(The quickest way to register)

Forum

  1. User picture
    • g7w on Mon 06 Feb 2012
    • 06:39:24 AM UTC

    Security Monitor 2012

    Security Monitor 2012 - FAKE AV | anti-Spyware
    Initial screen load

    Completed screen load

    Fake alert

    BleepingComputer
    Security Monitor 2012 is a rogue anti-spyware program from the same family as Security Solution 2011. This rogue displays fake scan results and alerts in order to trick you into thinking your computer is infected. This program is installed through Trojans that download and install the program on to your computer without your permission. When installed, the rogue will also create numerous harmless files in your Windows Temp folder that will then be detected as malware when Security Monitor 2012 attempts to scan your computer. If you attempt to use the program to remove any of the files it detects as infections, it will state that you need to purchase the program before you can do so. As all the files it detects as infections are harmless or legitimate Windows files, please disregard the scan results and do not purchase the program.

    Two forms of infection:

    1. auto-installed when Java is available
      generally initiates Windows Media Player
    2. The user is informed they have system "problems" and are encouraged to download and install the "fix" normally from a JavaScript pop-up alert box.

    note:
    I waited till the referenced domains were pulled offline before posting, there are others involved, many are victim sites (compromised) as referenced in a SafeBrowsing report, example: cb-technics.com - SB You can tell by viewing source for the page, you'll notice multiple JavaScript tags above the HTML DocType

    The user-opted download file is small; example:
    watchitnegu7.tk/ldpatch/ldpatch.php
    sends file: secure_0.exe (35KB)
    with affiliate links provided, the filename is changed to the affiliate ID, example:
    watchitnegu7.tk/ldpatch/ldpatch.php?afid=390
    result: secure_390.exe [35KB]

    these are installation files, while online they will install the rogue Security Monitor 2012

    Malware
    24onlinedrug.com
    teamroomonline.com
    watchitnegu7.tk

    images hosted courtesy of: http://imageshack.us/

    cataloged on wiki: Forum discussion: Threats:Fake Antivirus scanners

    ------- WOT Services Ltd. - gives us safety through Web of Trust. WOT Community - gives us security through unity. ∞

Comments:

  2. User picture
    • Myxt on Mon 06 Feb 2012
    • 09:07:09 AM UTC

    RE: Security Monitor 2012

    Google> inurl:ldpatch.php
    Addresses of the form "schema://domain/ldpatch/ldpatch.php?afid=n"
    Use strong security if you visit these sites.

    List of domains/hosts:

    getip-nomac.tk
    hostup-newpc.tk
    hostup-newtoday.tk
    main-itcomp.tk
    netmedia-tvbest.tk
    scaner-anend.tk
    scaner-cecode.tk
    scaner-dodimm.tk
    scaner-mouse.tk
    search-webhost.tk
    video-antron.tk
    videogb-alotgood.tk
    videonetab-itsgood.tk
    web-inregistr.tk
    webhelp-cb.tk

    EDIT:
    Confirmed: detected and blacklisted by Sucuri.