Yahoo! Answers is a community-oriented site where Internet users ask and answer each other’s questions:
There are a couple hundred pages pushing this right now, although most of them are getting cleaned up.
The link redirects you to a fake Yahoo! Answers page hosted at answers-yahoo-z.tk where you can “download” (answers-yahoo-z.tk/answer.exe) your answer:
Here is some background information on the domain:
The server’s IP (109.230.246.214) is located in Germany.
Of course, there is no such thing, and the file is a Trojan. (VirusTotal report 9/43)
Dynamic analysis of answer.exe shows the creation of the following malware files:
If you really want to know what the payload is, you need to fire up Wireshark and inspect the network traffic:
Similar DNS queries are performed against various domain names: onlinedatingsecretfriends.com, telephonebaseonline.com, onlineinstitute.com and so on. Each domain has been compromised and is hosting a spambot, such as gbot.
A closer look at the network packets shows the real deal:
That’s right, this is a spam email.
The other payload you might get is FakeAV. This time, a different set of files gets dropped:
Two IPs are implicated:
193.105.134.190 (Sweden)
95.64.9.41 (Romania)
As always, poor grammar comes with the package:
I did a bit more research on the ASN (AS197043) which hosts the malware file. It points to “Germany Xsserver.eu Dedicated Servers”.
These guys are well known for having bad customers and yet not acting to get rid of them.
“Sending of unsolicited e-mail (SPAM) from XSserver.Eu’s servers, or any other server that refers to content on the XSserver.Eu server, or sending such e-mail with a XSserver.Eu hosted web site listed as the contact address;
Information or other material that contains a virus, corrupted data or other harmful or damaging component.”
Both of these have been violated and yet they are still turning a blind eye. How much longer can they operate like this?
Jerome Segura
Update:
Our good friend Steven Burn never misses a thing. He notes it’s more than just one domain involved in distributing the ‘answer.exe’ file. They are following a simple pattern of ‘b-to-z’:
answers-yahoo-b.tk/answer.exe
answers-yahoo-c.tk/answer.exe
answers-yahoo-d.tk/answer.exe
answers-yahoo-e.tk/answer.exe
answers-yahoo-f.tk/answer.exe
answers-yahoo-g.tk/answer.exe
answers-yahoo-h.tk/answer.exe
answers-yahoo-i.tk/answer.exe
answers-yahoo-j.tk/answer.exe
answers-yahoo-k.tk/answer.exe
answers-yahoo-l.tk/answer.exe
answers-yahoo-m.tk/answer.exe
answers-yahoo-n.tk/answer.exe
answers-yahoo-o.tk/answer.exe
answers-yahoo-p.tk/answer.exe
answers-yahoo-q.tk/answer.exe
answers-yahoo-r.tk/answer.exe
answers-yahoo-s.tk/answer.exe
answers-yahoo-t.tk/answer.exe
answers-yahoo-u.tk/answer.exe
answers-yahoo-v.tk/answer.exe
answers-yahoo-w.tk/answer.exe
answers-yahoo-x.tk/answer.exe
answers-yahoo-y.tk/answer.exe
answers-yahoo-z.tk/answer.exe
Thanks, Steven.
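The indicators scattered through this post (the b-to-z throwaway .tk domains, the three IPs and the compromised domains seen in the DNS traffic) are easy to turn into a small detection pass over proxy or DNS logs. The following is an added example written for this page, not code from the original post or from Malwarebytes: the indicator values come from the text above, the log format and the sample log lines are constructed, and the domain regex is deliberately widened from the observed b-to-z range to any single letter so that sibling domains are caught as well.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the write-up above. Everything else in this file is constructed.
# The post observed answers-yahoo-b.tk through answers-yahoo-z.tk; the regex accepts any
# single letter so an unseen sibling (e.g. -a) is still flagged (generalisation, assumption).
FAKE_ANSWERS_HOST = re.compile(r"(?:^|\.)answers-yahoo-[a-z]\.tk$")
KNOWN_BAD_IPS = {"109.230.246.214", "193.105.134.190", "95.64.9.41"}
COMPROMISED_DOMAINS = {
    "onlinedatingsecretfriends.com",
    "telephonebaseonline.com",
    "onlineinstitute.com",
}

# Constructed log format (hypothetical, not from the post): "<ts> <src-ip> <DNS|HTTP> <host> [path]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>DNS|HTTP)\s+(?P<host>\S+)(?:\s+(?P<path>\S+))?$"
)


def classify_host(host: str) -> Optional[str]:
    """Return a reason string if the host matches an indicator from the post, else None."""
    host = host.strip().lower().rstrip(".")
    if host in KNOWN_BAD_IPS:
        return "known-bad-ip"
    if FAKE_ANSWERS_HOST.search(host):
        return "fake-yahoo-answers-host"
    if host in COMPROMISED_DOMAINS or any(host.endswith("." + d) for d in COMPROMISED_DOMAINS):
        return "compromised-spambot-host"
    return None


def scan_log(lines) -> List[Tuple[int, str, str]]:
    """Walk log lines and return (line_number, host, reason) for every indicator hit.

    Lines that do not parse are skipped rather than treated as errors, so a stray
    header or blank line in a real log export does not abort the scan.
    """
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        reason = classify_host(m.group("host"))
        if reason is None:
            continue
        path = m.group("path") or ""
        # The payload itself was always named answer.exe; make that visible in the reason.
        if path.lower().endswith("/answer.exe"):
            reason += "+answer.exe-download"
        hits.append((lineno, m.group("host"), reason))
    return hits


# Constructed sample log; the legitimate answers.yahoo.com line must NOT be flagged.
SAMPLE_LOG = """\
2011-01-01T14:01:03Z 10.0.0.12 HTTP answers-yahoo-z.tk /answer.exe
2011-01-01T14:01:05Z 10.0.0.12 DNS onlinedatingsecretfriends.com
2011-01-01T14:01:06Z 10.0.0.12 HTTP 193.105.134.190 /
2011-01-01T14:02:10Z 10.0.0.17 HTTP answers.yahoo.com /question/index
2011-01-01T14:02:11Z 10.0.0.17 DNS answers-yahoo-a.tk
"""

if __name__ == "__main__":
    for lineno, host, reason in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {host} -> {reason}")
```

Matching on the exact `answers-yahoo-<letter>.tk` shape rather than on the substring `yahoo` is what keeps the real `answers.yahoo.com` traffic out of the hit list; the anchored regex also matches subdomains of the throwaway hosts, which a plain set lookup would miss.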
How do you get rid of this?? I have a “Yahoo!” toolbar and I don’t know how it got there and I can’t get rid of it, and I have tons of pop-ups saying the source is zonedg.com