
Rogue Antivirus on tourdevietnam.com



Greetings,

I was browsing through Google for my favorite actress when I clicked on this site,

tourdevietnam.com, and I got a message prompting that my machine wants to install an antivirus program. I terminated Firefox using Task Manager; I didn't click Yes or No on the Firefox window. I scanned my PC with Norton 360 and Malwarebytes, and that rogue antivirus hasn't been installed.

Here's the link hxxp://images.google.com/images?um=1&h...=84&ndsp=21

properties of the picture hxxp://t0.gstatic.com/images?q=tbn:lckYsmB...EzDffQDJv8l.jpg

There's a picture of Estelle Parsons, and there's a photo of Jim Parsons, where the rogue antivirus message prompts to install.

Is there a way to report this site on the internet, so they can shut it down?

Thanks


Here's the name of the picture from Google Images:

Estelle Parsons

369 x 594 - 47k - jpg

tourdevietnam.com


Below are the results of my Norton 360 scan:

Category: Intrusion Prevention

Date & Time,Severity,Activity,Status,Recommended Action,Risk Name,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description,Category

3/8/2010 9:22 AM,High,"An intrusion attempt by localhost was blocked. Application path <path>\DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE</path>",Blocked,No Action Required,HTTP Fake Antivirus Install Request 4,"localhost (127.0.0.1, 49191)",93.186.127.201/hitin.php?land=20&affid=95202,"localhost (127.0.0.1, 50398)",127.0.0.1 (127.0.0.1),"TCP, Port 49191",

3/8/2010 8:47 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,,,,,Intrusion Prevention

3/8/2010 8:47 AM,Info,Intrusion Prevention is monitoring 1535 signatures. Driver version: 9.1.2.5,Detected,No Action Required,,,,,,,Intrusion Prevention

3/8/2010 8:47 AM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100224.002,Detected,No Action Required,,,,,,,Intrusion Prevention

Intrusion attempt by localhost was blocked Application Path\DEVICE\HARDDISKVOLUME3\PROGRAMFILES(X68)\MOZILLAFIREFOX\FIREFOX.EXE Attacker URL: 93.186.127.201/hitin.php?land=20&affid=95202 Traffic Description: TCP Port 49191 Risk Name: HTTP Fake Antivirus Install Request 4


Hi Slava12,

The initial legitimate website has been hacked and had a redirect inserted to a fake scanner page (93.186.127.201/hitin....).

The fake scanner site then tries to force the download of a rogue/trojan install file (93.186.117.25/7_7575fc.....).

Unless this trojan file has been allowed to run you will not be infected with the SystemTool rogue install.

MBAM realtime IP blocking intercepts this at 2 different stages of the attack vector (should the first be missed/ignored).

The fake scanner page will be blocked unless the IP blocker is switched off.

16:13:16	User	MESSAGE	IP Protection started successfully
16:13:18 User IP-BLOCK 93.186.127.201
16:13:20 User IP-BLOCK 93.186.127.201
16:13:22 User MESSAGE IP Protection stopped

The source URL for the rogue/trojan installer (SystemTool) that the fake scanner prompts a download/run box for:

16:13:54	User	MESSAGE	IP Protection started successfully
16:13:56 User IP-BLOCK 93.186.117.25
16:13:58 User IP-BLOCK 93.186.117.25

In order to become infected by this file you would have had to turn off the IP blocker again to even receive the file on your computer, let alone allowing our realtime signatures and in-memory heuristics loose on the file after you receive it :P

16:14:02	User	MESSAGE	IP Protection stopped
16:14:04 User DETECTION C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\P7L0Z8A6\inst[2].exe Rogue.SecurityTool QUARANTINE
16:14:05 User DETECTION C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\P7L0Z8A6\inst[2].exe Rogue.SecurityTool DENY

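As an added illustration (not code from either poster or from Malwarebytes), a small Python script that parses the two log formats quoted in this thread, the Norton 360 IPS CSV export and the MBAM protection log, and correlates them by host so you can see which stage of the redirect chain (fake scanner page, installer download, dropped file) each product stopped. The sample lines are constructed from the thread and abbreviated.

```python
import csv
import io
import re
# Constructed samples modelled on the Norton 360 IPS export and the MBAM
# protection log quoted in this thread (abbreviated, not the posters' full logs).
NORTON_CSV = """\
Date & Time,Severity,Activity,Status,Recommended Action,Risk Name,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description,Category
3/8/2010 9:22 AM,High,"An intrusion attempt by localhost was blocked.",Blocked,No Action Required,HTTP Fake Antivirus Install Request 4,"localhost (127.0.0.1, 49191)",93.186.127.201/hitin.php?land=20&affid=95202,"localhost (127.0.0.1, 50398)",127.0.0.1 (127.0.0.1),"TCP, Port 49191",
3/8/2010 8:47 AM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,,,,,Intrusion Prevention
"""
MBAM_LOG = """\
16:13:16 User MESSAGE IP Protection started successfully
16:13:18 User IP-BLOCK 93.186.127.201
16:13:56 User IP-BLOCK 93.186.117.25
16:14:04 User DETECTION C:\\Documents and Settings\\User\\Temp\\inst[2].exe Rogue.SecurityTool QUARANTINE
"""
HOST_RE = re.compile(r"^(?:https?://)?([^/\s]+)")  # host part of 'Attacker URL'

def norton_blocked_hosts(text):
    """Map attacker host -> Risk Name for every IPS event Norton marked Blocked."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        m = HOST_RE.match(row.get("Attacker URL") or "")
        if row["Status"] == "Blocked" and m:
            hosts[m.group(1)] = row["Risk Name"]
    return hosts

def mbam_events(text):
    """Split an MBAM protection log into blocked IPs and (path, threat, action) hits."""
    blocked, detections = set(), []
    for line in text.splitlines():
        parts = line.split(None, 3)  # time, user, kind, rest-of-line
        if len(parts) < 4:
            continue
        if parts[2] == "IP-BLOCK":
            blocked.add(parts[3].strip())
        elif parts[2] == "DETECTION":
            # path may contain spaces, so peel threat name and action off the right
            detections.append(tuple(parts[3].rsplit(None, 2)))
    return blocked, detections

def correlate(norton_csv, mbam_log):
    """Per host: what each product saw; plus whether any dropped file was stopped."""
    norton = norton_blocked_hosts(norton_csv)
    mbam_ips, detections = mbam_events(mbam_log)
    report = {h: {"norton": norton.get(h), "mbam": h in mbam_ips}
              for h in norton.keys() | mbam_ips}
    file_stopped = any(hit[2] in ("QUARANTINE", "DENY") for hit in detections)
    return report, file_stopped
```

A host that appears only under MBAM (here 93.186.117.25, the installer source) is the second stage the responder describes, which Norton's IPS log never reached because the first stage was already blocked.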

OK, I can buy Malwarebytes and have real-time protection. But is it advisable to keep Malwarebytes and Norton 360 on the same PC?

What about the conflict between two programs?

@Slava12

If you can afford to, a purchase of Malwarebytes would be well, well worth it! :P


Hi Slava12 :P

Please use the "ADD REPLY" button in the future when replying.

Yes, you can use Norton 360 & Malwarebytes on the same computer :)

Sometimes conflicts can occur, and if they do, you should follow these two sets of directions:

For Most Norton Products

Add exclusion to Auto-Protect and Risk scan

1 Start your Norton 2010 product.

2 In the Computer pane, click Settings.

3 Under Exclusions, next to Scan Exclusions, click Configure.

4 If you want to exclude a file from scan, under Scan Exclusions, click Add.

5 Browse and select the disk drive or folder or file you would like to exclude and click OK.

If you want to include subfolders within the folder, check Include Subfolders.

6 If you want to exclude a file from Auto-Protect, under Auto-Protect Exclusions, click Add.

7 Browse and select the disk drive or folder or file you would like to exclude and click OK.

If you want to include subfolders within the folder, check Include Subfolders.

8 Click Apply > OK

Step 3: Exclude Malwarebytes' Anti-Malware's Files and Folders From Other Active Security Programs:

For Windows XP:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\System32\drivers\mbamswissarmy.sys

For Windows Vista or Windows 7:

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
  • C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\System32\drivers\mbamswissarmy.sys

For 64 bit versions of Windows Vista or Windows 7:

  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\zlib.dll
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.dll
  • C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamext.dll
  • C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
  • C:\Windows\System32\drivers\mbam.sys
  • C:\Windows\SysWoW64\drivers\mbamswissarmy.sys

Note: If using a software firewall besides the built-in Windows Firewall, you'll need to exclude them from it as well.

