According to the hpHosts blog, a fake VirusTotal site is serving trojans and fake AV. VirusTotal (www.VirusTotal.com) (Figure 1) is one of the most famous online virus-scanning and suspicious-URL detection websites. It facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.

 

 Figure 1

    The fake VirusTotal domain name is "new-virustotal.tk" (it was suspended by the registrar). Once innocent people reach the website, they are redirected to the following site and forced to download the malicious file:

  • readman.pf-control.de/java/
  • readman.pf-control.de/java/signedapplet.jar
  • readman.pf-control.de/java/bot.exe 

    AegisLab warns you to be careful while surfing the internet: don't trust or click any unknown links from mail or IM.

 

2011-05-27 Updated:

$ host new-virustotal.tk
  • new-virustotal.tk has address 93.170.52.30 
  • new-virustotal.tk has address 93.170.52.20 
These 2 IPs were found on 25th Jan. 2010 and pointed to "www.qqwg.tk".
Since 24th May 2011, the new domain "www1.trustzone-41p.tk", with the same IPs, has also hosted FakeAV pages.
AegisLab found that 345 malicious sites point to these 2 IPs.
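
The pivot used in this update (start from the two IPs, list every hostname seen resolving to them, and flag names that borrow the VirusTotal brand) can be repeated over your own resolver logs. The Python below is an added example, not AegisLab's code; the `host`-style input format, the example.org/example.net names and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are constructed.

```python
import re
from collections import defaultdict

# Seed IPs and the brand / legitimate-domain pair are taken from the post.
SEED_IPS = {"93.170.52.30", "93.170.52.20"}
BRANDS = {"virustotal": "virustotal.com"}

# Constructed resolver log in `host` output format. The three .tk names and the
# 93.170.52.x addresses come from the post; every other line is made up.
SAMPLE_LOG = """\
new-virustotal.tk has address 93.170.52.30
new-virustotal.tk has address 93.170.52.20
www.qqwg.tk has address 93.170.52.30
www1.trustzone-41p.tk has address 93.170.52.20
www.virustotal.com has address 192.0.2.10
intranet.example.org has address 198.51.100.7
virustotal-scan.example.net has address 203.0.113.5
"""

HOST_LINE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")

def parse(log_text):
    """Map each IPv4 address to the set of hostnames seen resolving to it."""
    ip_to_names = defaultdict(set)
    for line in log_text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:  # skip lines that are not A-record answers
            ip_to_names[m.group(2)].add(m.group(1).lower().rstrip("."))
    return ip_to_names

def is_lookalike(name, brands=BRANDS):
    """True if the name contains a brand string but is not under its real domain."""
    for brand, legit in brands.items():
        if brand in name and name != legit and not name.endswith("." + legit):
            return True
    return False

def triage(log_text, seed_ips=SEED_IPS):
    """Return hostnames co-hosted on the seed IPs and brand look-alike hostnames."""
    ip_to_names = parse(log_text)
    all_names = set().union(*ip_to_names.values())
    cohosted = set().union(*(ip_to_names.get(ip, set()) for ip in seed_ips))
    return {"cohosted": sorted(cohosted),
            "lookalike": sorted(n for n in all_names if is_lookalike(n))}

if __name__ == "__main__":
    for label, names in triage(SAMPLE_LOG).items():
        print(label, names)
```

The two checks are complementary: the IP pivot catches names such as "www.qqwg.tk" that carry no brand string, while the look-alike check catches brand abuse hosted on addresses not yet on the seed list.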

 

By AegisLab