I was just looking for Google Images of an American actor from a TV series. Then my browser was trapped, as one of the Google Image results led it to:
http://www.google.fr/imgres?imgurl=http://www.celebritylatest.com/wp-content/uploads/premieres/marg_helgenberger_mr_brooks_premiere_3.jpg&imgrefurl=http://www.mainstream.fr/img/-%%%%%-dating.html&usg=__grAZHQrnfxcFdhmvNprdLlOKD70=&h=808&w=1000&sz=70&hl=fr&start=17&sig2=jTOL3-NJ0X06PCeKxHJQ0Q&zoom=1&tbnid=SBAcGCvMS_01OM:&tbnh=120&tbnw=149&ei=KJXZTYXXMoub-gbgwuHGAQ&prev=/search%3Fq%3D
and celebritylatest.com has most likely been hacked. Therefore, my browser went to: http://bervert. osa.pl/2.php
I came to that link:
First, there is a nice warning telling me my computer was at risk of being infected by malware...
Then, whatever I do, my browser will be sent to this webpage:
There is also another URL that does the same:
Now, obviously, if I click on the "remove all" button (which I do NOT recommend you do), an exe file shows up as a download... how interesting!
Here is the real URL of the website hosting the file:
http://www2.save-mastermme .byinter.net/qjsh106_328.php?kan9=j87XprDK182Q0ofo3cmvoJ%2BdkdHXnbCUnMaPz9OwxLi5k9nYqJKeb5nQ6aKk45iZ1s7Wqs%2FErsngqODGnNCc2szlscfs4tLd0tGUnNaevLdT1tGwrJegn6CcmZKlbKGSroug4cLn6divk%2BTOz56mcKaH6tmZqpWkpJqmnp%2BW0JenX%2BfUs5ZgnZekpJmkoKSLz9DbmtzPs9yk5JSh58bo0s%2FN18XTn9jP6cpb2ZProsrnk%2BXWz8bPdubU386Q1dKZ5srYqtXZ39GTbLSGqKtSn6fV2dfo0t%2FZmdDhmqHR4opfs5Oh5M3ik%2BDazaTbnbDU29ORs8rf2Yk%3D
What does VT say about this sample? Well... only 10 out of 43 engines detect it :( and Kaspersky Security Network did not help.
Antivirus | Version | Last update | Result |
---|---|---|---|
AhnLab-V3 | 2011.05.23.00 | 2011.05.22 | - |
AntiVir | 7.11.8.93 | 2011.05.22 | TR/Dropper.Gen2 |
Antiy-AVL | 2.0.3.7 | 2011.05.22 | - |
Avast | 4.8.1351.0 | 2011.05.22 | Win32:Delf-PIK |
Avast5 | 5.0.677.0 | 2011.05.22 | Win32:Delf-PIK |
AVG | 10.0.0.1190 | 2011.05.22 | - |
BitDefender | 7.2 | 2011.05.22 | - |
CAT-QuickHeal | 11.00 | 2011.05.22 | - |
ClamAV | 0.97.0.0 | 2011.05.22 | - |
Commtouch | 5.3.2.6 | 2011.05.22 | - |
Comodo | 8797 | 2011.05.22 | - |
DrWeb | 5.0.2.03300 | 2011.05.23 | - |
Emsisoft | 5.1.0.5 | 2011.05.22 | Trojan-Dropper.Gen2!IK |
eSafe | 7.0.17.0 | 2011.05.22 | - |
eTrust-Vet | 36.1.8339 | 2011.05.20 | - |
F-Prot | 4.6.2.117 | 2011.05.22 | - |
F-Secure | 9.0.16440.0 | 2011.05.22 | Rogue:W32/FakeAv.BI |
Fortinet | 4.2.257.0 | 2011.05.22 | W32/Injector.fam!tr |
GData | 22 | 2011.05.23 | Win32:Delf-PIK |
Ikarus | T3.1.1.104.0 | 2011.05.22 | Trojan-Dropper.Gen2 |
Jiangmin | 13.0.900 | 2011.05.22 | - |
K7AntiVirus | 9.103.4693 | 2011.05.20 | - |
Kaspersky | 9.0.0.837 | 2011.05.22 | - |
McAfee | 5.400.0.1158 | 2011.05.23 | - |
McAfee-GW-Edition | 2010.1D | 2011.05.22 | - |
Microsoft | 1.6903 | 2011.05.22 | - |
NOD32 | 6142 | 2011.05.22 | Win32/TrojanDownloader.FakeAlert.BHH |
Norman | 6.07.07 | 2011.05.22 | - |
nProtect | 2011-05-22.01 | 2011.05.22 | - |
Panda | 10.0.3.5 | 2011.05.22 | Suspicious file |
PCTools | 7.0.3.5 | 2011.05.19 | - |
Prevx | 3.0 | 2011.05.23 | - |
Rising | 23.58.06.03 | 2011.05.22 | - |
Sophos | 4.65.0 | 2011.05.22 | - |
SUPERAntiSpyware | 4.40.0.1006 | 2011.05.23 | - |
Symantec | 20111.1.0.186 | 2011.05.23 | - |
TheHacker | 6.7.0.1.202 | 2011.05.20 | - |
TrendMicro | 9.200.0.1012 | 2011.05.22 | - |
TrendMicro-HouseCall | 9.200.0.1012 | 2011.05.23 | - |
VBA32 | 3.12.16.0 | 2011.05.20 | - |
VIPRE | 9359 | 2011.05.22 | - |
ViRobot | 2011.5.21.4472 | 2011.05.22 | - |
VirusBuster | 13.6.367.0 | 2011.05.22 | - |
MD5: 6075aad44942356f46c5f33be00f7726
SHA1: 905329745352f85fd20901491ea9aacdacc790d0
SHA256: e8f307051d84cfc90e5d7a7973a5b9a503136771bee9137325719b840ad28ee0
File size: 302080 bytes
Scan date: 2011-05-22 22:40:47 (UTC)
More to come (my cat reminds me time's up :) )
Update 1 (24 hours later):
Chromium does alert when trying to access the URL:
Update 2 (48 hours later):
Only 2 URL scanners detect the URL, according to VT:
http://www.virustotal.com/url-scan/report.html?id=8a27b11a8ec194015b0bd305ca94b5b9-1306353987
URL Analysis tool | Result |
---|---|
Avira | Clean site |
BitDefender | Malware site |
Dr.Web | Error |
Firefox | Clean site |
G-Data | Malware site |
Google Safebrowsing | Clean site |
Malc0de Database | Clean site |
MalwareDomainList | Clean site |
Opera | Clean site |
ParetoLogic | Error |
Phishtank | Clean site |
TrendMicro | Clean site |
Websense ThreatSeeker | Clean site |
Wepawet | Unrated site |
Normalized URL: http://www1.smartyauscanner.co. cc/6zf9gss?jtkay6=jt3j2t6hsNrF1uzyw5vozMWroZeqkOTUxbZpmc7D1Oa2sci6ic3hq5aioZra1Lat6aSH1N3dntfSps
URL MD5: 8a27b11a8ec194015b0bd305ca94b5b9
And while browsing my disk drive, Kaspersky antivirus did pop up a warning regarding the file that had been downloaded after the "fake antivirus scan":
KAV did not alert by itself; I had to access the folder where the formerly undetected file is.
This proves again that it is strongly recommended to let the antivirus software do a full system scan on a regular basis (at least every week, or more often if you have any doubt).