Once installed, the malware calls home to prestotunerst.cn:
GET http://prestotunerst.cn/reports/get_product_domains.php?abbr=WINPS&pid=3 HTTP/1.0
User-Agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient)
Accept: text/html, */*
Host: prestotunerst.cn
Proxy-Connection: Keep-Alive
The response includes the domains the malware should talk to, grouped by purpose:
[td_site]
http://windowsprotectionsuite.com
http://winprotection-suite.com
[td_update]
http://update1.windowsprotectionsuite.com
http://update2.windowsprotectionsuite.com
http://update1.winprotectionsuite.com
http://update2.winprotectionsuite.com
[td_presale]
http://pay1.winprotectionsuite.com
http://pay2.winprotectionsuite.com
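Added example (not part of the original post): a small Python helper that parses the [td_*] check-in response shown above into per-section hostnames for a blocklist, and flags the check-in request in proxy log lines by its path and User-Agent. The log line format (client, method, URL, quoted User-Agent) is an assumption for the constructed sample.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the same format as the check-in response above.
SAMPLE_RESPONSE = """[td_site]
http://windowsprotectionsuite.com
http://winprotection-suite.com
[td_update]
http://update1.windowsprotectionsuite.com
[td_presale]
http://pay1.winprotectionsuite.com
"""

def parse_domain_config(text):
    """Parse '[section]' headers and one URL per line into {section: [hostnames]}."""
    sections = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[([A-Za-z0-9_]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            host = urlparse(line).hostname
            if host:
                sections[current].append(host.lower())
    return sections

def all_hosts(sections):
    """Flatten the parsed config into a sorted list of unique hostnames (blocklist input)."""
    return sorted({h for hosts in sections.values() for h in hosts})

# The check-in is recognisable by its script path and the TALWinInetHTTPClient User-Agent.
CHECKIN_PATH = "/reports/get_product_domains.php"
CHECKIN_UA = "TALWinInetHTTPClient"

def is_checkin(method, url, user_agent):
    u = urlparse(url)  # absolute URL as seen in proxy logs
    return method == "GET" and u.path == CHECKIN_PATH and CHECKIN_UA in user_agent

# Constructed proxy log lines (assumed format): client method url "user-agent"
SAMPLE_LOG = [
    '10.0.0.5 GET http://prestotunerst.cn/reports/get_product_domains.php?abbr=WINPS&pid=3 "Mozilla/3.0 (compatible; TALWinInetHTTPClient)"',
    '10.0.0.7 GET http://example.org/index.html "Mozilla/5.0"',
]

def find_checkins(lines):
    """Return (client, c2_host) for every log line that matches the check-in pattern."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) (\S+) (\S+) "([^"]*)"', line)
        if m and is_checkin(m.group(2), m.group(3), m.group(4)):
            hits.append((m.group(1), urlparse(m.group(3)).hostname))
    return hits
```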
It also contacts paymentvirusmelt.cn to produce the HTML/image content for the fraudulent payment site:
http://paymentvirusmelt.cn/index.php?uid=7&mid=15edf56585c7bc5a46d843def95b7c48&wv=wvXP&bid=b_Unknown&sid=11011&ls=1&verint=601&errors=0&nid=MainWindow_16&abbr=WINPS&pid=3
Fraudulent payment processing is handled by ridebullet.com:
https://ridebullet.com/payment/?sku_name=WIPS_EN,WIPS_EN_00,WIPS_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&nid=15edf56585c7bc5a46d843def95b7c48&affid=7&lid=wvXP;b_Unknown;1;11011;0;0;-1;10
Some of the domains are already in the MDL, but the following domains are not and should be considered for addition to the MDL:
prestotunerst.cn
winprotection-suite.com
winprotectionsuite.com
paymentvirusmelt.cn
ridebullet.com