
Troj/FakeAV-CLJ

Hi there,

here's more information:

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavclq.html

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavclj.html

Just in case I have blocked already 91.217.162.99 which should be repoiury.com even though the site was already taken down by authorities I guess.

Are there any honeypot operators in here who could tell the source of this malware? We get swamped with it and I would like to have the sites blocked from where it originates.

Thanks for any insight given. I appreciate it.

Edit

Sophos blocked files with the following names/keywords:

%random%.htm

bugguardpc.htm
coverlightswitch.htm
annefrankbio.htm
blocklightreach.htm

GandhiAntivirus.htm

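The indicators quoted in this post (the IP, the domain it is said to resolve to, and the .htm filenames Sophos blocked) can be matched against proxy logs to find other clients that touched the same sites. The script below is an added example, not code from the poster or from Sophos; the three-column log format, the sample log lines and the function names are assumptions made up for the illustration. It treats the "%random%.htm" entry as "any .htm name, but only on an already-blocked host", so that ordinary .htm pages elsewhere are not flagged.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the thread above: the blocked IP, the domain it
# reportedly maps to, and the .htm filenames Sophos blocked.
BLOCKED_IP = "91.217.162.99"
BLOCKED_DOMAIN = "repoiury.com"
BLOCKED_FILENAMES = {
    "bugguardpc.htm",
    "coverlightswitch.htm",
    "annefrankbio.htm",
    "blocklightreach.htm",
    "gandhiantivirus.htm",
}

# Constructed sample proxy log in an assumed "client host path" format.
# These lines are made up for the example and are not from the page.
SAMPLE_LOG = """\
10.0.0.5 91.217.162.99 /bugguardpc.htm
10.0.0.7 www.example.org /index.html
10.0.0.9 repoiury.com /GandhiAntivirus.htm
10.0.0.9 repoiury.com /xk29dj.htm
10.0.0.11 www.example.org /annefrankbio.htm
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


@dataclass
class Hit:
    client: str
    host: str
    path: str
    reasons: tuple


def host_is_blocked(host):
    """True for the blocked IP, the blocked domain, or any of its subdomains."""
    h = host.lower()
    return h == BLOCKED_IP or h == BLOCKED_DOMAIN or h.endswith("." + BLOCKED_DOMAIN)


def classify(line):
    """Return a Hit if the log line matches an indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: ignore rather than guess
    client, host, path = m.group("client", "host", "path")
    reasons = []
    if host_is_blocked(host):
        reasons.append("blocked-host")
    # Compare only the final path component, case-insensitively.
    name = path.rsplit("/", 1)[-1].lower()
    if name in BLOCKED_FILENAMES:
        reasons.append("known-filename")
    elif reasons and name.endswith(".htm"):
        # "%random%.htm": an arbitrary .htm name counts only on a blocked host.
        reasons.append("random-htm-on-blocked-host")
    return Hit(client, host, path, tuple(reasons)) if reasons else None


def scan(log_text):
    """Scan a whole log and return the list of Hit records."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]


def affected_clients(log_text):
    """Distinct client addresses that triggered at least one indicator."""
    return sorted({h.client for h in scan(log_text)})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.client, hit.host, hit.path, ", ".join(hit.reasons))
    print("clients to check:", affected_clients(SAMPLE_LOG))
```

Matching on the bare filename alone (line 5 of the sample) is the weakest of the three signals, since the names are short dictionary-style words; it is worth a look on the client but is not by itself proof of infection.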


  • Just found another payload .EXE linked to FakeAV-CLJ: freesystemscan.exe detected as Sus/Corrupt and at the same time there is also a FakeAV-IO detection. Unfortunately SEC3.1 doesn't always show path and filenames so I don't know if FakeAV-IO is the same file as Sus/Corrupt. I would love to collect samples, but I don't have the time to create and manage a new policy and push them down to 1000s of clients and then remote in, disable Sophos On-Access and FTP it. I'm glad 9.5 has sample collection as a feature even though this is only for unknown HIPS files. Or does Sophos 9.5 also send samples of _known_ malware to the labs in order to improve detection? In this case it would be helpful.
