From: ArameFarpado on 14 Feb 2010 09:20

hzzp://security-tool2010.org/username

It induces uninformed users to install a rogue antivirus that blocks the
Windows system. The site is a complete fake: I don't have a c:\ drive and
it shows 358 viruses in my c:\ drive.
From: Gordon Darling on 14 Feb 2010 09:41

On Sun, 14 Feb 2010 14:20:53 +0000, ArameFarpado wrote:

> hzzp://security-tool2010.org/username
>
> it induces non informated users to install a rogue anti virus that
> blocks the windows system
> the site is a complete fake, i don't have a c:\ drive and it shows 358
> viruses in my c:\ drive

Found 300 Trojans on my c: drive (on a Linux machine!)

Whois

Domain ID:D158322157-LROR
Domain Name:SECURITY-TOOL2010.ORG
Created On:09-Feb-2010 13:17:56 UTC
Last Updated On:09-Feb-2010 13:21:26 UTC
Expiration Date:09-Feb-2011 13:17:56 UTC
Sponsoring Registrar:UK2 Group Ltd. (R123-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:DI_11145153
Registrant Name:Joshua Curry
Registrant Organization:n/a
Registrant Street1:145 Lochmere Lane
Registrant Street2:
Registrant Street3:
Registrant City:Hartford
Registrant State/Province:Illinois
Registrant Postal Code:06103
Registrant Country:US
Registrant Phone:+860.4171945
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:softvseo(a)gmail.com
Admin ID:DI_11145153
Admin Name:Joshua Curry
Admin Organization:n/a
Admin Street1:145 Lochmere Lane
Admin Street2:
Admin Street3:
Admin City:Hartford
Admin State/Province:Illinois
Admin Postal Code:06103
Admin Country:US
Admin Phone:+860.4171945
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:softvseo(a)gmail.com
Tech ID:DI_11145153
Tech Name:Joshua Curry
Tech Organization:n/a
Tech Street1:145 Lochmere Lane
Tech Street2:
Tech Street3:
Tech City:Hartford
Tech State/Province:Illinois
Tech Postal Code:06103
Tech Country:US
Tech Phone:+860.4171945
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:softvseo(a)gmail.com
Name Server:NS1.FFUJI.COM
Name Server:NS2.FFUJI.COM

Regards
Gordon
From: VanguardLH on 14 Feb 2010 10:01

ArameFarpado wrote:

> hzzp://security-tool2010.org/username
>
> it induces non informated users to install a rogue anti virus that blocks
> the windows system
> the site is a complete fake, i don't have a c:\ drive and it shows 358
> viruses in my c:\ drive

If using IE8, why didn't you report it as an unsafe web site (Tools ->
Smartscreen filter -> Report as Unsafe)?

http://stopbadware.org/home/faq
"How can I report a badware application or website?"

http://www.google.com/safebrowsing/report_badware/
To report a site with malicious software

http://securitylabs.websense.com/content/reportMalicious.aspx

http://www.mvps.org/winhelp2002/criteria.htm
Use the "Contact" link. Never used their hosts file. Looks like this is
how you get a host added to their hosts file.
From: Ant on 14 Feb 2010 12:24

"ArameFarpado" wrote:

> hzzp://security-tool2010.org/username

Redirects to:
security-tool2010.com/online-scanner/index.html

which has a frame to:
89.248.171.83/hitin.php?land=21&affid=16278

which redirects to:
89.248.171.83/index.php?c=0&affid=16278

which contains the encoded script for the page. Randomly generates
filenames in the fake scan:

  var listname = new Array('$winnt$', '37', '12520850', '6to4svc', 'aaaamon',...
  var listras = new Array('inf', 'cpx', 'dll', 'acm', 'cpl', 'exe', 'ax',...
  filetext = "Now scanning: "
      + listname[Math.floor(Math.random() * listname.length)]
      + "." + listras[Math.floor(Math.random() * listras.length)];

The exe payload is at:
89.248.171.83/6_671cd6.php?affid=16278

89.248.171.83 is Ecatel LTD in the Netherlands. admin[at]ecatel.net (or
abuse[at]ecatel.net).
From: Virus Guy on 14 Feb 2010 23:09

Ant wrote:

> The exe payload is at:
> 89.248.171.83/6_671cd6.php?affid=16278

The IP address 89.248.171.83 is (or - was) the A-record for
fitvup83.shortlouse.net. The domain shortlouse.net apparently expired Dec
2008.

That IP address (alone) will serve up the fake AV scan and the payload
without needing any particular URL (as indicated above).

I just submitted the payload to VT. VT did not claim to have seen or
scanned it before. Only 6/41 hit rate (15%).

Comodo        TrojWare.Win32.FraudTool.ST.~GGI
eTrust-Vet    Win32/Fraud!packed
Panda         Suspicious file
Rising        Packer.Win32.Agent.bb
Symantec      Suspicious.Insight
TrendMicro    Cryp_Krap-9

The file, when run, creates a .bat and .exe file with a numeric name
(probably random) here:

C:\Documents and Settings\All Users\Application Data\20541517\20541517.bat
C:\Documents and Settings\All Users\Application Data\20541517\20541517.exe

And creates a Run key pointing to the .exe file.

(I don't have those files - this is from anubis analysis).
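The persistence pattern Virus Guy describes (a Run key pointing at an .exe in a purely numeric directory under the per-machine Application Data folder, with the executable carrying the same numeric name) is easy to hunt for in exported autorun entries because it does not depend on the particular number, which the poster notes is probably random. The script below is an added example, not code from anyone in this thread or from the Anubis service; it checks a mapping of Run-key value names to command lines and flags those matching that shape. It generalizes the sandbox observation in two assumed ways: it also treats C:\ProgramData (the equivalent folder on later Windows versions) as a per-machine data directory, and it handles both quoted and unquoted command lines. The registry values in SAMPLE_RUN_KEY are constructed for the demonstration.

```python
"""Flag Run-key entries that point at <per-machine data dir>\<digits>\<same digits>.exe.

Added example for this thread (not any poster's code). Sample registry
values below are constructed, not taken from a real system.
"""
import ntpath
import re

# Per-machine data directories, matched case-insensitively inside the path.
# The first is the XP-era location named in the thread; the second is the
# assumed equivalent on later Windows versions.
DATA_DIR_MARKERS = (
    r"documents and settings\all users\application data",
    r"programdata",
)

_NUMERIC_NAME = re.compile(r"^\d+$")


def executable_from_command(command: str) -> str:
    """Return the program path from a Run-key command line.

    A leading double-quoted path is taken verbatim; an unquoted command is
    cut at the first ".exe" followed by whitespace or end of string.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_numeric_dropper_path(path: str) -> bool:
    """True when path is <data dir>\<digits>\<digits>.exe with matching digits."""
    norm = path.lower()
    if not any(marker in norm for marker in DATA_DIR_MARKERS):
        return False
    directory, filename = ntpath.split(norm)   # ntpath handles backslashes on any OS
    stem, ext = ntpath.splitext(filename)
    parent = ntpath.basename(directory)
    return ext == ".exe" and _NUMERIC_NAME.match(parent) is not None and stem == parent


def suspicious_run_entries(entries: dict) -> dict:
    """Return the subset of {value_name: command} whose target matches the pattern."""
    return {
        name: cmd for name, cmd in entries.items()
        if is_numeric_dropper_path(executable_from_command(cmd))
    }


# Constructed sample Run-key values (value name -> command line).
SAMPLE_RUN_KEY = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Reader Speed Launcher": r'"C:\Program Files\Vendor\Reader\Reader_sl.exe"',
    "20541517": r"C:\Documents and Settings\All Users\Application Data\20541517\20541517.exe",
    "updater": r'"C:\ProgramData\778112\778112.exe" /silent',
    "backup": r"C:\ProgramData\Vendor\backup.exe --tray",
}

if __name__ == "__main__":
    for name, cmd in suspicious_run_entries(SAMPLE_RUN_KEY).items():
        print(f"SUSPICIOUS Run value {name!r}: {cmd}")
```

Run against the constructed sample it flags the "20541517" and "updater" values and leaves the three legitimately shaped entries alone; to use it on a real host, feed it the values exported from the HKLM and HKCU ...\CurrentVersion\Run keys. The check keys on structure rather than on the specific number precisely because the dropper picks that name at run time.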