    Typo Leads to Malware

    While trying to access Google today, I accidentally typed googlez.com and it led me to the following page:

    The page is almost blank save for an IP address centered at the top. I decided then to research further by deleting the last number and I stumbled upon goglez.com.

    This could happen to users anyway as typos are common when they are in a hurry. That typo brought me to a Web page offering free porn. I clicked the link and ended up here:

    This is a French Web site. Clicking anywhere on the page prompts users to download the file HotTv.exe to be able to watch porn for free:

    Once executed, the file HotTv.exe displays a EULA in French. It says that the Web site is hosted in Russia and that some information is being transferred from one’s machine to the site owners’ servers and vice versa for some updates.

    What the EULA does not say is that once a user agrees, a malicious file is dropped in C:\Documents and Settings\Administrateur\Local Settings\Application Data. The dropped file may have any of the following file names:

    • {random file name}.dat
    • {random file name}.exe
    • {random file name}_nav.dat
    • {random file name}_navps.dat

    Trend Micro detects these files, as well as HotTV.exe, as TROJ_AGENT.MP. We blogged about a spoofed Facebook site earlier this week, which interestingly had a misspelled URL. Users are advised to make sure that they key in the correct addresses when accessing Web sites. Our users are already protected by the Trend Micro Smart Protection Network.
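
The typo pattern described above (googlez.com and goglez.com in place of google.com) can be looked for in web proxy logs by measuring edit distance between requested hostnames and the domains users meant to reach. The following is an added example, not code from the original post or from Trend Micro; the watch list, the distance threshold, the log format and the sample log lines are all assumptions made for illustration.

```python
# Added example: flag hostnames that are near-miss spellings of watched domains.
# WATCHED, MAX_DISTANCE and the log format are assumptions, not from the post.
from urllib.parse import urlsplit

WATCHED = {"google.com", "facebook.com"}  # domains users intend to reach (assumed)
MAX_DISTANCE = 2                          # edits tolerated for a name to count as a typo

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours, e.g. "googel"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def host_of(url: str) -> str:
    """Lower-case hostname without a trailing dot or leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def near_misses(log_lines):
    """Return (client, host, intended_domain) for requests to look-alike hosts."""
    hits = []
    for line in log_lines:
        client, url = line.split()[:2]
        host = host_of(url)
        if not host or host in WATCHED:
            continue  # unparsable, or the genuine site
        for brand in sorted(WATCHED):
            if osa_distance(host, brand) <= MAX_DISTANCE:
                hits.append((client, host, brand))
                break
    return hits

# Constructed proxy log lines in the assumed format "<client> <url>"
SAMPLE_LOG = [
    "10.0.0.5 http://www.google.com/",
    "10.0.0.7 http://googlez.com/",
    "10.0.0.7 http://goglez.com/",
    "10.0.0.9 http://facezbook.com/login",
    "10.0.0.9 http://example.org/",
]
```

Calling `near_misses(SAMPLE_LOG)` returns the three look-alike requests and skips the genuine and unrelated hosts. With very short watched domains a threshold of 2 matches many legitimate names, so the threshold should scale with domain length.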




