I've retitled this post and added this preface due to a comment I received today:
I've seen several versions of the install file over the past week which is an indication that someone is up to no good. The source was: hxxp://xponlinescanner.com/2008/downloadSo it looks like this was part of an attack of some sort. The Minneapolis Star Tribune site may have been compromised or it may be an unwitting attack vector. I couldn't find a good email address to notify them yesterday, but I did find a "feedback" form that looked like it might work. They really need to have a link to notify them of website issues in general and malware attacks in particular.
XPantivirus2008_v77011816.exe
XPantivirus2008_v880136.exe
XPantivirus2008_v77024205.exe
XPantivirus2008_v880181.exe
I submitted these files to TrendMicro and they all came back as malware containing a Trojan downloader.
--
I click on the StarTribune National News link and my Firefox page vanishes. Instead I see:
I have to kill Firefox from the XP application list to get free. Talk about "erratic PC behavior, PC freezes and creahes".
There actually is a vendor selling this product. So this might not be a simple phishing attack; maybe the bot virus is embedded in a supposed commercial product instead. Maybe my XP box isn't really infected and this really was something the Strib's ad supplier tossed up.
Or not. [jf: see comments. Looks like a malware attack.]
I just can't tell. McAfee SiteAdvisor connects the vendor to spam, so I'm leaning towards my machine NOT being infected and XPonlinescanner.com being a shady enterprise with a good probability of a nasty "backdoor" in their "antiviral" "security" product.
I really do need to get rid of my last XP box. Using XP on the net is like waving a wad of bills in a port bar of old Bangkok.
Update 9/14/09: A similar attack hit the New York Times
