Fake security
I was checking out a referrer on a forum where someone had gotten help with an HP computer.
Then I get a popup talking about the Bloodhound virus, and pushing an antivirus solution that’s unknown to me. It was a popup with an alert. The only way out for most people would be to click on OK, because the window didn’t respond. I used Alt+F4 to get out of it.
But even when I did, I was led to the next window. Apparently this company had popups with the Windows security center logo in the past, but it’s been removed now. I wasn’t about to download some unknown software. I suspected it was malware of some sort.
Sunbelt BLOG: Another fake security site.
But my question is, has my Firefox been infected by something, or did this popup get triggered by something on the pro-networks.org forum?
I checked the code, and although the forum is apparently ad free, there’s some code there that pops under ads from fastclick.com. I suspect this is the reason for the popup!
So, fastclick probably let in some rogue player. Maybe they should check their advertisers more thoroughly?
amaena.com whois:
Hostmaster, Amaena hostmaster@amaena.com
P.O. box1048
Chernigov, NA 14032
UA
+380 96 381 4557
IP:
66.244.254.64
66.244.254.63
MX records show a host from Quebec, Canada: setupahost.net
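The check described in the post (reading the page source to see whether a third-party ad network is loaded) can be scripted. This is an added example, not code from the original post; the sample markup and the `.example` hostnames are constructed, and the two-label domain comparison is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample markup standing in for a saved forum page (not the real page source).
SAMPLE_HTML = """<html><head>
<script src="/js/forum.js"></script>
<script src="http://media.adnetwork.example/pop.js"></script>
</head><body>
<img src="http://static.forum.example/logo.png">
<iframe src="http://ads.thirdparty.example/frame.html"></iframe>
<a href="http://elsewhere.example/">plain link, loads nothing by itself</a>
</body></html>"""

# Tags whose URL attribute makes the browser fetch (and possibly run) remote content.
LOADING_ATTRS = {"script": "src", "iframe": "src", "frame": "src",
                 "embed": "src", "object": "data"}

class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.found.append((tag, url))

def site_of(host):
    """Crude site guess: last two labels (assumption; no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def third_party_loaders(html, page_url):
    """Return sorted (host, tag) pairs for active content served from another site."""
    page_site = site_of(urlparse(page_url).hostname or "")
    finder = ActiveContentFinder()
    finder.feed(html)
    hits = set()
    for tag, url in finder.found:
        host = urlparse(url).hostname  # None for relative URLs, i.e. same site
        if host and site_of(host) != page_site:
            hits.add((host.lower(), tag))
    return sorted(hits)

if __name__ == "__main__":
    page = "http://www.forum.example/viewtopic.php"
    for host, tag in third_party_loaders(SAMPLE_HTML, page):
        print(f"{tag:7} loads from {host}")
```

Inline scripts that assemble the ad URL at run time do not show up in a static scan like this; the browser's network log covers those.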
April 13th, 2006 at 3:52 am
The file they ask you to download is a virus.
Kaspersky detected it as “not-a-virus:Downloader.Win32.WinFixer.f”
http://www.kaspersky.com/scanforvirus
I love the fact that I use Linux. The website (URL from the jpg at the linked blog) tried to tell me:
========================================================
Attention! Security Center has detected spyware on your PC sending private information and documents to remote computer. One of processes (Win32res.exe) has just sent this information:
IP address: XXX.XXX.XXX.XXX
Browser: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.11) Gecko/20050729
Computer OS: unknown
Full PC control: Gained
Sent Information: approximately 17 Megabytes
=========================================================
Now first, in Linux there IS NO Win32res.exe and “Full PC Control” was “Gained”? I don’t bloody think so. And I supposedly sent 17MB over a 768kb/s uplink in under a second? Not a chance.
You might want to contact abuse@bigpipeinc.com (the abuse contact for the IP addresses) and let them know they’re hosting a virus/trojan. Let them know that the same IPs are being used by winantivirus.com and winantispyware.com to host the actual downloads. All three domains seem to have fake contact info.
April 13th, 2006 at 4:15 am
And the root of that site doesn’t even load. You have to go to this address to get that warning to load (for those with Linux if you want to test Brian’s statements):
amaena.com/securityworm5/
(add the www before the address. I had to take it out to avoid it hyperlinking on the blog).
April 13th, 2006 at 4:29 am
Now that’s interesting. I tried a Debian flavor. That page served the warning, then went into the other page where it reports its findings. And it said OS unknown… And STILL recommended the downloads - that won’t work on Linux.
Geez!
April 17th, 2006 at 8:47 pm
No, I think this is some new kind of spyware/adware. Running Win 2k & I’ve been dealing with this for about a week. I get the same fake alert telling me about the bloodhound virus, and it sends me to the same site. Weird thing is, I get it no matter where I’m browsing. Yahoo, Ebay, Google. I’ve updated and run 3 anti-spyware programs, and done 2 virus scans, and they haven’t picked up anything other than cookies. In the past couple of days it’s been sending me popups for online casinos also. It’s freaking me out that nothing can detect this thing. Any info will help.
April 19th, 2006 at 5:09 pm
I got this same problem, can anyone help?
April 20th, 2006 at 5:47 pm
I am also getting this... and the online casinos are also popping up. What’s worse than online casinos??? Porn page ads while your 5 year old is sitting nearby... Course this has only happened to me since I signed up with Netzero a month ago (also got rid of it a week later). I too am still looking for a solution to this.
April 20th, 2006 at 7:16 pm
I’ve got the same problem as well. Any help is appreciated.
April 21st, 2006 at 3:05 pm
I only got that popup once on my machine, so I wasn’t infected. But then I use a slightly more secure browser than IE.
The best advice is to NOT download what they want you to download.
If it keeps popping up several times, check what kind of sites you frequent. Maybe it’s the neighborhood you’re surfing in that’s serving up those popups, not that your machine is infected.
Be especially wary of forums that you often go to. Some DO serve ads.
April 21st, 2006 at 7:41 pm
Okay, I got this same pop-up today, too… first time ever. Could someone please tell me if it means I am infected if I got the pop-up? I disconnected from the Internet straight-away the second time I saw it. I realized it actually popped-up a new version of one window that I was on, with an ad pasted into the window… I could x out of that window, and the same (real) window was beneath it.
I had been using an online auction site that does allow fastclick to send popups. I guess I won’t be going there anymore– at least not on my home PC. I’ll use the library’s. LOL.
How do I tell if this thing is on my system or not? When I reconnected to the Internet (I have dial-up), I got the same pop-up warning me that BloodHound Virus had been found on my computer — looked just like a Windows warning, but then I immediately disconnected again, then x’ed out of that window when I was offline… even though I was offline, it changed from that pop-up to the website for the window telling me I’d better download one of two programs (“easy” or “very easy”) in order to rid myself of this supposed virus.
Of course, I didn’t try to download anything… but, how do I tell if I downloaded something by accident/default??? Should I clear my cookies? I think I’ll at least take a look at them.
Thanks !
April 23rd, 2006 at 7:06 am
I started getting this yesterday too! Not being detected by any of my anti virus/anti Adware/Anti Spybot software.
Anyone any idea how to get rid of this thing????
April 23rd, 2006 at 11:27 am
OK…I found this thread on a Dell support forum
http://forum.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=51454
Looks like the problem is a Vundo Trojan. I downloaded the VundoFix program referenced in the link above…and it removed my problem! Good luck!
April 23rd, 2006 at 9:57 pm
The answer to the problem is the Vundo virus. It supposedly uses a hole in a version of Java. Norton doesn’t detect it, or fix it. You can read about how to fix it here: http://forums.us.dell.com/supportforums/board/message?board.id=si_hijack&message.id=29584
It appears to have worked for me.
What pisses me off, however, is that Norton hasn’t done anything to fix it or even detect it. I went through their customer service, and they said that I’d have to use the phone customer service at $$$ per minute. Doesn’t it seem that if you pay for protection, and the protection doesn’t work, then you shouldn’t have to pay to get it fixed??
Good luck,
Scott
April 24th, 2006 at 3:37 am
I run Firefox without Java enabled, so this Vundo thing isn’t the only explanation for the popups.
April 24th, 2006 at 9:03 am
“I run Firefox without Java enabled, so this Vundo thing isn’t the only explanation for the popups.”
Removing Vundo has eliminated my popups…so I think that Vundo is the explanation for the popups. What I don’t believe is that the Java hole is the only way the Vundo trojan gets onto a system. The Dell forum posts say that there is strong “speculation” that the Java hole is responsible… This isn’t really definitive though.
April 24th, 2006 at 9:27 am
I’ve had no more popups of the type since. And I verified that FastClick was serving up popups on the forum I went to. The popup even worked on a Linux machine, which obviously wouldn’t have been compromised by a Windows virus.
June 4th, 2006 at 5:14 am
I fuckin hate amaena
June 7th, 2006 at 11:47 am
I have not had the problem while surfing on AOL, only while AOL is shut down. McAfee will not detect it either.
June 25th, 2006 at 12:51 pm
I had the not-a-virus……. file also. Norton didn’t spot it coming in, but Ewido spotted it and deleted it for me.
January 10th, 2007 at 5:38 am
I keep getting a pop up that says “yay”… anyone ever seen this?
June 25th, 2007 at 7:45 am
I am having this problem on three different Linux machines, all with Firefox. Wondering what can cause it (I have no form of antivirus whatsoever, never needed it).
July 22nd, 2007 at 5:55 pm
I got the same thing. And it pisses me off BIG TIME! I got rid of it once. But then I went to a site that auto downloaded it on my computer. And I tried to get rid of it like I did last time, with Ad-aware (an awesome scan program) and of course there was malware, so I removed it. But for some reason, it’s still popping up. Not to mention I get disgusting porn and hentai pop ups.
If someone could help me, that’d be great.