A link that was blacklisted today on malwareblacklist.com got my attention:
The Registrant’s address is even deceiving as it seems to match the “.uk” domain:
5 East Street
In fact, browsing to that link redirects you to:
which is the official mobile URL for Facebook’s site.
So, is this link just another redirection for UK users? Well, let’s check out where this domain is hosted.
Its IP address is: 126.96.36.199; location: Russia. Hmm, interesting wouldn’t you say?
And the hosting company is the well known WEBALTA-AS OAO.
It turns out there is malware on this site: mfacebook.co.uk/1.exe – VirusTotal (2/44 detections).
Upon running, it queries api.wipmania.com to determine what your IP address and country are. Then it goes on to download a long list of antivirus URLs (1310 entries), which also includes download sites for virus definitions and Windows updates. Finally, it downloads its main component again (possibly to get the latest build?).
The piece of malware puts itself under the Application Data folder by first creating a user-level rootkit and then hiding itself:
As mentioned above, part of the payload is to block access to a large list of security products, including Microsoft Security Essentials:
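The indicators quoted above (the api.wipmania.com geolocation lookup, the mfacebook.co.uk/1.exe download, the 126.96.36.199 host, and the blocking of antivirus and Windows Update sites) can be turned into two simple defender-side checks. The script below is an added example, not code from the original post: it scans constructed proxy log lines for the post's indicators, and it parses hosts-file text for security-vendor or update domains sinkholed to localhost. The post does not say how this sample blocks its 1310 URLs; the hosts-file sinkhole is an assumption used only to illustrate the check, and the SECURITY_DOMAINS list is constructed, not the malware's list.

```python
"""
Added example (not from the original post): two defender-side checks
derived from the indicators the post describes.

1. scan_proxy_log()             - flags proxy/web log lines that reference
   the indicators named in the post.
2. find_blocked_security_hosts() - parses hosts-file text and reports
   security-vendor / update domains pinned to a sinkhole address.
   ASSUMPTION: the post does not state the blocking mechanism; a hosts-file
   sinkhole is one common technique and is used here purely to illustrate.

All sample inputs below are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List

# Indicators quoted in the post.
IOC_HOSTS = {"api.wipmania.com", "mfacebook.co.uk"}
IOC_IPS = {"126.96.36.199"}

# Illustrative security/update domains a defender would not expect to see
# sinkholed (constructed list, not the malware's 1310-entry list).
SECURITY_DOMAINS = {
    "windowsupdate.com",
    "update.microsoft.com",
    "virustotal.com",
    "gmer.net",
}

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed proxy log: "<client> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://mfacebook.co.uk/ 302
10.0.0.12 GET http://m.facebook.com/ 200
10.0.0.12 GET http://mfacebook.co.uk/1.exe 200
10.0.0.12 GET http://api.wipmania.com/ 200
10.0.0.12 GET http://126.96.36.199/1.exe 200
10.0.0.12 GET http://example.org/index.html 200
"""

# Constructed hosts-file content.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         windowsupdate.com
0.0.0.0         download.windowsupdate.com
127.0.0.1       www.virustotal.com
192.168.1.50    fileserver.corp.local
"""

URL_RE = re.compile(r"https?://([^/\s:]+)")


def _host_matches(host: str, suffixes: set) -> bool:
    """True if host equals, or is a subdomain of, any entry in suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def scan_proxy_log(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose URL host is a known indicator."""
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        reason = None
        if host in IOC_IPS:
            reason = "known download/C2 IP from the post"
        elif _host_matches(host, IOC_HOSTS):
            reason = "known malicious host from the post"
        if reason:
            hits.append({"line": line, "host": host, "reason": reason})
    return hits


def find_blocked_security_hosts(hosts_text: str) -> List[str]:
    """Return security/update hostnames mapped to a sinkhole address."""
    blocked = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)       # skip malformed lines
        except ValueError:
            continue
        if addr not in SINKHOLE_IPS:
            continue
        for name in names:
            if name.lower() != "localhost" and _host_matches(name, SECURITY_DOMAINS):
                blocked.append(name)
    return blocked


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[proxy] {hit['reason']}: {hit['line']}")
    for name in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"[hosts] security site sinkholed: {name}")
```

On a real system, feed find_blocked_security_hosts() the contents of %SystemRoot%\System32\drivers\etc\hosts and scan_proxy_log() your web proxy export; any hit on the post's indicators or any sinkholed update domain is a reason to pull the host for the GMER-based cleanup described below.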
All is not lost! For some reason the free rootkit removal tool GMER is not being blocked. If you do a full scan, it will find that file hiding in the %appdata% folder, and you can right-click on the entry and choose “delete”.
When done, restart your computer and download the antivirus of your choice.