Thursday, December 11, 2008

Intervalhehehe


According to multiple forum posts, a number of people appear to be infected with a mysterious virus that pops up every 10 minutes or so and displays the message "Intervalhehehe".

This threat is most likely distributed as a cracked version of the popular software WinRAR. Its file is a WinRAR self-extractor (report here) that unpacks and runs the WinRAR installer itself, plus a file named explore.exe, which is a trojan horse.


The trojan modifies the hosts file to redirect users from google.com, yahoo.com and other legitimate sites to websites hosted at 61.157.217.210, 123.251.143.110, and 123.16.197.121, which are used to distribute rogue antivirus and antispyware solutions.
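A defensive check for the hosts-file change described above, as an added example that is not part of the original post: it parses hosts-file text and flags any entry that points at the three addresses listed here, or that overrides google.com or yahoo.com with a non-loopback address. The function names, the suffix-matching rule and the sample file are assumptions made for illustration.

```python
import ipaddress

# Redirect targets named in this post.
ROGUE_IPS = {"61.157.217.210", "123.251.143.110", "123.16.197.121"}
# Domains the post names as hijacked (assumption: subdomains count too).
WATCHED = ("google.com", "yahoo.com")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, not a mapping
        for host in fields[1:]:                 # one IP may carry several names
            yield line_no, ip, host.lower().rstrip(".")

def suspicious_entries(text):
    """Return (line_no, ip, hostname, reason) for each entry worth reviewing."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        watched = any(host == d or host.endswith("." + d) for d in WATCHED)
        if str(ip) in ROGUE_IPS:
            findings.append((line_no, str(ip), host, "known redirect IP"))
        elif watched and not (ip.is_loopback or ip.is_unspecified):
            findings.append((line_no, str(ip), host, "watched domain overridden"))
    return findings

# Constructed sample, not taken from an infected machine.
SAMPLE = """\
# constructed sample
127.0.0.1       localhost
61.157.217.210  google.com www.google.com   # injected
123.16.197.121  search.yahoo.com
10.0.0.5        intranet.example
0.0.0.0         ads.yahoo.com
203.0.113.9     www.yahoo.com
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE):
        print(finding)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; entries mapped to loopback or 0.0.0.0 are skipped because they are a common ad-blocking pattern rather than a redirect.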


This trojan is a Visual Basic program built on a Chinese system.

In a way (mostly in its annoyance, of course) it is reminiscent of an old DOS-era virus, "Skaji Bebe - Fig Tebe".