From the category archives:

Rogue

AntiSpyCheck Rogue Security Program

by certifiedbug on June 11, 2008

in Rogue

The latest rogue installed through the Zlob Trojan.

How to remove AntiSpyCheck

If you have an infected computer and would feel more comfortable being assisted by a trained malware remover helper, please start a topic at one of the forums. A short but trusted list is in the right-hand column.

Certifiedbug: Fake Security Programs


Anykindmp3 com installs Rogue Virusheat

by certifiedbug on June 6, 2008

in Rogue

Sunbelt Blog, screenshots here

Anykindmp3 com advertises free music. Instead, what you’re going to get is a trojan downloader that installs Virusheat.

This is an extremely dangerous site, because it’s so innocuous, luring people in with “free MP3s”. Expect users to get infected by typing in various keywords to search engines.

Certifiedbug: VirusHeat Rogue antispyware program

Not yet tested at Site Advisor: http://www.siteadvisor.com/sites/anykindmp3.com/postid?p=936196


Zinaps Rogue Security Program

by certifiedbug on May 28, 2008

in Rogue

Not much information at this time: a couple of screenshots at the Sunbelt Blog and a few victims in the security forums seeking assistance.

Sunbelt: Fresh new rogue antispyware programs


KvmSecure Rogue Security Program

by certifiedbug on May 22, 2008

in Rogue

Bharath’s Security Blog

The rogue uses the Software-payment.com site for payment processing. Beware that this site is also used by many other rogue security applications for payment processing.

How to remove KVMSecure
http://www.bleepingcomputer.com/malware-removal/kvmsecure

As always, if you have an infected computer and would feel more comfortable being assisted by a trained malware remover helper, please start a topic at a trusted security forum.


Victims of bucksbill.com

by certifiedbug on May 19, 2008

in Rogue

Going by the number of complaints, you have less chance of getting a refund from bucksbill.com than of winning the lottery.

Spyware Sucks, an anti-spyware blog, warned about the rogue a while back and today posted a disclaimer:

Unfortunately, people are also emailing me directly because they (mistakenly) believe that I and/or this blog are associated with the fraudsters.

I am NOT associated with bucksbill.com

Please, remember that victims of overcharging and unauthorised charges can dispute the charge with their bank or building society and request that the charge be reversed.

Think twice before handing over credit card information on the internet. Do you know anything about the company? A little research could save a lot of grief.

Certainly don’t do it in a panic because some company you have never heard of before pops up saying your computer is infected and that you should buy their product to remove it.

Sure sign of a rogue.


AntiSpySpider Rogue Security Program

by certifiedbug on May 13, 2008

in Rogue

Along with the dark side pushing cracks, warez and keygens for rogue programs (perhaps to dupe people into thinking the programs have value), there are also many untrustworthy sites offering to remove it. From the frying pan into the fire.

From Bleeping Computer:

This infection attempts to make it difficult to uninstall by disabling the Windows regedit.exe program and the Windows Task Manager. This makes it so you can’t edit your registry with RegEdit or kill processes that may be running with the Task Manager. As part of this fix, I have created a small tool called regallow that will re-enable the use of RegEdit so that this infection can be properly removed.

How to remove AntiSpySpider and sockins32.dll
http://www.bleepingcomputer.com/malware-removal/antispyspider

If you have an infected computer and would feel more comfortable being assisted by a trained malware remover helper, please start a topic at one of the forums. A short but trusted list is in the right-hand column.


xpsecuritycenter Rogue Security Program

by certifiedbug on May 9, 2008

in Rogue

xpsecuritycenter has only two pages in Google at the moment; it may not be regarded as a serious threat, as it was noticed in the spring of 2008. However, xpsecuritycenter belongs to a family of rogues.

Many people rely on Site Advisor to check if a domain is good or bad, but Site Advisor is extremely slow to test and rate, which is surprising as the site belongs to McAfee.

For instance, malwarebell.com was added to Symantec.com’s Rapid Release on April 16, 2008.

Yet at Site Advisor it still isn’t rated as of writing. And what about pandora-software.com, which was given a green rank?

We tested this site and didn’t find any significant problems.

The domain name might have been a tip off.

An experienced reviewer at Site Advisor posted in January 2008 that pandora-software.com is a malicious domain.

Bharath’s Security Blog: Saga of IE Defender Family

If you don’t have a HOSTS file other than the default one in Microsoft Windows, please consider:
Blocking Unwanted Parasites with a Hosts File


UnigrayAntiVirus MonaRonaDona Scam

by certifiedbug on March 5, 2008

in Rogue

Malware that goads people into purchasing a rogue anti-spyware program to remove it is old news; only the name changes.

So we have a new spin: MonaRonaDona appears to be malware created to scare people into purchasing a fake anti-virus product, Unigray AntiVirus.

According to an analysis by Kaspersky Lab, MonaRonaDona’s author is hoping the victim will conduct a Google search for instructions on how to remove it and thus be led to Unigray AntiVirus.

Unigray.com has only been in existence for two weeks now, said the Analyst’s Diary.

It seems very strange that such a new program would include detection for MonaRonaDona while legitimate antivirus products don’t.

Analysing the program further I found that it has only one removal routine. Guess for which malicious program? That’s right - MonaRonaDona. Unigray will clean it up for only $39.90 – this doesn’t sound like the best of deals to me.

A comparison of the code of MonaRonaDona and Unigray Antivirus shows that there are many, many similarities. This leaves very little doubt that the same group is behind both MonaRonaDona and Unigray. And this case clearly shows that the bad guys are getting very good at social engineering.

If you have this infection please see this topic: http://www.dslreports.com/forum/r20088377-Re-MonaRonaDona-virus


WinReanimator SpyBurner Rogue antispyware programs

by certifiedbug on February 16, 2008

in Rogue

New Rogues:

WinReanimator is a rogue security program that is advertised and installed by the Vundo Trojan and other malware. The Vundo infection is typically installed by visiting or downloading executables from certain pornographic or crack sites. Once installed, the infections will bombard the infected computer with popups and fake security alerts stating that your computer is infected or has security risks. When you click on these popups you will be presented with a variety of rogue anti-spyware programs, including WinReanimator, stating that you are infected and that you should install their products. Remember that these are all scams and ads delivered by the infections and should be ignored.

Another byproduct of these infections is an alert icon (Fake Taskbar alert) that appears in your Windows taskbar and periodically displays fake security alerts and warnings. The title of these alerts is Windows antivirus and they contain the following text:

Windows has detected spyware infection!

It is recomended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you

Click here to protect your computer from spyware!

Removal Instructions.

SpyBurner is a program classified as a rogue anti-spyware program. Rogue anti-spyware programs are ones that are installed or advertised via malware, use deceptive advertising, or use false positives in the scan results to convince a user to purchase the commercial version of the software. These programs also typically will not allow you to remove anything they find without first paying to register the program. SpyBurner is classified as one of these programs as it is advertised through the use of malware and Trojans that display fake security alerts on your Windows taskbar.

Removal Instructions.


VirusHeat Rogue antispyware program

by certifiedbug on February 8, 2008

in Rogue

VirusHeat. Can’t say it enough, Rogue!

VirusHeat is installed on your computer when you download and install a Trojan masquerading as a video or audio codec required to view a movie on the Internet. These fake codecs are known as Zlob Trojans. Once you install these programs, though, they install VirusHeat onto your computer along with other malware without your permission.

When the Zlob Trojan is installed, it automatically downloads and installs VirusHeat onto your computer. It will then configure your computer to automatically start another Trojan that displays fake security alerts in your taskbar that state you are infected or have some other security problem on your computer. When you click these alerts, VirusHeat automatically opens and scans your computer. This scan will not only display fake and exaggerated results, but will also find the Trojan that installed it in the first place. The scam, though, is that in order to remove anything you must first pay for the commercial version of this software. It goes without saying that by no means should you purchase this scamware.

How to remove VirusHeat (Removal Instructions)
http://www.bleepingcomputer.com/forums/topic130080.html
