I got hit by this. I am ashamed for opening it, but it so seemed to be from the IRS.
Anyway. I searched on my computer for the file QTINTF.dll and it was not there. However, I did get a browser page that you showed informing me that the complaint was closed and to disregard further notifications. You suggest that this would only happen if the appropriate .dll was available. Does this mean that they have expanded to use other approaches?
When you say that "web form" data is sent, can that include passwords and credit card numbers?
I am very concerned.
Jim
Jim Brauker |
06.06.07 - 9:06 pm | #
|
|
Hi Adams,
Thanks for the post. Very informative and worth warning people about it.
Jerome |
Homepage |
06.07.07 - 12:19 pm | #
|
|
Thanks Adam for helping me remove this beastie. Very good work and fast.
Jim
Jim |
06.07.07 - 4:13 pm | #
|
|
here4life.org looks like a compromised (and legitimate) site. However, look at the server that business-complaints.com is hosted on (221.1.151.30) and there are a few interesting domains:
Login-myspace-com-fuseaction-mytoken-dfkjeieir34830.com
Login-myspace-com-sex-drugs-rock-n-roll.com
Northstartd.com
Profile-msdn-s.com
Looks like another bunch of phishing sites to me.
Conrad Longmore |
Homepage |
06.08.07 - 4:22 am | #
|
|
Do you have, perhaps, checksums of both the "original" and "modified" binaries? That is to say, the one requiring QTINTF.dll and the one that doesn't.
Zach |
06.09.07 - 5:43 pm | #
|
|
9d0252348a2b470be5950c216993f7ce (required QTINTF.dll)
daa40521bd8cf5dc25958bfbc25a8d09 (did not require QTINTF.dll)
Anonymous |
06.10.07 - 12:21 am | #