Fake PornTube Website With Computer Virus Targeting Mac Users







TOKYO (MacHouse) – We reported the existence of a fake PornTube website back in January. Since then, we’ve seen several other similar websites, and we have now found another one hosted at the domain anykindclips.com. Actually, we first ran into a suspicious website at another domain, freese-x.net. (See Screenshot 01.) If you access this website, you are instantly redirected to the website at anykindclips.com with an affiliate ID of 4078. (See Screenshot 02.) It is obviously a fake PornTube website: the domain is not porntube.com, and the clickable menu items at the top (Sign Up, My Account, History…) are intentionally disabled. If you click on any of the video windows, you are redirected to another website at the domain anykindvids.com. (See Screenshot 03.) That’s where you are forced to download a Mac OS disk image (.dmg) file containing a computer virus.





Screenshot 01 – Source: freese-x.net
Screenshot 02 – Source: anykindclips.com
Screenshot 03 – Source: anykindvids.com






The disk image that you are forced to download at anykindvids.com contains a Mac-targeting computer virus. Norton AntiVirus detects it as a computer virus called OSX.RSPlug.A. (See Screenshots 04-05.) According to Symantec, it’s a Trojan horse derivative designed to change DNS settings. (See Screenshot 06.)





Screenshot 04 – Source: MacHouse
Screenshot 05 – Source: MacHouse
Screenshot 06 – Source: symantec.com






Let’s look at the surroundings of this case. Interestingly, the domains are all registered through the same company, ESTDomains (www.estdomains.com). (See Screenshots 07-09.) It’s one of the world’s most popular domain companies among cyber criminals. Why? You ask them. We don’t know the exact reasons. We only suspect that one major reason is that ESTDomains was selling .info and .org domains for as low as $1 each. That’s why we saw so many .info and .org spam domains last year.





Screenshot 07 – Source: Completewhois.Com
Screenshot 08 – Source: Completewhois.Com
Screenshot 09 – Source: Completewhois.Com






Finally, let’s see where these websites are hosted. The websites at the domains of freese-x.net, anykindclips.com and anykindvids.com don’t share the same IP location. After gathering information, we believe:

  • the website at freese-x.net is hosted by CalPOP.com, Inc. of Los Angeles, California, USA (See Screenshot 10.)
  • the website at anykindclips.com is hosted by WingedHosting (High Sky Hosting) of Saint Petersburg, Russia (See Screenshot 11.)
  • the website at anykindvids.com is hosted by Ukr Tele Group Ltd. of Odessa, Ukraine (See Screenshot 12.)

We have heard of Ukr Tele Group before. They hosted the website at mynudenetwork.com, where a cyber criminal group was distributing a file containing multiple computer viruses. Let’s take a good look at Screenshot 12. It says they are not accepting new applications because their clients don’t abide by the terms of use. Hmm… That’s interesting. Back on March 21, we saw the same sign. Looking at Screenshot 09, anykindvids.com was registered just a few weeks ago. So is an existing client hosting this fake PornTube website? Or does Ukr Tele Group occasionally accept applications?





    Screenshot 10 – Source: calpop.com
    Screenshot 11 – Source: hiskyhost.net
    Screenshot 12 – Source: ukrtelegroup.com.ua












    References:

    Computer Viruses Confirmed at Malicious Website Hosted by Ukrainian Web Hosting Company
    India’s 6th Most Popular Website Exploited with iFrame Injection, Possible Exposure to a Computer Virus
    Warning: Fake PornTube Websites Found


    5 Responses to Fake PornTube Website With Computer Virus Targeting Mac Users

    1. worriedfella says:

      Hi there. If you’ve downloaded one of these dmg’s, how do you find & destroy the trojan horse that has been put onto your system?

    2. You need anti-virus software like Norton AntiVirus and McAfee VirusScan to detect and delete virus codes. For this particular virus, Norton AntiVirus detects it. I don’t know about McAfee.

      Good luck

    3. Juny says:

      How can I remove this virus?? I already tried all that I can imagine... Please help me.

    4. I would re-format HD and then reinstall OS.

    5. Ange Wayne says:

      So they are just targeting Mac users? People must always be careful when surfing the internet, downloading everything, clicking on links, etc. We must be responsible on our own and we must not believe in all things that are written on the internet. We must also make sure that our computer is protected from all kinds of viruses.
