Wednesday, December 19, 2007

codecdvi.com

Another Fake Codec Site from ESTDOMAINS.

Do NOT download any installers from this website. Note that this program is a DNS Changer: it rewrites the DNS settings of the infected machine.

It pretends to be a browser add-on (a video codec) required for viewing porn, but is actually a Trojan horse program.
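A practical check for the DNS Changer behaviour mentioned above: the trojan replaces the DNS servers of the infected Windows machine, so comparing the resolvers each adapter actually uses against the ones your network hands out exposes the infection even when antivirus misses the installer. The script below is an added example, not code from this blog or from the malware authors; the `ipconfig /all` text and the expected-resolver set are constructed for the example, and the two unexpected addresses are documentation-range placeholders rather than the real rogue servers.

```python
"""Check Windows DNS settings for DNS-changer style tampering.

Added example, not code from the original post.  A DNS changer swaps
the DNS servers of the infected host so that every lookup goes through
attacker-controlled resolvers.  This parses the text of `ipconfig /all`
and reports DNS servers that are not in an expected set.  The expected
set and the sample output are assumptions constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the resolvers this network is supposed to hand out.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

# Constructed `ipconfig /all` output for an infected host.  The first
# adapter points at two resolvers outside the expected set; documentation
# addresses (RFC 5737) stand in for the attackers' servers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : victim-pc

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       198.51.100.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Wireless Network Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.11
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""


@dataclass
class Adapter:
    name: str
    dns_servers: List[str] = field(default_factory=list)


# "   DNS Servers . . . . : 1.2.3.4" -> first resolver in group 1
DNS_LINE = re.compile(r"\s+DNS Servers[ .]*:\s*(\S+)")


def parse_ipconfig(text: str) -> List[Adapter]:
    """Return each adapter with its DNS servers.

    ipconfig prints the first resolver on the 'DNS Servers' line and any
    further resolvers on following lines that hold only an address.
    """
    adapters: List[Adapter] = []
    in_dns = False
    for line in text.splitlines():
        if not line.strip():
            in_dns = False
            continue
        # Adapter headers are unindented and end with a colon.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            adapters.append(Adapter(line.strip()[:-1]))
            in_dns = False
            continue
        m = DNS_LINE.match(line)
        if m and adapters:
            adapters[-1].dns_servers.append(m.group(1))
            in_dns = True
            continue
        if in_dns:
            token = line.strip().split("%")[0]  # drop an IPv6 zone index
            try:
                ipaddress.ip_address(token)
            except ValueError:
                in_dns = False  # some other field: the resolver list ended
            else:
                adapters[-1].dns_servers.append(token)
    return adapters


def find_rogue_resolvers(text: str, expected=EXPECTED_RESOLVERS) -> Dict[str, List[str]]:
    """Map adapter name -> DNS servers that are not in `expected`."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    rogue: Dict[str, List[str]] = {}
    for adapter in parse_ipconfig(text):
        bad = []
        for server in adapter.dns_servers:
            try:
                ok = ipaddress.ip_address(server) in allowed
            except ValueError:
                ok = False  # unparsable entry: treat as suspect
            if not ok:
                bad.append(server)
        if bad:
            rogue[adapter.name] = bad
    return rogue


if __name__ == "__main__":
    for name, servers in find_rogue_resolvers(SAMPLE_IPCONFIG).items():
        print(f"{name}: unexpected DNS servers {servers}")
```

On a live machine, feed it the saved output of `ipconfig /all`. The same per-interface resolver list is stored in the `NameServer` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface GUID>` in the registry, so a host that shows unexpected resolvers here should also have that value inspected and reset.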
codecdvi.com
Virustotal results: 12/32 (37.5%)

My sample is codecdvi1007.exe.

AntiVir ------> HEUR/Malware
AVG ------> Generic_c.FTY
BitDefender ------> Trojan.Zlob.BZY
CAT-QuickHeal ------> Win32.Trojan.DNSChanger.aho
ClamAV ------> Trojan.DNSChanger-2168
Fortinet ------> W32/ZLOB.ESC!tr
F-Secure ------> Trojan.Win32.DNSChanger.aii
Kaspersky ------> Trojan.Win32.DNSChanger.aii
McAfee ------> Puper.gen.d
Microsoft ------> Trojan:Win32/Alureon.gen!E
Symantec ------> Trojan.Zlob
Webwasher-Gateway ------> Heuristic.Malware


Additional information:
Domain Name: codecdvi.com
Status: ok
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com
Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-12-17

Name Servers:
ns1.codecdvi.com
ns2.codecdvi.com

IP Address: 64.28.184.190
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-12-19 06:33:44 MST
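The whois and hosting fields printed for each domain are also what lets you find the rest of the operation: every fake codec domain on this page was created on 2007-09-21 at ESTDOMAINS and sits on a consecutive address in 64.28.184.x, and the SpySheriff clones further down all resolve to 58.65.238.130. The script below is an added example, not code from this blog; the records are transcribed from the posts on this page, while the grouping rule (same registrar, same creation date, same /24, or the same exact IP) and the /24 width are assumptions chosen for the example.

```python
"""Pivot across the domains in these posts on shared infrastructure.

Added example, not code from the original blog.  The registrar, creation
date and IP address of each domain are transcribed from the posts; the
grouping and pivot logic is the added part.  Fake-codec and rogue
antispyware domains are registered and hosted in batches, so one
domain's registrar, creation date and neighbouring IP space point at
the rest of the batch.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Hashable, List, Set, Tuple


@dataclass(frozen=True)
class Record:
    domain: str
    registrar: str
    created: str  # whois creation date, YYYY-MM-DD
    ip: str       # address the site resolved to when the post was written


# Transcribed from the posts on this page.  The killspy.org registrar is
# printed as "EstDomains, Inc. (R1345-LROR)" by the .org whois and is
# normalised here to the same string as the other ESTDOMAINS entries.
RECORDS = [
    Record("codecdvi.com",       "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.190"),
    Record("codecpretty.net",    "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.188"),
    Record("codechot.net",       "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.187"),
    Record("codechard.com",      "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.186"),
    Record("codecmega.net",      "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.185"),
    Record("codectime.com",      "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.184"),
    Record("stopingspy.com",     "ESTDOMAINS, INC.", "2007-11-27", "58.65.238.130"),
    Record("liveprotection.net", "ESTDOMAINS, INC.", "2007-11-27", "58.65.238.130"),
    Record("killspy.org",        "ESTDOMAINS, INC.", "2007-11-27", "58.65.238.130"),
    Record("online-guard.net",   "ESTDOMAINS, INC.", "2007-10-25", "58.65.238.130"),
    Record("antispy-pro.com",    "ESTDOMAINS, INC.", "2007-11-15", "85.255.121.149"),
    Record("virprotect.com",     "ESTDOMAINS, INC.", "2007-10-23", "85.255.119.126"),
    Record("spysnipe.com",       "BIZCN.COM, INC.",  "2007-11-18", "77.91.229.42"),
    Record("raptordefence.com",  "DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM",
           "2007-07-20", "88.214.198.90"),
]


def infra_key(r: Record, prefix: int = 24) -> Tuple[str, str, str]:
    """Registrar, creation date and hosting prefix: the three fields the
    fake-codec domains share.  The /24 width is an assumption."""
    net = ip_network(f"{r.ip}/{prefix}", strict=False)
    return (r.registrar, r.created, str(net))


def cluster(records: List[Record],
            keyfunc: Callable[[Record], Hashable]) -> Dict[Hashable, List[str]]:
    """Group domains by keyfunc, keeping only groups with more than one member."""
    groups: Dict[Hashable, List[str]] = defaultdict(list)
    for r in records:
        groups[keyfunc(r)].append(r.domain)
    return {k: v for k, v in groups.items() if len(v) > 1}


def pivot(seed: str, records: List[Record] = RECORDS, prefix: int = 24,
          require_same_created: bool = True) -> Set[str]:
    """Domains related to `seed`: same exact IP, or same registrar and
    hosting prefix (and, by default, the same creation date)."""
    by_domain = {r.domain: r for r in records}
    s = by_domain[seed]
    s_net = ip_network(f"{s.ip}/{prefix}", strict=False)
    related: Set[str] = set()
    for r in records:
        if r.domain == seed:
            continue
        same_host = r.ip == s.ip
        same_batch = (r.registrar == s.registrar
                      and ip_address(r.ip) in s_net
                      and (not require_same_created or r.created == s.created))
        if same_host or same_batch:
            related.add(r.domain)
    return related


if __name__ == "__main__":
    for key, domains in cluster(RECORDS, infra_key).items():
        print(key, "->", ", ".join(domains))
    print("pivot from codecdvi.com:", sorted(pivot("codecdvi.com")))
```

With the strict key, the six codec domains form one cluster and the three SpySheriff clones created on 2007-11-27 form another; online-guard.net joins the latter only through the shared IP, and antispy-pro.com and virprotect.com stay apart because their creation dates differ, even though both sit in 85.255.112.0/20 at the same registrar. Loosening the rule (`prefix=20, require_same_created=False`) links those two as well, at the cost of more false positives on a busy registrar.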

Tuesday, December 18, 2007

SpySnipe

SpySnipe is a rogue application which is a clone of Sunshine Spy.

spysnipe.com is the domain that distributes SpySnipe.

SpySnipe displays fake alerts, as shown in the screenshot below.

It appears that sunshinespy.com was previously hosted at 88.255.94.51; the two sites now share the IP 77.91.229.42.

I have also included a screenshot of "Sunshine Spy". Make sure not to download either of these applications.

SpySnipe.com

SpySniper v 1.0

SunshineSpy 1


Domain Name: spysnipe.com
Status: clientDeleteProhibited, clientTransferProhibited
Registrar: BIZCN.COM, INC.
Referral URL: http://www.bizcn.com

Expiration Date: 2008-11-18
Creation Date: 2007-11-18
Last Update Date: 2007-11-18

Name Servers:
ns1.spysnipe.com
ns2.spysnipe.com

IP Address: 77.91.229.42
Website Status: active
Server Type: nginx/0.5.22
Cache Date: 2007-12-17 11:15:49 MST
Compare Archived Data: 2007-12-07

Thursday, December 13, 2007

CodecPretty.net

Another Fake Codec Site from ESTDOMAINS.

Do NOT download any installers from this website. Note that this program is a DNS Changer.

It pretends to be a browser add-on (a video codec) required for viewing porn, but is actually a Trojan horse program.


CodecPretty.net

Virustotal results: 14/32 (43.75%)

My sample is CodecPretty1001.exe.

AntiVir ------> HEUR/Malware
AVG ------> Downloader.Zlob.KF
BitDefender ------> Trojan.Zlob.BYQ
CAT-QuickHeal ------> Win32.Trojan.DNSChanger.abj
eSafe ------> Win32.DNSChanger.abj
Fortinet ------> W32/Zlobar.ADZ!tr
F-Secure ------> Trojan.Win32.DNSChanger.acv
Kaspersky ------> Trojan.Win32.DNSChanger.adz
Microsoft ------> Trojan:Win32/Alureon.gen!E
Prevx1 ------> Generic.Dropper.xCodec
Sophos ------> Troj/Zlobar-Fam
Symantec ------> Trojan.Zlob
TheHacker ------> Trojan/Downloader.Zlob.eie
Webwasher-Gateway ------> Heuristic.Malware

Domain Name: codecpretty.net
Status: ok
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-12-11

Name Servers:
ns1.codecpretty.net
ns2.codecpretty.net

IP Address: 64.28.184.188
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-12-13 03:17:45 MST

Monday, December 10, 2007

CodecHot.net

Another Fake Codec Site from ESTDOMAINS.

Do NOT download any program from this website.

Note that this program is a DNS Changer. It pretends to be a browser add-on (a video codec) required for viewing porn, but is actually a Trojan horse program.

CodecHot.net

Domain Name: codechot.net
Status: ok
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-12-08

Name Servers:
ns1.codechot.net
ns2.codechot.net

IP Address: 64.28.184.187

Friday, December 7, 2007

SpyKillerPro


SpyKillerPro is another rogue application, this one from the strange website xen.name.

It seems to be a clone of RaptorDefence.

SpyKillerPro

Warning Message


Virus Total results:
AntiVir ------> DR/FraudTool.XPAntivirus.A.2
ClamAV ------> Adware.Fakealert-13
DrWeb ------> Trojan.Fakealert.373
Kaspersky ------> not-a-virus:FraudTool.Win32.XPAntivirus.a
Webwasher-Gateway ------> Trojan.Dropper.FraudTool.XPAntivirus.A.2

File size: 1402387 bytes
MD5: b2cb8c2168f279a0d62fcf7d0061e5a5
SHA1: a2fb6d6570366dda1690eafb990b331de07d859c

codechard.com

Another Fake Codec Site from ESTDOMAINS.

Do NOT download any program from this website.

Note that this program is a DNS Changer.

It pretends to be a browser add-on (a video codec) required for viewing porn, but is actually a Trojan horse program. It can also install a rootkit on your computer and reroute your Internet searches through the attackers' servers, which is how they make money.


codechard.com


Virus Total Results: 15/32 (46.88%)

AntiVir ------> HEUR/Malware
AVG ------> Downloader.Zlob.KF
BitDefender ------> Trojan.Zlob.BYQ
CAT-QuickHeal ------> Win32.Trojan.DNSChanger.abj
Ewido ------> Downloader.Zlob.eie
Fortinet ------> W32/Zlobar.ADZ!tr
F-Secure ------> Trojan.Win32.DNSChanger.adz
Kaspersky ------> Trojan.Win32.DNSChanger.adz
Microsoft ------> Trojan:Win32/Alureon.gen!E
Panda ------> Adware/JustPorn
Prevx1 ------> Generic.Dropper.xCodec
Sophos ------> Troj/Zlobar-Fam
Symantec ------> Trojan.Zlob
TheHacker ------> Trojan/Downloader.Zlob.eie
Webwasher-Gateway ------> Heuristic.Malware

File size: 231549 bytes
MD5: d0071820c328a1985d63e86f61d5b606
SHA1: 0d92ab6bc8f25d55d9799a5c479edc751ece17b1
PEiD: -
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=675A623B7D5697AB88DB03AB863BA800D8053CA9


More information:
Domain Name: codechard.com
Status: ok
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-12-05

Name Servers:
ns1.codechard.com
ns2.codechard.com

IP Address: 64.28.184.186
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-12-07 03:09:19 MST

StopingSpy 2.1

StopingSpy 2.1 is a clone of the well-known rogue application SpySheriff.

Stopingspy.com is the domain distributing StopingSpy 2.1.

The registrar of stopingspy.com is ESTDOMAINS, a registrar well known for this kind of useless website.

Do NOT install this application, and avoid this website.

Stopingspy.com

StopingSpy 2.1

Virustotal results : 6/32 (18.75%)
AhnLab-V3 ------> Win-Trojan/Spyshield.51200
CAT-QuickHeal ------> FraudTool.SpySheriff.f (Not a Virus)
Kaspersky ------> not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft ------> Program:Win32/SpySheriff
Sophos ------> Troj/DrProt-Gen
VirusBuster ------> Adware.SpySherif.Gen.2

File size: 30208 bytes
MD5: 8bc81891175a149bfef84ac0c8c556d4
SHA1: 6d76546f81dd3806a4e1b7e793237a1bc2293f30
PEiD: Armadillo v1.71

Additional information:

Domain Name: stopingspy.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-11-27
Creation Date: 2007-11-27
Last Update Date: 2007-11-27

Name Servers:
ns1.stopingspy.com
ns2.stopingspy.com

IP Address: 58.65.238.130
Website Status: active
Server Type: nginx/0.5.33
Cache Date: 2007-12-06 11:41:25 MST

Thursday, December 6, 2007

LiveProtection 2.1

LiveProtection 2.1 is a clone of the well-known rogue application SpySheriff.

liveprotection.net is the domain distributing LiveProtection 2.1.

The registrar of liveprotection.net is ESTDOMAINS, a registrar well known for this kind of useless website.

Do NOT install this application, and avoid this website.


liveprotection.net


LiveProtection 2.1


Virustotal results : 6/32 (18.75%)

AhnLab-V3 ------> Win-Trojan/Spyshield.51200
CAT-QuickHeal ------> FraudTool.SpySheriff.f (Not a Virus)
Kaspersky ------> not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft ------> Program:Win32/SpySheriff
Sophos ------> Troj/DrProt-Gen
VirusBuster ------> Adware.SpySherif.Gen.2

File size: 60928 bytes
MD5: d135860f40c86477e83f26aa49688be9
SHA1: 656feee197f0713bb15a4fd3db3f62bc545975ff
PEiD: Armadillo v1.71


Additional information:
Domain Name: liveprotection.net
Status: clientTransferProhibited

Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com

Expiration Date: 2008-11-27
Creation Date: 2007-11-27
Last Update Date: 2007-11-27

Name Servers:
ns1.liveprotection.net
ns2.liveprotection.net

IP Address: 58.65.238.130
Website Status: active
Server Type: nginx/0.5.33
Cache Date: 2007-12-06 10:45:19 MST

KillSpy 2.1

KillSpy 2.1 is a clone of the well-known rogue application SpySheriff.

killspy.org is the domain distributing KillSpy 2.1.

The registrar of killspy.org is ESTDOMAINS, a registrar well known for this kind of useless website.

Do NOT install this application, and avoid this website.



killspy.org
KillSpy 2.1

Virustotal results : 6/32 (18.75%)

AhnLab-V3 ------> Win-Trojan/Spyshield.51200
CAT-QuickHeal ------> FraudTool.SpySheriff.f (Not a Virus)
Kaspersky ------> not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft ------> Program:Win32/SpySheriff
Sophos ------> Troj/DrProt-Gen
VirusBuster ------> Adware.SpySherif.Gen.2

Additional information:
Domain Name: killspy.org
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED
Registrar: EstDomains, Inc. (R1345-LROR)

Expiration Date: 2008-11-27 15:43:30
Creation Date: 2007-11-27 15:43:30
Last Update Date: 2007-11-27 15:46:36

Name Servers:
ns1.killspy.org
ns2.killspy.org

IP Address: 58.65.238.130
Website Status: active
Server Type: nginx/0.5.33
Cache Date: 2007-12-06 06:48:49 MST

AntiSpy Pro 2.4

AntiSpy Pro 2.4 is another rogue application from ESTDOMAINS. This application is a clone of IEDefender.

I have added screenshots of both applications so that you can compare them.

Make sure you do not install this useless application.


AntiSpy-Pro.com


AntiSpy Pro 2.4

IEDefender.com

IE Defender 2.4.3

Additional information:

Domain Name: antispy-pro.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com

Expiration Date: 2008-11-15
Creation Date: 2007-11-15
Last Update Date: 2007-11-15

Name Servers:
ns1.antispy-pro.com
ns2.antispy-pro.com

IP Address: 85.255.121.149
Website Status: active
Server Type: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch4
Cache Date: 2007-12-06 04:27:55 MST

Virustotal results: 4/32 (12.5%)

ClamAV -----> Adware.Fakealert-21
Kaspersky -----> not-a-virus:FraudTool.Win32.IeDefender.j
VBA32 -----> suspected of Backdoor.Delf.180 (paranoid heuristics)
Symantec -----> AntiSpyPro


File size: 2836949 bytes
MD5: 3e66a8d4eed567b696fd23de45f1b1ee
SHA1: 86dbd9677bfcf0bc96528bbad18b6e5e1c12e4f8
PEiD: -
packers: ASPack

The VirusTotal result is quite bad (only 4 of 32 engines flag it), so stay away from this site.

Tuesday, December 4, 2007

CodecMega.net


CodecMega.net


Another Fake Codec Site from ESTDOMAINS.

Do NOT download any program from this website.

Note that this program is a DNSChanger. It pretends to be a browser add-on (a video codec) required for viewing porn, but is actually a Trojan horse program. It can also install a rootkit on your computer and reroute your Internet searches through the attackers' servers, which is how they make money.


CodecMega.net


Virus Total Results: 16/32 (50%)
-------------------------------------------------------
AntiVir -----> HEUR/Malware
AVG -----> Downloader.Zlob.KF
BitDefender -----> Trojan.Zlob.BYQ
CAT-QuickHeal -----> Win32.Trojan.DNSChanger.abj
eSafe -----> Win32.DNSChanger.abj
Ewido -----> Downloader.Zlob.eie
Fortinet -----> W32/Zlobar.ABJ!tr
F-Secure -----> Trojan.Win32.DNSChanger.adz
Kaspersky -----> Trojan.Win32.DNSChanger.adz
Microsoft -----> Trojan:Win32/Alureon.gen!E
Panda -----> Adware/KeyToPorn
Prevx1 -----> Generic.Dropper.xCodec
Sophos -----> Troj/Zlobar-Fam
Symantec -----> Trojan.Zlob
TheHacker -----> Trojan/Downloader.Zlob.eie

The detection rate seems a little better this time.

More Information:
-----------------
Domain Name: codecmega.net
Status: ok
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-12-02

Name Servers:
ns1.codecmega.net
ns2.codecmega.net

IP Address: 64.28.184.185
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-12-04 06:15:38 MST

Saturday, December 1, 2007

RaptorDefence.com



RaptorDefence 1.2.1 is a rogue application which displays fake detections to alarm users into purchasing the worthless product.

Screenshots:

RaptorDefence.com


RaptorDefence 1.2.1

Domain Name: raptordefence.com
Status: ok
Registrar: DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.publicdomainregistry.com
Referral URL: http://www.publicdomainregistry.com

Expiration Date: 2008-07-20
Creation Date: 2007-07-20
Last Update Date: 2007-09-18
Name Servers:
ns0.hqhost.net
ns1.hqhost.net

IP Address: 88.214.198.90
Website Status: active
Server Type: Apache/1.3.37 (Unix) PHP/5.2.3
Alexa Trend/Rank: 3 Month: 1,680,653
Page Views per Visit: 3 Month: 5.0
Cache Date: 2007-12-01 04:19:35 MST

VirusTotal results: 4/32 (12.5%)

DrWeb ---> Trojan.Fakealert.373
Kaspersky ---> not-a-virus:FraudTool.Win32.XPAntivirus.a
Prevx1 ---> Heuristic: Suspicious Self Modifying File
Sunbelt ---> RaptorDefence

File size: 1578279 bytes
MD5: 4d0e16828cdd140d77221e806e535be8
SHA1: 32434e2641003f6d3b203f9214b0831ff7eb21f1
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=8B98308C27FC6C0715D218E1D988C3000933526E


The detection rate is very poor. Make sure you stay away from this program.

CodecTime.com



Another Fake Codec Site from ESTDOMAINS.
Do NOT download any installers from this website.
Note that this program is a DNSChanger. It pretends to be a browser add-on (a video codec) required for viewing porn, but is actually a Trojan horse program. It can also install a rootkit on your computer and reroute your Internet searches through the attackers' servers, which is how they make money.

Screenshot:

CodecTime.com

And this is why we call it a DNS changer:

Additional information:

Domain Name: codectime.com
Status: ok
Registrar: ESTDOMAINS, INC.
Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-11-29

Name Servers:
ns1.codectime.com
ns2.codectime.com

IP Address: 64.28.184.184
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-12-01 03:04:48 MST


VirusTotal results:

My sample is CodecTime1090.exe.

AntiVir ---> HEUR/Malware
AVG ---> Downloader.Zlob.KF
BitDefender ---> Trojan.Zlob.BYQ
CAT-QuickHeal ---> Win32.Trojan.DNSChanger.abj
eSafe ---> Win32.Zlob
Ewido ---> Downloader.Zlob.eie
Fortinet ---> W32/Zlobar.ADZ!tr
F-Secure ---> Trojan.Win32.DNSChanger.adz
Kaspersky ---> Trojan.Win32.DNSChanger.adz
Microsoft ---> Trojan:Win32/Dnschanger.AI
Prevx1 ---> Generic.Dropper.xCodec
Sophos ---> Troj/Zlobar-Fam
Symantec ---> Trojan.Zlob
TheHacker ---> Trojan/Downloader.Zlob.eie
Webwasher-Gateway ---> Heuristic.Malware

Friday, November 30, 2007

VirusProtect 3.8

The registrar of Virprotect.com is ESTDOMAINS, which is well known for fake products.

If your system is infected with VirusProtect through a Zlob infection, it displays fake warnings in the system tray which do not go away even after you uninstall the product, and it keeps insisting that you purchase it.

Also, the product does not uninstall completely.


Screenshots:

Virprotect.com

VirusProtect 3.8

Note that the VirusProtectPro variants are no longer active.


Virustotal results: 6/32 (18.75%)

The detection rate is very poor; make sure you stay away from this website and the application.

Avast ---> Win32:Spycrush-B
BitDefender ---> Adware.SpyLocked.C
NOD32v2 ---> Win32/Adware.VirusProtectPro
Prevx1 ---> VirusProtectPro:Spyware-All Variants
Sophos ---> Virus ProtectPro Installer
VBA32 ---> Application.Win32.Adware.VirusProtectPro

File size: 3318554 bytes
MD5: baac3692b436b982193bb7895d7405c3
SHA1: ff0de2bed0bd903de9c003e05f3767ee9e35f8f8
packers: Armadillo
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=D81609571AEEC833A360320269C934002DEEC94B

Domain Name: virprotect.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com/
Expiration Date: 2008-10-23
Creation Date: 2007-10-23
Last Update Date: 2007-11-12
Name Servers:
ns1.sigmacode.biz
ns2.sigmacode.biz
ns3.sigmacode.biz
ns4.sigmacode.biz


IP Address: 85.255.119.126
Website Status: active
Server Type: nginx/0.4.13
Cache Date: 2007-11-30 06:33:49 MST
Compare Archived Data: 2007-11-13


Many people get infected by this application, so the question is how to get rid of it.

Follow the steps at the following link to remove it using SmitfraudFix:

http://siri.urz.free.fr/Fix/SmitfraudFix.php

The versions before VirusProtect 3.8 were the PRO versions.

Screenshots of the previous versions are provided below, in case they help:

VirusProtect PRO 3.3

VirusProtect PRO 3.4

VirusProtect PRO 3.5

VirusProtect PRO 3.6

VirusProtect PRO 3.7


Thursday, November 29, 2007

Online-Guard.net

Online-Guard 2.1


Online-Guard 2.1 is a clone of the well-known rogue application SpySheriff.

The registrar of Online-Guard.net is ESTDOMAINS, a registrar well known for this kind of useless website. Do NOT install this application, and avoid this website.


Online-Guard.net




Online-Guard 2.1


Virustotal results : 6/32 (18.75%)

AhnLab-V3 ---> Win-Trojan/Spyshield.51200
CAT-QuickHeal ---> FraudTool.SpySheriff.f (Not a Virus)
Ikarus ---> not-a-virus:.FraudTool.Win32.SpySheriff.f
Kaspersky ---> not-a-virus:FraudTool.Win32.SpySheriff.f
Symantec ---> OnlineGuard
VirusBuster ---> Adware.SpySherif.Gen.2

File size: 24064 bytes
MD5: 658474189f62b7a8472473357210be85
SHA1: 6beb36171279b363e88e1de21dbc74a827e7065

Additional information:

Domain Name: online-guard.net
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Expiration Date: 2008-10-25
Creation Date: 2007-10-25
Last Update Date: 2007-11-16
Name Servers:
ns1.online-guard.net
ns2.online-guard.ne

IP Address: 58.65.238.130
Website Status: active
Server Type: nginx/0.5.33
Cache Date: 2007-11-29 09:58:02 MST
Compare Archived Data: 2007-11-27
