Gadgetell | Tech News, Reviews, and Interesting Things

New malware attack uses Google AdWords

by Sue Walsh on Jan 23, 2009 at 08:30 AM

Scammers are now using Google AdWords to distribute malware. The new campaign uses the service to spread a compromised copy of the popular WinRAR compression software, directing anyone who clicks their ad links to a fake version of Download.com where they are prompted to download the software.

The download does give the user a full copy of WinRAR, but with malware along for the ride. The installer also places a program called explore.exe in the system32 folder. The program immediately performs a browser hijack by altering the hosts file so that popular homepage sites like Yahoo.com and Google.com instead point to a fake Microsoft Security Center site.

It also displays a pop-up message box once a minute with the message “interval hehehe!!!!!”.  When the user attempts to do a search on the web to find out what’s going on, they are redirected to the fake Microsoft site, which tells them they’ve been infected by a virus or spyware and directs the user to “Download AntiSpyware Now to Fix!”  The link leads to a slick-looking site for AntiSpyware 2009.

A fake scan runs and tells the user they’ve been infected by “intervalhehehe” and urges them to download AntiSpyware 2009 to fix their systems for a mere $39.99.  The program does clean the infection: the infection the scammer put there to get your $39.99!  This is a ransomware-like technique.  True ransomware locks down the user’s computer until they pay up.  This scheme simply annoys them until they do.

The moral of the story?  Be very very careful what you download!  As of now the malicious links are still coming up on Google searches and there has been no comment from Google about the situation.

Read [ZDNet]


Comments
  • Kelly Wright said:

    Google Adwords is a goldmine for scammers of all kinds. It’s not that rare to come across adult ads (though prohibited by Adwords TOS) and warez links. It makes me wonder how efficient Google tracking algorithms are. Being into AdSense, I sometimes receive gambling ads on a totally unrelated website. And torrent trackers are OK with Adwords, too. Google Search Engine itself lists links to malicious websites on top of results, and often without warning “this site can be potentially dangerous”. Why doesn’t it deindex them?..
