2008 December | Malware Database

Archive for December, 2008

Dec

Phishing emails pointing to fake Classmates.com website featuring malware

By mwdisector 0 Comments

Categories: Database Update, Malicious Domains, Malware and Phishing

In the past couple months there has been phishing campaigns against Classmates.com. On a regular basis emails talking about class reunions containing links pointing to fake Classmates.com websites have spewed onto the Internet. These fake websites have fake videos which are actually malware (EXE file) designed to take control of your computer and using trojans and keyloggers. Oh and by the way, these EXE files will automatically try to download onto your PC without you clicking them.

WARNING: Websites hosting malicious content!

FROM ADDRESSES:
Classmates Alert Center
Classmates Community
Classmates Help Center
Classmates Management
Classmates Meeteng Center
Classmates Member Center
Classmates Messagebox#
Classmates Online Center
Classmates Reunion Center
Classmates Shedule Center
Classmates Support Center
Classmates Technical Support
Classmates Video Center

SUBJECTS:
Classmates Important Meeting Information
Classmates Organisation.Class Reunion Information
Classmates Organisation.Class Reunion Planner
Classmates Organiser Warning – Meeting high school and junior college classmates
Classmates Organiser Warning – This is a forum where you can make any suggestions for the Reunion.
Classmates Party invitation…
Classmates Party invitation…
Classmates Preview, public invitation
Classmates Reunion - Invitation
Classmates Reunion – Classmates Reunion – Special Preview Invitation
Classmates Reunion – Congratulations Today !
Classmates Reunion – Invitation: Ready
Classmates Reunion – Your Classmates Invitation – He’s Ready, Are You?
Classmates Reunion – unique invitation.
Classmates Reunion Soon – Classmates Organisation.What Have You Been Up To
Classmates Reunion Soon – Important Dates for Classmates Meeting
Classmates Video your personal invitation by John
Currently planning the 2009 Year Reunion
Do Not Miss Tonight’s Classmates Reunion !
Please Do Not Miss the Classmates Meeting!
Revised reunion date announced
Webster meetings among former classmates
Welcome to Classmates Personal Invitation
You have one new message. Classmates
Your Classmates Are Waiting – AN URGENT MESSAGE
Your classmates Day New Date..How can someone miss a Classmates meeting?
Your classmates Day New Date.A Meeting with my HighSchool Classmates
Your own unique invitations from classmates.

ROOT DOMAINS:
adobeflasplayer10.com
classmateqs.com
classmatersunion.com (24.136.176.91, 68.51.164.175, 75.63.170.53, 76.27.148.240, 98.217.125.105)
classmatesupdates.com
dnuemjsi.com
downloadservers7.com
downloadupdateadobe10.com
flashadobeplayer9.com
getinstallations.com
happynewyearclassmates.com
indexguideclassmates.com (68.40.193.72, 75.58.247.185, 75.63.170.53, 76.27.148.240, 67.172.60.164)
installationsadobeflash10.com
keiortue.com
kertuierp.com
meetingclassmaterss.com
meetwithyourfriends.com
merrychristmassclass.com (208.78.242.184)
newflashadobe.com
newklassmates.com (208.73.210.121)
newyearclassmates.com
reinstallflash.com (67.172.60.164, 68.40.193.72, 75.58.247.185, 75.63.170.53, 76.27.148.240)
reunionclassmates.com
sdunsosdu.com
serveronlines.com
serversupdates.com
user-X1aR1qC1newclasshost.com
user-j1oz1zj1newklassmates.com
user-m1qa1nk1updatedclassmates.com
user-p1pc1iu1getinstallations.com
user-x1ar1qc1newclasshost.com
vreied.com
vreixs.com

FAKE VIDEO MALWARE FILE:
Adobe_Player10.exe
VT coverage 27/38:
https://www.virustotal.com/analisis/4d17de3d6ba580900af852ed5ad9a52f

–mwdisector

Dec

Several domains redirecting to rogue security site antispyware-scanner-free.com

By mwdisector 0 Comments

Categories: Database Update and Rogue Security Software

WARNING: Fraudulent/fake security website/application!

Found several domains that are redirecting to a domain hosting rogue security software called Web Spy Shield. This website claims to perform a scan of your PC than reports back that it found infections including nude/porn pictures. It even displays the porn pictures during and after the scan. Incidently the PC I scanned this on was clean – it was a fresh install.

Redirects:
fronthomepagez.com (94.247.3.22)
anotherdnserrorz.com (94.247.3.23)
AS12553 | 94.247.3.22 | PCEXPRESS-AS _DATORU EXPRESS SERVISS_ Ltd.

scanonlinefreee.com (64.27.18.54)
scan-onlinefreee.com (64.27.18.54)
AS7796 | 64.27.18.54 | ATMLINK – ATMLINK, INC.

Rogue/fake security software/scanner site:
scan.antispyware-scanner-free.com (78.26.179.130)
AS34187 | 78.26.179.130 | RENOME-AS Renome-Service: Joint Multimedia Cable Network

–mwdisector

Dec

New domain redirects to rogue security software VirusRemover 2008 / Winfixer

By mwdisector 0 Comments

Categories: Rogue Security Software

WARNING: Fraudulent website/application!

A newly registered domain redirects the visitor to a website featuring a fake security products called VirusRemover 2008 / Winfixer. This website will automatically start a scan of the system (although doesnt appear to be doing any scan at all) then reports your PC is infected (which is a lie).

Website:
online-spyware-detector.com (68.180.151.16)
redirects to powerfulvirusremover2008.com (78.157.142.47)

online-spyware-detector.com
ICANN Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created: 2008-12-16

powerfulvirusremover2008.com
ICANN Registrar: TLDS, LLC DBA SRSPLUS
Created: 2008-08-29

EXE downloaded from site:
VirusRemover2008_Setup_Free_en.exe
VT scan 29/38: (detected as fraudtool Winfixer)
http://www.virustotal.com/analisis/f26a6ee6abf1ed9c1e8828a69ae439be

Dec

Fraudware security app on antispywerepro.com

By mwdisector 0 Comments

Categories: Database Update

WARNING: Fraudulent webiste/application!

Known fraudulent antispyware application called ‘SpywareStop’ is being hosted on antispywerepro.com. For those keeping score, it used to be called ‘SpywareBot’.