
Googkle.com - Don't go here....



/////AMG
04-30-2005, 04:00 AM
A malicious website has been detected by F-Secure that exploits a spelling error when typing the name of the popular search engine 'Google.com'. If a user opens the malicious website, his/her computer gets hijacked.

The name of the malicious website is 'Googkle.com'. F-Secure advises users to strictly stay away from this site, since simply accessing it allows a lot of different malware to get automatically downloaded and installed. Trojan droppers, trojan downloaders, backdoors, a proxy trojan and a spying trojan are some of the malware that get installed. A few adware-related files are installed as well.

When 'googkle.com' is opened in a browser, it shows 2 popup windows that are linked to the ntsearch.com and toolbarpartner.com. The 'ntsearch.com' website downloads and runs the 'pop.chm' file and the 'toolbarpartner.com' website downloads and runs the 'ddfs.chm' file. Both files are downloaded using exploits and they contain exploits themselves to run embedded executable files. One of the webpages of the 'toolbarpartner.com' website downloads a file named 'pic10.jpg' using an exploit. This JPG file is actually an executable that replaces Windows Media Player application.

In addition, these websites launch a stream of webpages with different exploits and eventually end up downloading and running 2 files from the 'daosearch.com' website: web.exe and classload.jar.

Basically, a malware package gets installed on an affected computer: 2 backdoors, 2 trojan droppers, a proxy trojan, a spying trojan (that steals bank-related information) and a trojan downloader.

The entire virus package also includes the 'svchosts.exe' file, which is a trojan dropper. It drops a DLL named 'svchosts.dll' into the Windows System folder. This DLL places a fake virus alert on the desktop.

This fake alert, in turn, leads users to a site which claims to fix the issue. Unfortunately, the way people are directed to that website is somewhat deceptive.

F-Secure claims to have already reported this issue to the authorities.

http://www.cxotoday.com/cxo/jsp/article.jsp?article_id=3484&cat_id=909
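The post above is about a typosquatted domain: 'googkle.com' is 'google.com' with one extra keystroke ('k' sits next to 'l' on a QWERTY keyboard). The following is an added example, not code from the original post or from F-Secure, that enumerates the single-keystroke typos of a brand domain (omitted, repeated, transposed and adjacent-key letters) and matches a list of observed domains against them. The QWERTY neighbour table and the list of observed domains are constructed for the example; only 'googkle.com' comes from the thread. The hits are meant for blocking or alerting, not for visiting.

```python
"""Typosquat variant generator for a brand domain (added example)."""

# QWERTY neighbours: the keys a finger most plausibly hits by mistake.
# Assumption of this example, not taken from the original post.
QWERTY_ADJACENT = {
    'q': 'wa', 'w': 'qase', 'e': 'wsdr', 'r': 'edft', 't': 'rfgy',
    'y': 'tghu', 'u': 'yhji', 'i': 'ujko', 'o': 'iklp', 'p': 'ol',
    'a': 'qwsz', 's': 'awedxz', 'd': 'serfcx', 'f': 'drtgvc',
    'g': 'ftyhbv', 'h': 'gyujnb', 'j': 'huikmn', 'k': 'jiolm',
    'l': 'kop', 'z': 'asx', 'x': 'zsdc', 'c': 'xdfv', 'v': 'cfgb',
    'b': 'vghn', 'n': 'bhjm', 'm': 'njk',
}


def typo_variants(domain):
    """Return {variant: kind} for the single-edit typos of a domain.

    kinds: omission, repetition, transposition, adjacent-replacement,
    adjacent-insertion.  Only the label before the first dot is mutated;
    the TLD is kept as-is.  The first kind that produces a variant wins.
    """
    label, dot, tld = domain.partition('.')
    out = {}

    def add(variant, kind):
        v = variant + dot + tld
        if v != domain:            # never report the legitimate domain itself
            out.setdefault(v, kind)

    n = len(label)
    for i in range(n):
        # omission: googe.com
        add(label[:i] + label[i + 1:], 'omission')
        # repetition: gooogle.com
        add(label[:i] + label[i] + label[i:], 'repetition')
        # transposition of two neighbouring letters: gogole.com
        if i + 1 < n and label[i] != label[i + 1]:
            add(label[:i] + label[i + 1] + label[i] + label[i + 2:],
                'transposition')
        # adjacent key typed instead of, before, or after the right one
        for k in QWERTY_ADJACENT.get(label[i], ''):
            add(label[:i] + k + label[i + 1:], 'adjacent-replacement')
            add(label[:i] + k + label[i:], 'adjacent-insertion')
            add(label[:i + 1] + k + label[i + 1:], 'adjacent-insertion')
    return out


def find_squats(domain, observed):
    """Match observed domains (e.g. from proxy logs or a newly-registered
    domain feed) against the typo variants of the brand domain."""
    variants = typo_variants(domain)
    return [(d, variants[d]) for d in observed if d in variants]


# Constructed sample input: only googkle.com is from the thread.
OBSERVED = ['googkle.com', 'google.com', 'example.com', 'gooogle.com']

if __name__ == '__main__':
    for hit, kind in find_squats('google.com', OBSERVED):
        print(f'{hit}: {kind}')
```

Feeding this a daily list of newly registered domains (or the destination hosts in your web proxy logs) is the cheap, offline part of the check; whatever it flags should be blocked or investigated from a sandbox, never opened in a desktop browser, for exactly the reason the post gives.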

goldenrocket
04-30-2005, 08:40 AM
oooh :thumbsup: good to know, thanks mate

Charon
05-01-2005, 01:05 AM
Well, I decided to take a peek.
Gookle.com was nothing, no popups or warnings. But then again, Firefox on Gentoo Linux...... = no virus problems.

But then again
Rule #1: Don't use IE
Rule #2: Don't use IE
Rule #3: No poofters
Rule #4: Don't use Windows
Rule #5: Don't open shit people email you.