
A few captures of the fake security scan/alert pages (ia-scanner-pro.com 78.157.143.184)

Code:
1229700763.951 617 192.168.1.25 TCP_MISS/200 10285 GET http://avscan5.com/22/?uid=165&in=1&xx=1&end=1&g=1&h=0&ag=1 - DIRECT/66.45.250.180 text/html
Code:
1229700781.284 599 192.168.1.25 TCP_MISS/200 2943 GET http://in5is.com/download/file.exe - DIRECT/66.45.250.180 application/x-msdownload
1229700844.780 191 192.168.1.25 TCP_MISS/200 13023 GET http://in5is.com/download/InternetAntivirusPro.exe - DIRECT/66.45.250.180 application/x-msdownload
1229700774.517 1374 192.168.1.25 TCP_MISS/200 48459 GET http://avscan5.com/download/IAInstall.exe - DIRECT/66.45.250.180 application/x-msdownload
Contrary to what the Ikarus detection might suggest, this is not the TDSS rootkit: file.exe drops the file C:\Documents and Settings\user\Application Data\Microsoft\Windows\winlogon.exe and adds the following registry key so that it is loaded at startup:

Key: HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Run
Name: Microsoft Windows logon process
Value: C:\Documents and Settings\user\Application Data\Microsoft\Windows\winlogon.exe

Note also that the following service is created; if you try to stop the IAPro.exe process (the rogue itself), it is automatically reloaded by the service:

O23 - Service: Guard Service (ITGrdEngine) - Unknown owner - C:\Documents and Settings\SuperCanard\Local Settings\Application Data\Microsoft\Windows\services.exe

File file.exe received on 2008.12.19 16:35:41 (CET)
Result: 3/38 (7.9%)
Antivirus Version Last update Result
AhnLab-V3 2008.12.19.3 2008.12.19 -
AntiVir 7.9.0.45 2008.12.19 -
Authentium 5.1.0.4 2008.12.18 -
Avast 4.8.1281.0 2008.12.18 -
AVG 8.0.0.199 2008.12.19 -
BitDefender 7.2 2008.12.19 -
CAT-QuickHeal 10.00 2008.12.19 (Suspicious) - DNAScan
ClamAV 0.94.1 2008.12.19 -
Comodo 781 2008.12.19 -
DrWeb 4.44.0.09170 2008.12.19 -
eSafe 7.0.17.0 2008.12.18 Suspicious File
eTrust-Vet 31.6.6268 2008.12.18 -
Ewido 4.0 2008.12.19 -
F-Prot 4.4.4.56 2008.12.18 -
F-Secure 8.0.14332.0 2008.12.19 -
Fortinet 3.117.0.0 2008.12.19 -
GData 19 2008.12.19 -
Ikarus T3.1.1.45.0 2008.12.19 Rootkit.Win32.TDSS
K7AntiVirus 7.10.559 2008.12.19 -
Kaspersky 7.0.0.125 2008.12.19 -
McAfee 5468 2008.12.18 -
McAfee+Artemis 5468 2008.12.18 -
Microsoft 1.4205 2008.12.19 -
NOD32 3706 2008.12.19 -
Norman 5.80.02 2008.12.19 -
Panda 9.0.0.4 2008.12.19 -
PCTools 4.4.2.0 2008.12.19 -
Prevx1 V2 2008.12.19 -
Rising 21.08.42.00 2008.12.19 -
SecureWeb-Gateway 6.7.6 2008.12.19 -
Sophos 4.37.0 2008.12.19 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.19 -
TheHacker 6.3.1.4.191 2008.12.17 -
TrendMicro 8.700.0.1004 2008.12.19 -
VBA32 3.12.8.10 2008.12.18 -
ViRobot 2008.12.19.1527 2008.12.19 -
VirusBuster 4.5.11.0 2008.12.19 -
Additional information
File size: 36352 bytes
MD5...: 20b0db1adecf4a297c64a912357b7f6b
SHA1..: 39a59710ce94387f8bc44dae233dd59ff707bf56
Code:
1230396354.533 948 192.168.1.25 TCP_MISS/200 48020 GET http://5avscan.com/download/install.php - DIRECT/66.45.250.180 application/octet-stream
Domain Name: 5AVSCAN.COM
Registrar: NETEARTH ONE, INC. DBA NETEARTH
Whois Server: whois.netearthone.com
Referral URL: http://www.netearthone.com
Name Server: NS1.5AVSCAN.COM
Name Server: NS2.5AVSCAN.COM
Status: clientTransferProhibited
Updated Date: 21-dec-2008
Creation Date: 19-dec-2008
Expiration Date: 19-dec-2009
Registrant:
N/A
Bruce Pouncey ([email protected])
Clevischer Ring 121
Koeln
Koeln,51063
DE
Tel. +49.22196470
Creation Date: 19-Dec-2008
Expiration Date: 19-Dec-2009
Domain servers in listed order:
ns2.5avscan.com
ns1.5avscan.com
Code:
1230575349.956 416 192.168.1.120 TCP_MISS/200 11982 GET http://scan4pro.com/22/?uid=keyin - DIRECT/78.159.99.52 text/html
Code:
1230999793.627 196 192.168.1.25 TCP_MISS/200 48020 GET http://scan4plus.com/download/install.php - DIRECT/78.159.99.52 application/octet-stream
Code:
1230999799.340 305 192.168.1.25 TCP_MISS/200 4383 GET http://in4is.com/download/file.exe - DIRECT/78.159.99.52 application/x-msdownload
Code:
1231185229.050 429 192.168.1.25 TCP_MISS/200 11990 GET http://av7scan.com/22/?uid=12600 - DIRECT/208.85.181.108 text/html
Code:
1243346452.256 969 192.168.1.25 TCP_MISS/200 40889 GET http://note4scan.info/download/install.php - DIRECT/209.44.126.102 application/octet-stream
1243346562.228 919 192.168.1.200 TCP_MISS/200 40889 GET http://note4scan.info/download/install.php - DIRECT/209.44.126.102 application/octet-stream
1243346571.137 725 192.168.1.200 TCP_MISS/200 2910 GET http://in4tk.com/download/InternetAntivirusPro.exe - DIRECT/209.44.126.102 application/x-msdownload
1243346573.909 2616 192.168.1.200 TCP_MISS/206 2167780 GET http://in4tk.com/download/InternetAntivirusPro.exe - DIRECT/209.44.126.102 application/x-msdownload
1243346574.120 180 192.168.1.200 TCP_MISS/200 2911 GET http://in4tk.com/download/file.exe - DIRECT/209.44.126.102 application/x-msdownload
1243346574.859 734 192.168.1.200 TCP_MISS/206 29085 GET http://in4tk.com/download/file.exe - DIRECT/209.44.126.102 application/x-msdownload
1243346726.870 355 192.168.1.25 TCP_MISS/200 40889 GET http://note4scan.info/download/install.php - DIRECT/209.44.126.102 application/octet-stream
1243346726.978 358 192.168.1.25 TCP_MISS/200 40889 GET http://note4scan.info/download/install.php - DIRECT/209.44.126.102 application/octet-stream
Code:
data-saver.org A 91.212.107.103
scanatom6.com A 91.212.107.103
goscanxtra.com A 91.212.107.103
goscanadd.com A 91.212.107.103
goscanmend.com A 91.212.107.103
goscanherd.com A 91.212.107.103
goscancode.com A 91.212.107.103
goscansake.com A 91.212.107.103
goscanlike.com A 91.212.107.103
goscansole.com A 91.212.107.103
goscanease.com A 91.212.107.103
goscanref.com A 91.212.107.103
goscanback.com A 91.212.107.103
goscandeck.com A 91.212.107.103
goscanpick.com A 91.212.107.103
goscanfowl.com A 91.212.107.103
goscanroom.com A 91.212.107.103
goxtrascan.com A 91.212.107.103
gohandscan.com A 91.212.107.103
gomendscan.com A 91.212.107.103
goherdscan.com A 91.212.107.103
gosakescan.com A 91.212.107.103
gosolescan.com A 91.212.107.103
gonamescan.com A 91.212.107.103
goeasescan.com A 91.212.107.103
gofatescan.com A 91.212.107.103
gomutescan.com A 91.212.107.103
goeachscan.com A 91.212.107.103
gobackscan.com A 91.212.107.103
gopickscan.com A 91.212.107.103
golookscan.com A 91.212.107.103
gowellscan.com A 91.212.107.103
gofowlscan.com A 91.212.107.103
goroomscan.com A 91.212.107.103
goironscan.com A 91.212.107.103
gotrioscan.com A 91.212.107.103
golimpscan.com A 91.212.107.103
gobarscan.com A 91.212.107.103
godoerscan.com A 91.212.107.103
godirscan.com A 91.212.107.103
goneatscan.com A 91.212.107.103
gojestscan.com A 91.212.107.103
goscantrio.com A 91.212.107.103
ia-pro.com A 91.212.107.103
iantivirus-pro.com A 91.212.107.103
iav-pro.com A 91.212.107.103
http://www.iav-pro.com A 91.212.107.103
iantiviruspro.com A 91.212.107.103
inavpro.com A 91.212.107.103
goscanslip.com A 91.212.107.103
goscanlimp.com A 91.212.107.103
goscanbar.com A 91.212.107.103
goscandoer.com A 91.212.107.103
databackuper.com A 91.212.107.103
woptimizer.com A 91.212.107.103
goscandir.com A 91.212.107.103
in5cs.com A 91.212.107.103
g-antivirus.com A 91.212.107.103
general-antivirus.com A 91.212.107.103
http://www.general-antivirus.com A 91.212.107.103
generalantivirus.com A 91.212.107.103
generalavs.com A 91.212.107.103
goscanneat.com A 91.212.107.103
in5ct.com A 91.212.107.103
in5it.com A 91.212.107.103
wopayment.com A 91.212.107.103
goscanjest.com A 91.212.107.103
goscanrest.com A 91.212.107.103
general-av.com A 91.212.107.103
duvaba.cn A 91.212.107.103
ereuqba.cn A 91.212.107.103
ebeama.cn A 91.212.107.103
keturma.cn A 91.212.107.103
esuteyb.cn A 91.212.107.103
duwbiec.cn A 91.212.107.103
eqaofed.cn A 91.212.107.103
kirdabe.cn A 91.212.107.103
kixyhce.cn A 91.212.107.103
cecyde.cn A 91.212.107.103
erujale.cn A 91.212.107.103
eqaone.cn A 91.212.107.103
dyqunre.cn A 91.212.107.103
byzivte.cn A 91.212.107.103
dovzyag.cn A 91.212.107.103
ebeozag.cn A 91.212.107.103
edoqeg.cn A 91.212.107.103
cafgouh.cn A 91.212.107.103
cifebi.cn A 91.212.107.103
dovnaji.cn A 91.212.107.103
ebogumi.cn A 91.212.107.103
dyzani.cn A 91.212.107.103
dybapi.cn A 91.212.107.103
kevsopi.cn A 91.212.107.103
bysivak.cn A 91.212.107.103
cecxoyk.cn A 91.212.107.103
dyqkuam.cn A 91.212.107.103
ducyqan.cn A 91.212.107.103
cigzaon.cn A 91.212.107.103
duzebyn.cn A 91.212.107.103
etyawjo.cn A 91.212.107.103
erauso.cn A 91.212.107.103
kiluxso.cn A 91.212.107.103
etuacwo.cn A 91.212.107.103
kipuxo.cn A 91.212.107.103
etuexyp.cn A 91.212.107.103
byxzeq.cn A 91.212.107.103
etywuq.cn A 91.212.107.103
ebejar.cn A 91.212.107.103
ebiuhas.cn A 91.212.107.103
dozabes.cn A 91.212.107.103
kijxayt.cn A 91.212.107.103
edoeqnu.cn A 91.212.107.103
evaopsu.cn A 91.212.107.103
ebaetu.cn A 91.212.107.103
dytrevu.cn A 91.212.107.103
eboezu.cn A 91.212.107.103
eqadozu.cn A 91.212.107.103
eruqav.cn A 91.212.107.103
edociv.cn A 91.212.107.103
epuneyv.cn A 91.212.107.103
etykauw.cn A 91.212.107.103
ebeoxuw.cn A 91.212.107.103
dotqyuw.cn A 91.212.107.103
kiwraux.cn A 91.212.107.103
evaolux.cn A 91.212.107.103
duvegy.cn A 91.212.107.103
cafropy.cn A 91.212.107.103
etyupy.cn A 91.212.107.103
cakevy.cn A 91.212.107.103
duxsoez.cn A 91.212.107.103
epuvyiz.cn A 91.212.107.103
sigeia.info A 91.212.107.103
hilloa.info A 91.212.107.103
bedaub.info A 91.212.107.103
girded.info A 91.212.107.103
mobled.info A 91.212.107.103
midid.info A 91.212.107.103
bedrid.info A 91.212.107.103
qward.info A 91.212.107.103
volsce.info A 91.212.107.103
spinge.info A 91.212.107.103
gicke.info A 91.212.107.103
eratile.info A 91.212.107.103
bettre.info A 91.212.107.103
bagse.info A 91.212.107.103
pante.info A 91.212.107.103
cuique.info A 91.212.107.103
obsque.info A 91.212.107.103
nroof.info A 91.212.107.103
squach.info A 91.212.107.103
daphni.info A 91.212.107.103
dislik.info A 91.212.107.103
lequel.info A 91.212.107.103
topful.info A 91.212.107.103
http://www.topful.info A 91.212.107.103
birnam.info A 91.212.107.103
goterm.info A 91.212.107.103
octian.info A 91.212.107.103
vipren.info A 91.212.107.103
swoln.info A 91.212.107.103
veldun.info A 91.212.107.103
pasio.info A 91.212.107.103
asbro.info A 91.212.107.103
rogero.info A 91.212.107.103
fedar.info A 91.212.107.103
xonker.info A 91.212.107.103
cheir.info A 91.212.107.103
implor.info A 91.212.107.103
brawns.info A 91.212.107.103
evyns.info A 91.212.107.103
taulus.info A 91.212.107.103
dolet.info A 91.212.107.103
nnight.info A 91.212.107.103
fliht.info A 91.212.107.103
atquit.info A 91.212.107.103
lavolt.info A 91.212.107.103
moont.info A 91.212.107.103
afront.info A 91.212.107.103
wincot.info A 91.212.107.103
engirt.info A 91.212.107.103
besort.info A 91.212.107.103
monast.info A 91.212.107.103
odest.info A 91.212.107.103
lowatt.info A 91.212.107.103
bettev.info A 91.212.107.103
orifex.info A 91.212.107.103
pplay.info A 91.212.107.103
washy.info A 91.212.107.103
brisky.info A 91.212.107.103
realfly.info A 91.212.107.103
meanly.info A 91.212.107.103
ignomy.info A 91.212.107.103
freiny.info A 91.212.107.103
sundery.info A 91.212.107.103
strawy.info A 91.212.107.103
suivez.info A 91.212.107.103
Code:
1257848198.314 393 192.168.1.26 TCP_MISS/200 2916 GET http://moeedeu.awardspace.co.uk/ - DIRECT/82.197.131.52 text/html
1257848198.598 193 192.168.1.26 TCP_MISS/302 373 GET http://onlyfind.net/in.cgi?3&group=181&parameter=mandalay+bay+resort+and+convention+center - DIRECT/78.159.102.99 text/html
1257848199.156 557 192.168.1.26 TCP_MISS/302 542 GET http://gorefscan.com/?uid=12401 - DIRECT/93.174.95.191 text/html
1257848199.844 684 192.168.1.26 TCP_MISS/200 1932 GET http://eviyqdu.cn/?uid=12401 - DIRECT/93.174.95.192 text/html
1257848201.933 111 192.168.1.26 TCP_MISS/200 10283 GET http://eviyqdu.cn/22/?uid=12401 - DIRECT/93.174.95.192 text/html
1257848202.157 112 192.168.1.26 TCP_MISS/200 689 GET http://inb4ck.com/cki.php?uid=12401 - DIRECT/93.174.95.192 text/html
1257848203.225 0 192.168.1.26 TCP_MISS/000 0 GET http://eviyqdu.cn/reports/visit-report.php?from=/22/&uid=12401 - DIRECT/eviyqdu.cn -
1257848203.225 0 192.168.1.26 TCP_MISS/000 0 GET http://eviyqdu.cn/reports/visit-report.php?from=/22/&uid=12401 - DIRECT/eviyqdu.cn -
1257848203.400 173 192.168.1.26 TCP_MISS/200 522 GET http://eviyqdu.cn/reports/visit-report.php?from=/22/&uid=12401 - DIRECT/93.174.95.192 text/html
Code:
1257848295.296 0 192.168.1.26 TCP_MISS/000 0 GET http://216.240.130.168/9541654.html - DIRECT/216.240.130.168 -
1257848295.914 509 192.168.1.26 TCP_MISS/200 1144 GET http://wellnesslabs.com.mx/ - DIRECT/216.81.71.64 text/html
1257848296.410 497 192.168.1.26 TCP_MISS/200 1120 GET http://216.240.130.168/9541654.html - DIRECT/216.240.130.168 text/html
1257848296.978 396 192.168.1.26 TCP_MISS/302 295 GET http://goscanjest.com/?uid=12502 - DIRECT/91.212.107.103 text/html
1257848297.511 359 192.168.1.26 TCP_MISS/200 2022 GET http://duxsoez.cn/?uid=12502 - DIRECT/91.212.107.103 text/html
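Added example (my own script, not part of the original post or of any tool mentioned in it): a small Python checker that reads Squid access.log lines in the native format shown throughout this thread and flags what the captures above make visible: the 302 hop from the traffic-distribution domain to the fake-scan landing page (the "/?uid=..." and "/22/?uid=..." requests), executable downloads served as application/x-msdownload or application/octet-stream, and any request to a domain or hosting IP from the list that resolved to 91.212.107.103. The sample lines are taken from this thread plus one constructed benign line (www.example.org); the domain and IP sets are a hand-picked subset of the DNS list above and would be replaced by the full list in practice.

```python
"""Flag rogue-AV ("Internet Antivirus Pro") activity in Squid access.log lines.

Squid native log fields, whitespace separated:
  timestamp elapsed client code/status bytes method URL rfc931 hierarchy/peer content-type
Added example; log lines are copied from the forum thread, the last one is constructed.
"""
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_LOG = """\
1257848198.598 193 192.168.1.26 TCP_MISS/302 373 GET http://onlyfind.net/in.cgi?3&group=181&parameter=mandalay+bay - DIRECT/78.159.102.99 text/html
1257848199.156 557 192.168.1.26 TCP_MISS/302 542 GET http://gorefscan.com/?uid=12401 - DIRECT/93.174.95.191 text/html
1257848199.844 684 192.168.1.26 TCP_MISS/200 1932 GET http://eviyqdu.cn/?uid=12401 - DIRECT/93.174.95.192 text/html
1257848201.933 111 192.168.1.26 TCP_MISS/200 10283 GET http://eviyqdu.cn/22/?uid=12401 - DIRECT/93.174.95.192 text/html
1243346574.859 734 192.168.1.200 TCP_MISS/206 29085 GET http://in4tk.com/download/file.exe - DIRECT/209.44.126.102 application/x-msdownload
1257848296.978 396 192.168.1.26 TCP_MISS/302 295 GET http://goscanjest.com/?uid=12502 - DIRECT/91.212.107.103 text/html
1257848297.511 359 192.168.1.26 TCP_MISS/200 2022 GET http://duxsoez.cn/?uid=12502 - DIRECT/91.212.107.103 text/html
1229700763.951 617 192.168.1.25 TCP_MISS/200 10285 GET http://www.example.org/ - DIRECT/203.0.113.10 text/html
"""

# Subset of the infrastructure listed in the thread (assumption: a real deployment
# would load the whole DNS list / blocklist from a file instead).
KNOWN_ROGUE_IPS = {"91.212.107.103"}
KNOWN_ROGUE_DOMAINS = {"goscanjest.com", "duxsoez.cn", "gorefscan.com", "in4tk.com"}

EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}


def parse_line(line):
    """Split one native-format Squid line into the fields we care about."""
    f = line.split()
    if len(f) < 10:
        return None
    _, _, status = f[3].partition("/")          # "TCP_MISS/302" -> "302"
    peer = f[8].split("/", 1)[1] if "/" in f[8] else ""  # "DIRECT/1.2.3.4" -> "1.2.3.4"
    u = urlparse(f[6])
    return {"ts": float(f[0]), "client": f[2], "status": int(status), "url": f[6],
            "host": u.hostname or "", "path": u.path, "query": u.query,
            "peer": peer, "ctype": f[9]}


def classify(rec):
    """Return the list of reasons a request looks like rogue-AV activity."""
    reasons = []
    if rec["host"] in KNOWN_ROGUE_DOMAINS or rec["peer"] in KNOWN_ROGUE_IPS:
        reasons.append("known-rogue-infra")
    # Fake-scan landing pages in the captures: "/?uid=NNNN" then "/22/?uid=NNNN".
    if rec["path"] in ("/", "/22/") and rec["query"].startswith("uid="):
        reasons.append("fake-scan-landing")
    # Binaries pushed after the scare page (file.exe, InternetAntivirusPro.exe, install.php).
    if rec["ctype"] in EXE_TYPES and rec["path"].lower().endswith((".exe", "install.php")):
        reasons.append("exe-download")
    return reasons


def redirect_chains(records, window=5.0):
    """Pair each 302 with the same client's next request to a different host
    within `window` seconds: the TDS -> landing-page hop seen in the captures."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    chains = []
    for recs in by_client.values():
        recs.sort(key=lambda r: r["ts"])
        for a, b in zip(recs, recs[1:]):
            if a["status"] == 302 and b["host"] != a["host"] and 0 <= b["ts"] - a["ts"] <= window:
                chains.append((a["host"], b["host"]))
    return chains


def scan(text):
    """Parse a log excerpt; return (records, {url: reasons})."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    findings = {r["url"]: classify(r) for r in records}
    return records, findings


if __name__ == "__main__":
    recs, found = scan(SAMPLE_LOG)
    for url, why in found.items():
        if why:
            print(f"{url}  <- {', '.join(why)}")
    for src, dst in redirect_chains(recs):
        print(f"redirect chain: {src} -> {dst}")
```

Feeding the real access.log through `scan()` and `redirect_chains()` gives, per client, the full chain from the compromised referrer site through the TDS to the landing domain, which is the view you need to decide which hosts on the LAN actually fetched the installer rather than only seeing the scare page.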