What is a virus i-worm trojan anyways? Well, it’s not a legitimate detection with a valid CARO name, it’s gibberish to lead a user to “Click ‘Ok’ to Install System Security Antivirus”, either on XP:
Or with a more sleek look on Vista:
The distributors of System Security Antivirus, another rogueware or FakeAv product, are redirecting Turkish users to a site encouraging them to download the malware with a familiar scheme: To watch this video you must have the Flash Player installed.
It appears that the group is worming through Windows Live Messenger to attract downloads in increasing prevalence. We’ll be investigating it in depth and posting details here.
The phony video page this time appears in Turkish, hosted on a Turkish server:
“Flash Player version uyumsuzlugu:
Tarayiciniz bu videoyu goruntuleyemiyor.
Bu videoyu izleyebilmek icin Flash Player yaziliminizin guncel olmasi gerekiyor.
Flash Player yaziliminizi guncellemek icin «Devam» butonuna tiklayiniz.”
The downloaded file, flashplayerupdate_01.exe, drops and runs advhost.exe from system32 to perform the dirty work and injects adlaunch32.dll into all newly started applications.
An interesting characteristic for the flashplayer_01 executable is its use of a spoofed, invalid digital signature, supposedly signed from Microsoft:
Conveniently, the english version of the attacking web page is hosted on the same server:
Of course, the payload appears to be a bit different, serving up a doctored install_flash_player_9.04.exe package that includes the legitimate mIRC client.
