Doctor Who Finale Scam Bandwagon Extravaganza of Doom

The mid-series finale for Doctor Who (“A good man goes to war”, fact fans) is rapidly approaching, and big plot twists mean lots of sites trying to take advantage of early spoilers. Oh, and making some spare change at your expense too.

Behold the wonders of YouTube:


If I were a betting man, I’d be putting lots of money on the fact that none of the above sites actually contain “A good man goes to war”, but instead pop survey questions followed by random link dumps. Like this, for example:


Yeah, you have to watch out for videos having “lenght” problems. Visit the site, and you can expect a content gateway and a collection of surveys to pick and choose from:


All you’ll get for your trouble is a lack of good men going to war, and a drastic increase in sites that look like this:


Whoops.

This isn’t the first time Doctor Who has been a magnet for scams – the same thing happened when the last series finale was due to air. There was also a bit of an issue with various Doctor Who games doing the rounds, too. As always: avoid. Everything we’ve seen so far is the usual fake video / survey nonsense, but there could well be malware in the offing between now and Saturday. As the Doctor himself would say

Christopher Boyd

Nyan Cat likes your desktop, fills it with rainbows

If you wanted to see a file that hijacks your desktop with a flying cat shooting rainbows out of his backside then you’ve come to the right place. Based on the popular meme Nyan Cat, Nyancat.exe looks like a perfectly normal 35MB (yes, I know) file.

Until you run it.

Then this happens:


Rainbow propelled cat jacking your desktop ahoy!

The music from the Nyancat website plays in the background too (you know, just in case you still thought the above was a normal feature of Windows. It wouldn’t surprise me though).

Getting rid of it involves not panicking (always a good first step) and opening up Task Manager:

As you can see, Nyancat.exe has a habit of punching your memory usage in the face with a brick, so you may well find the PC gasping and rolling around on the floor a little as you kill the process off. While this is more annoying than malicious, it’s worth noting that a quick scan of search engines reveals Nyancat batch virus coding taking place and some other nasties floating around using the pretence of “strange yet friendly rainbow cat”.

Stay safe, meme fans…

Christopher Boyd

“What’s in the box?”

The good news for Detective Mills is “not her pretty head”.

The bad news for Detective Mills is “some rogue AV”.

It seems poor old Mr Pitt can’t catch a break, because if he isn’t dealing with serial killers doing amusing and inventive things with deadly sins he has websites like The Brad Pitt Fanclub (bradpittfanclub(dot)org/tmp/go(dot)php) directing users to rogue AV installs – and a box, which is as tenuous an excuse as I need to start making wise with the Se7en cracks.

Hitting the above URL will minimise your browser while sending you to defender-lkc(dot)in:


At this point you’ll be offered the box download (well, it looks a bit like a crate but whatever, it’s a box) and opening it up will kickstart an install procedure laced with, oh, at least twenty deadly sins.


Your final destination is “Windows Troubles Solver”, which is not only a name filled with humorous lies but also a horrible piece of rogue AV which you really should remove as soon as possible.


Current VirusTotal scores are 13/42, and we detect this as FraudTool.Win32.PrivacyCenter.ek!a (v). As a bonus, here’s an interesting Kevin Spacey Se7en factoid.

Christopher Boyd

“Install this to get the password”

Ourpcgame(dot)net would like it if you downloaded some of their games.

In the above example we’re looking at Portal 2, though a wide selection is on offer. Under each game, there’s a “Click here for free download” link. Do that, and you’ll end up with two tantalisingly named folders: “CD Keys” and “Game Direct Links”.

Ooh. Except it isn’t so much “Ooh” as “wait, both of these stupid folders are password protected”. That’s right, you’re dealing with what we in the business like to call “bait”. The Readme says this:

“To know password do follow steps:


1. go to ourpcgame(dot)net
2. Look on the left side. click on Babylon banner 
3. download the Babylon Toolbar which is 100% free and safe, install it. you will get  a message after completing the installation.
4. fifth word of that message is the password to open the game links folder.”

Yes. Of course it is.

These files are a little out of date, because the site now sports an eMule download instead. They were pulling this one back in July of 2010 (scroll down). Didn’t work then, either. You install the program regardless, hoping for some red hot password action:


Congratulations, you just installed eMule, Hotbar offer engine, blinkx beat, ShopperReports and QuestScan address bar search provider.

Now wait until the end of time for your free game passwords…

Christopher Boyd

EVE Online: Hostile Takeovers

Some insight into the many goings on in the virtual realm that is EVE Online:

Rival groups from eastern Europe are using botnets to DDoS opponents before taking over their territories. Regular gamers are often caught in the cross-fire of multi-pronged attacks that might occur in game, via DDoS attacks to forums, over VoIP communication systems and late night prank phone calls.

Full story at The Register.

Christopher Boyd

Twitter spam promises Warfare, delivers dating

“Modern Warfare giveaways” on Twitter? Yeah, that’s not going to end well.

Especially as the game isn’t even out yet.

Free games? T-shirts? Guns? Nope, a dating website.


Maybe some of their dates end up resembling an armed conflict in the Balkans or something, but this is definitely not the free Call of Duty giveaway you’re looking for.

The above is fairly harmless (if annoying, assuming you actually expected to see something of value from a random Twitter spam message of course) but it probably won’t be long before all manner of rogue links are being pinged around. Treat any messages sent to you promising Call of Duty freebies with extreme caution.

Christopher Boyd

Modern Warfare 3 demo hits the net, sort of

Modern Warfare 2 raised a lot of questions. How did a regular Marine suddenly end up on a specialist covert mission? Why didn’t he just shoot the terrorists the moment they entered the airport? Why would a US General angry at losing so many troops in the first game decide to get his “revenge” by ensuring thousands more died in a Russian invasion of America? Why was it okay to show Russian tourists killed in an airport but not one single civilian (dead or otherwise) during the American levels? How did Price come to be captured anyway?

Who knows, but that launch trailer above is pretty sweet.

Anyway, Major Game Announcement = shenanigans.

There’s a group being pinged around on Facebook promoting a Modern Warfare 3 demo:


The URL in question is modernwarfare3demo(dot)com(dot)nu, and is being zinged around gaming forums at the moment:


MW3 demo? Haha yeah, nice try. As you’ve probably guessed, this is all about making some survey affiliate cash. The reason given for having to pop surveys this time around is that they’ve been “put in place to guarantee you are not a robot that is harvesting demo downloads”.


I guess every last drop of bandwidth is crucial if you decide to serve demos from a chicken coop located in a field somewhere in Uzbekistan. Or maybe they’re just making poor excuses. Anyway, here’s the first popup:


Pick a survey, fill things in, wave goodbye and good luck to your personal info as it lurches off toward some random third party marketing guy. A year’s supply of coco pops would be pretty cool though.

Anyway, you fill one of those in, click the “Download” link and you come to… another survey, preventing you from gaining access to the Sharecash hosted download.


I don’t know about you guys, but I’m going to roll with “not going to end up with a Modern Warfare 3 demo” for this one.

For now, I’m fairly certain the closest you’ll get to experiencing the thrills of Modern Warfare 3 is this.

Or not…

Christopher Boyd (Thanks to Mr Tom for the tip)

Just try to CAPTCHA me

There are a couple of YouTube-style pages out there right now asking users to fill in “Security Verification” boxes to access the content. Some of these sites spam Facebook profiles once you jump through the CAPTCHA boxes, while others pop up a survey (what else?).

Mylikeshub(dot)com:


Filling in the CAPTCHA takes the user to de85(dot)info, where they’ll get an eyeful of a video about a dad walking in on his daughter doing a dance or whatever.


While you watch the above video (yes, they actually give you a video to watch for a change) your Facebook profile will find itself with a new update:

Whatever words you type in the CAPTCHA are the words that appear on the Facebook post, so the CAPTCHA copy & paste in the example above says “ha haha” (which is probably what your friends will say when they see this appear on your wall).

Here’s videos(dot)lolvids(dot)be after you’ve ventured past the CAPTCHA stage:


Yep, it’s our old friend “Mr Survey Popup box”.

Don’t bother with either of these two – although they are actually offering up content (instead of “rewarding” you with a screenshot of a YouTube video), the content is freely available anyway without having to fill in surveys or spam your profile walls to see it.

Christopher Boyd (Thanks to Wendy for additional research).

Every day is a Birthday Party at Myspac(dot)com

You’d have thought Myspace would have snapped up myspac(dot)com, but it seems to have scampered past them in the night like a small scampery thing that scampers.

The Myspac(dot)com URL will bounce you through a whole bunch of different locations including 1939(dot)com, social-survey-spot(dot)com and socialrewardcenter(dot)com.

When you hit that last one, the “Social Reward Center” tries to make you feel all bad about not taking part in their birthday celebrations.

Did I say “birthday celebrations”? I sure did, because it’s their sixth birthday!


Hooray! Wouldn’t you feel bad if you didn’t get involved?

The answer, of course, is “no”. It isn’t their birthday unless they have one every day as their site seems to claim, and even the Queen only has two a year (unless you’re in Australia, in which case she has at least three).

What do they want you to do? Well, funny you should ask:


Limited quantities of free gifts, hurry up and click the button!


You’re now at Myoffers(dot)co(dot)uk, and you’re asked to hand over your name, address and email. If this doesn’t float your boat (and I’m hoping it wouldn’t), that’s okay – there are plenty more offers to be had!


The one above looks a bit more Facebook-ish, and fires a couple of totally generic and slightly rubbish questions at you of the “are you male / female”, “do you like social networks” variety.


You’re then asked to hand over your mobile number and email address.


Not sure I’ll be signing up to this one anytime soon, especially as the Site Advisor user reviews are so positive. I do like the sound of more birthdays though…

Christopher Boyd
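
An added example, not part of the original post: the myspac(dot)com entry point above is a one-character typo of a well-known domain, and this Python code re-fangs the `(dot)` notation used on this page and flags hosts within one edit of a watchlist. The watchlist, the function names and the distance threshold are assumptions made for the example; the sample sentence is the one from the post.

```python
import re

# Domains to protect (assumed watchlist for this example).
PROTECTED = ["myspace.com", "youtube.com", "facebook.com"]

# Defanged hosts as written on this page, e.g. "videos(dot)lolvids(dot)be".
DEFANGED = re.compile(r"\b[a-z0-9-]+(?:\(dot\)[a-z0-9-]+)+\b", re.IGNORECASE)

# Sample input: the redirect-chain sentence from the post.
SAMPLE = (
    "The Myspac(dot)com URL will bounce you through a whole bunch of "
    "different locations including 1939(dot)com, "
    "social-survey-spot(dot)com and socialrewardcenter(dot)com."
)


def refang(text):
    """Return defanged hostnames found in text, lower-cased, with real dots."""
    return [m.group(0).lower().replace("(dot)", ".")
            for m in DEFANGED.finditer(text)]


def osa_distance(a, b):
    """Optimal string alignment distance.

    Counts single-character inserts, deletes, substitutions and swaps of
    two adjacent characters, which covers the usual typing slips.
    """
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1,          # delete from a
                       cur[j - 1] + 1,       # insert into a
                       prev[j - 1] + cost)   # substitute or match
            # Adjacent transposition: "bu" typed as "ub".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def lookalikes(hosts, protected=PROTECTED, max_distance=1):
    """Map each host that is near, but not equal to, a protected domain.

    A threshold of 1 keeps false positives low; short brand names would
    need an allowlist of legitimate neighbours.
    """
    hits = {}
    for host in hosts:
        for brand in protected:
            if 0 < osa_distance(host, brand) <= max_distance:
                hits[host] = brand
    return hits


if __name__ == "__main__":
    hosts = refang(SAMPLE)
    print("hosts seen:", hosts)
    print("lookalikes:", lookalikes(hosts))
```

Only the entry point is flagged; the later hops in the chain look nothing like a protected name, so catching them takes URL filtering or redirect logging rather than lookalike matching.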

Another day, another Sony breach?

Oh dear.

This isn’t the best of times for Sony. So far we’ve had:

1) Various Sony websites going offline under the weight of numerous DDoS attacks.

2) The PlayStation Network breached, with the personal information of anything up to 77 million users leaked to who knows where, resulting in the PSN being offline for 24 days.

3) Anything up to 24 million users from the SOE service compromised (SOE handles MMORPG titles, like DC Universe, Star Wars Galaxies and the long dead Matrix Online which was the best thing ever).

4) A collection of data related to users who took part in a sweepstake a long time ago left sitting wide open.

5) Password reset questions using information that was compromised the first time around.

6) A Thai Sony website hosting a phishing page and a “virtual cash theft” from a Sony owned ISP.

Now we have what appears to be a dump of information from a Sony BMG Greece website appearing on Pastebin. There are about 400 or so entries, each one containing various bits of information including usernames, names, email addresses and what appears to be the odd phone number.

We haven’t even got to Monday yet!

Christopher Boyd
