
Shell fraud business with Trojan.Mayachok.1 payload

August 15, 2012

Anti-virus company Doctor Web has issued a warning for Russian users about fake installer files being spread widely via file-sharing services under ZIPPRO affiliate programs. The supposed distribution files of popular applications have recently come to conceal Trojan.Mayachok.1. Whereas previously a fraud victim would just lose money by sending paid short messages to extract archived content, now they are also letting into their system a dangerous Trojan horse, Trojan.Mayachok.1, and installing a popular toolbar.

Affiliate programs on the Internet are popular not only among ordinary users who want to make a quick fortune, but also with larger players on the market. In particular, virus writers and online fraudsters use such programs, about which Doctor Web has often reported in its news posts.

In February 2010, Doctor Web warned users about a ZIPPRO partner program that enabled fraudsters to generate fake installers capable of accurately mimicking the interface of the installation wizards of popular programs.


The generator is an application that allows you to configure a final visual style and offers a variety of payment options. Thus, criminals can place junk code into the fake archive and get paid for it.


These files are detected by Dr.Web as Trojan.SMSSend. However, the authors don't stop there; they regularly modify and repackage their creations. ZIPPRO’s home page states this directly, describing the program as “the first and only partner program featuring protection from anti-viruses.”


A user who downloaded such a file and sent a paid SMS message to open it got nothing, but a ZIPPRO partner received their share of the profit. Thus, a business model has developed in which returns are generated by chargeable SMS and subscriptions to unwanted mobile services.


Subsequently, the scheme underwent some changes; in addition to creating fake wizards of various freeware, ZIPPRO began installing the Sputnik@Mail.Ru toolbar. Interestingly, ZIPPRO makers promise to distribute the browser under the scheme.


The tables above show that ZIPPRO partners did rather well. But, as is often the case in , in the pursuit of high profits, the service owners developed their business even further. While their partners were unaware of it, they decided to make a profit by spreading more dangerous malware. At the moment, all users who fall for the trick and download any Trojan.SMSSend file also get Trojan.Mayachok.1, in addition to the guaranteed Mail.Ru toolbar. And partners thus create an offline ZIPPRO botnet.

According to statistics gathered by Dr.Web CureIt!, it is Trojan.Mayachok.1 that takes the top spot on the list of the most urgent threats this summer. This program fakes pages of the most popular websites.
