LIVEVIDEO.COM and Other Websites Continuing to Send Internet Users to Fake Codec Websites with Trojan Horse Viruses – Part 2







TOKYO (MacHouse) – As we reported several hours ago, a junk comment circulated by an organized cyber criminal group contained hyperlinks leading to spam profiles or forum topics at such websites as kaboodle (www.kaboodle.com), Livevideo.com (www.livevideo.com) and VideoCodeZone (www.videocodezone.com). (See Screenshot 01.) Livevideo.com and kaboodle both have more than 1 million visitors monthly.





LiveVideo.com kaboodle downloader Troj/Renos-CH fake PornTube pure-download-new.net
Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: kaboodle
Screenshot 03 – Source: tube-work-sell.net






If you access any of the URLs in the spam post, one of your final destinations will be a fake PornTube website at tube-work-sell.net. If you access http://www.kaboodle.com/blowjobmovies, for example, you will land at a spam profile with a fake video screen. (See Screenshot 02.) The underlying URL is http://vbestserv.org/ds/go.php?sid=1. A few days ago, we mentioned that the redirection website at vbestserv.org was hosted by a web server in the U.K. It’s still the same web server, with the IP address of 88.214.204.100. That is, it’s hosted by a disgraced U.K. network company known as Real International Business Corp. Anyway, if you click on the fake video screen, you can be forwarded to the fake PornTube website. If you then click on any of the pornographic images, you will be forced to download a file labeled TubePlayer.ver.6.exe. (See Screenshot 03.)





Screenshot 04 – Source: MacHouse
Screenshot 05 – Source: tube-work-sell.net
Screenshot 06 – Source: MacHouse






Earlier, using the Windows version of Norton Internet Security, we found out that a suspicious file that we had downloaded at tube-work-sell.net (delivered from pure-download-new.net) two days ago contained a Trojan Horse variant. (See Screenshot 04.) The file that we downloaded at tube-work-sell.net through http://www.livevideo.com/nudebeach a few hours ago has the same file name. It was also delivered from pure-download-new.net. But Norton Internet Security has found no suspicious code, which suggests that it contains a new Trojan Horse variant. (See Screenshots 05 and 06.)
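Because the newer download went undetected by the scanner, the redirect chain itself is the more dependable signal. The following is an added example, not part of the original article: it walks a proxy log and reports which clients reached which stage of the chain. The domains and file name are those quoted above; the log format, client addresses and download path are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators quoted in the article; the log format below is an assumption.
STAGE_BY_DOMAIN = {
    "vbestserv.org": "redirector",
    "tube-work-sell.net": "landing",
    "pure-download-new.net": "download",
}
PAYLOAD_NAME = "tubeplayer.ver.6.exe"

# Constructed sample proxy log: "<time> <client> <url>"
SAMPLE_LOG = """\
09:00:01 10.0.0.5 http://www.kaboodle.com/
09:00:03 10.0.0.5 http://vbestserv.org/ds/go.php?sid=1
09:00:04 10.0.0.5 http://tube-work-sell.net/
09:00:09 10.0.0.5 http://pure-download-new.net/get/TubePlayer.ver.6.exe
09:02:10 10.0.0.7 http://vbestserv.org/ds/go.php?sid=1
09:02:11 10.0.0.7 http://www.tube-work-sell.net/
09:05:00 10.0.0.9 http://example.org/notvbestserv.org/index.html
"""

def stage_of(url):
    """Map a URL to a campaign stage, or None if it matches no indicator."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    # The same file name on any host still counts: hosting can change.
    if parts.path.lower().rsplit("/", 1)[-1] == PAYLOAD_NAME:
        return "download"
    for domain, stage in STAGE_BY_DOMAIN.items():
        if host == domain or host.endswith("." + domain):
            return stage
    return None

def triage(log_text):
    """Return {client: {"stages": [...], "verdict": ...}} for clients with hits."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _, client, url = fields
        stage = stage_of(url)
        if stage and stage not in hits.setdefault(client, []):
            hits[client].append(stage)
    return {
        c: {"stages": s, "verdict": "downloaded" if "download" in s else "exposed"}
        for c, s in hits.items()
    }
```

A client marked "downloaded" warrants endpoint inspection even when the antivirus scan of the file came back clean.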

Okay. Let’s find out who the guilty parties are behind this Trojan Horse campaign. The web server hosting the fake PornTube website at tube-work-sell.net is traced to the IP address of 64.27.18.55. It belongs to an organization called Hollywood Interactive, Inc. We mention the name of this organization from time to time. We never knew till today who is behind this organization. But let’s see. According to ARIN, the IP address of 64.27.18.55 belongs to Hollywood Interactive, Inc. (See Screenshot 07.) Oops, sorry… I already said that a few seconds ago. Their registered address is






600 W. 7th Street, Ste. 360
Los Angeles






Hmm… We know who is located at this address. It’s a Los Angeles, California-based web hosting company called CalPOP.com. (Screenshot 08 shows the index page of CalPOP.com’s website.) In fact, you can find exactly the same address on the web hosting company’s contact web page. (See Screenshot 09.)





Screenshot 07 – Source: MacHouse
Screenshot 08 – Source: CalPOP.com
Screenshot 09 – Source: CalPOP.com






Next, let’s see where the virus-distributing website is hosted. The server hosting the website at pure-download-new.net is traced to 94.247.3.228. It’s hosted in the Baltic nation of Latvia. We mentioned the name a few days ago. The website is hosted by ZlKon. (Screenshot 10 shows the index page of ZlKon’s website.)





Screenshot 10 – Source: ZlKon






We don’t know if CalPOP.com runs the fake PornTube website. We don’t know if they represent Hollywood Interactive, either. Nonetheless, if anybody wants to know who is behind Hollywood Interactive, we are quite certain that CalPOP.com has very good leads.












Related stories:

LIVEVIDEO.COM and Other Websites Continuing to Send Internet Users to Fake Codec Websites with Trojan Horse Viruses – Part 1
YouTube And kaboodle, Spam-Vandalized Side by Side – Spam Campaign Sponsored by US Drugstore (US-DS.COM)
Junk Profiles at LIVEVIDEO.COM Sending Internet Users to Fake Codec Websites – Part 2
Junk Profiles at LIVEVIDEO.COM Sending Internet Users to Fake Codec Websites – Part 1
