Wednesday, December 19, 2007

codecdvi.com

Another Fake Codec Site from ESTDOMAINS.

Do NOT download any installers from this website. Note that this program is a DNS Changer.

It pretends to be a browser add-on for viewing porn but is actually a Trojan Horse program.
codecdvi.com
Virustotal results: 12/32 (37.5%)

My sample is codecdvi1007.exe.

AntiVir ------> HEUR/Malware
AVG ------> Generic_c.FTY
BitDefender ------> Trojan.Zlob.BZY
CAT-QuickHeal ------> Win32.Trojan.DNSChanger.aho
ClamAV ------> Trojan.DNSChanger-2168
Fortinet ------> W32/ZLOB.ESC!tr
F-Secure ------> Trojan.Win32.DNSChanger.aii
Kaspersky ------> Trojan.Win32.DNSChanger.aii
McAfee ------> Puper.gen.d
Microsoft ------> Trojan:Win32/Alureon.gen!E
Symantec ------> Trojan.Zlob
Webwasher-Gateway ------> Heuristic.Malware


Additional information:
Domain Name: codecdvi.com
Status: ok
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com
Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-12-17

Name Servers:
ns1.codecdvi.com
ns2.codecdvi.com

IP Address: 64.28.184.190
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-12-19 06:33:44 MST

Tuesday, December 18, 2007

SpySnipe

SpySnipe is a rogue application which is a clone of Sunshine Spy.

spysnipe.com is the domain that distributes SpySnipe.

SpySnipe displays fake alerts as shown in the screenshot below.

It appears that sunshinespy.com was previously hosted at 88.255.94.51. Now both sites share the IP 77.91.229.42.

I have also included the screenshot of "Sunshine Spy". Make sure not to download these applications.

SpySnipe.com

SpySniper v 1.0

SunshineSpy 1


Domain Name: spysnipe.com
Status: clientDeleteProhibited, clientTransferProhibited
Registrar: BIZCN.COM, INC.
Referral URL: http://www.bizcn.com

Expiration Date: 2008-11-18
Creation Date: 2007-11-18
Last Update Date: 2007-11-18

Name Servers:
ns1.spysnipe.com
ns2.spysnipe.com

IP Address: 77.91.229.42
Website Status: active
Server Type: nginx/0.5.22
Cache Date: 2007-12-17 11:15:49 MST

Thursday, December 13, 2007

CodecPretty.net

Another Fake Codec Site from ESTDOMAINS.

Do NOT download any installers from this website. Note that this program is a DNS Changer.

It pretends to be a browser add-on for viewing porn but is actually a Trojan Horse program.


CodecPretty.net

Virustotal Results: 14/32 (43.75%)

My sample is CodecPretty1001.exe

AntiVir ------> HEUR/Malware
AVG ------> Downloader.Zlob.KF
BitDefender ------> Trojan.Zlob.BYQ
CAT-QuickHeal ------> Win32.Trojan.DNSChanger.abj
eSafe ------> Win32.DNSChanger.abj
Fortinet ------> W32/Zlobar.ADZ!tr
F-Secure ------> Trojan.Win32.DNSChanger.acv
Kaspersky ------> Trojan.Win32.DNSChanger.adz
Microsoft ------> Trojan:Win32/Alureon.gen!E
Prevx1 ------> Generic.Dropper.xCodec
Sophos ------> Troj/Zlobar-Fam
Symantec ------> Trojan.Zlob
TheHacker ------> Trojan/Downloader.Zlob.eie
Webwasher-Gateway ------> Heuristic.Malware

Domain Name: codecpretty.net
Status: ok
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-12-11

Name Servers:
ns1.codecpretty.net
ns2.codecpretty.net

IP Address: 64.28.184.188
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-12-13 03:17:45 MST

Monday, December 10, 2007

CodecHot.net

Another Fake Codec Site from ESTDOMAINS.

Do NOT download any program from this website.

Note that this program is a DNS Changer. It pretends to be a browser add-on for viewing porn but is actually a Trojan Horse program.

CodecHot.net

Domain Name: codechot.net
Status: ok
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-12-08

Name Servers:
ns1.codechot.net
ns2.codechot.net

IP Address: 64.28.184.187

Friday, December 7, 2007

SpyKillerPro

SpyKillerPro - another rogue application from the strange website xen.name.

It seems to be a clone of RaptorDefence.

SpyKillerPro

Warning Message


Virus Total results:
AntiVir ------> DR/FraudTool.XPAntivirus.A.2
ClamAV ------> Adware.Fakealert-13
DrWeb ------> Trojan.Fakealert.373
Kaspersky ------> not-a-virus:FraudTool.Win32.XPAntivirus.a
Webwasher-Gateway ------> Trojan.Dropper.FraudTool.XPAntivirus.A.2

File size: 1402387 bytes
MD5: b2cb8c2168f279a0d62fcf7d0061e5a5
SHA1: a2fb6d6570366dda1690eafb990b331de07d859c

codechard.com

Another Fake Codec Site from ESTDOMAINS.

Do NOT download any program from this website.

Note that this program is a DNS Changer.

It pretends to be a browser add-on for viewing porn but is actually a Trojan Horse program. It has the capability to install a Rootkit on your computer to re-route your Internet searches through the bad servers and make money for them.


codechard.com


Virus Total Results: 15/32 (46.88%)

AntiVir ------> HEUR/Malware
AVG ------> Downloader.Zlob.KF
BitDefender ------> Trojan.Zlob.BYQ
CAT-QuickHeal ------> Win32.Trojan.DNSChanger.abj
Ewido ------> Downloader.Zlob.eie
Fortinet ------> W32/Zlobar.ADZ!tr
F-Secure ------> Trojan.Win32.DNSChanger.adz
Kaspersky ------> Trojan.Win32.DNSChanger.adz
Microsoft ------> Trojan:Win32/Alureon.gen!E
Panda ------> Adware/JustPorn
Prevx1 ------> Generic.Dropper.xCodec
Sophos ------> Troj/Zlobar-Fam
Symantec ------> Trojan.Zlob
TheHacker ------> Trojan/Downloader.Zlob.eie
Webwasher-Gateway ------> Heuristic.Malware

File size: 231549 bytes
MD5: d0071820c328a1985d63e86f61d5b606
SHA1: 0d92ab6bc8f25d55d9799a5c479edc751ece17b1
PEiD: -
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=675A623B7D5697AB88DB03AB863BA800D8053CA9


More information:
Domain Name: codechard.com
Status: ok
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-12-05

Name Servers:
ns1.codechard.com
ns2.codechard.com

IP Address: 64.28.184.186
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-12-07 03:09:19 MST

StopingSpy 2.1

StopingSpy 2.1 is a clone of a well known rogue application, SpySheriff.

Stopingspy.com is the domain distributing StopingSpy 2.1.

The registrar of stopingspy.com is ESTDOMAINS, well known for registering useless websites.

Do NOT install this application and avoid this website.

Stopingspy.com

StopingSpy 2.1

Virustotal results: 6/32 (18.75%)
AhnLab-V3 ------> Win-Trojan/Spyshield.51200
CAT-QuickHeal ------> FraudTool.SpySheriff.f (Not a Virus)
Kaspersky ------> not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft ------> Program:Win32/SpySheriff
Sophos ------> Troj/DrProt-Gen
VirusBuster ------> Adware.SpySherif.Gen.2

File size: 30208 bytes
MD5: 8bc81891175a149bfef84ac0c8c556d4
SHA1: 6d76546f81dd3806a4e1b7e793237a1bc2293f30
PEiD: Armadillo v1.71

Additional information:

Domain Name: stopingspy.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-11-27
Creation Date: 2007-11-27
Last Update Date: 2007-11-27

Name Servers:
ns1.stopingspy.com
ns2.stopingspy.com

IP Address: 58.65.238.130
Website Status: active
Server Type: nginx/0.5.33
Cache Date: 2007-12-06 11:41:25 MST

Thursday, December 6, 2007

LiveProtection 2.1

LiveProtection 2.1 is a clone of a well known rogue application, SpySheriff.

liveprotection.net is the domain distributing LiveProtection 2.1.

The registrar of liveprotection.net is ESTDOMAINS, well known for registering useless websites.

Do NOT install this application and avoid this website.


liveprotection.net


LiveProtection 2.1


Virustotal results: 6/32 (18.75%)

AhnLab-V3 ------> Win-Trojan/Spyshield.51200
CAT-QuickHeal ------> FraudTool.SpySheriff.f (Not a Virus)
Kaspersky ------> not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft ------> Program:Win32/SpySheriff
Sophos ------> Troj/DrProt-Gen
VirusBuster ------> Adware.SpySherif.Gen.2

File size: 60928 bytes
MD5: d135860f40c86477e83f26aa49688be9
SHA1: 656feee197f0713bb15a4fd3db3f62bc545975ff
PEiD: Armadillo v1.71


Additional information:
Domain Name: liveprotection.net
Status: clientTransferProhibited

Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com

Expiration Date: 2008-11-27
Creation Date: 2007-11-27
Last Update Date: 2007-11-27

Name Servers:
ns1.liveprotection.net
ns2.liveprotection.net

IP Address: 58.65.238.130
Website Status: active
Server Type: nginx/0.5.33
Cache Date: 2007-12-06 10:45:19 MST

KillSpy 2.1

KillSpy 2.1 is a clone of a well known rogue application, SpySheriff.

killspy.org is the domain distributing KillSpy 2.1.

The registrar of killspy.org is ESTDOMAINS, well known for registering useless websites.

Do NOT install this application and avoid this website.



killspy.org
KillSpy 2.1

Virustotal results: 6/32 (18.75%)

AhnLab-V3 ------> Win-Trojan/Spyshield.51200
CAT-QuickHeal ------> FraudTool.SpySheriff.f (Not a Virus)
Kaspersky ------> not-a-virus:FraudTool.Win32.SpySheriff.f
Microsoft ------> Program:Win32/SpySheriff
Sophos ------> Troj/DrProt-Gen
VirusBuster ------> Adware.SpySherif.Gen.2

Additional information:
Domain Name: killspy.org
Status: CLIENT TRANSFER PROHIBITED, TRANSFER PROHIBITED
Registrar: EstDomains, Inc. (R1345-LROR)

Expiration Date: 2008-11-27 15:43:30
Creation Date: 2007-11-27 15:43:30
Last Update Date: 2007-11-27 15:46:36

Name Servers:
ns1.killspy.org
ns2.killspy.org

IP Address: 58.65.238.130
Website Status: active
Server Type: nginx/0.5.33
Cache Date: 2007-12-06 06:48:49 MST

AntiSpy Pro 2.4

AntiSpy Pro 2.4 is another rogue application from ESTDOMAINS. This application is a clone of IEDefender.

I have added screenshots for both the applications, so that you can compare them.

Make sure you do not install this useless application.


AntiSpy-Pro.com


AntiSpy Pro 2.4

IEDefender.com

IE Defender 2.4.3

Additional information:

Domain Name: antispy-pro.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com

Expiration Date: 2008-11-15
Creation Date: 2007-11-15
Last Update Date: 2007-11-15

Name Servers:
ns1.antispy-pro.com
ns2.antispy-pro.com

IP Address: 85.255.121.149
Website Status: active
Server Type: Apache/2.2.3 (Debian) PHP/4.4.4-8+etch4
Cache Date: 2007-12-06 04:27:55 MST

Virustotal results: 4/32 (12.5%)

ClamAV ------> Adware.Fakealert-21
Kaspersky ------> not-a-virus:FraudTool.Win32.IeDefender.j
VBA32 ------> suspected of Backdoor.Delf.180 (paranoid heuristics)
Symantec ------> AntiSpyPro


File size: 2836949 bytes
MD5: 3e66a8d4eed567b696fd23de45f1b1ee
SHA1: 86dbd9677bfcf0bc96528bbad18b6e5e1c12e4f8
PEiD: -
packers: ASPack

The Virustotal result is quite bad, so stay away from this site.

Tuesday, December 4, 2007

CodecMega.net


CodecMega.net


Another Fake Codec Site from ESTDOMAINS.

Do NOT download any program from this website.

Note that this program is a DNSChanger. It pretends to be a browser add-on for viewing porn but is actually a Trojan Horse program. It has the capability to install a Rootkit on your computer to re-route your Internet searches through the bad servers and make money for them.


CodecMega.net


Virus Total Results: 16/32 (50%)
-------------------------------------------------------
AntiVir ------> HEUR/Malware
AVG ------> Downloader.Zlob.KF
BitDefender ------> Trojan.Zlob.BYQ
CAT-QuickHeal ------> Win32.Trojan.DNSChanger.abj
eSafe ------> Win32.DNSChanger.abj
Ewido ------> Downloader.Zlob.eie
Fortinet ------> W32/Zlobar.ABJ!tr
F-Secure ------> Trojan.Win32.DNSChanger.adz
Kaspersky ------> Trojan.Win32.DNSChanger.adz
Microsoft ------> Trojan:Win32/Alureon.gen!E
Panda ------> Adware/KeyToPorn
Prevx1 ------> Generic.Dropper.xCodec
Sophos ------> Troj/Zlobar-Fam
Symantec ------> Trojan.Zlob
TheHacker ------> Trojan/Downloader.Zlob.eie

The detection rate seems to be better.

More Information:
-----------------
Domain Name: codecmega.net
Status: ok
Registrar: ESTDOMAINS, INC.
Referral URL: http://www.estdomains.com

Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-12-02

Name Servers:
ns1.codecmega.net
ns2.codecmega.net

IP Address: 64.28.184.185
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-12-04 06:15:38 MST

Saturday, December 1, 2007

RaptorDefence.com



RaptorDefence 1.2.1 is a rogue application which displays fake detections to surprise users and push them into purchasing the worthless product.

Screenshots:

RaptorDefence.com


RaptorDefence 1.2.1

Domain Name: raptordefence.com
Status: ok
Registrar: DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.publicdomainregistry.com
Referral URL: http://www.publicdomainregistry.com

Expiration Date: 2008-07-20
Creation Date: 2007-07-20
Last Update Date: 2007-09-18
Name Servers:
ns0.hqhost.net
ns1.hqhost.net

IP Address: 88.214.198.90
Website Status: active
Server Type: Apache/1.3.37 (Unix) PHP/5.2.3
Alexa Trend/Rank: 3 Month: 1,680,653
Page Views per Visit: 3 Month: 5.0
Cache Date: 2007-12-01 04:19:35 MST

VirusTotal results: 4/32 (12.5%)

DrWeb ---> Trojan.Fakealert.373
Kaspersky ---> not-a-virus:FraudTool.Win32.XPAntivirus.a
Prevx1 ---> Heuristic: Suspicious Self Modifying File
Sunbelt ---> RaptorDefence

File size: 1578279 bytes
MD5: 4d0e16828cdd140d77221e806e535be8
SHA1: 32434e2641003f6d3b203f9214b0831ff7eb21f1
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=8B98308C27FC6C0715D218E1D988C3000933526E


The detection rate is very poor. Make sure you stay away from this program.

CodecTime.com



Another Fake Codec Site from ESTDOMAINS.
Do NOT download any installers from this website.
Note that this program is a DNSChanger. It pretends to be a browser add-on for viewing porn but is actually a Trojan Horse program. It has the capability to install a Rootkit on your computer to re-route your Internet searches through the bad servers and make money for them.

Screenshot:

CodecTime.com

And this is why we call it a DNS changer:

Additional information:

Domain Name: codectime.com
Status: ok
Registrar: ESTDOMAINS, INC.
Expiration Date: 2008-09-21
Creation Date: 2007-09-21
Last Update Date: 2007-11-29

Name Servers:
ns1.codectime.com
ns2.codectime.com

IP Address: 64.28.184.184
Website Status: active
Server Type: Apache/2.0.59 (FreeBSD) PHP/5.2.1 with Suhosin-Patch
Cache Date: 2007-12-01 03:04:48 MST
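The whois and IP records quoted across these posts cluster very tightly: every fake codec site was registered through ESTDOMAINS on 2007-09-21 and sits in 64.28.184.x, and the three SpySheriff clones were registered on 2007-11-27 and share 58.65.238.130. The script below is an added example, not code from this blog; it copies those records into a table (registrar strings shortened) and groups domains that share registrar, creation date and /24 network, so that a hit on one domain points at its siblings.

```python
"""Group the domains from these posts by shared infrastructure (added example)."""
import ipaddress
from collections import defaultdict

# (domain, registrar, creation date, IP address), copied from the whois/IP lines
# quoted in the posts above; registrar names are normalised to one short spelling.
RECORDS = [
    ("codecdvi.com",       "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.190"),
    ("codecpretty.net",    "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.188"),
    ("codechot.net",       "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.187"),
    ("codechard.com",      "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.186"),
    ("codecmega.net",      "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.185"),
    ("codectime.com",      "ESTDOMAINS, INC.", "2007-09-21", "64.28.184.184"),
    ("stopingspy.com",     "ESTDOMAINS, INC.", "2007-11-27", "58.65.238.130"),
    ("liveprotection.net", "ESTDOMAINS, INC.", "2007-11-27", "58.65.238.130"),
    ("killspy.org",        "ESTDOMAINS, INC.", "2007-11-27", "58.65.238.130"),
    ("antispy-pro.com",    "ESTDOMAINS, INC.", "2007-11-15", "85.255.121.149"),
    ("spysnipe.com",       "BIZCN.COM, INC.",  "2007-11-18", "77.91.229.42"),
    ("raptordefence.com",  "PUBLICDOMAINREGISTRY.COM", "2007-07-20", "88.214.198.90"),
]


def cluster_by_infrastructure(records, prefix=24):
    """Group domains sharing registrar, creation date and the same /prefix network.

    Domains registered in one batch and hosted on one block are very likely one
    operator's campaign, so one detection is a reason to block the whole group.
    """
    groups = defaultdict(list)
    for domain, registrar, created, ip in records:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[(registrar, created, str(net))].append(domain)
    return dict(groups)


def related_domains(records, domain):
    """Other domains in the same cluster as `domain`; empty list if it stands alone."""
    for members in cluster_by_infrastructure(records).values():
        if domain in members:
            return [d for d in members if d != domain]
    return []


if __name__ == "__main__":
    for (registrar, created, net), members in cluster_by_infrastructure(RECORDS).items():
        if len(members) > 1:
            print(f"{registrar} / created {created} / {net}: {', '.join(members)}")
```

Running it prints two clusters, the six codec sites and the three SpySheriff clones; the remaining domains stand alone on this data.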


VirusTotal results:


My sample is: CodecTime1090.exe

AntiVir ---> HEUR/Malware
AVG ---> Downloader.Zlob.KF
BitDefender ---> Trojan.Zlob.BYQ
CAT-QuickHeal ---> Win32.Trojan.DNSChanger.abj
eSafe ---> Win32.Zlob
Ewido ---> Downloader.Zlob.eie
Fortinet ---> W32/Zlobar.ADZ!tr
F-Secure ---> Trojan.Win32.DNSChanger.adz
Kaspersky ---> Trojan.Win32.DNSChanger.adz
Microsoft ---> Trojan:Win32/Dnschanger.AI
Prevx1 ---> Generic.Dropper.xCodec
Sophos ---> Troj/Zlobar-Fam
Symantec ---> Trojan.Zlob
TheHacker ---> Trojan/Downloader.Zlob.eie
Webwasher-Gateway ---> Heuristic.Malware
