
TOKYO (MacHouse) – As we reported earlier, an organized cyber criminal group is currently running a dangerous campaign to possibly infect Internet users with computer viruses. Social networking and similar websites, such as those at webjunction.org, work.com and wis.dm, are being exploited with spam profiles. (See Screenshots 01-03.) All these spam profiles contain links to http://vbestserv.org/ds/go.php?sid=1. The criminal group uses this domain to redirect Internet users to various malicious websites.
Screenshot 01 – Source: WebJunction
Screenshot 02 – Source: Work.com
Screenshot 03 – Source: wis.dm
One of the destinations that vbestserv.org redirects to is a fake video website titled YuoTube. (See Screenshot 04.) The same fake video website is hosted by more than a dozen servers, whose IP addresses include 66.249.155.147, 70.254.144.26, 67.176.243.41, 76.105.33.169, 84.75.179.194, 79.37.67.246, 88.160.254.35 and 99.187.194.59. A couple of servers are hosted by Comcast Cable Communications. One of them is hosted by SBC Internet Services. As we reported several hours ago, these servers are all exploited to make Internet users download a file titled setup.exe.
Screenshot 04 – Source: YuoTube
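The delivery chain described above (a hit on the vbestserv.org redirector followed by a setup.exe download from a bare-IP host) can be hunted for in web proxy logs. The following is an added example, not part of the original report; the log format, the five-minute correlation window and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators quoted in the report above.
REDIRECTOR_HOST = "vbestserv.org"
REDIRECTOR_PATH = "/ds/go.php"
PAYLOAD_NAME = "setup.exe"
WINDOW = timedelta(minutes=5)  # assumption: how long a redirect stays "recent"
BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample log, format "timestamp client URL" (assumed format).
SAMPLE_LOG = """\
2024-01-01T10:00:02 10.0.0.5 http://vbestserv.org/ds/go.php?sid=1
2024-01-01T10:00:04 10.0.0.5 http://88.160.254.35/
2024-01-01T10:00:31 10.0.0.5 http://88.160.254.35/setup.exe
2024-01-01T10:02:00 10.0.0.7 http://192.0.2.10/setup.exe
2024-01-01T10:03:00 10.0.0.9 http://vbestserv.org/ds/go.php?sid=1
2024-01-01T10:30:00 10.0.0.9 http://198.51.100.4/SETUP.EXE
2024-01-01T10:31:00 10.0.0.8 http://example.com/tools/setup.exe
"""

def find_chains(log_text):
    """Flag setup.exe downloads from bare-IP hosts; 'high' if the same
    client hit the redirector within WINDOW beforehand, else 'review'."""
    last_redirect = {}  # client -> time of most recent redirector hit
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, client, url = line.split(None, 2)
        ts, u = datetime.fromisoformat(ts_raw), urlsplit(url.strip())
        host = (u.hostname or "").lower()
        if host == REDIRECTOR_HOST or host.endswith("." + REDIRECTOR_HOST):
            if u.path == REDIRECTOR_PATH:
                last_redirect[client] = ts
            continue
        # A named host serving setup.exe is ignored; only bare-IP hosts match.
        if BARE_IP.match(host) and u.path.lower().endswith("/" + PAYLOAD_NAME):
            seen = last_redirect.get(client)
            chained = seen is not None and timedelta(0) <= ts - seen <= WINDOW
            findings.append((client, u.geturl(), "high" if chained else "review"))
    return findings

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG):
        print(finding)
```

Matching on the pattern (bare-IP host plus payload name) rather than only on the listed addresses keeps the check useful when the same fake site moves to another server.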
Screenshot 05 – Source: MacHouse
Screenshot 06 – Source: MacHouse
Even with updated definitions, Norton Internet Security may not find anything suspicious in the setup file. Screenshot 05 shows that scanning the file itself found nothing, even right after updating the virus definitions. So we double-clicked on the setup file. Screenshot 06 shows that the same anti-virus application then detected several pieces of malicious code, including ld01.exe, .MH690, Trojan Horse and Downloader. Furthermore, if we scan the entire C drive… Norton Internet Security finds malicious cookies tracking websites at yieldmanager.com, doubleclick.net, ad.yieldmanager.com and so forth. (See Screenshot 07.)
Screenshot 07 – Source: MacHouse
Screenshot 08 – Source: MacHouse
So who is behind the redirection website hosted at the domain of vbestserv.org? This domain points to a pair of nameservers, which are ns0.hqhost.net and ns1.hqhost.net. Running a traceroute search on these nameservers individually, we end up with the IP addresses of 88.214.192.200 and 88.214.228.200. According to RIPE, these IP addresses are assigned to an organization called UAOnline HQHost or similar. (See Screenshot 08.) This organization seems to have Ukrainian and Russian connections. We won’t show you why we think so this time.
Can we have the malicious redirection website at vbestserv.org shut down? Chances are that we can. But we won’t waste our valuable time for now.
The following QuickTime documentation video shows what happened after double-clicking on the setup file downloaded at http://88.160.254.35.








I clicked on the yuotube system and now my facebook makes it my status every time I log in. My computer is also having a hard time accessing the internet. Is there a possible way for you to set up a section on your site with the information you know so that we may try to deal with some of the problem ourselves? If you have any information on how to clear this virus from my computer, please email me.