HOLY SHIZNET!Originally Posted by F-SecureF-Secure staff has found a malicious website that utilizes a spelling error when typing the name of the popular search engine - 'Google.com'. If a user opens a malicious website, his/her computer gets hijacked - a lot of different malware gets automatically downloaded and installed: trojan droppers, trojan downloaders, backdoors, a proxy trojan and a spying trojan. Also a few adware-related files are installed.
The name of the malicious website is 'Googkle.com'. PLEASE DO NOT GO TO THIS WEBSITE! Otherwise your computer will get infected! We have reported the case to the authorities.
Our investigation revealed that the whole infection starts from the 'googkle.com' website. This website, as well as a few related websites are owned by people with Russian names. Also several malicious files that are downloaded from these websites have Russian texts.
When the 'googkle.com' is opened in a browser, it shows 2 popup windows that are linked to the following websites:
The 'ntsearch.com' website downloads and runs the 'pop.chm' file and the 'toolbarpartner.com' website downloads and runs the 'ddfs.chm' file. Both files are downloaded using exploits and they contain exploits themselves to run embedded executable files. One of the webpages of the 'toolbarpartner.com' website downloads a file named 'pic10.jpg' using an exploit. This JPG file is actually an executable that replaces Windows Media Player application.
In addition these websites launch a stream of webpages with different exploits than end up in downloading and running 2 files from the 'daosearch.com' website:
See the description of these files below.
As far as the JAR archive is concerned. the actual malware functionality is in Installer.class, which downloads file from the same location as the JAR file is being loaded.
First the applet looks for filename to download from Applet parameter ModulePath (is specified in the HTML tag). If the parameter is not specified the applet defaults to msxmidi.dat.
After the file is downloaded the applet gets the location of Windows directory with GetWindowsDirectory() and saves the downloaded executable as 'web.exe' and executes it.
As said above, two CHM files get downloaded and activated on a computer. The 'pop.chm' file drops the 'sp.exe' file and runs it. The dropped 'sp.exe' file is detected as 'Trojan.Win32.Spooner.f'.
The 'ddfs.chm' file drops the 'frame.exe' file and runs it. The 'frame.exe' file is a trojan downloader that is detected as 'Trojan-Downloader.Win32.Small.apf'. It has the functionality to automatically reply to security questions asked by Windows to ensure that its process has connection to Internet. This downloader downloads and runs the following files from the 'toolbarpartner.com' website:
The 'xz.exe' file is a trojan dropper that is detected as 'Trojan-Dropper.Win32.Small.vv'. It drops a DLL named 'winloadhh.dll', detected as 'Trojan-Downloader.Win32.Small.anu' to the root folder of C: drive. This DLL is another downloader that connects to 2 different websites to get the list of files to download:
Last time we checked these sites, they contained the following list of files to download:
The 'sturfajtn.com' website:
The 'toolbarpartner.com' website:
These files are currently detected as follows:
So as you see, a nice malware package get installed on an affected computer: 2 backdoors, 2 trojan droppers, a proxy trojan, a spying trojan (that steals bank-related information) and a trojan downloader.
The 'winran.exe' file that is downloaded from 'pillz.info' website is a trojan dropper. It copies itself to Windows System folder with a random name and drops a DLL also with a random name to the same folder. The DLL modifies HOSTS file to block connection to the following websites:
The 'svchosts.exe' file is a trojan dropper. It drops a DLL named 'svchosts.dll' into Windows System folder. This DLL places a fake virus alert on a desktop. The alert looks like that (original spelling preserved):
YOUR PC IS INFECTED!
IT HAS BEEN DETECTED THAT YOUR PC HAS AT LEAST 3 DANGEROUS VIRUSES!
TO KNOW FOR SURE YOU URGENTLY NEED TO RUN AN ANTIVIRUS TEST ON YOUR PC!
The consequences of spyware and virus presence on your pc might belike:
loosing all the data, data might be stolen, your secrets might beexposed.
PROTECT YOUR PC!
REMOVE ALL VIRUSES NOW!
This fake alert is created by placing the HTML file on a desktop, so a user could click on the alert and go to a pre-defined website. The link from this fake alert points to the following website:
This website offers links to different websites that offer anti-virus and spyware cleaners for download. The motto of this site is 'Top Antivirus - We help people.'. Unfortunately the way people are directed to that website is somewhat deceptional.
The 'toolbar.exe' is an adware installer, that installs an adware toolbar known as 'Perez'.
The 'pic10.jpg' file is a trojan dropper similar to 'frame.exe'. It also drops a DLL named 'winloadhh.dll' to the root of C: drive. This DLL has the same functionality as the DLL, detected as 'Trojan-Downloader.Win32.Small.anu' mentioned above.
The 'web.exe' file is also a trojan downloader that is identical to the 'pic10.jpg' file described above.