Maximus rootkit downloads via MySpace social engineering trick.

Published: 2008-04-22
Last Updated: 2008-04-23 17:56:24 UTC
by donald smith (Version: 3)

A reader, GreggS, provided a link to a MySpace page with a specific friendid whose JavaScript pops up a transparent background GIF on top of the normal user page. The transparent background GIF appears to be an Automatic Update of the Microsoft Malicious Software Removal Tool. This is likely to fool a fair number of people.

“Clicking anywhere on the page (on large css layer on top) and your browser initiates a download session from an ftp at microsofpsupports.cn and you are asked to download and/or run (no!) the file. The "Automatic Update" (not "Windows Update") dialog is simply a gif image. http://img404.imageshared.cn/img/20048/removaltool6gx87.gif”
This appears to be a new version of Maximus.

Virustotal results here:
http://www.virustotal.com/analisis/3a29d07603a0430a74e8aa77bc81e6bb

UPDATE

Thanks to Ned, who pointed out that "!Maximus" is the name of the heuristic detection engine for F-Prot (and hence Authentium) rather than the name of the rootkit.
