Patrick came across a new Trojan today that uses the CloneCashSystem site (WHOIS registration date Oct. 2).
Patrick’s note:
“My iframedollars downloaded a Trojan from a VX Catus site dl.guarddog2009.com/bookmark.exe.
“The 3 kb Trojan’s only function is to change the user’s start page to: join. clonecashsystem com/track/NjU1ODMuMjYuMzEuMzUuMC4wLjAuMC4w, which is one of those free report sites. It tries to get you to buy a get-rich-quick scheme.
“The start page is similar to the old CWS hijacking start page Trojans. I have named it Trojan.StartPage.CloneCashSystem.”
[NOTE: only go to the URLs mentioned here with caution.]
Thanks, Patrick
Tom Kelchner
Update 11/9: We changed the description of CloneCash in the blog post since it is merely a site pointed to by iframedollars/virut. Patrick wrote the following after further investigating:
“The CloneCashSystem is really only free videos of how to make money on the Internet and not a scam; however, its URL is used in a TrojanStartPage with the file coming from a malicious site.
“The bookmark.exe has changed now to using join.123cashsurveys.com as the StartPage Hijacking.
“Due to the change and as I now have over 100 sites that could end up being used and may come under 3 business aliases, I have changed the threat from Trojan.StartPage.CloneCashSystem to Trojan.StartPage.SSSPP.
“For eternal use the SSSPP will stand for Schemes, Scams, Spams, and Pyramid Plans.”