MonaRonaDona and rogue Unigray
FYI...
- http://preview.tinyurl.com/2m8h33
March 4, 2008 (Symantec Security Response Weblog) - "We have analysed samples of malware that is calling itself 'MonaRonaDona'... it seems the sole purpose of the malware is to prompt the user to enter the term "MonaRonaDona" into a search engine. This is an attempt to lead them to an application that can remove the unwelcome threat - a fix that has obviously been conveniently provided by the very people who created the virus in the first place. When the Trojan executes, it creates the file SRVSPOOL.EXE in the startup folder of all user accounts... Once the user enters the name 'MonaRonaDona' into an Internet search engine, some of the top search results will be the "fix" that the malware authors have - in all probability - also conveniently created in order to solve the problem... this is a scam and warn victims against downloading the Trojan author's application created to remove the malware, which they were charging US$39.90 for (the Unigray Web site was down at the time of writing). While the software does in fact remove the MonaRonaDona Trojan - it is the ONLY malware it removes, despite the fact that it (falsely) reports to have cleaned over 200 other threats..."
(Screenshots available at the URL above.)
:fear:
Removal:
> http://www.dslreports.com/forum/r200...RonaDona-virus
2008-03-01
:bigthumb:
- http://blog.trendmicro.com/the-art-d...-monaronadona/
March 6, 2008 - "...Unconfirmed reports of initial infection happens when users click on a certain ad banner for Registry Clean Fix, a possible rogue program, to initiate stealth download of MonaRonaDona onto a system. The malware remains inactive (and impervious to detection) until users restart their systems.... Trend Micro advises users to refrain from clicking ad banners, which might lead to unexpected download of malicious files on a system or redirection to a malicious Web site. Trend Micro also implores users to be more wary of new social engineering techniques being practiced in the wild."
Another FAKE MS SPAM msg...
FYI...
Another fake MS spam
- http://sunbeltblog.blogspot.com/2008...e-ms-spam.html
July 15, 2008 - "...The file being pushed, free.exe, is an installer for Antivirus XP 2008, a nasty rogue antispyware program... SPAM has stopped just being a nuisance, and become a serious potential security threat..."
(Screenshot available at the URL above.)
:fear:
Fake AV Trojans Ramping Up
FYI...
Fake AV Trojans Ramping Up
- http://blog.trendmicro.com/fake-anti...ns-ramping-up/
August 14, 2008 - "...new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal, although we have also received reports that the said link is also circulating in instant messaging applications and private messages in social networking Web sites. Once the said URL link is clicked, the Web threat infection chain begins and ultimately leads to the downloading of a Trojan detected by Trend Micro as TROJ_FAKEAV.CX, a rogue antivirus that displays very convincing (and for some, alarming) messages... TROJ_FAKEAV.CX also drops another malware, detected as TROJ_RENOS.ACG. RENOS Trojans are known to have very visual payloads that may further alarm users (for example, they modify the system’s wallpaper and screensaver settings to display BSOD). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it. Rogue antispyware isn’t entirely new, although our researchers have been seeing an increase in activity for the past couple of months... Perhaps it’s because this is also the time of the year when the more legitimate security suites are releasing their latest software updates, and cybercriminals are riding on this season to ramp up their profits. Bad news for the infected users though, as their latest versions of “antivirus software” are actually adding more threats to their system..."
(Screenshots available at the URL above.)
:fear::spider::fear:
XP Antivirus 2008 - Anatomy of a malware SCAM
FYI...
- http://www.theregister.co.uk/2008/08...ack/page8.html
22 August 2008 - "...One can only wonder how many users have been duped into installing ineffective security software, and what happened to their private information and credit card data when they paid for it. The presence of such software, and the overall very high quality of the ruse it presents, is frightening. More than likely, thousands of people have been fooled. In fact, this type of deception has been around for several years now, and it would not still be here if it did not work well.
This should serve as a dire warning to all: be extremely careful what you trust, and question everything that looks even remotely suspicious..."
(Many screenshots shown in the article - well worth your time to review.)
You may also want to visit TeMerc's site on this subject:
- http://www.temerc.com/forums/viewtopic.php?f=26&t=5053
...and this tool: RogueRemover FREE (i.e.: XP Antivirus 2008, etc. - 444 different suspicious applications)
> http://www.malwarebytes.org/rogueremover.php
:fear:
XP Antivirus 2008 - now with exploits...
FYI...
XP Antivirus 2008 now with sploits, Google Adwords affected
- http://sunbeltblog.blogspot.com/2008...h-sploits.html
August 27, 2008 - "...problem of Google Adwords pushing Antivirus XP Antivirus 2008. The situation is still ongoing. However, it’s taken a turn for the worse, as these XP Antivirus pages are pushing exploits to install malware on the users system. This will also affect the many syndicators of Google Adwords... There are a variety of exploits being used, including setslice and an AOL IM exploit. Unusually, an exploit framework is not being used. Fully patched systems will not be affected by these exploits. The exploit attempts to install the following malicious file: huytegygle com/bin/ file.exe..."
(Screenshots available at the URL above.)
:fear:
Spammed SWF URLs... lead to rogue AV
FYI...
Spammed SWF URLs Abuse ImageShack, Lead to Rogue AV
- http://blog.trendmicro.com/spammed-s...d-to-rogue-av/
Aug. 28, 2008 - "We’re seeing a lot of spam right now using the now annoyingly familiar Free Update Windows XP, Vista spam template. This time though, instead of linking to an .EXE file, it is now pointing to an .SWF file. The SWF file linked via the large-font text Free Update Windows XP,Vista contains Flash ActionScript... After this a EULA window appears, and then the system proceeds to install a rogue AV software from avxp-2008.net. Note that it does this automatically from the moment the install.exe is run... The technique used in the spam has two things going for it:
1. the use of SWF instead of EXE and
2. the use of an ImageShack-hosted file, both of which may suggest to normal users that the file is possibly harmless.
So it seems the siege of rogue AV is not only not dying down, its proponents are becoming more creative in their “advertising” schemes. We detect this rogue AV as TROJ_FAKEAV.IG."
(Screenshots available at the URL above.)
:fear::mad:
Fake AV 2009 and search engine results
FYI...
Fake AV 2009 and search engine results
- http://isc.sans.org/diary.html?storyid=5042
Last Updated: 2008-09-16 01:15:04 UTC - "Web servers have been compromised and their .htaccess files have been modified. Here you can see an example of a modified .htacces
http://forums.devnetwork.net/viewtopic.php?f=6&t=85984 ...
Another site that was compromised and searches redirected is discussed here:
http://groups.google.com/group/Googl...d2cafd907a0380 ...
Their .htaccess is being modified to rewrite requests. Specifically they are redirecting to sites that "advertise" antivirus2008 or antivirus2009 when several search engines try to spider the original site. They redirect most of the search engines there (google, yahoo, altavista...). I believe that is how they are getting their fake av into the search engines with a HIGH hit rate. The site I was seeing in use was int3rn3t-d3f3ns3s .com Which is an "ad" for anti-virus2009... used to convince victims to load this fake-av software...
int3rn3t-d3f3ns3s .com is at 84.16.252.73 I recommend blocking that at your enterprise gateway. Prt3ctionactiv3scan .com which is mentioned in the sunbelt blog is at 78.159.118.168 blocking that at your gateway is also recommended.
There is a blog here about some of these fake av sites.
http://ddanchev.blogspot.com/2008/08...-security.html
Microsoft mvp Harry Waldron blogged about it here.
http://msmvps.com/blogs/harrywaldron...n-attacks.aspx ...
Sunbelt did a good write up of it here and has been tracking the sites involved.
http://sunbeltblog.blogspot.com/2008...pdate-iii.html
If you need antivirus software icsa labs has a useful collection of valid links here:
https://www.icsalabs.com/icsa/topic....$5ac9-0f77e15b "
:fear::fear: