Advanced Defender

Malekal_morte
Posts: 114088
Joined: 10 Sep 2005 13:57

Advanced Defender

by Malekal_morte »

Advanced Defender is a rogue (fake anti-spyware) that installs itself without permission. The malware displays fake alerts telling you that you are infected with spyware and recommends buying this fake anti-spyware to supposedly disinfect your computer.


First basic rule of security: think, then click, not the other way round. Files and programs are like sweets: when they come from a stranger, you don't accept them!
How to protect your PC from viruses
Windows 11: compatibility, minimum system requirements, download the ISO and install Windows 11

How to ask for help on the forum
Share malekal.com: feel free to share the articles you like on the site's Facebook page.

Re: Advanced Defender

by Malekal_morte »

The rogue may display the following fake detections:
C:\WINDOWS\inf\1394vdbg.inf|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
c:\WINDOWS\inf\axant5.inf|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\inf\1394.inf|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\inf\1394vdbg.inf|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
c:\WINDOWS\inf\axant5.inf|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\system\VER.DLL|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\inf\1394.inf|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\ehome\custsat.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\AppPatch\sysmain.sdb|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\Driver Cache\i386\portcls.sys|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\updspapi.dll|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\twain_32\wiatwain.ds|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\Microsoft.NET\Framework\sbs_iehost.dll|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\Microsoft.NET\Framework\SharedReg12.dll|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\srchasst\msgr3en.dll|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\explorer.exe|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\TASKMAN.exe|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\srchasst\srchctls.dll|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\PeerNet\sqlqp20.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\PeerNet\sqldb20.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\PeerNet\sqlse20.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\security\Database\secedit.dll|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\system32\chkntfs.exe|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\system32\csrss.exe|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\system32\dxdiag.exe|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\system32\iernonce.dll|Email-Worm.Win32.Eyeveg.g|This worm spreads via the Internet as an attachment to infected emails|3|Malware|0
C:\WINDOWS\system32\jobexec.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\system32\mfc40.dll|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\system32\msdtc.exe|Backdoor.Netbus|This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (a.k.a. Back Orifice) Trojan|2|backdoor|0
C:\WINDOWS\system32\ntmsevt.dll|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
C:\WINDOWS\system32\runas.exe|Trojan-Clicker.BAT.Small.c|This Trojan opens web sites without the knowledge or consent of the user|2|Internet virus|0
C:\WINDOWS\system32\wpabaln.exe|Trojan-Spy.HTML.Combats.a|This Trojan is designed to steal confidential data|2|Spyware program|0
And these fake alerts:
Your virus protection is currently disabled, that's why your PC is unprotected and exposed to many kinds of viruses. Let Advanced Defender help you. Enable protection immediately.
Your PC isn't being protected from spyware, so that unwanted application can steal your private data. Let Advanced Defender help you. Enable protection immediately.
Your malware protection software is currently turned off, so that unwanted applications can turn your PC into adware center. Let Advanced Defender help you. Enable protection immediately.
Your web-surfing is now in unprotected mode, so you cannot browse the Web safely. Save your PC from unwanted threats. Let Advanced Defender help you. Enable protection immediately.
General protection of your PC is switched off or absent, so you are exposed to different kinds of threats - viruses, adware, spyware. Let Advanced Defender help you. Enable your protection immediately.

And finally, it blocks the execution of programs (including antivirus software and disinfection fixes) with this message:

xxxxxx.exe is infected with worm Lsas.Blaster.Keyloger.
This worm is trying to send your credit card details using
to connect to remote host.
Advanced Defender Warning
Renaming the file to advanceddefender.exe allows it to run.

Detection of the dropper:
File hereLayoutTheory.exe received on 2010.02.14 11:30:49 (UTC)
Result: 7/41 (17.08%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.14 -
AhnLab-V3 5.0.0.2 2010.02.14 -
AntiVir 7.9.1.160 2010.02.12 -
Antiy-AVL 2.0.3.7 2010.02.14 -
Authentium 5.2.0.5 2010.02.13 -
Avast 4.8.1351.0 2010.02.13 -
AVG 9.0.0.730 2010.02.14 SHeur2.CLNI
BitDefender 7.2 2010.02.14 -
CAT-QuickHeal 10.00 2010.02.13 -
ClamAV 0.96.0.0-git 2010.02.13 -
Comodo 3932 2010.02.14 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 5.0.1.12222 2010.02.14 -
eSafe 7.0.17.0 2010.02.11 -
eTrust-Vet 35.2.7300 2010.02.12 -
F-Prot 4.5.1.85 2010.02.13 -
F-Secure 9.0.15370.0 2010.02.13 -
Fortinet 4.0.14.0 2010.02.14 -
GData 19 2010.02.14 -
Ikarus T3.1.1.80.0 2010.02.14 -
Jiangmin 13.0.900 2010.02.14 -
K7AntiVirus 7.10.972 2010.02.12 -
Kaspersky 7.0.0.125 2010.02.14 Trojan.Win32.FraudPack.aliq
McAfee 5891 2010.02.13 -
McAfee+Artemis 5891 2010.02.13 Artemis!F1FB04ED2C89
McAfee-GW-Edition 6.8.5 2010.02.14 -
Microsoft 1.5406 2010.02.14 -
NOD32 4864 2010.02.13 -
Norman 6.04.08 2010.02.14 -
nProtect 2009.1.8.0 2010.02.14 -
Panda 10.0.2.2 2010.02.13 -
PCTools 7.0.3.5 2010.02.14 -
Prevx 3.0 2010.02.14 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.14 Mal/TDSSPack-Q
Sunbelt 5676 2010.02.13 -
Symantec 20091.2.0.41 2010.02.14 Suspicious.Insight
TheHacker 6.5.1.4.193 2010.02.14 -
TrendMicro 9.120.0.1004 2010.02.14 Cryp_Xed-22
VBA32 3.12.12.2 2010.02.14 -
ViRobot 2010.2.13.2186 2010.02.13 -
VirusBuster 5.0.21.0 2010.02.13 -
Additional information
File size: 1232901 bytes
MD5: f1fb04ed2c89d81fbd8c8d4a1247f27a
SHA1: 38d0e6a193f210adbd6f10322ef07dfc48d3d8e1

Re: Advanced Defender

by Malekal_morte »

Another URL distributing the rogue:


1266233341.035   1022 192.168.1.63 TCP_MISS/200 27785 GET http://slinkadult.biz/frm/upBeDe.pdf - DIRECT/188.124.15.230 application/pdf
1266233345.243   3227 192.168.1.63 TCP_MISS/200 1215292 GET http://slinkadult.biz/frm/download.php?expid=4&fid=1 - DIRECT/188.124.15.230 application/octet-stream
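The two proxy lines above show the infection chain in one glance: a PDF served from the host, then an application/octet-stream download from the same host four seconds later. As an added example that is not part of the original post, the following Python parses Squid native access.log lines and flags that PDF-then-binary pattern per client/host pair; the sample log embeds the two lines from the post plus two constructed benign lines, and the 60-second window is an assumed tuning value.

```python
import re
from urllib.parse import urlsplit

# Squid native access.log layout (assumed, as in the post's lines):
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_squid_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec

def find_pdf_then_binary(lines, window=60.0):
    """Flag client/host pairs where a PDF fetch is followed within `window`
    seconds by an application/octet-stream download from the same host."""
    last_pdf = {}  # (client, host) -> timestamp of the most recent PDF fetch
    hits = []
    for rec in filter(None, map(parse_squid_line, lines)):
        key = (rec["client"], rec["host"])
        if rec["ctype"] == "application/pdf":
            last_pdf[key] = rec["ts"]
        elif rec["ctype"] == "application/octet-stream" and key in last_pdf:
            delta = rec["ts"] - last_pdf[key]
            if 0 <= delta <= window:
                hits.append({"client": rec["client"], "host": rec["host"],
                             "delay_s": round(delta, 3), "url": rec["url"],
                             "bytes": rec["bytes"]})
    return hits

# Constructed sample: lines 2 and 3 are the ones quoted in the post; the
# example.org lines are benign filler (a lone PDF, a lone binary download).
SAMPLE_LOG = [
    "1266233301.100   210 192.168.1.63 TCP_MISS/200 48211 GET http://example.org/docs/manual.pdf - DIRECT/192.0.2.10 application/pdf",
    "1266233341.035   1022 192.168.1.63 TCP_MISS/200 27785 GET http://slinkadult.biz/frm/upBeDe.pdf - DIRECT/188.124.15.230 application/pdf",
    "1266233345.243   3227 192.168.1.63 TCP_MISS/200 1215292 GET http://slinkadult.biz/frm/download.php?expid=4&fid=1 - DIRECT/188.124.15.230 application/octet-stream",
    "1266233390.500   120 192.168.1.70 TCP_MISS/200 5120 GET http://example.org/update/tool.exe - DIRECT/192.0.2.10 application/octet-stream",
]

if __name__ == "__main__":
    for hit in find_pdf_then_binary(SAMPLE_LOG):
        print(hit)
```

Only the slinkadult.biz pair is reported; the benign PDF and the binary download from example.org come from different hosts and never pair up.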
File load_68_.exe received on 2010.02.15 09:15:42 (UTC)
Result: 12/41 (29.27%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.15 -
AhnLab-V3 5.0.0.2 2010.02.14 -
AntiVir 7.9.1.170 2010.02.15 -
Antiy-AVL 2.0.3.7 2010.02.15 -
Authentium 5.2.0.5 2010.02.15 -
Avast 4.8.1351.0 2010.02.14 -
AVG 9.0.0.730 2010.02.14 SHeur2.CLNI
BitDefender 7.2 2010.02.15 -
CAT-QuickHeal 10.00 2010.02.15 -
ClamAV 0.96.0.0-git 2010.02.15 -
Comodo 3942 2010.02.15 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 5.0.1.12222 2010.02.15 -
eSafe 7.0.17.0 2010.02.14 -
eTrust-Vet 35.2.7303 2010.02.15 -
F-Prot 4.5.1.85 2010.02.15 -
F-Secure 9.0.15370.0 2010.02.15 Trojan-Downloader:W32/FraudPack.ALIQ
Fortinet 4.0.14.0 2010.02.15 W32/FraudPack.ALIQ!tr
GData 19 2010.02.15 -
Ikarus T3.1.1.80.0 2010.02.15 -
Jiangmin 13.0.900 2010.02.15 -
K7AntiVirus 7.10.972 2010.02.12 -
Kaspersky 7.0.0.125 2010.02.15 Trojan.Win32.FraudPack.aliq
McAfee 5892 2010.02.14 -
McAfee+Artemis 5892 2010.02.14 Artemis!F1FB04ED2C89
McAfee-GW-Edition 6.8.5 2010.02.15 -
Microsoft 1.5406 2010.02.15 -
NOD32 4866 2010.02.14 a variant of Win32/Kryptik.BYA
Norman 6.04.08 2010.02.14 -
nProtect 2009.1.8.0 2010.02.15 -
Panda 10.0.2.2 2010.02.14 Suspicious file
PCTools 7.0.3.5 2010.02.15 -
Prevx 3.0 2010.02.15 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.15 Mal/TDSSPack-Q
Sunbelt 5678 2010.02.15 Trojan.Win32.Generic!BT
Symantec 20091.2.0.41 2010.02.15 Suspicious.Insight
TheHacker 6.5.1.4.194 2010.02.15 -
TrendMicro 9.120.0.1004 2010.02.15 Cryp_Xed-22
VBA32 3.12.12.2 2010.02.14 -
ViRobot 2010.2.13.2186 2010.02.13 -
VirusBuster 5.0.21.0 2010.02.14 -
Additional information
File size: 1232901 bytes
MD5: f1fb04ed2c89d81fbd8c8d4a1247f27a
SHA1: 38d0e6a193f210adbd6f10322ef07dfc48d3d8e1