Trojan:HTML/Redirector.CH
First posted on 20 December 2012.
Source: Microsoft
Aliases:
Trojan:HTML/Redirector.CH is also known as Trojan.HTML.Redirector.AN (Kaspersky), HTML/Redirector.DY (Avira), Trojan.HTML.Redirector.AW (BitDefender), Trojan.HTML.Redirector (Ikarus), Troj/Redir-O (Sophos).
Explanation:
Installation
Trojan:HTML/Redirector.CH may be detected on your computer if you visit a malicious HTML webpage.
Payload
When you open an Internet browser, Trojan:HTML/Redirector.CH will display the following text in a large font size:
"You are here because one of your friends have invited you. Page loading, please wait...."
The trojan then redirects you to a website that masquerades as a CNBC article. The website's address has the following naming format:
<maximum of any 8 characters>market<maximum of any 16 characters>online<maximum of any 8 characters>.com/?12/
For example:
- marketnewsonline10.com
- marketnewsonline11.com
- marketnewsnext7online.com
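The naming format above can be turned into a hostname check for web proxy or DNS logs. The following Python sketch is an added example, not part of the original write-up; the log layout, the narrowing of "any characters" to DNS-label characters, the handling of subdomains and the two confidence levels are assumptions.

```python
import re
from urllib.parse import urlsplit

# Published format: <=8 chars + "market" + <=16 chars + "online" + <=8 chars + ".com".
# Assumption: "any characters" is narrowed to characters valid in a DNS label.
DOMAIN_RE = re.compile(r"[a-z0-9-]{0,8}market[a-z0-9-]{0,16}online[a-z0-9-]{0,8}\.com")

def classify(url):
    """Return 'high', 'low' or None for one URL or bare hostname."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
    except ValueError:
        return None  # unparseable URL
    host = (parts.hostname or "").lower().rstrip(".")
    # Assumption: compare only the last two labels so subdomains such as www. are covered.
    domain = ".".join(host.split(".")[-2:])
    if not DOMAIN_RE.fullmatch(domain):
        return None
    # The write-up gives the landing URL as <domain>/?12/ ; seeing it raises confidence.
    return "high" if parts.path == "/" and parts.query == "12/" else "low"

# Constructed proxy log lines in an assumed layout: "<timestamp> <client> <url>".
SAMPLE_LOG = """\
2012-12-20T09:14:02Z 10.0.0.21 http://marketnewsonline10.com/?12/
2012-12-20T09:14:40Z 10.0.0.35 http://www.marketnewsnext7online.com/index.html
2012-12-20T09:15:11Z 10.0.0.21 https://www.google.com/
2012-12-20T09:16:03Z 10.0.0.48 http://example.com/market/online
"""

def scan(log_text):
    """Return (client, url, confidence) for every log line whose URL matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _, client, url = fields
        confidence = classify(url)
        if confidence:
            hits.append((client, url, confidence))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The format is broad: any .com name with "market" followed by "online" within the length bounds matches, so "low" hits are triage leads rather than confirmed detections.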
The article may change at any time, depending on the preferences of the malware author. In the wild, it has been known to display the following title:
"Mom Earns $6,795/Month Part-Time"
The article contains numerous references to the following website, which may be an attempt to scam you:
work<removed>homedigital.com
Some samples have also been reported to redirect to google.com.
Analysis by Daniel Chipiristeanu
Last update 20 December 2012