10 More Websites with Chinese Domains Designed to Infect Mac Users with a Trojan Horse Virus

TOKYO (MacHouse) – We have found another 10 websites hosted under Chinese domains (.cn). These websites have been set up to infect Mac users with a computer virus that Symantec calls OSX.RSPlug.A. It is a Trojan horse derivative designed to change DNS settings and redirect Mac users to unwanted websites. As with the other websites with Chinese domains that we reported on before, the virus-containing file is served from a different domain than the .cn sites themselves. And once again, the virus-distributing website is hosted by cernel.net.





Screenshot 01 – Source: lesbiana-madura.vgmvo8.cn
Screenshot 02 – Source: lesbiana-madura.vgmvo8.cn
Screenshot 03 – Source: MacHouse





  • vgmvo8.cn
  • icuvl8.cn
  • rexno8.cn
  • rpxev8.cn
  • hwgrb8.cn
  • krkbu8.cn
  • kuyef8.cn
  • juujo8.cn
  • gwctz8.cn
  • asotv8.cn





The story is the same as before. The websites reached through the domains shown above are hosted not in China but in Germany; the web host is Hetzner Online AG. Each domain comes with a few dozen subdomains. For example, if you access http://vgmvo8.cn or http://lesbiana-madura.vgmvo8.cn, you will see the gate page that says ‘+18 Enter,’ as shown in Screenshot 01. If you click on the link, the page content switches and a download of a file named nitro-codec.v.4.221.dmg is forced on you (see Screenshot 02). This disk image contains a Trojan horse derivative, which Symantec calls OSX.RSPlug.A (Screenshots 03 and 04).

As shown at the bottom of Screenshot 02, the source of the virus-containing disk image file is http://nitro-codec.com. The website at nitro-codec.com is hosted by a California-based web hosting company called cernel.net. This is just one of a few dozen virus-distributing websites hosted by cernel.net.
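As an added example for the DNS-changing behaviour the post describes (this is not code from MacHouse or from the original page), the following POSIX shell script reads `scutil --dns`-style resolver output and reports any nameserver that is not on an allowlist, which is a simple way to check a Mac for the kind of silent DNS change OSX.RSPlug.A is said to make. The allowlist addresses and the embedded sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag DNS resolvers that are not on an expected allowlist.
# On a live Mac the input comes from `scutil --dns` (run with --live);
# otherwise a constructed sample is used so the check runs offline.

# Assumed known-good resolvers for this host (constructed placeholder values).
ALLOWED_RESOLVERS="192.0.2.53 192.0.2.54"

# Constructed sample of `scutil --dns` output: the first nameserver is expected,
# the second points at an unknown address, as a DNS-changing trojan would set.
SAMPLE_SCUTIL_OUTPUT='DNS configuration

resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 198.51.100.7
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
'

# Print every nameserver address found in scutil-style text on stdin, one per line.
extract_nameservers() {
    awk '/^ *nameserver\[[0-9]+\] *:/ { print $NF }'
}

# Print nameservers from stdin that are not in ALLOWED_RESOLVERS.
# Returns 0 when every resolver is allowed, 1 when at least one is unexpected.
find_unexpected_resolvers() {
    unexpected=0
    for ns in $(extract_nameservers); do
        case " $ALLOWED_RESOLVERS " in
            *" $ns "*) ;;                 # known-good resolver, nothing to report
            *) echo "$ns"; unexpected=1 ;;
        esac
    done
    return $unexpected
}

# Stand-alone run: live system state with --live, otherwise the constructed sample.
if [ "${1:-}" = "--live" ]; then
    scutil --dns | find_unexpected_resolvers || echo "WARNING: unexpected DNS resolver(s) listed above"
else
    printf '%s' "$SAMPLE_SCUTIL_OUTPUT" | find_unexpected_resolvers || echo "WARNING: unexpected DNS resolver(s) listed above"
fi
```

Run it as `sh check_dns.sh --live` on the Mac being examined and compare any reported address against the resolvers your ISP or network administrator actually assigned.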





Screenshot 04 – Source: MacHouse
Screenshot 05 – Source: nitro-codec.com
Screenshot 06 – Source: cernel.net










References:

How Guilty Is CERNEL.NET?
Warning: 10 Websites with Chinese Country Domains Distributing Mac-Targeting Computer Virus (2)
Warning: 10 Websites with Chinese Country Domains Distributing Mac-Targeting Computer Virus (1)
What happened to HQCODECVIP.COM?
Multiple Hacked Websites and Possible Trojan Attack Targeting Mac Users
