Dangerous Domains to Avoid: Microsoft Visual Studio 2005 Vulnerability Attack, Computer Viruses Targeting Mac and Windows Users (2)

TOKYO (MacHouse) - In our last report, we advised Internet users on both Mac OS and Windows to avoid several domains, including tembi.cn and takari.cn. Visiting them pushed us to download two Mac files and four Windows files (1023.dmg, red-codec.v.1.363.dmg, 3913086.exe, MediaTubeCodec_ver1.376.0.exe, setup.exe, XXXmediaCodec_ver1.5051.0.exe). Not surprisingly, we have found that the two Mac files contain a Trojan horse variant that rewrites the system's DNS settings, which lets the attacker decide where the victim's name lookups are answered. (See Screenshot 01.)
[Screenshot 01 - Source: MacHouse]
[Screenshot 02 - Source: freeworldaccess.info]
[Screenshot 03 - Source: freeworldaccess.info]
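The practical question for a Mac user who may have run one of these installers is whether the resolver configuration has been tampered with. The script below is an added example and is not MacHouse's code or anything taken from the malware: it parses the output format of the real macOS command `scutil --dns`, flags any nameserver that is not on a list of resolvers you expect, and, when run on a Mac, checks the live configuration. The sample output is constructed for the demo, the rogue address is taken from the TEST-NET-3 documentation range, and the trusted resolver list is an assumption you must replace with what your own network hands out.

```python
"""Check a Mac's resolver configuration for DNS servers you did not set.

Added example, not code from MacHouse or from the malware it describes.
Parses the text format of macOS's `scutil --dns`; the sample below is
constructed in that format with a rogue resolver listed first.
"""
import ipaddress
import re
import shutil
import subprocess

# ASSUMPTION: the resolvers this machine is supposed to use (a home router
# and one public resolver). Anything else is reported as suspicious.
TRUSTED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}

# Constructed sample in the shape of `scutil --dns` output. Resolver #1 is
# what a DNS-changing trojan leaves behind: its own server (here a
# TEST-NET-3 documentation address) placed ahead of the legitimate router.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : Reachable

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : Not Reachable
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records
  reach    : Reachable
"""

_NAMESERVER = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_nameservers(scutil_output):
    """Return the distinct nameserver addresses in first-seen order.

    Entries that are not valid IP addresses are dropped rather than
    raising: a tampered configuration is exactly where odd text shows up.
    """
    seen = []
    for raw in _NAMESERVER.findall(scutil_output):
        addr = raw.split("%")[0]  # strip an IPv6 zone index such as fe80::1%en0
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        if addr not in seen:
            seen.append(addr)
    return seen


def rogue_resolvers(nameservers, trusted=TRUSTED_RESOLVERS):
    """Addresses in use that are not on the trusted list, in the order
    the system consults them (the first one answers most queries)."""
    return [addr for addr in nameservers if addr not in trusted]


def check_live_mac():
    """Run the real `scutil --dns` when available (macOS only).

    Returns None off macOS, otherwise the list of rogue resolvers.
    """
    if shutil.which("scutil") is None:
        return None
    out = subprocess.run(["scutil", "--dns"], capture_output=True,
                         text=True, check=True).stdout
    return rogue_resolvers(parse_nameservers(out))


if __name__ == "__main__":
    print("sample config:", rogue_resolvers(parse_nameservers(SAMPLE_SCUTIL_DNS)))
    live = check_live_mac()
    print("this machine:", "not macOS" if live is None else (live or "clean"))
```

A clean result from this check is not proof the system is clean: it only confirms the resolver list, which is the one setting the report says these files change. Treat an unexpected public resolver as a strong indicator and restore the configuration from a trusted source rather than just deleting the entry, since the installer may also have arranged to put it back.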
Meanwhile, the whole operation appears to revolve around one domain. Whether you visit tembi.cn or takari.cn, your browser is redirected to freeworldaccess.info. Yet if you open http://freeworldaccess.info directly, you are shown a page that says 'This account has been suspended.' (See Screenshot 02.) As we noted before, this is a simple trick to make the domain look dead to anyone who checks it by hand; as Screenshot 03 shows, the same domain is still serving a fake PornTube website at the time of writing.
[Screenshot 04 - Source: netdirekt]
[Screenshot 05 - Source: Ukr Tele Group]
The fake video-sharing website and the malware it serves appear to be hosted by netdirekt, a web hosting company based in Frankfurt, Germany. (See Screenshot 04.) freeworldaccess.info resolves to the IP address 78.159.122.10. So does takari.cn, and so does tembi.cn: all three hostnames point at the same address and are therefore, in all likelihood, served from the same netdirekt machine. That shared address is the more durable indicator, since the domain names in front of it can be swapped at will.
A second group of websites is hosted by a company familiar from our earlier reports. The two other domains we mentioned last time, promostart.gribokk.com and xxxhotvidsonline.com, both resolve to 85.255.120.234, an address belonging to Ukr Tele Group. (See Screenshot 05.) The same server is also used to launch a browser-based attack that Symantec's detection signature names HTTP MS Unsafe ActiveX Obj Instantiation.
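The two paragraphs above do the same thing by hand five times: resolve a hostname and see which other hostnames share its address. The script below is an added example, not MacHouse's code, that performs that pivot for the whole list at once and emits hosts-file entries to null-route the names on a Mac or Windows machine. Resolution is passed in as a function so the clustering runs offline on a constructed answer set that mirrors the addresses quoted in the report; `resolve_live` queries real DNS instead, with the caveat that the answers will have changed once the hosting is taken down. The hostnames are the ones named in the report; no other indicators are assumed.

```python
"""Pivot on shared hosting: which report hostnames sit on the same server?

Added example, not MacHouse's code. The resolver is injectable so the
example runs offline; CONSTRUCTED_ANSWERS is a constructed set that
reproduces the A records the report quotes.
"""
import ipaddress
import socket
from collections import defaultdict

# Hostnames named in the report.
REPORT_HOSTS = [
    "tembi.cn",
    "takari.cn",
    "freeworldaccess.info",
    "promostart.gribokk.com",
    "xxxhotvidsonline.com",
]

# Constructed answer set reproducing the addresses the report observed.
CONSTRUCTED_ANSWERS = {
    "tembi.cn": ["78.159.122.10"],
    "takari.cn": ["78.159.122.10"],
    "freeworldaccess.info": ["78.159.122.10"],
    "promostart.gribokk.com": ["85.255.120.234"],
    "xxxhotvidsonline.com": ["85.255.120.234"],
}


def resolve_constructed(host):
    """Offline resolver: answers only for the constructed set."""
    return CONSTRUCTED_ANSWERS.get(host, [])


def resolve_live(host):
    """All IPv4 A records for host, or [] if it no longer resolves."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def cluster_by_address(hosts, resolve):
    """Map each resolved address to the hostnames that point at it.

    Hostnames that do not resolve are kept under the key None so they
    are not silently dropped from the report.
    """
    clusters = defaultdict(list)
    for host in hosts:
        addrs = resolve(host)
        if not addrs:
            clusters[None].append(host)
            continue
        for addr in addrs:
            ipaddress.ip_address(addr)  # reject anything that is not an IP
            clusters[addr].append(host)
    return dict(clusters)


def shared_infrastructure(clusters):
    """Addresses serving more than one of the hostnames: the pivots."""
    return {a: hs for a, hs in clusters.items() if a is not None and len(hs) > 1}


def hosts_file_block(hosts):
    """Null-route the hostnames in /etc/hosts format (Mac and Windows)."""
    return "\n".join(f"0.0.0.0 {h}" for h in sorted(hosts))


if __name__ == "__main__":
    clusters = cluster_by_address(REPORT_HOSTS, resolve_constructed)
    for addr, hosts in shared_infrastructure(clusters).items():
        print(f"{addr}: {', '.join(hosts)}")
    print(hosts_file_block(REPORT_HOSTS))
```

Two caveats for anyone who turns this into a blocklist. A shared IP address on a commercial host may also serve unrelated tenants, so block the hostnames rather than the address unless you can confirm the server is dedicated to the operation; and a hosts-file entry does nothing for a machine whose resolver settings have already been replaced by the Trojan described earlier, so check that first.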
References:
Symantec: HTTP MS Unsafe ActiveX Obj Instantiation
Beware of SCANNER.VAV-SCANNER.COM: Attack on Microsoft Visual Studio 2005 Vulnerability (2)
Beware of SCANNER.VAV-SCANNER.COM: Attack on Microsoft Visual Studio 2005 Vulnerability (1)
********** ********** ********** ********** ********** ********** ********** **********
MacHouse is not funded by taxpayers' money. We have limited resources, and we need time to sleep and eat just like everyone else. So we will not act as an international police force and contact every victim of website abuse. All you have to do is subscribe to spam messages and spam posts. If we can, why don't you?