Thursday, August 31, 2006

VirusBurst, Another Fake Spyware Program

While I was posting about SiteAdvisor in my earlier posts today, Bleeping Computer announced they found yet another fake antispyware program, VirusBurst. While the name is different, it looks pretty much the same as SpywareQuake to me.

Looking at the registration info for VirusBurst.com, I can see the usual suspect is involved with this site as well. Estdomains is the registration provider. They seem to always be near questionable programs and websites.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: VIRUSBURST.COM

Registrant:
Burst Technology GesmbH
Judi Stewart (Whois Privacy and Spam Prevention by Whois Source)
Davidgasse 87
Vienna
null,A-1100
AT
Tel. +431.3365073

Creation Date: 10-Aug-2006
Expiration Date: 10-Aug-2007

I'm sure the above info contains fake information. Most of the time when these rogue programs are registered, the info is not real.

Bleeping Computer reports that the following file is responsible for installing this pest. When it gets on your system, it will download VirusBurst and download software without permission.

C:\Windows\System32\eowygj.dll

You will see a warning balloon above the clock on your computer. Right now they spell balloon wrong: "baloon". If they can't get that right, it makes you wonder what else they did wrong. Here's what it says:

"System detected virus activities. They may cause critical system failure. Please, use antimalware software to clean and protect your system from parasite programs. Click this baloon to get all available software.”

This is not the same one, but it looks like this one:

[Image: a similar warning balloon]

Right now, you can use the VirusBurst removal instructions at Bleeping Computer to fix this pest. More details as they become available. Update: S!ri's SmitFraudfix will now remove VirusBurst as well.

Edit to update: Here's some more info on Virusburst.com

VIRUSBURST.COM = [ 195.225.177.121 ]

Domain servers in listed order:
ns4.tokiodrift.biz
ns3.tokiodrift.biz
ns2.tokiodrift.biz
ns1.tokiodrift.biz

Right now, tokiodrift.biz is a SpyAxe download page, which is also a Rogue program. Here are other sites on the same IP address as tokiodrift:

1. almanah.biz
2. spyaxe.biz
3. spyaxe.com
4. spyaxe.net
5. spywarestrike.com

So I would say that VirusBurst.com is no good and so is the program VirusBurst.
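The pivot used above (domain, to its nameservers' parent domain, to that domain's IP neighbours) can be automated. This is an added example, not code from the original post; the record layout, the `KNOWN_ROGUE` set and the function names are assumptions, and 192.0.2.10 is a placeholder because the post does not give the IP address that tokiodrift.biz shares with the listed sites.

```python
from collections import defaultdict

# Constructed records based on the lookups quoted in the post. The post does not
# give the IP that tokiodrift.biz and its neighbours share, so 192.0.2.10 is a
# placeholder; example.org is a constructed, unrelated control.
NS = [f"ns{i}.tokiodrift.biz" for i in range(1, 5)]
RECORDS = [
    {"domain": "virusburst.com", "ip": "195.225.177.121", "nameservers": NS},
    {"domain": "example.org", "ip": "198.51.100.7", "nameservers": ["ns1.example.net"]},
] + [
    {"domain": d, "ip": "192.0.2.10", "nameservers": []}
    for d in ("tokiodrift.biz", "almanah.biz", "spyaxe.biz", "spyaxe.com",
              "spyaxe.net", "spywarestrike.com")
]
# Assumption: an analyst-maintained set of already-confirmed rogue domains.
KNOWN_ROGUE = {"spyaxe.biz", "spyaxe.com", "spyaxe.net"}


def registered_domain(host):
    # Simplification: keep the last two labels. Production code should use the
    # Public Suffix List so names under co.uk and similar are handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def rogue_links(domain, records, known_rogue):
    """Return evidence strings linking `domain` to known rogue domains."""
    by_domain = {r["domain"]: r for r in records}
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add(r["domain"])
    target = by_domain.get(domain)
    if target is None:
        return []
    evidence = []
    # Direct pivot: rogue domains hosted on the target's own IP.
    for other in sorted((by_ip[target["ip"]] - {domain}) & known_rogue):
        evidence.append(f"{domain} shares {target['ip']} with {other}")
    # Two-hop pivot: nameserver's parent domain, then that domain's IP neighbours.
    for ns_dom in sorted({registered_domain(n) for n in target["nameservers"]}):
        ns_rec = by_domain.get(ns_dom)
        if ns_rec is None:
            continue
        for other in sorted((by_ip[ns_rec["ip"]] - {domain, ns_dom}) & known_rogue):
            evidence.append(f"{domain} -> NS {ns_dom} -> {ns_rec['ip']} -> {other}")
    return evidence


if __name__ == "__main__":
    for line in rogue_links("virusburst.com", RECORDS, KNOWN_ROGUE):
        print(line)
```

Shared hosting alone is weak evidence, since unrelated sites often share an IP; it carries weight here because the nameserver domain itself serves a rogue download page.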

OK, one more update. Paperghost at Vitalsecurity noticed the EULA for VirusBurst is the same one for SpywareQuake. They changed the main title, but everything in the long wordy part says SpywareQuake. Look at the end of his post for this.

1 comments:

AndyAtHull said...

Hi Nick/Nel,

Did you realise they have a .org parked?

I just found it ranked number one in G00gle.

Just visit my blog, I did an update about it.
