
Pav.exe is not a Personal Touch You're Looking For

Rogueware of the week: Personal Anti-Virus

The distributors of this scareware (FakeAV, rogueware, FakeAlert, whichever name you prefer) have recently been chasing headline events, as we posted here. As the distributors repack the binaries for their various ongoing campaigns, the newest variants are evading legitimate AV detection fairly effectively for the most part. In the meantime, the ThreatFire community continues to be protected from the latest pav.exe variants, and activity has been quite high over the past few days.

The installer names seen in the ThreatFire community, in addition to the pav.exe payload, look like:
Antivirus-3ab3_2006-71.exe, Antivirus-9dc04_2006-71.exe, Antivirus-dea18f_2006-71.exe.

This morning's top five busiest servers providing these installers are hosted on IP addresses accompanied by very official-sounding DNS names:
88.198.120.177
best-folder-scanv3.com
check-for-malwarev3.com
check-your-pc-onlinev3.com
online-best-scanv3.com
online-defenderv9.com
online-secure-scannerv2.com
premium-antispy-scanv3.com
premium-antispy-scanv7.com
secure-spyware-scannerv3.com
secure-virus-scannerv5.com

91.212.127.200
check-for-malwarev3.com
check-your-pc-onlinev3.com

88.198.107.25
best-folder-scanv3.com
check-for-malwarev3.com
check-your-pc-onlinev3.com
online-best-scanv3.com
online-defenderv9.com
online-secure-scannerv2.com
premium-antispy-scanv3.com
premium-antispy-scanv7.com
secure-spyware-scannerv3.com
secure-virus-scannerv5.com

91.212.107.5
basicsystemscannerv8.com
best-folder-scanv3.com
bestpersonalprotectionv2.com
bestpersonalprotectionv7.com
check-for-malwarev3.com
check-your-pc-onlinev3.com
computer-antivirus-scanv9.com
fastvirusscanv6.com
govirusscanner.com
mysafecomputerscan.com
online-best-scanv3.com
online-defenderv9.com
online-pro-antivirus-scan.com
online-secure-scannerv2.com
onlineantispywarescanv6.com
onlinebestscannerv3.com
onlinepersonalscanner.com
onlineproantivirusscan.com
onlineproantivirusscanner.com
personalantivirusprotection.com
personalfolderscanv2.com
premium-antispy-scanv3.com
premium-antispy-scanv7.com
private-antivirus-scannerv2.com
privatevirusscannerv8.com
secure-antispyware-scanv3.com
secure-spyware-scannerv3.com
secure-virus-scannerv5.com
securepersonalscanner.com
securityfolderprotection.com
spyware-scannerv2.com
spywarescannerv4.com

209.44.126.52 <-- This one and its related domains appear to be more recently used by the group.
antimalwareonlinescanv4.com
best-security-scanv8.com
online-secure-scanv7.com
virusonlinescanv3.com

94.102.51.26
basicsystemscannerv8.com
best-folder-scanv3.com
bestpersonalprotectionv2.com
bestpersonalprotectionv7.com
check-for-malwarev3.com
check-your-pc-onlinev3.com
computer-antivirus-scanv9.com
fastvirusscanv6.com
govirusscanner.com
mysafecomputerscan.com
online-best-scanv3.com
online-defenderv9.com
online-pro-antivirus-scan.com
online-secure-scannerv2.com
onlineantispywarescanv6.com
onlinebestscannerv3.com
onlinepersonalscanner.com
onlineproantivirusscan.com
onlineproantivirusscanner.com
personalantivirusprotection.com
personalfolderscanv2.com
premium-antispy-scanv3.com
premium-antispy-scanv7.com
private-antivirus-scannerv2.com
privatevirusscannerv8.com
secure-antispyware-scanv3.com
secure-spyware-scannerv3.com
secure-virus-scannerv5.com
securepersonalscanner.com
securityfolderprotection.com
spyware-scannerv2.com
spywarescannerv4.com
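The indicator list above is most useful when it is turned into something a defender can run against proxy or DNS logs. The following Python is an added example, not code from the ThreatFire blog or from any product it mentions: it parses the post's IP-then-domains layout (only a subset of the list is embedded here, constructed for the example; the full list pastes in unchanged), then flags constructed log lines that touch a listed hosting IP, a listed domain or one of its subdomains, the pav.exe payload name, or an installer name matching the Antivirus-<hex>_2006-71.exe pattern seen in the post. The log format and the sample lines are assumptions made for the example.

```python
"""Match web-proxy log lines against the Personal Anti-Virus (pav.exe) indicators above."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator text in the layout the post uses: a hosting IP on its own line, then the
# domains seen on it. Subset of the post's list, embedded here for the example.
IOC_TEXT = """
88.198.120.177
best-folder-scanv3.com
check-for-malwarev3.com
online-defenderv9.com
secure-virus-scannerv5.com

91.212.127.200
check-for-malwarev3.com
check-your-pc-onlinev3.com

209.44.126.52
antimalwareonlinescanv4.com
best-security-scanv8.com
online-secure-scanv7.com
virusonlinescanv3.com
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Installer names in the post look like Antivirus-3ab3_2006-71.exe: a hex tag, fixed suffix.
INSTALLER_RE = re.compile(r"^Antivirus-[0-9a-f]+_2006-71\.exe$", re.IGNORECASE)
PAYLOAD_NAMES = {"pav.exe"}

# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_LOG = [
    "2009-02-11T10:02:13 10.0.0.5 GET http://check-for-malwarev3.com/scan/index.php 200",
    "2009-02-11T10:02:19 10.0.0.5 GET http://209.44.126.52/download/Antivirus-3ab3_2006-71.exe 200",
    "2009-02-11T10:03:01 10.0.0.7 GET http://www.example.com/ 200",
    "2009-02-11T10:03:40 10.0.0.9 GET http://cdn.online-defenderv9.com/pav.exe 200",
]


def parse_ioc_list(text):
    """Return {hosting_ip: {domain, ...}} from the IP-then-domains layout."""
    hosting = defaultdict(set)
    current_ip = None
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()  # drop the post's inline "<--" annotation
        if not line:
            continue
        if IPV4_RE.match(line):
            current_ip = line
            hosting[current_ip]  # register the IP even if no domain line follows
        elif current_ip is not None:
            hosting[current_ip].add(line.lower())
    return dict(hosting)


def host_matches(host, domains):
    """True when host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines, hosting):
    """Return [(line_no, reason), ...] for each log line that touches an indicator."""
    all_domains = set().union(*hosting.values())
    findings = []
    for n, line in enumerate(lines, 1):
        url = next((f for f in line.split() if f.startswith(("http://", "https://"))), None)
        if url is None:
            continue
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in hosting:
            findings.append((n, f"known hosting IP {host}"))
        elif host_matches(host, all_domains):
            findings.append((n, f"known rogue AV domain {host}"))
        basename = parts.path.rsplit("/", 1)[-1]
        if INSTALLER_RE.match(basename):
            findings.append((n, f"installer name pattern {basename}"))
        elif basename.lower() in PAYLOAD_NAMES:
            findings.append((n, f"payload name {basename}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG, parse_ioc_list(IOC_TEXT)):
        print(f"line {line_no}: {reason}")
```

Domain matching includes subdomains on purpose: the post lists registered domains, and campaigns of this kind serve from arbitrary hosts beneath them. The installer regex is deliberately narrow to the naming the post reports; widen it only with evidence from your own samples, since a loose pattern will match legitimate vendor installers.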

Update: Dancho Danchev dissected the SEO campaign related to delivering this FakeAV here. It seems that the campaign may be morphing its keyword targets to printables, Bob the Builder valentines, Wisconsin Badgers, and others.

This entry was posted in The Law.
