CastleCops® - SpyFalcon, a nightmare rebranded

Need help? Click here to register for free! Absolutely zero advertisements on this site!

**$9736.22 of $21422.68**

Help CastleCops serve the community on new servers, Donate Here to reach our goal.

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Survey

Spyware: SpyFalcon, a nightmare rebranded

Anti-Terror

Last time we wrote about a rebrand of SpyAxe called SpywareStrike, this time we alert you to SpyFalcon courtesy of Sunbelt-Software. First, if you think you're infected, read our removal tutorial on the whole SpyAxe issue. And there is an interesting twist... the webhost provider is dishing out the WMF Exploit!

This domain was registered on 16-Jan-2006 by David Taylor under the guise of SunShine Ltd. It uses the "ANTISPYDNS.BIZ" domain for its DNS traffic. The domain is hosted by NetcatHosting who owns its IP: 195.225.176.79. What is interesting even more about the netblock is this...

This hosting company has a wmf file available for download listed (do not download this!):

traff4ppc.biz/parthner3/xpl.wmf

Guess what, yes you got it... this is the Win32/Exploit.WMF trojan. This webhosting company is hosting some nefarious stuff and should be shut down immediately. Responsible upstream providers ought to shut off the juice for them.

If you haven't heard about the WMF Exploit, or want to see a full FAQ about it, then read this article. Other sites are hosted at NetcatHosting which I didn't research for this article (although by association I'd be very wary):

looking-for.cc

aboutme.4click.biz

195.225.176.77

www.nospywaresoft.com

Courtesy of Sunbelt-Software, this is what the Spyfalcon program looks like:

The site concerning the title of this article looks like this:

SpyFalcon's content looks awfully familiar to SpywareStrike just on looks alone eh?

Stay clear of this tool and others like it!

Posted on Wednesday, 08 February 2006 @ 21:56:36 UTC by Paul (29641 reads)
[ Trackback ]

"Spyware: SpyFalcon, a nightmare rebranded" | Login/Create an Account | 5 comments | Search

The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register

Re: SpyFalcon, a nightmare rebranded (Score: 1)
by spytestster on Friday, 10 February 2006 @ 08:43:03 UTC
(User Info | Send a Message)

i have come across this at night
while i was trying to get some JAVA SCRIPT code this site attempted to install winfixer to my computer

from the link

hxxp://resources.bravenet.com/articles/ site_building/javascript/ open_links_in_a_new_window/

i have taken a short movie of the site which can be seen here

http://go.iking.biz/winfixer.02.htm

please tell the world
n hoffman

Re: SpyFalcon, a nightmare rebranded (Score: 1)
by perfect-games on Saturday, 11 February 2006 @ 17:00:43 UTC
(User Info | Send a Message)

i got this lastnight after accesing nukecops.com after there was attack over there.

good thing my macfee is up to date :)

]

Re: SpyFalcon, a nightmare rebranded (Score: 1)
by Paul on Saturday, 11 February 2006 @ 17:35:10 UTC
(User Info | Send a Message) http://www.laudanski.com

What link over there?

]

Re: SpyFalcon, a nightmare rebranded (Score: 1)
by perfect-games on Saturday, 11 February 2006 @ 20:22:03 UTC
(User Info | Send a Message)

last night i was struggling to access nukecops.com when it did come back on this wmf file downloaded by itself and each time i changed page it keprt trying to download again and macfee each time says it deleted an infected file.

could be something on nukecops server or there banners or the security issue thats with phpbb with that html hack where you can xss hack,

which everway i got the virus i think i have the log in macfee which might explain more that i will look into

thanks

steve

]

Re: SpyFalcon, a nightmare rebranded (Score: 1)
by misterwide on Sunday, 12 February 2006 @ 03:02:11 UTC
(User Info | Send a Message)

NetcatHost of Ukraine (195.225.176.0 - 195.225.179.255) is a source of quite a few Internet pests. I've twice seen ExploitByteVerify attempts (failed) from them. The following is a partial list of MVPS HOSTS sites that I recently ping'ed to NetcatHost; most are CWS-related:

195.225.176.07 drusearch.com; daily-search.com
195.225.176.16 absoluagency.com
195.225.176.27 6o9.com; 8ad.com; go-advertising.com
195.225.176.30 web-free-hosting.net; spyeraser.net
195.225.177.09 makemesearch.com
195.225.177.13 bin.wordsx.cc
195.225.177.17 www.toolbarplace.com
195.225.177.18 www.foxik.com
195.225.177.21 2awm.com; 4count.com; www.check-wire.com
195.225.177.22 dl.ad-ware.cc; count.cc; vv1.s12.dupx.cc
195.225.177.27 www.212-229-05.com; www.39-93.com
195.225.177.33 69sexsearch.com
195.225.177.34 ewizard.cc

WebHelper4U has the latest scoop on full CWS associations. 195.225.176.0 - 195.225.179.255 are firewalled on this machine as a result of their past history.

	Login

	Nickname Password Security Code: Type Security Code: Usage signifies AUP acceptance · New User? · Click here to create a registered account.

	Related Links

	· del.icio.us! · digg it! · reddit! · TrackBack (0) · PHP HomePage · HotScripts · W3 Consortium · More about Anti-Terror · News by Paul Most read story about Anti-Terror: SpyFalcon, a nightmare rebranded

	Article Rating

	Average Score: 4 Votes: 4 Please take a second and vote for this article:

	Options

	Printer Friendly Page


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 29ppm 1.519s (0.047s) Making cybercriminals unhappy since 2002*