A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7467  by Xylitol
 Wed Jul 20, 2011 8:55 pm
nickvth2009 wrote: I see you guys talking about Zentom System Guard. Perhaps the following link is it? I just saw this floating around and it has the stamp Zentom System Guard.
Code:
hxxp://unders.in/utrsid70.exe
yup, that's it.
 #7548  by PX5
 Sat Jul 23, 2011 2:40 pm
nullptr wrote: The only times I've seen the name BlueFlare Antivirus is in the decrypted strings of some malware I've looked at.
refer to http://www.kernelmode.info/forum/viewto ... 7110#p7110 - Cycbot strings
Agree, have a 2 week old infected vbox with Cycbot running, see some strings from csrss.exe.txt....

Code:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/91
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
gKZEtzy
%s?v%d=%d&tq=%s
LSSRCHE
\gb_%d.bat
@echo off
del "%s"
if exist "%s" goto a
del %%0
cmd.exe /c "%s"
0123456789ABCDEF
{%d5D9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
list<T> too long
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
{6988405C-71C3-427c-975A-0398706E79EE}
BlueFlare Antivirus
ms.conf
AID
s-internals.com
http://core%s.%s/s.php?id=%s&c=121
system-reports.com
http://xprstats.com/images/logo.png
old
vista
hwid=%s&ver=%d&os=%s&av=%s&wd=%d
t=ml&q=%s
exec|
GET %s HTTP/1.0
Host: %s
User-Agent: mozilla/2.0
Connection: close
Content-Length:
id=1000&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&port=%d
vector<T> too long
err1007
%s_1_%d_%s
err079
%s_2_%d_%s
err077
stop
exec
run
uncheck
encheck
%s_3_%d_%s
%s_4_%d_%s
err094
PING_LS_TM
hwid=%s&id=%s
err053
u.exe
%s up%s
err085
err062
err061
err086
_PRM_NAME_TASK_LOADER_1
_PRM_NAME_TASK_LOADER_2
_PRM_NAME_TASK_LOADER_3
_PRM_NAME_TASK_LOADER_4
_PRM_NAME_TASK_LOADER_5
_PRM_NAME_TASK_LOADER_6
_PRM_NAME_TASK_LOADER_7
_PRM_NAME_TASK_LOADER_8
_PRM_NAME_TASK_LOADER_9
_PRM_NAME_TASK_LOADER_A
_PRM_NAME_TASK_LOADER_B
_PRM_NAME_TASK_LOADER_C
_PRM_NAME_TASK_LOADER_D
_PRM_NAME_TASK_LOADER_E
_PRM_NAME_TASK_LOADER_F
PARAM_PROXY_PORT_NUMBER
%PROGRAMFILES%
%PROGRAMFILES(X86)%
avgnt.exe
Avira*
ccsvchst.exe
Norton*
Symantec*
AvastUI.exe
Alwil Software*
Avast*
mcagent.exe
McAfee*
none
avira
norton
avast
mcafee
err1026
err1025
err1027
err1028
err1029
err1030
err1031
avg
bitdef
kasper
drweb
nod32
SOFTWARE\Microsoft\Windows Defender
DisableAntiSpyware
err1011
err1010
err1012
err1013
err1005
If-Modified-Since
If-None-Match
Proxy-Connection
Keep-Alive
Cache-Control
close
Connection
GET
HTTP/1.x
Referer
google.com
http://www.google.com
PUT
POST
HTTP/1.1 302 Found
Connection: close
Location: %s
Content-Length: 0
id=%s&type=%d&ppcid=%s
Host:
X-Moz
prefetch
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
user_pref
%s(%s, %s);
operaprefs.ini
Opera
Use HTTP
HTTP server
[Proxy]
INST_IE
err1015
err1017
SEND_INSTALL_REPORT
err1024
err1018
id=%s&hwid=%s&step=1&wd=%d&av=%s
id=%s&hwid=%s
exec|%s
err1032
http=
err051
err093
HTTP/1.0 200 OK
Pragma: no-cache
Cache-Control: no-cache,  must-revalidate
Expires: -1
Connection: close
Content-length: 
<HTML>
<HEAD>
<TITLE>
</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</HEAD>
<BODY style="overflow: hidden;margin:0 0 0 0; padding:0 0 0 0;">
<iframe src="
" frameborder="no" scrolling="auto" style="margin:0 0 0 0; padding:0 0 0 0;" height="100%" width="100%" ></iframe>
</BODY>
</HTML>
google.
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
gstatic.
.yimg.com
.bing.net
yahoo.
aolcdn.
scorecardresearch.com
brightcove.com
.aol.
aolsvc.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
.2mdn.
ytimg.
doubleclick.
/complete/search
start=
start=0
/imglanding
/images
http%3A%2F%2F
/gen_204
err069
bing.com/search
search.yahoo.com/search
aol/search
&query=
?query=
imdb.
wikipedia.
youtube.
facebook.
twitter.
amazon.
blogger
msn
ebay.
flickr
wikimedia.
googleusercontent.
googlesyndication.
google-analytics.
jpeg
.jpg
.bmp
.gif
.ico
.png
.css
.xml
LSSRCHTP1
err060
err%d%s_%d_%d
err0%s_%d_%d
User-Agent
&useragent=%s
&referer=%s
Accept-Language
&lang=
&type=%d
%s:443/?ver=91&system=%d&id=%s&hwid=%s&search=%s
href
err099
TITLE_CLICK
PPC_CLICK
%s_%s_%s
err098
err097
err1009
referer
Content-Type
text
err1016
Transfer-Encoding
Content-Encoding
gzip
deflate
Content-Length
www.www.ru
Content-Disposition
err1023
Location
https://
application
html
script
xval
eval
</script
<script
Content-length
BlueFlare
Sophos
Blue Flare
.doubleclick.net
ads
doubleclick.net
msn.com
err1033
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
<xframe
<iframe
</xframe
</iframe
<xpplet
<applet
</xpplet
</applet
HTTP/1.0
Connection: close

All associated files attached.
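The decrypted strings above show the browser-side mechanics of this Cycbot build: it writes network.proxy.* user_pref entries into Firefox's prefs.js and a [Proxy] section (Use HTTP / HTTP server) into Opera's operaprefs.ini so that the browser's HTTP traffic goes through a loopback proxy (the "http=127.0.0.1:" string), and the list also carries C2 hostnames and %s/%d URL format strings. The Python below is an added triage example, not code from this thread or from any of the posters: it checks a profile file for that loopback-proxy configuration and splits a decrypted string list into concrete hostnames and format templates. The prefs.js and operaprefs.ini contents, the port 57680 and the string subset are constructed for the example from the values in the dump; the function names are the example's own.

```python
"""Triage helpers for a decrypted Cycbot-style string dump (constructed example)."""
import re
from configparser import ConfigParser

# Firefox prefs.js lines look like: user_pref("network.proxy.http", "127.0.0.1");
_USER_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

# Dotted tokens that are files, not hosts, when they appear in a string dump.
_FILE_EXT = {"exe", "bat", "dll", "conf", "ini", "js", "txt",
             "png", "jpg", "jpeg", "gif", "ico", "css", "xml", "php"}
_HOST_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)


def parse_user_prefs(prefs_js):
    """Return {pref_name: value} for every user_pref() line; quoted strings are unquoted."""
    prefs = {}
    for name, raw in _USER_PREF_RE.findall(prefs_js):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw.isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw  # true/false or anything else, kept as text
    return prefs


def firefox_loopback_proxy(prefs_js):
    """Return the proxy port if prefs.js routes HTTP through loopback, else None."""
    prefs = parse_user_prefs(prefs_js)
    # network.proxy.type 1 is "manual proxy configuration"; the malware sets it
    # together with network.proxy.http / network.proxy.http_port.
    if prefs.get("network.proxy.type") != 1:
        return None
    if prefs.get("network.proxy.http") not in ("127.0.0.1", "localhost"):
        return None
    return prefs.get("network.proxy.http_port")


def opera_loopback_proxy(operaprefs_ini):
    """Return host:port if the [Proxy] section of operaprefs.ini points at loopback, else None."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(operaprefs_ini)
    if not cp.has_section("Proxy"):
        return None
    if cp.get("Proxy", "Use HTTP", fallback="0") != "1":
        return None
    server = cp.get("Proxy", "HTTP server", fallback="")
    host = server.split(":")[0]
    return server if host in ("127.0.0.1", "localhost") else None


def extract_network_iocs(strings):
    """Split a decrypted string list into (sorted hostnames, format templates).

    Strings still holding %s/%d placeholders are C2 URL or query templates rather
    than concrete hosts, so they are reported separately instead of host-matched."""
    hosts, templates = set(), []
    for s in strings:
        if "%s" in s or "%d" in s:
            if "http" in s.lower() or "=" in s:
                templates.append(s)
            continue
        for token in _HOST_RE.findall(s):
            if token.rsplit(".", 1)[-1].lower() not in _FILE_EXT:
                hosts.add(token.lower())
    return sorted(hosts), templates


# --- constructed sample inputs (not captured from an infected machine) ---
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 57680);
user_pref("network.proxy.type", 1);
'''

SAMPLE_OPERAPREFS_INI = """\
[Proxy]
Use HTTP=1
HTTP server=127.0.0.1:57680
"""

# Subset of the decrypted strings from the dump above.
SAMPLE_STRINGS = [
    "s-internals.com",
    "http://core%s.%s/s.php?id=%s&c=121",
    "system-reports.com",
    "http://xprstats.com/images/logo.png",
    "hwid=%s&ver=%d&os=%s&av=%s&wd=%d",
    "GET %s HTTP/1.0",
    "u.exe",
    "prefs.js",
    "www.www.ru",
]

if __name__ == "__main__":
    print("firefox loopback proxy port:", firefox_loopback_proxy(SAMPLE_PREFS_JS))
    print("opera loopback proxy:", opera_loopback_proxy(SAMPLE_OPERAPREFS_INI))
    hosts, templates = extract_network_iocs(SAMPLE_STRINGS)
    print("hosts:", hosts)
    print("templates:", templates)
```

On a suspect machine the two proxy checks are run over the real prefs.js in the Firefox profile directory and operaprefs.ini in the Opera profile; a loopback HTTP proxy that the user did not configure is the artifact to look for, since the "http=127.0.0.1:" string and the injected iframe/script response templates in the dump only work once the browser is pointed at the bot's local listener.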