Wednesday, September 9, 2009

Decoded Reference File - PC Antispyware 2010

This reference file accompanies the following CA Global Security Advisor blog entry:
PC Antispyware 2010's Scheming Password Protection

The decoded file contains the following:
- RAR password used to decompress downloaded files
- Registry keys to create
- Malware-related domains (update, download and report)
- Download username and password

Users are advised not to visit the domains listed below. The only exceptions are the entries under DOMAINS_SKIP, which are legitimate websites. Domain names are written with " {dot} " in place of "." so that they are not accidentally opened as links.

-------------------------------------------------------------------------

[REGISTRY]
REG_AUTORUN=Software\Microsoft\Windows\CurrentVersion\Run
REG_MICROSOFT_SC=SOFTWARE\Microsoft\Security Center

[ALIEN]
EXE=%system%\pphcjkrj0etfg.exe
EXE=%programfiles%\rhcnkrj0etfg\rhcnkrj0etfg.exe
MISC=%windows%\qegbdmwf.dll
MISC=%windows%\pntqkflv.dll

[MISCELLANEOUS]
RAR_PASSWORD=abcd012345efgh
DWN_USERNAME=user
DWN_PASSWORD= :D
IE_BLOCK_CONTENT=1
IE_OUR_WINDOW_ONLY=0

[DOMAINS]
DOMAINS_SKIP=aol,att,btconnect,bellsouth,charter,comcast,mail,msn,traust,yahoo,google
DOMAINS_SKIP=youtube,facebook,live.com,blogger,wikipedia,baidu,myspace,qq.com,twitter
DOMAINS_SKIP=rapidshare,microsoft,sina.com,bing.com,ebay,craigslist,fc2,yandex,amazon
DOMAIN_FEEDBACK=hulieropedaso {dot} com
DOMAIN_FEEDBACK=rvertundfertug {dot} com
DOMAIN_FEEDBACK=xcuidflofertun {dot} com
DOMAIN_FEEDBACK=ertubedewse {dot} com
DOMAIN_FEEDBACK=huladopkaert {dot} com
DOMAIN_FEEDBACK=iobacebauiler {dot} com
DOMAIN_FEEDBACK=ewaxertulio {dot} com
DOMAIN_FEEDBACK=arosakilomen {dot} com
DOMAIN_FEEDBACK=osaertugern {dot} com
DOMAIN_FEEDBACK=koliopewaqs {dot} com
DOMAIN_FEEDBACK=kasonkertub {dot} com
DOMAIN_FEEDBACK=tahulavumbak {dot} com
DOMAIN_BILLING=paysecuresystem {dot} com
DOMAIN_BILLING=pay-solution24 {dot} com
DOMAIN_BILLING=billing-365-solution {dot} com
DOMAIN_BILLING=cc-payment-sys24 {dot} com
DOMAIN_BILLING=billing365solution {dot} com
DOMAIN_BILLING=ccpaymentsys24 {dot} com
DOMAIN_BILLING=cc-pay-system {dot} com
DOMAIN_BILLING=cc-paysystem {dot} com
DOMAIN_BILLING=pay-cc-24 {dot} com
DOMAIN_BILLING=payment-solution365 {dot} com
DOMAIN_BILLING=pay-securesystem {dot} com
DOMAIN_BILLING=billsolution365 {dot} com
DOMAIN_BILLING=cred-card365 {dot} com
DOMAIN_BILLING=pay-cc24 {dot} com
DOMAIN_BILLING=bill-solution-365 {dot} com
DOMAIN_BILLING=billsystem-24 {dot} com
DOMAIN_BILLING=bill-service-365 {dot} com
DOMAIN_BILLING=cc-process24 {dot} com
DOMAIN_BILLING=365daysbilling {dot} com
DOMAIN_BILLING=payment-cc24 {dot} com
DOMAIN_BILLING=gateway-pay24 {dot} com
DOMAIN_BILLING=billsystem365 {dot} com
DOMAIN_BILLING=paymentsystem24 {dot} com
DOMAIN_BILLING=paymentnow24 {dot} com
DOMAIN_BILLING=processing-24 {dot} com
DOMAIN_UPDATE=hulieropedaso {dot} com
DOMAIN_UPDATE=rvertundfertug {dot} com
DOMAIN_UPDATE=xcuidflofertun {dot} com
DOMAIN_UPDATE=ertubedewse {dot} com
DOMAIN_UPDATE=huladopkaert {dot} com
DOMAIN_UPDATE=iobacebauiler {dot} com
DOMAIN_UPDATE=ewaxertulio {dot} com
DOMAIN_UPDATE=arosakilomen {dot} com
DOMAIN_UPDATE=osaertugern {dot} com
DOMAIN_UPDATE=koliopewaqs {dot} com
DOMAIN_UPDATE=kasonkertub {dot} com
DOMAIN_UPDATE=tahulavumbak {dot} com
DOMAIN_DOWNLOAD=hulieropedaso {dot} com
DOMAIN_DOWNLOAD=rvertundfertug {dot} com
DOMAIN_DOWNLOAD=xcuidflofertun {dot} com
DOMAIN_DOWNLOAD=ertubedewse {dot} com
DOMAIN_DOWNLOAD=huladopkaert {dot} com
DOMAIN_DOWNLOAD=iobacebauiler {dot} com
DOMAIN_DOWNLOAD=ewaxertulio {dot} com
DOMAIN_DOWNLOAD=arosakilomen {dot} com
DOMAIN_DOWNLOAD=osaertugern {dot} com
DOMAIN_DOWNLOAD=koliopewaqs {dot} com
DOMAIN_DOWNLOAD=kasonkertub {dot} com
DOMAIN_DOWNLOAD=tahulavumbak {dot} com

[XP Antispyware 2009]
EXE=XP_Antispyware
REG_MAIN|=Software\XP_Antispyware

[AntiSpywareXP 2009]
EXE=AntiSpywareXP2009
REG_MAIN|=Software\AntiSpywareXP2009

[Antivirus Pro 2009]
EXE=AntivirusPro2009
REG_MAIN|=Software\AntivirusPro2009

[XP Protection Center]
EXE=XPProtectionCenter
REG_MAIN=Software\XPProtectionCenter

[Home Antivirus 2009]
DOMAIN_UNREG=homeantivirus2009 {dot} com
DOMAIN_UNREG=home-antivirus2009 {dot} com
DOMAIN_UNREG=home-anti-virus2009 {dot} com
DOMAIN_UNREG=homeantivirus-2009 {dot} com
DOMAIN_UNREG=homeanti-virus-2009 {dot} com
DOMAIN_UNREG=home-antivirus-2009 {dot} com
DOMAIN_UNREG=home-anti-virus-2009 {dot} com
DOMAIN_UNREG=homeavirus2009 {dot} com
DOMAIN_UNREG=home-avirus2009 {dot} com
DOMAIN_UNREG=homeavirus-2009 {dot} com
DOMAIN_UNREG=home-a-virus-2009 {dot} com
DOMAIN_UNREG=homeantiv2009 {dot} com
DOMAIN_UNREG=home-antiv2009 {dot} com
DOMAIN_UNREG=homeantiv-2009 {dot} com
DOMAIN_UNREG=home-anti-v2009 {dot} com
DOMAIN_REGED=home-anti-v-2009 {dot} com
DOMAIN_REGED=homeav2009 {dot} com
DOMAIN_REGED=home-av2009 {dot} com
DOMAIN_REGED=homeav-2009 {dot} com
DOMAIN_REGED=home-av-2009 {dot} com
DOMAIN_REGED=home-a-v-2009 {dot} com
DOMAIN_REGED=hantivirus2009 {dot} com
DOMAIN_REGED=h-antivirus2009 {dot} com
EXE=HomeAntivirus2009
REG_MAIN=Software\HomeAntivirus2009

[AntiSpywareHome 2009]
DOMAIN_UNREG=ash2009 {dot} com
DOMAIN_REGED=ash2009 {dot} com
EXE=AntiSpywareHome2009
REG_MAIN=Software\AntiSpywareHome2009

[PC Security 2009]
DOMAIN_UNREG=pcsecurity-2009 {dot} com
DOMAIN_UNREG=pc-security-2009 {dot} com
DOMAIN_UNREG=pcsecurity09 {dot} com
DOMAIN_UNREG=pc-security09 {dot} com
DOMAIN_UNREG=pcsecurity-09 {dot} com
DOMAIN_UNREG=pc-security-09 {dot} com
DOMAIN_UNREG=pcsecurity2009 {dot} com
DOMAIN_UNREG=pc-security2009 {dot} com
DOMAIN_REGED=pc-securitysupport {dot} com
DOMAIN_REGED=pcsecurity-support {dot} com
DOMAIN_REGED=pc-security-support {dot} com
DOMAIN_REGED=pcsecuritysupp {dot} com
DOMAIN_REGED=pcsecurity-supp {dot} com
DOMAIN_REGED=pc-securitysupp {dot} com
DOMAIN_REGED=pc-security-supp {dot} com
DOMAIN_REGED=pcsecuritysupport {dot} com
EXE=PC_Security2009
REG_MAIN=Software\PC_Security2009

[Home Antivirus 2010]
DOMAIN_UNREG=homeantivirus2010 {dot} com
DOMAIN_UNREG=home-antivirus2010 {dot} com
DOMAIN_UNREG=homeantivirus-2010 {dot} com
DOMAIN_UNREG=homeanti-virus2010 {dot} com
DOMAIN_UNREG=home-anti-virus2010 {dot} com
DOMAIN_UNREG=home-anti-virus-2010 {dot} com
DOMAIN_UNREG=home-antivirus-2010 {dot} com
DOMAIN_UNREG=homeanti-virus-2010 {dot} com
DOMAIN_UNREG=homeav2010 {dot} com
DOMAIN_UNREG=home-av2010 {dot} com
DOMAIN_UNREG=homeav-2010 {dot} com
DOMAIN_UNREG=home-av-2010 {dot} com
DOMAIN_REGED=homeantivirussupport {dot} com
DOMAIN_REGED=home-antivirussupport {dot} com
DOMAIN_REGED=homeanti-virussupport {dot} com
DOMAIN_REGED=home-anti-virussupport {dot} com
DOMAIN_REGED=home-antivirus-support {dot} com
DOMAIN_REGED=home-anti-virus-support {dot} com
DOMAIN_REGED=home-avsupport {dot} com
DOMAIN_REGED=homeav-support2010 {dot} com
DOMAIN_REGED=home-avsupport2010 {dot} com
EXE=HomeAntivirus2010
REG_MAIN=Software\HomeAntivirus2010
CODE_NAME=ha21

[PC Antispyware 2010]
DOMAIN_UNREG=pc-anti-spyware-2010 {dot} com
DOMAIN_UNREG=pcanti-spyware-2010 {dot} com
DOMAIN_UNREG=pc-antispy2010 {dot} com
DOMAIN_UNREG=p-c-anti-spyware-2010 {dot} com
DOMAIN_UNREG=pcantispyware20-10 {dot} com
DOMAIN_UNREG=pc-antispyware20-10 {dot} com
DOMAIN_UNREG=pc-anti-spyware2010 {dot} com
DOMAIN_UNREG=pc-antispyware2010 {dot} com
DOMAIN_UNREG=pcantispyware-2010 {dot} com
DOMAIN_UNREG=pc-antispyware-2010 {dot} com
DOMAIN_UNREG=pcantispyware2010 {dot} com
DOMAIN_UNREG=pcantispyware-20-10 {dot} com
DOMAIN_UNREG=pc-antispyware-20-10 {dot} com
DOMAIN_UNREG=pc-anti-spyware20-10 {dot} com
DOMAIN_UNREG=pc-anti-spyware-20-10 {dot} com
DOMAIN_REGED=pc-securitysupport {dot} com
DOMAIN_REGED=pcsecurity-support {dot} com
DOMAIN_REGED=pc-security-support {dot} com
DOMAIN_REGED=pcsecurity-supp {dot} com
DOMAIN_REGED=pc-securitysupp {dot} com
DOMAIN_REGED=pcsecuritysupport {dot} com
EXE=PC_Antispyware2010
REG_MAIN=Software\PC_Antispyware2010
CODE_NAME=pca21

[Antivirus Pro 2010]
DOMAIN_UNREG=avp21 {dot} com
DOMAIN_REGED=avp21 {dot} com
EXE=AntivirusPro2010
REG_MAIN=Software\AntivirusPro2010
CODE_NAME=avp21

-------------------------------------------------------------------------

Have a malware-free day!