
Malware Alert: Antivir64 Rogue Antispyware

by Shanmuga

Antivir64, a new rogue antispyware, is on the prowl. It appears to be installed from scanner.antivir64.com with an affiliate id of 1050 (scanner.antivir64.com/?aff=xxxx). Victims are redirected, probably through an .htaccess file hack, from certain pages of legitimate but hacked websites. A quick Google search shows the first reports of blog sites being hacked to redirect visitors and entice them into installing Antivir64, a variant of Antispyware 2008. I came across this malware accidentally when I happened to visit a page on connectedinternet.co.uk earlier today. My Firefox 3 hung in Windows Vista and I was forced to terminate it in a not so graceful manner.

I decided to visit the hacked website using Internet Explorer 8 beta; as expected, IE8 was redirected to the malware site via 87.248.180.90 through an encrypted link. antivir64.com is a domain controlled by four nameservers at estboxes.com, all of them on the same IP network. antivir64.com has two IP records: 78.47.168.82 and the one mentioned earlier. Both of them host the following domains, among others: antispyware-2008-buy.com, antispyware-2008-download.com, antispyware-2008.info, antispyware2008.org, antispyware2008a.com, antispyware2008buy.com, antispyware2008y.com, antivir64.com, antivirus2008pro-download1.com, antivirus2008pro-download2.com. (Thanks, robtex.)


On redirection, the following dialog box popped up (screenshot):

On clicking either of the buttons, the Antivir64 fraudulent virus scanning animation starts and goads the user by displaying scary messages about the health of the system.


Once the user is convinced to click on the “Protect now” button, the full rogue antispyware software is downloaded in the form of setup_1096_MTA1MHwzNXww_.exe with a size of about 770.80KB (Virustotal). One still needs to get past the blocked download bar of Internet Explorer to start the download. This warning clearly shows that the site wants to download a plugin, setup.cab, from Nooly Systems.


The downloaded software does not run by itself; the user needs to run it to install the unwanted rogue antispyware. Numerous taskbar alerts scare you into installing the downloaded software. I chose to install the software to test it out as usual. The bogus software comes with a bogus license agreement with only one button, called “Continue“ (you can close the window, though). The last line of the agreement really caught my eye:


At the end of the scan the software fraudulently finds non-existent infections.


If you choose to “continue unprotected” you will be bombarded with deceptively worded warnings about the non-existent infections. I chose “Get full version of antivir64 now!“. The program switched to a “secure activation window” and offered various subscription options. On choosing one of the subscription options the application directed me to secure.paymentbit.net, but not before Internet Explorer 8 issued three warnings, one after another, about the security certificate of the site.

A not so comprehensive analysis of the system showed the following changes:

Process added
c:\program files\antivir64\antivir64.exe

Registry Key added
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
c:\program files\antivir64\antivir64.exe

It further adds a few files to the antivir64 folder in the Program Files folder.

It looks like it just adds a registry entry to start itself on every Windows boot in order to goad the hapless victim into purchasing the rogue antispyware. A moderately vigilant internet user should have no problem avoiding this infection, as Internet Explorer itself provides more than three warnings about the impending danger.
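The persistence the post describes is a single value under the HKCU Run key. The following is an added example, not code from the post: it snapshots the Run key entries (on Windows, via the standard winreg module; elsewhere it returns an empty dict so the comparison logic can still be exercised), diffs them against a known-good baseline the way the "changes" list above was produced, and flags any command whose path contains a watched name. The baseline entries and the value name "Antivir64" are constructed; the command path is the one the post reports.

```python
"""Audit Windows Run-key autostart entries against a baseline snapshot.

Added example, not part of the original post. Sample entries are constructed.
"""
import sys
from typing import Dict, Tuple

# Relative key path under both HKCU and HKLM (the post's finding is under HKCU).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Names taken from the post's own findings (folder and process added by the rogue).
WATCHED_NAMES = ("antivir64",)

# Constructed clean snapshot, as if taken before the infection.
BASELINE: Dict[str, str] = {
    "ctfmon.exe": r"C:\Windows\system32\ctfmon.exe",
    "Sidebar": r"C:\Program Files\Windows Sidebar\sidebar.exe /autoRun",
}

# Constructed post-infection snapshot: the value name is an assumption, the
# command is the path the post reports.
CURRENT: Dict[str, str] = dict(BASELINE)
CURRENT["Antivir64"] = r"c:\program files\antivir64\antivir64.exe"


def read_run_entries(hive: str = "HKCU") -> Dict[str, str]:
    """Read every value of the Run key. Windows only; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows

    root = winreg.HKEY_CURRENT_USER if hive == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    entries: Dict[str, str] = {}
    with winreg.OpenKey(root, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the last value has been read
                break
            entries[name] = str(value)
            index += 1
    return entries


def normalize_command(command: str) -> str:
    """Lower-case and strip surrounding quotes so equal programs compare equal."""
    return command.strip().strip('"').lower()


def diff_run_entries(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, dict]:
    """Return autostart values added, removed or changed since the baseline."""
    added = {n: c for n, c in current.items() if n not in baseline}
    removed = {n: c for n, c in baseline.items() if n not in current}
    changed: Dict[str, Tuple[str, str]] = {
        n: (baseline[n], c)
        for n, c in current.items()
        if n in baseline and normalize_command(baseline[n]) != normalize_command(c)
    }
    return {"added": added, "removed": removed, "changed": changed}


def flag_entries(entries: Dict[str, str], watched=WATCHED_NAMES) -> Dict[str, str]:
    """Return entries whose command path contains one of the watched names."""
    return {n: c for n, c in entries.items()
            if any(w in normalize_command(c) for w in watched)}


if __name__ == "__main__":
    live = read_run_entries() or CURRENT  # fall back to the constructed sample off Windows
    report = diff_run_entries(BASELINE, live)
    for kind, items in report.items():
        for name, cmd in items.items():
            print(f"{kind:8} {name!r}: {cmd}")
    for name, cmd in flag_entries(live).items():
        print(f"WATCHED  {name!r}: {cmd}")
```

On a real machine the baseline would come from an earlier run of `read_run_entries()` saved to disk; comparing snapshots catches an added autostart value regardless of how innocuous its location looks, which is what a name-only check would miss.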

More Antivir64 screenshots

Update1: The hacked pages now redirect to internet-defense2009.com which promotes another rogue antispyware Antivirus 2009 Online Security Scanner.

Update2: I have given the procedure for the manual removal of Antivir64 in the post Malware: Antivir64 Manual Removal.

21 comments

Tom Ross August 16, 2008 at 1:59 AM

Thanks for the description. I am experiencing the same. However, unless I missed it, how do I remove this piece of crap Antivir64? Thanks.

Reply

Shanmuga August 16, 2008 at 12:42 PM

Tom, thanks for your comments, you can find manual removal instructions here Malware: Antivir64 Manual Removal

Reply

vic August 17, 2008 at 12:51 AM

Someone hacked one of my sites to include this redirect in the admin section of the site behind a login prompt. I checked with my host and the htaccess seems normal so we aren’t sure where it’s happening… any ideas where to locate it within the code?

Reply

Shanmuga August 17, 2008 at 9:08 AM

Did you check all of your .htaccess files, even those in sub-directories? You can find more expert help at Official Google Webmaster Help group

Reply
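The advice above is to check every .htaccess file, including those in sub-directories. The following is an added example, not code from the post or its commenters: it walks a web root, reads each .htaccess it finds, and reports Redirect, RedirectMatch, ErrorDocument and RewriteRule directives whose target is an absolute URL on a host other than the site's own, noting when a RewriteRule is gated by a RewriteCond on the referer or user agent (a redirect that only some visitors see, which is one reason a site owner may never notice it). The sample tree, the hostnames example.com and redirect-host.example, and the rule text are all constructed.

```python
"""Find .htaccess rules that send visitors to another host, in every sub-directory.

Added example, not from the post. Sample files and hostnames are constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse


@dataclass
class Finding:
    path: str
    lineno: int
    line: str
    reason: str


_ABS_URL = re.compile(r"^https?://", re.IGNORECASE)
# RewriteCond variables that make a redirect visible only to some visitors.
_CLIENT_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def _external_host(target: str, own_hosts: Set[str]) -> Optional[str]:
    """Return the target's host if it is an absolute URL to a host we do not own."""
    if not _ABS_URL.match(target):
        return None
    host = (urlparse(target).hostname or "").lower()
    return host if host and host not in own_hosts else None


def audit_htaccess_text(text: str, path: str, own_hosts: Set[str]) -> List[Finding]:
    """Scan one .htaccess body; directives are matched case-insensitively."""
    findings: List[Finding] = []
    pending_conds: List[str] = []  # RewriteCond lines waiting for the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "rewritecond":
            pending_conds.append(line)
            continue
        target = None
        if directive == "rewriterule" and len(tokens) >= 3:
            target = tokens[2]            # RewriteRule pattern substitution [flags]
        elif directive in ("redirect", "redirectmatch", "errordocument") and len(tokens) >= 3:
            target = tokens[-1]           # Redirect [status] path URL / ErrorDocument code URL
        if target is not None:
            host = _external_host(target, own_hosts)
            if host:
                reason = f"sends visitors to external host {host}"
                if directive == "rewriterule" and any(
                    v in cond.upper() for cond in pending_conds for v in _CLIENT_VARS
                ):
                    reason += " only for some referers/user agents"
                findings.append(Finding(path, lineno, raw.rstrip(), reason))
        if directive == "rewriterule":
            pending_conds = []            # conditions apply to the next rule only
    return findings


def audit_web_root(root: str, own_hosts: Set[str]) -> List[Finding]:
    """Recurse through root (os.walk visits every sub-directory) and audit each .htaccess."""
    own = {h.lower() for h in own_hosts}
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        if ".htaccess" in filenames:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_htaccess_text(fh.read(), path, own))
    return findings


# Constructed sample: a clean root file and a conditional redirect hidden under admin/.
CLEAN_HTACCESS = """# constructed clean .htaccess
RewriteEngine On
RewriteRule ^blog/(.*)$ /index.php?p=$1 [L]
Redirect 301 /old-page https://example.com/new-page
"""
SUSPICIOUS_HTACCESS = """# constructed: redirect in a sub-directory, shown only to some visitors
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*search.* [NC]
RewriteRule .* http://redirect-host.example/landing [R,L]
"""


def build_sample_tree() -> str:
    """Write the constructed sample files into a fresh temporary web root."""
    root = tempfile.mkdtemp(prefix="htaccess-audit-")
    os.makedirs(os.path.join(root, "admin"))
    with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_HTACCESS)
    with open(os.path.join(root, "admin", ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(SUSPICIOUS_HTACCESS)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in audit_web_root(sample_root, {"example.com", "www.example.com"}):
        print(f"{f.path}:{f.lineno}: {f.reason}\n    {f.line}")
```

Run it against the real document root with the site's own hostnames in `own_hosts`; redirects that stay on the site are ignored, so only rules pointing elsewhere come back. Verifying each reported file's modification time against the last legitimate deploy is the natural next check.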

joe August 24, 2008 at 3:57 AM

I tried PC Tools Spyware Doctor. It is free and was effective in eliminating the Antivir64 malware. Webroot was totally ineffective and a waste of 30 bucks. Norton’s Antivirus was oblivious to it too.

Reply

Diana August 24, 2008 at 10:22 AM

I kept having this screen pop up and just continued to exit out of it, then today I had it so many times, I did a search and came up with your blog – which I appreciate very much. I did a search for this program/file folder and I don’t seem to have it. Am I correct in assuming if you don’t do the download, it will not automatically infect your system? As I said, it did not show up on an extensive search today – so I thank you for all of this information.

Reply

Shanmuga August 24, 2008 at 1:19 PM

Diana, If you are still getting those fake alerts, I would suggest a quick scan with free editions of either SUPERAntiSpyware or Malwarebytes’ Anti-Malware.

Reply

joe August 25, 2008 at 3:11 AM

Diana

Try my approach with Spyware Doctor. A good word of advice is to avoid using tools that specifically target Antivir64. They are more likely than not made by the jerks who produced the malware to begin with. Your PC will be more infected than ever or you will be dollars lighter after paying what essentially amounts to extortion to fix the problem that the jerks gave you.

Reply

Bob August 29, 2008 at 8:20 AM

Someone here said PC Tools Spyware Doctor is free. I downloaded the free version. Now, Spyware Doctor insists that I Purchase Online to allow correction of threats found. Am I doing something wrong?

Reply

Shanmuga August 29, 2008 at 9:13 AM

Spyware Doctor is not free. Please download one of the free editions of either SUPERAntiSpyware or Malwarebytes’ Anti-Malware. Both are effective in cleaning this infection when I tested.

Reply

joe August 29, 2008 at 10:33 AM

That is odd. My basic version was free and updates itself without hassle. The premium version includes more advanced monitoring. Perhaps my version was no cost at the time of download but has since changed to paid. At any rate, any of the programs recommended by others in this blog should work as well.

Reply

Shanmuga August 29, 2008 at 11:06 AM

joe, probably you have one of those Starter Editions that comes bundled with Google Pack.

Reply

Bob August 30, 2008 at 12:24 AM

Joe & Shanmuga,
Thanks for the assist. You are both correct. Spyware Doctor tries very hard to get a payment, and then when you uninstall, they offer the free bundles, like Google Pack. Shrewd (but aggravating) marketing. Malwarebytes’ Anti-Malware (free version) seems to be doing a good job.

Reply

Dick Macguyver September 3, 2008 at 7:43 PM

How do you stop the damn antivir64 from harassing you? I have to constantly keep clicking the x to close it. Then it pops up another window which starts scanning against my will as if it is trying to rape my computer and I have to close that window out. I try to block the damn thing and when I paste the domain in my restricted sites it shows up with a star in front. Now there is a bunch of sites in my restricted sites and I don’t even know what these sites are. Then the antivir64 bastard put sites under my trusted sites and I removed them. I just would like to know how to block this bastard’s harassing popups for good.
Thanks
Dick Macguyver

Reply

Shanmuga September 3, 2008 at 8:16 PM

One of the free editions of either SUPERAntiSpyware or Malwarebytes’ Anti-Malware should clean this infection.

Reply

Jason September 11, 2008 at 5:34 PM

Hey, I work at a local computer shop in Burley, Idaho and have noticed this particular virus loaded on multiple machines. I was notified over an overview of the virus that it is also spreading quickly through email. I had one lady who reported getting antivir64 a couple of days after we hunted down and deleted the sucker! System restore was turned off. I just wanted to know where this malicious software can come from. It is everywhere.

Reply

Shanmuga September 11, 2008 at 7:33 PM

Antivir64 generally enters a system through redirects from hacked web pages; the malicious URLs are also propagated through spam mails.

Reply

Jason September 13, 2008 at 10:00 AM

Shanmuga– I am trying to learn more about this one. Can you please cite your sources for Antivir64 origins. Thank you.

Reply

Jay September 15, 2008 at 3:43 AM

I got hit hard by the same viruses. Did anyone get software to fix it? “Internet Antivirus” is what kept popping up every time I went to IE. I am no English teacher, but the ad was grammar challenged. If you bought this software you went to PaymentBit.net. BTW, you can’t call them, hmmm, net only. In researching, with a family member, for several hours. She is so qualified to do this too, mine stuff came from a religious group. The group making news a lot in the past and recently.

I’m still working on my thing here. Any suggestions? Pls feel free!

Jay

Reply

Shanmuga September 15, 2008 at 4:16 AM

Jay, the freeware edition of Malwarebytes’ Anti-Malware should clean this “Internet antivirus” infection. Let us know how it goes.

Reply

j davis October 30, 2008 at 12:26 AM

I was getting ready to submit an article to articleblotter.com, a site I had used in the past, when a dialog box appeared for antivirus 2008. As soon as the box appeared the homepage disappeared and I had to quickly disconnect to avoid a drive by install. I could not notify the site owners they had been hacked due to the dialog box. I wish these criminals could be jailed for a long time!! By the way the FTC does investigate complaints.

Reply
