Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    While trying to access Google today, I accidentally typed and it led me to the following page:

    The page is almost blank save for an IP address centered at the top. I decided then to research further by deleting the last number and I stumbled upon

    This could happen to users anyway as typos are common when they are in a hurry. That typo brought me to a Web page offering free porn. I clicked the link and ended up here:

    This is a French Web site. Clicking anywhere on the page prompts users to download the file HotTv.exe to be able to watch porn for free:

    Once executed, the file HotTv.exe displays a EULA in French. It says that the Web site is hosted in Russia and that some information are being transfered from one’s machine to the site owners’ servers and vice versa for some updates.

    But what this EULA is not saying is that once a user agrees, a malicious file is dropped in C:Documents and SettingsAdministrateurLocal SettingsApplication Data. The dropped file may have the following file names:

    • {random file name}.dat
    • {random file name}.exe
    • {random file name}_nav.dat
    • {random file name}_navps.dat

    Trend Micro detects these files, as well as HotTV.exe, as TROJ_AGENT.MP. We blogged about a spoofed Facebook site earlier this week, which interestingly had a misspelled URL. Users are advised to make sure that they key in the correct addresses when accessing Web sites. Our users are already protected by the Trend Micro Smart Protection Network.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice