Jump to content

Two infections for the price of one

Starbuck
 Share

Recommended Posts

  • ExTS Admin
Starbuck Newbie

Starbuck

Posted
  • ExTS Admin
Posted

2GCash and Windows System Optimizator rogue from one fake codec scam.

 

Today we came across this fake codec scam that delivered two pieces of malware for those unfortunate enough to stumble across it. The malicious site offers Megan Fox and Carmen Electra sex videos (among other things.)

 

http://img.photobucket.com/albums/v708/starbuck50/Reg/Exclusividorg_to_FakePlayMovie.jpg

 

After installing a fake video viewer, it throws up fake Microsoft Security Essentials alerts and installs the Windows System Optimizator rogue.

 

http://img.photobucket.com/albums/v708/starbuck50/Reg/MSE-FakeAlert.jpg

 

http://img.photobucket.com/albums/v708/starbuck50/Reg/FakeSoluitionFound_Reboot.jpg

 

http://img.photobucket.com/albums/v708/starbuck50/Reg/windows_system_optimizator2.png

 

# 1. 2GCash (VIPRE detection: VirTool.Win32.Obfuscator.hg!b1)

 

The 2GCash malware has been one of the major downloaders. It’s been used by thousands of affiliate sites since 2008. Its main purpose is to generate profits through click fraud transmissions from infected computers and search engine result hijackings.

 

VIPRE detects the 2GCash malware as VirTool.Win32.Obfuscator.hg!b1 (v). Kaspersky detects it as *.codecpack, Sophos as FakeAV-CX and Microsoft as Renos.

 

It uses online scanner scams, third party bundled downloads, fake codec scam sites and fake crack serial sites.

 

The file video_part_##.exe is detected as Trojan.Win32.Generic.pak!cobra

 

# 2. Windows System Optimizator rogue

 

Windows System Optimizator is a rogue what uses a fake Microsoft Security Essentials alert. VIPRE detects it as Trojan.Win32.Generic.pak!cobra.

 

It’s a rebranding of the Windows Optimization Center rogue.

 

2GCash

 

2GCash is the name we gave the detection when the group behind it began an affiliate program with a site named go-go-cash.com in December of 2008.

 

The page for affiliates was titled "Go Go Cash."

 

http://img.photobucket.com/albums/v708/starbuck50/Reg/go-go-cashcom_ICQs405771879_397393138_401579314.jpg

 

 

Source:

GFI LABS Blog: Two infections for the price of one

Member of:

UNITE

  • Replies 0
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...