Sunday, March 8, 2009

Web Poisoning: Youtube video lead to Rogue Antispyware - Antivirus360

At the end of 2008 more than 1000 videos promoting Antivirus360 were uploaded to YouTube
by the user accounts below (the number after each account is its video count):

AntiVirusOnlyOk - 32
AntiVirusSpywareMalw - 2
AtackOfVirusStop - 32
AtolkaProgs - 19
AtolProgrammer - 21
LortFastSpyware - 30
LostprogramsCheck - 20
MalwareAtackNoForeve - 32
MalwareSopsCode - 29
OkLastOneTr - 31
OkThisJustAnti - 33
OnlineTutorialsOp - 32
OpStopAnti - 29
OrtorStopMalware - 34
PortSaleFirm - 21
Progsdfgdfgdfg
ProgsNowBest - 22
ProgsOnOk - 23
ProgramsCheck - 23
ProgramsCheckdfg - 20
ProgramsCheckugdf - 22
ProgramsChecker - 21
ProgramsOnlineCheck - 22
ProgramsOnsdgfsdf - 21
ProgramsOkeys - 25
ProgramsQuick - 25
ProgrEssKom - 23
ProgrmmerStop - 25
ShopVirusStoper - 33
SpywareWarOnly - 27
StartAntiSpyware - 35
StockPrograms - 23
TutorialsOkOn - 30
TutorialsAntiVirus - 35
VirusAtackersStop - 36
VirusRemovalOk - 36

http://www.youtube. [BLOCKED]com/watch?v=VKnu5uE-SG4
http://www.youtube. [BLOCKED]com/watch?v=dj-2ECUm-jM
http://www.youtube. [BLOCKED]com/watch?v=SzDjTgcx9Ro
http://www.youtube. [BLOCKED]com/watch?v=zOOjqZzvn4w

Each video asks the viewer to visit the site antiviruson [BLOCKED].com and download a file
(detected as a Fake-AV variant, InternetAntivirus or Antivirus360) after showing a bogus
report of suspicious files found on the viewer's computer.

The first site, antiviruson [BLOCKED].com, contains JavaScript that redirects the visitor to another site:

top.location = 'hxxp://whreismyplugnplay [BLOCKED].cn/soft.php?aid=0817&d=1&refer=69edbfbf4'
w.resizeTo(x * 10, x * 11 - 7)
window.attachEvent('onunload', ext);

A redirection to: whreismyplugnplay [BLOCKED].cn (78.47.91. [BLOCKED]153)

hxxp://whreismyplugnplay [BLOCKED].cn/soft.php?aid=0817&d=1&refer=69edbfbf4

(Status-Line): HTTP/1.1 302 Found
Date: Sun, 08 Mar 2009 08:48:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Set-Cookie: soft=1; expires=Mon, 09-Mar-2009 08:48:07 GMT
Location: hxxp://fastantimalwarescan [BLOCKED].com/promo/1/freescan.php?nu=880817&back=%3DDQw4jj1NAMMMI%3DO
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


Finally: hxxp://fastantimalwarescan [BLOCKED].com/promo/1/freescan.php?nu=880817&back=%3DDQw4jj1NAMMMI%3DO

IP: 83.133.123 [BLOCKED].174

(Status-Line): HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Powered-By: PHP/5.2.8
Content-type: text/html
Date: Sun, 08 Mar 2009 08:48:07 GMT
Server: lighttpd

Several pop-up messages then appear:

Your computer remains infected by threats!
They can cause data loss and file damages and need to be cured as soon as possible.
Return to Antivirus 360 and download it secure to your PC

Warning!!!

Your computer contains various signs of viruses and malware programs presence.
Your system requires immediate anti viruses check!
Antivirus 360 will perform a quick and free scanning of your PC for viruses and malicious programs.

Harmful and malicious software detected. These programs may damage your computer and steal your private information. Online Security Scanner requires Antivirus 360 components to repair your computer. Please click OK to download and install Antivirus 360 components.

Through JavaScript, every click on the page, and any attempt to leave it by clicking the
browser's close button, triggers a download of the file.
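The three hops above (JavaScript top.location on the landing page, an HTTP 302 with a cookie, then the scanner page with its click/unload nag handlers) are the kind of thing worth reconstructing mechanically from a capture rather than by eye. The script below is an added example, not code from the original post: the three captures are constructed from the headers and the JavaScript fragment quoted above, hosts stay defanged (hxxp://, [BLOCKED]) exactly as on the page so nothing is resolved or contacted, and the final page's handler script is a mock-up of the behaviour the post describes, not the real page source.

```python
"""Reconstruct a FakeAV redirect chain from captured HTTP responses.

Added example for this write-up, not code from the original post.  The
captures below are constructed from the headers and JavaScript quoted in
the post; the final page's click/unload handlers are a mock-up of the
described behaviour.  Hosts are left defanged, so nothing here connects out.
"""
import re
from dataclasses import dataclass
from typing import Optional

# JavaScript-driven navigation such as  top.location = '...'  or  window.location.href = '...'
JS_LOCATION = re.compile(
    r"""\b(?:top|window|self|parent)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")
# Handlers that fire when the visitor tries to leave: old IE attachEvent form,
# DOM addEventListener form, or a bare onunload= property.
UNLOAD_HOOK = re.compile(
    r"""attachEvent\(\s*['"]onunload['"]|addEventListener\(\s*['"](?:before)?unload['"]|\bonunload\s*=""")
CLICK_HOOK = re.compile(
    r"""attachEvent\(\s*['"]onclick['"]|addEventListener\(\s*['"]click['"]|\bonclick\s*=""")

CAPTURES = [
    # hop 0: the antiviruson landing page carrying the redirect script (constructed)
    "HTTP/1.1 200 OK\nContent-Type: text/html\n\n"
    "<html><script>\n"
    "top.location = 'hxxp://whreismyplugnplay [BLOCKED].cn/soft.php?aid=0817&d=1&refer=69edbfbf4'\n"
    "w.resizeTo(x * 10, x * 11 - 7)\n"
    "window.attachEvent('onunload', ext);\n"
    "</script></html>",
    # hop 1: the 302 from whreismyplugnplay, headers as shown in the post
    "HTTP/1.1 302 Found\n"
    "Date: Sun, 08 Mar 2009 08:48:07 GMT\n"
    "Server: Apache\n"
    "X-Powered-By: PHP/5.2.8\n"
    "Set-Cookie: soft=1; expires=Mon, 09-Mar-2009 08:48:07 GMT\n"
    "Location: hxxp://fastantimalwarescan [BLOCKED].com/promo/1/freescan.php?nu=880817&back=%3DDQw4jj1NAMMMI%3DO\n"
    "Connection: Keep-Alive\n"
    "Content-Type: text/html\n\n",
    # hop 2: the fake scanner page; the script body is a constructed mock-up
    "HTTP/1.1 200 OK\nX-Powered-By: PHP/5.2.8\nContent-type: text/html\nServer: lighttpd\n\n"
    "<html><script>\n"
    "function grab() { window.open('InstallAVg_880817.exe'); }\n"
    "document.onclick = grab;\n"
    "window.attachEvent('onunload', grab);\n"
    "</script></html>",
]


@dataclass
class Hop:
    status: int
    server: str
    cookies: list
    next_url: Optional[str]
    via: Optional[str]        # "http-3xx" or "js-location"
    unload_hooks: int
    click_hooks: int


def parse_response(raw: str):
    """Split a raw HTTP response into (status, headers, body).
    Header names are lower-cased; repeated headers keep every value."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def analyze_hop(raw: str) -> Hop:
    """Decide how this response moves the visitor on, and what nag handlers it plants."""
    status, headers, body = parse_response(raw)
    next_url = via = None
    if 300 <= status < 400 and "location" in headers:
        next_url, via = headers["location"][0], "http-3xx"
    else:
        m = JS_LOCATION.search(body)
        if m:
            next_url, via = m.group(1), "js-location"
    cookies = [c.split(";", 1)[0].strip() for c in headers.get("set-cookie", [])]
    return Hop(status, headers.get("server", ["?"])[0], cookies, next_url, via,
               len(UNLOAD_HOOK.findall(body)), len(CLICK_HOOK.findall(body)))


def reconstruct_chain(captures) -> list:
    return [analyze_hop(c) for c in captures]


def describe(hops) -> list:
    """One line per hop, the way it would go into an analysis note."""
    out = []
    for i, h in enumerate(hops):
        step = f"hop {i}: {h.status} ({h.server})"
        if h.next_url:
            step += f" -> {h.via} -> {h.next_url}"
        if h.cookies:
            step += f" [sets {', '.join(h.cookies)}]"
        if h.unload_hooks or h.click_hooks:
            step += f" [nag handlers: unload={h.unload_hooks}, click={h.click_hooks}]"
        out.append(step)
    return out


if __name__ == "__main__":
    print("\n".join(describe(reconstruct_chain(CAPTURES))))
```

The point of keeping JavaScript navigation and HTTP 3xx as separate `via` values is that a proxy log only shows the second kind; the first hop here leaves no redirect in the headers at all, so a capture of the page body is needed to see where the chain really starts. The cookie set on hop 1 (soft=1) is also worth recording, since affiliate-driven FakeAV sites commonly use it to vary what a returning visitor is served.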

VirusTotal report:

MD5: b91cec2f638b9d2c7df22d70277f3938
SHA1: 15b3eb6ad8e63d7d505e033a16c43c0445bfc1ef
SHA256: eac2c976243dc876716d9386b0ca4f9a2a2295a4480e3e1a29bf837d787c8bb6
SHA512: b93369ee9acecd1e2dd49fd345e1269c214c293f4b5bd8f43d0df8079d4770fcab9f4c7389e96ac4b380af30e6c8aa2df5483743e57ae6d33962e2e0828382cb
First received: 03.07.2009 18:22:00 (CET)
Date: 03.08.2009 08:38:23 (CET) [<1D]
Results: 5/39 (12.83%)

Permalink: http://www.virustotal.com/analisis/f0077d5adb9e9857206b393f0a5bd48b

Filesize: 172,032 bytes

Sample

InstallAVg_880817.exe

Observed behaviour after running this file:
Attempts to use BITS (Background Intelligent Transfer Service).
Some threats are known to use BITS to evade firewall filtering
and download files without firewall inspection.

Downloads or requests other files from the Internet:

************
update.microsoft.com 65.55.13.158:80

Request: GET /windowsupdate/v6/thanks.aspx
Response: 200 "OK"

A hit to the thanks page of the Microsoft Windows Update site
************
securedupdateslive [BLOCKED].cn 78.47.91. [BLOCKED]153

Request: GET /order_xp.php?ver=1
Response: 200 "OK"

A hit to the Antivirus360 purchase page
************
proupdatessoftware [BLOCKED].com 89.149.208. [BLOCKED]212

Request: GET /download/security.bmp
Response: 200 "OK"

An image error file


Aliases: InternetAntivirus, Antivirus360, Antivirus2009, XpPoliceAntivirus,
RogueAntiSpyware.AntiVirusPro, Downloader.MisleadApp, Trojan.Win32.FakeXPA

Trojan.Win32.FakeXPA [Ikarus] is known to be created as:
%System%\xppolice.exe

Trojan.Win32.FakeXPA [Ikarus] has the following possible countries of origin:

Russian Federation
Ukraine

*************************

A common template in the FakeAV family, with the same title, "My computer Online Scan".

Sample

The fake scanner displays file names belonging to well-known applications such as Microsoft
Windows Media Player and to the Microsoft Windows operating system (XP and XP SP2).

The file list below is displayed in a loop:

winnt$.inf,12520437.cpx,12520850.cpx,6to4svc.dll,aaaamon.dll,aaclient.dll,
AboutRepliGo.dll,ac3acm.acm,access.cpl,acctres.dll,accwiz.exe,acelpdec.ax,
acledit.dll,aclui.dll,activeds.dll,activeds.tlb,actmovie.exe,actxprxy.dll,ADME.DLL,
admparse.dll,admwprox.dll,admxprox.dll,adptif.dll,adsiis.dll,adsldp.dll,adsldpc.dll,
adsmsext.dll,adsnds.dll,adsnt.dll,adsnw.dll,advapi32.dll,advpack.dll,agas.dll,
ahui.exe,alg.exe,alrsvc.dll,amcompat.tlb,amstream.dll,ansi.sys,apcups.dll,
append.exe,apphelp.dll,appmgmts.dll,appmgr.dll,appwiz.cpl,ArmAccess.dll,
arp.exe,asctrls.ocx,asferror.dll,asfsipc.dll,asr_fmt.exe,asr_ldm.exe,asr_pfu.exe,
asycfilt.dll,at.exe,AtalaImg2.dll,AtalaIS.dll,AtalCtrl.ocx,athprxy.dll,ati2cqag.dll,
ati2dvag.dll,ati2edxx.dll,ati2evxx.dll,ati2evxx.exe,Ati2mdxx.exe,ati2sgag.exe,
ati3duag.dll,ATIDDC.DLL,ATIDEMGR.dll,ATIDEMGX.dll,atifglpf.xml,atiicdxx.dat,
atiiiexx.dll,atikvmag.dll,atioglx1.dll,atioglx2.dll,atioglxx.dll,atiok3x2.dll,atipdlxx.dll,
atitvo32.dll,ativcoxx.dll,ativva5x.dat,ativva6x.dat,ativvaxx.dat,ativvaxx.dll,
atkctrs.dll,atl.dll,atl71.dll,AtlColor.ocx,atmadm.exe,atmfd.dll,atmlib.dll,
atmpvcno.dll,atrace.dll,attrib.exe,Audiodev.dll,audiosrv.dll,auditusr.exe,
authz.dll,autochk.exe,autoconv.exe,autodisc.dll,AUTOEXEC.NT,autofmt.exe,
autolfn.exe,avicap.dll,avicap32.dll,avifil32.dll,avifile.dll,avmeter.dll,avtapi.dll,
avwav.dll,basesrv.dll,bass.dll,BASSMOD.dll,basswma.dll,batmeter.dll,batt.dll,
BCGCBPRO800.dll,BCGCBPRO800u.dll,BCGPOleAcc.dll,bidispl.dll,bios1.rom,
bios4.rom,bitsprx2.dll,bitsprx3.dll,blackbox.dll,blastcln.exe,bootcfg.exe,
bootok.exe,bootvid.dll,bootvrfy.exe,bopomofo.uce,browselc.dll,browser.dll,
browseui.dll,browsewm.dll,bt2k_ins.dll,BtAudioHelper.dll,btbigbmp.dll,btbip.dll,
btcpl.cpl,btcpl.cpl.manifest,btcss.dll,btcss.dll.manifest,btdev.dll,bthci.dll,bthcrp.dll,
bthcrpui.dll,bthprops.cpl,bthserv.dll,btins.dll,BTNCopy.dll,BTNCopy.tlb,
BTNeighborhood.dll,BTNeighborhood.dll.manifest,BTNeighborhood.tlb,
btosif.dll,btosif_notes.dll,btosif_ol.dll,btosif_olx.dll,btpanui.dll,btprn2k.dll,
btrez.dll,btrezxp.dll,btsec.dll,btsendto.dll,btsendto_ie.dll,btsendto_lnagent.nsf,
btsendto_notes.dll,btsendto_office.dll,btsendto_wab.dll,btwhidcs.dll,BtWiaExt.dll,
BtWizard.dll,btwpimif.dll,btw_ci.dll,BTXPPanel.dll,BTXPPanel.tlb,BtXpShell.dll,
C-XLS.dll,cabinet.dll,cabview.dll,cacls.exe,calc.exe,camocx.dll,capesnpn.dll,
cards.dll,catsrv.dll,catsrvps.dll,catsrvut.dll,ccfgnt.dll,ccrpbds6.dll,ccrpprg6.ocx,
cdfview.dll,cdm.dll,cdmodem.dll,cdosys.dll,cdplayer.exe.manifest,CDRip3.dll,
certcli.dll,certmgr.dll,certmgr.msc,CEWMDM.dll,cfgbkend.dll,cfgmgr32.dll,
charmap.exe,ChCfg.exe,chcp.com,chkdsk.exe,chkntfs.exe,ciadmin.dll,
ciadv.msc,cic.dll,cidaemon.exe,ciodm.dll,cipher.exe,cisvc.exe,ckcnv.exe,
clb.dll,clbcatex.dll,clbcatq.dll,cleanmgr.exe,cliconf.chm,cliconfg.dll,cliconfg.exe,
cliconfg.rll,clipbrd.exe,clipsrv.exe,clspack.exe,clusapi.dll,cmcfg32.dll,cmd.exe,
cmdial32.dll,CMDIALOG.SRG,cmdl32.exe,cmdlib.wsc,CmdLineExt.dll,cmmgr32.hlp,
cmmon32.exe,cmos.ram,cmpbk32.dll,cmprops.dll,cmsetACL.dll,cmstp.exe,
cmutil.dll,cnbjmon.dll,cnetcfg.dll,cnvfat.dll,colbact.dll,comaddin.dll,comcat.dll,
comct232.ocx,comct332.ocx,COMCTL.SRG,COMCTL2.SRG,comctl32.dll,
comctl32.ocx,comdlg32.dll,comdlg32.ocx,comm.drv,command.com,commdlg.dll,
COMMTB32.DLL,comp.exe,compact.exe,CompareFilesX.ocx,compatUI.dll,
compmgmt.msc,compobj.dll,compstui.dll,comrepl.dll,comres.dll,comsnap.dll,
comsvcs.dll,comuid.dll,config.hsp,CONFIG.NT,CONFIG.TMP,confmsp.dll,
conime.exe,console.dll,control.exe,convert.exe,convlog.exe,corpol.dll,
country.sys,credui.dll,crtdll.dll,crypt32.dll,cryptdlg.dll,cryptdll.dll,cryptext.dll,
cryptnet.dll,cryptsvc.dll,cryptui.dll,cscdll.dll,cscript.exe,cscui.dll,CSH.DLL,
csrsrv.dll,csrss.exe,csseqchk.dll,CSVSpecialProcessing.dll,ctfmon.exe,ctl3d32.dll,
ctl3dv2.dll,ctype.nls,c_037.nls,c_10000.nls,c_10006.nls,c_10007.nls,
c_10010.nls,c_10017.nls,c_10029.nls,c_10079.nls,c_10081.nls,c_10082.nls,
c_1026.nls,c_1250.nls,c_1251.nls,c_1252.nls,c_1253.nls,c_1254.nls,c_1255.nls,
c_1256.nls,c_1257.nls,c_1258.nls,c_20127.nls,c_20261.nls,c_20866.nls,
c_20905.nls,c_21866.nls,c_28591.nls,c_28592.nls,c_28593.nls,C_28594.NLS,
C_28595.NLS,C_28597.NLS,c_28598.nls,c_28599.nls,c_28603.nls,c_28605.nls,
c_437.nls,c_500.nls,c_737.nls,c_775.nls,c_850.nls,c_852.nls,c_855.nls,c_857.nls,
c_860.nls,c_861.nls,c_863.nls,c_865.nls,c_866.nls,c_869.nls,c_874.nls,c_875.nls,
c_932.nls,c_936.nls,c_949.nls,c_950.nls,d3d8.dll,d3d8caps.dat,d3d8thk.dll,
d3d9.dll,d3d9caps.dat,d3dim.dll,d3dim700.dll,d3dpmesh.dll,d3dramp.dll,
d3drm.dll,d3dx9_24.dll,d3dx9_25.dll,d3dx9_26.dll,d3dx9_27.dll,d3dx9_28.dll,
d3dx9_29.dll,d3dx9_30.dll,d3dx9_31.dll,d3dx9_32.dll,d3dxof.dll,danim.dll,
dataclen.dll,datime.dll,davclnt.dll,daxctle.ocx,dbgeng.dll,dbghelp.dll,dbmsrpcn.dll,
DBMSSHRN.DLL,DBMSSOCN.DLL,dbnetlib.dll,dbnmpntw.dll,Dcache.bin,dciman32.dll,
dcomcnfg.exe,ddeml.dll,ddeshare.exe,ddraw.dll,ddrawex.dll,debug.exe,defrag.exe,
desk.cpl,deskadp.dll,deskmon.dll,deskperf.dll,desktop.ini,devenum.dll,devmgmt.msc,
devmgr.dll,dfrg.msc,dfrgfat.exe,dfrgntfs.exe,dfrgres.dll,dfrgsnap.dll,dfrgui.dll,
dfshim.dll,dfsshlex.dll,dgnet.dll,dgrpsetu.dll,dgsetup.dll,dhcpcsvc.dll,dhcpmon.dll,
dhcpsapi.dll,diactfrm.dll,diantz.exe,DiffDoc.CNT,DiffDoc.HLP,digest.dll,dimap.dll,
dinput.dll,dinput8.dll,diskcomp.com,diskcopy.com,diskcopy.dll,diskmgmt.msc,
diskpart.exe,diskperf.exe,dispex.dll,dllhost.exe,dllhst3g.exe,dmadmin.exe,
dmband.dll,dmcompos.dll,dmconfig.dll,dmdlgs.dll,dmdskmgr.dll,dmdskres.dll,
dmime.dll,dmintf.dll,dmloader.dll,dmocx.dll,dmremote.exe,dmscript.dll,
dmserver.dll,dmstyle.dll,dmsynth.dll,dmusic.dll,dmutil.dll,dmview.ocx,
dns-sd.exe,dnsapi.dll,dnsrslvr.dll,dnssd.dll,docprop.dll,docprop2.dll,doskey.exe,
dosx.exe,dpcdll.dll,dplay.dll,dplaysvr.exe,dplayx.dll,dpmodemx.dll,dpnaddr.dll,
dpnet.dll,dpnhpast.dll,dpnhupnp.dll,dpnlobby.dll,dpnmodem.dll,dpnsvr.exe,
dpnwsock.dll,dpserial.dll,dpvacm.dll,dpvoice.dll,dpvsetup.exe,dpvvox.dll,
dpwsock.dll,dpwsockx.dll,Drake.dll,DrakeCom.dll,driverquery.exe,drmclien.dll,
drmstor.dll,drmupgds.exe,drmv2clt.dll,drprov.dll,DRVSSRVR.HLP,DRVVFP.CNT,
DRVVFP.HLP,drwatson.exe,drwtsn32.exe,ds16gt.dLL,ds32gt.dll,dsauth.dll,
dsdmo.dll,dsdmoprp.dll,dskquota.dll,dskquoui.dll,dsound.dll,dsound.vxd,
dsound3d.dll,dsprop.dll,dsprpres.dll,dsquery.dll,dssec.dat,dssec.dll,dssenh.dll,
dsuiext.dll,dswave.dll,DTCCM.DLL,DTCTRACE.DLL,DTCUTIL.DLL,dumprep.exe,
DUNZIP32.DLL,duser.dll,dvdplay.exe,dvdupgrd.exe,dwwin.exe,dx3j.dll,dx7vb.dll,
dx8vb.dll,dxdiag.exe,dxdiagn.dll,dxmasf.dll,dxtmsft.dll,dxtrans.dll,DZIP32.DLL,
EBLang.dll,EBLang_407.dll,edit.com,edit.hlp,edlin.exe,efsadu.dll,ega.cpi,
ehETW.dll,els.dll,emptyregdb.dat,encapi.dll,encdec.dll,english.dic,EqnClass.Dll,
ersvc.dll,es.dll,esent.dll,esent97.dll,esentprf.dll,esentprf.hxx,esentprf.ini,
esentutl.exe,eudcedit.exe,eula.txt,eventcls.dll,eventcreate.exe,eventlog.dll,
eventtriggers.exe,eventvwr.exe,eventvwr.msc,exe2bin.exe,expand.exe,
expsrv.dll,exstrace.dll,extmgr.dll,extrac32.exe,exts.dll,fastopen.exe,faultrep.dll,
fc.exe,fde.dll,fdeploy.dll,feclient.dll,ff_vfw.dll,ff_vfw.dll.manifest,FifX.ocx,
filemgmt.dll,filevw80.ocx,find.exe,findstr.exe,finger.exe,firewall.cpl,fixmapi.exe,
fldrclnr.dll,fldrvw80.ocx,fltlib.dll,fltmc.exe,FM20.DLL,FM20ENU.DLL,fmifs.dll,
FNTCACHE.DAT,fontext.dll,fontsub.dll,fontview.exe,forcedos.exe,format.com,
framebuf.dll,freecell.exe,fsmgmt.msc,fsquirt.exe,fsusd.dll,fsutil.exe,ftp.exe,
ftpctrs.h,ftpctrs.ini,ftpctrs2.dll,ftpsapi2.dll,ftsrch.dll,fwcfg.dll,g711codc.ax,
Gauge32.OCX,gb2312.uce,gcdef.dll,gdi.exe,gdi32.dll,gdiplus.dll,geo.nls,
getmac.exe,getuname.dll,glmf32.dll,glu32.dll,gpedit.dll,gpedit.msc,gpkcsp.dll,
gpkrsrc.dll,gpresult.exe,gptext.dll,gpupdate.exe,graftabl.com,graphics.com,
graphics.pro,grfcxl32.dll,grid32.ocx,grpconv.exe,grsapx32.dll,gsdll32.dll,
h323.tsp,h323log.txt,h323msp.dll,h5dlg32.dll,h5icon32.dll,h5krnl32.dll,
h5menu32.dll,h5rtf32.dll,h5tool32.dll,hal.dll,haspdos.sys,haspvdd.dll,hccoin.dll,
HdAProp.dll,HdAShCut.exe,HdAudRes.dll,hdwwiz.cpl,help.exe,hhctrl.ocx,
hhsetup.dll,hid.dll,hidphone.tsp,himem.sys,hlink.dll,HLP95EN.DLL,hnetcfg.dll,
hnetmon.dll,hnetwiz.dll,homepage.inf,hostname.exe,hotplug.dll,HPBHEALR.DLL,
HPBMMON.DLL,HPDOMON.DLL,hticons.dll,html.iec,httpapi.dll,htui.dll,huffyuv.dll,
hypertrm.dll,I263_32.drv,i420vfw.dll,iac25_32.ax,Iacenc.dll,iasacct.dll,iasads.dll,
iashlpr.dll,iasnap.dll,iaspolcy.dll,iasrad.dll,iasrecst.dll,iassam.dll,iassdo.dll,iassvcs.dll,
icaapi.dll,iccvid.dll,icfgnt5.dll,icm32.dll,icmp.dll,icmui.dll,iconv.dll,icudt20.dll,
icuin20.dll,icuuc20.dll,icwdial.dll,icwphbk.dll,ideograf.uce,idq.dll,ie4uinit.exe,
ieakeng.dll,ieaksie.dll,ieakui.dll,iedkcs32.dll,ieencode.dll,iepeers.dll,iernonce.dll,
iesetup.dll,ieuinit.inf,iexpress.exe,ifmon.dll,ifsutil.dll,igmpagnt.dll,iisext.dll,
iismap.dll,iismui.dll,iisreset.exe,iisrstap.dll,iisrtl.dll,iissuba.dll,ils.dll,imaadp32.acm,
imagehlp.dll,imapi.exe,IMC32.acm,imeshare.dll,imgutil.dll,imm32.dll,imon1.dat
,impact.qlm,inetcfg.dll,inetcomm.dll,inetcpl.cpl,inetcplc.dll,inetmib1.dll,
inetpp.dll,inetppui.dll,inetres.dll,inetsloc.dll,INETWH32.dll,infoadmn.dll,
infoctrs.dll,infoctrs.h,infoctrs.ini,infosoft.dll,initpki.dll,INKED.DLL,input.dll,
inseng.dll,instcat.sql,intl.cpl,iologmsg.dll,ipconf.tsp,ipconfig.exe,iphlpapi.dll,
ipmontr.dll,ipnathlp.dll,ippromon.dll,iprop.dll,iprtprio.dll,iprtrmgr.dll,ipsec6.exe,
ipsecsnp.dll,ipsecsvc.dll,ipsmsnap.dll,ipv6.exe,ipv6mon.dll,Ipx32d56.dll,
Ipx32_56.dll,ipxmontr.dll,ipxpromn.dll,ipxrip.dll,ipxroute.exe,ipxrtmgr.dll,
ipxsap.dll,ipxwan.dll,ir32_32.dll,ir41_32.ax,ir41_qc.dll,ir41_qcx.dll,ir50_32.dll,
ir50_qc.dll,ir50_qcx.dll,irclass.dll,irftp.exe,irmon.dll,irprops.cpl,isign32.dll,
isqlext.dll,isrdbg32.dll,itircl.dll,itss.dll,iuengine.dll,ivfsrc.ax,Ixpert.qlm,ixsso.dll,
iyuv_32.dll,java.exe,JavaAccessBridge.dll,javacpl.cpl,javacypt.dll,javaee.dll,
javaprxy.dll,javart.dll,javasup.vxd,javaw.exe,javaws.exe,jdbgmgr.exe,jet500.dll,
jgaw400.dll,jgdw400.dll,jgmd400.dll,jgpl400.dll,jgsd400.dll,jgsh400.dll,jit.dll,
jobexec.dll,joy.cpl,jscript.dll,jsproxy.dll,jupdate-1.5.0_05-b05.log,
jupdate-1.5.0_09-b01.log,jview.exe,kanji_1.uce,kanji_2.uce,
kb16.com,KBDAL.DLL,kbdaze.dll,kbdazel.dll,kbdbe.dll,kbdbene.dll,kbdblr.dll,
kbdbr.dll,kbdbu.dll,kbdca.dll,kbdcan.dll,kbdcr.dll,kbdcz.dll,kbdcz1.dll,kbdcz2.dll,
kbdda.dll,kbddv.dll,kbdes.dll,kbdest.dll,kbdfc.dll,kbdfi.dll,kbdfi1.dll,kbdfo.dll,
kbdfr.dll,kbdgae.dll,kbdgkl.dll,kbdgr.dll,kbdgr1.dll,kbdhe.dll,kbdhe220.dll,
kbdhe319.dll,kbdhela2.dll,kbdhela3.dll,kbdhept.dll,kbdhu.dll,kbdhu1.dll,
kbdic.dll,kbdinbe1.dll,kbdinben.dll,kbdinmal.dll,kbdir.dll,kbdit.dll,kbdit142.dll,
kbdkaz.dll,kbdkyr.dll,kbdla.dll,kbdlt.dll,kbdlt1.dll,kbdlv.dll,kbdlv1.dll,kbdmac.dll,
kbdmaori.dll,kbdmlt47.dll,kbdmlt48.dll,kbdmon.dll,kbdne.dll,kbdnec.dll,kbdno.dll,
kbdno1.dll,kbdpl.dll,kbdpl1.dll,kbdpo.dll,kbdro.dll,kbdru.dll,kbdru1.dll,kbdsf.dll,
kbdsg.dll,kbdsl.dll,kbdsl1.dll,kbdsmsfi.dll,kbdsmsno.dll,kbdsp.dll,kbdsw.dll,
kbdtat.dll, kbdtuf.dll,kbdtuq.dll,kbduk.dll,kbdukx.dll,kbdur.dll,kbdus.dll,kbdusl.dll,
kbdusr.dll, kbdusx.dll,kbduzb.dll,kbdycc.dll,kbdycl.dll,kd1394.dll,kdcom.dll,
kerberos.dll, kernel32.dll,key01.sys,keyboard.drv,keyboard.sys,keymgr.dll,
kmddsp.tsp, korean.uce,krnl386.exe,ksproxy.ax,ksuser.dll,l3codeca.acm,
l3codecp.acm, l3codecx.ax,label.exe,lameACM.acm,lame_acm.xml,
LAME_ENC.DLL,langwrbk.dll, lanman.drv,LAPRXY.dll,lcppn201.dll,lcppn21.dll,
LegitCheckControl.dll,lhacm.acm, libeay32.dll,libmysql5a.dll,librfc32.dll,librfc32u.dll,
libsapu16.dll,licdll.dll,licmgr10.dll, licwmi.dll,lights.exe,linkinfo.dll,lmhsvc.dll,lmrt.dll,
lnkstub.exe,loadfix.com,loadperf.dll, locale.nls,localsec.dll,localspl.dll,localui.dll,
locator.exe,lodctr.exe,logagent.exe, loghours.dll,login.cmd,logman.exe,
logoff.exe,logon.scr,logonui.exe,logonui.exe.manifest,lpk.dll,lpq.exe,lpr.exe,
lprhelp.dll,lprmonui.dll,lsasrv.dll,lsass.exe,lusrmgr.msc,lz32.dll,lzexpand.dll,
l_except.nls,l_intl.nls,magnify.exe,mag_hook.dll,main.cpl,makecab.exe,
MALSLIB.DLL,mapi32.dll,mapistub.dll,mapisvc.inf,MBLLNK.CPL,mcastmib.dll,
mcd32.dll,mcdsrv32.dll,mchgrcoi.dll,mciavi.drv,mciavi32.dll,mcicda.dll,
mciole16.dll,mciole32.dll,mciqtz32.dll,mciseq.dll,mciseq.drv,mciwave.dll,
mciwave.drv,mdhcp.dll,mdimon.dll,mdminst.dll,mdwmdmsp.dll,mem.exe,
mf3216.dll,mfc40.dll,mfc40u.dll,mfc42.dll,MFC42ENU.DLL,mfc42u.dll,
mfc71.dll,mfc71u.dll,mfcans32.dll,mfcsubs.dll,mfcuia32.dll,mfcuiw32.dll,
MFPLAT.dll,mgmtapi.dll,mib.bin,midimap.dll,miglibnt.dll,migpwd.exe,
mimefilt.dll,mlang.dat,mlang.dll,mll_hp.dll,mll_mtf.dll,mll_qic.dll,
MM32DCMP.DLL,mmc.exe,mmcbase.dll,mmcndmgr.dll,mmcshext.dll,
mmdriver.inf,mmdrv.dll,mmfutil.dll,mmsys.cpl,mmsystem.dll,mmtask.tsk,
mmutilse.dll,mnmdd.dll,mnmsrvc.exe,mobsync.dll,mobsync.exe,mode.com,
modemui.dll,modex.dll,more.com,moricons.dll,mountvol.exe,mouse.drv,
mp3fhg.acm,MP43DECD.dll,MP43DMOD.dll,MP4SDECD.dll,MP4SDMOD.dll,
mpeg2data.ax,mpg2splt.ax,MPG4DECD.dll,MPG4DMOD.dll,mpg4ds32.ax,
mplay32.exe,mpnotify.exe,mpr.dll,mprapi.dll,mprddm.dll,mprdim.dll,
mprmsg.dll,mprui.dll,mqad.dll,mqbkup.exe,mqcertui.dll,mqdscli.dll,
mqgentr.dll,mqise.dll,mqlogmgr.dll,mqoa.dll,mqoa.tlb,mqoa10.tlb,
mqoa20.tlb,mqperf.dll,mqperf.ini,


Looking at the page source reveals this suspicious line:

<!-- base href="http://91.211.64. [BLOCKED]111/f/" -->

The IP is not responding at this time; no site found.

-------------------------------------------------------------------------------------------------------------------

http://www.google.com/safebrowsing/diagnostic?site=antiviruson [BLOCKED].com
http://www.google.com/safebrowsing/diagnostic?site=whreismyplugnplay.cn
http://www.google.com/safebrowsing/diagnostic?site=fastantimalwarescan.com
http://www.google.com/safebrowsing/diagnostic?site=securedupdateslive.cn

 
WHOIS antiviruson [BLOCKED].com ?

The first site appears to be hosted in Russia.

antiviruson [BLOCKED].com (89.111.176 [BLOCKED].21)

Queried whois.internic.net with "dom antiviruson.com"...

Domain Name: ANTIVIRUSON.COM
Registrar: CENTROHOST CLOSED JOINT STOCK COMPANY
Whois Server: whois.centrohost.ru
Referral URL: http://centrohost.ru
Name Server: NS1.HC.RU
Name Server: NS2.HC.RU
Status: ok
Updated Date: 19-dec-2008
Creation Date: 19-dec-2008
Expiration Date: 19-dec-2009

Queried whois.centrohost.ru with "antiviruson [BLOCKED].com"...

domain: ANTIVIRUSON [BLOCKED].COM
nserver: NS1.HC.RU
nserver: NS2.HC.RU
state:REGISTERED, DELEGATED
nic-hdl: AKTITOL-CTH
person: Vladimir V Popov
phone:+7 370 86456456
fax-no: +7 370 86456456
e-mail: support@balticaffiliate.com
reg-till: 2009-12-19
created: 2008-12-19
changed: 2008-12-20

Queried whois.ripe.net with "-B 89.111.176. [BLOCKED]21"...

inetnum:89.111.176.0 - 89.111.176.31
netname:RU-HC-RBC-route-1
descr: Hosting Centre RBC, Ltd.
country:RU
remarks:------------------------
remarks:Abuse and other questions:
remarks:
remarks:E-mail: support@hc.ru
remarks:Phone: +7.495.544-5566
remarks:------------------------
org: ORG-JC13-RIPE
admin-c:HCRU-RIPE
tech-c: HCRU-RIPE
status: ASSIGNED PA
mnt-by: AS5537-MNT
mnt-lower:AS5537-MNT
mnt-routes: AS5537-MNT
mnt-domains: AS5537-MNT
source: RIPE
changed:pavel@gpt.ru 20090115

organisation: ORG-JC13-RIPE
org-name: JSC Centrohost
org-type: OTHER
descr: JSC Centrohost
address:78, Profsojuznaya str.,
address:Moscow, Russia, 117393
phone: +7 495 3630309
phone: +7 495 3630318
e-mail: abuse@hc.ru
admin-c:HCRU-RIPE
tech-c: HCRU-RIPE
mnt-ref:AS5537-MNT
abuse-mailbox: abuse@hc.ru
mnt-by: AS5537-MNT
source: RIPE
changed:pavel@gpt.ru 20081023

role: HCRU NOC
address:Hosting-Center LTD
address:5 donskoy proezd, 15, bld 4
address:119344 Moscow
address:Russia
phone: +7 495 5445566
fax-no: +7 495 5140957
abuse-mailbox: abuse@hc.ru
e-mail: noc@hc.ru
remarks:******************************************
remarks:Points of contact:
remarks:routing & peering noc@hc.ru
remarks:SPAM & network security abuse@hc.ru
remarks:mail & newspostmaster@hc.ru
remarks:customer support support@hc.ru
remarks:******************************************
admin-c:IE-RIPE
tech-c: IE-RIPE
nic-hdl:HCRU-RIPE
changed:ivan@hc.ru 20080220
changed:ivan@hc.ru 20080220
changed:ivan@hc.ru 20080220
changed:chashchin@hc.ru 20080813
changed:efremov@hc.ru 20090204
mnt-by: HCRU-NOC
source: RIPE

% Information related to '89.111.176.0/20AS41126'

route: 89.111.176.0/20
descr: JSC Centrohost route
origin: AS41126
mnt-by: AS5537-MNT
source: RIPE
changed:pavel@gpt.ru 20080520

*****************

WHOIS whreismyplugnplay [BLOCKED].cn ?
 

Queried whois.cnnic.net.cn with "whreismyplugnplay [BLOCKED].cn"...

Domain Name: whreismyplugnplay.cn
ROID: 20090217s10001s94221871-cn
Domain Status: clientTransferProhibited
Administrative Email: RoderickKiewiet@gmail.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.basicstechnology.com
Name Server:ns2.basicstechnology.com
Name Server:ns3.basicstechnology.com
Registration Date: 2009-02-17 00:28
Expiration Date: 2010-02-17 00:28

************************************************
Queried whois.ripe.net with "-B 78.47.91.153"...

inetnum:78.47.91.152 - 78.47.91.159
netname:SIARHEI-SHANDROKHA
descr: Siarhei Shandrokha
country:DE
admin-c:SS9049-RIPE
tech-c: SS9049-RIPE
status: ASSIGNED PA
notify: ripe-mntner@hetzner.de
mnt-by: HOS-GUN
changed:ripe-dbm-updates@robot.first-ns.de 20080126
source: RIPE

person: Siarhei Shandrokha
address:Senpai IT Solutions
address:Unit 10, College Court
address:Lower Kevin Street
address:Dublin 8
address:IRELAND
phone: +35314791837
e-mail: info@senpai-it.com
nic-hdl:SS9049-RIPE
notify: ripe-mntner@hetzner.de
mnt-by: HOS-GUN
changed:ripe@hetzner.de 20070221
changed:ripe-dbm-updates@robot.first-ns.de 20070429
source: RIPE

route: 78.46.0.0/15
descr: HETZNER-RZ-NBG-BLK5
origin: AS24940
org: ORG-HOA1-RIPE
mnt-by: HOS-GUN
changed:ripe@hetzner.de 20070416
source: RIPE

organisation: ORG-HOA1-RIPE
org-name: Hetzner Online AG
org-type: LIR
address:Hetzner Online AG
Attn. Martin Hetzner
Stuttgarter Str. 1
91710 Gunzenhausen
Germany
phone: +49 9831 610061
fax-no: +49 9831 610062
e-mail: info@hetzner.de
admin-c:GM834-RIPE
admin-c:HOAC1-RIPE
admin-c:MH375-RIPE
admin-c:RB1502-RIPE
admin-c:SK2374-RIPE
mnt-ref:HOS-GUN
mnt-ref:RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE



WHOIS fastantimalwarescan [BLOCKED].com ?
 

Queried whois.internic.net with "dom fastantimalwarescan [BLOCKED].com"...

Domain Name: FASTANTIMALWARESCAN [BLOCKED].COM
Registrar: TODAYNIC.COM, INC.
Whois Server: whois.todaynic.com
Referral URL: http://www.NOW.CN
Name Server: NS1.BASICSTECHNOLOGY.COM
Name Server: NS2.BASICSTECHNOLOGY.COM
Name Server: NS3.BASICSTECHNOLOGY.COM
Status: clientTransferProhibited
Updated Date: 06-mar-2009
Creation Date: 03-mar-2009
Expiration Date: 03-mar-2010

Queried whois.todaynic.com with "fastantimalwarescan [BLOCKED].com"...

Domain name: fastantimalwarescan [BLOCKED].com
Status: Active

Registrant:
Name: Wilkinson S Judy
Address: Unit 17 Circuit Drive
City: Hendon
Province/state: Adelaide
Country: AU
Postal Code: 201423

Administrative Contact:
Name: Wilkinson S Judy
Organization: n/a
Address: Unit 17 Circuit Drive
City: Hendon
Province/state: Adelaide
Country: AU
Postal Code: 201423
Phone: +6.1883472889
Fax: +6.1883472889
Email: info@go2util.com

Technical Contact:
Name: Wilkinson S Judy
Organization: n/a
Address: Unit 17 Circuit Drive
City: Hendon
Province/state: Adelaide
Country: AU
Postal Code: 201423

Nameserver Information:
ns1.basicstechnology.com
ns2.basicstechnology.com
ns3.basicstechnology.com

Create: 2009-03-03 20:46:33
Update: 2009-03-06
Expired: 2010-03-03
QueryTimes: 812


WHOIS securedupdateslive [BLOCKED].cn ?
 

Queried whois.cnnic.net.cn with "securedupdateslive [BLOCKED].cn"...

Domain Name: securedupdateslive [BLOCKED].cn
ROID: 20090210s10001s49519232-cn
Domain Status: clientTransferProhibited
Registrant Organization: null
Administrative Email: info@upclan.fi
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.voguebestchoice.com
Name Server:ns2.voguebestchoice.com
Name Server:ns3.voguebestchoice.com
Registration Date: 2009-02-10 00:40
Expiration Date: 2010-02-10 00:40

Queried whois.ripe.net with "-B 78.47.91.153"...

Same netblock as whreismyplugnplay [BLOCKED].cn above: inetnum 78.47.91.152 - 78.47.91.159,
netname SIARHEI-SHANDROKHA, route 78.46.0.0/15 (Hetzner Online AG, AS24940). The full RIPE
record is quoted in that section.
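The whois lookups above are most useful when read together: two of the domains sit on the same Hetzner IP, two share the basicstechnology.com nameservers, and three were registered within a month of each other. The script below is an added example, not code from the original post. Its records are transcribed from the whois and RIPE output quoted above (registrar strings kept exactly as the registries printed them, IPs as the post resolved them on 8 March 2009), nothing is queried live, and proupdatessoftware.com is left out because the post shows no whois for it.

```python
"""Pivot on shared infrastructure across the domains in this write-up.

Added example, not code from the original post.  DOMAINS is transcribed
from the whois/RIPE lookups quoted in the post; no live queries are made.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

BASICS_NS = {"ns1.basicstechnology.com", "ns2.basicstechnology.com", "ns3.basicstechnology.com"}
VOGUE_NS = {"ns1.voguebestchoice.com", "ns2.voguebestchoice.com", "ns3.voguebestchoice.com"}

# Registrar strings are kept as printed; "TODAYNIC.COM, INC." and the
# Chinese-named registrar are treated as different values because the post
# does not equate them.  asn is None where the post shows no RIPE record.
DOMAINS = {
    "antiviruson.com": {
        "ip": "89.111.176.21", "ns": {"ns1.hc.ru", "ns2.hc.ru"},
        "registrar": "CENTROHOST CLOSED JOINT STOCK COMPANY",
        "contact": "support@balticaffiliate.com",
        "created": date(2008, 12, 19), "asn": "AS41126",
    },
    "whreismyplugnplay.cn": {
        "ip": "78.47.91.153", "ns": BASICS_NS,
        "registrar": "广东时代互联科技有限公司",
        "contact": "RoderickKiewiet@gmail.com",
        "created": date(2009, 2, 17), "asn": "AS24940",
    },
    "fastantimalwarescan.com": {
        "ip": "83.133.123.174", "ns": BASICS_NS,
        "registrar": "TODAYNIC.COM, INC.",
        "contact": "info@go2util.com",
        "created": date(2009, 3, 3), "asn": None,
    },
    "securedupdateslive.cn": {
        "ip": "78.47.91.153", "ns": VOGUE_NS,
        "registrar": "广东时代互联科技有限公司",
        "contact": "info@upclan.fi",
        "created": date(2009, 2, 10), "asn": "AS24940",
    },
}

PIVOT_ATTRS = ("ip", "ns", "registrar", "contact", "asn")


def pivot(domains, attr):
    """Map each value of `attr` to the sorted domains sharing it.  Set-valued
    attributes (nameservers) pivot on each member; values seen on only one
    domain are dropped because they link to nothing."""
    index = defaultdict(set)
    for name, rec in domains.items():
        value = rec.get(attr)
        if value is None:
            continue
        for v in (value if isinstance(value, (set, frozenset)) else (value,)):
            index[v].add(name)
    return {v: sorted(names) for v, names in index.items() if len(names) > 1}


def related(domains, domain):
    """Other domains tied to `domain`, with the attr=value links that tie them."""
    links = defaultdict(list)
    for attr in PIVOT_ATTRS:
        for value, names in pivot(domains, attr).items():
            if domain in names:
                for other in names:
                    if other != domain:
                        links[other].append(f"{attr}={value}")
    return dict(links)


def registration_bursts(domains, max_days):
    """Pairs of domains registered within `max_days` of each other."""
    return sorted(
        (a, b) for a, b in combinations(sorted(domains), 2)
        if abs((domains[a]["created"] - domains[b]["created"]).days) <= max_days)


def clusters(domains):
    """Connected components over every pivot link: domains that reach each other
    through any chain of shared IP, nameserver, registrar, contact or ASN."""
    groups = [{d} for d in domains]
    for attr in PIVOT_ATTRS:
        for names in pivot(domains, attr).values():
            merged, rest = set(names), []
            for g in groups:
                if g & merged:
                    merged |= g
                else:
                    rest.append(g)
            groups = rest + [merged]
    return sorted(sorted(g) for g in groups)


if __name__ == "__main__":
    for d in DOMAINS:
        print(d, "->", related(DOMAINS, d))
    print("clusters:", clusters(DOMAINS))
    print("registered within 30 days:", registration_bursts(DOMAINS, 30))
```

On these records the three redirect and payload domains collapse into one cluster (shared 78.47.91.153, shared basicstechnology.com nameservers, the same .cn registrar and AS24940), while antiviruson.com, the front door advertised in the videos, stands alone on its Russian hosting; that separation between the advertised entry point and the delivery infrastructure is typical for affiliate-driven FakeAV campaigns. Adding `netname` or the nameserver's parent domain as further pivot attributes is a one-line change to PIVOT_ATTRS.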