how not to get a virus

I came across the following virus site when following up on an internet search… (I have not listed the whole link to protect the reader!)

A quick lookup shows that the IP address is registered to “Jamaica research center” of Titan-net LTD, and that it is managed on the Internet by ECOMD-COLOQUEST out of Ukraine. (Yet the IP address appears to be physically located in Chicago.) None of those three facts agree with one another, which is itself a warning sign.

If you are sent to the website, you are greeted with a pop-up window telling you that your system might be infected. The alert says:

“Warning! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! System Security will perform a quick and free scanning of your PC for viruses and malicious programs.” (This is the exact quote from the message, spelling and grammar included.)
Then, the browser window looks like a scan is being performed. Check out this image…

Virus Main Screen

While the pop-up messages sound pretty dire, I didn’t see any virus yet. And, whatever you do, don’t accept a virus scan from any of these pop-ups. Instead, just close the windows by pressing the red “X” in the upper right corner of the browser window. Use the real close button that belongs to the browser, not a “Close” or “Cancel” button drawn inside the web page: everything inside the page, including the fake scan and its buttons, is under the site’s control.

When you try to close the browser, you will be greeted by one more message.

Exit warning

After you encounter this screen, the site will try to download a program onto your system. This appears to be the virus; during my analysis the virus executable was named “inst.exe”. Presumably this is the “install program” for what the virus site claims is its virus-scanning program.

Again, whatever you do, don’t download this file. It is certainly untrusted, especially since it comes from a site with no valid DNS name (you reach it by IP address rather than by a host name)! Currently, I have not seen a virus scanner that detects this program as bad.

The bottom line is that virus scanners are necessary, but not sufficient. Be very suspicious when a website claims your computer has a virus. Be even more suspicious when the same website offers to fix it.

For the techies, this virus site was very interesting. The JavaScript downloaded from the website is obfuscated: the real code is stored in an encoded form and only reassembled and executed at run time, so reading the page source shows nothing useful until it is decoded. The decoded JavaScript is available here.

