SANS ISC: Quick Launch toolbar spyware - SANS Internet Storm Center SANS ISC InfoSec Forums


Quick Launch toolbar spyware

We received a few reports of e-mails advertising the 'quick launch' spyware as
an antivirus tool. A typical e-mail reads:

--------------------------------------------------------------------------------

Subject: Windows Update Notification

WINDOWS SECURITY WARNING!!

A VIRUS HAS BEEN DETECTED ON YOUR COMPUTER. IN ORDER FOR YOUR COMPUTER
NOT TO CRASH YOU WILL NEED TO GO TO:

HTTP://WWW.WINDOWSUPDATENOW.COM

AND IT WILL AUTOMATICALLY UPDATE YOUR COMPUTERS SECURITY PATCHES.

SIMPLY TYPE IN HTTP://WWW.WINDOWSUPDATENOW.COM INTO YOUR BROWSER. OTHERWISE
YOU WILL KEEP RECEIVING THIS SECURITY ALERT EMAIL EVERY DAY

---------------------------------------------------------------------------------
Note the use of a 'plausible' domain name: windowsupdatenow.com

This domain does not belong to Microsoft:

( This Domain is For Sale )
Joshuathan Investments, Inc.

62 Cleghorn Street

Belize City, Belize none

US


Domain Name: WINDOWSUPDATENOW.COM
Administrative Contact -

This Domain Is For Sale - joshuathaninvest@aol.com

( This Domain is For Sale ) Joshuathan Investments, Inc.

62 Cleghorn Street

Belize City, Belize none

US

Phone - 501-2-31244

Fax - 501-2-34222



Technical Contact -

This Domain Is For Sale - joshuathaninvest@aol.com

( This Domain is For Sale ) Joshuathan Investments, Inc.

62 Cleghorn Street

Belize City, Belize none

US

Phone - 501-2-31244

Fax - 501-2-34222

Once you visit this page, it redirects you to another
URL (http://www.quicklaunch.com/perl/detection.pl).

That URL attempts to install the
quicklaunch toolbar (http://download.quicklaunch.com/quicklaunch154.cab),
a known spyware program.

Removal instructions are available here:
http://www.doxdesk.com/parasite/BrowserAid.html
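
A mail-filter check for the 'plausible' domain name trick described above, as an added example that is not part of the original diary: it extracts URLs from a message body and flags hosts that embed a vendor brand token without being a vendor domain or a true subdomain of one. The allowlist, the token list and the sample text (apart from the lines quoted from the e-mail above) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative allowlist of vendor-owned domains; maintain your own.
VENDOR_DOMAINS = {"microsoft.com", "windowsupdate.com"}
# Assumption: brand tokens that are suspicious inside a non-vendor hostname.
BRAND_TOKENS = ("windowsupdate", "microsoft")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def hostname(url):
    """Lower-cased host of a URL, without port, userinfo or trailing dot."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed netloc, e.g. an unbalanced '['
        return ""
    return host.rstrip(".")


def is_vendor_host(host):
    """True only for an allowlisted domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def lookalike_urls(body):
    """Return sorted (host, token) pairs for brand-lookalike hosts in body."""
    hits = set()
    for url in URL_RE.findall(body):
        host = hostname(url)
        if not host or is_vendor_host(host):
            continue
        # Drop separators so "windows-update" and "windows.update" also match.
        squashed = host.replace("-", "").replace(".", "")
        for token in BRAND_TOKENS:
            if token in squashed:
                hits.add((host, token))
                break
    return sorted(hits)


# First two lines are from the e-mail quoted above; the last line is constructed.
SAMPLE = """Subject: Windows Update Notification
SIMPLY TYPE IN HTTP://WWW.WINDOWSUPDATENOW.COM INTO YOUR BROWSER.
See http://update.microsoft.com/ and http://windowsupdate.com.example.net/x
"""

if __name__ == "__main__":
    for host, token in lookalike_urls(SAMPLE):
        print(f"lookalike host {host!r} embeds brand token {token!r}")
```

The suffix comparison in `is_vendor_host` is what keeps `windowsupdate.com.example.net` from passing as a vendor host; a plain substring test against the allowlist would accept it.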
Handlers
