae52c2af0ad56e7a27
SHA1..: eb94d632df2505b56cfdee175b680a1dabff75a8
Some links:
File msxml71.dll received on 2008.08.01 14:33:54 (CET)
Result: 4/35 (11.43%)
Antivirus Version Last update Result
AhnLab-V3 2008.7.29.1 2008.08.01 -
AntiVir 7.8.1.15 2008.08.01 -
Authentium 5.1.0.4 2008.07.31 -
Avast 4.8.1195.0 2008.07.31 -
AVG 8.0.0.156 2008.08.01 -
BitDefender 7.2 2008.08.01 -
CAT-QuickHeal 9.50 2008.07.31 -
ClamAV 0.93.1 2008.08.01 -
DrWeb 4.44.0.09170 2008.08.01 -
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.5999 2008.07.31 -
Ewido 4.0 2008.08.01 -
F-Prot 4.4.4.56 2008.07.31 -
F-Secure 7.60.13501.0 2008.08.01 -
Fortinet 3.14.0.0 2008.08.01 -
GData 2.0.7306.1023 2008.08.01 -
Ikarus T3.1.1.34.0 2008.08.01 Generic.Win32.Malware.Antivirus2008
K7AntiVirus 7.10.399 2008.07.31 -
Kaspersky 7.0.0.125 2008.08.01 -
McAfee 5351 2008.07.31 -
Microsoft 1.3704 2008.07.28 Program:Win32/Antivirus2008
NOD32v2 3317 2008.08.01 Win32/Adware.BHO.NCX
Norman 5.80.02 2008.08.01 -
Panda 9.0.0.4 2008.08.01 -
PCTools 4.4.2.0 2008.08.01 -
Prevx1 V2 2008.08.01 Fraudulent Security Program
Rising 20.55.42.00 2008.08.01 -
Sophos 4.31.0 2008.08.01 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.01 -
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.08.01 -
ViRobot 2008.8.1.1321 2008.08.01 -
VirusBuster 4.5.11.0 2008.07.31 -
Webwasher-Gateway 6.6.2 2008.08.01 -
Additional information
File size: 78340 bytes
MD5...: 4b9a06c16bd26760a30c93c00705ac70
SHA1..: 4865c647731a2de7b3adc9cb17d3fbb7efd1cee4
1217599540.873 884 192.168.1.50 TCP_MISS/200 40808 GET http://softupdat.com/advset/setup0.exe - DIRECT/74.50.117.84 application/octet-stream
1217599547.266 481 192.168.1.50 TCP_MISS/200 5177 GET http://updatehost.com/size.php?data=z6pEHas3Q+mwIB0Md/kcAkKwXnnIB6Dr3VcNb70QEIr3hCVcJFEPYkMAbSoCNOo4OOwDCI7ctd+pAyeK4IXd7QLlrhOB53PxBV6uZmmXx5bP10R/ytC8mzcTCNt6FlfCbY1i5w== - DIRECT/74.50.117.84 application/xml
1217599559.919 988 192.168.1.50 TCP_MISS/200 73065 GET http://softupdat.com/bho/get_ie.php?pin=0 - DIRECT/74.50.117.84 application/octet-stream
1217599568.793 21452 192.168.1.50 TCP_MISS/200 73060 GET http://softupdat.com/bho/get_ie.php?pin=0 - DIRECT/74.50.117.84 application/octet-stream
1217599571.359 757 192.168.1.50 TCP_MISS/200 40312 GET http://softupdat.com/promo/1000/promomodule.exe - DIRECT/74.50.117.84 application/octet-stream
1217599652.296 1238 192.168.1.50 TCP_MISS/200 110594 GET http://softupdat.com/download/scan.exe - DIRECT/74.50.117.84 application/octet-stream
1217599701.083 579 192.168.1.50 TCP_MISS/200 5868 GET http://dwl.av2008dl.com/load/setup_100542_3_.exe - DIRECT/85.255.118.70 application/octet-stream
Complete scanning result of "scan.exe", processed in VirusTotal at 08/01/2008 14:08:36 (CET).
[ file data ]
* name..: scan.exe
* size..: 110080
* md5...: cf57824cd1673827916aa6c6e7d17f17
* sha1..: 91ba77e0bc2a5000a5a12b331fce30093f3e1693
* peid..: -
[ scan result ]
AhnLab-V3 2008.7.29.1/20080801 found nothing
AntiVir 7.8.1.15/20080801 found [TR/Dldr.Small.zdo]
Authentium 5.1.0.4/20080731 found nothing
Avast 4.8.1195.0/20080731 found [Win32:Trojan-gen {Other}]
AVG 8.0.0.156/20080801 found [Downloader.FraudLoad.A]
BitDefender 7.2/20080801 found [Trojan.Peed.JPX]
CAT-QuickHeal 9.50/20080731 found [TrojanDownloader.Small.zdo]
ClamAV 0.93.1/20080801 found nothing
DrWeb 4.44.0.09170/20080801 found [Trojan.Fakealert.995]
eSafe 7.0.17.0/20080729 found [Suspicious File]
eTrust-Vet 31.6.5999/20080731 found [Win32/Bugnraw!generic]
Ewido 4.0/20080801 found [Downloader.Small.zdo]
F-Prot 4.4.4.56/20080731 found [W32/Zhelatin.O.gen!Eldorado]
F-Secure 7.60.13501.0/20080801 found [Trojan-Downloader.Win32.Small.zdo]
Fortinet 3.14.0.0/20080801 found [W32/Tibs.JB!tr]
GData 2.0.7306.1023/20080801 found [Trojan-Downloader.Win32.Small.zdo]
Ikarus T3.1.1.34.0/20080801 found [Trojan.Peed.JPU]
K7AntiVirus 7.10.399/20080731 found [Trojan-Downloader.Win32.Small.zdo]
Kaspersky 7.0.0.125/20080801 found [Trojan-Downloader.Win32.Small.zdo]
McAfee 5351/20080731 found [FakeAlert-AG.gen]
Microsoft 1.3704/20080728 found [Trojan:Win32/Tibs.J]
NOD32v2 3317/20080801 found [Win32/TrojanDownloader.FakeAlert.DR]
Norman 5.80.02/20080801 found [W32/Tibs.CPIG]
Panda 9.0.0.4/20080801 found [Trj/Downloader.MDW]
PCTools 4.4.2.0/20080801 found nothing
Prevx1 V2/20080801 found [Malicious Software]
Rising 20.55.42.00/20080801 found nothing
Sophos 4.31.0/20080801 found [Mal/TibsPk-D]
Sunbelt 3.1.1537.1/20080801 found [Trojan-Downloader.Win32.Small.zdo]
Symantec 10/20080801 found [Packed.Generic.174]
TheHacker 6.2.96.391/20080731 found nothing
TrendMicro 8.700.0.1004/20080801 found nothing
VBA32 3.12.8.2/20080801 found [Trojan-Downloader.Win32.Small.zdo]
ViRobot 2008.8.1.1321/20080801 found nothing
VirusBuster 4.5.11.0/20080731 found [Trojan.DL.Small.AOVB]
Webwasher-Gateway 6.6.2/20080801 found [Trojan.Dldr.Small.zdo]
Complete scanning result of "get_ie.php?pin=0", processed in VirusTotal at 08/01/2008 14:22:25 (CET).
[ file data ]
* name..: get_ie.php?pin=0
* size..: 72708
* md5...: 331a6da2a88736d1714bf0031ac87d33
* sha1..: 4971cf23cfa933935d2976bf325d376ac4c45267
* peid..: -
[ scan result ]
AhnLab-V3 2008.7.29.1/20080801 found nothing
AntiVir 7.8.1.15/20080801 found [TR/BHO.fig]
Authentium 5.1.0.4/20080731 found nothing
Avast 4.8.1195.0/20080731 found nothing
AVG 8.0.0.156/20080801 found [SHeur.BUOU]
BitDefender 7.2/20080801 found nothing
CAT-QuickHeal 9.50/20080731 found nothing
ClamAV 0.93.1/20080801 found nothing
DrWeb 4.44.0.09170/20080801 found nothing
eSafe 7.0.17.0/20080729 found [Suspicious File]
eTrust-Vet 31.6.5999/20080731 found nothing
Ewido 4.0/20080801 found [Trojan.BHO.fig]
F-Prot 4.4.4.56/20080731 found nothing
F-Secure 7.60.13501.0/20080801 found [Trojan.Win32.BHO.fig]
Fortinet 3.14.0.0/20080801 found [W32/BHO.FIG!tr]
GData 2.0.7306.1023/20080801 found [Trojan.Win32.BHO.fig]
Ikarus T3.1.1.34.0/20080801 found [Trojan.Win32.BHO.fig]
K7AntiVirus 7.10.399/20080731 found nothing
Kaspersky 7.0.0.125/20080801 found [Trojan.Win32.BHO.fig]
McAfee 5351/20080731 found nothing
Microsoft 1.3704/20080728 found nothing
NOD32v2 3317/20080801 found [Win32/Adware.BHO.NCX]
Norman 5.80.02/20080801 found [W32/BHO.DYN]
Panda 9.0.0.4/20080801 found nothing
PCTools 4.4.2.0/20080801 found nothing
Prevx1 V2/20080801 found [Malicious Software]
Rising 20.55.42.00/20080801 found nothing
Sophos 4.31.0/20080801 found nothing
Sunbelt 3.1.1537.1/20080801 found [Trojan.Win32.BHO.fig]
Symantec 10/20080801 found nothing
TheHacker 6.2.96.391/20080731 found nothing
TrendMicro 8.700.0.1004/20080801 found [PAK_Generic.001]
VBA32 3.12.8.2/20080801 found [Win32.Adware.BHO.NCX]
ViRobot 2008.8.1.1321/20080801 found nothing
VirusBuster 4.5.11.0/20080731 found nothing
Webwasher-Gateway 6.6.2/20080801 found [Trojan.BHO.fig]
Complete scanning result of "setup0.exe", processed in VirusTotal at 08/01/2008 14:19:50 (CET).
[ file data ]
* name..: setup0.exe
* size..: 40452
* md5...: 8dea48bf3e0424280dfd153e87b02ee1
* sha1..: f8df37a854166d3c6ca2263cad3964a404c160e8
* peid..: -
[ scan result ]
AhnLab-V3 2008.7.29.1/20080801 found nothing
AntiVir 7.8.1.15/20080801 found [TR/Spy.ZBot.IF]
Authentium 5.1.0.4/20080731 found nothing
Avast 4.8.1195.0/20080731 found [Win32:Zbot-AJN]
AVG 8.0.0.156/20080801 found [SHeur.BYNR]
BitDefender 7.2/20080801 found [Trojan.Spy.Zbot.IF]
CAT-QuickHeal 9.50/20080731 found [TrojanDownloader.FraudLoad.va]
ClamAV 0.93.1/20080801 found nothing
DrWeb 4.44.0.09170/20080801 found nothing
eSafe 7.0.17.0/20080729 found nothing
eTrust-Vet 31.6.5999/20080731 found nothing
Ewido 4.0/20080801 found nothing
F-Prot 4.4.4.56/20080731 found nothing
F-Secure 7.60.13501.0/20080801 found [Trojan-Downloader.Win32.FraudLoad.vatd]
Fortinet 3.14.0.0/20080801 found nothing
GData 2.0.7306.1023/20080801 found [Trojan-Downloader.Win32.FraudLoad.vatd]
Ikarus T3.1.1.34.0/20080801 found [Virus.Win32.Zbot.AJN]
K7AntiVirus 7.10.399/20080731 found nothing
Kaspersky 7.0.0.125/20080801 found [Trojan-Downloader.Win32.FraudLoad.vatd]
McAfee 5351/20080731 found nothing
Microsoft 1.3704/20080728 found [PWS:Win32/Zbot.gen!G]
NOD32v2 3317/20080801 found [Win32/TrojanDownloader.FakeAlert.FE]
Norman 5.80.02/20080801 found nothing
Panda 9.0.0.4/20080801 found [Suspicious file]
PCTools 4.4.2.0/20080801 found nothing
Prevx1 V2/20080801 found [Suspicious]
Rising 20.55.42.00/20080801 found nothing
Sophos 4.31.0/20080801 found [Mal/EncPk-EI]
Sunbelt 3.1.1537.1/20080801 found nothing
Symantec 10/20080801 found nothing
TheHacker 6.2.96.391/20080731 found nothing
TrendMicro 8.700.0.1004/20080801 found nothing
VBA32 3.12.8.2/20080801 found [suspected of Malware-Cryptor.Win32.General.2]
ViRobot 2008.8.1.1321/20080801 found nothing
VirusBuster 4.5.11.0/20080731 found nothing
Webwasher-Gateway 6.6.2/20080801 found [Trojan.Spy.ZBot.IF]