Block Anti-virus-1 malicious Domains
Anti-virus-1 is classified as rogue security software: a fake anti-spyware application that claims to be the best at removing trojans but in reality removes nothing. Below is a list of the malicious domains used to spread and promote Anti-virus-1 (IP address first, then the domain served from it; N/A where no address was listed):
70.38.19.201 (online-download-av1.info)
70.38.11.165 (gravicapa.globmail.org)
70.38.19.201 (online-site-av1.info)
67.205.75.10 (online-scanner-av1.info)
N/A (antivirus1-site.info)
N/A (antivirus1-download.info)
N/A (av1-site.info)
N/A (av1-download.info)
N/A (av1-scanner.info)
To block the above domains you can edit the Windows hosts file, located at C:\WINDOWS\system32\drivers\etc\hosts (you need administrative rights to save it), and add these lines:
127.0.0.1 online-site-av1.info
127.0.0.1 online-download-av1.info
127.0.0.1 gravicapa.globmail.org
127.0.0.1 antivirus1-site.info
127.0.0.1 antivirus1-download.info
127.0.0.1 av1-site.info
127.0.0.1 av1-download.info
127.0.0.1 online-scanner-av1.info
127.0.0.1 av1-scanner.info
With these changes, every lookup of those domains resolves to 127.0.0.1 (localhost), so the trojan cannot download its malicious .EXE payload from the listed domains. Note that the hosts file only maps host names to addresses: a line such as "127.0.0.1 70.38.19.201" has no effect, because a request made directly to an IP address never goes through name resolution. The bare addresses (70.38.19.201, 70.38.11.165, 67.205.75.10) have to be blocked at a firewall or router instead, and the captured traffic below shows that the malware does contact 70.38.11.165 by address.
HTTP traffic on port 80 generated by the infection (the User-Agent strings AV1 and AV1i, the hard-coded Host: 70.38.11.165, and the collection.php "step" beacons are useful signatures for a proxy or IDS):
GET /admin/cgi-bin/get_domain.php?type=site HTTP/1.1
User-Agent: AV1
Host: 70.38.11.165
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

GET /collection.php?step=AV19_GetId_failure&id=none HTTP/1.1
User-Agent: AV1i
Host: online-site-av1.info
Connection: Keep-Alive
Cache-Control: no-cache

GET /collection.php?step=AV19_stage_one_complete&id=none HTTP/1.1
User-Agent: AV1i
Host: online-site-av1.info
Connection: Keep-Alive
Cache-Control: no-cache

GET /en/exe/Stage2.exe HTTP/1.1
User-Agent: AV1i
Host: online-download-av1.info
Connection: Keep-Alive
Cache-Control: no-cache

GET /admin/cgi-bin/get_domain.php?type=site HTTP/1.1
User-Agent: AV1
Host: 70.38.11.165
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
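The following script is an added example, not code from the original post: it parses captured HTTP requests like the ones above, pulls out the hosts contacted with the AV1/AV1i User-Agent, generates the hosts-file lines from the blocking procedure described earlier, and reports separately the IP literals that a hosts file cannot block. The sample capture embedded in the script is constructed from three of the requests shown above; the User-Agent list and the function names are my own and not taken from the malware or the post.

```python
"""Extract Anti-virus-1 indicators from captured HTTP and build hosts-file entries."""
import ipaddress
import re

# Constructed sample: three of the requests from the capture above, as seen on the wire.
SAMPLE_TRAFFIC = """GET /admin/cgi-bin/get_domain.php?type=site HTTP/1.1
User-Agent: AV1
Host: 70.38.11.165
Connection: Keep-Alive

GET /collection.php?step=AV19_stage_one_complete&id=none HTTP/1.1
User-Agent: AV1i
Host: online-site-av1.info
Connection: Keep-Alive

GET /en/exe/Stage2.exe HTTP/1.1
User-Agent: AV1i
Host: online-download-av1.info
Connection: Keep-Alive
"""

# User-Agent values observed in the capture (assumed signature list, not an official one).
SUSPECT_USER_AGENTS = {"AV1", "AV1i"}


def parse_requests(raw):
    """Split a raw HTTP client stream into requests: method, path and lower-cased headers."""
    requests = []
    for chunk in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = chunk.strip().splitlines()
        if not lines:
            continue
        m = re.match(r"(\S+)\s+(\S+)\s+HTTP/\d\.\d$", lines[0])
        if not m:
            continue  # not a request line; skip noise
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        requests.append({"method": m.group(1), "path": m.group(2), "headers": headers})
    return requests


def request_host(request):
    """Host header without any :port suffix, lower-cased."""
    return request["headers"].get("host", "").split(":")[0].lower()


def is_ip_literal(host):
    """True when the Host header carries an address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_indicators(requests):
    """Return (hostnames, ips) contacted by requests carrying a suspect User-Agent."""
    hostnames, ips = set(), set()
    for r in requests:
        if r["headers"].get("user-agent", "") not in SUSPECT_USER_AGENTS:
            continue
        host = request_host(r)
        if not host:
            continue
        (ips if is_ip_literal(host) else hostnames).add(host)
    return hostnames, ips


def hosts_file_lines(hostnames, sink="127.0.0.1"):
    """Hosts-file entries for the names; IP literals are deliberately excluded."""
    return [f"{sink} {h}" for h in sorted(hostnames)]


def blocked_by_hosts(request, hostnames):
    """Would the hosts-file entries stop this request? Never true for a raw IP Host."""
    host = request_host(request)
    return (not is_ip_literal(host)) and host in hostnames


def payload_downloads(requests):
    """(host, path) pairs for executable downloads, e.g. the Stage2.exe fetch."""
    return [(request_host(r), r["path"]) for r in requests
            if r["path"].lower().endswith(".exe")]


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_TRAFFIC)
    names, addrs = extract_indicators(reqs)
    print("\n".join(hosts_file_lines(names)))
    print("block at firewall (hosts file cannot):", sorted(addrs))
    print("payload downloads:", payload_downloads(reqs))
    for r in reqs:
        print(r["path"], "-> blocked by hosts:", blocked_by_hosts(r, names))
```

Run against the sample, the script emits hosts entries for online-download-av1.info and online-site-av1.info, lists 70.38.11.165 as needing a firewall rule, and shows that the get_domain.php request to the raw address is not stopped by the hosts file while the Stage2.exe download is.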
March 9th, 2009 at 4:03 pm
Thank you for the tip!!!