Page 9 of 15

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Fri Aug 02, 2013 2:55 pm
by andrew9406
ISergey256 wrote: Live Security Professional
to run -> rundll32 DUMP_003E0000-003EF000_unpack_reveton.dll, XFG00

original https://www.virustotal.com/ru/file/410f ... /analysis/
unpacked https://www.virustotal.com/ru/file/2f8c ... /analysis/
fakeav memory dump https://www.virustotal.com/ru/file/3f12 ... /analysis/

activation code F9292-QRT38-U9291-29291-3923F
This... this is a 2012 sample
just search "live security professional" on the internet

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Wed Aug 07, 2013 3:11 pm
by Win32:Virut
Attentive Antivirus

This one works in a virtual machine.

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Fri Aug 09, 2013 6:46 am
by bitstechs
andrew9406 wrote:
ISergey256 wrote: Live Security Professional
to run -> rundll32 DUMP_003E0000-003EF000_unpack_reveton.dll, XFG00

original https://www.virustotal.com/ru/file/410f ... /analysis/
unpacked https://www.virustotal.com/ru/file/2f8c ... /analysis/
fakeav memory dump https://www.virustotal.com/ru/file/3f12 ... /analysis/

activation code F9292-QRT38-U9291-29291-3923F
This... this is a 2012 sample
just search "live security professional" on the internet
Seems like it's a 2013 sample. However, there is the old name of Live Security Platinum that you may be thinking of. I'm seeing new YouTube videos and articles from about a week ago explaining this virus.

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Sat Aug 10, 2013 7:30 pm
by andrew9406
bitstechs wrote:
andrew9406 wrote:
ISergey256 wrote: Live Security Professional
to run -> rundll32 DUMP_003E0000-003EF000_unpack_reveton.dll, XFG00

original https://www.virustotal.com/ru/file/410f ... /analysis/
unpacked https://www.virustotal.com/ru/file/2f8c ... /analysis/
fakeav memory dump https://www.virustotal.com/ru/file/3f12 ... /analysis/

activation code F9292-QRT38-U9291-29291-3923F
This... this is a 2012 sample
just search "live security professional" on the internet
Seems like it's a 2013 sample. However, there is the old name of Live Security Platinum that you may be thinking of. I'm seeing new YouTube videos and articles from about a week ago explaining this virus.
Apparently around September 2012 there was a rogue in another rogue family called "Live Security Professional",
and also the "copyright" date on the rogue was 2012...

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Sun Aug 11, 2013 9:55 pm
by secObs
PC Defender 360

Virustotal 6/41
https://www.virustotal.com/en/file/1d3ba...1376254175/

MD5: a437f77b1a2789b7a23a19f098fd37fb
SHA-1: def5ae938bb7f7bfc023ffb1f32d18550ba85805


Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Mon Aug 12, 2013 1:15 am
by Grinler
Thanks. From the same family as Antivirus System.

http://www.kernelmode.info/forum/viewto ... 078#p20078

Hijacks .exe extension.
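For the ".exe extension hijack" mentioned above, an added audit script (my own example, not code from this thread or from any of the posters): it compares the file-association registry entries that rogues of this family rewrite against the stock Windows values and, with -Repair, writes the stock values back. The expected values it assumes are the standard ones (HKCR\.exe pointing at the exefile ProgID, and exefile\shell\open\command holding "%1" %*); the HKCU\Software\Classes override paths are checked because the per-user hive shadows the machine-wide one in the merged HKCR view.

```powershell
# Added example: audit (and optionally restore) the .exe file association
# that rogue antimalware hijacks. Not from the thread; assumes the stock
# Windows layout noted in the lead-in. Run from an elevated PowerShell.
# If .exe launching is already hijacked on the box, run it from Safe Mode
# or another boot where the rogue is not active.

function Test-ExeAssociation {
    [CmdletBinding()]
    param(
        [switch]$Repair   # when set, put the stock values back
    )

    $findings    = @()
    $expectedCmd = '"%1" %*'

    # HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, and the
    # per-user entries win, so a hijack may live only under HKCU.
    # Expected = $null means "this override key should not exist at all".
    $checks = @(
        @{ Path = 'HKCU:\Software\Classes\.exe'
           Expected = $null;        Note = 'per-user .exe override (should be absent)' },
        @{ Path = 'HKCU:\Software\Classes\exefile\shell\open\command'
           Expected = $null;        Note = 'per-user exefile command override (should be absent)' },
        @{ Path = 'HKLM:\Software\Classes\.exe'
           Expected = 'exefile';    Note = 'machine-wide .exe ProgID' },
        @{ Path = 'HKLM:\Software\Classes\exefile\shell\open\command'
           Expected = $expectedCmd; Note = 'machine-wide exefile open command' }
    )

    foreach ($c in $checks) {
        $exists = Test-Path -Path $c.Path
        $actual = $null
        if ($exists) {
            # The key's default value surfaces as the "(default)" property
            $actual = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).'(default)'
        }

        if ($null -eq $c.Expected) {
            if ($exists) {
                $findings += [pscustomobject]@{
                    Path = $c.Path; Actual = $actual; Expected = '<absent>'; Note = $c.Note
                }
                if ($Repair) { Remove-Item -Path $c.Path -Recurse -Force }
            }
        }
        elseif ($actual -ne $c.Expected) {
            # A foreign ProgID here (e.g. a random name whose own
            # shell\open\command points at the rogue) is the classic hijack;
            # Actual tells you which ProgID to go and inspect.
            $findings += [pscustomobject]@{
                Path = $c.Path; Actual = $actual; Expected = $c.Expected; Note = $c.Note
            }
            if ($Repair) {
                if (-not $exists) { New-Item -Path $c.Path -Force | Out-Null }
                Set-ItemProperty -Path $c.Path -Name '(default)' -Value $c.Expected
            }
        }
    }

    return $findings
}

# Audit only; add -Repair after reviewing the output to restore the defaults.
Test-ExeAssociation | Format-Table -AutoSize
```

An empty result means the four entries match the stock values. A non-empty result lists each deviation with what is there now, so the ProgID or command the rogue planted can be followed to its executable before anything is deleted.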

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Mon Aug 12, 2013 1:21 pm
by rusl
secObs wrote: PC Defender 360

Virustotal 6/41
https://www.virustotal.com/en/file/1d3ba...1376254175/

MD5: a437f77b1a2789b7a23a19f098fd37fb
SHA-1: def5ae938bb7f7bfc023ffb1f32d18550ba85805

Key generator (Python 2.7.5)

n = 0x4F      # second character == 'O'
i = 0
key = '?O'
while i < 0xF:            # 15 more characters, each prefixed with '?'
    n += 0xB
    if n > 0x5A:          # past 'Z': wrap back into the range 'A'..'Y'
        n = (n - 0x41) % 0x19 + 0x41
    key += '?' + chr(n)
    i += 1
print(key)                # same statement works on Python 2 and 3

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Wed Aug 14, 2013 8:35 am
by secObs
Antiviral Factory 2013

Virustotal 23/45
https://www.virustotal.com/en/file/bd44 ... 376468890/

MD5: 1267861198810de041f203a4026514b8
SHA-1: db7733cefb3f1197f35f23f25ce87c3c709f0d60


Payment page

hxxp://secfastpay.com/p/?&lid=3070040&affid=00083100&nid=0091B719&group=af

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Wed Aug 14, 2013 7:17 pm
by Xylitol
secObs wrote: Payment page

hxxp://secfastpay.com/p/?&lid=3070040&affid=00083100&nid=0091B719&group=af
Site rip in attachment (also containing some older BestAV payment pages)
https://www.virustotal.com/fr/file/cf7e ... 376507657/
lulz:
htxp://secfastpay.com/p/test/
htxp://secfastpay.com/p/ds/
htxp://secfastpay.com/p/sf/
htxp://secfastpay.com/p/af/
htxp://secfastpay.com/p/amd/
htxp://secfastpay.com/p/sd/
htxp://secfastpay.com/p/dap/
htxp://secfastpay.com/p/srs/
htxp://secfastpay.com/p/pas/
htxp://secfastpay.com/p/sca/
htxp://secfastpay.com/p/ava/
htxp://secfastpay.com/p/sdx/
htxp://secfastpay.com/p/fta/
htxp://secfastpay.com/p/ata/
htxp://secfastpay.com/p/sca2/

Re: Rogue Antimalware (FakeAV, 2013 year)

Posted: Sat Aug 17, 2013 4:49 pm
by andrew9406
secObs wrote: PC Defender 360

Virustotal 6/41
https://www.virustotal.com/en/file/1d3ba...1376254175/

MD5: a437f77b1a2789b7a23a19f098fd37fb
SHA-1: def5ae938bb7f7bfc023ffb1f32d18550ba85805

Activation code:
?O?Z?L?W?I?T?F?Q?C?N?Y?K?V?H?S?E
same as attentive antivirus...