
TOKYO (MacHouse) – Several hours ago, we wanted to collect more information on the fake anti-virus scan website at antivirus-scanonline.com, which we found a few days ago. So we turned to Google for help. The search phrase was antivirus-scanonline.com, and Google found 18 matches. One of the search hits caught our interest. The title is ‘WARNING! New dangerous virus – SlickDeals.net Forums.’ (See Screenshot 01.) It’s good to know that somebody found the article I have written useful. But I was shocked when I read a counter-comment.
Screenshot 01 – Source: Google
Screenshot 02 – Source: forums.slickdeals.net
Screenshot 03 – Source: wmco.org
So somebody wrote and said that he or she did not trust us. This person wrote:

> Also, I would not put too much faith in that website, after looking at the sites they claimed were infected, I did not find a single redirect on any of them.

He or she continues by saying:

> 1 of the sites was even taken down as of Jan 1st of this year so it’s odd they would claim it’s a “new” infection.

In fact, we know which website this person is talking about. If you go to the website located at wmco.org, it says ‘Sorry, We’re Closed.’ (See Screenshot 03.) At the bottom of the page, it says ‘Up-dated January 1, 2008.’ So I suppose this is the website that the person who calls himself/herself Fun-Gi was talking about.
So if the website is no longer updated, does that mean it cannot be exploited? That’s definitely not true. If you access this URL, depending on a few factors, you can be redirected to the fake anti-virus scan website of antivirus-scanonline.com. If the status bar says ‘Waiting for antivirus-scanonline.com…,’ you have a few seconds to close the page. (See Screenshot 04.) Otherwise, you will be involuntarily redirected to the website of antivirus-scanonline.com and forced to download a file containing a Trojan.
Screenshot 04 – Source: wmco.org
Screenshot 05 – Source: MacHouse
Screenshot 06 – Source: MacHouse
By the way, this isn’t the first time the website of wmco.org has been used as a redirection point for a fake anti-virus scan website. It is still used as a redirection point for the fake anti-virus scan website of antivirus-scanner.com. In fact, I tried to contact the webmaster of the website a week ago. However, no contact e-mail address is listed on the website, so I found a couple of e-mail addresses by checking the WhoIs registration for the domain. I sent an e-mail notification, but they have not removed the malicious files. (See Screenshot 05.)
I run this website mostly by myself with a few helpers, sometimes. We are not funded by taxpayers’ money. So far, not a single person has made a donation. Despite our limited time and funding, we try our best to contact and give victims of exploitation kind notification though we are obligated to do so whenever we can. Writing to victims of exploitation does not let us pay our bills for sure.
I also tried to contact a couple of people at Lehigh University because multiple department websites have been exploited for redirection to antivirus-scanonline.com. (See Screenshot 06.) The problem is that many victims ignore our kind notifications or don’t even check their messages. Some of them are definitely destined to become victims in this respect.
Finally, as for the person who posted a silly comment at forums.slickdeals.net, failure is not ours but his/hers. If you take a simple look at the article Fun-Gi refers to, there are a couple of screenshots showing the exact URLs where the websites are exploited. (See Screenshots 07–09.) So much for the person who says he ‘did not find a single redirect on any of them,’ huh!?
Screenshot 07 – From Article of May 23
Screenshot 08 – Reproduction of Screenshot 01 from p=355
Screenshot 09 – Reproduction of Screenshot 02 from p=355
References:
WARNING! New dangerous virus – SlickDeals.net Forums
The Name of A Next Anti-Virus Scan Domain Will Be…
File Determined to Contain Troj/FakeVir-BF
What Do We Know About These Fake Anti-Virus Scan Websites?
Lehigh University’s Multiple Department Websites Exploited for Redirection to ANTIVIRUS-SCANONLINE.COM
ANTIVIRUS-SCANONLINE.COM: 15 Websites Victimized in the Latest ‘?prj’ Exploitation Scheme
Warning: A New Fake Anti-Virus Scan Website Discovered
The Official Website of British Band Camera Obscura Exploited for Fake Anti-Virus Scan
Sitemap Hack, ANTIVIRUS-SCANNER.COM Invading At Least 10 Websites Including Arizona State University’s Site
ANTIVIRUS-SCANNER.COM and Troj/Dwnldr-HDG
Warning: A New Hack Scheme Discovered Involving Anti-Virus Scan Website








