Malwarebytes

http://www.antispyshield.com


13 replies to this topic

#1
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
http://www.antispyshield.com

This has replaced malwareburn as one of the top pushed rogues through Zlob.
Bruce Harrison
Vice President of Research


Follow us: Twitter, Become a fan: Facebook

#2
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
:P :) :) :)

These guys reused way too much on this one and named their rogue way too close to another. I had to add nothing to MBAM on this one, it already completely removes it.
Bruce Harrison
Vice President of Research


#3
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
Man, Google indexes Castlecops fast.

It took less than an hour for Google to index my post as the first hit for this rogue.
Bruce Harrison
Vice President of Research


#4
AVBMENON

    New Member

  • Members
  • 6 posts
  • Gender:Male
Hey nosirrah!!

The downloaded installer doesn't seem to work, this one reminds me of malwarealarm. Did you manage to get a good installer?

regards
Ak

#5
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
No installer at this point, just a downloader. That works just fine though. The downloader on their home page connects to 69.50.167.26 and downloads the rest.

I may try a few permission tricks I know to try and trap the actual installer.
Bruce Harrison
Vice President of Research


#6
AVBMENON

    New Member

  • Members
  • 6 posts
  • Gender:Male

nosirrah, on Sep 12 2007, 10:20 AM, said:

No installer at this point, just a downloader. That works just fine though. The downloader on their home page connects to 69.50.167.26 and downloads the rest.

I may try a few permission tricks I know to try and trap the actual installer.


But do you get any error messages on using this downloader?

#7
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
Nope, installs just fine. I bet you have some security software in place (hosts file, firewall ...) that is giving this a no go for you.

BTW I tried again for the heck of it and it still installs just fine.
Bruce Harrison
Vice President of Research


#8
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
Could also be VM aware, if you use that.
Bruce Harrison
Vice President of Research


#9
AVBMENON

    New Member

  • Members
  • 6 posts
  • Gender:Male

nosirrah, on Sep 12 2007, 10:38 AM, said:

Nope, installs just fine. I bet you have some security software in place (hosts file, firewall ...) that is giving this a no go for you.

BTW I tried again for the heck of it and it still installs just fine.


All my firewalls are disabled, the hosts file seems not to redirect/block anything either, and I seem to get an error saying the downloader crashed owing to some fault.

File name: AntiSpywareShieldSetup.exe
MD5: 447abed3d2e00a8dddb6b568d768d6b8
Size: 51200


Is it the same one for you? BTW thanks for taking the extra effort :P

regards
Ak
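The thread leaves three indicators a defender can act on: the host the downloader contacts (post #5) and the file name, MD5 and size of the downloader itself (post #9). The script below is an added example, not code from the forum or from Malwarebytes; it checks a file against the posted name, size and MD5, reporting each match separately so a renamed or repacked build still shows a partial hit, and scans firewall-style log lines for connections to the downloader's host. The log format and the sample lines are constructed for the example and are not from the page.

```python
"""IoC matching for the rogue discussed in this thread.

Example code added to the thread, not from the forum or Malwarebytes.
Indicators are quoted from posts #5 and #9; the log format and sample
log lines below are constructed for illustration.
"""
import hashlib
import re

# Indicators quoted from the thread.
DOWNLOADER_HOST = "69.50.167.26"
IOC_FILENAME = "AntiSpywareShieldSetup.exe"
IOC_MD5 = "447abed3d2e00a8dddb6b568d768d6b8"
IOC_SIZE = 51200


def file_matches_ioc(data: bytes, name: str) -> dict:
    """Compare a file's name, size and MD5 with the posted indicators.

    Each indicator is reported on its own, so a name-only or size-only hit
    (a renamed or repacked build) stays visible instead of being dropped.
    """
    digest = hashlib.md5(data).hexdigest()
    return {
        "name": name.lower() == IOC_FILENAME.lower(),
        "size": len(data) == IOC_SIZE,
        "md5": digest == IOC_MD5,
    }


# Assumed (constructed) firewall log format, one connection per line:
#   "<date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <verdict>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<verdict>\w+)$"
)


def find_downloader_connections(lines) -> list:
    """Return (source ip, destination port, verdict) for every line whose
    destination is the downloader host. Lines that do not parse are skipped
    rather than raising, since real logs contain noise."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and m.group("dst") == DOWNLOADER_HOST:
            hits.append((m.group("src"), int(m.group("dport")), m.group("verdict")))
    return hits


# Constructed sample log lines (not real traffic); 198.51.100.7 is a
# documentation address standing in for unrelated web traffic.
SAMPLE_LOG = [
    "2007-09-12 10:20:01 192.168.1.20:1045 -> 69.50.167.26:80 ALLOW",
    "2007-09-12 10:20:02 192.168.1.20:1046 -> 198.51.100.7:80 ALLOW",
    "2007-09-12 10:21:17 192.168.1.31:1101 -> 69.50.167.26:80 DENY",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    # Constructed stand-in bytes padded to the posted size: the size and
    # name indicators match, the MD5 of the real sample does not.
    sample = b"MZ" + b"\x00" * (IOC_SIZE - 2)
    print(file_matches_ioc(sample, "antispywareshieldsetup.exe"))
    for hit in find_downloader_connections(SAMPLE_LOG):
        print("downloader contact:", hit)
```

A blocked (DENY) connection to the host is still worth a look: it shows which machine ran the downloader even though the rest of the rogue never arrived, which is the situation AVBMENON describes above.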

#10
AVBMENON

    New Member

  • Members
  • 6 posts
  • Gender:Male

nosirrah, on Sep 12 2007, 10:46 AM, said:

Could also be VM aware, if you use that.

Now that's a possibility!! If you manage to isolate the installer, let me know. Thanks for that.

#11
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
I vote VM aware (any of my fellow experts want to test this, feel free). Zlob is VM aware and this comes from Zlob so it would not be surprising.

I tried both crippling delete permissions on all temp locations and running process guard, no secondary installer could be found. The small downloader seems to be designed to make automated testing a little harder. The best I can tell the small downloader is an installer, it just grabs its data from the web instead.

@AVBMENON If you can swing the price of a low end PC it would make malware testing a lot more fun. I could not live without my test box.
Bruce Harrison
Vice President of Research


#12
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
Their home page is down.
Bruce Harrison
Vice President of Research


#13
nosirrah

    Forum Deity

  • Administrators
  • 5,399 posts
  • Location:Northampton, MA USA
Now it's back.
Bruce Harrison
Vice President of Research


#14
SwampDiner

    True Member

  • Experts
  • 419 posts
  • Location:The Internets
Added 155
