
September 26th, 2005 16:00

Warning: Winfixer can be obtained by MIS-spelling "Symantec"

Winfixer is the single most common piece of malware currently in circulation.
 
There have been several reports offered as to its source...
As a warning / public service, I will now list 3 alleged BAD sites that will create this problem.
 
THESE SITES MUST BE AVOIDED ---- DO *NOT* GO TO THEM.
 
Please note that, as a precaution (to keep people from accidentally clicking on these),
I have suppressed the link format, by replacing " ." by the WORD "dot"
 
BAD site:   www dot Symant ic dot com      <==== BAD:  Do *NOT* go here
 
BAD site:   www dot 600pics dot com         <==== BAD:  Do *NOT* go here
 
BAD site:   www dot gasbuddies dot com   <==== BAD:  Do *NOT* go here
 
 
Key point:   the first site involves a deceptive MIS-spelling of Symantec....
the "i" is what makes that site bad... 
but with an "e", it's the legitimate site for Norton products.
 
And there are probably many other sites generating winfixer as well, also based on mis-spellings... so we all have to be extra-careful.
 
 
 
Documentation of my information/allegations:
 
symant ic source ( verified by the editors of C|Net / Download.com) : 
 
600pics source ( listed by Computer Associates International):    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094807
 
gasbuddies source ( alleged by various sites, all essentially similar): http://www.vegasgasprices.com/Forum_MSG.aspx?master=1&category=1055&topic=133293&page_no=1
 
 
 
[ with acknowledgement to RKinner, who helped get me started on this research, and who initially located a version of the 3rd site]

Message Edited by ky331 on 09-26-2005 03:01 PM


September 26th, 2005 16:00

Nice find ky331,
 
This is a common way for the malware writers to get junk onto people's systems.
 
Another one that springs to mind, but not necessarily installs winfixer is misspelling Google to:
 
www (dot) Googkle (dot) com
 
This is a simple slip of the key as "k" is close to "l"
 
The sneaky peeps.
 
Bertha2
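The two posts above describe the same trick from two angles: a single wrong letter (symantEc / symantIc) and an adjacent-key slip (googLe / googKle). The script below is an added example, not code from this thread or from any vendor named in it. It enumerates those misspellings for a brand label (wrong letter, adjacent key, dropped, doubled or inserted letter, swapped neighbours) and classifies a hostname against a list of brands you trust. The QWERTY neighbourhood table is an assumed US layout, and the host-to-label split assumes a one-label public suffix such as ".com" (it would mis-handle ".co.uk"); both are illustration choices, not facts from the posts.

```python
"""Typosquat candidate generation and lookup (added example, not from the thread)."""

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Assumed US QWERTY neighbourhood, used for the "slip of the key" variants.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol",
    "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy", "u": "yhji",
    "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def adjacent_key(label):
    """One letter replaced by a key next to it on the keyboard."""
    for i, ch in enumerate(label):
        for c in ADJACENT.get(ch, ""):
            yield label[:i] + c + label[i + 1:]


def substitution(label):
    """One letter replaced by any other letter (symantEc -> symantIc)."""
    for i, ch in enumerate(label):
        for c in ALPHABET:
            if c != ch:
                yield label[:i] + c + label[i + 1:]


def omission(label):
    """One letter dropped."""
    for i in range(len(label)):
        yield label[:i] + label[i + 1:]


def repetition(label):
    """One letter typed twice."""
    for i, ch in enumerate(label):
        yield label[:i] + ch + label[i:]


def transposition(label):
    """Two neighbouring letters swapped."""
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            yield label[:i] + label[i + 1] + label[i] + label[i + 2:]


def insertion(label):
    """One extra letter anywhere (googLe -> googKle is an inserted 'k')."""
    for i in range(len(label) + 1):
        for c in ALPHABET:
            yield label[:i] + c + label[i:]


# Most specific kind first; the first generator to produce a string names it.
GENERATORS = [
    ("adjacent-key", adjacent_key), ("substitution", substitution),
    ("omission", omission), ("repetition", repetition),
    ("transposition", transposition), ("insertion", insertion),
]


def candidates(label):
    """Map every one-edit misspelling of `label` to the kind that produces it."""
    label = label.lower()
    out = {}
    for kind, gen in GENERATORS:
        for cand in gen(label):
            if cand != label:
                out.setdefault(cand, kind)
    return out


def registrable_label(hostname):
    """'www.Symantic.com' -> 'symantic' (assumes a one-label suffix like .com)."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(hostname, brands):
    """Return (verdict, brand, kind) with verdict 'legitimate', 'typosquat' or 'unknown'."""
    label = registrable_label(hostname)
    for brand in brands:
        if label == brand.lower():
            return ("legitimate", brand, None)
    for brand in brands:
        kind = candidates(brand).get(label)
        if kind:
            return ("typosquat", brand, kind)
    return ("unknown", None, None)


if __name__ == "__main__":
    trusted = ["symantec", "google"]
    for host in ["www.symantec.com", "www.symantic.com", "www.googkle.com", "www.600pics.com"]:
        print(host, classify(host, trusted))
```

Run against the hostnames in this thread, "symantic" comes back as a substitution of "symantec" and "googkle" as an insertion into "google"; "600pics" and "gasbuddies" come back "unknown", which is the right answer, since those are not misspellings of anything on the trusted list and need a blocklist rather than an edit-distance check. Feeding the candidate set to a DNS resolver to see which variants are actually registered is the usual next step.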


September 27th, 2005 11:00

Here's the 'basic' Java trace:

=====

load: class BlackBox.class not found.
java.lang.ClassNotFoundException: BlackBox.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed.
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more
load: class BlackBox.class not found.
java.lang.ClassNotFoundException: BlackBox.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed.
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more
load: class Mein.class not found.
java.lang.ClassNotFoundException: Mein.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed.
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at sun.applet.AppletClassLoader.access$100(Unknown Source)
at sun.applet.AppletClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more

=====

It's interesting to see what someone else wants to do to YOUR computer WITHOUT your permission or even knowledge.

Mike.


September 27th, 2005 11:00

On an additional note...

"Java" seems to be the way (vector) they are getting the "bad" files onto the target system (the one visiting those sites), at least on one of those sites (possibly all - didn't check) and their referee(s). A "Java" trace shows three attempts to run a downloader program (a Java-based trojan downloader) which was embedded into the webpage, with an interesting finish... a window pops up saying

"Update done. Microsoft".

:)

=====

Mike.
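Mike's two posts treat the Java console trace as the record of what the page tried to run. The script below is an added example, not code from this thread; it parses that kind of trace into one record per load attempt so the applet class names, the retry count and the "open HTTP connection failed" cause can be pulled out as indicators instead of read by eye. The trace embedded in it is constructed in the shape of the one posted above (three attempts, two class names) with the frame lists shortened, and the regular expressions assume the "load: class X not found." / "Caused by:" wording of the Sun plugin console of that era.

```python
"""Parse a Java plugin console trace into applet class-load attempts (added example)."""
import re
from collections import Counter

# Constructed sample in the shape of the thread's trace; frames abbreviated.
SAMPLE_TRACE = """\
load: class BlackBox.class not found.
java.lang.ClassNotFoundException: BlackBox.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed.
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more
load: class BlackBox.class not found.
java.lang.ClassNotFoundException: BlackBox.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed.
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more
load: class Mein.class not found.
java.lang.ClassNotFoundException: Mein.class
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed.
at sun.applet.AppletClassLoader.getBytes(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
... 10 more
"""

LOAD_RE = re.compile(r"^load: class (\S+) not found\.$")
CAUSE_RE = re.compile(r"^Caused by: ([\w.$]+): (.*)$")
EXC_RE = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")
FRAME_RE = re.compile(r"^at (\S+)\((.*)\)$")


def parse_trace(text):
    """Group console lines into one record per 'load: class ... not found' event."""
    attempts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOAD_RE.match(line)
        if m:
            current = {"class": m.group(1), "exception": None, "cause": None, "frames": []}
            attempts.append(current)
            continue
        if current is None:
            continue  # noise before the first load line
        m = CAUSE_RE.match(line)  # checked before EXC_RE: a cause line also ends in "Exception:"
        if m:
            current["cause"] = m.group(1) + ": " + m.group(2)
            continue
        m = EXC_RE.match(line)
        if m and current["exception"] is None:
            current["exception"] = m.group(1)
            continue
        m = FRAME_RE.match(line)
        if m:
            current["frames"].append(m.group(1))
    return attempts


def requested_classes(attempts):
    """Applet classes the page asked the plugin for, with how often each was retried."""
    return dict(Counter(a["class"] for a in attempts))


def fetched_over_http(attempt):
    """True when the loader went to the network for the class (the IOException cause)."""
    return attempt["cause"] is not None and "HTTP connection" in attempt["cause"]


def summary(text):
    attempts = parse_trace(text)
    return {
        "attempts": len(attempts),
        "classes": requested_classes(attempts),
        "network": sum(1 for a in attempts if fetched_over_http(a)),
    }


if __name__ == "__main__":
    print(summary(SAMPLE_TRACE))
```

The class names ("BlackBox.class", "Mein.class") and the host the loader was pointed at are what go into a blocklist or proxy rule; the ClassNotFoundException itself only shows the fetch failed on this machine, so a trace like this is evidence of an attempt, not proof that nothing ran.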


October 11th, 2005 19:00

If it seems to be spread by Java, use a browser with a Java disabler. Avant is one: you can disable Java applets from running just using the browser :P. It also comes with a popup blocker (doesn't work on everything), an ad blocker, and the ability to disable videos, sounds, Flash and quite a few other things; plugins like a toolbar don't affect it. It has a nifty alternate homepage in case you get hijacked: you can switch to use the secondary homepage function and have it start as the default opened page, and it can't be changed.