Author Topic: Windows Protection Suite  (Read 4335 times)


August 26, 2009, 06:53:23 pm

eoin.miller

Once installed, the malware calls home to prestotunerst.cn:

Code:
GET http://prestotunerst.cn/reports/get_product_domains.php?abbr=WINPS&pid=3 HTTP/1.0
User-Agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient)
Accept: text/html, */*
Host: prestotunerst.cn
Proxy-Connection: Keep-Alive

The response includes the domains to talk to:

Code:
[td_site]
http://windowsprotectionsuite.com
http://winprotection-suite.com

[td_update]
http://update1.windowsprotectionsuite.com
http://update2.windowsprotectionsuite.com
http://update1.winprotectionsuite.com
http://update2.winprotectionsuite.com

[td_presale]
http://pay1.winprotectionsuite.com
http://pay2.winprotectionsuite.com


It also contacts paymentvirusmelt.cn to produce the HTML/image content for the fraudulent payment site:

http://paymentvirusmelt.cn/index.php?uid=7&mid=15edf56585c7bc5a46d843def95b7c48&wv=wvXP&bid=b_Unknown&sid=11011&ls=1&verint=601&errors=0&nid=MainWindow_16&abbr=WINPS&pid=3

Fraudulent payment processing is handled by ridebullet.com:
https://ridebullet.com/payment/?sku_name=WIPS_EN,WIPS_EN_00,WIPS_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&nid=15edf56585c7bc5a46d843def95b7c48&affid=7&lid=wvXP;b_Unknown;1;11011;0;0;-1;10

Some of the domains are in the MDL, but the following domains are not and should be considered for addition to the MDL:
prestotunerst.cn
winprotection-suite.com
winprotectionsuite.com
paymentvirusmelt.cn
ridebullet.com
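The callback above is a plain HTTP GET whose response is an INI-style list of URLs, which makes it easy to turn a single capture into a blocklist and a proxy-log check. The script below is an added example written for this page, not code from the post or from the malware; it parses the captured response verbatim, collapses every URL in the post to its registrable domain, diffs that set against an "already listed" set (assumed here to contain only windowsprotectionsuite.com, since the post does not say which entries were already in the MDL), and then flags constructed proxy log lines that either reach one of those domains or carry the TALWinInetHTTPClient User-Agent seen in the capture. The last-two-labels domain collapse is a simplification that works for the .com and .cn names here but would need a public-suffix list in general.

```python
"""Blocklist and proxy-log check built from the Windows Protection Suite capture (added example)."""
import re
from urllib.parse import urlparse

# Response body exactly as captured in the post (INI-style section headers).
C2_RESPONSE = """[td_site]
http://windowsprotectionsuite.com
http://winprotection-suite.com

[td_update]
http://update1.windowsprotectionsuite.com
http://update2.windowsprotectionsuite.com
http://update1.winprotectionsuite.com
http://update2.winprotectionsuite.com

[td_presale]
http://pay1.winprotectionsuite.com
http://pay2.winprotectionsuite.com
"""

# The other URLs from the post: initial callback, fake payment page, payment processor.
OTHER_URLS = [
    "http://prestotunerst.cn/reports/get_product_domains.php?abbr=WINPS&pid=3",
    "http://paymentvirusmelt.cn/index.php?uid=7&mid=15edf56585c7bc5a46d843def95b7c48&wv=wvXP&bid=b_Unknown&sid=11011&ls=1&verint=601&errors=0&nid=MainWindow_16&abbr=WINPS&pid=3",
    "https://ridebullet.com/payment/?sku_name=WIPS_EN,WIPS_EN_00,WIPS_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&nid=15edf56585c7bc5a46d843def95b7c48&affid=7&lid=wvXP;b_Unknown;1;11011;0;0;-1;10",
]

# User-Agent string from the captured request.
C2_USER_AGENT = "TALWinInetHTTPClient"

# Assumed (not stated in the post): which of the domains were already in the MDL.
ALREADY_LISTED = {"windowsprotectionsuite.com"}

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_c2_response(text):
    """Split the INI-style response into {section_name: [url, ...]}; blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registrable_domain(host):
    """Collapse a hostname to its last two labels (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_blocklist(sections, extra_urls=()):
    """Return the sorted set of registrable domains behind every URL in the capture."""
    urls = [u for urls_in_section in sections.values() for u in urls_in_section] + list(extra_urls)
    domains = {registrable_domain(urlparse(u).hostname) for u in urls if urlparse(u).hostname}
    return sorted(domains)


def missing_from(blocklist, already_listed):
    """Domains in the capture that are not yet in the reference list."""
    return sorted(set(blocklist) - set(already_listed))


# Constructed proxy log lines: "<epoch> <client> <method> <url> \"<user-agent>\"".
SAMPLE_PROXY_LOG = [
    '1251312803.123 10.0.0.5 GET http://prestotunerst.cn/reports/get_product_domains.php?abbr=WINPS&pid=3 "Mozilla/3.0 (compatible; TALWinInetHTTPClient)"',
    '1251312810.456 10.0.0.7 GET http://example.com/index.html "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '1251312811.001 10.0.0.9 GET http://pay2.winprotectionsuite.com/ "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '1251312812.222 10.0.0.11 GET http://example.org/ "Mozilla/3.0 (compatible; TALWinInetHTTPClient)"',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def flag_proxy_log(lines, blocklist):
    """Return [(client, [reasons])] for lines that hit a C2 domain or use the C2 User-Agent."""
    block = set(blocklist)
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        _ts, client, _method, url, user_agent = match.groups()
        reasons = []
        host = urlparse(url).hostname
        if host and registrable_domain(host) in block:
            reasons.append("c2-domain:" + registrable_domain(host))
        if C2_USER_AGENT in user_agent:
            reasons.append("user-agent:" + C2_USER_AGENT)
        if reasons:
            hits.append((client, reasons))
    return hits


if __name__ == "__main__":
    blocklist = build_blocklist(parse_c2_response(C2_RESPONSE), OTHER_URLS)
    print("blocklist:", blocklist)
    print("candidates for MDL:", missing_from(blocklist, ALREADY_LISTED))
    for client, reasons in flag_proxy_log(SAMPLE_PROXY_LOG, blocklist):
        print(client, reasons)
```

Matching on the registrable domain rather than the full hostname is deliberate: the response hands out numbered update and pay hosts (update1, update2, pay1, pay2), so a list keyed on exact hostnames would miss the next one the operators add under the same domain. The User-Agent check catches the first callback even before the domain is known, but it is a weaker signal on its own, so the example reports both reasons separately rather than collapsing them.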