View Full Version : Fake Google site installs malware

2008-02-02, 00:10

- http://blog.trendmicro.com/another-italian-job-or-a-gooogle-job/
February 1, 2008 - "Yesterday we received reports of a malicious website that targets Italian users. This particular malicious website purports itself to be a tour and travel operator for India... Once the file “Registrazione” is installed on a system, it automatically redirects to a horoscope website, which in fact has nothing to do with Travel Tour Operator... Note that the file registrazione.exe (TROJ_AGENT.AAFY) downloads other malware components, such as TROJ_AGENT.ZTH. After the download and installation are completed, the browser application indicates that an error occured during loading the ‘desired’ web site. The easiest and fastest way to continue when Internet Explorer (IE) browser crashes, is to open a new browser — but upon doing so, the user will find out that the IE start page points to a new website, www .qoogler .com, which poses as the legitimate Google website... As anyone may wonder, this is not a typographical error from our part, but it is indeed “qoogler.com” which poses to be the Google search engine. Have a look closer at the page, and note that Google became “GOOOGLE”. It also has an “AstroGooogle” link, which sends you back to the first astrology website we mentioned above. This is another social engineering technique that this malware employs to fool users into downloading its components... The file GobbaEvo.exe is also detected as TROJ_AGENT.AAFX. In the infection stage... the search result page asks for installation of a new program to resolve yet an other issue with Internet Explorer. The downloaded file is, of course, yet more malware that redirects the user to an adult page, but still under the guise of qoogler .com..."

(Screenshots available at the URL above.)