Old 04-30-2007, 08:43 AM   #1
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
Download this Codec(Virus)

Here is a gallery that is promoting Wildcash with the Moviebox/zlob trojan

porn-abc.com/ike/1666520193/1/
contains a javascript file here
porn-abc.com/js/cchrslib_t_1000.js
which contains this download on a domain registered a few days ago. This/these gallery(s) used to link to a different domain, so I assume they are trying to stay ahead of the scanners.
use-play.com/download/use-play1000.exe

Their link to Wildcash is
wildpornreviews.com/mov/fromasstomouth.com/2/005/MTA1ODAxOjU6MTY
which makes their wildcash id 105801

Download this stuff and see how your surfers just won't make it anywhere that will make you money.
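Added example (not part of Quickdraw's post): the last path segment of the Wildcash link above is unpadded base64, and decoding it gives the affiliate id quoted in the post. The function name is hypothetical, and what the fields after the first one mean is not stated in the thread.

```python
import base64
import binascii
from urllib.parse import urlsplit

def decode_tracking_token(url):
    """Return the colon-separated fields in the last path segment, or None."""
    path = urlsplit(url if "://" in url else "//" + url).path
    token = path.rstrip("/").rsplit("/", 1)[-1]
    padded = token + "=" * (-len(token) % 4)  # the link omits '=' padding
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # segment is not a base64 token
    fields = text.split(":")
    # Only accept tokens whose first field looks like a numeric account id.
    return fields if fields[0].isdigit() else None

if __name__ == "__main__":
    link = "wildpornreviews.com/mov/fromasstomouth.com/2/005/MTA1ODAxOjU6MTY"
    print(decode_tracking_token(link))
```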
Old 04-30-2007, 09:12 AM   #2
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
This is Videoscash work, and it is stealing from you in a big way.
Here is another domain spreading this crap with more domains in the background.
Pagerank of 6
moviereality.com on ip 209.51.138.181, which contains 3 nameservers:
ns2.teenprofiles.com
ns1.moviereality.com
ns2.videoscash.com
Old 04-30-2007, 09:29 AM   #3
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
Here is a link to another GFY thread that details just a small portion of what this malware does.
https://gfy.com/fucking-around-and-business-discussion/720781-spyware-killing-industry-proof-inside-thread-video.html
Old 04-30-2007, 09:43 AM   #4
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
Did you know that Videoscash changes the binaries on these trojans which puts them 1 step ahead of the av companies?
Once a surfer is infected with this lureware, you have NO chance of making money with that surfer until they get 'cleaned'/reformatted.
Old 04-30-2007, 09:48 AM   #5
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
Why do you think this trojan scans the surfer's computer for recent visits to adult webmaster boards?
http://www.sophos.com/security/analyses/trojzlobpe.html
Old 04-30-2007, 09:54 AM   #6
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
When link is followed …
• Runs Malicious JavaScript (Troj/Pysme-DL)
• Exploits IE Vulnerability
• Downloads Troj/Dropper-MH
• Drops Troj/Bckdr-PPY used to ‘hide’ processes
• Also drops Troj/Proxy-EN which tells the backdoor what to hide
• Once installed, cannot be “seen”
• Main purpose – Troj/Proxy-EN used to ‘relay’ spam
Read more in this PDF by Sophos--
http://icsecurity.di.uniroma1.it/sto...rrisSophos.pdf

Doesn't appear people here care too much, but if you do, check your trades/links.
Your income depends on it.
Old 04-30-2007, 09:58 AM   #7
martinsc
Too lazy to set a custom title
 
Industry Role:
Join Date: Jun 2005
Location: 127.0.0.1
Posts: 27,047
.....
__________________
Make Money
Old 04-30-2007, 11:26 AM   #8
Swish
Confirmed User
 
Join Date: Mar 2006
Location: San Diego, CA
Posts: 1,421
Lame....
__________________


Naughty America - Director of Technology
It's a CELEBRATION bitches!! For the hottest content promote Naughty America!
swish at naughtyamerica dot com | ICQ: 226 737 620 | See Who I Am At AdultWhosWho.com!
Old 04-30-2007, 11:27 AM   #9
shoeaholicanon
Confirmed User
 
Join Date: Feb 2007
Posts: 1,003
**bump**
Old 05-01-2007, 04:59 PM   #10
Adam_M
Confirmed User
 
Industry Role:
Join Date: Mar 2006
Location: Australia
Posts: 3,800
BE WARNED

If you are using adware in ANY promotion of our programs your account will be banned!

The account mentioned above has been removed.

Adam
Old 05-01-2007, 05:04 PM   #11
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
Quote:
Originally Posted by Adam_WildCash View Post
BE WARNED

If you are using adware in ANY promotion of our programs your account will be banned!

The account mentioned above has been removed.

Adam
Awesome!!
Old 05-01-2007, 05:07 PM   #12
toddy1999
Confirmed User
 
Join Date: Feb 2006
Posts: 5,122
Quote:
Originally Posted by Adam_WildCash View Post
BE WARNED

If you are using adware in ANY promotion of our programs your account will be banned!

The account mentioned above has been removed.

Adam
Old 05-01-2007, 05:07 PM   #13
NTSS
Confirmed User
 
Join Date: Mar 2005
Location: Da Hood
Posts: 5,688
Fucking scumbags man! This type of shit pisses me off. I guess the only thing that can be done is to out them to the related sponsor and hope they get removed.

Good work Quickdraw...way to go Adam
__________________
ICQ: 150-803-430
Email: marketing7(at)cox(dot)net
Old 05-01-2007, 05:14 PM   #14
aico
Moo Moo Cow
 
Join Date: Mar 2004
Location: Washington State
Posts: 14,748
Won't happen of course, but it would be nice if programs not only closed the accounts (well done Wild Cash), but make it known who the offending affiliate is so other programs can do the same. Because I am sure this guy/gal will just move on to the next one, and next one, and next one...
Old 05-01-2007, 05:21 PM   #15
toddy1999
Confirmed User
 
Join Date: Feb 2006
Posts: 5,122
Quote:
Originally Posted by aico View Post
Won't happen of course, but it would be nice if programs not only closed the accounts (well done Wild Cash), but make it known who the offending affiliate is so other programs can do the same. Because I am sure this guy/gal will just move on to the next one, and next one, and next one...
Absolutely right. But what can we do? I would say big nothing
Old 05-01-2007, 09:43 PM   #16
martinsc
Too lazy to set a custom title
 
Industry Role:
Join Date: Jun 2005
Location: 127.0.0.1
Posts: 27,047
Quote:
Originally Posted by Adam_WildCash View Post
BE WARNED

If you are using adware in ANY promotion of our programs your account will be banned!

The account mentioned above has been removed.

Adam
__________________
Make Money
Old 05-01-2007, 11:02 PM   #17
Zoose
Confirmed User
 
Join Date: Aug 2006
Posts: 268
Quote:
Originally Posted by toddy1999 View Post
Absolutely right. But what can we do? I would say big nothing
I don't see why not, a shared blacklist would not be hard to accomplish. A lot of the big linklists have been doing it for years - http://bl.usefulscripts.com
Old 05-01-2007, 11:10 PM   #18
Gabriel Night
Confirmed User
 
Join Date: Mar 2007
Posts: 602
Quote:
Originally Posted by Adam_WildCash View Post
BE WARNED

If you are using adware in ANY promotion of our programs your account will be banned!

The account mentioned above has been removed.

Adam
__________________
Call me Cedric
GNC DNS
Best BDSM sponsor ever Kinky Dollars
Old 05-01-2007, 11:33 PM   #19
[ Nate ]
Confirmed User
 
Industry Role:
Join Date: Mar 2007
Location: Asia
Posts: 1,468
That zlob trojan is a muther to get out. I had to deal with that about a week ago!!!!!
__________________
Ladyboy Inc. / Asian Money Machine
Old 05-02-2007, 01:49 AM   #20
garce
Confirmed User
 
Industry Role:
Join Date: Oct 2001
Location: Toronto
Posts: 7,103
Quote:
Originally Posted by Gabriel Night View Post
You've posted the same thing 472 times in a month. Hurray! Thanks for contributing.
Old 05-02-2007, 02:19 AM   #21
u-Bob
there's no $$$ in porn
 
Industry Role:
Join Date: Jul 2005
Location: icq: 195./568.-230 (btw: not getting offline msgs)
Posts: 33,063
porn-abc.com = registered @ ESTdomains (no surprise there).
porn-abc.com = hosted @ cernel.net (no surprise there).

Wherever there's a trojan, you can find EST domains, EST host, cernel, intercage, inhoster or attrivo.
Old 05-02-2007, 02:40 AM   #22
toddy1999
Confirmed User
 
Join Date: Feb 2006
Posts: 5,122
Quote:
Originally Posted by [ Nate ] View Post
That zlob trojan is a muther to get out. I had to deal with that about a week ago!!!!!
Heh, yeah, pain in the ass. I had that shit too. Very nasty
Old 05-02-2007, 09:01 PM   #23
Adam_M
Confirmed User
 
Industry Role:
Join Date: Mar 2006
Location: Australia
Posts: 3,800
After a deeper investigation we feel the need to clarify a few things..

First of all, about the WildCash affiliate mentioned in this thread: It is
entirely possible and likely that he has absolutely no knowledge of the
MovieBox trojan or porn-abc.com.

porn-abc.com is a completely independent domain.

We investigate all these matters very seriously, and although this stuff has
nothing to do with Wildcash at all we're reporting what we've found to the
community.

The following we know to be 100% certain:

An independent malicious party is downloading gallery pages from the web and
re-hosting them on their own servers with the videos removed and links to a
fake-codec (MovieBox trojan) inserted.

As QuickDraw mentioned, there is also JavaScript added to the page that
attempts to install the malware automatically. If the surfer's browser does
not allow this automatic installation there is still a chance the surfer, in
all his horniness, will download and install the fake codec manually.

They are hosting these spidered galleries on at least 233 domains spread
across at least 56 IP addresses.
All the domains are registered through ESTDOMAINS.
All the hosting is at CERNEL and INTERCAGE (55 IPs at CERNEL; 1 IP at
INTERCAGE).

It is important to note that galleries from many programs and many different
affiliates have been downloaded and re-hosted by these guys, and that in
almost all cases it's entirely likely the affiliate and program have no
knowledge of this.

Ok, that's great, so what can we do?

As a surfer:
* Keep your system up to date with the latest security patches
* Don't download untrusted .EXE's (no matter how horny you are)

As a gallery hoster:
* Blacklist the offending IP addresses from spidering your galleries

As a gallery submission site:
* Blacklist the submission of entries containing the offending domain names
* Blacklist the submission of entries whose domain names resolve to
offending IP addresses

As a motivated onlooker:
* Report URLs like this to StopBadware.org, then there's a good chance they
will show up with a warning in Google search results like this one:

http://www.google.com/search?hl=en&q...2705851%2F1%2F

To find more galleries like this, the following Google search terms give
pretty decent results: inurl:load=1 inurl:id +(site:.com OR site:.net)
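Added example (not part of Adam's post, and not code from WildCash or any gallery script): one way a gallery submission site could apply both rules from the post above, rejecting a listed domain name and also any name that resolves to a listed IP address, which is what still catches a freshly registered domain on the same hosting. The blocklist entries, DNS answers and function names are constructed placeholders; the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed placeholders (reserved .test names, RFC 5737 ranges),
# not indicators taken from the thread.
BLOCKED_DOMAINS = {"bad-gallery.test"}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def system_resolver(host):
    """Every address the local resolver returns for host (empty on failure)."""
    try:
        return {i[4][0].split("%")[0] for i in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def check_submission(url, resolve=system_resolver):
    """Return (accepted, reason) for one submitted gallery URL."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no hostname"
    # Rule 1: the host or any parent domain is on the domain list.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return False, "blocked domain"
    # Rule 2: a new name that still resolves into listed address space.
    addrs = resolve(host)
    if not addrs:
        return False, "unresolvable"  # fail closed: nothing to vet
    for addr in sorted(addrs):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in BLOCKED_NETS):
            return False, "blocked ip " + addr
    return True, "ok"

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "cdn.bad-gallery.test": ["198.51.100.5"],
    "new-name.test": ["198.51.100.9", "203.0.113.77"],
    "good-gallery.test": ["198.51.100.10"],
}

def fake_resolve(host):
    return set(FAKE_DNS.get(host, ()))

if __name__ == "__main__":
    for u in ("http://cdn.bad-gallery.test/g/1/", "new-name.test/g/2/",
              "https://good-gallery.test/g/3/", "gone.test/g/4/"):
        print(u, check_submission(u, fake_resolve))
```

Re-running the same check on already accepted entries matters as much as checking at submission time, since a name can be repointed to listed hosting after it has been approved.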
Old 05-02-2007, 09:04 PM   #24
aico
Moo Moo Cow
 
Join Date: Mar 2004
Location: Washington State
Posts: 14,748
Quote:
Originally Posted by Adam_WildCash View Post
After a deeper investigation we feel the need to clarify a few things..

First of all, about the WildCash affiliate mentioned in this thread: It is
entirely possible and likely that he has absolutely no knowledge of the
MovieBox trojan or porn-abc.com.

porn-abc.com is a completely independent domain.

We investigate all these matters very seriously, and although this stuff has
nothing to do with Wildcash at all we're reporting what we've found to the
community.

The following we know to be 100% certain:

An independent malicious party is downloading gallery pages from the web and
re-hosting them on their own servers with the videos removed and links to a
fake-codec (MovieBox trojan) inserted.

As QuickDraw mentioned, there is also JavaScript added to the page that
attempts to install the malware automatically. If the surfer's browser does
not allow this automatic installation there is still a chance the surfer, in
all his horniness, will download and install the fake codec manually.

They are hosting these spidered galleries on at least 233 domains spread
across at least 56 IP addresses.
All the domains are registered through ESTDOMAINS.
All the hosting is at CERNEL and INTERCAGE (55 IPs at CERNEL; 1 IP at
INTERCAGE).

It is important to note that galleries from many programs and many different
affiliates have been downloaded and re-hosted by these guys, and that in
almost all cases it's entirely likely the affiliate and program have no
knowledge of this.

Ok, that's great, so what can we do?

As a surfer:
* Keep your system up to date with the latest security patches
* Don't download untrusted .EXE's (no matter how horny you are)

As a gallery hoster:
* Blacklist the offending IP addresses from spidering your galleries

As a gallery submission site:
* Blacklist the submission of entries containing the offending domain names
* Blacklist the submission of entries whose domain names resolve to
offending IP addresses

As a motivated onlooker:
* Report URLs like this to StopBadware.org, then there's a good chance they
will show up with a warning in Google search results like this one:

http://www.google.com/search?hl=en&q...2705851%2F1%2F

To find more galleries like this, the following Google search terms give
pretty decent results: inurl:load=1 inurl:id +(site:.com OR site:.net)
Thanks for the update and actually taking the time to investigate the issue.
Old 05-03-2007, 07:20 AM   #25
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
Great information Adam.
Now that you mention it, I do remember someone saying their galleries had been stolen and used like this.
Okay, found it. Gleem posted about it here and I even posted in the thread. :/ I should have remembered and mentioned it.
https://gfy.com/fucking-around-and-business-discussion/725401-guy-stealing-galleries-using-install-viruses-look.html

Good on you guys for investigating further and posting the information here. Thanks