PC Optimizer Pro Virus Ate my PC

One of our readers got infected with the rogue PC Optimizer Pro virus. The user was trying to play a Yahoo video, and the page downloaded a "codec" file from the malware site. The We-care.com site delivered the PC Optimizer virus payload by redirecting to cdn.we-care.com.

The user's PC was rendered useless. The IE browser was hijacked, and the fake PC Optimizer alerts damaged the Windows 7.0 system.

The user had no choice but to re-image the system.

We have analyzed We-care.com, and it leads to quite a few nasty malware sites, including TDSS, Fake AV and Virut attacks.

Malware Site:

  • We-care.com
    184.72.245.78
    plugin.we-care.com.
    Network: AS14618 /AMAZON-AES-IAD

Malware Found:

  • Trojan-Dropper.Win32.Injector!
  • TR/Spy.Banker.3297280.1.
  • WORM/Ainslot.A.1088
  • TR/Spy.Agent.307200
  • TR/Injector.1014272
  • BDS/Backdoor.Gen
  • Rogue Antivirus / WinWebSec – SystemSecurity
  • Trojan GameThief OnlineGames
  • Trojan Zbot
  • Backdoor Turkojan.A

Redirects to adnxs.com

  • Trojan-PWS.WOW.DCC
  • TDSS Root-kit
  • W32/Downldr2.FZKV
  • Packed.Win32.Krap.ao
  • WebToolbar.Win32.Zango.jf

Redirects to didit.com

  • Key loggers
  • Browser Hijack

Redirects to invitemedia.com:

  • Trojan-Dropper.Win32.TDSS.elf [Kaspersky Lab]
  • W32.Virut.CF [Symantec]
  • Virus.Win32.Virut.ce [Kaspersky Lab]

See the Analysis for InviteMedia.com at the MS Post

Google Tags:

  • ASPCA nets over $200K from We-Care.com, Congrats All Around! … wildlife to humans such H1N1, avian flu, SARS, West Nile virus and the deadly Nipah virus. …

Google Update on We-care.com and its Network.

  • Over the past 90 days, we found 22 site(s) on this network, including, for example, tentaculos.net/, verican.ws/, feedsportal.com/, that appeared to function as intermediaries for the infection of 36 other site(s) including, for example, buenastareas.com/, sanfernandosun.com/, vagos.es/.
  • Has this network hosted sites that have distributed malware?
    Yes, this network has hosted sites that have distributed malicious software in the past 90 days.  We found 23 site(s), including, for example, usuc.us/, runa.com/, widgetserver.com/, that infected 61 other site(s), including, for example, phpscriptsdirectory.com/, totalvac.com/, linuxlandit.blogspot.com/.

HTTP Traffic:

  • http://www.we-care.com/Templates/AC_RunActiveContent.js
  • http://www.we-care.com/Templates/wc.js
  • http://www.we-care.com/Templates/fat.js
  • http://cdn.we-care.com/Content/SWF/root.swf
  • http://cdn.we-care.com/Content/SWF/titles.swf?tvalue=Responsible+Shopping+and+the+We-Care.com+Community&tcolor=0xFF6600
  • http://tag.didit.com/js/tman_iframe.js
  • http://www.we-care.com/Templates/reset-fonts-grids.css
  • http://tag.didit.com/didit/tman.cgi/tmpageid=3129&levyouruid=0.9099430928408502&tmpageref=1&tmlogit=0&tmtag=js

DNS Traffic:

  • we-care.com
  • 184.72.245.78
  • cdn.we-care.com
  • 205.251.205.112
  • 205.251.205.54
  • 205.251.205.151
  • 205.251.205.211
  • 205.251.205.107
  • 205.251.205.249
  • 205.251.205.58
  • 205.251.205.188

HTTP Redirects:

  • hxxp://we-care.com/    hxxp://www.we-care.com/
  • hxxp://ib.adnxs.com/getuidu?hxxp://tag.didit.com/diditdata/tman.cgi/tmad=i&tmcampid=37&tmclickref=$UID&tmplaceref=InvitePixelID50113&levref=&tmcustom=contid:3129&tmloc=hxxp://segment-pixel.invitemedia.com/pixel?pixelID=50113&partnerID=4&clientID=23&key=segment&partner_uid=$UID&returnType=js    hxxp://tag.didit.com/diditdata/tman.cgi/tmad=i&tmcampid=37&tmclickref=0&tmplaceref=InvitePixelID50113&levref=&tmcustom=contid:3129&tmloc=hxxp://segment-pixel.invitemedia.com/pixel?pixelID=50113&partnerID=4&clientID=23&key=segment&partner_uid=$UID&returnType=js
  • hxxp://tag.didit.com/diditdata/tman.cgi/tmad=i&tmcampid=37&tmclickref=0&tmplaceref=InvitePixelID50113&levref=&tmcustom=contid:3129&tmloc=hxxp://segment-pixel.invitemedia.com/pixel?pixelID=50113&partnerID=4&clientID=23&key=segment&partner_uid=$UID&returnType=js    hxxp://segment-pixel.invitemedia.com/pixel?pixelID=50113&partnerID=4&clientID=23&key=segment&partner_uid=$UID&returnType=js
  • hxxp://m.didit.com/seg?add=105145&t=1    hxxp://ib.adnxs.com/seg?add=105145&t=1

Malware Payload

  • hxxp://cdn.we-care.com/Content/SWF/root.swf
  • hxxp://cdn.we-care.com/Content/SWF/titles.swf?tvalue=Responsible+Shopping+and+the+We-Care.com+Community&tcolor=0xFF6600

Rogue Connections:

  Remote Host        Port Number
  174.129.142.186    80
  174.36.176.242     80
  208.43.57.101      80
  208.70.72.89       80
  209.59.195.20      80
  209.59.195.240     80
  211.95.79.170      80
  212.117.177.140    80
  218.93.205.19      80
  218.93.205.30      80
  174.36.176.242     81
  70.42.138.14       443
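The domains, IP addresses, payload paths, redirect hops and rogue remote host/port pairs listed above are usable as indicators. The script below is an added example (not part of the original post) that loads those indicators and runs them over proxy, DNS and firewall connection logs. The log formats, the log lines and host names such as example.org are constructed for the example; the domain check walks label suffixes so that subdomains of we-care.com match but look-alikes such as notwe-care.com do not.

```python
"""Match proxy, DNS and connection logs against the We-care.com indicators
from the post. Added example; log formats and sample lines are constructed."""
import re
from urllib.parse import urlsplit

# Indicators copied from the post. Subdomains match through suffix walking.
MALICIOUS_DOMAINS = {"we-care.com", "cdn.we-care.com", "plugin.we-care.com"}
# Ad-network hops in the redirect chain: flagged as suspicious, not malicious,
# because legitimate sites use them too.
REDIRECT_DOMAINS = {"adnxs.com", "didit.com", "invitemedia.com"}
MALICIOUS_IPS = {
    "184.72.245.78", "205.251.205.112", "205.251.205.54", "205.251.205.151",
    "205.251.205.211", "205.251.205.107", "205.251.205.249", "205.251.205.58",
    "205.251.205.188",
}
ROGUE_CONNECTIONS = {
    ("174.129.142.186", 80), ("174.36.176.242", 80), ("208.43.57.101", 80),
    ("208.70.72.89", 80), ("209.59.195.20", 80), ("209.59.195.240", 80),
    ("211.95.79.170", 80), ("212.117.177.140", 80), ("218.93.205.19", 80),
    ("218.93.205.30", 80), ("174.36.176.242", 81), ("70.42.138.14", 443),
}
ROGUE_HOSTS = {ip for ip, _ in ROGUE_CONNECTIONS}
PAYLOAD_PATHS = ("/Content/SWF/root.swf", "/Content/SWF/titles.swf")

# Constructed log formats: "<ts> <client> <method> <url> <status>",
# "<ts> <client> <qtype> <qname> <answer>", "<ts> <src> <dst> <port>".
PROXY_RE = re.compile(r"^(\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (\d{3})$")
DNS_RE = re.compile(r"^(\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+) (?P<answer>\S+)$")
CONN_RE = re.compile(r"^(\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+)$")


def domain_verdict(host):
    """Return 'malicious', 'redirect' or None, checking every label suffix
    (cdn.we-care.com -> we-care.com -> com) rather than a substring."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in MALICIOUS_DOMAINS:
            return "malicious"
        if suffix in REDIRECT_DOMAINS:
            return "redirect"
    return None


def check_proxy(line):
    """Alert on requests to listed domains; payload paths get their own tag."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    verdict = domain_verdict(parts.hostname or "")
    if verdict == "malicious" and parts.path.startswith(PAYLOAD_PATHS):
        return ("payload_download", m["client"], m["url"])
    if verdict:
        return (verdict + "_domain", m["client"], m["url"])
    return None


def check_dns(line):
    """Alert on lookups of listed names, or answers pointing at listed IPs."""
    m = DNS_RE.match(line.strip())
    if not m:
        return None
    verdict = domain_verdict(m["qname"])
    if verdict:
        return (verdict + "_domain", m["client"], m["qname"])
    if m["answer"] in MALICIOUS_IPS:
        return ("resolves_to_malicious_ip", m["client"], m["qname"] + " -> " + m["answer"])
    return None


def check_connection(line):
    """Exact host:port pairs from the post rank above host-only matches."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    dst, port = m["dst"], int(m["port"])
    if (dst, port) in ROGUE_CONNECTIONS:
        return ("rogue_connection", m["src"], "%s:%d" % (dst, port))
    if dst in ROGUE_HOSTS or dst in MALICIOUS_IPS:
        return ("rogue_host_other_port", m["src"], "%s:%d" % (dst, port))
    return None


def scan(text, checker):
    """Run one checker over a block of log text and return the alerts."""
    return [a for a in (checker(l) for l in text.splitlines()) if a]


# Constructed sample logs.
PROXY_LOG = """\
2011-03-02T10:14:02 10.0.0.12 GET http://www.we-care.com/Templates/wc.js 200
2011-03-02T10:14:03 10.0.0.12 GET http://cdn.we-care.com/Content/SWF/root.swf 200
2011-03-02T10:14:04 10.0.0.12 GET http://tag.didit.com/js/tman_iframe.js 200
2011-03-02T10:14:05 10.0.0.12 GET http://example.org/index.html 200
2011-03-02T10:14:06 10.0.0.12 GET http://notwe-care.com/x 200
"""
DNS_LOG = """\
2011-03-02T10:14:01 10.0.0.12 A www.we-care.com 184.72.245.78
2011-03-02T10:14:07 10.0.0.12 A example.org 93.184.216.34
2011-03-02T10:14:08 10.0.0.12 A static.example.net 205.251.205.58
"""
CONN_LOG = """\
2011-03-02T10:15:00 10.0.0.12 174.36.176.242 81
2011-03-02T10:15:01 10.0.0.12 174.36.176.242 8080
2011-03-02T10:15:02 10.0.0.12 70.42.138.14 443
2011-03-02T10:15:03 10.0.0.12 93.184.216.34 443
"""

if __name__ == "__main__":
    for name, log, checker in (("proxy", PROXY_LOG, check_proxy),
                               ("dns", DNS_LOG, check_dns),
                               ("conn", CONN_LOG, check_connection)):
        for alert in scan(log, checker):
            print(name, *alert)
```

The post itself notes that 184.72.245.78 sits in AS14618 (Amazon), and the 205.251.205.x addresses are on shared hosting as well, so an IP-only hit (`resolves_to_malicious_ip`, `rogue_host_other_port`) is a lead to triage, while a hit on a we-care.com name or a payload path is the signal to pull the host off the network before the fake alerts start.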

Reference:  Google / Malware URL / Malware Domain
