Sponsored by..

Friday, 27 March 2009

"Shanghai QiPeng Network Information Technology" / "Sopper Investment Co. LTD"

This particular pitch has been around for a long time - a domain name registrar (or reseller) who is "checking" about a domain registration that might infringe on your trademarks. Of course, registrars are not responsible for checking trademarks (can you imagine how complicated and expensive the process would be!)

Usually this approach is an attempt to get you to register useless domain names at inflated prices.. and in all probability these domain names they are warning about will never even be registered. If you really are concerned, then register them through a reputable registrar, else you are best off ignoring it.

Subject: Domain Issues for "[redacted]"
From: "Ramon zhang"
Date: Fri, March 27, 2009 9:20 am

If you are not the person who is in charge of this, please forward to the right person/department. Thank you)

Dear CEO,

We , a registrar organization in China, have something to check with you. We received an application today One South Korea company called " Sopper Investment Co. LTD" is applying for "[redacted]" as internet brand and following Asian/.CN domain names to use.
[redacted].com.tw
[redacted].hk
[redacted].in
[redacted].net.cn
[redacted].org.cn
[redacted].tw

After our initial checking, we found the internet brand and keyword of these domain names are as same as your company¡¯s.Because of it involves your company's intellectual property, so we need to check this with your company. If the aforesaid company is your subsidiary company or your business partner, please DO NOT reply us, we will approve the application automatically. If you have no any relationship with this company, please contact us within 7 workdays. If out of the deadline, we will approve the application submitted by "Sopper Investment Co. LTD" unconditionally.
Look forwarding to hearing from you.Thanks.

Best Regards,

Ramon Zhang
Leader Checker
Shanghai QiPeng Network Information Technology Co.,Ltd
Tel£º +86-21-6992-9440 Fax£º +86-21-6992-9447

Postal Code£º 200063
website:http://www.qipeng.org.cn


Shanghai QPNIC Web Property Solutions Limited is a comprehensive company engaged in the Internet intellectual property services that mainly provides network-based service, network intellectual property service.
Company objective: The good faith first, the customer is supreme.

The same approach can be seen here and here.

Thursday, 26 March 2009

dns@nisource.com Joe Job

NiSource is a US electricity and gas provider. This spam appears to be a Joe Job aimed at the DNS support mailbox at that company. In this case the originating IP is 166.156.53.33.

From: Mabel Mcdaniel [mailto:dns@nisource.com]
Sent: 26 March 2009 14:55
To: [redacted]
Subject: Replica Watches

A lot of brands, 100-300 usd.
Mail to order: dns@nisource.com

Since the email is soliciting replies via email, it is most likely a revenge attack for something or other.

Monday, 23 March 2009

Video: Beware of the Monkeys

Don't give the monkeys a socket set (source: IET)

songmeanings.net compromised?

songmeanings.net is a popular and relatively crud-free lyrics site that attracts millions of visitors a year. Alexa ranks it as about the 5000th most popular site in the world (dynamoo.com ranks in at about 290,000).

Unfortunately, the email database at songmeanings.net appears to have been compromised and the email addresses are now receiving "Canadian Pharmacy" spam routed via spaces.live.com. It is unknown if any other details have been taken, in all likelihood this is probably a trojan that has taken email addresses only.

(They are not the only one. Tradedoubler is an advertising network that has been similarly compromised).

Pozde.com domain valuation scam

A copy of the recent Pedma.com domain appraisal scam, this time with the name pozde.com. The pitch is something similar to the following:

Dear sir,

we are interested to buy your domain name [REDACTED] and offer to buy it from you for 70% of the appraised market value.

As of now we accept appraisals from either one of the following leading appraisal companies:

sedo.com
pozde.com
moniker.com
accuratedomains.com

If you already have an appraisal please forward it to us.

As soon as we have received your appraisal we will send you our payment (we use Paypal for amounts less than $2,000 and escrow.com for amounts above $2,000) as well as further instructions on how to complete the transfer of the domain name.

We appreciate your business,

Thanks,

P. Jackson
Pozde.com is the fake appraisal site, and because it is cheaper than the others (which are legitimate) there's a chance you will try to use it. Although this time they have remembered to give you a box to specify your domain (they didn't with the old version), you should be under no doubt that this is an attempt to defraud.

The WHOIS entry for pozde.com is a crude fake:

Registrant:
Richard Smith
563 queen st
bruckberg, er 54767
Iceland

Domain Name: POZDE.COM
Created on: 19-Nov-08
Expires on: 19-Nov-09
Last Updated on: 20-Mar-09

Administrative Contact:
Smith, Richard admin@bizing.biz
563 queen st
bruckberg, er 54767
Iceland
+1.9024312570 Fax --

Technical Contact:
Smith, Richard admin@bizing.biz
563 queen st
bruckberg, er 54767
Iceland
+1.9024312570 Fax --

Domain servers in listed order:
NS1.IPNAMES.NET
NS2.IPNAMES.NET
In fact, it is actually registered to:

Registrant:
Manuel Fichter
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada

Domain Name: POZDE.COM
Created on: 19-Nov-08
Expires on: 19-Nov-09
Last Updated on: 05-Mar-09

Administrative Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024312570 Fax --

Technical Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024312570 Fax --
You should also consider the domains tysoo.com (recently bought by Manuel Fichter) and dexpay.com as suspect, because it seems that there is a pattern emerging here.

So why is it a scam? Pedma.com was definitely a scam - when you sent off your PayPal payment there was no way to specify what you wanted appraising, the fact that Pozde.com has added this in is immaterial. The WHOIS entry is fake (the registrant is in Canada, not Iceland).

Site is hosted on 124.217.231.173 in Kuala Lumpur. Send abuse reports to abuse -at- piradius.net.

If you feel that you have been defrauded and you live in Canada, you can file a complaint with the RCMP.

Added: some other domains to watch out for, owned by the same person are:

  • veecs.com
  • grooc.com
  • usbabes.info
  • tysoo.com (being transferred)
  • dexpay.com
  • bizing.biz
  • fastbooster.com
  • moviesforme.org
  • casinocrew.com

Tuesday, 17 March 2009

pedma.com domain appraisals?

From time-to-time I get a unsolicited offers to buy domains that I hold, so it isn't wholly unexpected to get the occasional email about them. Here's one that came in today:

Subject: Regarding your domain [REDACTED].COM
From: "James Johnson" j.johnson98@rocketmail.com

Hello,
I came across your domain name [REDACTED]COM and I would be interested in buying it from you.
Here is my offer, you have to send me a professional appraisal from one of the following companies. and I will pay you 85% of the appraised price.
For payments under $2000 I prefer to use paypal. And for larger amounts of money I prefer if we used escrow.com

I accept appraisals from any of these companies:

-sedo.com
-pedma.com
-accuratedomains.com

If you already have an appraisal from one of those companies please forward it to me, and we will do business.

Regards,
James Johnson
For reference, the relevant mail headers are:

Received: from eatfire.nexcess.net (208.69.122.200)
by [redacted] with SMTP; 17 Mar 2009 10:07:22 -0000
Received: (qmail 10697 invoked by uid 108); 17 Mar 2009 10:06:16 -0000
Received: from unknown (HELO LYNKSIS) (admin@1nb0x.com@174.133.179.205)
by eatfire.nexcess.net with ESMTPA; 17 Mar 2009 10:06:16 -0000
From: "James Johnson"
Subject: Regarding your domain [redacted]
To: [redacted]
Well, my spidey sense started to tingle. The domain in question is not great and I'm really holding it for a future project that I haven't gotten around to. So I have certainly never had it professionally appraised.

So, let's say that I'm interesting in selling this domain and want to get a professional appraisal. Sedo charge $29, Accurate Domains charge $27 and Pedma charges $22.95. What's more, Pedma promises to refund your appraisal money or buy the domain itself if you don't sell it within 6 months.

Pedma looks like the best option. But who are they exactly?

Here's the thing - there is almost nothing about them in Google. It looks like they have been in the domain appraisal business for hardly any time at all. So isn't it odd that they are being recommended?

Let's look at the WHOIS details:

Registrant:
Billy McDOW
366 Kingswood Dr
Bedford, Nova Scotia B4B 1T8
Canada

Domain Name: PEDMA.COM
Created on: 01-Jul-08
Expires on: 01-Jul-09
Last Updated on: 12-Mar-09

Administrative Contact:
McDOW, Billy support@pedma.com
366 Kingswood Dr
Bedford, Nova Scotia B4B 1T8
Canada
9024950112 Fax --

Technical Contact:
McDOW, Billy support@pedma.com
366 Kingswood Dr
Bedford, Nova Scotia B4B 1T8
Canada
9024950112 Fax --

Domain servers in listed order:
NS1501.HOSTGATOR.COM
NS1502.HOSTGATOR.COM
It's hard to say if the details are genuine or not, but it certainly isn't an obvious fake. But a few days ago, pedma.com was registered to someone else:

Registrant:
Manuel Fichter
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada

Domain Name: PEDMA.COM
Created on: 01-Jul-08
Expires on: 01-Jul-09
Last Updated on: 05-Mar-09

Administrative Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024950112 Fax --

Technical Contact:
Fichter, Manuel admin@bizing.biz
38 Matthew Drive
Hammonds Plains, NS B4B 1T8
Canada
9024950112 Fax --

Domain servers in listed order:
DNS53-1.NEXCESS.NET
DNS53-2.NEXCESS.NET
About the same time, the IP address of pedma.com changed from 208.69.122.200 to 174.132.194.58. Now, the 208.x.x.x address was mentioned a few days ago on another blog for questionable domain practices, so you might suggest that this is not a coincidence.

The site itself seems to be free of malware, so poking around at the pedma.com site reveals a few other interesting things.

Click through to the Contact page:

The following contact details are listed:

20 Crawford Street
London
W1H 1PJ
United Kingdom

Email: support@pedma.com
It looks like this may be an accommodation address or perhaps a virtual office of some sort, probably located above a shop [sorry, IE required]. Definitely not Canada. (Update: it looks like a branch of Mail Boxes Etc thanks to Google's new UK streetview.)

Clicking through on the "Buy Now" link takes you to a PayPal page, also mentioning Canada:


The payee is "Unique Desktop". Whoever they are. This is one of the weakness of PayPal - I don't really have an idea who I am dealing with here. I don't advise that you pay them anything, indeed there is no part of the payment process that actually specified what domain you want appraising or your contact details.

A further clue that something is wrong comes from their "Service" page which contains the following text:


How much is your domain really worth? An expert evaluation of a domain name's value is critical intelligence for domain buyers and sellers looking to determine a fair market price. An appraisal is your first step to making a great sale!

Every appraisal individually researched by domain industry pros, because no software is a substitute for real-world experience.

Your domain name could be worth thousands of dollars and may even be tax deductible!

Join many others who discovered what their domains were worth using our Domain Name Appraisal Service! Your domain will be appraised based on a number of separate factors including marketability, brand recognition, unique type in traffic, and comparison with other domain name sales. In addition to the following criteria:

* TLD Value
* Length
* Hyphen
* Web Frequency
* Search Frequency
* Industry Value

After you make your first purchase we will email you your Pedma Account log in information. Once you are logged in, you will find all your domain appraisals neatly organized (including appraisal reports, and appraisal banners). We make it easy to keep track of all your appraisals!
In fact, the majority of this text is stolen directly from Sedo and Moniker - it's a straight copy-and-paste job.

So: this "appraisal" site appears to have been active for just a few days, the site content is stolen from others, the contact details on the page do not match the WHOIS, the payment process does not allow you to specify the domain to appraise and your contact details, and the IPs have recently been connected to another dubious domain name pitch.

It looks on the surface as if this is an attempt to get people to sign up for this so-called appraisal service, and nothing more. Pedma.com is certainly not a recognised or trustworthy site, so it is likely that the offer to buy the domain is similarly dubious. Of course, if you work for Pedma.com, please feel free to correct any errors in the comments section below.

If you have spent any money on the appraisal, then I would advise you to start a PayPal dispute to recover the money as there is some evidence to suggest that the original offer is not genuine.

Additional information:
a bit more research shows indicates the domain pedma.com was sold via eBay item #170253846100 in August 2008 to a member called unique*money, presumably this is Manuel Fichter.





Now, it might be that Mr Fichter sold the domain on and perhaps it is a coincidence that the new owner lives in the same area and has used exactly the same telephone number. Note that the seller "bargaindomains" is a reputable eBay seller who just sold the domain on in August.

About the London address: there is no company by the name of "Pedma" operating in the UK, according to Companies House.

The PayPal billing name of "Unique Desktop" is connected with the domain "fastbooster.com". The terse WHOIS details for that mention an email address of willyfichter@googlemail.com, but earlier last year it had a rather more full domain description:

Owner Contact:
Willy Fichter
Immo-World24 Limited
Am Soeldnermoos 17
Hallbergmoos, 85399, DE

Punycode Name: fastbooster.com
Unicode Name: fastbooster.com

Admin Contact
Willy Fichter

willyfichter@googlemail.com
Am Soeldnermoos 17
Hallbergmoos, 85399, DE
phone: +49 89381684552

Technical Contact
Hostmaster Strato Rechenzentrum
Cronon AG Professional IT-Services
hostmaster@cronon-isp.net
Emmy-Noether-Str. 10
Karlsruhe, D-76131, DE
phone: +49 72166320305

Zone Contact
Hostmaster Strato Rechenzentrum
Cronon AG Professional IT-Services
hostmaster@cronon-isp.net
Emmy-Noether-Str. 10
Karlsruhe, D-76131, DE
phone: +49 72166320305

Record expires on: 2009-05-04 20:35:24

Domain servers in listed order:

shades02.rzone.de
docks18.rzone.de

It is hard to be 100% certain who is sending out these "offers". But at a guess, one of these Mr Fichters might have an idea.

Update:
pedma.com has been suspended by HostGator. Yeay.



Another update (18/3):
The owner of pedma.com is now desperately trying to punt the domain name on Sedo for $1000, which is a bit rich considering that he ripped off Sedo's text for the fake appraisal site!


Friday, 13 March 2009

Adobe9.0-PDF.com

Here's an oddity when typing "Adobe" into Google.

The first ad refers to a web site called Adobe9.0-PDF.com - that's not Adobe, surely?


Nope.. it doesn't look like Adobe. Let's scroll down a bit


The bit at the bottom is interesting:


All tademarks and copyrights are used for comparison and/or compatibility purposes only and are the property of their respective owners. This website has no affiliation whatsoever with the owner of this software program and does not re-sell or license software. All software is freeware and/or shareware with the understanding that the user may need or want to pay for it later. Membership is for unlimited access to our site's resources. We provide an organized website with links to third party freeware and shareware software, technical support, tutorials and step by step guides.
To cut a long story short, you have to pay to download this free software (this is for "support").. of course you could just download it directly from Adobe.

So, this is kind of curious. Who's running this site? A look at the WHOIS for 0-pdf.com shows an anonymous registration, so no clue there.

The site is hosted on 208.118.54.244 along with several others:

  • 0-pdf.com
  • 1-pdf.com
  • Burning-toolz.com
  • Downzfree.com
  • E-s0ftware.com
  • Es0ftware.com
  • Freedownloadhq.com
  • Freedownloadsnow.net
  • Grafix-viewer.com
  • Internet-callz.com
  • Mediaplayer-stop.com
  • Populartitlez.com
  • Security-bundle.com
  • Virus-tools.com
  • Xtremesoftware-ltd.com
They are all anonymous registrations apart from the last one:

Registrant: Xtreme Software Ltd.
7 Petworth Road

Haslemere,
Surrey GU27 2JB

United Kingdom

Domain Name: XTREMESOFTWARE-LTD.COM
Created on: 13-Apr-07
Expires on: 13-Apr-09
Last Updated on: 13-Apr-08
Administrative Contact:
Software Ltd, Xtreme Support@XtremeSoftware-Ltd.com
Xtreme Software Ltd.
7 Petworth Road
Haslemere,
Surrey GU27 2JB
United Kingdom
8007843167 Fax --
Technical Contact: Software Ltd, Xtreme Support@XtremeSoftware-Ltd.com
Xtreme Software Ltd.

7 Petworth Road

Haslemere,
Surrey GU27 2JB

United Kingdom

8007843167 Fax --

Domain servers in listed order:

NS1.COVERTTECHNOLOGY.NET
NS3.COVERTTECHNOLOGY.NET
NS2.COVERTTECHNOLOGY.NET


Incidentally, shuffle across a few IPs to 208.118.54.247 and there seems to be another server belonging to the same outfit.
  • 11-now.com
  • 7-now.com
  • 8-now.com
  • 8-pdf.com
  • 8-software.com
  • 8-ultra.com
  • 9-express.com
  • 9-now.com
  • 9-ultra.com
  • Anti-viruz.net
  • Antiviruz-now.com
  • Avast-hq.com
  • D0wnloadz.net
  • Download-9.com
  • Downloadcenterz.com
  • Downloadzcenter.com
  • Downloadznow.net
  • Downloadzsoftware.com
  • Dvdshrink-hq.com
  • Ed0wnloads.com
  • Esoftware-now.com
  • Irfanview-center.com
  • Irfanview-hq.com
  • Mediaplayer-hq.com
  • Panda-hq.com
  • Pdf-now.com
  • Pdf-soft.net
  • Powerdvd-7.com
  • Rarsoftware.com
  • S0ftware-now.com
  • S0ftware.com
  • S0ftwarez.com
  • Software-hq.net
  • Softwarecenterz.com
  • Swhq-cs.com
  • Tutorial-hq.com
  • Winamp-hq.com
  • Winrar-hq.com
So, it looks like a UK company - and indeed Companies House lists XTREME SOFTWARE LTD (company 05604124) at being associated with that address, but states that it is dissolved. Another company, XTREME-SOFT LTD 05723281 is listed at the same address.

Company records for Xtreme Software Ltd indicate that it was forcibly dissolved, and the director was:

DIRECTOR: SHULLICK, DAVE
Appointed: 07/11/2005
Date of Birth: (redacted)
Nationality: HUNGARIAN
No. of Appointments: 1
Address: 6434 BAY CEDAR LANE
BRADENTON
MANATEE
FLORIDA 34203
USA

Dave Shullick is also linked with the domain xtremetransactions.com and Xtreme Innovations, LLC of Ohio. Shullick and another site was mentioned in the Guardian article enetitled Money for nothing in 2006. But as the company was forcibly dissolved in December 2008, the who is running these web sites?

Xtremetransactions.com is also linked to from the Adobe9.0-PDF.com site, showing that the two are closely related.



The UK address isn't much of a clue - it belongs to a company called Fletcher Kennedy, who specialise in forming other companies. Fletcher Kennedy are nothing to do with the site, but they have fulfilled the legal role of company secretary for both "Xtreme" companies, but they appear to have terminated that relationship.

Is the other XTREME-SOFT company any relation? It's odd that they both have very similar names and the same address, but the only director listed for XTREME-SOFT LTD is in Saudi Arabia:

DIRECTOR: QUBAISI, MOHSEN
Appointed: 22/03/2006
Nationality: SAUDI
No. of Appointments: 1
Address: 31952 KOBAR STREET
SAUDI ARABIA
It's not clear if these two entities are actually related in any way.

So, here's an outfit that is hiding its details and appears to have been operating by a firm that had been forcibly dissolved. So who exactly is running it now?

Anyway, that's enough foreplay. Let's get down to the money shot. Let's say that you want to download the software, first there's a registration screen.. then you get to see what this is all about:

Yup, they're trying to stiff you with a £27 charge plus 83p per month to download a free bit of software. Goodness only knows what "download accelerator plus" is.

Here we go.. £37 for something that you can get for free. My advice? Avoid this one at all costs!



If you have paid money to this company any want a refund, this RipoffReport suggests the following:

MONEY RETRIEVED!

Don't let these people get away with what they do.

Keep on emailing them as well as the third-party that bills their accounts. I got a full refund, including the so-called $5.99 service charge.

Explore you options on the next. Report them to the internet fraud site. Contact your bank and report them. In fact, do everything that you need to do.

I did not stop, until I got everything back.
Allegedly, the contact email address is support@software-hq.net (and that domain seems to have generated a lot of complaints) but you may be better off contacting your bank if you believe that you have been misled in any way.

Thursday, 12 March 2009

Did the BBC just break the law?

The BBC's lightweight tech program "Click" took over a botnet of 20,000 machines to demonstrate the perils of zombie PCs. The BBC insists that this is perfectly legal: "If this exercise had been done with criminal intent it would be breaking the law."

So was it legal? Well, not according to the Computer Misuse Act. The BBC states that "the owners of unprotected PCs have been made aware that they are vulnerable to future attacks" and
"Click advised them on what steps to take to make their systems more secure". In fact, you can see precisely what they did on this video clip.

So.. did they just alter the data on the compromised PCs? It certainly looks like it - and because they have both gained unauthorised access to a PC and have altered information on it, then that is potentially a criminal offence under section 3 of the act.

3 Unauthorised modification of computer material

(1) A person is guilty of an offence if—

(a) he does any act which causes an unauthorised modification of the contents of any computer; and

(b) at the time when he does the act he has the requisite intent and the requisite knowledge.
Certainly the BBC carried out an unauthorised modification. But did they have the requisite intent?

(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing—

(a) to impair the operation of any computer;

(b) to prevent or hinder access to any program or data held in any computer; or

(c) to impair the operation of any such program or the reliability of any such data.
Clearly, the BBC did not have malicious intent to carry out a) b) or c), so under UK law they are probably just about in the clear.

But that's just UK law (and they are skating on thin ice as it is). In some other countries, unauthorised access and alteration of data for any reason is likely to be a criminal offence. The BBC probably did this with good intent, but it was quite possibly an ill-advised thing to do.

Added:
Copied from the comments (thanks Joel!)

Erm... why did you miss out the important bit - which is (1):

(Computer Misuse Act 1990)

1 Unauthorised access to computer material (1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

As I understand it, this means that you only have to secure access to a program or data (i.e. ANY ACCESS AT ALL) without authorisation to have acted illegally. Hence, what they have done is certainly illegal. I doubt anyone will be punished though...

Joel

El Reg is covering this here, they quote Graham Cluley of Sophos who says that he believes the BBC did break the law. It looks like there is a storm brewing.

Now, I don't think the BBC breached security to access any data. Unauthorised access to a bot application is tricky, but the question revolves around them changing the wallpaper. It was certainly ill-advised in my view.

Tuesday, 10 March 2009

PIFTS.EXE

Well, this is interesting. Users of Norton Antivirus are finding an application calls PIFTS.EXE that is try to call out. But every time anyone posts a query on the Norton support forum, it gets deleted immediately (see this search).

PIFTS.EXE appears to be a part of a patching application. The executable itself is unencrypted and contains several interesting bits of text such as:

  • http://stats.norton.com/n/p?module=2667
  • The ping url is %s PATCH021809DB
  • d:\perforce\entiredepot\consumer_crt\patchtools\patch021809db\release\PIFTS.pdb
  • SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine
When run, it calls home to the following URL: http://stats.norton.com/n/p?module=2667&product=unknown&version=-1&e=-1&f=-1&g=-1&h=-1&i=0&j=-1 hosted on 67.134.208.160 at Swapdrive in Washington. Swapdrive is owned by Symantec, who make Norton.. so there's nothing suspicious there.

One odd thing is that the PIFTS.EXE executable is padded out to precisely 100KB (102,400 bytes) with a string saying "XXPADDINGPADDINGXX" several times. Presumably Symantec have their own reason for making sure that the file is exactly this length.

PIFTS.EXE appears to be contacting a statisitical tracking server, possibly to report back on the installed version. Perhaps this violates Symantec's privacy policy, perhaps it's part of the testing process that was accidentally included in the update.

Some people might say that the way Symantec is deleting posts indicates a cover-up. It is certainly suspicious, but my best guess is that there's a quality control issue here and the PIFTS.EXE process was never meant to be released.

VirusTotal gives it a clean bill of health. ThreatExpert shows that it doesn't do much except call home.

Classmates trojan: "Should I leave my Crazy Fat Wife for a younger woman?"

An unusual bit of social engineering here:

Subject: Classmates personal message: Please help me to decide which way to choose
From: "Gold - Classmates" online@groups.classmates.com

Special video report March 10, 2009
Message from your group member:

"Should I leave my Crazy Fat Wife for a younger woman? Please look video and Help me
to decide, please ........I need your help,
if possible - Write your opinion on the page wall"


Proceed to open full message text:

(removed)

Sincerely, Leslie Burks.
2009 Classmates Message Center.

If you click on the link (not advisable) you get the following page (hosted on a botnet somewhere):



You are then prompted to install and run a file called Adobemedia10.exe at which things will start to go seriously wrong.

The VirusTotal report indicates a very low detection rate for the binary (VBA32 flags it up as Embedded.Rootkit.Win32.Agent.ex). However, the ThreatExpert prognosis shows just how much damage this does, and identifies a C&C server at 58.65.232.17 which is a well-known malware server hosted by black hat hosting outfit Hostfresh.

This looks like a fairly horrible thing to try to clean up, and probably best to recover data, reformat and reinstall.