MalwareTeks Blog

09 Oct 2006 @ 1:20 AM

Well, What do we have here? Security scam hijacker sites

I’m a little slow on the uptake with this one, but I was reading the SunbeltBLOG last Sunday when I came across this item of interest: New new security scam hijacker sites. So, I decided to visit one of the sites listed in the SunbeltBLOG article.

Why would I do such a thing? The blog article says these are scam sites pushing “Rogue” Anti-Spyware applications. Those who work in the world of PC security and malware removal know exactly why I would do such a thing: to find out exactly what is being pushed onto the unsuspecting, uninformed Internet traveler.

So, I paid a visit to uptodateprotection(dot)com, and this is what I found. Upon the page opening I was immediately greeted by a pop-up (see Figure 1) warning me about the W32.Myzor.FK@yf virus, which I suspect is meant to lead one to believe that their system is infected by this little nasty.

Figure 1: Contents of the pop-up window (edited for clarity)

Warning! W32.Myzor.FK@yf is a virus that infects files with .exe extensions. It attempts to steal passwords and private information from the infected computer.

Type: Virus infection
Length: 138,293 bytes
Systems Affected: 95, 98, ME, NT (all versions), 2003, Windows XP (all service packs)
Systems Not Affected: DOS, EPOC, Linux, Macintosh, Novell Netwear, OS/2

Technical Details:
1. Creates files in %Windir%\ directory. By default this is C:\Windows
2. Adds values to registry keys: HKEY_LOCAL_MNACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. Scans the hard drive for .exe files and infects any executable files. Searches for passwords/information, which it may send to a remote attacker.

Recommendations: Click “OK” to download officially approved security software Always keep your patch level up-to-date.

What is W32.Myzor.FK@yf?

W32.Myzor.Fk is a threat detected by a rogue antispyware program. It displays a warning: “W32.Myzor.FK@yf. is a virus that infects files with .exe extensions.”

It also hijacks your Browser and redirects the webpage.

Of particular note is the Systems Affected list for this Trojan. It doesn’t say Windows 2000 (all service packs) is affected. That’s interesting, since 2000 is an NT-based OS. If all versions of NT are affected and every Windows version after 2000 is affected, then it stands to reason that Windows 2000 would also be affected.

Make a note of the Systems Not Affected. I will revisit that item a little later in the article.

In the Technical Details it tells you that W32.Myzor.FK@yf creates files in the %Windir%\ directory, which by default is C:\Windows. %Windir% is the system variable for the Windows directory, which can be C:\Windows or C:\Winnt depending on which OS is installed.

Adds values to the Registry Key: HKEY_LOCAL_MNACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

This is not a valid Windows Registry Key. The correct Registry Key would be: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

“Recommendations: Click ‘OK’ to download officially approved security software. Always keep your patch level up-to-date.” ‘Officially approved’ by whom? Microsoft? I don’t think so. The last part of that statement is actually good advice: always keep your OS and software updated.

Clicking “OK” on the pop-up redirects to a new page, see figure 2.

Figure 2

This is not a virus or a Trojan. It is a “Rogue Anti-Spyware Application”. This application, Malwarewipe, claims to remove unwanted malicious programs. It is known to be associated with some versions of the Puper Trojan. In order to clean or delete any elements it finds, you must first enter a valid serial number to activate the full version or click on the “Buy Online” button and purchase the full version. The software also appears to be related to, or possibly a re-branding of, Spyaxe.

So, what happens if I don’t click “OK” and click “Cancel” instead? Here’s what happens, see Figure 3.
Figure 3

This is an interesting page. This site is actually the URL your Web Browser redirects to when you open your Web Browser. This type of behavior is what is classified as a Hijacker.

There are several links to Anti-Spyware applications on this page. Be careful: every one of these applications is collectively referred to as a “Rogue Anti-Spyware application.” None of them, not a single one, is a legitimate Anti-Spyware Application.

In the System Security Status: Warning table you will see a warning that my system is vulnerable and intruders can gain access to my system. Well, that isn’t entirely a true statement. This warning is meant to mislead you into believing that your system has been compromised, and to goad you into downloading the program linked to in the warning. Clicking on this link will take you to the Spy Heal web site. Spy Heal is another “Rogue;” do not download it.

The Investigation Report: Summary table on this web page displays a few items of interest, namely my IP address, Browser and OS. Don’t be overly alarmed by that fact. Your browser transmits that information, and a few more things about your system, to any web site you visit. If it didn’t, then you wouldn’t be able to view most web sites; at least not the way they were meant to be viewed.

Getting back to the information displayed about my system. The browser type detected is: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060915 CentOS/1.0.5-0.1.el4.centos4 SeaMonkey/1.0.5. It looks a little cryptic, but really isn’t. The browser used during this session is Mozilla SeaMonkey 1.0.5 and my language setting is English (US). Now this is where it gets a little interesting. The site was not able to properly detect my OS. Yet that information was transmitted by my browser; if you look back at the information about my browser, you will see the OS, which in this case is Linux i686, specifically CentOS.

Let’s go back to the pop-up when I first opened the site. Do you remember which OSes were not affected by the W32.Myzor.FK@yf virus? Just so that you don’t have to scroll all the way back to the beginning of the article, I’ll list them here again. Systems Not Affected: DOS, EPOC, Linux, Macintosh, Novell Netwear, OS/2.

That’s funny: my OS is listed as VULNERABLE, but I’m running Linux. So, the authors of this want me to believe my system is infected with a virus that will only execute on Windows, and that an intruder can gain access to these files and folders:

- \Windows\System32
- \Program Files\Internet Explorer
- \My Documents
- Drive C:\ files
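The cross-checks made above (the browser’s User-Agent string against the alert’s own “Systems Not Affected” list, and the misspelled registry hive) can be automated. This is an added example, not code from the original post; it assumes a Gecko-style User-Agent layout and uses the values quoted in the post as constructed sample input.

```python
import re

# Constructed sample input: the User-Agent string the scam page echoed back
# (the same string quoted in the post above).
SAMPLE_UA = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) "
             "Gecko/20060915 CentOS/1.0.5-0.1.el4.centos4 SeaMonkey/1.0.5")

# "Systems Not Affected" exactly as the fake alert printed it.
NOT_AFFECTED = ["DOS", "EPOC", "Linux", "Macintosh", "Novell Netwear", "OS/2"]

# The only root hives that exist in the Windows registry.
VALID_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
               "HKEY_USERS", "HKEY_CURRENT_CONFIG"}


def parse_user_agent(ua):
    """Extract platform, language and browser/version from a Gecko-style UA."""
    info = {"platform": None, "language": None, "browser": None, "version": None}
    m = re.search(r"\(([^)]*)\)", ua)  # the parenthesised platform block
    if not m:
        return info
    for field in (f.strip() for f in m.group(1).split(";")):
        if re.fullmatch(r"[a-z]{2}(-[A-Z]{2})?", field):
            info["language"] = field                 # e.g. en-US
        elif field.startswith(("Linux", "Windows", "Macintosh", "OS/2")):
            info["platform"] = field.split()[0]      # "Linux i686" -> "Linux"
    # Product tokens follow the block; the last one is the actual browser.
    products = re.findall(r"([A-Za-z]+)/([\w.\-]+)", ua[m.end():])
    if products:
        info["browser"], info["version"] = products[-1]
    return info


def registry_key_is_valid(key):
    """A registry path is only plausible if its root hive actually exists."""
    return key.split("\\", 1)[0] in VALID_HIVES


def audit_fake_alert(ua, not_affected, registry_key):
    """Return the internal contradictions in a scareware alert, as strings."""
    findings = []
    info = parse_user_agent(ua)
    if info["platform"] in not_affected:
        findings.append("visitor runs %s, which the alert itself lists as not "
                        "affected" % info["platform"])
    if not registry_key_is_valid(registry_key):
        findings.append("registry hive %r does not exist"
                        % registry_key.split("\\", 1)[0])
    return findings


if __name__ == "__main__":
    key = r"HKEY_LOCAL_MNACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    for line in audit_fake_alert(SAMPLE_UA, NOT_AFFECTED, key):
        print("inconsistency:", line)
```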

In all seriousness, I am running Linux on this system, but the vast majority of PC users are using Windows. Be it 98, ME, or XP, it is Windows, and it is vulnerable to exactly this type of attack.

The people who create these sites and programs rely on “Social Engineering” to get you to click on one of the many links on this type of page and install a program that will not perform as advertised. These programs will install several Trojans on your system.

If you have fallen victim to this type of scam, start a new thread in the Malware Removal Forum of this site.

(You must Register before posting anywhere on this board. Registering is 100% FREE)

We ask that you first complete all the steps outlined in our Malware Cleaning Guide before starting a thread in the Malware Removal Forum.

It is highly recommended that you read the article, Protect Yourself From Malware: Tools And Tips, and adjust your practices, software, and settings as necessary.

Before considering or installing an Anti-Spyware product, please check out this excellent resource: Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites.

Posted By: ShadowPuterDude
Last Edit: 04 Nov 2006 @ 09:38 PM