Shell fraud business with Trojan.Mayachok.1 payload

August 15, 2012

Anti-virus company Doctor Web has issued a warning for Russian users about fake installer files being spread widely via file-sharing services under the ZIPPRO affiliate program. The supposed distribution files of popular applications have recently begun to conceal Trojan.Mayachok.1. Whereas previously a fraud victim would just lose money by sending paid short messages to extract archived content, now they also let a dangerous Trojan horse, Trojan.Mayachok.1, into their system and install a popular toolbar.

Affiliate programs on the Internet are popular not only among ordinary users who want to make a quick fortune, but also with larger players on the market. In particular, virus writers and online fraudsters use such programs, about which Doctor Web has often reported in its news posts.

In February 2010, Doctor Web warned users about the ZIPPRO partner program, which enabled fraudsters to generate fake installers capable of accurately mimicking the interface of the installation wizards of popular programs.

The generator is an application that allows you to configure a final visual style and offers a variety of payment options. Thus, criminals can place junk code into the fake archive and get paid for it.

These files are detected by Dr.Web as Trojan.SMSSend. However, the authors don't stop there; they regularly modify and repackage their creations. ZIPPRO’s home page states this directly, describing the service as “the first and only partner program featuring protection from anti-viruses”.

A user who downloaded such a file and sent a paid SMS message to open it got nothing, but a ZIPPRO partner received their share of the profit. Thus, a business model has developed in which returns are generated by chargeable SMS and subscriptions to unwanted mobile services.

Subsequently, the scheme underwent some changes; in addition to creating fake wizards of various freeware, ZIPPRO began installing the Sputnik@Mail.Ru toolbar. Interestingly, ZIPPRO makers promise to distribute the Internet@Mail.ru browser under the scheme.

The tables above show that ZIPPRO partners did rather well. But, as is often the case in , in the pursuit of high profits, the service owners developed their business even further. While their partners were unaware of it, they decided to make a profit by spreading more dangerous malware. At the moment, all users who fall for the trick and download any Trojan.SMSSend file also get Trojan.Mayachok.1, in addition to the guaranteed Mail.Ru toolbar. And partners thus create an offline ZIPPRO botnet.

According to statistics gathered by Dr.Web CureIt!, it is Trojan.Mayachok.1 that takes the top spot on the list of the most urgent threats this summer. This program fakes pages of the most popular websites.
