Monday, September 15, 2008

AVs fail Again

Lately I have seen many web downloads, some at forums, some at rapidshare and also a few torrents such as "Adobe Acrobat 9", that include an installation and a crack.
The installation or crack is in a password-protected rar file; to get the password, one must run the supplied tool called "XXX Password Generator".

This installs another variant of AntiVirus 2008. I can truly say I can't tell anymore if it comes from the same guys; OK, of course it's them, but there is just no way they have so much manpower to write so many completely different versions!!!
Here are the websites it pops up to purchase from:
Installs executables at:
%ProgramFiles%\Antivirus 2008\Antivirus-2008.exe
which is today detected by 24 of 36 AV vendors
http://www.virustotal.com/en/analisis/5ca67e83d763a44d2719de3c40ab0086

This virus adds a scary DANGER! iframe to your desktop.htt; who would remove this for you?
<div style="position: absolute; left: 0pt; top: 0pt; width: 1280px; height: 836px;">
<img src="file:///C:/WINDOWS/web/wallpaper/Bliss.bmp" cache="" style="position: absolute; left: 0pt; top: 0pt; width: 100%; height: 100%;" />

<iframe id="1" marginwidth="0" marginheight="0" name="DeskMovrW" src="file:///C:%5CWINDOWS%5Cprivacy_danger%5Cindex.htm" resizeable="XY" subscribed_url="" style="background: transparent none repeat scroll 0% 0%; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial; position: absolute; left: 0pt; top: 0pt; width: 1280px; height: 806px; z-index: 0;" frameborder="0">
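As an added example (not code from the original post), here is a small Python check that parses a desktop.htt file and reports any iframe whose src does not resolve to a file under the standard Active Desktop wallpaper directory. The sample desktop.htt below is constructed from the fragment quoted above; the "expected" directory prefix is an assumption of this example, not something the post states.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed sample, modelled on the desktop.htt fragment quoted in the post.
SAMPLE_DESKTOP_HTT = """
<div style="position: absolute; left: 0pt; top: 0pt; width: 1280px; height: 836px;">
<img src="file:///C:/WINDOWS/web/wallpaper/Bliss.bmp" cache="" style="width: 100%; height: 100%;" />
<iframe id="1" marginwidth="0" marginheight="0" name="DeskMovrW"
        src="file:///C:%5CWINDOWS%5Cprivacy_danger%5Cindex.htm"
        resizeable="XY" subscribed_url="" frameborder="0"></iframe>
</div>
"""

# Assumption of this example: legitimate Active Desktop content lives under
# the Windows "web" directory; anything else referenced by an iframe is suspect.
EXPECTED_PREFIXES = ("c:\\windows\\web\\",)


class _FrameCollector(HTMLParser):
    """Collects the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append(dict(attrs))


def normalise_file_url(src):
    """Turn a file:// URL such as file:///C:%5CWINDOWS%5C... into a
    lowercase Windows path (backslashes, no leading slash).
    Returns None for anything that is not a file:// URL."""
    parsed = urlparse(src.strip())
    if parsed.scheme != "file":
        return None
    path = unquote(parsed.path)          # %5C -> backslash
    path = path.lstrip("/").replace("/", "\\")
    return path.lower()


def find_suspicious_iframes(htt_text):
    """Return a list of (iframe name, source, reason) tuples for every
    iframe in the desktop.htt text that points outside EXPECTED_PREFIXES
    or is not a local file at all."""
    collector = _FrameCollector()
    collector.feed(htt_text)
    findings = []
    for attrs in collector.frames:
        src = attrs.get("src", "") or ""
        path = normalise_file_url(src)
        if path is None:
            findings.append((attrs.get("name"), src, "iframe source is not a local file"))
        elif not path.startswith(EXPECTED_PREFIXES):
            findings.append((attrs.get("name"), path, "iframe outside expected wallpaper directory"))
    return findings


if __name__ == "__main__":
    for name, where, reason in find_suspicious_iframes(SAMPLE_DESKTOP_HTT):
        print(f"{reason}: name={name!r} src={where}")
```

Run against the constructed sample, the check reports the DeskMovrW frame pointing at C:\WINDOWS\privacy_danger\index.htm, while the Bliss.bmp wallpaper image is ignored because only iframes are inspected. On a real machine you would feed it the contents of the user's desktop.htt instead of the embedded sample.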
It installed some dlls and executables which are well known to AVs:
http://www.virustotal.com/en/analisis/3ed55959b67a666973798fa0c35f23f5
http://www.virustotal.com/en/analisis/c44ccd7ef6b11f700a52042bdb09057f
http://www.virustotal.com/en/analisis/ee13a4586807956432b3989534febf60
http://www.virustotal.com/en/analisis/2af01563b34916780ac23799ec1368df
http://www.virustotal.com/en/analisis/0e309871a713b62a6e68a0071ac54b06
http://www.virustotal.com/en/analisis/1f5371eb356e9c893c3dbec8b496641b
http://www.virustotal.com/en/analisis/0d012def38cd3adfe5ada8d7c45b3041
http://www.virustotal.com/en/analisis/0d9eacd2a5c15fb03a91f2b044000bc3
http://www.virustotal.com/en/analisis/bbef207525a04ba4152509a1e458d1e4

There is also another variant I found called "AntiMalwareGuard_Free.exe", packed with PECompact 2.xx; this one is considered relatively well detected compared to the other variants: 19 of 36 AV vendors detect it.
http://www.virustotal.com/en/analisis/c0b7c0498a9b0f684f9e3cbbcc0e5b53

So where is the problem???
The Trojan downloader itself wasn't detected by any vendor, and now, 2 months after I found it (which means the vendors got the samples from my VirusTotal file upload 2 months ago), it is detected by only 15 AV vendors!!!
http://www.virustotal.com/he/analisis/a38ab04057b44c6bd870ef0446a19a5e
Kaspersky! McAfee! TrendMicro! Panda! F-Secure! Fortinet! Where are you people?!?!?!?!

The malicious guys have no problem replacing the executables on the server side to avoid detection; they even have the manpower to write completely new ones.
