Users continue to get slammed by a Rogue Antivirus distributor. We’ve posted before about the prevalent Virut family redirecting compromised hosts to download FakeAV or scareware products. You can see a screenshot of the previous scareware scam “Secure Antivirus Pro” from “Guardog Computing” in that earlier post. Compare it to the current version, “Advanced Virus Remover PRO”:
Along with modifying TCP drivers, another fairly prevalent and currently active malicious component edits the hosts file with the same goal in mind, adding the following entries to the hosts file on victim systems:
126.96.36.199 advanced-virus-remover2009. com
188.8.131.52 www.advanced-virus-remover2009. com
Check out the image in the TE report: the lvllord component reports on its own functionality for editing the maximum number of concurrent half-open TCP connections, warning “VALUES HIGHER THAN 100 ARE NOT RECOMMEND! Worms will be able to spread very fast!” It is obvious what tool these distributors are bundling and reusing in an attempt to increase the networking throughput of the system.
When there is money to be made on scareware, the same behaviors will be displayed again and again in malware, including the work of sloppy authors.