
TOKYO (MacHouse) – East Tennessee State University's medical school, Quillen College of Medicine, has its subdomain website at http://com.etsu.edu. (See Screenshot 01.) The forums found at http://com.etsu.edu/epic/files/forums/ seem to be run by its Department of Pediatrics. (See Screenshot 02.)
Screenshot 01 – Source: Quillen College of Medicine
Screenshot 02 – Source: East Tennessee State University
Screenshot 03 – Source: East Tennessee State University
There are two main topics at these forums so far, RDS and Pyelonephritis, and both are filled with thousands of spam comments posted by a user named guest. For example, if I open RDS, I find posts titled Zac efron nude, Zelda hentai, Youtube sexy, Youtube porn, Your mom… (See Screenshot 03.) If I then click on Zac efron nude, I am immediately redirected to a fake anti-virus scan website hosted at http://scan.online-security-check.com. The webpage is titled Antivirus 2008. (See Screenshot 04.) After the fake virus scan runs, I am forced to download a file titled setup_100705_3_.exe. (See Screenshot 05.) This spam operation at the forum website run by Quillen College of Medicine appears to be orchestrated by the same group behind the spam exploitation of the forums at Kuwait University and Virginia Commonwealth University.
Screenshot 04 – Source: scan.online-security-check.com
Screenshot 05 – Source: scan.online-security-check.com
Screenshot 06 – Source: dnld.securitydwl.com
As Screenshot 05 shows, the suspicious file itself is hosted elsewhere: it comes from http://dnld.securitydwl.com/load/. If you access this URL directly, you are served a different file, titled setup_1_1_.exe.
So how did we find these spam comments at Quillen College of Medicine's forum website? We simply subscribe to spam comments. An organized cybercriminal group has been circulating at least one spam comment over the past several hours to send Internet users to Quillen College of Medicine's forum website. (See Screenshot 07.)
Screenshot 07 – Source: MacHouse
Screenshot 08 – Source: MacHouse
Screenshot 09 – Source: Ukr Tele Group
We have scanned both setup_100705_3_.exe and setup_1_1_.exe with Sophos Anti-Virus, which so far detects nothing suspicious in them. (See Screenshot 08.) A clean result from a single scanner is not evidence that a file is harmless; it only means the sample is not yet covered by that vendor's signatures. These files most likely contain new Trojan horse derivatives.
Where are these two websites hosted? Both are hosted in Ukraine. Does Ukr Tele Group (ukrtelegroup.com.ua) ring a bell? (Screenshot 09 shows the index page of Ukr Tele Group's website.) The web server at scan.online-security-check.com has the IP address 85.255.119.150, and the web server hosting dnld.securitydwl.com has the IP address 85.255.115.132. Both IP addresses belong to the notorious Ukrainian hosting company.
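The indicators collected in this article (the two fake-AV hosts, their server IP addresses and the two file names) are enough to build a simple detection over web-proxy logs, so that other hosts on a network that followed the same spam links can be found. The Python below is an added example written for this page, not code from MacHouse or from any of the sites named. The log layout and every sample line are constructed for the example, and matching on the registrable domains (so that any subdomain of online-security-check.com or securitydwl.com is flagged) is an assumption about how a defender would want to generalize the two hostnames.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted from the article: the two fake-AV hosts (matched on their
# registrable domains), the two server IPs, and the two dropped file names.
IOC_DOMAINS = {"online-security-check.com", "securitydwl.com"}
IOC_IPS = {"85.255.119.150", "85.255.115.132"}
IOC_FILES = {"setup_100705_3_.exe", "setup_1_1_.exe"}

# Assumed log layout for this example (constructed, not a real proxy format):
#   <timestamp> <client_ip> <method> <url> <dest_ip> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<dest>\S+) (?P<status>\d{3})$"
)


def domain_matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain.

    The leading dot in the suffix test keeps 'notsecuritydwl.com' from matching.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_line(line):
    """Return a finding dict for a log line that hits an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip it rather than abort the whole scan
    url = urlsplit(m["url"])
    reasons = []
    if url.hostname and domain_matches(url.hostname, IOC_DOMAINS):
        reasons.append("ioc-domain:" + url.hostname.lower())
    if m["dest"] in IOC_IPS:
        reasons.append("ioc-ip:" + m["dest"])
    filename = url.path.rsplit("/", 1)[-1]
    if filename in IOC_FILES:
        reasons.append("ioc-file:" + filename)
    if not reasons:
        return None
    return {"client": m["client"], "url": m["url"], "reasons": reasons}


def scan(lines):
    """Scan an iterable of log lines and return the list of findings."""
    return [hit for hit in (check_line(line) for line in lines) if hit]


# Constructed sample log: the chain described in the article (forum page,
# fake scan page, dropper download) plus benign and malformed lines.
SAMPLE_LOG = [
    "2008-08-12T10:01:02Z 10.0.0.5 GET http://com.etsu.edu/epic/files/forums/ 192.0.2.10 200",
    "2008-08-12T10:01:09Z 10.0.0.5 GET http://scan.online-security-check.com/ 85.255.119.150 200",
    "2008-08-12T10:01:31Z 10.0.0.5 GET http://dnld.securitydwl.com/load/setup_1_1_.exe 85.255.115.132 200",
    "2008-08-12T10:02:00Z 10.0.0.7 GET http://www.example.com/index.html 192.0.2.20 200",
    "2008-08-12T10:02:15Z 10.0.0.9 GET http://CDN.securitydwl.com/x 198.51.100.4 404",
    "this line is not in the expected layout",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["url"], ", ".join(hit["reasons"]))
```

Each finding records every indicator that fired, so a line that hits the domain, the server IP and the dropped file name at once stands out from a line that only touched a related subdomain. The forum page itself is deliberately not an indicator: the university site is the victim, and flagging it would bury the real hits.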
References:
Two Websites Determined to Distribute Files Containing Trojan Horse Derivatives
Singapore's Ngee Ann Polytechnic's Website Exploited and Used As Redirection Point to Send Internet Users to Fake PornTube Website
Kuwait University’s Forums Flooded with Spam Comments Redirecting Internet Users to New Fake Anti-Virus Scan Website 02
Kuwait University’s Forums Flooded with Spam Comments Redirecting Internet Users to New Fake Anti-Virus Scan Website 01
Virginia Commonwealth University’s Partnership for People with Disabilities Exploited for Fake Malware Scan (2)
Virginia Commonwealth University’s Partnership for People with Disabilities Exploited for Fake Malware Scan (1)
Update: Sophos has since confirmed that both files mentioned in this article contain a Trojan horse derivative, which it calls Troj/FakeAV-BZ.