Obviously, scareware (or rogue software), like any other malicious code, is one more addition to the arsenal of the criminal organizations behind it, which are constantly looking for economic gain, often as part of crimeware packages such as Unique Sploits Pack, which incorporates a module for spreading scareware.
In this case the scareware is MalwareRemovalBot. Although it is nothing new, it is now manifesting through different domain names hosted on the same IP address (174.132.250.194), most likely on virtual servers.
A number of domains are involved in this campaign, all pointing to that same address.
The executable file of the threat is named setupxv.exe (MD5: 08a0b7b100567eb5a1373eb4607d5b24) and has a low detection rate: only 11 of 39 antivirus engines detect it :(
This binary is only a capsule (dropper) containing the other pieces of the malware, including executables for 32-bit and 64-bit Microsoft platforms, depending on the case. Among the files are:
- MalwareRemovalBot64.msi - 0/40 (0%) (MD5: 708149179e0f18304413edd56d16fa48)
- MalwareRemovalBot.msi - 0/40 (0%) (MD5: e1a1c6175d65ab6be8d5f5cbc85a4ca6)
- MSIStart.exe - 7/40 (17.5%) (MD5: 3de82388a6e799446bada69b6a08dc9e)
- zlib.dll - 2/40 (5%) (MD5: 81ac3f43a5b07d202b5723145d3d88f9)
- TCL.dll - 5/40 (12.5%) (MD5: 2a4a0083d63d44374a64a27974eea789)
- SpyCleaner.dll - 13/40 (32.5%) (MD5: 1ca00d4ef4319c9cd454397e5659600b)
- MalwareRemovalBot.srv.exe - 3/40 (7.5%) (MD5: 852f708466a5b74556b69c536d3add7e)
- MalwareRemovalBot.exe - (MD5: 25166bb5d2629cb6dfb9ac6143b88f00)
Related Information
Continuing the important and massive scareware campaign (Spanish version)
Scareware infection campaign through a fake Windows Explorer (Spanish version)
Campaign spreading XP Antivirus Police through visual social engineering (Spanish version)
# Jorge Mieres