{"id":695,"date":"2010-04-10T13:35:02","date_gmt":"2010-04-10T04:35:02","guid":{"rendered":"http:\/\/www.joewein.net\/blog\/?p=695"},"modified":"2010-04-12T09:07:45","modified_gmt":"2010-04-12T00:07:45","slug":"vir7remover_2009_b2-exe-defend6-pc-com-scareware","status":"publish","type":"post","link":"https:\/\/joewein.net\/blog\/2010\/04\/10\/vir7remover_2009_b2-exe-defend6-pc-com-scareware\/","title":{"rendered":"Vir7remover_2009_b2.exe \/ defend6-pc.com scareware"},"content":{"rendered":"<p>While researching some information, I came across a Google hit that looked like what I was looking for, but when I opened the page, none of the text in the preview paragraph was there. Somebody must have fed bogus contents to GoogleBot to attract searches.<\/p>\n<p>Instead of the expected information I found myself on a scareware site called defend6-pc.com that was then trying to coerce me into downloading and installing their fake security software. A pop-up dialog asked me whether I wanted to scan my computer with their software. It didn&#8217;t matter whether I clicked OK or Cancel; a download would always start. Only by closing the browser window could I get rid of their nasty popup dialogs.<\/p>\n<p>I&#8217;m using Mozilla Firefox, which does not offer to run downloaded EXEs directly. I did not click on the downloaded &#8220;Vir7remover_2009_b2.exe&#8221;; instead I ran it through <a href=\"http:\/\/www.virustotal.com\/analisis\/9b36053a5703131b8ff8e3b97788bd381cce9c295d125b859001158562f09459-1270866553\">the VirusTotal.com online malware scanner<\/a> (highly recommended!) 
and products by four companies diagnosed it as malicious or suspicious:<\/p>\n<ul>\n<li> Microsoft (1.5605) says it&#8217;s a &#8220;Trojan:Win32\/FakeXPA&#8221; <\/li>\n<li> Sophos (4.52.0) says it&#8217;s &#8220;Mal\/FakeAV-CX&#8221; <\/li>\n<li> VBA32 (3.12.12.4) says it&#8217;s &#8220;BScope.Trojan.MTA.0157&#8221; <\/li>\n<li> Panda (10.0.2.2) calls it a &#8220;Suspicious file&#8221; <\/li>\n<\/ul>\n<p>&#8220;Mal\/FakeAV-CX&#8221; indicates &#8220;<a href=\"http:\/\/en.wikipedia.org\/wiki\/Scareware\">scareware<\/a>&#8221;, software that pretends to be an anti-virus \/ malware scanner and scares you with bogus alerts of malware on your hard disk into installing and\/or purchasing the software. Such software can include Trojans (as you would suspect from &#8220;Trojan:Win32\/FakeXPA&#8221; and &#8220;BScope.Trojan.MTA.0157&#8221;) that take over your machine and can give someone else full control over your machine for malicious activities.<\/p>\n<p>The following domains are all hosted on the same server as defend6-pc.com (IP address 93.174.95.154) and this list probably is not complete. 
I definitely would not recommend installing any software from any of these sites:<\/p>\n","protected":false},"excerpt":{"rendered":"<p>While researching some information, I came across a Google hit that looked like what I was looking for, but when I opened the page, none of the text in the preview paragraph was there. 
Somebody must have fed bogus contents &hellip; <a href=\"https:\/\/joewein.net\/blog\/2010\/04\/10\/vir7remover_2009_b2-exe-defend6-pc-com-scareware\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,22,14],"tags":[],"class_list":["post-695","post","type-post","status-publish","format-standard","hentry","category-fraud","category-malware","category-software"],"_links":{"self":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts\/695","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/comments?post=695"}],"version-history":[{"count":6,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts\/695\/revisions"}],"predecessor-version":[{"id":701,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/posts\/695\/revisions\/701"}],"wp:attachment":[{"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/media?parent=695"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/categories?post=695"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joewein.net\/blog\/wp-json\/wp\/v2\/tags?post=695"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}