Wednesday, July 9, 2008

Update on Trojan-Downloader-CodecPack Distributing sites

A while ago I wrote about a Trojan-Downloader-CodecPack distributing site; here are some facts about this Trojan and the sites involved in this campaign.

The following porn site lures users into downloading and installing a missing "Video ActiveX object" in order to view porn online.

Site Name: Just-tube.com
IP Address: 74.50.117.84

The Trojan is then downloaded from the following site:

Site Name: Codecupgrade.com
IP Address: 74.50.117.84

The following crack site, which shares the same IP, also delivers a similar Trojan:

Site Name: Best-cracks.com
IP Address: 74.50.117.84

The following site also shares the same IP:

Updatehost.com -> malware call-home

Once the Trojan is installed it displays a balloon message. When the user clicks on the balloon message, the Trojan makes use of the following site to advertise a rogue security application:

Site Name: Stopbadware2008.com
IP Address: 74.50.117.84

Screenshot of the Stopbadware2008.com home page

Following are some of the links used in this campaign:
Stopbadware2008(dot)com/0/baloon.php
Stopbadware2008(dot)com/0/c1.php
Stopbadware2008(dot)com/0/c2.php

The Trojan redirects users to either "Antivirus 2008", "WinSpywareProtect" or "Antivirus 2009" scare/fake scanner pages.

Antivirus 2008 rogue distributing sites:

Antivirus-scanner.com
Antivirus-scanonline.com
Infectionscanner.com
Topvirusscan.com
Topantivirus-scan.com
Virus-scanonline.com
Virusbestscan.com
Virusbestscanner.com

WinSpywareProtect rogue distributing sites:

Wspscanner.com
Winspywareprotectdl.com
Winantivirus2008.org
Surf-scanner.com
Scanner-tool.com

Antivirus 2009 rogue distributing sites:

Antivirus2009-freescan.com
Virus-webscanner.com
Virus9-webscanner.com
Windows-scanner.com

All these sites should go to your block list; stay away from all of them.
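As an added example, not part of the original post: a small Python checker that turns the domains and shared IP listed above into a blocklist and runs it over proxy log lines. The Squid native log format and the sample lines are my assumptions (constructed, not real traffic); matching on the upstream IP as well as the host also flags sites on the same server that the post does not list.

```python
from urllib.parse import urlsplit

# Indicators from the post, grouped by the role each site plays in the campaign.
ROLE_DOMAINS = {
    "lure": ["just-tube.com"],
    "trojan download": ["codecupgrade.com", "best-cracks.com"],
    "call home": ["updatehost.com"],
    "rogue advert": ["stopbadware2008.com"],
    "Antivirus 2008": ["antivirus-scanner.com", "antivirus-scanonline.com", "infectionscanner.com",
                       "topvirusscan.com", "topantivirus-scan.com", "virus-scanonline.com",
                       "virusbestscan.com", "virusbestscanner.com"],
    "WinSpywareProtect": ["wspscanner.com", "winspywareprotectdl.com", "winantivirus2008.org",
                          "surf-scanner.com", "scanner-tool.com"],
    "Antivirus 2009": ["antivirus2009-freescan.com", "virus-webscanner.com",
                       "virus9-webscanner.com", "windows-scanner.com"],
}
CAMPAIGN_DOMAINS = {d: role for role, ds in ROLE_DOMAINS.items() for d in ds}
CAMPAIGN_IPS = {"74.50.117.84"}  # the single hosting IP shared by every site in the post

def match_domain(host):
    """Return the blocklisted domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # walk up the labels so www.<domain> matches too
        candidate = ".".join(labels[i:])
        if candidate in CAMPAIGN_DOMAINS:
            return candidate
    return None

def check_proxy_line(line):
    """Check one Squid native access.log line (assumed format, fields split on whitespace).
    Returns (client_ip, indicator, role) on a hit, else None."""
    fields = line.split()
    if len(fields) < 9:
        return None
    client_ip, url, upstream = fields[2], fields[6], fields[8]
    dom = match_domain(urlsplit(url).hostname or "")
    if dom:
        return (client_ip, dom, CAMPAIGN_DOMAINS[dom])
    upstream_ip = upstream.split("/", 1)[-1]  # "DIRECT/74.50.117.84" -> IP only
    if upstream_ip in CAMPAIGN_IPS:
        return (client_ip, upstream_ip, "shared hosting IP")
    return None

# Constructed sample lines: a listed host, a benign request, and an unlisted host on the campaign IP.
SAMPLE_LOG = [
    "1215600001.101 120 10.0.0.5 TCP_MISS/200 5120 GET http://www.stopbadware2008.com/0/c1.php - DIRECT/74.50.117.84 text/html",
    "1215600002.202 80 10.0.0.7 TCP_MISS/200 914 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html",
    "1215600003.303 95 10.0.0.9 TCP_MISS/200 2048 GET http://unlisted.example/scan.php - DIRECT/74.50.117.84 text/html",
]
```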

Bharath M N
