Friday, September 4, 2009

Personal Antivirus: antimalwarescanner8.com/ best-antivirus8.com/ hqvirusscanner.com/ advancedpcscanner3.com

I typed my search keywords into Google and clicked on few links on the first page of results. One site interested me because it was redirecting me to some other site, the malicious web page whic is redirecting to new page was embedded with unnoticeable flash file named intro.swf. The web page on the redirected site welcomes us with a pop-up window saying "Warning!!!Your system.......". The pop-up warning window is similar across all malicious domains.
If we click OK or Cross(X)/Close button it will take us to fake scanning page depicting real Anti -virus scanning of the PC.
After the scanning it gives the scan results as shown in figure below depicting a real Anti-Virus scan stating various directories on the PC are infected with trojans.
Asks the users to download "Personal Antivirus" to protect their PC.
Clicking anywhere on this page will give a pop-up window to download Anti-virus binary.
If we click on the page for multiple times it will pop-up multiple windows for downloading
Antivirus-[a-f0-9]{3,7}_2031.exe file.If we do "View Source" on above page it will show few interesting javascript files.
Contents of listfile.js were interesting because it had an array of various file names with EXE, HLP, DLL etc extensions.
I downloaded different binary files samples but all the files had same MD5 value. Surprising !!!
Tried to execute the sample on VMware with MS Windows XP SP2 installed. It gives the following memory access error on VM. Is it detecting VM environment?!!
I executed the same sample on MS Windows Server 2003 Standard Edition with SP2 but not able to run the sample successfully.
Don't try to access domains with URI
http://maliciousdomain.com/1/?sess=p2T4yjjxMi01JmlwPTY3Ljk3LjgwLjUmdGltZT0xMjU1MUAMPQZM

sess parameter is changing with every malicious domain. I was littile suspicious with the sess parameters value for base64 encoding, decoding it to ASCII gives
§døÊ8ñ2-5&ip=67.97.80.5&time=12551@ = L
Wow!! It contains an IP Address.

Malicious Domains:
hqvirusscanner.com
antimalwarescanner8.com
advancedpcscanner3.com
best-antivirus8.com
antivirus-fast-scan04.com
(new domains might come up soon)
File Name: Antivirus_[a-z0-9]{3,7}.exe
Antivirus-[a-f0-9]{3,7}_2031.exe
File Size: 163840 bytes
MD5: 22fb04afad00ccaeda1f5e5892493d77
Malware Type: Browser Hijackers
Threat Level: High

  • File is Packed with unknown packer.
  • PEiD doesn't give any packer name.
  • OllyDBG throws exception while loading the file.
  • Imports few APIs from KERNEL32.DLL
Virustotal results can be found at
http://www.virustotal.com/analisis/6a761c86645ca3b8b808a80f330ffb315dc5c175089abf7f8ff9ea2ddbbc57b2-1252076765

If I successfully run the malicious file then I will post a new blog. Be cautious while surfing the net and when you come across pop-ups!!