DATE: Nov. 1, 2007

Tucson Newspapers detects infected online advertisements

Tucson (AZ) - Tucson Newspapers detected an infection Thursday in an online advertisement circulating among news companies and Internet businesses in the country.

The Web sites are not involved with the infection, only the banner advertisement. The ad in question was removed immediately from the Tucson Newspapers Web sites.

So far, the ads identified with the bug are for poetry.com and shoe-shop.com and have appeared on major news sites across the country.

When a user visits a Web site with the infected banner ad, they are redirected to a site called malware_scan.com, which then attempts to install an application. In some cases, a file called "xpupdate.exe" has been installed on a user's PC and a registry entry made called "Windows update loader".

In most cases, there are two dialogue boxes that appear to users: "MallwareAlarm will scan your systems for threats" and "MallwareAlarm will perform a quick and completely FREE scan of your system." A fake scanner screen shows up. If a user is running Internet Explorer on Windows, they will see the prompts at the top of the page.

To prevent this hijack attempt, Tucson Newspapers recommends users block access to malwarealarm.com, newbieadguide.com, and malware-scan.com. And delete the files from your PC and registry.

Tucson Newspapers is the agency that handles all business functions for Tucson's two daily newspapers, the Arizona Daily Star (morning and Sunday) and the Tucson Citizen (evening), and its three major Web sites, azstarnet.com, tucsoncitizen.com and tucson.com.

For further information, please contact:
Dru Meredith
Tucson Newspapers
dmeredith2@tucson.gannett.com
(520) 434-4099