Author Archive

A few days ago, I reported that the Allopass company had decided to close the account of the msnpass.info scam. It now seems that they simply lied to me.
After a few days, I saw that the msnpass.info Web site is still very active, so I contacted Allopass again, and now their representative says that they are not going to close the account.

The reason: the owner of msnpass.info told them that msnpass.info sells software developed by the msnpass.info team, and that this Web site doesn’t sell the utilities of NirSoft at all.
This is probably the reason for the screenshot change that I reported a few days ago.

The owner of msnpass.info created a fake screenshot of software that doesn’t really exist, and told the Allopass company that msnpass.info sells the software shown in the screenshot, which doesn’t look like the MessenPass utility of NirSoft.

But according to reports that I received in recent days from 2 people who fell for the msnpass.info scam, after users pay through the payment system of Allopass, they are still sent to download my MessenPass and Mail PassView utilities.
The fake screenshot on the landing page of msnpass.info was created just to give Allopass a good excuse for not closing the account.

The sad fact is that both msnpass.info and the Allopass company have an interest in keeping the msnpass.info account open and continuing to make a lot of money from this nasty scam.

In the last few weeks, I was in contact with a few employees of the Allopass company regarding this scam, and in all this time, they just wasted my time and protected the side of the criminals.
Instead of suspending the account of msnpass.info and requiring the owner of this Web site to stop the nasty MSN spamming activities and to stop selling the software of others, Allopass simply sent my complaint to the msnpass.info owner. The msnpass.info owner answered that he sells his own software and not my software, and Allopass simply accepted this answer and decided to keep the account open.

Just to remind you again: msnpass.info and msn-blocked.com are a pair of scam Web sites in French that use a very nasty way to get a large amount of traffic and… money.
The first one, msn-blocked.com, asks innocent users to type their MSN user/password, and then floods all their contacts with fake instant messages that invite them to join the msn-blocked Web site and enter their user/password too.
The second one, msnpass.info, offers the users of msn-blocked.com the chance to purchase the MessenPass utility of NirSoft through the SMS payment system of allopass.com, misleading French users who don’t know that this utility is available for free at www.nirsoft.net.

For more information about how this scam works, read this post.

msn-blocked.com blocked by Firefox, so other domains are used

Due to complaints from many users about the msn-blocked Web site, Firefox and Google blocked this domain for ‘Reported Web Forgery’.
So the owner of this scam started to redirect Firefox users to other domains like msn-block.info, msn-blocking.com, msn-check.info, and possibly others.
The msn-block.info and msn-blocking.com domains are already completely blocked by Firefox too, while msn-check.info is only partly blocked.

So far, Firefox/Google are the only good side in this world doing something against this scam.
I already reported this scam to Microsoft (for MSN Messenger abuse), to GoDaddy (the domain registrar), to Domains By Proxy (the privacy protection company), to EURO-WEB Servers renting (the current hosting company), and to some other organizations that handle these kinds of scams. So far, there has been no action from any of them.

BlueScreenView is a new utility that allows you to view the details of all ‘Blue Screen of Death’ crashes that occurred in your system.

It automatically scans all the minidump files created during ‘blue screen of death’ crashes, and displays the information about all crashes in one table. For each crash, BlueScreenView displays the minidump filename, the date/time of the crash, the basic crash information displayed in the blue screen (Bug Check Code and 4 parameters), and the details of the driver or module that possibly caused the crash (filename, product name, file description, and file version).
BlueScreenView also displays the list of all drivers loaded during the crash, and it allows you to view a blue screen window which is very similar to the one that Windows displayed during the crash.

For more information about this utility, go to the BlueScreenView Web page.

The MetarWeather utility has a new feature that allows you to view the latest METAR weather reports on the Google Earth map.
In order to use this feature, simply select the desired METAR report lines, go to ‘Save Selected Items’ (Ctrl+S), choose KML in the file type combo-box, and save the file. After that, you can open the saved .kml file in Google Earth, and view the METAR reports on the earth map.

Here’s a sample result of METAR reports in Google Earth:

As I already reported in the past, MessenPass, my password recovery tool for Messenger applications, is falsely detected as Virus/Trojan/Malware by many Antivirus programs.

Currently, according to this VirusTotal report, 18 out of 41 Antivirus programs show a virus alert for the MessenPass utility.

So I decided to make a nice test. I took the same code of MessenPass, and recompiled it with different compiler optimization options.
I also left it without the UPX compression that I usually apply to all my utilities.
I posted the new build of MessenPass for testing on the VirusTotal Web site, and here’s the amazing result:

Only 2 out of 41 Antivirus programs trigger a virus alert for the new build of MessenPass.
Just to be clear: it’s still the same version of MessenPass (v1.26) as the original MessenPass with the 18 Antivirus alerts.
I simply compiled the same code of MessenPass with different compiler options.
Avoiding UPX compression also helped a little, because after compressing the same file with UPX, I got 5 virus alerts.

Currently, this build of MessenPass is only posted in this blog, while I left the original build on the MessenPass Web page.
It’ll be interesting to see whether the Antivirus companies read or scan my blog.
If they do, the number of virus alerts for this MessenPass build will increase very soon…

After a few hours with the new ‘who loves you’ scam Web site, the msn-blocked Web site once again redirects all users to msnpass.info.
But now msnpass.info shows a new screenshot of password-recovery software, instead of the screenshot of MessenPass. I don’t know if this screenshot is based on real existing software, or if it’s just a completely fake screenshot created by the msnpass.info owner.

Finally, the owner of msnpass.info decided to stop selling my MessenPass software.
The Web page of msnpass.info still exists, but all visitors of msn-blocked.com are now redirected to a new Web site that is hosted on the same IP addresses as msnpass.info.
The new Web site is oh-love.me, and like msnpass.info, it’s hosted with multiple host names, like http://d.oh-love.me, http://c.oh-love.me, http://b.oh-love.me, and others.

This Web site is also in French, so I used Google Translator to find out what exactly this Web site offers the users, and here’s the result:
Welcome to oh-love.me, You always wanted to be able to read minds of others? Power who secretly pinching for you? Your dream will come true soon! With oh-love.me, you will be able to know the name of the boy or girl who secretly loves you! It’s super easy, you simply send an SMS that you will be shown by clicking on the flag of your country. By entering the code magic optenu on the site, you immediately know the name of your claim or your prétendante secret!

I don’t know what exactly the users get when they send the SMS, but there isn’t any utility on the NirSoft Web site that can do that 🙂

Also, Firefox/Google blocked the entire domain of msn-blocked.com, so now all the Firefox visitors are redirected to the msn-block.info domain (like s502.msn-block.info and many others),
while the users of Internet Explorer are still redirected to the msn-blocked.com domain, because IE doesn’t block it.

It looks like whoever is behind these scams works around the clock just to keep them alive…

And some more good news… I received another email from Allopass, and now they say that they are going to cut the account that was used for selling my MessenPass software.
I guess that even after the Allopass account is closed, the scam owner won’t give up, and will open a new account with Allopass or with another similar payment company.

msn-blocked.com and msnpass.info are a pair of scam Web sites in French that have been extremely active in the last few weeks.
The first one, msn-blocked.com, asks innocent users to type their MSN user/password, and then floods all their contacts with fake instant messages that invite them to join the msn-blocked Web site and enter their user/password too.
The second one, msnpass.info, offers the users of msn-blocked.com the chance to purchase the MessenPass utility of NirSoft through the SMS payment system of allopass.com, misleading French users who don’t know that this utility is available for free at www.nirsoft.net.

As I already reported in my previous posts, these Web sites were hosted at the ovh.net hosting company, but in the last few days the owner of these scams moved most of the servers to another hosting company, EURO-WEB Servers renting, which is also a hosting company in France. Although most of the activity moved to the new hosting company, some of the servers are still active at the previous hosting company, ovh.net.

The host names in the new hosting company are:

…And there are possibly more…

Ridiculous Answer From Allopass.com

In the previous post, I reported that there was no answer from the Allopass payment company that is used as a part of the msnpass.info/msn-blocked.com scam.
After a while, they sent me their ridiculous answer to my complaint about these scams, and here’s the quote from their response:
Please apologize for this late answer. As a payment system provide, Allopass is not entitled to take side in this kind of dispute. However, we just notified the publisher of http://www.msnpass.info/ of your complaint, and now look forward to his reply.

So Allopass doesn’t want to “take side” in this issue, but they actually enjoy taking their side in sharing the revenue with the msnpass.info owner.
Each time a new innocent victim pays for my MessenPass software on the msnpass.info Web site, the Allopass company also gets its share of the SMS revenue, together with the msnpass.info scam owner.
But the main problem with msnpass.info is not the act of illegally selling NirSoft software, but the fact that this Web site gets all its traffic by spamming the MSN Messenger accounts of innocent people with fake messages generated by the msn-blocked.com Web site.

As you can see from the Alexa ranking, the traffic of the msn-blocked.com Web site continues to grow, and in recent days it reached a new record:

Most of the traffic of msn-blocked.com comes from countries with French speakers: France, Belgium, Switzerland, and a few more.

How This Scam Works

If you still don’t understand how exactly this scam works, and how these scam Web sites get so much traffic, here’s a simple explanation of the viral spreading done by these Web sites.
For the examples below, User X, User Y, and User C are French speakers who constantly use MSN or Live Messenger to chat with their friends.

  1. User X gets an instant message in MSN from his good friend, User Y, that recommends he visit the msn-blocked.com Web site (and User X doesn’t know yet that this is a fake message generated by the msn-blocked.com Web site).
  2. User X visits the msn-blocked Web site and enters his MSN user name and password, assuming that it’s a safe Web site, because User Y, his good friend whom he trusts, sent him to this site.
  3. After he gives his MSN user name/password to msn-blocked, this Web site connects to the MSN account of User X and sends fake instant messages to all his contacts!
  4. Now Users C, D, E, F, and others, who are in the contacts list of User X, receive the fake invitation message from User X, and some of them, like User X, make the same mistake, go to the msn-blocked Web site, and give their user name/password.
  5. On User X’s side, the msn-blocked page is loaded and displays his contacts list for a few seconds.
  6. After a few seconds, the Web site suddenly redirects to the www.msnpass.info Web site.
  7. The www.msnpass.info Web site offers User X a download of my MessenPass software through the SMS payment system of allopass.com.
    User X still doesn’t know that all his contacts received the fake instant messages in his name, and he thinks that msnpass.info is a good Web site recommended by his friend. And of course, User X doesn’t know that the MessenPass utility is available to download for free at the NirSoft Web site.
  8. User X sends an SMS and gets the code for downloading my MessenPass software, assuming that User Y recommended that he do so.
  9. When User X sends the SMS, the payment is shared between the scam owner, the Allopass payment company, and the phone company.
  10. After a while, User C, a friend of User X, asks him about the link he sent him earlier.
    User X doesn’t remember sending any link to User C, and he starts to understand that msn-blocked.com sent fake messages to all his contacts.
    But it’s already too late. Some of User X’s contacts, who received the same fake invitation message, already gave their MSN user/password and continued the viral spreading of the msn-blocked scam.
  11. User X, angry about the embarrassment that this Web site caused him, browses to the msn-blocked.com link again and reports it as ‘Web Forgery’ from the Web browser interface.
    After a while, the Web address reported by User X will be blocked by Firefox/Google and other Web site blockers, but it won’t help the next victims much, because the scam owner constantly modifies the Web site address. For example: if User X received the Web site address as s12.msn-blocked.com, the next victims will get a new address like s35.msn-blocked.com, and thus it won’t be blocked for the next victims.
  12. The owner of the msnpass.info and msn-blocked sites accumulates more and more money from the SMS system, allowing him to pay more for the hosting services and to extend his scam Web sites to more servers.
  13. Due to the nature of “viral spreading” like in this scam, the number of users visiting these sites grows exponentially, and the scam owner rents more and more servers in order to serve all the site “visitors”.
    The scam owner probably relies on payments from the Allopass system for paying for the new hosting servers.
  14. The Allopass company also enjoys the scam of msnpass.info and gets its part of the revenue, without caring about the nasty way that the visitors are sent to the msnpass.info Web site, and without caring about the violation of my intellectual property rights, even if it’s against their own conditions of use.
  15. It’s possible that all MSN user/passwords provided by users on the msn-blocked Web sites are collected into a large database of passwords to be used later for identity theft and other crimes.
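The host rotation described in step 11 is the reason a report against one exact address protects nobody else. The following sketch is an added example, not code from NirSoft or from any browser blocklist: it compares exact-host blocking with blocking the whole registrable domain, and flags domains seen under many host names. The function names, the threshold, and the hosts marked as constructed are assumptions made for illustration.

```python
from collections import defaultdict

def registrable_domain(host):
    # Assumption: the registrable domain is the last two labels. That is true
    # for the .com/.info/.me names in this post; production code must use the
    # Public Suffix List so shared suffixes (co.uk, hosting zones) are handled.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def blocked_exact(host, reported_hosts):
    # Blocks only the precise host name a victim reported.
    return host.lower() in reported_hosts

def blocked_by_domain(host, reported_hosts):
    # Blocks every host under the registrable domain of any reported host.
    domains = {registrable_domain(h) for h in reported_hosts}
    return registrable_domain(host) in domains

def rotating_domains(observed_hosts, min_hosts=3):
    # Group observed hosts by registrable domain and return the domains that
    # appear under at least `min_hosts` distinct host names (rotation signal).
    seen = defaultdict(set)
    for host in observed_hosts:
        seen[registrable_domain(host)].add(host.lower())
    return {d: sorted(h) for d, h in seen.items() if len(h) >= min_hosts}

# The single address User X reported in step 11.
REPORTED = {"s12.msn-blocked.com"}

# Hosts quoted in the posts, plus two constructed entries for the demo.
OBSERVED = [
    "s12.msn-blocked.com", "s35.msn-blocked.com",    # quoted in step 11
    "s77.msn-blocked.com",                           # constructed
    "s502.msn-block.info",                           # quoted in a later post
    "b.oh-love.me", "c.oh-love.me", "d.oh-love.me",  # quoted in a later post
    "www.example.org",                               # constructed, benign
]

if __name__ == "__main__":
    for host in OBSERVED:
        print(f"{host:24} exact={blocked_exact(host, REPORTED)!s:5} "
              f"domain={blocked_by_domain(host, REPORTED)}")
    print(rotating_domains(OBSERVED))
```

Domain-level blocking covers every sNN host under msn-blocked.com, but a move to a newly registered domain such as msn-block.info still needs a fresh report, which is why the rotation check is kept as a separate signal.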

That’s all for now.

You are welcome to add your comment about Allopass behaviour in this matter, and whether they should continue to provide their payment services for the nasty scam Web sites that I described above.

LiveContactsView is a new utility that allows you to easily view all your contacts stored by Windows Live Messenger, inside the contacts.edb database.
Like in all NirSoft utilities, you can select the desired contacts and export them to a text, csv, html, or xml file, or you can copy them to the clipboard and paste them into a spreadsheet application.

LiveContactsView is available to download from here.

As I predicted in my previous post about MessenPass false positives, the number of false positive alerts in the new version of MessenPass increased to 17, according to the VirusTotal report.

The new false alerts are:

a-squared – Trojan.Generic!IK
AntiVir – SPR/PSW.Messen.DC
Antiy-AVL – PSWTool/Win32.Messen.gen
Comodo – UnclassifiedMalware
Fortinet – HackerTool/Messen
McAfee-GW-Edition – Riskware.PSW.Messen.DC
ViRobot – Not_a_virus:PSWTool.Messen.64512.B

A few days ago, I released a new version of MessenPass. According to the VirusTotal Web site, so far there are only 10 Antivirus programs that detect a threat or infection inside mspass.zip:

If you wonder why I say the word ‘Only’, that’s because the previous version of MessenPass (v1.24) has false alerts in 25 Antivirus programs:

The reason for the decrease in false positives is probably that most Antivirus programs don’t find the byte sequence that they used to detect the previous version of MessenPass.
Unfortunately, in the next days/weeks, these Antivirus companies will probably add the new MessenPass to their databases, and the number of false alerts will increase back to around 25.
In the next few days, I’ll closely watch the changes in MessenPass false positives, and I’ll post an update when the number of false alerts increases significantly.