Vir7remover_2009_b2.exe / defend6-pc.com scareware

While researching some information, I came across a Google hit that looked like what I was looking for, but when I opened the page, none of the text in the preview paragraph was there. Somebody must have fed bogus contents to GoogleBot to attract searches.

Instead of the expected information I found myself on a scareware site called defend6-pc.com, which then tried to coerce me into downloading and installing its fake security software. A pop-up dialog asked me whether I wanted to scan my computer with their software. It didn’t matter whether I clicked OK or Cancel, a download would always start. Only by closing the browser window could I get rid of their nasty pop-up dialogs.

I’m using Mozilla Firefox, which does not offer to run downloaded EXEs directly. I did not click on the downloaded “Vir7remover_2009_b2.exe”; instead I ran it through the VirusTotal.com online malware scanner (highly recommended!), and products by four companies diagnosed it as malicious or suspicious:

  • Microsoft (1.5605) says it’s a “Trojan:Win32/FakeXPA”
  • Sophos (4.52.0) says it’s “Mal/FakeAV-CX”
  • VBA32 (3.12.12.4) says it’s “BScope.Trojan.MTA.0157”
  • Panda (10.0.2.2) calls it a “Suspicious file”

“Mal/FakeAV-CX” indicates “scareware”, software that pretends to be an anti-virus / malware scanner and scares you with bogus alerts about malware on your hard disk into installing and/or purchasing the software. Such software can include Trojans (as you would suspect from “Trojan:Win32/FakeXPA” and “BScope.Trojan.MTA.0157”) that take over your machine and can give someone else full control over it for malicious activities.

The following domains are all hosted on the same server as defend6-pc.com (IP address 93.174.95.154) and this list probably is not complete. I definitely would not recommend installing any software from any of these sites:


Spam from hacked hotmail accounts sent from China

A bit over a year ago I wrote here about the “New Shopping, new life” spam that was sent from hacked free webmail accounts to advertise fake Chinese online shops. Recently I have been seeing a lot more spam like that, mostly using hacked Hotmail accounts. Here is a typical example:

hello：
Please forgive us to disturb your valued time.
This is a big wholesale company in china, sell electronic products to all the world,such as laptop, camera, phone and so on. We can offer the low price and high quality to you. If you have free time, please to visit our official website: http://lezucker.com
if you have any other questions, please be free contact us by email or msn at any time.
Yours Sincerely,

——————————————————————————–
Not got a Hotmail account? Sign-up now – Free

The email accounts appear to be accessed from IP addresses in China such as these:

  • 60.4.32.231 (3220 emails)
  • 116.7.20.191 (1974 emails)
  • 121.35.79.35 (1865 emails)
  • 60.4.153.48 (326 emails)
  • 121.35.79.16 (265 emails)

The email counts are for a period of about 60 hours and are only for my spam traps and external spam feeds, not the total sent from those addresses. What’s more, it’s not just a large number of emails per IP address but also per mail account (full address obscured for privacy reasons):

  • XXamari35@hotmail.com (2645 emails)
  • XXpsychling@hotmail.com (1994 emails)
  • XXishacarroll@hotmail.com (1215 emails)
  • XXbgreene27@hotmail.com (671 emails)
  • XXedina723@hotmail.com (575 emails)
  • XXgmo@hotmail.com (326 emails)
  • XXroxd1@hotmail.com (294 emails)

I find it surprising that Hotmail would allow a single free mail account to send out thousands of spams a day without getting it shut down. I can only guess what the total number is, as the above are only spam that I have received copies of. Clearly Microsoft will have to improve its mechanisms to catch such abuse.

Here are some of the domains advertised by these scammers:

  • lezucker.com (4189 emails)
  • ebroun.com (2645 emails)
  • hgbet.com (329 emails)
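As an added example (not code from the original post), here is how the per-IP, per-account and per-advertised-domain counts above can be produced from a spam-trap feed, with a threshold to flag accounts that send far too much for a single free webmail user. The log format, the IP addresses, the accounts and the shop domains are all constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of spam-trap log lines (not real data): one line per
# received message with the originating IP, the sending account and the
# URL advertised in the body. A real feed would hold thousands of lines.
SAMPLE_LOG = """\
2009-05-01T10:00:01 ip=192.0.2.10 from=alice99@example.com url=http://shop-one.example/
2009-05-01T10:00:05 ip=192.0.2.10 from=alice99@example.com url=http://shop-one.example/
2009-05-01T10:01:12 ip=192.0.2.11 from=bob77@example.com url=http://shop-two.example/
2009-05-01T10:02:44 ip=192.0.2.10 from=alice99@example.com url=http://shop-one.example/
2009-05-01T10:03:09 ip=198.51.100.7 from=carol@example.net url=http://shop-one.example/
"""

# Hypothetical line layout; adapt the pattern to the feed you actually receive.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) from=(?P<acct>\S+) url=https?://(?P<host>[^/\s]+)")


def parse_feed(text):
    """Yield (ip, account, advertised_host) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # malformed lines are skipped rather than crashing the tally
            yield m.group("ip"), m.group("acct").lower(), m.group("host").lower()


def summarize(text):
    """Count messages per originating IP, per sending account and per advertised domain."""
    by_ip, by_acct, by_host = Counter(), Counter(), Counter()
    for ip, acct, host in parse_feed(text):
        by_ip[ip] += 1
        by_acct[acct] += 1
        by_host[host] += 1
    return by_ip, by_acct, by_host


def flag_abusive(counter, threshold):
    """Keys whose count reaches the threshold, sorted for stable reporting."""
    return sorted(k for k, n in counter.items() if n >= threshold)


def mask(address):
    """Obscure the local part the way the post does: replace its first two characters with XX."""
    local, _, domain = address.partition("@")
    return "XX" + local[2:] + "@" + domain


if __name__ == "__main__":
    by_ip, by_acct, by_host = summarize(SAMPLE_LOG)
    for acct in flag_abusive(by_acct, 3):
        print(mask(acct), by_acct[acct], "emails")
```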

The IP addresses seem to be mostly but not exclusively from providers in the South of China, in Henan and Guangdong provinces:

inetnum: 115.48.0.0 – 115.63.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN

inetnum: 123.8.0.0 – 123.15.255.255
netname: UNICOM-HA
descr: China Unicom Henan province network
descr: China Unicom
country: CN

inetnum: 123.52.0.0 – 123.55.255.255
netname: MAINT-CHINANET-HA
descr: CHINANET HENAN PROVINCE NETWORK
descr: henan Telecom Corporation
descr: 97# Zhongyuan Street, Zhengzhou,henan,Chinese
country: CN

inetnum: 121.32.0.0 – 121.35.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN

inetnum: 219.128.0.0 – 219.137.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN

inetnum: 123.112.0.0 – 123.127.255.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN