The hijacked IE homepage; the art of repetition ... again
Everything about these fake codecs (and other ZLob installers, like the PornPass Manager) seems to be about repetition, doesn't it?
As you can see in my list of fake codecs, there are new variations on the same theme almost every week ... but they all have the same payload:
- a fake codec, which in fact is a Trojan.Downloader.ZLob variant
- a fake malware scanner, at this moment usually VirusBursters, which is a repetition in itself because it really is VirusBurster, which started its life as VirusBurst.
- Public Messenger ver 2.03 ... also a ZLob variant
- Safety Alerter 2006, recognizable as the small icon in your taskbar that keeps screaming about the danger your computer is in. Click it and you're screwed even more: it downloads another Smitfraud variant ... giving you even more trouble.
- Internet Explorer Security Plugin. Generates popups and, depending on the version, a toolbar (which I already discussed a while ago).
Now, one of the things you will notice after installing a fake codec (apart from the fake scanner, the flashing icons and the popups) is that Internet Explorer has lost its way ... Your start page has been altered and there is no way you can get it back to your own start page. IE's start page (among other settings) has been hijacked.
It now points to a website with the catchy label "Internet Security".
... and again, the name of the game is repetition.
Look at the six pictures below ... It's the same site, right?
WRONG!
They are actually six different sites, all of them of course courtesy of ESTDOMAINS INC
(now, I assume that those who read my stuff also know that visiting these sites is dangerous and unhealthy for a computer ....)
But why, you'll probably wonder, do they change domain so often yet leave the site as it is?
It's like moving to another city and taking not only the furniture with you but the house as well ...
Again, this is quite simply the quickest way to avoid detection: as soon as one domain becomes known as a fake-scanner site, a fresh domain name in front of the very same content makes it "unknown" again.
They just change the domain name and leave the site itself intact.
That way they try to stay unknown as a site that offers fake malware scanners ... hoping people fall into their trap and download/install one of the fakes they offer on the page.
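The flip side of that trick is that a site which only changes its address is trivial to recognise by its content. The script below is an added example (mine, not code from the original post or from any of the forums mentioned): it fingerprints pages after stripping the one thing that legitimately changes on a move, the site's references to its own hostname, and then groups hostnames that serve the same page. The sample pages and the ".example" hostnames are constructed for the demo and are not the ESTDOMAINS domains from the screenshots.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample input (not captures from the original post): three hypothetical
# hostnames serve the same "Internet Security" page, differing only in self-references
# and whitespace; the fourth is an unrelated page that must not be grouped with them.
SAMPLE_PAGES = {
    "http://internet-security-one.example/": (
        "<html><head><title>Internet Security</title></head>\n"
        "<body><h1>Internet Security</h1>\n"
        "<p>Your computer is infected! Download VirusBursters now.</p>\n"
        '<a href="http://internet-security-one.example/VirusBursters.exe">Download</a>\n'
        '<img src="http://internet-security-one.example/img/alert.gif">\n'
        "</body></html>"
    ),
    "http://internet-security-two.example/": (
        "<html><head><title>Internet Security</title></head>"
        "<body><h1>Internet   Security</h1>"
        "<p>Your computer is infected! Download VirusBursters now.</p>"
        '<a href="http://internet-security-two.example/VirusBursters.exe">Download</a>'
        '<img src="http://internet-security-two.example/img/alert.gif">'
        "</body></html>"
    ),
    "http://www.internet-security-three.example/index.html": (
        "<html><head><title>Internet Security</title></head>\n"
        "<body><h1>Internet Security</h1>\n"
        "<p>Your computer is infected! Download VirusBursters now.</p>\n"
        '<a href="/VirusBursters.exe">Download</a>\n'
        '<img src="/img/alert.gif">\n'
        "</body></html>"
    ),
    "http://unrelated.example/": "<html><body><h1>Welcome</h1></body></html>",
}


def bare_host(url):
    """Lower-cased hostname of url without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def normalize(url, html):
    """Remove what changes when the same site moves to a new domain:
    absolute self-links become relative, any other self-reference becomes a
    placeholder, and whitespace (including newlines between tags) is collapsed."""
    host = bare_host(url)
    text = html
    if host:
        self_ref = r"(?:www\.)?" + re.escape(host)
        text = re.sub(r"https?://" + self_ref, "", text, flags=re.IGNORECASE)
        text = re.sub(self_ref, "{self}", text, flags=re.IGNORECASE)
    text = re.sub(r"\s+", " ", text).strip()
    return re.sub(r">\s*<", "><", text)


def fingerprint(url, html):
    """SHA-256 of the domain-independent form of the page."""
    return hashlib.sha256(normalize(url, html).encode("utf-8")).hexdigest()


def cluster(pages):
    """Group hostnames by content fingerprint: {fingerprint: [host, ...]}."""
    groups = {}
    for url, html in pages.items():
        groups.setdefault(fingerprint(url, html), []).append(bare_host(url))
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def rotating_sites(pages, min_hosts=2):
    """Host groups that serve one and the same page from at least min_hosts
    different domains: the 'same house, new address' pattern."""
    return [hosts for hosts in cluster(pages).values() if len(hosts) >= min_hosts]


if __name__ == "__main__":
    for hosts in rotating_sites(SAMPLE_PAGES):
        print("same site on", len(hosts), "domains:", ", ".join(hosts))
```

Fed with pages you have actually fetched (in a sandbox, never on a machine you care about), the fingerprint of a known fake-scanner site can be compared against every new domain that turns up in a hijacked start page, and a match identifies the "new" site before anyone has to look at it.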
I hope my message is clear ... If you run into a fake codec (or similar ZLob installer) and your IE homepage looks like this, then leave IE alone and use e.g. Firefox instead ... at least until you are relieved of this pest.
Forums that are glad to help you get rid of them: Hijackthis.nl (my Dutch home forum) and Security Cadets (the English forum of Andyathull ... it's just like home to me ... ;-) )