HelpSites


Monday, August 25, 2008

Andromeda AV and AntiVirus PRO 2008 - new Rogue scanners

Posted on 5:37 AM by Unknown
I helped someone today whose computer had Andromeda AV installed.
According to the user, it was installed automatically. I'm still waiting for some more info on where and/or how it was installed.
Not many search-engine hits for this scanner yet, so I suspected it was a new rogue antivirus, especially after I found the website andromeda-av. com, where Antivirus PRO 2008 was hosted as well (antiviruspro2008. net).
All these rogues look the same anyway:

For Andromeda AV:
This one installs as a service called AndromedaAVService (system32\AndromedaAv.exe) and a driver called AndromedaAvDrv (system32\drivers\winav.sys).

The interesting part is that it creates some extra files in the system32 and dllcache folders (actually renamed copies of Microsoft files) and afterwards detects those renamed copies as infected.
For example: rproxycfg.exe is a copy of the legitimate proxycfg.exe, hiissuba.dll of the legitimate issuba.dll, vcliconfg.dll of the legitimate cliconfg.dll, and so on.
It doesn't alter the original files, it only adds renamed copies of them.
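Because the rogue plants byte-identical copies under new names, a hash-based scan of the folder exposes them without any signature: group files by content hash and look for a name that ends with another member's name (rproxycfg.exe ends with proxycfg.exe). The script below is an added example, not from the post or the rogue; it builds a constructed stand-in for system32 using the file names from the post, so the sample contents and the directory are assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Copy -> legitimate file pairs named in the post.
RENAMED_PAIRS_FROM_POST = {"rproxycfg.exe": "proxycfg.exe",
                           "hiissuba.dll": "issuba.dll",
                           "vcliconfg.dll": "cliconfg.dll"}


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_renamed_copies(directory):
    """Map each byte-identical duplicate to the file it was copied from."""
    # Group file names by content hash so identical files land together.
    by_hash = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            by_hash[sha256_file(path)].append(name)
    # Within a group, a name that ends with another member's name is treated
    # as the planted copy and the shorter name as the original.
    copies = {}
    for names in by_hash.values():
        for name in names:
            for other in names:
                if other != name and name.endswith(other):
                    copies[name] = other
    return copies


def build_sample_system32(root):
    """Constructed stand-in for system32: originals plus the renamed copies."""
    originals = {"proxycfg.exe": b"MZ proxycfg", "issuba.dll": b"MZ issuba",
                 "cliconfg.dll": b"MZ cliconfg", "notepad.exe": b"MZ notepad"}
    for name, data in originals.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    for copy, original in RENAMED_PAIRS_FROM_POST.items():
        shutil.copyfile(os.path.join(root, original), os.path.join(root, copy))


def demo():
    """Scan a throwaway sample directory; returns copy -> original."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_system32(root)
        return find_renamed_copies(root)
```

Pointing find_renamed_copies at a real system32 or dllcache folder flags the same kind of planted duplicates; a file with no same-hash sibling (notepad.exe in the sample) is never reported.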

Andromeda AntiVirus installed on a clean system (XP Pro):

Threatexpert report here.
Posted in Malware, Rogue