"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:HqqdnW6MUanR21DVnZ2dnUVZ_sninZ2d@giganews.com :

> From: "Lil' Abner" <blvstk@dogpatch.com>
>
>| This may appear as kind of a rant. As far as I'm concerned, it's the
>| best thing that has come along yet. I have probably cleaned up 100
>| instances of the AntivirusXP2008(2009) variants. MalwareBytes and
>| Smitfraudfix are my top two tools.
>| I installed XP in a virtual machine and have tried every which way to
>| infect it with one of those variants. So I went to the warez groups
>| and looked for obvious stuff. They all have different names, of
>| course, but the last one, for instance, is Wise Disk Cleaner Pro v3
>| 61 Keygen.zip. It unzips into an .exe file of the same name and is
>| 130kb. This file gets 12 hits at Virus Total. Malwarebytes doesn't
>| detect anything. So I ran the exe file. It didn't do anything visible
>| but I noticed in task manager that Wise Disk Cleaner and another file
>| called file.exe were running. I didn't stop them but then ran
>| MalwareBytes on the VM and it found 10 objects. 5 files (3 were
>| dll's) and 2 were file.exe. The other 5 were in the registry. It
>| cleaned them perfectly and on reboot there was no evidence left
>| except.... Wise Disk Cleaner Pro v3 61 Keygen.exe, the one that
>| installed it. I use an ISP provided antivirus and antispyware app
>| called Secureit. It doesn't identify it. I have another machine with
>| Norton on it and it didn't tag it either. According to VirusTotal,
>| this file has been scanned before. So that means it's been around a
>| while. What takes the antivirus companies and the antispyware people
>| so long to get them on their lists?
>| Oh yeah... how do I infect myself with AntivirusXP? :-)
>
>
> The file file.exe is a downloader trojan that will download and
> install the Zlob trojan, which will subsequently download and install
> rogue anti-malware such as Antivirus 2008.
>
> The file file.exe is ~15 to 15.5KB
>
> Most of the software associated with the Zlob and rogue anti-malware is
> supplied through Atrivo and its accomplices. There have been many
> writeups on how Atrivo and its pals like ESTDomains, Intercage,
> Hostfresh and Inhoster host the malware for the RBN.
>
> http://voices.washingtonpost.com/sec...rt_slams_us_host_as_major.html
>
> Read the HostExploits white paper...
> http://hostexploit.com/index.php?opt...article&id=12&Itemid=15
>
> and...
> http://voices.washingtonpost.com/sec...stdomains.html
> http://www.spamhaus.org/news.lasso?article=636
>
> Now that they are being exposed, uplink feeds have been cut off to
> Atrivo and many of the sites hosting the malware are now hosed.
> However, expect the RBN to find new hosts for their malicious
> actions.


Very informative... thanks!

--
- The bible was written by the same people who said the earth was flat -
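Added example, not part of the thread above: the poster's manual check (file size, VirusTotal lookup, noticing a dropped `file.exe`) can be done offline as a first static triage pass before a sample is ever submitted anywhere. The script below computes the MD5/SHA-1/SHA-256 that VirusTotal keys its "scanned before" records on, confirms the file really is a PE executable by walking the DOS header's e_lfanew to the `PE\0\0` signature, and pulls printable strings and embedded URLs, which in a downloader like the one described here is where the next-stage host tends to show up. The sample bytes are constructed inline as a fake MZ/PE shell with a made-up `example.invalid` URL; they are not the real keygen or file.exe, and the function and variable names are this example's own.

```python
import hashlib
import re
import struct

MIN_STRING_LEN = 6
# Runs of printable ASCII, the same heuristic `strings` uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
# A URL ends at the first non-printable byte (e.g. the NUL terminator of a C string).
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew (offset 0x3C)
    points at a valid 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def hashes(data: bytes) -> dict:
    """The three digests a VirusTotal (or any hash-sharing) lookup is keyed on."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def strings(data: bytes) -> list:
    return [s.decode("ascii") for s in PRINTABLE_RUN.findall(data)]


def urls(data: bytes) -> list:
    return sorted({u.decode("ascii") for u in URL_RE.findall(data)})


def triage(data: bytes) -> dict:
    """Static first-pass report for an unknown binary."""
    report = {"size": len(data), "is_pe": is_pe(data)}
    report.update(hashes(data))
    report["urls"] = urls(data)
    report["strings"] = strings(data)
    return report


def build_sample() -> bytes:
    """Constructed stand-in for a dropped downloader: a minimal MZ/PE shell
    (not a runnable executable) with an embedded next-stage URL and a
    product name string. Hypothetical data, not the thread's real file.exe."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    body = (
        b"PE\x00\x00"
        + b"\x00" * 20
        + b"http://example.invalid/file.exe\x00"
        + b"\xff" * 8
        + b"Wise Disk Cleaner Pro\x00"
    )
    return bytes(header) + body


if __name__ == "__main__":
    report = triage(build_sample())
    for key in ("size", "is_pe", "md5", "sha1", "sha256"):
        print(f"{key:8}: {report[key]}")
    print("urls    :", report["urls"])
    print("strings :", report["strings"])
```

The URL regex deliberately stops at the first non-printable byte rather than at whitespace, because C-style strings inside a binary are NUL-terminated and a whitespace-based pattern would swallow the bytes that follow. Real droppers often obfuscate the host, so an empty `urls` list is not evidence of a clean file; a hit is simply a lead to pivot on.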