Users continue to get slammed by a Rogue Antivirus distributor. We’ve posted before about the prevalent Virut family redirecting compromised hosts to download FakeAv or scareware product. You can see a screenshot of the previous scareware scam “Secure Antivirus Pro” from “Guardog Computing” at the previous post. Compare to the current version “Advanced Virus Remover PRO”:

Along with modifying tcp drivers, another fairly prevalent and currently active malicious component is editing hosts files with the same effort, adding the following entries to the hosts file on victim systems:
92.241.176.188 advanced-virus-remover2009. com
92.241.176.188 www.advanced-virus-remover2009. com

Check out the image in the TE report, the lvllord component reports on its own maximum concurrent half open tcp connection editing functionality there with “VALUES HIGHER THAN 100 ARE NOT RECOMMEND! Worms will be able to spread very fast!” It is obvious what tool these distributors are bundling and reusing in an attempt to increase the networking throughput of the system.

When there is money to be made on scareware, the same behaviors will be displayed again and again in malware, including the stuff by sloppy authors.

This entry was posted on Thursday, July 16th, 2009 at 9:38 am and is filed under Rogueware. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.