A single individual, or a group of individuals whose tracks lead to Turkish people and Chinese hosting or Chinese partners, is spreading viruses through infected files and setup installations shared on vBulletin forums. It seems these individuals have a registration bot with a captcha-bypass mechanism for vBulletin 3.7.xx versions (maybe other versions too), and they are using it to spread all kinds of malware.
I first found this when examining another Kaspersky 2009 installation located at:
http://www.httpshare.net/%E4%E5%F8%E3%E5%FA-%FA%E5%EB%F0%E5%FA-%7C-software-download/427522-kaspersky-antivirus-2009-full-34-p-ece-test-key-no-problem.html
The username spreading this message is "hakan_72_123", and with a simple Google search we can see:
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Ahe%3Aofficial&hs=sgc&q=hakan_72_123&btnG=Search
Hakan is not very shy about using the bot with his own name; go figure, maybe he is infecting thousands of forums manually?!
Anyway, he is on www.vbhackers.com/members/hakan_72_123/, which explains a lot :)
So what did he do? He took the time to upload Kaspersky 2009 to
http://rapidshare.com/files/115362254/Kaspersky_2009_Full_Sueruem_by_hakan.rar
Well, I just checked, and it has been 2 months since I found it and the bad guy has extended the business to torrents too; this is the same virus under the title "Kaspersky Antivirus 2009 Full + Key [App][www.zonatorrent.com]":
http://isohunt.com/download/44622492/kaspersky.torrent
Inside the rar there is a txt file with this text (in Turkish):
1- The program is not a demo, it is the full version.
2- To enter the key, follow this order:
license - merge - activate using key - browse = from here select the folder where you extracted the keys, double-click the one at the bottom of the list, and enter the key.
PREPARED BY: Hakan
www.avrasyaforum.net
What they did is, instead of the standard shared .msi file, they put a WinRAR self-extracting archive with the icon of an msi file. They made the archive so that WinRAR's shell extension doesn't recognize it as extractable. Once executed it drops a file called svchost.exe in "%ProgramFiles%\Outlook Express\", which is a refreshing path to drop a trojan downloader in :)
It executes the svchost.exe (compressed with MiniPE), which then executes the trojan downloaded to %temp%\wmoptimizer.dll using rundll32.exe:
rundll32.exe "%temp%\wmoptimizer.dll", RunSetup_Install
svchost.exe uses the classic URLDownloadToFileW and ShellExecuteW to download and execute:
http://loansquotesinsurance.com/f/Resident.bin
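The three artifacts described above (a self-extracting executable posing as an .msi installer, svchost.exe dropped under %ProgramFiles%\Outlook Express\, and rundll32.exe loading a DLL out of %temp%) are each easy to check for on a host. The script below is an added example written for this post, not the author's tooling: it assumes %SystemRoot% is C:\Windows, the installer name "Kaspersky_2009_Setup.msi" and all sample bytes and process records are constructed, and the RAR signature check simply looks for the archive header embedded after the SFX stub.

```python
"""
Triage checks for the dropper chain the post describes. Added example, not the
author's tooling; every sample input below is constructed, not real malware.
"""
import re
from pathlib import PureWindowsPath

MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound document header: a real .msi
PE_MAGIC = b"MZ"                                  # DOS stub of any Windows executable
RAR_MAGIC = b"Rar!\x1a\x07\x00"                   # RAR archive signature, embedded after an SFX stub

# Assumption: %SystemRoot% is C:\Windows. On 64-bit Windows SysWOW64 also holds a real svchost.exe.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# rundll32 handed a DLL under the temp directory: literal %temp% or an expanded ...\Temp\ path.
RUNDLL_TEMP_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>(?:%temp%|[a-z]:\\[^"]*\\temp)\\[^",]+\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)


def classify_installer(data: bytes) -> str:
    """Say what the bytes really are, regardless of the icon or extension shown to the user."""
    if data.startswith(MSI_MAGIC):
        return "msi"
    if data.startswith(PE_MAGIC):
        return "pe+rar-sfx" if RAR_MAGIC in data else "pe"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "unknown"


def is_masquerading_installer(shown_name: str, data: bytes) -> bool:
    """An 'installer' by name or extension whose content is a self-extracting executable."""
    name = shown_name.lower()
    looks_like_installer = name.endswith(".msi") or "setup" in name
    return looks_like_installer and classify_installer(data) == "pe+rar-sfx"


def svchost_out_of_place(image_path: str) -> bool:
    """svchost.exe anywhere but the system directories, e.g. under Outlook Express."""
    p = PureWindowsPath(image_path)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS


def rundll32_from_temp(cmdline: str):
    """Return (dll, export) when rundll32 loads a DLL from the temp directory, else None."""
    m = RUNDLL_TEMP_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def triage_process(image: str, cmdline: str) -> list:
    """Run both process-level checks on one process record and list the findings."""
    findings = []
    if svchost_out_of_place(image):
        findings.append(f"svchost.exe outside system directory: {image}")
    hit = rundll32_from_temp(cmdline)
    if hit:
        findings.append(f"rundll32 loading {hit[0]} export {hit[1]} from temp")
    return findings


# Constructed samples: a fake RAR SFX stub (PE header followed by a RAR signature) and a fake MSI.
FAKE_SFX = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32 + RAR_MAGIC + b"payload"
FAKE_MSI = MSI_MAGIC + b"\x00" * 64

# Constructed process records modelled on the chain in the post (image path, command line).
SAMPLE_PROCESSES = [
    (r"C:\Program Files\Outlook Express\svchost.exe", "svchost.exe"),
    (r"C:\WINDOWS\system32\rundll32.exe", r'rundll32.exe "%temp%\wmoptimizer.dll", RunSetup_Install'),
    (r"C:\WINDOWS\system32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    (r"C:\WINDOWS\system32\svchost.exe", "svchost.exe -k netsvcs"),
]


def run_triage() -> dict:
    """Run every check over the constructed samples; findings keyed by file name or command line."""
    results = {
        "Kaspersky_2009_Setup.msi": is_masquerading_installer("Kaspersky_2009_Setup.msi", FAKE_SFX),
        "real.msi": is_masquerading_installer("real.msi", FAKE_MSI),
    }
    for image, cmdline in SAMPLE_PROCESSES:
        results[cmdline] = triage_process(image, cmdline)
    return results


if __name__ == "__main__":
    for key, value in run_triage().items():
        print(f"{key!r}: {value}")
```

The file check deliberately ignores the extension and icon the user sees: a genuine .msi is an OLE compound document, so anything starting with "MZ" that also carries a RAR header is a self-extractor whatever it is called. The process checks are the same two conditions a detection rule would carry: svchost.exe with a parent directory other than the system directories, and rundll32.exe whose command line points at a DLL in the temp directory.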
This is the whois information for loansquotesinsurance.com (the email xixipai@hotmail.com also registers http://3290.com; that record follows further below):
Registration Service Provided By: Chinese DQ Network Tech Corp.
Contact: xixipai@hotmail.com
Domain name: loansquotesinsurance.com
Registrant Contact:
Shawn Lee
Shawn Lee
B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr
Guang Zhou, Guangdong 510660
CN
Administrative Contact:
Shawn Lee
Shawn Lee (webmasters@loansquotesinsurance.com)
+86.02033875805
Fax: +86.02033875805
B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr
Guang Zhou, Guangdong 510660
CN
Technical Contact:
Shawn Lee
Shawn Lee (webmasters@loansquotesinsurance.com)
+86.02033875805
Fax: +86.02033875805
B-902,Zhongxing Huayuan,No.1102,Zhongshan Dadao,Tianhe Distr
Guang Zhou, Guangdong 510660
CN
Registration Service Provided By: Chinese DQ Network Tech Corp.
Contact: xixipai@hotmail.com
Domain name: 3290.com
Administrative Contact:
Chinese DQ Network Tech Corp.
Ren XiaoFeng (xixipai@hotmail.com)
+1.05306260800
Fax: +299.05306260803
ZhongHuaDonglu 1038hao
HeZe, 274000
CN
Technical Contact:
Chinese DQ Network Tech Corp.
Ren XiaoFeng (xixipai@hotmail.com)
+1.05306260800
Fax: +299.05306260803
ZhongHuaDonglu 1038hao
HeZe, 274000
CN
Registrant Contact:
Chinese DQ Network Tech Corp.
Ren XiaoFeng
ZhongHuaDonglu 1038hao
HeZe, 274000
CN
Well, this is the part where I can only say: if you are reading this and are in some kind of cyber police, DO SOMETHING!!!