« Iframes, PDF exploits and RBN
Conficker / Downadup / Kido to get nastier on April 1st?? »

The Return of the Hijacked Desktop

March 23rd, 2009

Is this really a return? Maybe not, since it never went away. But I was surprised nonetheless to see that it was still exploited.

It starts with an Acrobat Reader exploit… pushing an executable (wJQs.exe):

warn4

A few seconds later, your desktop is changed to display this:

warn1

A few more seconds later, a rogue anti-spyware program pops up. This one is Antivirus XP Pro.

warn3

I checked its main site and found some disturbing contradictions in their “About Page”.

Other than the ridiculous marketing propaganda, it looks like the good old ‘copy and paste’ went awol. In particular, it mentions AVSystemcare… Yes, you heard it right!
Same folks? It is quite likely. Or maybe they were just lazy and re-used a template. 

warn2

Jerome

RSS feed to this site Twitter Linkedin YouTube Channel

 

RSS feed to this site Jerome Segura is a Security Analyst working at ParetoLogic.

You can contact him at:
MalwareDiaries Email

 

Pages




Security Software




Malware Top 10




Archives




Categories
 
 
 

© 2009 ParetoLogic Inc.