Download this Codec(Virus)

  • Quickdraw
    Confirmed User
    • Mar 2004
    • 1717

    #1

    Download this Codec(Virus)

    Here is a gallery that is promoting Wildcash with the Moviebox/zlob trojan

    porn-abc.com/ike/1666520193/1/
    contains a javascript file here
    porn-abc.com/js/cchrslib_t_1000.js
    which contains this download on a domain registered a few days ago. This/these gallery(s) used to link to a different domain, so I assume they are trying to stay ahead of the scanners
    use-play.com/download/use-play1000.exe

    Their link to Wildcash is
    wildpornreviews.com/mov/fromasstomouth.com/2/005/MTA1ODAxOjU6MTY
    which makes their wildcash id 105801

    Download this stuff and see how your surfers just won't make it anywhere that will make you money.
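As an added example (my code, not part of the original post), here is a small Python triage script for a page like the one described above: it pulls the external script and link URLs out of the HTML, flags links to executables (especially ones served from a different domain than the gallery itself), checks how recently each referenced domain was registered, and base64-decodes the last path segment of the sponsor link, which is how the affiliate id 105801 above falls out of the token MTA1ODAxOjU6MTY. The markup, the WHOIS creation dates and the "today" date are constructed stand-ins so it runs offline; only the URLs quoted in the post are reused.

```python
import base64
import binascii
import re
from datetime import date
from urllib.parse import urljoin, urlparse

# Constructed sample page: the markup is invented, only the URLs quoted in the
# post above (gallery, script, sponsor link, .exe download) are reused.
SAMPLE_PAGE_URL = "http://porn-abc.com/ike/1666520193/1/"
SAMPLE_HTML = """<html><body>
<script src="/js/cchrslib_t_1000.js"></script>
<a href="http://wildpornreviews.com/mov/fromasstomouth.com/2/005/MTA1ODAxOjU6MTY">full video</a>
<div id="player">Codec missing: <a href="http://use-play.com/download/use-play1000.exe">install</a></div>
</body></html>"""

# Constructed stand-in for WHOIS creation dates (assumption: the post only
# says use-play.com was registered "a few days ago"; the dates are invented).
FAKE_WHOIS_CREATED = {
    "porn-abc.com": date(2007, 3, 2),
    "use-play.com": date(2007, 9, 21),
    "wildpornreviews.com": date(2004, 1, 15),
}
TODAY = date(2007, 9, 24)

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
HREF = re.compile(r'\bhref=["\']([^"\']+)["\']', re.I)
EXE_EXT = (".exe", ".scr", ".pif", ".bat", ".msi")


def domain_of(url):
    return (urlparse(url).hostname or "").lower()


def referenced_urls(page_url, html):
    """Absolute URLs of every external script and every link on the page."""
    scripts = [urljoin(page_url, s) for s in SCRIPT_SRC.findall(html)]
    links = [urljoin(page_url, h) for h in HREF.findall(html)]
    return scripts, links


def executable_downloads(page_url, html):
    """Links whose path ends in a Windows executable extension."""
    _, links = referenced_urls(page_url, html)
    return [u for u in links if urlparse(u).path.lower().endswith(EXE_EXT)]


def domain_age_days(url, whois=FAKE_WHOIS_CREATED, today=TODAY):
    """Days since the URL's domain was registered, or None if unknown."""
    created = whois.get(domain_of(url))
    return None if created is None else (today - created).days


def decode_tracking_token(token):
    """Base64-decode an affiliate token, restoring any stripped '=' padding."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(page_url, html, whois=FAKE_WHOIS_CREATED, today=TODAY, max_age_days=30):
    """Summarise what a rehosted gallery page pulls in and who gets paid."""
    scripts, links = referenced_urls(page_url, html)
    findings = {"scripts": scripts, "executables": [], "young_domains": [], "affiliate": None}
    for exe in executable_downloads(page_url, html):
        # a "codec" served from a different domain than the gallery is the classic lure
        findings["executables"].append({"url": exe, "off_site": domain_of(exe) != domain_of(page_url)})
    for u in scripts + links:
        age = domain_age_days(u, whois, today)
        if age is not None and age <= max_age_days and domain_of(u) not in findings["young_domains"]:
            findings["young_domains"].append(domain_of(u))
    for u in links:
        # sponsor links carry the affiliate id in a base64 token as the last path segment
        decoded = decode_tracking_token(urlparse(u).path.rsplit("/", 1)[-1])
        if decoded and ":" in decoded:
            findings["affiliate"] = {"url": u, "decoded": decoded, "id": decoded.split(":")[0]}
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(key, value)
```

Against the constructed page this reports the one off-site .exe, use-play.com as the only freshly registered domain, and the sponsor token decoding to 105801:5:16. In real use the WHOIS table would be replaced by a lookup and the page fetched from a sandboxed host, since the script on such pages is exactly what you do not want your browser to run.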
  • Quickdraw
    Confirmed User
    • Mar 2004
    • 1717

    #2
    This is Videoscash work, and it is stealing from you in a big way.
    Here is another domain spreading this crap with more domains in the background.
    Pagerank of 6
    moviereality.com on IP 209.51.138.181, which has 3 nameservers:
    ns2.teenprofiles.com
    ns1.moviereality.com
    ns2.videoscash.com

    • Quickdraw
      Confirmed User
      • Mar 2004
      • 1717

      #3
      Here is a link to another GFY thread that details just a small portion of what this malware does.
      http://www.gfy.com/showthread.php?t=720781

      • Quickdraw
        Confirmed User
        • Mar 2004
        • 1717

        #4
        Did you know that Videoscash changes the binaries on these trojans which puts them 1 step ahead of the av companies?
        Once a surfer is infected with this lureware, you have NO chance of making money with that surfer until they get 'cleaned'/reformatted.

        • Quickdraw
          Confirmed User
          • Mar 2004
          • 1717

          #5
          Why do you think this trojan scans the surfers computer for recent visits to adultwebmaster boards?
          http://www.sophos.com/security/analyses/trojzlobpe.html

          • Quickdraw
            Confirmed User
            • Mar 2004
            • 1717

            #6
            When link is followed …
            • Runs Malicious JavaScript (Troj/Pysme-DL)
            • Exploits IE Vulnerability
            • Downloads Troj/Dropper-MH
            • Drops Troj/Bckdr-PPY used to ‘hide’ processes
            • Also drops Troj/Proxy-EN which tells the backdoor what to hide
            • Once installed, cannot be “seen”
            • Main purpose – Troj/Proxy-EN used to ‘relay’ spam
            Read more in this PDF by Sophos--
            http://icsecurity.di.uniroma1.it/sto...rrisSophos.pdf

            Doesn't appear people here care too much, but if you do, check your trades/links.
            Your income depends on it.

            • martinsc
              Too lazy to set a custom title
              • Jun 2005
              • 27047

              #7
              .....
              Make Money

              • Swish
                Confirmed User
                • Mar 2006
                • 1421

                #8
                Lame....


                Naughty America - Director of Technology
                It's a CELEBRATION bitches!! For the hottest content promote Naughty America!
                swish at naughtyamerica dot com | ICQ: 226 737 620 | See Who I Am At AdultWhosWho.com!

                • shoeaholicanon
                  Confirmed User
                  • Feb 2007
                  • 1003

                  #9
                  **bump**

                  • Adam_M
                    Confirmed User
                    • Mar 2006
                    • 3800

                    #10
                    BE WARNED

                    If you are using adware in ANY promotion of our programs your account will be banned!

                    The account mentioned above has been removed.

                    Adam
                    DiscountedPorn.Com
                    ReviewedPorn.com

                    • Quickdraw
                      Confirmed User
                      • Mar 2004
                      • 1717

                      #11
                      Originally posted by Adam_WildCash
                      BE WARNED

                      If you are using adware in ANY promotion of our programs your account will be banned!

                      The account mentioned above has been removed.

                      Adam
                      Awesome!!

                      • toddy1999
                        Confirmed User
                        • Feb 2006
                        • 5122

                        #12
                        Originally posted by Adam_WildCash
                        BE WARNED

                        If you are using adware in ANY promotion of our programs your account will be banned!

                        The account mentioned above has been removed.

                        Adam

                        • NTSS
                          Confirmed User
                          • Mar 2005
                          • 5688

                          #13
                          Fucking scumbags man! This type of shit pisses me off. I guess the only thing that can be done is to out them to the related sponsor and hope they get removed.

                          Good work Quickdraw...way to go Adam
                          ICQ: 150-803-430
                          Email: marketing7(at)cox(dot)net

                          • aico
                            Moo Moo Cow
                            • Mar 2004
                            • 14748

                            #14
                            Won't happen of course, but it would be nice if programs not only closed the accounts (well done Wild Cash), but make it known who the offending affiliate is so other programs can do the same. Because I am sure this guy/gal will just move on to the next one, and next one, and next one...

                            • toddy1999
                              Confirmed User
                              • Feb 2006
                              • 5122

                              #15
                              Originally posted by aico
                              Won't happen of course, but it would be nice if programs not only closed the accounts (well done Wild Cash), but make it known who the offending affiliate is so other programs can do the same. Because I am sure this guy/gal will just move on to the next one, and next one, and next one...
                              Absolutely right. But what can we do? I would say big nothing.

                              • martinsc
                                Too lazy to set a custom title
                                • Jun 2005
                                • 27047

                                #16
                                Originally posted by Adam_WildCash
                                BE WARNED

                                If you are using adware in ANY promotion of our programs your account will be banned!

                                The account mentioned above has been removed.

                                Adam
                                Make Money

                                • Zoose
                                  Confirmed User
                                  • Aug 2006
                                  • 268

                                  #17
                                  Originally posted by toddy1999
                                  Absolutely right. But what can we do? I would say big nothing.
                                  I don't see why not, a shared blacklist would not be hard to accomplish. A lot of the big linklists have been doing it for years - http://bl.usefulscripts.com

                                  • Gabriel Night
                                    Confirmed User
                                    • Mar 2007
                                    • 602

                                    #18
                                    Originally posted by Adam_WildCash
                                    BE WARNED

                                    If you are using adware in ANY promotion of our programs your account will be banned!

                                    The account mentioned above has been removed.

                                    Adam
                                    Call me Cedric
                                    GNC DNS
                                    Best BDSM sponsor ever Kinky Dollars

                                    • [ Nate ]
                                      Confirmed User
                                      • Mar 2007
                                      • 1468

                                      #19
                                      That zlob trojan is a muther to get out. I had to deal with that about a week ago!!!!!
                                      Ladyboy Inc. / Asian Money Machine

                                      • garce
                                        Confirmed User
                                        • Oct 2001
                                        • 7103

                                        #20
                                        Originally posted by Gabriel Night
                                        You've posted the same thing 472 times in a month. Hurray! Thanks for contributing.

                                        • u-Bob
                                          there's no $$$ in porn
                                          • Jul 2005
                                          • 33063

                                          #21
                                          porn-abc.com = registered @ ESTdomains (no surprise there).
                                          porn-abc.com = hosted @ cernel.net (no surprise there).

                                          Wherever there's a trojan, you can find EST domains, EST host, cernel, intercage, inhoster or attrivo.

                                          • toddy1999
                                            Confirmed User
                                            • Feb 2006
                                            • 5122

                                            #22
                                            Originally posted by [ Nate ]
                                            That zlob trojan is a muther to get out. I had to deal with that about a week ago!!!!!
                                            Heh, yeah, pain in the ass. I had that shit too. Very nasty.

                                            • Adam_M
                                              Confirmed User
                                              • Mar 2006
                                              • 3800

                                              #23
                                              After a deeper investigation we feel the need to clarify a few things...

                                              First of all, about the WildCash affiliate mentioned in this thread: It is
                                              entirely possible and likely that he has absolutely no knowledge of the
                                              MovieBox trojan or porn-abc.com.

                                              porn-abc.com is a completely independent domain.

                                              We investigate all these matters very seriously, and although this stuff has
                                              nothing to do with Wildcash at all we're reporting what we've found to the
                                              community.

                                              The following we know to be 100% certain:

                                              An independent malicious party is downloading gallery pages from the web and
                                              re-hosting them on their own servers with the videos removed and links to a
                                              fake-codec (MovieBox trojan) inserted.

                                              As QuickDraw mentioned, there is also JavaScript added to the page that
                                              attempts to install the malware automatically. If the surfer's browser does
                                              not allow this automatic installation there is still a chance the surfer, in
                                              all his horniness, will download and install the fake codec manually.

                                              They are hosting these spidered galleries on at least 233 domains spread
                                              across at least 56 IP addresses.
                                              All the domains are registered through ESTDOMAINS.
                                              All the hosting is at CERNEL and INTERCAGE (55 IPs at CERNEL; 1 IP at
                                              INTERCAGE).

                                              It is important to note that galleries from many programs and many different
                                              affiliates have been downloaded and re-hosted by these guys, and that in
                                              almost all cases it's entirely likely the affiliate and program have no
                                              knowledge of this.

                                              Ok, that's great, so what can we do?

                                              As a surfer:
                                              * Keep your system up to date with the latest security patches
                                              * Don't download untrusted .EXEs (no matter how horny you are)

                                              As a gallery hoster:
                                              * Blacklist the offending IP addresses from spidering your galleries

                                              As a gallery submission site:
                                              * Blacklist the submission of entries containing the offending domain names
                                              * Blacklist the submission of entries whose domain names resolve to
                                              offending IP addresses

                                              As a motivated onlooker:
                                              * Report URLs like this to StopBadware.org, then there's a good chance they
                                              will show up with a warning in Google search results like this one:

                                              http://www.google.com/search?hl=en&q...2705851%2F1%2F

                                              To find more galleries like this, the following Google search terms give
                                              pretty decent results: inurl:load=1 inurl:id +(site:.com OR site:.net)
                                              DiscountedPorn.Com
                                              ReviewedPorn.com
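An added example (my code, not Adam's or WildCash's) of the submission-side blocklisting described above, combined with the nameserver pivot from post #2: a submission is rejected if its domain is blocklisted, if it resolves to a blocked address, or if its nameservers include one seen on the known rehosting domains; expand_blocklist then grows the list the way a shared blacklist (post #17) would be fed. DNS answers are a constructed in-memory table so it runs offline: moviereality.com, its three nameservers and 209.51.138.181 come from the thread, rehost.example and clean-gallery.example are invented, and treating the IP as a /32 and the nameserver as a pivot are my assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed DNS answers so the check runs offline. moviereality.com, its
# three nameservers and 209.51.138.181 are from post #2; the *.example
# domains are invented for illustration.
FAKE_A_RECORDS = {
    "moviereality.com": ["209.51.138.181"],
    "rehost.example": ["209.51.138.190"],
    "clean-gallery.example": ["198.51.100.7"],
}
FAKE_NS_RECORDS = {
    "moviereality.com": {"ns2.teenprofiles.com", "ns1.moviereality.com", "ns2.videoscash.com"},
    "rehost.example": {"ns1.rehost.example", "ns2.videoscash.com"},
    "clean-gallery.example": {"ns1.clean-gallery.example", "ns2.clean-gallery.example"},
}

# Seed blocklist: the two domains named in the thread, the one IP named in
# post #2 (as a /32, an assumption), and the nameserver shared with videoscash.
BLOCKED_DOMAINS = {"porn-abc.com", "moviereality.com"}
BLOCKED_NETS = [ipaddress.ip_network("209.51.138.181/32")]
BLOCKED_NAMESERVERS = {"ns2.videoscash.com"}


def host_of(url):
    """Hostname of a submitted URL, lower-cased, without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_submission(url, a_records=FAKE_A_RECORDS, ns_records=FAKE_NS_RECORDS,
                     blocked_domains=BLOCKED_DOMAINS, blocked_nets=BLOCKED_NETS,
                     blocked_ns=BLOCKED_NAMESERVERS):
    """Reasons to reject a gallery submission; an empty list means accept."""
    host = host_of(url)
    reasons = []
    if host in blocked_domains:
        reasons.append("domain %s is blocklisted" % host)
    for ip in a_records.get(host, []):  # "resolves to an offending IP"
        if any(ipaddress.ip_address(ip) in net for net in blocked_nets):
            reasons.append("%s resolves to blocked address %s" % (host, ip))
    for ns in sorted(ns_records.get(host, set()) & blocked_ns):
        reasons.append("%s uses nameserver %s seen on rehosting domains" % (host, ns))
    return reasons


def pivot_on_nameservers(ns_records, blocked_ns):
    """Every domain in the NS table served by a blocklisted nameserver."""
    return sorted(d for d, servers in ns_records.items() if servers & blocked_ns)


def expand_blocklist(blocked_domains, a_records, ns_records, blocked_ns):
    """Grow the list: NS pivots plus the addresses the bad domains resolve to."""
    domains = set(blocked_domains) | set(pivot_on_nameservers(ns_records, blocked_ns))
    nets = {ipaddress.ip_network(ip + "/32") for d in domains for ip in a_records.get(d, [])}
    return domains, sorted(nets)


def shared_blocklist(domains, nets):
    """Plain-text lines another program could import (one entry per line)."""
    return ["domain %s" % d for d in sorted(domains)] + ["ip %s" % n for n in nets]


if __name__ == "__main__":
    domains, nets = expand_blocklist(BLOCKED_DOMAINS, FAKE_A_RECORDS, FAKE_NS_RECORDS, BLOCKED_NAMESERVERS)
    print("\n".join(shared_blocklist(domains, nets)))
    for url in ("http://www.porn-abc.com/ike/1666520193/1/", "http://rehost.example/g/1/",
                "http://clean-gallery.example/g/1/"):
        print(url, check_submission(url, blocked_domains=domains, blocked_nets=nets) or "ok")
```

The nameserver pivot is what catches rehost.example: its IP is not on the seed list and its name is unknown, but it sits behind ns2.videoscash.com like moviereality.com does. In production the two FAKE_ tables become real A and NS lookups, and resolution should be done with a short TTL cache rather than at submission time only, since these operators rotate domains and hosts as the post notes.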

                                              • aico
                                                Moo Moo Cow
                                                • Mar 2004
                                                • 14748

                                                #24
                                                Originally posted by Adam_WildCash
                                                After a deeper investigation we feel the need to clarify a few things...
                                                [...]
                                                Thanks for the update and actually taking the time to investigate the issue.

                                                • Quickdraw
                                                  Confirmed User
                                                  • Mar 2004
                                                  • 1717

                                                  #25
                                                  Great information Adam.
                                                  Now that you mention it, I do remember someone saying their galleries had been stolen and used like this.
                                                  Okay, found it. Gleem posted about it here and I even posted in the thread. :/ I should have remembered and mentioned it.
                                                  http://www.gfy.com/showthread.php?t=725401

                                                  Good on you guys for investigating further and posting the information here. Thanks
