What's the deal with VirusRescue? Is this yet another scam?
B.I.S.S. Forums > Bluetack Forums > Global News
Moore
VirusRescue?

There are questions about this program that some people would like answered, including me.

http://www.spywarewarrior.com/viewtopic.php?t=22305
http://securityticker.blogspot.com/2006/08...new-trojan.html
http://www.securitycadets.com/2006/08/new-...ue-virusrescue/
http://www.securitycadets.com/2006/08/my-r...to-virusrescue/

Is this just another new rogue antispyware program posing as a legit spyware remover, one that costs $49 before it will remove anything it finds? [And what actual threats will it find?]

Sure looks like it so far, despite their claims that:

QUOTE
VirusRescue really removes all the infections from your PC and has one of the best scanning & detection engines in the industry


It really, really removes all infections, or they just really want us all to believe that it really does?

I'm not paying $50 to find out, but you can be sure there will be someone out there who gets tricked into buying it.


virusrescue.com
IP Address: 85.255.118.146

QUOTE
Domain Name: VIRUSRESCUE.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http:// www.estdomains.com
Name Server: MANAGEDNS1.ESTHOST.COM
Name Server: MANAGEDNS2.ESTHOST.COM
Status: ACTIVE
Updated Date: 16-mar-2006
Creation Date: 16-mar-2006
Expiration Date: 16-mar-2007



The registrant details seem to be changing around a lot recently. Trying to hide something, guys?

http://whois.domaintools.com/virusrescue.com

QUOTE
VirusRescue Inc
Jeffry Murphy
Sherwood Road, 8
Toowong
null,Qld 4006
AU
Tel. +617.387615500



CODE
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http ://www.estdomains.com

Domain Name: VIRUSRESCUE.COM

Registrant:
VirusRescue Inc
Jeffry Murphy @gmail.com)
Sherwood Road, 8
Toowong
null,Qld 4006
AU
Tel. +617.387615500

Creation Date: 16-Mar-2006
Expiration Date: 16-Mar-2007

Domain servers in listed order:
managedns1.esthost.com
managedns2.esthost.com


Administrative Contact:
VirusRescue Inc
Jeffry Murphy @gmail.com)
Sherwood Road, 8
Toowong
null,Qld 4006
AU
Tel. +617.387615500

Technical Contact:
VirusRescue Inc
Jeffry Murphy @gmail.com)
Sherwood Road, 8
Toowong
null,Qld 4006
AU
Tel. +617.387615500

Billing Contact:
VirusRescue Inc
Jeffry Murphy @gmail.com)
Sherwood Road, 8
Toowong
null,Qld 4006
AU
Tel. +617.387615500

Status:ACTIVE



Now the DNS records show another email address here:


virusrescue.com IN SOA server: managedns1.estboxes.com
email: david.alant.gmail.com
serial: 2006070105
refresh: 7200
retry: 7200
expire: 2419200
minimum ttl: 38400
38400s (10:40:00)


Results from 13 days ago...

Now take note of this guy's name: David Taylor.



Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http:// www.estdomains.com

Domain Name: VIRUSRESCUE.COM

Registrant:
SunShine Ltd
David Taylor @gmail.com)
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null,98101
PH
Tel. +206.9543154

Creation Date: 16-Mar-2006
Expiration Date: 16-Mar-2007

Domain servers in listed order:
managedns1.esthost.com
managedns2.esthost.com


Administrative Contact:
SunShine Ltd
David Taylor@gmail.com)
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null,98101
PH
Tel. +206.9543154

Status:ACTIVE

Retrieving DNS records for virusrescue.com...

DNS servers
managedns4.estboxes.com
managedns3.estboxes.com
managedns2.estboxes.com [69.50.183.26]
managedns1.estboxes.com [69.50.182.18]

Answer records
virusrescue.com 1 A 85.255.118.146 38400s
virusrescue.com 1 SOA server: managedns1.estboxes.com
email: david@alant.gmail.com
serial: 2006070104
refresh: 7200
retry: 7200
expire: 2419200
minimum ttl: 38400
38400s
virusrescue.com 1 NS managedns1.estboxes.com 172800s
virusrescue.com 1 NS managedns2.estboxes.com 172800s
virusrescue.com 1 NS managedns3.estboxes.com 172800s
virusrescue.com 1 NS managedns4.estboxes.com 172800s


--------------------------------------------------------------


David Taylor can also be found in the registrant details for SpywareStrike and SpyFalcon, at the very least.

http://blogs.zdnet.com/Spyware/?p=770
QUOTE
The name SpyAxe, top rogue anti-spyware app of 2005, brings up anger and frustration for its many victims but now SpyFalcon has burst on the scene looking like a replacement for SpyAxe. SpyFalcon, just like SpyAxe, is being installed along with trojans through exploits.


QUOTE
Registrant:
SunShine Ltd
David Taylor
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null,98101
PH
Tel. +206.9543154

Creation Date: 16-Jan-2006
Expiration Date: 16-Jan-2007

Domain servers in listed order:
ns1.antispydns.biz
ns2.antispydns.biz
ns3.antispydns.biz

And another:

Registration Service Provided By: ESTDOMAINS
Contact: +1.3027224217
Website: http:// www.estdomains.com

Domain Name: SPYWARESTRIKE.COM

Registrant:
Spywarestrike Inc
David Alan Taylor @spywarestrike.com)
Unit 110 Alpha Bldg. Subic International Hotel Rizal cor.
Sta. Rita Road, Subic Bay Freeport
Olongapo City
null,2200


QUOTE
Domain Name: SPYFALCON.COM

Registrant:
SpyFalcon ltd.
David Taylor
Unit 110 Alpha Bldg. Subic International Hotel Rizal cor.
Sta. Rita Road, Subic Bay Freeport
Olongapo City
null,2200
PH
Tel. +206.9543154

Creation Date: 16-Jan-2006
Expiration Date: 16-Jan-2007

Domain servers in listed order:
ns1.antispydns.biz
ns2.antispydns.biz
ns3.antispydns.biz



How about this, the updateyourwindows domain, which shares the same IP as SpyFalcon?

I can't think of any other purpose for this site besides the intentional confusion it will cause hijacked users who might think it is the real Microsoft Windows Update site.

QUOTE
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http:// www.estdomains.com

Domain Name: UPDATEYOURWINDOWS.COM

Registrant:
SunShine Ltd
David Taylor
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null,98101
PH
Tel. +206.9543154

Creation Date: 05-Feb-2006
Expiration Date: 05-Feb-2007

Domain servers in listed order:
ns1.antispydns.biz
ns2.antispydns.biz
ns3.antispydns.biz



Popular guy. He sure likes his rogue spyware apps... if it's even a real person.

Is there a connection between VirusRescue and these other rogue scam anti-spyware apps? You tell me.

---------------------------------------------------------------------------------

Another interesting thing is their choice of web host, which we have totally blocked in the B.I.S.S. malware blocklist due to the shocking amount of malware coming from there.

QUOTE
inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine



Now, if you were setting up a legit anti-spyware company, would you choose to set up your business next door to the very same people you are targeting? Obviously that was not considered here, if you are to believe for a moment that they are legit.

Inhoster is very well known as one of the web hosts preferred by malware pushers. Netcat hosting in Ukraine, Intercage/Atrivotech/Atrivohell in San Francisco, USA, and various Russian Federation web hosts are some of the other high-level ones.

Traceroute even shows the connection passing through nLayer and an Atrivo-named node, which belongs to the malware-infested Atrivohell/Intercage network.

QUOTE
10 61 61 61 - 69.22.142.78 so-2-3-0.cr1.sfo1.us.nlayer.net
11 77 77 77 - 69.22.128.250 atrivo.ge1-4.hr1.sfo1.us.nlayer.net
12 78 77 78 - 85.255.118.146 virusrescue.com


Seems that it's anything goes on these networks, given the amount of malware being traced back as originating from there.

These malware pushers love to use it for hijacking unsuspecting users with the most dangerous spyware/trojan/rootkit hijackers they can.

The real kicker, though, is that they also install their preferred anti-spyware removal program of the moment and force their victims to pay up to remove these very same hijacks.

--

Not surprisingly, Inhoster/Estdomains is actually hosted by Intercage/AtrivoHell:

estdomains.com = 69.50.183.26

--

CODE
11 77 77 61   69.22.143.14 ge4-8.hr1.sfo1.us.nlayer.net
12 77 78 77   69.22.128.250 atrivo.ge1-4.hr1.sfo1.us.nlayer.net
13 78 78 77   69.50.183.26


---

CIDR: 69.50.160.0/19
NetName: INTERCAGE-NETWORK-GROUP
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM

Domain Name: ESTDOMAINS.COM
Registrant:
Estdomains Inc
110 W. Ninth Street #688
Wilmington
Delaware,19801
US
Tel. +1.3027224217

Creation Date: 19-Aug-2004
Expiration Date: 19-Aug-2010

Domain servers in listed order:
ans2.esthost.com
ns6.esthost.com
ans1.esthost.com
ns5.esthost.com


As you can see here (http://ow.bbclone.de/2005/11/09/esthost-or...lc-equals-spam/), Inhoster actually was Esthost at some point in the past, until they decided to try and cover their tracks:

Previous:
inetnum: 85.255.112.0 - 85.255.127.255
netname: EstHost
descr: Inhoster hosting company
descr: OOO Inhoster, ul.Antonova 5, Kiev, 03186, Ukraine

Now:
inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine


---------------------------------------------------------------------------------

Even more details of the trail these gangsters leave behind:

Intercage with lots of wmf exploits
http://spamhuntress.com/2006/01/07/interca...f-wmf-exploits/

ISPs hosting spyware - who are they?
http://blogs.zdnet.com/Spyware/?p=763

SpywareQuake scum on the run?
http://netrn.net/spywareblog/archives/2006...cum-on-the-run/



The Webhelper has a growing collection of Intercage/AtrivoHell malware IPs:
http://www.webhelper4u.com/CWS/cwsal_atrivo_ips.html

=---------------------


An absolute must-read topic, where even an Atrivo/Intercage employee admits things are beyond their control, and that cutting off the gangsters abusing their network would cause them to lose out on the profits they are making from the illegal activities running amok on their network:


http://lists.sosdg.org/pipermail/sosdg-nan...ber/009861.html

There is no "network of esthost". The network in which Esthost resides
is our network.


Esthost is one of our larger clients, They are very
successful in the industry of web hosting and domain registration. They
just recently became an ICANN Accredited Registrar. I won't comment on
"why" they're so successful... But for some, that may be obvious.

I believe an investigation by law enforcement is a very corrective
step... That would definitely clean Esthost up.

I can honestly say, there are 2 of our major clients who are very
successful... and with both of those comes occasional abuse. On one,
it's the occasional spam via exploit. The other... Esthost... Well... A
lot worse abuse then just spam.



Re: Atrivo/InterCage Abuse
http://lists.sosdg.org/pipermail/sosdg-nan...hread.html#9857

Russ at Atrivo.com wrote in news:1125683278.320264.138150@f14g2000cwb.googlegroups.com:

> If I had the ability... I would cut Esthost as a client... But, in
> doing so, it causes nearly a quarter if not half of the company's
> monthly revenue to be cut. That is not too good of a move nor
> reasonably possible



--------------------------------------------------------------------------------------------


A common hijack coming from the malware-ridden 85.255.* net range is the codec scam below.

I picked up xpasswordmanager off of a victim's computer that was infected with SpywareQuake just recently: http://www.bluetack.co.uk/forums/index.php?showtopic=14961

85.255.118.10

getpornmag.com
intcodec.com
mdcodec.com
xpasswordmanager.com

zipcodec.com - 85.255.118.14


Intcodec/zipcodec are the scam codec people who hijack your computer after getting you to install their movie codecs. Shortly after, the popups saying you are infected, pushed via scam security programs, follow.


CODE
Trojan.Emcodec.F is a Trojan horse that drops and executes a copy of Trojan.Zlob.
The Trojan masquerades as an installer for IntCodec 6.0.


http://research.sunbelt-software.com/threa...;threatid=44478
http://www.symantec.com/security_response/...-99&tabid=2
http://forum.sysinternals.com/forum_posts....46&get=last


CODE
// Lure-page script from intcodec.com: it pushes the "IntCodec 6" installer that the Symantec entry above describes as Trojan.Emcodec.
function codecDownload()
{
   // "SV1" is the User-Agent token Internet Explorer 6 sends on Windows XP SP2; those browsers are skipped.
   if (window.navigator.userAgent.indexOf("SV1") != -1) {
      return;
   }
   else {
      // Everyone else is redirected to the trojan installer after a 3-second delay.
      window.setTimeout("location.href='http://www.intcodec.com/int/intcodec-v6.286.exe'", 3000);
   }
}



Somewhere in the fine print, for those who bother to look, you will find these details:


QUOTE
SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development.

No personal information will be communicated to INTCODEC or its affiliates during this process. Licensor may offer additional components through our version checking/update system.

These components include:

( a ) Security Toolbar: Internet Explorer application that protects your computer while you browse by setting high level of security for suspicious hosts.

( b ) Popups advertising module: Internet Explorer windows may pop up when you are connected to internet.

( c ) Commercial homepage manager: your Internet Explorer homepage will be changed.

( d ) Security software: antivirus application.


================



More to follow yet I'm sure..

================

/edit:

http://www.vitalsecurity.org/2006/08/virus...-rescue-me.html

================
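The registrant pivoting done by hand above (the same name, phone number and nameservers turning up across virusrescue.com, spyfalcon.com, spywarestrike.com and updateyourwindows.com) can be scripted. The Python below is an added example, not code from this thread or from any registrar: it parses records in the registrar text layout quoted above, indexes every registrant field and nameserver, and reports the values shared by more than one snapshot. The sample records are constructed from the quoted WHOIS output with the e-mail addresses left redacted as in the post, and the `rname_to_email` helper decodes the SOA contact field that the DNS dump renders as `david.alant.gmail.com`.

```python
"""Registrant pivoting over the WHOIS snapshots quoted in this thread.

Added example, not the forum's or any registrar's code. Sample records are
constructed from the quoted WHOIS output; nothing here queries a live server.
"""
import re
from collections import defaultdict

# Constructed sample input: four of the registrant records quoted above.
WHOIS_SNAPSHOTS = {
    "virusrescue.com (current)": """Domain Name: VIRUSRESCUE.COM
Registrant:
VirusRescue Inc
Jeffry Murphy @gmail.com)
Tel. +617.387615500
Domain servers in listed order:
managedns1.esthost.com
managedns2.esthost.com""",
    "virusrescue.com (13 days earlier)": """Domain Name: VIRUSRESCUE.COM
Registrant:
SunShine Ltd
David Taylor @gmail.com)
Tel. +206.9543154
Domain servers in listed order:
managedns1.esthost.com
managedns2.esthost.com""",
    "spyfalcon.com": """Domain Name: SPYFALCON.COM
Registrant:
SpyFalcon ltd.
David Taylor
Tel. +206.9543154
Domain servers in listed order:
ns1.antispydns.biz
ns2.antispydns.biz
ns3.antispydns.biz""",
    "updateyourwindows.com": """Domain Name: UPDATEYOURWINDOWS.COM
Registrant:
SunShine Ltd
David Taylor
Tel. +206.9543154
Domain servers in listed order:
ns1.antispydns.biz
ns2.antispydns.biz
ns3.antispydns.biz""",
}

# Registrars print the contact e-mail after the name; the post redacts it to
# " @gmail.com)", so strip everything from the '@' token to end of line.
_EMAIL_TAIL = re.compile(r"\s*\(?\S*@\S*\)?\s*$")

def parse_whois(text):
    """Pull the fields worth pivoting on out of one registrar-style record."""
    rec = {"domain": None, "registrant_org": None, "registrant_name": None,
           "phone": None, "nameservers": []}
    lines = [ln.strip() for ln in text.strip().splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("Domain Name:"):
            rec["domain"] = line.split(":", 1)[1].strip().lower()
        elif line == "Registrant:" and i + 2 < len(lines):
            rec["registrant_org"] = lines[i + 1]
            rec["registrant_name"] = _EMAIL_TAIL.sub("", lines[i + 2]).strip()
        elif line.startswith("Tel.") and rec["phone"] is None:
            rec["phone"] = line[len("Tel."):].strip()  # first Tel. = registrant
        elif line.startswith("Domain servers"):
            for ns in lines[i + 1:]:
                if not ns or ":" in ns:  # blank line or next section ends the list
                    break
                rec["nameservers"].append(ns.lower())
    return rec

def pivot(snapshots):
    """Index each (field, value) to the snapshots carrying it and keep only the
    values seen in more than one snapshot: those are the infrastructure links."""
    index = defaultdict(set)
    for label, text in snapshots.items():
        rec = parse_whois(text)
        for field in ("registrant_org", "registrant_name", "phone"):
            if rec[field]:
                index[(field, rec[field])].add(label)
        for ns in rec["nameservers"]:
            index[("nameserver", ns)].add(label)
    return {key: sorted(labels) for key, labels in index.items() if len(labels) > 1}

def rname_to_email(rname):
    """Decode an SOA RNAME: per RFC 1035 the first unescaped dot stands for '@'
    and an escaped dot ('\\.') is a literal dot in the local part."""
    parts = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    if len(parts) != 2:
        return None  # not mailbox-shaped
    local, domain = parts
    return local.replace("\\.", ".") + "@" + domain

if __name__ == "__main__":
    for (field, value), labels in sorted(pivot(WHOIS_SNAPSHOTS).items()):
        print(f"{field} = {value!r} shared by: {', '.join(labels)}")
    print("SOA contact:", rname_to_email("david.alant.gmail.com."))
```

Run it directly to print the links. Note that the current virusrescue.com record shares nothing with the SpyFalcon domains directly; it links to them only through the earlier snapshot (same esthost nameservers), which is why keeping WHOIS history, as the domaintools link above does, matters more than a single lookup.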
Moore
Extra IP info...

Wherever you see Intercage/Atrivohell you will no doubt find a trail of trojans and malware.

=========================================

Ref: SBL36702

85.255.112.0/20 is listed on the Spamhaus Block List (SBL)

04-Jun-2006 08:35 GMT | SR04

DNSChanger Trojan home

http://vil.mcafeesecurity.com/vil/content/v_136602.htm

Symptoms

* Presence of the file:
  %SYSTEMROOT%\SYSTEM32\HGQHP.EXE
* Having DNS entries in any of your network adaptors with the values:
  85.255.112.132
  85.255.113.13
* Finding traffic targeting:
  195.95.218.100

______

DNS also @85.255.114.36

[85.255.112.132] spbg9.mydomain.com
[85.255.113.13] mercury.xhpro.com
[85.255.114.36] dns12.esthost.com
[195.95.218.100] annyme.esthost.com

________

AS    | IP           | AS Name
26627 | 85.255.112.0 | AS-PILOSOFT - Pilosoft, Inc.
27595 | 85.255.113.0 | INTERCAGE - InterCage, Inc.
27595 | 85.255.114.0 | INTERCAGE - InterCage, Inc.
27595 | 85.255.115.0 | INTERCAGE - InterCage, Inc.
________

inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
remarks: -----------------------------------
remarks: Abuse notifications to: abuse@inhoster.com
remarks: Network problems to: noc@inhoster.com
remarks: Peering requests to: peering@inhoster.com
remarks: -----------------------------------
country: UA
org: ORG-EST1-RIPE
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
tech-c: FWHS1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: RECIT-MNT
mnt-routes: RECIT-MNT
mnt-domains: RECIT-MNT
mnt-by: DAV-MNT
mnt-routes: DAV-MNT
mnt-domains: DAV-MNT
source: RIPE # Filtered

organisation: ORG-EST1-RIPE
org-name: INHOSTER
org-type: NON-REGISTRY
remarks: *************************************
remarks: * Abuse contacts: abuse@inhoster.com *
remarks: *************************************
address: OOO Inhoster
address: Poltavskij Shliax 24, Xarkov,
address: 61000, Ukraine
phone: +38 066 4633621
e-mail: support@inhoster.com
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
mnt-ref: DAV-MNT
mnt-by: DAV-MNT
source: RIPE # Filtered

person: Andrei Kislizin
address: OOO Inhoster,
address: ul.Antonova 5, Kiev,
address: 03186, Ukraine
phone: +38 044 2404332
nic-hdl: AK4026-RIPE
source: RIPE # Filtered

person: Fast Web Hosting Support
address: 01110, Ukraine, Kiev, 20, Solomenskaya street. room 201.
address: UA
phone: +357 99 117759
e-mail: support@fwebhost.com
nic-hdl: FWHS1-RIPE
source: RIPE # Filtered

_____


inetnum: 195.95.218.0 - 195.95.219.255
netname: ESTHOST
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
remarks: -----------------------------------
remarks: Abuse notifications to: abuse@inhoster.com
remarks: Network problems to: noc@inhoster.com
remarks: Peering requests to: peering@inhoster.com
remarks: -----------------------------------
country: UA
org: ORG-EST1-RIPE
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
tech-c: FWHS1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: RECIT-MNT
mnt-routes: RECIT-MNT
mnt-domains: RECIT-MNT
mnt-by: DAV-MNT
mnt-routes: DAV-MNT
mnt-domains: DAV-MNT
source: RIPE # Filtered

___________

http://isc.sans.org/diary.php?storyid=997

<quote>

I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)

</quote>
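The symptom list above can be turned into a check. As an added example (not code from this thread, McAfee or SANS), the Python below pulls the configured resolvers out of `ipconfig /all` or `/etc/resolv.conf` text and flags any that match the two DNSChanger server addresses or fall inside the two netblocks the SANS diary recommends blocking. The sample ipconfig and resolv.conf output is constructed for the example, not captured from an infected machine.

```python
"""Resolver audit for the DNSChanger symptoms and netblocks listed above.

Added example, not code from the post, McAfee or SANS. The ipconfig and
resolv.conf text below is constructed, not captured from an infected host.
"""
import ipaddress
import re

# The two ranges the SANS diary quoted above recommends blocking outright.
BLOCKED_PREFIXES = (
    ipaddress.ip_network("85.255.112.0/20"),  # Inhoster / Esthost
    ipaddress.ip_network("69.50.160.0/19"),   # InterCage / Atrivo
)
# Resolver addresses the McAfee DNSChanger description lists as symptoms.
DNSCHANGER_SERVERS = {
    ipaddress.ip_address("85.255.112.132"),
    ipaddress.ip_address("85.255.113.13"),
}

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "   DNS Servers . . . . . . . . . . . : 85.255.112.132"   (ipconfig /all)
_WIN_DNS = re.compile(r"DNS Servers[ .]*:\s*(" + _IPV4 + ")")
# Further servers follow on indented lines holding nothing but an address.
_WIN_CONT = re.compile(r"^\s+(" + _IPV4 + r")\s*$")
# "nameserver 85.255.112.132"   (/etc/resolv.conf)
_RESOLV = re.compile(r"^\s*nameserver\s+(" + _IPV4 + ")")

def extract_resolvers(text):
    """Return resolver IPs, in order, from ipconfig /all or resolv.conf output."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        if m := _WIN_DNS.search(line):
            found.append(m.group(1))
            in_dns_block = True
        elif m := _RESOLV.match(line):
            found.append(m.group(1))
        elif in_dns_block and (m := _WIN_CONT.match(line)):
            found.append(m.group(1))
        else:
            in_dns_block = False  # any other line ends the DNS Servers block
    return found

def classify(ip_text):
    """'dnschanger' for a known trojan resolver, 'blocked-netblock' for anything
    else inside the two prefixes, 'invalid' for junk, otherwise 'ok'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip in DNSCHANGER_SERVERS:
        return "dnschanger"
    if any(ip in net for net in BLOCKED_PREFIXES):
        return "blocked-netblock"
    return "ok"

def audit(text):
    """Map each configured resolver to its verdict."""
    return {ip: classify(ip) for ip in extract_resolvers(text)}

# Constructed sample: one hijacked adapter, one clean one, then a resolv.conf.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.132
                                       85.255.113.13
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Wireless Network Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.21
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
SAMPLE_RESOLV_CONF = """\
search example.test
nameserver 69.50.183.26
nameserver 10.0.0.53
"""

if __name__ == "__main__":
    for name, sample in (("ipconfig", SAMPLE_IPCONFIG), ("resolv.conf", SAMPLE_RESOLV_CONF)):
        for ip, verdict in audit(sample).items():
            print(f"{name}: {ip:<16} {verdict}")
```

On a Windows box, feed it the saved output of `ipconfig /all`; on a Unix host, the contents of `/etc/resolv.conf`. Only IPv4 resolver entries are parsed.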