Select Page

Our researcher Patrick Jordan ran one of the installers from, which is an old fake serial crack site where one can get infected waaaaay too easily. It created a run32.dll which functions as a redirector. When a victim of this searches for the string “remove spyware,” his infected computer re-directs to the web page of security firm Webroot. Clicking on the “Business” tab will take the browser to a redirect site.


On the left is the Webroot page redirect from an infected box and the right is the same action from a clean box.

The sites that it redirects to are typical info-stealing sites with a cheap pay-per-click search pages.

Sunbelt already detects the installer and dll as Trojan.Win32.Generic!BT

Just to clarify: this is not a Webroot issue, the Trojan simply redirects a victim’s browser to the Webroot page to give an appearance of authenticity before redirecting it on to a malicious site.

Thanks Patrick

Tom Kelchner

Fatal error: Uncaught wfWAFStorageFileException: Unable to save temporary file for atomic writing. in /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php:34 Stack trace: #0 /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php(658): wfWAFStorageFile::atomicFilePutContents('/home/eckelberr...', '<?php exit('Acc...') #1 [internal function]: wfWAFStorageFile->saveConfig('livewaf') #2 {main} thrown in /home/eckelberry1966/public_html/sunbeltblog/wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php on line 34