
Tuesday, November 3, 2009

MaCatte scareware fools users by masquerading as McAfee


MaCatte Antivirus is a rogue av that attempts to impersonate McAfee scanners in order to scam users.

This scareware has been seen to be using a bogus My Computer online scan similar to ones we've seen here, here and here.


The online scan can be seen on this url:

hxxp://proscan5.info/25/26-088wLzQzL1EzL==

The downloader being served from this url is time-sensitive and will not work after a period of time. A session ID of some sort is embedded on the binary executable itself. After such time has elapsed, the downloader tells the user to contact MaCatte Antivirus support people. This prevents reverse-engineers from replicating the infection and gathering samples for analysis.

Presence of these files / folders would signal infection from this scareware:
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\MaCatte.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk


Unsuspecting users are set back from their hard-earned money by a hefty $99.

Stay away from these rogue apps.

Thursday, October 15, 2009

Sysguard / Winifighter Clones

Here are some screenshots of the members of this scareware family:

[animated screenshot gallery]

Beware of these rogue apps.

Tuesday, October 13, 2009

Winifighter Clone: TrustFighter

[screenshot: TrustFighter]

Another scareware has been spotted in the wild and it calls itself TrustFighter. This is a recent addition to the Winifighter family of scareware.

Like the other members of this scareware family covered in a previous post, TrustFighter creates heaps of junk binary files in the %systemroot% and %system% directories.

Sample junk files are the following:



Here are some domains participating in this campaign:

securityannounce(dot)com
securityadjust(dot)com
bestmalwaredetect(dot)com
pcprotectzone(dot)com
trustfighter(dot)com


Unsuspecting users get set back by $49.95 from their hard-earned money.

Thursday, August 27, 2009

Porn site distributes scareware

Another website has recently been spotted to be serving up malware in the guise of fake video codecs.

This one praises itself as "The Best Nude Celebrity Movie Site"
hxxp://alyssafan.net/1.html

[screenshot: fake codec prompt]

But in order to watch any video, we would need to download and install their "Certified ActiveX video codec (VAC codec) use to protect content Copyrights".

The fake codec can be downloaded here:
hxxp://alyssafan.net/Mediacodec_v4.8.exe

One of the components used in this attack is an obfuscated JavaScript file that can be found in the %temp% folder.

[screenshot: obfuscated JavaScript]

This script translates to:

[screenshot: deobfuscated JavaScript]

This script downloads:
hxxp://ue4x08f5myqdl.cn/u3.exe

which then gives us the scareware Safety Center:

[screenshot: Safety Center]

Beware of fake video codecs!

Thursday, August 20, 2009

Rogue AV Clone: Windows Protection Suite

[screenshot: Windows Protection Suite website]

Another scareware has been spotted and it calls itself Windows Protection Suite.

You can get Windows Protection Suite from one of these urls:



It uses the same tactic as seen on earlier posts here and here where the website claims to scan the unsuspecting user's computer, detects heaps of infections, and offers a bogus solution.

[screenshot: fake online scan]

Looking at the installed scareware we find out that Windows Protection Suite is nothing but a clone of Windows Security Suite.

[screenshot: Windows Protection Suite]

Even their websites are clones:

[screenshot: the two websites side by side]

hxxp://windowsprotectionsuite.com
hxxp://windowssecuritysuite.com

Thursday, August 13, 2009

Social engineering trick leads to Rogue AV: MacroVirus

I was reading a blog about a Rogue AV when I noticed a suspicious comment on it:

[screenshot: blog comment]

In it, the user was recommending an antispyware program and gave us the following url:
www(dot)tinyurl(dot)com/qlft9c

Following the link, tinyurl does its magic and we are directed to:

hxxp://macrovirus(dot)com/?hop=starbasi

[screenshot: macrovirus(dot)com]

If we believe everything we see and hear, we'll be downloading and installing a scareware:

[screenshot: MacroVirus running]

Here we can see that the bad guys are clearly taking advantage of the url shortening service from tinyurl.com.

Also, you might notice, there's a striking resemblance between the following:

bassey edet
and
hxxp://macrovirus(dot)com/?hop=starbasi

This is probably giving us a hint as to how the bad guys get paid.

If you got this scareware, remove it immediately.

Tuesday, August 11, 2009

Rogue AV: Winifighter

[screenshot: Winifighter]

We've talked about digital clutter on a previous post.

But this one's a real bugger. Winifighter creates heaps of junk binary files in the %systemroot% and %system% directories. The filenames, the contents, and the file sizes are all random. The names, however, contain bits and pieces taken from malware names such as the following:

backdoor
not a virus
spy
trojan
virus
worm
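A filename heuristic for the junk the Winifighter family leaves behind, covering both the list above and the TrustFighter post (an added example, not code from this blog): it looks for the malware-name fragments in digit-led names with the extensions the junk uses, allowing one substituted character, since the samples swap a single letter for a digit or 'z' ("th5eat", "ba5kdoor"). The digit-prefix and one-substitution rules are my own reading of the samples, and the names in SAMPLE_NAMES are embedded sample input.

```python
import os
import re

# Malware-name fragments the Winifighter family embeds in junk filenames: the
# first six are from the Winifighter post, the rest are fragments visible in
# TrustFighter's junk names (adware, thief, threat, hacktool, spambot, steal).
MALWARE_WORDS = ["backdoor", "spy", "trojan", "virus", "worm", "spyware", "adware",
                 "addware", "thief", "threat", "hacktool", "spambot", "steal"]
JUNK_EXTENSIONS = {".dll", ".ocx", ".bin", ".cpl", ".exe"}

def fuzzy_find(stem, word, max_mismatch=1):
    """True if `word` occurs in `stem` with at most `max_mismatch` substituted
    characters (junk names swap one letter for a digit or 'z': 'th5eat',
    'ba5kdoor'). Words under five characters must match exactly."""
    if len(word) < 5:
        return word in stem
    for i in range(len(stem) - len(word) + 1):
        window = stem[i:i + len(word)]
        if sum(a != b for a, b in zip(window, word)) <= max_mismatch:
            return True
    return False

def classify(filename):
    """Malware words hidden in a junk-looking filename; [] when the name does
    not fit the pattern (digit-led stem, one of the binary-ish extensions)."""
    stem, ext = os.path.splitext(filename.lower())
    if ext not in JUNK_EXTENSIONS or not re.match(r"^\d", stem):
        return []
    return [w for w in MALWARE_WORDS if fuzzy_find(stem, w)]

def scan_names(names):
    """Map suspicious filenames to the words found in them, dropping clean ones.
    On a live box, feed it os.listdir() of %systemroot% and %system%."""
    result = {}
    for name in names:
        hits = classify(name)
        if hits:
            result[name] = hits
    return result

# Sample input: junk names of the kind TrustFighter drops plus two legitimate
# Windows filenames, embedded here so the script runs offline.
SAMPLE_NAMES = [
    "5z9bba5kdoor525.dll", "19179virusz65.ocx", "6210spywa5e192z.ocx",
    "5z56th5eat19149.bin", "1977zhacktool54d.cpl", "19645worm7zd.exe",
    "190979iru57z7.ocx",  # two substitutions in 'virus': slips through
    "kernel32.dll", "6to4svc.dll",
]
```

Names with two substituted characters (the "190979iru57z7.ocx" entry) are missed at max_mismatch=1; raising it catches them at the cost of more false positives on legitimate digit-led names.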


This one also spoofs the Windows Security Center to give itself an authentic feel and advises unsuspecting users to register Winifighter.

[screenshot: spoofed Windows Security Center]

And of course we also have those ever so genuinely adorable warning messages:

[screenshots: fake alerts]

As always, I advise everyone to steer clear of these Rogue AVs.

Thursday, August 6, 2009

Rogue AV: Antivirus Plus

Here's another Rogue AV out there, and it's being served by more than one domain:

[screenshot: Antivirus Plus]

Here's a list of some of the domains used to host this Rogue AV:



[screenshot: Antivirus Plus scan results]

Stay away from these rogue domains and block them if you have any means of doing so.

Wednesday, August 5, 2009

Rogue App: System Cleaner

I visited this rogue domain:

hxxp://antivirussecurescannerv3.com

[screenshot: antivirussecurescannerv3.com]

The website proceeded to show me that it is scanning my machine for system errors and that it is doing a very wonderful job because it found heaps of problems on my machine and it is very eager to fix it.

To give the website some kind of authentic feel, it also showed me which browser I am using, my operating system, and my IP address.

It was also offering a 60% discount on the product. Isn't that a good deal?

Now, if the dubious scanning and the overall feel of the website did not give away its real intentions, and if we are to be lulled into buying their software, well... hold on a minute!

If you look at my screenshot, the rogue website was giving some errors about the Windows TEMP folder and Internet Explorer temp files. But how can that be? As I mentioned on a previous post, I am not running Windows!

As usual, unsuspecting users get ripped off for a crappy software. So be careful!

Thursday, July 30, 2009

Rogue AV: Antivirus Plus

Here's another Rogue AV using the same animated system scan in the internet browser as the one in a previous post.

[screenshot: animated scan]

In some instances, Antivirus Plus uses this animated scan instead:

[screenshot: alternate animated scan]

It also uses one of those warnings that look oh so genuinely sincere:

[screenshot: fake warning]

Then of course downloading and installing the rogue app gives us the usual scan results:

[screenshot: Antivirus Plus scan results]

Here's a list of domains currently serving this rogue app:




[screenshot: Antivirus Plus]

Because of the same animated system scan that they use, I reckon System Security and Antivirus Plus are two related rogue apps.

Saturday, July 25, 2009

Heaps of threats found on my C: and D: drives! Oh wait, I'm not running Windows

I have recently been working on Rogue AVs and there's one that made me chuckle.

Rogue website: zocleaner(dot)com

[screenshot: zocleaner scan]

Visiting the rogue website, I was warned that my computer was infected, and then it started scanning my computer as shown above. The image above was being displayed in my browser and was telling me that it had found heaps of threats already!

Clearly the rogue site was trying to fool me into thinking that my computer is infected. Duh! I wasn't even running Windows!

Downloading and installing the rogue application on a test machine gave me the usual outrageous scan results:

[screenshot: System Security scan results]

I advise everyone to be vigilant. People behind these rogue apps are out there to rip us off.