Something happened then. A page of 123greetings.com flashed on the screen, followed by a few splashes showing me an animation of scanning through the system folders of my computer. After that, the following XP-style window appeared on my Leopard desktop and forced me to download two PC executable files with randomized filenames. The active web page had been redirected to scanner2.malware-scan.com.
As I illustrated in the screenshot above, it was a malware attack.
As for cookies, only 123greetings.com left several items in Safari's cookie records, as shown below. malware-scan.com didn't leave a trace.
The downloaded executable files were identical except for their filenames. I ran one file in a disconnected Windows 2000 Server box (a virtual machine), and the file's process appeared in Task Manager. It seemed that nothing happened (of course that's not true). I ran the executable several times, and several individual processes appeared in Task Manager, as follows.
I also noticed that this executable file created a Windows registry item at:
HKCU\Software\Microsoft\Windows\CurrentVersion\ADP = "&swp=1&apx=%s" (where %s is the filename of this downloaded file)
I enabled the network connection on the W2K virtual machine. After a while, a "professional" anti-spyware program, MalwareAlarm 2.1, appeared on the screen and had already started scanning the system. This bloody scanner reported that I had nine threats, and asked me to buy it online in order to activate its Threat Removal function. TCPView showed that this program (MalwareAlarm.exe) was downloaded from 188.8.131.52.
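The three indicators above (the ADP registry value, the MalwareAlarm.exe process and the download host) can be checked for on a host with a short script. This is an added example, not code from the post; it assumes a modern Windows host where Get-NetTCPConnection is available (it would not run on the W2K VM itself).

```powershell
# Added example: hunt for the MalwareAlarm indicators described in the post.
# Assumes a modern Windows host (Get-NetTCPConnection needs Windows 8 / Server 2012 or later).
$regPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$valueName = 'ADP'
$procName  = 'MalwareAlarm'        # Get-Process takes the name without ".exe"
$badHost   = '188.8.131.52'        # download host seen in TCPView
$findings  = @()

# 1. Registry value written by the downloader: "&swp=1&apx=<filename>"
$item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
if ($item -and $item.$valueName -match '^&swp=1&apx=') {
    $findings += "Registry: $regPath\$valueName = '$($item.$valueName)'"
}

# 2. The rogue scanner's process (several copies may be running at once)
Get-Process -Name $procName -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process: $($_.ProcessName) (PID $($_.Id)) path=$($_.Path)"
}

# 3. TCP connections to the host the program was downloaded from
Get-NetTCPConnection -RemoteAddress $badHost -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Network: PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No MalwareAlarm indicators found.'
} else {
    Write-Output 'MalwareAlarm indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in a PowerShell session as the user whose HKCU hive you want to inspect, since the ADP value lives under HKCU rather than HKLM.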
There was a business behind this anti-spyware spyware. It even showed me a screen like this.
Now you know how this kind of "anti-malware" program works, hmm? :-)
Furthermore, I did a Google search for this, and found that someone had already reported a similar spyware two days earlier, on 21 December 2007.