
TOKYO (MacHouse) – A few days ago, we reported that an organized cyber criminal group managed to create spam profiles at livevideo.com to send Internet users to fake codec websites and to possibly infect them with malware. A downloaded file was labeled exclusivemovie.1630.exe. We subsequently attempted to contact the webmaster of Livevideo.com and informed them that their website was used to send Internet users to malicious websites. (See Screenshot 01.) However, our kind notification has apparently been ignored, and the same junk profiles are still found at livevideo.com. (See Screenshot 02.)
Screenshot 01 – Source: Livevideo.com
Screenshot 02 – Source: MacHouse/Livevideo.com
Screenshot 03 – Source: Sophos
We were not sure of the exact nature of the file that was delivered from codecdownload.filesstorage4you.com, so we sent a copy to Sophos, an Internet security expert, for analysis. More than 24 hours ago, a representative of the security company notified us by e-mail that the sample file contained a Trojan Horse variant. (See Screenshots 03-04.) They call it Troj/Renos-CH. Moreover, the Mac version of Norton AntiVirus and the Windows version of Norton Internet Security with the latest virus definitions also detect suspicious code in the file exclusivemovie.1630.exe. Symantec calls this code Downloader. (See Screenshots 05-06.)
Screenshot 04 – Source: Sophos
Screenshot 05 – Source: MacHouse
Screenshot 06 – Source: MacHouse
Screenshot 07 – Source: MacHouse
Screenshot 08 – Source: Livevideo.com
Screenshot 09 – Source: tube-work-sell.net
Furthermore, a spam post circulated on January 7, possibly by the same cyber criminal group, contained hyperlinks to websites including Open Office (www.openoffice.org.uk), iPhone Underground Forums (iphoneunderground.com), Particular Tastes (particulartastes.com), Livevideo.com (www.livevideo.com) and kaboodle (www.kaboodle.com). (See Screenshot 07.) When we accessed the spam profiles/topics at these websites, a redirection website at vbestserv.org sent us to a fake PornTube website at tube-work-sell.net. (See Screenshots 08-09.) According to Norton Internet Security, the file delivered through pure-download-new.net contains a Trojan Horse variant. (See Screenshot 10.)
Screenshot 10 – Source: MacHouse
Screenshot 11 – Source: MacHouse
Screenshot 12 – Source: tube-work-sell.net
Several hours ago, an organized cyber criminal group circulated another suspicious post to advertise spam profiles/forum topics. (See Screenshot 11.) The hyperlinks in the spam post include URLs to kaboodle (www.kaboodle.com), Livevideo.com (www.livevideo.com) and VideoCodeZone (www.videocodezone.com). One final destination after accessing any of these URLs is the fake PornTube website at tube-work-sell.net. (See Screenshot 12.) Clicking on a pornographic image, one can end up downloading a file named TubePlayer.ver.6.exe.
In several hours, we will find out where the PornTube website and others are hosted. Stay tuned.
Related stories:
YouTube And kaboodle, Spam-Vandalized Side by Side – Spam Campaign Sponsored by US Drugstore (US-DS.COM)
Junk Profiles at LIVEVIDEO.COM Sending Internet Users to Fake Codec Websites – Part 2
Junk Profiles at LIVEVIDEO.COM Sending Internet Users to Fake Codec Websites – Part 1
Troj/Renos-CH Trojan – Sophos security analysis











