Today I received a Christmas greeting card from a close friend in China. When I clicked the e-card link in Firefox, the page could not be displayed, as I have JavaScript and Cookies disabled in Firefox by default. I then copied and pasted the URL from Firefox into Safari, the only browser on my iMac that has JavaScript and Cookies enabled by default.
Something happened then. A page from 123greetings.com flashed on the screen, followed by a few splashes showing me an animation of a scan running through the system folders of my computer. After that, the following XP-style window appeared on my Leopard desktop and forced me to download two PC executable files with randomized filenames. The active web page had been redirected to scanner2.malware-scan.com.
As I illustrated in the screenshot above, it was a malware attack.
As for Cookies, only 123greetings.com left several items in Safari's Cookie records, as shown below. malware-scan.com left no trace there.
The downloaded executable files were identical except for their filenames. I ran one of them in a disconnected Windows 2000 Server box (a virtual machine), and the file's process appeared in Task Manager. It seemed that nothing happened (of course that's not true). I ran the executable several times, and several individual processes appeared in Task Manager, as follows.
I also noticed that this executable file created a Windows registry item at:
HKCU\Software\Microsoft\Windows\CurrentVersion\ADP = "&swp=1&apx=%s" (where %s is the filename of this downloaded file)
I enabled the network connection on the W2K virtual machine. After a while, a "professional" anti-spyware program, MalwareAlarm 2.1, appeared on the screen and had already started scanning the system. This bloody scanner reported that I had nine threats, and asked me to buy it online in order to activate its Threat Removal function.
TCPView showed that this program (MalwareAlarm.exe) was downloaded from 69.50.175.18.
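The two host-side indicators reported above (the HKCU\...\CurrentVersion\ADP registry value written by the dropper, and the MalwareAlarm.exe process talking to 69.50.175.18) can be checked for in one script. The following is an added example written for this page, not code from the original post or from any of the software it describes; the registry path, value name, value pattern, process name and IP address are taken from the post, while the function names and the netstat parsing are this example's own assumptions.

```powershell
# Added example, not part of the original post.
# Checks a Windows host for the indicators described above:
#   1. HKCU\Software\Microsoft\Windows\CurrentVersion\ADP = "&swp=1&apx=<dropper filename>"
#   2. a running MalwareAlarm.exe process
#   3. an established TCP connection to 69.50.175.18 (the download source seen in TCPView)
# netstat -ano is used instead of Get-NetTCPConnection so the check also works
# on older Windows versions that lack the NetTCPIP module.

function Test-AdpRegistryIndicator {
    param(
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion',
        [string]$Name = 'ADP'
    )
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }          # value absent: not infected by this dropper
    $value = [string]$item.$Name
    # The post reports the pattern "&swp=1&apx=%s" where %s is the dropper's filename;
    # capture that filename so the responder knows which file to collect.
    $dropped = $null
    if ($value -match '^&swp=1&apx=(?<file>.+)$') { $dropped = $Matches['file'] }
    return [pscustomobject]@{ Value = $value; DroppedFile = $dropped }
}

function Test-MalwareAlarmProcess {
    param([string]$ProcessName = 'MalwareAlarm')
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) { return @() }
    return $procs | ForEach-Object {
        [pscustomobject]@{ Pid = $_.Id; Path = $_.Path }
    }
}

function Test-MalwareAlarmNetworkIndicator {
    param([string]$RemoteIp = '69.50.175.18')
    $hits = @()
    # Lines look like: "  TCP    10.0.0.5:1040    69.50.175.18:80    ESTABLISHED    1234"
    foreach ($line in (netstat -ano | Where-Object { $_ -match '^\s*TCP\s' })) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 5) { continue }
        $remote = $fields[2]
        if ($remote -like "${RemoteIp}:*") {
            $hits += [pscustomobject]@{
                Local = $fields[1]; Remote = $remote; State = $fields[3]; Pid = [int]$fields[4]
            }
        }
    }
    return $hits
}

# Run all three checks and report.
$reg = Test-AdpRegistryIndicator
$prc = Test-MalwareAlarmProcess
$net = Test-MalwareAlarmNetworkIndicator

if ($reg) { Write-Warning "ADP registry value present: $($reg.Value) (dropper file: $($reg.DroppedFile))" }
if ($prc) { $prc | ForEach-Object { Write-Warning "MalwareAlarm.exe running, PID $($_.Pid): $($_.Path)" } }
if ($net) { $net | ForEach-Object { Write-Warning "Connection to 69.50.175.18 from PID $($_.Pid): $($_.Local) -> $($_.Remote) ($($_.State))" } }
if (-not ($reg -or $prc -or $net)) { Write-Output 'No MalwareAlarm indicators found.' }
```

Run it from an elevated PowerShell prompt so that the netstat PID column and the process paths are readable; the registry check only covers the current user's HKCU hive, so for a shared machine run it under each account that browsed the page, or walk the corresponding keys under HKEY_USERS.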
There was a business behind this anti-spyware spyware. It even showed me such a screen.
Now you know how this kind of "anti-malware" program works, hmm? :-)
Furthermore, I did a Google search for this, and found that someone had already reported a similar spyware two days earlier, on 21 December 2007.