Vundo

Past the Second Half of 2009

Just before we pop corks at the arrival of 2010 and the passing of 2009, let’s take a quick look at the second half of 2009.

Streamviewer's .gif Images Embedded with Encrypted Malware

Our post last week warned of a group moving their FakeAv-Koobface-Vundo-Spyware "softwarefortubeview" phony codec downloader to a new home, and this week we are examining a similar scheme that downloads, surprise, surprise, Koobface and FakeAv-prompting BHOs like iehelper.dll (with its prompts for "Antivirus system PRO"), performs some level of click fraud, and installs podmena.dll and podmena.sys... this one also includes a nice FTP credential-stealing component, stealing passwords from File

Softwarefortubeview Moves to a New Home at 65.110.50.141

We posted a couple of weeks ago on the continued success of a group in distributing FakeAv/Rogueware/Scareware.

Please note that their downloaders have been moved to a new home at 65.110.50.141. There are multiple domains currently resolving to that IP, which is managed by "Sago Networks". One we know of currently serving softwarefortubeview.40019.exe executables is wile-exe.com. The move appears to have happened on June 1st. Avoid executables from that domain for now.


An Offer Too Good to Refuse, Courtesy of Vundo

Over this past weekend, Symantec received news of a new twist in the behavior of Trojan.Vundo. Instead of simply pushing misleading applications and other threats onto the infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation.

The Trojan Vundo story

In this blog, we normally analyze nasty Trojans or other nasty stuff that is – in almost all cases – so new that very few antivirus engines can pick it up and protect the user (see e.g. the post about the yaludle/Silentbanker Trojan).

However, today the story is about a typical internet user, about Joe the Plumber, about the Hockey Mom, about an old Trojan, and about the reality out there on the World Wide Web.
