A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7422  by Xylitol
 Tue Jul 19, 2011 6:44 pm
Anyone heard of the new FakeAV 'BlueFlare Antivirus'?
http://www.2-viruses.com/remove-blueflare-antivirus

It seems only PC Tools affiliates talk about this infection.
They have released a screenshot here:
Image

That makes me perplexed; even the Malwarebytes guys have not seen the color of this one.
And I'm sure you have noticed on the screenshot the window title 'Windows Steady Work'.
A lame hex edit from the malware author (I've never seen that in the Tritax FakeAV family) or a fake infection to say 'only we detect this one'?
Also in computer help forums/communities, it seems no one got infected or talks about BlueFlare.

Affiliate site that released a screenshot:
Image

The site design reminds me of this campaign on Twitter with a random detection name submitted every ~30 secs:
Image
Advertising the ParetoLogic product and some others.

Image

And here:
http://deletemalware.blogspot.com/2011/ ... virus.html
This blog relayed the info (shit went viral on other help sites).
The entry was posted 16 Jul; we are now the 19th and no one has an MD5.
 #7440  by bitx
 Wed Jul 20, 2011 10:52 am
The funny thing is that the deletemalware blog only raised public awareness of a possible new rogue AV; they never said that this rogue actually exists.
We have been receiving complaints about a program called BlueFlare Antivirus for a couple of days. From what we've heard about this application, it could be rogue anti-virus software.
They do not have the binary, only complaints and log files from visitors. They made a decision to inform people about a possible new threat and told them to scan the computer with a free anti-malware if anything similar pops up on users' computer screens.
Unfortunately, we couldn't find anything related to BlueFlare Antivirus and it certainly raises our suspicion of fraud. We are currently investigating this threat and will provide more information as it becomes available.
It's a warning, not an analysis of malware. However, other websites probably assumed that it's a real rogue, and some of them even made screenshots that are clearly fake. Well, raising public awareness is one thing, but giving a full analysis of a rogue that may not even exist and suggesting a commercial removal tool "desinged to remove BlueFlare Antivirus" is another story.
 #7444  by Xylitol
 Wed Jul 20, 2011 12:21 pm
It seems there are also some fake screenshots of the FakeAV 'Zentom System Guard'.

Image

The interface I know is:
Image

edit:
SiR! did something like that a while back as a warning:
http://siri-urz.blogspot.com/2009/10/se ... rogue.html
Last edited by Xylitol on Wed Jul 20, 2011 12:28 pm, edited 2 times in total.
 #7446  by EP_X0FF
 Wed Jul 20, 2011 12:27 pm
I think they are all Photoshop/Paint work, level 80.