Strange Virus Activity – NewHeur_PE

China Modern Search Attack

I’ve noticed some recently increasing activity on the unsolicited comments front to my Crawling Chaos blog as well as trackbacks and pingbacks. This has culminated with something I picked up using my “digital fingerprint”. It’s a link that goes to a webpage like this:

[Image: NewHeur_PE virus dump]

It’s supposedly a simple search string, but it fires up my NOD32 with a nice reply, shown at right, as soon as the page is moved or refreshed. This is especially activated on a page refresh. After activation, it keeps coming back even after doing the correct NOD32 stuff. Finally, the browser crashes out. It takes about 6 goes on NOD32 to terminate and close the virus with the two-step “Terminate” and “Close AV Warning” steps… And it crashes Firefox as well. This means it’s pretty young, as it’s a heuristic detection and the proper terminations are upsetting the system.

As you see, it’s blocking an executable being served from Retaguilas.com. The whois return on this name is like this. Which is not a lot to go on. They seem to want to be alone, or at least private, which is at odds with their actions of spamming loads of sites. When I checked, all there was, was the simple Apache server first page, including the CentOS mention.

So that’s that then! My advice: don’t follow the links through. Every single page on the so-called modernsearch.cn site is a duffer, and something in the page tries to install onto the local PC. There are two JavaScript bits. The first is a toggle that swaps the text supplied from a file between one of two selections, out of user sight. The second is a twat counter button sending back to Russia. There may be more. Life is too short. Just remember, they are all twats.
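If you do want to look at one of these pages without following the link in a browser, the safe way is to save the HTML (for example with a plain fetch that executes nothing) and inspect it offline. The script below is an added example, not code from the original post or from the pages it describes: it parses a saved page with Python's standard HTMLParser, lists the third-party hosts that scripts and iframes pull from, counts inline scripts, and flags elements hidden by `display:none`, `visibility:hidden` or a zero-size iframe, which is where the text-swap toggle and the tracker button described above would live. The sample HTML and every hostname in it are constructed placeholders, not the real sites.

```python
"""Offline triage of a saved spam landing page: list third-party script
and iframe hosts and hidden elements without executing any JavaScript.
Added example; the HTML and hostnames below are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a hidden div that a timer toggles into view, a
# third-party counter script, and a zero-size iframe loading from elsewhere.
SAMPLE_HTML = """<html><body>
<div id="a" style="display:none">search results for hot deals</div>
<div id="b">search results for cheap deals</div>
<script src="https://counter.example.net/hit.js"></script>
<script src="/js/toggle.js"></script>
<script>setInterval(function(){ var a=document.getElementById('a');
a.style.display = a.style.display=='none'?'block':'none'; }, 500);</script>
<iframe src="http://cdn.example.org/loader.php" width="0" height="0"></iframe>
</body></html>"""


class TriageParser(HTMLParser):
    """Collects script/iframe sources and hidden elements from the markup."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.iframe_srcs = []
        self.hidden = []          # (tag, id-or-src) of hidden elements
        self.inline_scripts = 0   # <script> blocks with no src attribute

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self.inline_scripts += 1
        elif tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])
        # Inline-style hiding or a zero-size frame: content the user never sees.
        style = (a.get("style") or "").replace(" ", "").lower()
        zero_box = a.get("width") == "0" and a.get("height") == "0"
        if "display:none" in style or "visibility:hidden" in style or zero_box:
            self.hidden.append((tag, a.get("id") or a.get("src") or ""))


def external_hosts(urls, page_host):
    """Return the distinct hostnames in urls that differ from the page's own host.
    Relative URLs (no hostname) are served by the page host and are skipped."""
    hosts = set()
    for u in urls:
        h = urlparse(u).hostname
        if h and h.lower() != page_host.lower():
            hosts.add(h.lower())
    return sorted(hosts)


def triage(html, page_host):
    """Summarise what a saved page would load and hide, without running it.
    page_host is the hostname the HTML was saved from (an assumption you supply)."""
    p = TriageParser()
    p.feed(html)
    return {
        "external_script_hosts": external_hosts(p.script_srcs, page_host),
        "external_iframe_hosts": external_hosts(p.iframe_srcs, page_host),
        "hidden_elements": p.hidden,
        "inline_scripts": p.inline_scripts,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HTML, "page-host.example"), indent=2))
```

Run it against a page saved with `curl -sS -o page.html URL` and pass the hostname you fetched from; every host it reports is somewhere the page would have sent your browser, and every hidden element is content the author did not intend you to read.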

By Strangely

Founding member of the gifted & talented band, "The Crawling Chaos" from the North-East of England.