Beware of malicious Rapidshare links sent to you by a friend.

I’ve got this e-mail from my former classmate about a week ago:

Followed by another one last night:

Needless to say, the links point to malware. The first URL was taken down. But the last one is still active, though I hope the abuse team at will see my report soon enough.

The e-mail’s To: address list includes other friends and relatives of the sender. This suggests that the e-mail was sent by the malware running on his computer, through his Yahoo! Mail account using his address book and not through spam. This trend may create challenges to e-mail filtering software and gives a certain amount of credibility to the message itself that may fool many people.

The URL leads you to an executable that then downloads various malicious software from “” affiliate network and its related sites.

The “The Installs” network is one of the so-called PPI (Pay Per Install) partner sites, where an affiliate can earn $0.15 for installing “special” software on a US-based PC. One method to earn an “install” is to spread malicious e-mails like the one described above. The most common end result is “fake anti-virus” software deployed to a controlled PC forcing its owner to pay ~$40 to stop being annoyed for awhile.

The site appears to be owned and operated by a Russian gang and was known to be malicious since early 2008

So far it has managed to avoid the fate of other Russian partner networks responsible for “rogue anti-virus” software distribution.

The network graph below reveals other related PPI sites, like the YA! which is ready to share 70% of its “pay-per-install” revenue with those who bring the “installs”.

$ whois
OrgName: Internet Services, Inc.
OrgID:      TPCM
Address:    315 Capitol
Address:    Suite 205
City:       Houston
StateProv:  TX
PostalCode: 77002
Country:    US
network:IP-Network-Block: -