Archive for January, 2009

Security System has detected spyware infection!

Tuesday, January 27th, 2009

Not really, but its popup will tell you that it has detected all sorts of things.

A pretty well organized group of fraudsters have been sending out messages and setting up websites to fool users into downloading and running TubeViewer.ver.6.exe. The file, in turn, is not a video codec, it is a familiar installer that drops a.exe, b.exe, ~tmpc.exe and several other dlls installed as a Bho, sometimes named msxml71.dll. The .exe components are Fakealert components, and popup phony scare tactics from the system tray, like the title of this post. We’ve blogged previously about AV2009, AV360, and others.

What’s new is the addition of various ad popups, and not simply FakeAV scams, like the popup shown here:

Multiple windows continue to perform phony AV scans and present phony AV results.
One of the active sites includes, which serves up “Security System”.

The site will offer up install.exe, which installs executables with randomly numberic names to the “All users” %appdata% directory. Avoid running these files or visiting these sites.

Valentine’s Day Waledac Theme

Friday, January 23rd, 2009

In their most predictable fashion, the distributors of Waledac are engineering a new valentine’s day scheme for their malware delivery. The ThreatFire community is preventing you.exe, meandyou.exe, and onlyyou.exe from being run on desktops. The web servers appear to be serving the same file from each site with the names above, which ThreatExpert identifies accurately.

The distributors currently are using
to serve up some these files and the nice graphics above with a cute question “Guess, which one is for you?”. Old sites listed at Shadowserver and other sites are being re-used as well with the new valentine’s day theme. A screenshot of one of the sites is above.
Along with the visual pleasantries, we are also seeing the standard set of commodity exploits served up to unsuspecting visitors via a redirection to a “google-analysis.js” obfuscated javascript.


Compare to last year’s Valentine’s day Storm theme that we described in a post, which they served up “With love!”:

And another of Storm’s themes that we posted about here.

Fresh Free?

Thursday, January 22nd, 2009

Believe it or not, there is not a munificent, all-giving internet presence bestowing upon you and your tired, bloodshot eyes all the “Fresh Free Hardcore Movies” that you can download. If you are on your parents’ or a library computer, you shouldn’t be trying to download this stuff anyways. Avoid the site.

Setup.exe” is being offered at hxxp://, along with a misleading guarantee that the software was “100% checked by antivirus”. To be sure, the file may have been checked by antivirus, but the results certainly aren’t posted on that site. Do NOT run the file.

As can be seen on the ThreatExpert report, the file installs a “CMVideo.dll” Bho. Aside from downloading other malware, the Bho component will redirect any google search result link to a set of affiliate servers. So, clicking on a google results link will pop open a new browser to “”:

This somewhat more sophisticated adware technique is becoming commonplace nowadays. Popups have been clearly defined as “badware”. Sleuthing down additional behavior like this adware’s can be involved, tiresome and not quite as intrusive.

Also interesting are some of the links that the setup file drops on the user’s desktop. Currently, the “Cheap Software” link directs the user to hxxp:// The site seems to offer a $4.95 a month service, and claims to serve up “over 1,400,000 files for you, consisting of over 1,200,000 GB of data. If you’re looking for it online, you’ll be sure to find it with us.”
Over at a complaints forum, there are a few other descriptions of the site, along with a comment that a user has filed a complaint with the Internet Crime Complaint Center (IC3) regarding the site this past Wednesday.