Antivir64, a new rogue antispyware, is on the prowl. It seems to be installing from scanner.antivir64.com with affiliate id 1050 (scanner.antivir64.com/?aff=xxxx). Victims are redirected, probably through a .htaccess file hack, from certain pages of legitimate but compromised websites. A quick Google search shows the first reports of blog sites being hacked to redirect visitors and entice them into installing Antivir64, a variant of Antispyware 2008. I came across this malware accidentally when I happened to visit a page on connectedinternet.co.uk earlier today. My Firefox 3 hung on Windows Vista and I was forced to terminate it in a not so graceful manner.
I decided to visit the hacked website using Internet Explorer 8 beta; as expected, IE8 was redirected to the malware site via 220.127.116.11 through an encrypted link. antivir64.com is a domain controlled by four nameservers at estboxes.com, all of them on the same IP network. antivir64.com has two IP records: 18.104.22.168 and the one mentioned earlier. Both of them host the following domains, among others: antispyware-2008-buy.com, antispyware-2008-download.com, antispyware-2008.info, antispyware2008.org, antispyware2008a.com, antispyware2008buy.com, antispyware2008y.com, antivir64.com, antivirus2008pro-download1.com, antivirus2008pro-download2.com. (Thanks robtex)
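The redirect described above lives on the compromised site, so a site owner's first check is the .htaccess file itself. The following is an added example (not code from the original post) that scans .htaccess text for Redirect/RewriteRule directives whose target is a host other than the site's own, and records any RewriteCond lines gating a rule, since a rule that fires only for some visitors is easy to miss when the owner browses their own pages. The sample .htaccess below is constructed for illustration; the target host scanner.antivir64.com and affiliate id 1050 come from the post, and the site name www.example.com and the referer-based condition in the injected block are assumptions.

```python
"""Scan an Apache .htaccess file for redirects that leave the site's own host.

Added defender-side example for the "hacked site redirects visitors to a
rogue antispyware domain" pattern; not code from the original post. The
sample text is constructed; only scanner.antivir64.com/?aff=1050 is from
the post.
"""
import re
from urllib.parse import urlsplit

# Directives that may carry an absolute URL as their redirect target.
_REDIRECT_RE = re.compile(
    r"^\s*(Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+(.*)$", re.IGNORECASE
)
# RewriteCond <test-string> <pattern> [flags]
_COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.IGNORECASE)
_URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample: a WordPress-style .htaccess with an injected block at the end.
SAMPLE_HTACCESS = """\
# constructed sample: legitimate rules followed by an injected redirect
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
Redirect 301 /old-page http://www.example.com/new-page

# injected block (constructed): only visitors arriving from a search engine are sent away
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|msn).*$ [NC]
RewriteRule .* http://scanner.antivir64.com/?aff=1050 [R,L]
"""


def find_external_redirects(htaccess_text, site_host):
    """Return one finding per directive that redirects to a host other than
    site_host: the line number, the directive, the foreign host and the
    RewriteCond lines (if any) that gate a RewriteRule."""
    findings = []
    pending_conds = []  # RewriteCond lines seen since the last RewriteRule
    for lineno, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cond = _COND_RE.match(line)
        if cond:
            pending_conds.append((lineno, cond.group(1), cond.group(2)))
            continue
        m = _REDIRECT_RE.match(line)
        if not m:
            continue
        directive, args = m.group(1), m.group(2)
        is_rewrite = directive.lower() == "rewriterule"
        conds = pending_conds if is_rewrite else []
        for url in _URL_RE.findall(args):
            host = urlsplit(url).hostname or ""
            if host.lower() != site_host.lower():
                findings.append({
                    "line": lineno,
                    "directive": directive,
                    "target_host": host,
                    "conditions": [f"{var} {pat}" for _, var, pat in conds],
                })
        if is_rewrite:
            pending_conds = []  # conditions apply only to the next RewriteRule
    return findings


if __name__ == "__main__":
    for f in find_external_redirects(SAMPLE_HTACCESS, "www.example.com"):
        print(f"line {f['line']}: {f['directive']} -> {f['target_host']} "
              f"(conditions: {f['conditions'] or 'none'})")
```

Run against a real file with `find_external_redirects(open(path).read(), "your.site")`; the legitimate 301 to the site's own host is ignored, while the injected rule is reported together with the HTTP_REFERER condition that hides it from direct visitors.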
On redirection, the following dialog box popped up
On clicking either of the buttons, the Antivir64 fraudulent virus scanning animation starts and goads the user by displaying scary messages about the health of the system.
Once the user is convinced to click on the “Protect now” button, the full rogue antispyware is downloaded as setup_1096_MTA1MHwzNXww_.exe with a size of about 770.80KB (VirusTotal). One still needs to get past the blocked download bar of Internet Explorer to start the download. This warning clearly shows that the site wants to download a plugin, setup.cab, from Nooly Systems.
The downloaded software does not run by itself; the user needs to run it to install the unwanted rogue antispyware. Numerous taskbar alerts scare you into installing the downloaded software. I chose to install the software to test it out as usual. The bogus software comes with a bogus license agreement with only one button called “Continue” (you can close the window, though). The last line of the agreement really caught my eye:
If you choose to “continue unprotected” you will be bombarded with deceptively worded warnings about non-existent infections. I chose “Get full version of antivir64 now!”. The program switched to a “secure activation window” and offered various subscription options. On choosing one of the subscription options, the application directed me to secure.paymentbit.net, but not before Internet Explorer 8 issued three warnings, one by one, about the site's security certificate.
A not so comprehensive analysis of the system showed the following changes:
Registry Key added
It further adds a few files to an antivir64 folder in the Program Files folder.
It looks like it just adds a registry entry to start itself on every Windows boot, in order to goad the hapless victim into purchasing the rogue antispyware. A moderately vigilant internet user should have no problem avoiding this infection, as Internet Explorer itself provides more than three warnings about the impending danger.
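The persistence described in the analysis above is a single autostart entry pointing into the antivir64 folder under Program Files, which is exactly what a quick Run-key review on a suspect machine looks for. The following added example (not code from the original post) parses a `reg export` of the Run keys and flags entries whose program lives in a folder with a given name. The folder name antivir64 under Program Files is from the post; the .reg text, the value name, the executable name antivir64.exe and the `/startup` switch are constructed for illustration, and the post does not give the actual registry key.

```python
"""Flag autostart (Run/RunOnce) entries in a Windows .reg export whose program
sits in a named folder.

Added example for the "adds a registry entry to start itself on every boot"
finding; not code from the original post. Only the folder name antivir64
is from the post; the .reg content below is constructed. A real export comes
from  reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
and is UTF-16 text, so read it with open(path, encoding="utf-16").
"""
import re
import sys

# [HKEY_...\...\CurrentVersion\Run] or RunOnce section headers.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run(?:Once)?)\]$", re.IGNORECASE
)
# "name"="data"  (REG_SZ only; hex()/expand values are not autostart commands in practice)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

# Constructed sample export: one legitimate HKCU entry, the rogue entry, one HKLM entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"antivir64"="\"C:\\Program Files\\antivir64\\antivir64.exe\" /startup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="%ProgramFiles%\\Windows Defender\\MSASCui.exe -hide"
'''


def unescape_reg_string(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for every string value under a Run/RunOnce key."""
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None  # leave non-Run sections unparsed
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            yield current_key, m.group("name"), unescape_reg_string(m.group("data"))


def executable_path(command):
    """Extract the program path from a Run value: a quoted path, or an unquoted
    path that may contain spaces (extend token by token until it names an .exe)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(" ")
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(".exe"):
            return candidate
    return tokens[0]


def find_suspicious_autostarts(reg_text, folder_names):
    """Return Run-key entries whose executable lives inside a folder named in folder_names."""
    wanted = {n.lower() for n in folder_names}
    hits = []
    for key, name, command in parse_run_entries(reg_text):
        parts = executable_path(command).lower().replace("/", "\\").split("\\")
        if any(p in wanted for p in parts[:-1]):  # match folder components, not the file name
            hits.append({"key": key, "value": name, "command": command})
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for h in find_suspicious_autostarts(text, ["antivir64"]):
        print(f"{h['key']}\\{h['value']} = {h['command']}")
```

Pass the path of a real export as the first argument to check a live machine's export; with no argument the constructed sample is used and only the antivir64 entry is reported, while the unquoted Sidebar path with spaces is resolved correctly rather than truncated at the first space.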
Update 1: The hacked pages now redirect to internet-defense2009.com, which promotes another rogue antispyware, Antivirus 2009 Online Security Scanner.
Update 2: I have given the procedure for the manual removal of Antivir64 in the post Malware: Antivir64 Manual Removal.