Malicious advertisement at lyricsmania.com

This incident was reported via a comment on my blog.

The malicious advertisement is visually identical to the myjewelrybox SWF already featured on this blog.

When I first tested this advertisement I was simply redirected to Google, but now the campaign has been activated and I ended up at xpantivirus.com.

First let's look at the advertisement on its own.  We start with the advertisement loading:

209.50.243.101/openads/adimage.php?filename=728x90.swf&contenttype=swf&clickTAG=http : //209.50.243.101/openads/adclick.php%3Fbannerid=102%26zoneid=2%26source=%26dest=http%3A%2F%2Fwww.myjewelrybox.com

From there we bounce to:

openadstream.net/ad0.php?url=http : //pagead2.googlesyndication.com/pagead/bid=28/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=129600064

And on to:

iexplorer-security.org/?id=583400064

As well as:

mystats.com

and

bestsexworld.info/soft.php?aid=011812&d=1&product=XPA

Then finally on to:

xpantivirus.com/2008/1/freescan.php?aid=77011812
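
Added example (not part of the original post): the ad-load URL above carries its click-through target in clickTAG, which in turn carries dest, so the hosts a chain names can be pulled out of proxy or browser logs mechanically. The function names below are hypothetical, and the bounded extra decoding pass for doubly encoded values goes slightly beyond what this chain needs.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"^https?://", re.I)

def refang(text):
    """Undo the 'http : //' spacing the page uses to keep links unclickable."""
    return re.sub(r"(?i)\b(https?)\s*:\s*//", r"\1://", text.strip())

def unwrap(url, via=None, depth=0, max_depth=5):
    """[(depth, host, carrying param)] for url and each http(s) URL nested in it."""
    url = refang(url)
    if not URL_RE.match(url):
        url = "http://" + url                    # the page omits the scheme
    parts = urlsplit(url)
    found = [(depth, parts.hostname, via)]
    if depth >= max_depth:                       # bound recursion on hostile input
        return found
    for name, value in parse_qsl(parts.query):   # decodes one %-layer
        for _ in range(3):                       # peel extra layers, bounded
            if URL_RE.match(value):
                break
            value = unquote(value)
        if URL_RE.match(value):
            found += unwrap(value, name, depth + 1, max_depth)
    return found

def hosts(urls):
    """Ordered, de-duplicated hosts named anywhere in the given URLs."""
    names = [h for u in urls for _, h, _ in unwrap(u) if h]
    return list(dict.fromkeys(names))

# URLs copied from the page above, wrapped lines joined, spacing kept as posted.
CHAIN = [
    "209.50.243.101/openads/adimage.php?filename=728x90.swf&contenttype=swf"
    "&clickTAG=http : //209.50.243.101/openads/adclick.php%3Fbannerid=102"
    "%26zoneid=2%26source=%26dest=http%3A%2F%2Fwww.myjewelrybox.com",
    "openadstream.net/ad0.php?url=http : //pagead2.googlesyndication.com/pagead/"
    "bid=28/nxtgcbb80290000125ave/direct/wi/ai&key=V24567233828272323&c=129600064",
    "iexplorer-security.org/?id=583400064",
    "mystats.com",
    "bestsexworld.info/soft.php?aid=011812&d=1&product=XPA",
    "xpantivirus.com/2008/1/freescan.php?aid=77011812",
]

if __name__ == "__main__":
    print("\n".join(hosts(CHAIN)))
```

Hosts that appear only as parameter values (here www.myjewelrybox.com and pagead2.googlesyndication.com) are names the URL carries, not evidence that a request was made to them, so review the list before adding anything to a blocklist.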

------

209.50.243.101 seems to belong to srv.angolotesti.it, but is *located* in the United States, specifically at ServInt Corp, 6861 Elm Street, Suite 4-E, McLean, VA 22101.

------

Advertisement in situ:

[image]

Now, I must admit, despite this being a very serious situation I could not help laughing at the error window that appeared - I quote:

"If your computer is infected, you could suffer data loss, erratic PC behaviour, PC freezes and CREAHES".

Not only are the people behind the malicious advertisements the lowest scum of the earth, they also can't spell or proofread ;o)

[image]

Eventually we end up here:

[image]

Published Monday, March 10, 2008 10:22 PM by sandi

Comments

# re: Malicious advertisement at lyricsmania.com

"If your computer is infected, you could suffer data loss, erratic PC behaviour, PC freezes and CREAHES". The "crahes" is to prove the data loss ;)

Tuesday, March 11, 2008 7:58 AM by daniel

# re: Malicious advertisement at lyricsmania.com

Also can be found on other lyrics sites

Monday, March 31, 2008 7:28 PM by jay

# re: Malicious advertisement at lyricsmania.com

How do you get rid of it?

Saturday, August 09, 2008 10:02 PM by hayden

# re: Malicious advertisement at lyricsmania.com

How do we get rid of it??

Tuesday, September 16, 2008 8:44 PM by tucker

# re: Malicious advertisement at lyricsmania.com

I suspect there's nothing to get rid of. If you see it, DO NOT click OK or Cancel, both buttons are probably rigged to the same result. Don't even hit the red X. Save whatever you're doing and force-quit Internet Explorer. Right-clicking the task bar won't work so hit Ctrl-Alt-Delete to bring up the Task Manager, click Applications, and click the offending IE window (whichever one you can't close by right-clicking.) Click End Task and give it a minute. If the Not Responding dialogue comes up, hit End Task again (or whatever the button says). You can expect that all your open IE windows and Folder windows will now crash and take you back to the desktop. At this point I would recommend running Spybot, etc. and restarting your computer, but this may not be necessary. I think the point of this warning is simply to trick you into voluntarily paying for and downloading fake software you can't get rid of. I don't think that you are infected by just seeing the message. But I could be wrong.

Sunday, September 21, 2008 12:24 AM by flyby