kisswow.com.cn

[cconniejean]

hxxp://www.kisswow.com.cn/

The above is the most I can get, I got a iframe alert and my computer totally attacked.

I did look at this at vURL, so I kinda of see what it is doing.

[Evilcry]

Hello,

From a fast analysis the other extracted intersing Websites are:

Code: [Select]

hxxp://www.ririwow.cn/14.htm
hxxp://www.ririwow.cn/real.htm
hxxp://www.ririwow.cn/real11.htm
hxxp://www.ririwow.cn/07004.htm
hxxp://js.users.51.la/1866439.js

kisswow.com.cn implements an exploit (MDAC - MS06-14), you can see it by strcat()ting the clsid, tha is clsid:BD96C556-65A3-11D0-983A-00C04FC29E36

ririwow.cn/07004.htm implements another exploit Microsoft Windows VML Element Integer Overflow Vulnerability clsid:10072CEC-8CC1-11D1-986E-00A0C955B42E

and from comes out another intersting link hxxp://www.ririwow.cn/14.htm

Code: [Select]

hxxp://dj.jueduizuan.com/ri.exe
that I'm going to reverse

Regards,
Evilcry

[sowhat-x]

...welcome on board,Evilcry - nice to have you around here

[Evilcry]

Thank you sowhat

ri.exe is  Trojan.Win32.Agent.lpv, better known as TR/Dropper.Gen

Regards,
Evilcry

[JohnC]

Thank you.

[cconniejean]

Thank you for the answers. I started out trying to check a link to a credit card portal and got a exploit alert from my software. So I tried to google the link instead and got hit with alerts again for exploits being blocked to my computer. Thanks again.