Winfixer raises its ugly head again, via blog comments and site redirects
***WARNING - DO NOT GO TO THE MUNGED URLS IN THIS ARTICLE***
First I see a sudden jump in emails and comments asking for help to get rid of Winfixer popups - three comments asking for help with winfixer in the space of just 12 hours:
http://msmvps.com/blogs/spywaresucks/archive/2006/12/20/433987.aspx
Then I get this email today asking for help:
"I'm being bombarded with what appear to be actually written (not spam) comments containing a URL.
This is the one: hXXp://www.sessit.port5.com
They are most definitely hand written, as they are definitely referring to the post they're commenting on.
Out of curiosity I opened that URL up at home and Trend went berserk - so somebody with knowledge of spyware/naughty sites is purposely listing it in my comments. Have you seen anything like this before? e.g., is it a VERY clever spam bot or some pimple-faced teenager with less brains than cardboard?"
I've just started trawling through my own blog spam and am finding more malware blog comments with URLs that redirect to systemdoctor.com and other domains, and try to convince victims to install winfixer.
So far I have found the following additional URLs in winfixer related malware comments (expect this list to be updated as I go through the comments):
Being the curious type, and working on an extremely well protected box, I went to check out the URL in the email and other URLs I am finding in my comment spam.
I was, to be honest, shocked when the URL redirected to none other than www.systemdoctor.com - specifically:
hxxp://www.systemdoctor.com/download/2006/index.php?aid=swp_sdr_ed2&lid=5095&affid=pp_888314101&ex=1&ax=1
Not only that, an alert was also triggered for worm_nuwar.aai - I *think* that the alert was triggered by the primary URL before I was redirected to the systemdoctor site.
Yes, you guessed it, the malware known as winfixer is rearing its ugly head again, trying yet another way to get on to systems, this time via blog comments.
Note that more than one person has been able to confirm that the URL in the blog comment only redirects to systemdoctor once. If you use the URL a second time you are redirected to www.true-search.net - another site that tried to install winfixer. The actual URL I was redirected to was:
hxxp://www.true-search.net/search.php?id=47206&said=&qq=sex
The site tries to redirect visitors to a winantiviruspro site, being:
hxxp://www.amaena.com/securityworm5/index.php?aid=swp_was7_au_en_ed2&lid=5095&affid=pp_6572714101&ax=1&p=was&ex=1&h=0&j=0
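As an added example (not code from the original post), here is a small Python helper that refangs the hxxp:// URLs quoted above, pulls the aid/lid/affid parameters out of the landing-page URLs, and groups landing hosts by lid; both the systemdoctor.com and amaena.com URLs above carry lid=5095. The parameter names are the ones visible in those URLs; that they are affiliate-tracking values is an assumption, as is the sample input, which is constructed from the URLs in this post.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample input: the defanged landing URLs quoted in the post.
LANDING_URLS = [
    "hxxp://www.systemdoctor.com/download/2006/index.php?aid=swp_sdr_ed2&lid=5095&affid=pp_888314101&ex=1&ax=1",
    "hxxp://www.true-search.net/search.php?id=47206&said=&qq=sex",
    "hxxp://www.amaena.com/securityworm5/index.php?aid=swp_was7_au_en_ed2&lid=5095&affid=pp_6572714101&ax=1&p=was&ex=1&h=0&j=0",
]

# Query parameters to track; assumed (from their names) to be affiliate identifiers.
TRACKED = ("aid", "lid", "affid")


def refang(url):
    """Turn a defanged hxxp:// or hXXps:// URL back into a parseable one (for offline analysis only)."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def affiliate_params(url):
    """Return (hostname, {param: value}) for the tracked parameters present in the query string."""
    parsed = urlparse(refang(url))
    query = parse_qs(parsed.query, keep_blank_values=True)
    params = {k: query[k][0] for k in TRACKED if k in query}
    return parsed.hostname, params


def group_by_param(urls, key="lid"):
    """Map each value of `key` to the set of landing hosts that carried it, so shared IDs stand out."""
    groups = defaultdict(set)
    for url in urls:
        host, params = affiliate_params(url)
        if key in params:
            groups[params[key]].add(host)
    return dict(groups)


if __name__ == "__main__":
    for url in LANDING_URLS:
        print(affiliate_params(url))
    # Hosts that share the same lid value, across the different redirect destinations.
    print(group_by_param(LANDING_URLS))
```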
Again, being a curious type I downloaded the Systemdoctor scanner to see what virus check results I'd get back - yep, we got a slew of hits for winfixer when the installer was tested.
Note that I am also seeing the classic winfixer popups at the various malware URLs, warning of various problems on visitors' computers, which when closed trigger another pop-up warning that the scan is incomplete and offering only an OK button - all the normal winfixer tricks.
This incident is a new low in the fight against winfixer malware infiltration. Regular readers of this blog will know about the Messenger Plus! sponsor program advert infiltrations; they'll know about the MySpace advert infiltration; they'll know about the ActiveWin advert infiltration; they'll know about the Windows Live Messenger banner advert infiltration. Now those behind Winfixer are spreading their wings, and trying to get their malware on to our systems via blog comments.
I'm sure there will be more information to be revealed when I have had time to make a few calls about this, and send a few emails.
You can see the message source of the initial malware link in the blog comments here:
http://msmvps.com/files/folders/spywaresucks/entry627114.aspx
Message source from the second page here - note the winfixer entry at very bottom of the code:
http://msmvps.com/files/folders/spywaresucks/entry627156.aspx
Information about the malware worm_nuwar.aai here:
http://origin.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EAAI&VSect=T
Here is a screenshot of most of the scan results for the systemdoctor download:
