I came across the following virus site when following up on an internet search. http://18.104.22.168/index.php?q=B5AF6D87821K0M332YPU6SPKL92L67Q302… (I have not listed the whole link to protect the reader!)
A quick lookup shows that the IP address 22.214.171.124 is owned by “Jamaica research center” from Titan-net LTD. The IP address is being managed on the Internet by ECOMD-COLOQUEST out of the Ukraine. (Yet, the IP address appears to be physically located in Chicago.)
If you are sent to the website, you are greeted with a pop-up window telling you that your system might be infected. The alert says ”
While the pop-up messages sound pretty dire, I didn’t see any virus yet. And, whatever you do, don’t accept a virus scan from any of these pop-ups. Instead, just close the windows by pressing the red “X” in the upper right corner of the browser windows.
When you try to close the browser, you will be greeted by one more message.
After you encounter this screen, the site will try to download a program onto your system. This appears to be the virus, and during my analysis the virus executable was named “inst.exe”. Presumably, this is the “install program” that the virus site is claiming is the virus scanning program.
Again, whatever you do, don’t download this file. It is certainly untrusted, especially since it comes from a site with no valid DNS name! Currently, I have not seen a virus scanner that detects that this program is bad.
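The two signals described above, a site reached by bare IP address and an executable download from it, can also be looked for in web proxy logs. The following is an added example, not code from the original post; the log layout, the addresses (documentation ranges) and the extension list are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed list of extensions treated as executable downloads.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".msi", ".bat")

def classify_url(url):
    """Return 'exe-from-ip', 'ip-host' or None for a requested URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:              # e.g. malformed IPv6 brackets
        return None
    if not host:
        return None
    try:
        ipaddress.ip_address(host)  # raises ValueError for DNS names
    except ValueError:
        return None
    if parts.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        return "exe-from-ip"
    return "ip-host"

def flag_requests(log_lines):
    """Return (client, url, verdict) for each request worth a closer look."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:         # skip blank or truncated lines
            continue
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            findings.append((client, url, verdict))
    return findings

# Constructed sample: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET http://203.0.113.10/index.php?q=PLACEHOLDER 200",
    "2024-01-01T10:00:09Z 10.0.0.5 GET http://203.0.113.10/inst.exe 200",
    "2024-01-01T10:01:00Z 10.0.0.7 GET http://downloads.example.com/setup.exe 200",
    "2024-01-01T10:02:00Z 10.0.0.8 GET http://example.org/index.html 200",
]

if __name__ == "__main__":
    for client, url, verdict in flag_requests(SAMPLE_LOG):
        print(f"{verdict:12} {client:10} {url}")
```

A bare-IP host is only a reason for a closer look, since some legitimate internal tools are also reached by IP address.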
The bottom line is that virus scanners are necessary, but not enough. Be very suspicious when a website claims that your system has a virus. Be even more suspicious when the same website offers to fix the viruses.