MalwareDisasters is a division of MalwareIntelligence. It documents the behavior of malicious code as observed in our tests and offers the countermeasures needed to mitigate the malicious actions in question.

8.31.2010

AntiSpy Safeguard with new social engineering approach

AntiSpy Safeguard is a new rogue that is In-the-Wild. Its spread relies on a new cover story: a deceptive video and a fake scan report styled after the services offered by VirusTotal or VirScan.

The following image shows the initial interface displayed on a system infected by this rogue.


To read the full report, see the MalwareIntelligence blog.

Related information

Litter Korean rogue lurking V
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!


8.29.2010

Litter Korean rogue lurking V

Another piece of rogue from Korea and belonging to the family of PrivacyKeep, PrivacyCorp and PCScan.

ProtectInfo

protectinfo.co.kr - 114.108.168.8 - DACOM-NET LG DACOM


The IP address also resolves the following domains:
ad-clear.com
privacycop.co.kr
privacykeep.co.kr
protectinfo.co.kr

protectinfo_home.exe (a48e62c64f68a2b32dc601efffa2973d)

update.protectinfo.co.kr/instchk.php

226
[COUNTER]
NUM=6

[CHECK1]
HKEY=HKLM
REGPATH=............
REGNAME=DisplayName
REGVALUE=............

[CHECK2]
HKEY=HKLM
REGPATH=PrivacyCheck
REGNAME=DisplayName
REGVALUE=.......... ....

[CHECK3]
HKEY=HKLM
REGPATH=............
REGNAME=DisplayName
REGVALUE=............

[CHECK4]
HKEY=HKLM
REGPATH=............
REGNAME=DisplayName
REGVALUE=............

[CHECK5]
HKEY=HKLM
REGPATH=..........
REGNAME=DisplayName
REGVALUE=..........

[CHECK6]
HKEY=HKLM
REGPATH=privacykeep
REGNAME=DisplayName
REGVALUE=............

[HISTORYREG]
PATH="............"
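The instchk.php body above is an INI-like list of registry checks (a [COUNTER] section giving NUM, then [CHECK1]..[CHECKn] sections with HKEY/REGPATH/REGNAME/REGVALUE, and a [HISTORYREG] section), which the rogue uses to look for already-installed siblings of the same family by their uninstall DisplayName. The parser below is an added example, not the rogue's code nor the original post's; the sample body is constructed from the capture, with the values the capture lost left as dots. The bare hex line before the body ("226" in the capture) is the HTTP chunked-transfer chunk size and is skipped.

```python
"""Parse the instchk.php install-check format into structured registry checks."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class RegistryCheck:
    index: int
    hive: str      # HKEY, e.g. HKLM
    path: str      # REGPATH (dots where the capture lost the Korean text)
    name: str      # REGNAME, DisplayName in every captured check
    expected: str  # REGVALUE


# Constructed sample reproducing the captured body; "226" is the HTTP chunk size.
SAMPLE_RESPONSE = """226
[COUNTER]
NUM=6

[CHECK1]
HKEY=HKLM
REGPATH=............
REGNAME=DisplayName
REGVALUE=............

[CHECK2]
HKEY=HKLM
REGPATH=PrivacyCheck
REGNAME=DisplayName
REGVALUE=.......... ....

[CHECK3]
HKEY=HKLM
REGPATH=............
REGNAME=DisplayName
REGVALUE=............

[CHECK4]
HKEY=HKLM
REGPATH=............
REGNAME=DisplayName
REGVALUE=............

[CHECK5]
HKEY=HKLM
REGPATH=..........
REGNAME=DisplayName
REGVALUE=..........

[CHECK6]
HKEY=HKLM
REGPATH=privacykeep
REGNAME=DisplayName
REGVALUE=............

[HISTORYREG]
PATH="............"
"""


def parse_sections(text):
    """Return {section: {key: value}}; lines that are neither a [section]
    header nor key=value (such as the chunk-size line) are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_checks(text):
    """Return (checks, missing_indices) using the count declared in [COUNTER];
    a CHECKn section the body lacks is reported as missing, never invented."""
    sections = parse_sections(text)
    declared = int(sections.get("COUNTER", {}).get("NUM", "0"))
    checks, missing = [], []
    for i in range(1, declared + 1):
        sec = sections.get(f"CHECK{i}")
        if sec is None:
            missing.append(i)
            continue
        checks.append(RegistryCheck(i, sec.get("HKEY", ""), sec.get("REGPATH", ""),
                                    sec.get("REGNAME", ""), sec.get("REGVALUE", "")))
    return checks, missing


def recoverable_targets(checks):
    """REGPATH values that survived the capture (anything that is not just dots)."""
    return [c.path for c in checks if not re.fullmatch(r"[. ]*", c.path)]


if __name__ == "__main__":
    found, gaps = parse_checks(SAMPLE_RESPONSE)
    for c in found:
        print(f"CHECK{c.index}: {c.hive}\\...\\{c.path} [{c.name}] == {c.expected!r}")
    print("sibling products still readable:", recoverable_targets(found), "missing:", gaps)
```

Run against the capture it shows that every check targets HKLM and the DisplayName value, and that only PrivacyCheck and privacykeep survive as readable sibling names; a truncated response is reported with the missing check indices rather than silently shortened.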


protectinfo.co.kr/app_linkage/app_install.php?addr=000C29CA888C&ptn=infocode0067
protectinfo.co.kr/app_linkage/app_setting.php?mac=00-0C-29-CA-88-8C

3d
payed=0
pw_usr=
pw_sup=1470
hp1=
hp2=
hp3=
small=300
big=300


log.adsence.co.kr/logexp.php?aid=protectinfo&pid=infocode0067&kind=inst
file.protectinfo.co.kr/update.php

protectinfo.exe=0.325
pnfoupdater.exe=0.113
pnfohk.dll=0.110
pnfouninst.exe=0.1
pnfowcher.exe=0.116
pnfopopd.dll=0.1


protectinfo.co.kr/app_linkage/app_boot.php?ver=.0.398
protectinfo.co.kr/popup_settle.html?addr=00-0C-29-CA-88-8C
protectinfo.co.kr/settlement/paysys/mobile/Deliver.php
protectinfo.co.kr/settlement/paysys/pbill/Deliver.php
protectinfo.co.kr/settlement/paysys/ars/Deliver.php



Countermeasures

Uninstall from Program Files.
Run an updated antivirus.

Related information



Litter Korean rogue lurking IV
Litter Korean rogue lurking III
Litter Korean rogue lurking II
Litter Korean rogue lurking I
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!

Jorge Mieres 


8.22.2010

Litter Korean rogue lurking IV

Fourth part of the "litter" of Korean rogues that has been lurking in recent days looking for potential victims in Korea. Sometimes a spreading rogue offers an option to change the language so that its infection coverage is much wider; in this case, however, the rogue is aimed at a specific population.

PrivacyCorp
privacycop.co.kr - 114.108.168.8 - DACOM-NET LG DACOM


The IP also resolves the following domains:
ad-clear.com
info-dr.com

privacycop_setup.exe (8362c089bc4f7932dc885e23044cb2f6)
privacy_mediccop.exe (46f2a84d7217a5ca56208ea0b13c6f52)

The rogue is part of a criminal circuit of affiliate systems whose operators pay a percentage of money for each installation of the threat they spread. This case is no exception: the rogue reports a successful installation immediately after infection.

privacycop.co.kr/app_linkage/app_install.php?addr=000C29CA888C&ptn=home
log.adsence.co.kr/logexp.php?aid=privacycop&pid=home&kind=inst
privacycop.co.kr/app_linkage/app_setting.php?mac=00-0C-29-CA-88-8C
3e
payed=0
pw_usr=
pw_sup=1470
hp1=
hp2=
hp3=
small=300
big=3660

file.privacycop.co.kr/update.php
6d
privacycop.exe=0.328
pvcupdater.exe=0.112
pvchk.dll=0.1
pvcuninst.exe=0.1
pvcwcher.exe=0.112
pvcpopd.dll=0.1

privacycop.co.kr/app_linkage/app_boot.php?ver=.0.4.5.3
privacycop.co.kr/popup_settle.html?addr=00-0C-29-CA-88-8C


Countermeasures
Terminate the processes called privacycop.exe and pvcwcher.exe. You can use Process Explorer to view and terminate processes.

Uninstall from Program Files.
Run an updated antivirus.

Related information

Litter Korean rogue lurking III
Litter Korean rogue lurking II
Litter Korean rogue lurking I
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!


Litter Korean rogue lurking III

PCScan is another of the Korean rogues that have appeared in recent days, in addition to the two shown previously.

pcscan.kr - 114.108.129.233 - DACOM-NET LG DACOM

The IP also resolves the following domains:
eroza.net
master.to84.net
to84.net
www.tvbaro.net

Setup.exe (a85900759318ea66dc94ba789aae2cfe)
PCScan.exe (665b846b82d959843744d9d3a7b39bdc)
PCScanMon.exe (01cdb8f8955a4df6eebb1aca04d6a43c)
Uninstall.exe (76cd1340bded9d96050df30999f6274d)

The uninstaller file (Uninstall.exe) simulates the uninstaller of the supposed antivirus program; however, it has no effect because it is fake.

It queries the following pages:
pcscan.kr/request/module_setup.php?p=PCScan&a=type1
pcscan.kr/request/License.txt
pcscan.kr/down/install.exe
down.elineguide.com/down/install.exe

pcscan.kr/down/files.php?strMode=setup&strID=PCScan&arg=type1&strSite=&strPC=000c29ca888c
pcscan.kr/down/PCScan.exe
pcscan.kr/down/PCScanMon.exe
pcscan.kr/down/Uninstall.exe
pcscan.kr/down/PCScanControl.dll

pcscan.kr/value.php?strMode=setup&strID=PCScan&arg=type1&strSite=&strPC=000c29ca888c&url=
pcscan.kr/settle.php?strID=PCScan&arg=type1&strPC=000c29ca888c&strSite=pcscan.kr
pcscan.kr/bill_danal/bill_home/with_bill.php?strID=PCScan&arg=type1&strPC=000c29ca888c&strSite=pcscan.kr
pcscan.kr/consultation.php


Countermeasure

Terminate the process called PCScan.exe. You can use Process Explorer to view and terminate processes.

Remove PCScan folder (which houses six files) located in C:\Program Files\pcscan\

Delete the pcscan key from the system registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which refers to "C:\Program Files\pcscan\pcscan.exe". You can use Autoruns to view and delete the key.

Delete the desktop shortcut.

Run an updated antivirus.

Related information

Litter Korean rogue lurking II
Litter Korean rogue lurking I
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!


8.21.2010

Litter Korean rogue lurking II

This is another rogue belonging to the litter that is currently lurking. Its name is PC Boan Plus.
pcboanplus.com - 222.122.84.56 - KORNET KOREA TELECOM

Domains that resolve to the same IP:
postmaster.8282tv.co.kr
pspd.org

PcBoanPlus2SetupH.exe (0ab2cc07373a4b88a0084f12ae63f54f)



This rogue reports to a Pay-per-Install affiliate system whose domain resolves to an IP address belonging to the ISP "KRNIC".

211.33.123.40/pcboanplus/install.php?mac=000C29CA888C&partner=PcBoanPlus&ver=

file.pcboanPlus.com/app/updater/PcBoanPlus2Up.exe
file.pcboanplus.com/app/Client/PcBoanplus2.exe
pcboanplus.com/app/badinfo.php?Vn=2005010100&Kind=comp

s223.pc-korea.net/badlist/2010080700_badfile.dat
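The install-report beacons captured on this page (app_install.php?addr=<MAC>&ptn=<partner> for PrivacyCop, install.php?mac=<MAC>&partner=PcBoanPlus for PC Boan Plus, and logexp.php?...&kind=inst on log.adsence.co.kr) all carry the infected machine's MAC address and a partner id, which is what the affiliate system needs to credit the installation. The detector below is an added example, not code from the original posts: it flags such beacons in a proxy log. The log format (timestamp, client IP, method, URL) and the log lines are constructed for the example; the hosts and URL shapes come from the captures above.

```python
"""Flag Pay-per-Install install-report beacons in constructed proxy log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts seen receiving install reports in the captures on this page.
PPI_HOSTS = {"log.adsence.co.kr", "privacycop.co.kr", "protectinfo.co.kr", "211.33.123.40"}

# Path suffixes of the install-report requests captured on this page.
INSTALL_PATHS = ("/app_linkage/app_install.php", "/pcboanplus/install.php", "/logexp.php")

# MAC as 12 bare hex digits (addr=000C29CA888C) or dash/colon separated (00-0C-29-CA-88-8C).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{12}|(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})$")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")  # constructed log format

# Constructed log lines; URLs are the ones captured above plus two benign controls.
SAMPLE_LOG = """\
2010-08-22T10:15:01 10.0.0.7 GET http://privacycop.co.kr/app_linkage/app_install.php?addr=000C29CA888C&ptn=home
2010-08-22T10:15:02 10.0.0.7 GET http://log.adsence.co.kr/logexp.php?aid=privacycop&pid=home&kind=inst
2010-08-22T10:15:03 10.0.0.7 GET http://privacycop.co.kr/app_linkage/app_setting.php?mac=00-0C-29-CA-88-8C
2010-08-21T09:02:11 10.0.0.9 GET http://211.33.123.40/pcboanplus/install.php?mac=000C29CA888C&partner=PcBoanPlus&ver=
2010-08-22T10:20:00 10.0.0.7 GET http://www.example.com/index.php?kind=inst
"""


def normalize_mac(value):
    """Render either captured MAC spelling as lower-case colon-separated."""
    digits = re.sub(r"[-:]", "", value).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_beacon(url):
    """Return a record if the URL looks like an install report, else None.

    A report is an install path carrying a MAC-shaped parameter (addr/mac)
    or the explicit kind=inst marker; the config fetch app_setting.php is
    deliberately not matched even though it carries the MAC.
    """
    parts = urlsplit(url)
    if not parts.path.endswith(INSTALL_PATHS):
        return None
    qs = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    mac = next((qs[k] for k in ("addr", "mac") if k in qs and MAC_RE.match(qs[k])), None)
    partner = next((qs[k] for k in ("ptn", "partner", "pid") if k in qs), None)
    if mac is None and qs.get("kind") != "inst":
        return None
    return {"host": parts.hostname, "path": parts.path,
            "mac": normalize_mac(mac) if mac else None, "partner": partner,
            "known_host": parts.hostname in PPI_HOSTS}


def scan_log(text):
    """Apply classify_beacon to every parseable line; return the hits in order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        beacon = classify_beacon(url)
        if beacon:
            hits.append({"time": ts, "client": client, **beacon})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['time']} {h['client']} -> {h['host']}{h['path']} mac={h['mac']} partner={h['partner']}")
```

Three of the five constructed lines are flagged: the two PrivacyCop reports and the PC Boan Plus one; the app_setting.php fetch and the unrelated example.com request are not. Because the MAC is normalized, the same victim is recognizable across both spellings the rogues use, which helps tie the install report to the later popup_settle.html and Deliver.php billing requests from the same machine.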



Countermeasure

Uninstall from Program Files.
Run an updated antivirus.


Related information

Litter Korean rogue lurking I
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!
Pirated Edition. Affiliate program Pay-per-Install
Pay-per-Install through VIVA INSTALLS / HAPPY INSTALLS in BKCNET “SIA” IZZI 


Litter Korean rogue lurking I

Language is no barrier for the developers of malicious code, and the objectives of the criminals reach far beyond any border. Although the largest flow of variants is usually in English and, to a lesser extent, Russian, every now and then the guns are aimed at specific audiences, as in this case: a Korean rogue.

MegaVaccine
megavaccine.com - 218.146.255.151 - KORNET KOREA TELECOM

The IP also resolves the following domains:
goodprivacy.co.kr
megavaccine.com
pc-privacy.co.kr
pc-up.co.kr
pcsweeper.co.kr
pctool.co.kr
privacyboan.com
privacyq.com
rprotect.co.kr
uprivacy.net
wowprotect.co.kr

megavaccine_setup.exe (2234041b04e072aa7585209fa66e8550)

down.megavaccine.com/autoupdate/MegaVaccine/MVaccine.exe
down.megavaccine.com/Update_db/addb.dat
down.megavaccine.com/Update_db/adsub.dat
down.megavaccine.com/Update_db/adtc.dat
down.megavaccine.com/Update_db/avmon.dat
down.megavaccine.com/Update_db/inter.dll
down.megavaccine.com/Update_db/pwdb.dat
down.megavaccine.com/Update_db/vsdb.dat
down.megavaccine.com/Update_info/2010081900-00-.txt
down.megavaccine.com/Update_ini/MegaVaccine/autoupdate.ini
down.megavaccine.com/app/weboard.html

Countermeasure

Uninstall from Program Files.
Run an updated antivirus.


Related information
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!


8.16.2010

New Russian SMS ransomware In-the-Wild

The development of malware designed to block access to the operating system is in full expansion. Although the current generation of ransomware is very different from the first generations, which, using cryptovirology, literally kidnapped user files by encrypting them and demanded financial compensation in exchange for the release key, the concept and the goal have not changed.

In this case, it is a new variant of SMS ransomware that blocks access to the operating system and shows a screen with an alleged security report referring to an infection by a variant of the trojan that recruits zombies for ZeuS botnets, which is in fact false.


The brief report is in Russian, from which it follows that the targets of the malware are users of that country. However, the spread of the threat has no boundaries and no language limitations.

According to the text, to get an unlock key it is necessary to send an SMS to 4161 with the message 2AV112239. This alphanumeric string is not the only one that can be shown, since the malware has a list from which one is displayed at random. The list consists of the following strings:

2AV166522, 2AV288764, 2AV222419, 2AV288888, 2AV266555, 2AV119999, 2AV121436, 2AV178477, 2AV166522, 2AV111199, 2AV187211, 2AV133211, 2AV111223, 2AV243562, 2AV211246, 2AV244533, 2AV277631, 2AV233884, 2AV242665, 2AV233211, 2AV288599, 2AV299884, 2AV286442, 2AV248864, 2AV222464, 2AV288434, 2AV265543, 2AV211278, 2AV299977, 2AV165431, 2AV131313, 2AV132218, 2AV155543, 2AV166666, 2AV186443, 2AV155422, 2AV198775, 2AV144366, 2AV199797, 2AV197797, 2AV177979, 2AV166321, 2AV111229, 2AV155322, 2AV187532, 2AV112239, 2AV164554, 2AV134274, 2AV153221, 2AV311111, 2AV311112, 2AV311113, 2AV311114, 2AV311115, 2AV311116, 2AV311117, 2AV311118, 2AV311119, 2AV311120, 2AV311121, 2AV311123, 2AV311124, 2AV311125, 2AV311126, 2AV311127, 2AV311128, 2AV311129, 2AV311130, 2AV311131, 2AV311132, 2AV311133, 2AV311134, 2AV311135, 2AV311136, 2AV311137, 2AV311138, 2AV311139, 2AV311140, 2AV311141, 2AV311142, 2AV311143, 2AV311144, 2AV311145, 2AV311146, 2AV311147, 2AV311148, 2AV311149, 2AV311150, 2AV311151, 2AV311152, 2AV311153, 2AV311154, 2AV311155, 2AV311156, 2AV311157, 2AV311158, 2AV311159, 2AV311160, 2AV311161, 2AV311162, 2AV311163, 2AV311164, 2AV311165, 2AV311166, 2AV311167, 2AV311168, 2AV311169, 2AV311170, 2AV311171, 2AV311172, 2AV311173, 2AV311174, 2AV311175, 2AV311176, 2AV311177, 2AV311178, 2AV311179

The malware disables access to the system in Safe Mode and blocks access to the following programs:
  • TASKMGR.EXE
  • REGEDT32.EXE
  • MSCONFIG.EXE
  • EXPLORER.EXE
  • TEXPL.EXE
  • ANVIR.EXE
Countermeasure
Unlock using the following key:
  • Environ
Click the first button and press the Enter key.
Restart the system.
Delete the ctfmon.exe registry key.


Run an updated antivirus.

Related information
New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites  II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild


8.11.2010

PC Defender Antivirus rogue update system registry

The criminals behind the development of the PC Defender Antivirus rogue have, in the last few hours, updated the registration system of the fake application.

Registration in the first version consisted of sending an SMS to a premium-rate telephone number located in Russia, while this new version requests a serial number (supposedly hardware-locked) that is used to generate part of an activation key.

It also adds a button (Buy) that redirects to a form hosted on Plimus, and the malware has been translated into English. The first version was only in Russian.

This makes it quite evident that behind the spread of these threats lies an organization devoted to developing malware for an underground economy that is increasingly fed by fraudulent methods.


Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus

Pay-per-Install is one of the business models by which an affiliate system provides a set of "clients" with one or more malicious codes, paying each of them a percentage of money as commission for every successful installation of the malicious application.

Phoenix Exploit's Kit is a crimeware through which intelligence is gathered by collecting statistical information on each of the infected computers. It is accessed through a control panel over the HTTP protocol, as seen in the screenshot.

PC Defender Antivirus is a rogue of Russian origin that is being spread through Phoenix Exploit's Kit, reporting at the same time to an affiliate system that records the installation of each downloaded copy.

In addition to feeding the criminal circuit's fraudulent business through Pay-per-Install, the rogue follows the usual business pattern whereby the fraudulent application is meant to be purchased, also via the web, through a form that collects confidential credit card information and stores it somewhere. The cost of the rogue is USD 59.95.

Phoenix Exploit's Kit spreads a trojan downloader called exe.exe (in this case MD5 e49be7ef82250a36cf7410004ac3d69c) which then establishes a connection to fordkaksosat.info (193.105.207.45 - AS50793 "ALFAHOSTNET"), from which it downloads and executes the rogue (PCDefenderSilentSetup.msi - ecff63c1f983858dfd7fb926738cb478).

At this point the rogue reports to the affiliate system, submitting the successful-installation information through the count_installs.php file, and begins a fake malware scan that issues false alerts about alleged infections and connection attempts. This activity is usual in this type of malware.


The unlock system for the alleged security application is similar to that used by some ransomware families, through the business model of sending an SMS text message to a specific type of phone number.

In this case, the information should be sent to the number 5711000002209 with the message 6681.


The threat has a timer that generates a fake Blue Screen of Death (BSoD) urging the user to register the program, exerting fear (psychological warfare) on the user, who after reading this information might decide to register/buy what they believe is a real antivirus solution.


Countermeasures
Terminate the processes called prockill32.exe, proccheck.exe and rundelay.exe. You can use Process Explorer to view and terminate processes.

Remove PC Defender folder (which houses six files) located in C:\Program Files\Def Group\

Delete the PC Defender key from the system registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which refers to c:\program files\def group\PC Defender\pcdef.exe. You can use Autoruns to view and delete the key.
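The countermeasures for PC Defender above and for PCScan earlier on this page follow the same pattern: a Run value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pointing at the rogue's executable, an install folder under Program Files, and a handful of named processes. The script below is an added example (not from the original posts) that reports those three kinds of leftover for both families so they can be removed with Autoruns and Process Explorer as the posts advise; it deletes nothing. The matching logic is kept in pure functions so it can be exercised against a constructed Run-key snapshot on any OS; the live read uses winreg and tasklist and only runs on Windows. The value names in the constructed snapshot are assumptions.

```python
"""Report Run-key values, folders and processes left by the PCScan and PC Defender rogues."""
import csv
import os
import subprocess
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Image paths the posts give for each rogue's Run value (compared case-insensitively).
RUN_IMAGE_INDICATORS = {
    "PCScan": r"c:\program files\pcscan\pcscan.exe",
    "PC Defender": r"c:\program files\def group\pc defender\pcdef.exe",
}
# Install folders the posts say to remove.
FOLDER_INDICATORS = {
    "PCScan": r"C:\Program Files\pcscan",
    "PC Defender": r"C:\Program Files\Def Group",
}
# Processes the posts say to terminate.
PROCESS_INDICATORS = {
    "PCScan": {"pcscan.exe"},
    "PC Defender": {"prockill32.exe", "proccheck.exe", "rundelay.exe"},
}


def find_rogue_run_values(run_values):
    """run_values: {value_name: command} as stored in the Run key.
    Returns [(family, value_name, command)] for commands pointing at a rogue image;
    surrounding quotes and letter case are ignored so either spelling on the page matches."""
    hits = []
    for name, command in run_values.items():
        norm = command.strip().strip('"').lower()
        for family, image in RUN_IMAGE_INDICATORS.items():
            if image in norm:
                hits.append((family, name, command))
    return hits


def find_rogue_processes(process_names):
    """Return {family: [matching process names]} for the names given (case-insensitive)."""
    names = {p.lower() for p in process_names}
    return {family: sorted(names & procs)
            for family, procs in PROCESS_INDICATORS.items() if names & procs}


def existing_rogue_folders():
    """Return [(family, path)] for install folders present on this machine."""
    return [(f, p) for f, p in FOLDER_INDICATORS.items() if os.path.isdir(p)]


def read_run_key():
    """Enumerate HKLM\\...\\CurrentVersion\\Run into {value_name: command} (Windows only)."""
    import winreg  # only importable on Windows
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = str(data)
            i += 1
    return values


def running_process_names():
    """Image names from `tasklist /FO CSV /NH` (first CSV column)."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False).stdout
    return [row[0] for row in csv.reader(out.splitlines()) if row]


def main():
    if sys.platform != "win32":
        print("Live check needs Windows; the matching functions can be tested anywhere.")
        return
    for family, name, cmd in find_rogue_run_values(read_run_key()):
        print(f"[{family}] Run value {name!r} -> {cmd}  (remove with Autoruns)")
    for family, path in existing_rogue_folders():
        print(f"[{family}] install folder present: {path}")
    for family, procs in find_rogue_processes(running_process_names()).items():
        print(f"[{family}] running: {', '.join(procs)}  (terminate with Process Explorer)")


if __name__ == "__main__":
    main()
```

Reporting rather than deleting keeps the script safe to run on a machine whose state is not yet understood; once the findings match the posts, the Autoruns and Process Explorer steps above complete the cleanup.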

Related Information
New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites  II
New variant of ransomware through porn sites
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
Desktop Hijack by Internet Security 2010. Your System Is Infected!
LockScreen. Your computer is infected by Spyware!!!
