JS.Fortnight.B@mm (S/Fortnight-B, JS/FortNight.B)
SYMPTOMS:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix (default value) = "http://www.pixpox.com/cgi-bin/click.pl?url="

TECHNICAL DESCRIPTION:

The mass-mailer arrives in infected e-mails whose signature is an HTML file, s.htm. When such an e-mail is opened, an IFRAME in the signature loads the infector (another HTML file) from a remote server, which runs and infects the current user.

Once run, the virus sets the following registry values:

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab = 1
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab = 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix (default value) = http://www.pixpox.com/cgi-bin/click.pl?url=

The first two policies hide the Security and Advanced tabs of Internet Explorer's Internet Options dialog, so the user cannot easily restore the browser's security settings. DefaultPrefix is the string Internet Explorer prepends to an address typed without a protocol, so every such address entered in Internet Explorer is redirected through the URL above.

It drops the file s.htm in the Windows folder and sets all Outlook signature files to s.htm, so outgoing mail carries the infected signature.

It also creates a hosts file in the Windows folder that redirects the following host names to one of two IP addresses, 66.159.17.25 and 66.159.16.110:

the.sextracker.com lobby.sexlist.com in.paycounter.com adv.sexcounter.com rd1.hitbox.com refer.ccbill.com www.ccbill.com secure.ibill.com
select.2000charge.com secure.2000charge.com www.signup.globill-systems.com secure.visionbill.net www.dibill.com secure.dpbill.com secure.dutchbilling.com secure.pswbilling.com
www.maximumcash.com www.adultrevenueservice.com www.eroticacash.com www.oxcash.com track.oxcash.com potd.oxcash.com clicks2.oxcash.com www.webmastersmakemoney.com
clicks.nastydollars.com www.lightspeedcash.com db.fetishcash.com ctc.amateurpages.com www2.karupspc.com www.iteens.com click.payserve.com vip.mtree.com
c.fsx.com adultfriendfinder.com www.danni.com network.nocreditcard.com php.offshoreclicks.com links.lifetimebucks.com cgi.gammae.com click.passiondollars.com
www.fatpockets.com link.siccash.com www.clickcash.com www.scoreland.com www.makingitpay.com www.hpic.com referral.topbucks.com www.platinumbucks.com
partner.globill-systems.com www.pornstardollars.com traffic.acpay.com www.cashforlink.com click.silvercash.com clickcash.webpower.com www.dollars4babes.com www.sexfantasyzone.com
www.twistyscash.com www.freeticketcash.com www.hawgscash.com www.freeezinebucks.com www.nastydollars.com ads.sexplanets.com www.deluxepass.com clicks.oxcash.com
ww2.amateur-pages.com stats.allliquid.com secure1.websitebilling.com www.adultmovienetwork.com www.totally4freecash.com network.nocreditcard.com php.offshoreclicks.com www.nocreditcard.com
media.fastclick.net clicks.uni-cash.com www.clubpix.com programs.wegcash.com in.cybererotica.com www.cybererotica.com cybererotica.com dollartraffic.com
www.xxxesscash.com www.maturemoney.com www.xpays.com www.trueclicks.com www.sexhit.com www.blacksonblondes.com partners.hotgold.com www.thecashzone.com
db.smutcash.com www.eroticcash.com home.vividvip.com www.stiffycash.com gotd.stiffycash.com cash.helmy.com adultmegacash.com amc2.adultmegacash.com
www.candidclicks.com clicks.filthyclicks.com www.eazybucks.com www.bigpay.com www.fatclicks.com stats1.pussypayments.com www.adultbucks.com www.babylon-x.com
www.dollartraffic.com www.tv69.com ww2.amateur-pages.com ctc.japanesegirls.com www.entertainmentcash.com www.mtreexxx.net join.pibcash.com www.n69.com
www.intergal.com www2.seductiveamateurs.com porndollar.com www.porndollar.com www.albionmedical.com www.pillscash.com cart.penispill.com www.pillsmoney.com
www.pillmedics.com www.big-penis.com www.pluspills1.com www.morepenis.com www.1shoppingcart.com www.herbalo.com www.penilesecrets.com www.penispill.com
penismedical.net www.penismedical.net www.herbalbucks.com www.vigrx.com www.rsac.org www.netnanny.com www.cyberpatrol.com www.safesurf.com
www.spyglass.com www.asacp.org www.icra.org www.cybersitter.com www.surfwatch.com

as well as mt.???.mtree.com, where ??? is a number in the range 1..200.

Removal instructions:
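The hosts-file and DefaultPrefix indicators described above can be checked mechanically. The Python script below is an added example written for this description; it is not BitDefender's tooling and not the removal procedure. It parses hosts-file text and reports any entry that either names one of the redirected hosts (a subset of the list above is embedded, plus the mt.N.mtree.com pattern with N in 1..200) or sends any name at all to 66.159.17.25 or 66.159.16.110, and it checks whether a DefaultPrefix value is the virus's redirector. It goes beyond the page in one respect: any DefaultPrefix that is not a bare scheme such as http:// is also flagged, since such a value routes every typed address through another site. The sample hosts text and the file-path helper's default locations are constructed for the demonstration.

```python
"""Check for JS.Fortnight.B@mm indicators: the hosts-file redirections and the
Internet Explorer DefaultPrefix hijack.

Added example for this description, not BitDefender's code.  All input is
passed in as text so the script runs offline; SAMPLE_HOSTS is constructed.
"""
import ipaddress
import re

# The two addresses the virus's hosts file points the listed names at.
FORTNIGHT_IPS = {"66.159.17.25", "66.159.16.110"}

# Subset of the redirected host names from the description (full list above).
FORTNIGHT_HOSTS = {
    "the.sextracker.com", "rd1.hitbox.com", "refer.ccbill.com", "www.ccbill.com",
    "secure.ibill.com", "vip.mtree.com", "www.rsac.org", "www.netnanny.com",
    "www.cyberpatrol.com", "www.icra.org", "www.cybersitter.com", "www.surfwatch.com",
}

# mt.???.mtree.com where ??? is a number in 1..200, per the description.
MTREE_RE = re.compile(r"^mt\.(\d{1,3})\.mtree\.com$")

# The DefaultPrefix value the virus installs.
FORTNIGHT_PREFIX = "http://www.pixpox.com/cgi-bin/click.pl?url="


def is_fortnight_host(name: str) -> bool:
    """True if the name is one of the redirected hosts or an mt.N.mtree.com name."""
    name = name.lower()
    if name in FORTNIGHT_HOSTS:
        return True
    m = MTREE_RE.match(name)
    return bool(m) and 1 <= int(m.group(1)) <= 200


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text; comments and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an "ip name..." mapping line
        for host in fields[1:]:
            yield ip, host


def scan_hosts(text: str):
    """Return the entries that match the infection.

    An entry is reported when the name is on the list (listed_name) or when any
    name, listed or not, is sent to one of the virus's addresses (virus_ip).
    """
    findings = []
    for ip, host in parse_hosts(text):
        listed = is_fortnight_host(host)
        sink = ip in FORTNIGHT_IPS
        if listed or sink:
            findings.append({"ip": ip, "host": host, "listed_name": listed, "virus_ip": sink})
    return findings


def scan_hosts_path(path: str):
    """Scan a hosts file on disk.  The description places the virus's copy in the
    Windows folder (%WINDIR%\\hosts); NT-based systems read
    %WINDIR%\\system32\\drivers\\etc\\hosts, so check both when cleaning a machine."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_hosts(fh.read())


def default_prefix_hijacked(value: str) -> bool:
    """True if IE's DefaultPrefix is the virus's redirector.

    Beyond the page: any prefix that is not a bare scheme (e.g. "http://") is
    also reported, because a prefix containing a host routes every address typed
    without a protocol through that host.
    """
    v = value.strip().lower()
    return v == FORTNIGHT_PREFIX or not re.fullmatch(r"[a-z][a-z0-9+.-]*://", v)


# Constructed sample, not a capture from an infected machine.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
66.159.17.25    www.ccbill.com secure.ibill.com
66.159.16.110   mt.17.mtree.com
10.0.0.5        intranet.example   # unrelated local entry
66.159.17.25    mt.250.mtree.com   # outside 1..200, still sent to a virus IP
"""

if __name__ == "__main__":
    for finding in scan_hosts(SAMPLE_HOSTS):
        print(finding)
    print("DefaultPrefix hijacked:", default_prefix_hijacked(FORTNIGHT_PREFIX))
```

On a real machine, pass the hosts file path to scan_hosts_path and the DefaultPrefix default value (read from the registry) to default_prefix_hijacked; the two IE Control Panel policy values above are a simple equality check and are not repeated here.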
ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher