Malware Domain List

Malware Related => Malicious Domains => Topic started by: sowhat-x on March 01, 2008, 12:34:08 pm

Title: Few unsorted - Part 2
Post by: sowhat-x on March 01, 2008, 12:34:08 pm
Ok, since 'part 1' turned out to be quite long, rotfl...
thought it's about time we spawn a new thread...  ;)


Play with numbers/names and the like,
it needs way too much time moving around in circles...
Edit: Removed a couple that were already spotted...
Title: Re: Few unsorted - Part 2
Post by: JohnC on March 01, 2008, 05:10:14 pm
Thank you, these will be added during next update.
Title: Re: Few unsorted - Part 2
Post by: sowhat-x on March 02, 2008, 03:01:15 pm
...was googling for service-google.cn above, and came across this nice thread here...
some of them we've also seen before - these lamers certainly don't intend to give up at anytime:
http://forums.mozine.cn/lofiversion/index.php/t20845.html
I copy/paste them here for the sake of easiness, credits of course go up to kaji...


First page of google results also returned this...
Quote
hxxp://www.jkpk1000.com/url.txt
Title: Re: Few unsorted - Part 2
Post by: tjs on March 03, 2008, 09:08:30 pm
Title: Re: Few unsorted - Part 2
Post by: tjs on March 03, 2008, 09:56:48 pm

All win32 binaries...
Title: Re: Few unsorted - Part 2
Post by: sowhat-x on March 10, 2008, 01:52:13 am
_pusher_ was kind enough to supply me with these forum spammers' addresses,  :)
http addresses pointing to malware there as well...

Title: Re: Few unsorted - Part 2
Post by: sowhat-x on March 10, 2008, 04:34:11 am
Quote
hxxp://520sb.cn/dir/index_pic/1.js
hxxp://520sb.cn/dir/index_pic/csrss.pif
Search around in there, there are various exploits...
We already had a domain '1.520sb.cn' in the list,
didn't play around by changing the number though...
Title: Re: Few unsorted - Part 2
Post by: sowhat-x on March 21, 2008, 02:18:04 am

Among the above, there exist quite a few pseudo-extensions,
and a couple of them were not .exes, but 'rotating' downloader lists...
Title: Re: Few unsorted - Part 2
Post by: JohnC on April 06, 2008, 03:24:23 pm
Thank you.
Title: Re: Few unsorted - Part 2
Post by: tjs on April 15, 2008, 05:32:59 pm
Trojan-Spy.Win32.Goldun: hxxp://voena.net/get.php

TJS
Title: Re: Few unsorted - Part 2
Post by: sowhat-x on May 02, 2008, 03:32:17 pm
==============================

Also a downloader list...
Quote
hxxp://www.qisihuisheng.net/new.txt
It currently serves:
Quote
hxxp://1.tianxiayouzei.com/ma/1.exe
Up to...
Quote
hxxp://1.tianxiayouzei.com/ma/23.exe
==============================

Quote
hxxp://goto.stred.biz/
It redirects to...
Quote
hxxp://sex-tube20008.com/freemovie/958/5/
And eventually leads to...
Quote
hxxp://adultyoutube-18.com/soft/zoredgotdft/502d240e3d5/MediaTubeCodec_ver1.958.5.exe
Win32/Tibs according to Microsoft...VirusTotal results per moment: 5/31 (16.13%)
Title: Re: Few unsorted - Part 2
Post by: JohnC on May 02, 2008, 05:24:48 pm
Thank you.
Title: Few unsorted - Part 3...
Post by: sowhat-x on May 05, 2008, 10:26:42 am
...time for a new round ;-)

.ani-based exploits...

At the moment, they lead to the following .exes...


Quote
hxxp://onlinevideosoftex.com/exe2/4912954.exe
hxxp://onlinevideosoftex.com/exe2/msetup.exe

Quote
hxxp://fanduizd.cn/hb/1.exe
Up to...
Quote
hxxp://fanduizd.cn/hb/29.exe

Quote
hxxp://d.93se.com/listo.txt
hxxp://d.789fa.com/d/1.exe
hxxp://d.789fa.com/d/2.exe

Quote
hxxp://9797aini.com/x.txt
hxxp://9797aini.com/x.exe
hxxp://147.232313.cn/down/down.exe

Various iframes and exploits here, dig more if you want...

And even more crap here, sorted alphabetically for easiness...
Title: Re: Few unsorted - Part 3...
Post by: jimmyleo on May 06, 2008, 04:38:54 am
hoho the unsorted seem like great sort work.. ;D
many of them are password stuff..
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 06, 2008, 09:09:52 am
Quote
hoho the unsorted seem like great sort work..
He-he, actually, I got a bit 'lucky' yesterday, when I stumbled upon this:  ;D
http://lineage.paix.jp/guide/security/virus-listall.html
But it took me more than a couple of hours of sorting/grepping/downloading,
in order to verify what crap is actually still alive there...

Here's also the "last modified", in order to simply gather newer samples...
http://lineage.paix.jp/guide/security/virus-lastmodified.html
There are also blocklists/hosts files of the above,
these guys there have done a really nice work...
http://lineage.paix.jp/guide/security/virus-url.html
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 06, 2008, 09:54:45 am
Rotflmao!  ;D
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 06, 2008, 02:34:04 pm
Quote
many of them are password stuff...
Heh, yeah...I know this might sound like I had been living in cages or so...  ;D
But well, you see, I don't play games at all...all these months,
I wasn't really aware of what kind of stuff/info they steal exactly...
I was under the impression that it was more or less stupid teenager skiddie hacks:
e.g. raising the high score via dll injection,
flooding other players with specific packets or something like that...

...but they explained it to me in more detail over at the irc, he-he...and well,
I was quite a bit surprised to learn that there are people out there,
that actually buy and sell the 'stealed' data for...real-world money (!) :o
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 08, 2008, 11:54:49 am
Zlob spammers again..."sex18tube2008.com" as usual:
Quote
hxxp://vmcodec.com/download/502/1027/3/
hxxp://vmcodec.com/soft/zreshkubupo/502883e8813/MediaTubeCodec_ver1.1027.3.exe
VirusTotal Results at the moment: 10/31 (32.26%)
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 08, 2008, 06:25:56 pm
...just stumbled upon this: it's the usual Zlob spammers...
41.94% detection rate at VirusTotal currently - somewhat better compared to the previous sample...
Quote
hxxp://porntl0.nov.ru/
hxxp://best-porncollection.com/exclusive4/id/3913290/1/black/white/Free+porn+site+xxx.+Free+porn+movie/
hxxp://onlinevideosoftex.com/exe2/3913290.exe
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 09, 2008, 09:06:05 pm
Zlob once again...domain already listed above...VirusTotal results: 8/31 (25.81%)
Seems that they like to 'update' it quite a few times per day lately...
Quote
hxxp://vm-codec.com/soft/zreguomgrrf/502d240e3d5/MediaTubeCodec_ver1.958.5.exe
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 10, 2008, 05:09:03 am
Newer day, newer Zlob variant spammed in forums around the net...
Quote
hxxp://www.avitool.com/download.php?id=619 -> Spawns setup.exe / latest zlob...
VirusTotal detection rate at 6/31 (19.36%) currently - MD5: 20849eb7ebd7b30affe64a303870c9ec

And the infection sites that lead to it as well...
because from what I saw, avitool.com already exists in the main list:
Quote
hxxp://www.tubeuniverse.com/mature/index.php?id=619&style=white
hxxp://www.tubecollections.com/m4/index.php?id=619&n=mature

Quote
hxxp://avp.zttwp.cn/1111.exe
MD5: f293f26776b4fc9571383123342ce628

Quote
hxxp://bh.jebooo.com/w3.exe
MD5: 9BFBF90E1F53C34E0BEF42166FAE1B39

Zlob spam continued...
Quote
hxxp://lllblog.info/gratis-porno/
hxxp://best-porncollection.com/exclusive/id/3913098/1/white/black/Sexo+Gratis/
hxxp://onlinevideosoftex.com/exe2/3913098.exe


Oh shit...KillDisk / MBRKiller:
Quote
hxxp://hotbb.cn/kdh.rar

Few more random ones...
Title: Re: Few unsorted - Part 3...
Post by: JohnC on May 11, 2008, 08:49:54 pm
Thank you.
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 13, 2008, 05:54:40 am
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 29, 2008, 07:51:42 am
Quote
Is it time for more?
I've spent most of my spare time during these latest days,
in gathering/submitting skiddie tools and similar over at UploadMalware...
Hopefully I'll have more time available in order to also hunt for domains...  ::)
These few ones were posted over at Unpack.cn board...
most of them are from a downloader list:
Quote
hxxp://www.dwoc.net.cn/uc.txt

============================

And something quite interesting here...
Downloader.Swif.C per Symantec, EXP/Flash.Gen per AntiVir:
Quote
hxxp://user1.kugogo.net/flash2.swf
hxxp://user1.kugogo.net/flash1.swf
Current results at VirusTotal: 3/32 (9.38%)
Title: Re: Few unsorted - Part 3...
Post by: JohnC on May 29, 2008, 06:59:56 pm
Thank you.
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 30, 2008, 04:13:28 am
Heh,here's another smart-ass guy...
in a lame 'phishing' attempt of imitating Google's webpage:
Quote
hxxp://ultrasat.110mb.com
It spawns a Bifrost variant...
Quote
hxxp://ultrasat.110mb.com/exploit.exe

...from a downloader's list...
Quote
hxxp://www.dtdtdk.net/dk.txt

Quote
hxxp://umka.lapudrel.com/download?n=core&u=0x00cd1a40&a=0x00000204&v=0x00000006&t=20080107151500
hxxp://conceptinvestin2.com/ldr/?&v=4.Build&s=24367
hxxp://jimm.007ihost.com/gate/gate.php
hxxp://rusarticles.net/flash/1.exe
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on May 30, 2008, 11:21:52 am
A trip to the MS-exploitland here...
====================
Googling for "nnselect.js" also returns a few random injection results...
Title: Re: Few unsorted - Part 3...
Post by: JohnC on May 30, 2008, 06:11:23 pm
Thanks.
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on June 04, 2008, 01:52:04 pm
Newer Zlobs...
Quote
hxxp://brakecodec.com/download/brakecodec1363.exe -> Result: 7/32 (21.88%)
hxxp://getadultaccess.com/soft/temp/0_744878f_0/XXXmediaCodec_ver1.5051.0.exe -> Result: 12/32 (37.5%)
hxxp://soft-portal08-08.com/soft/zmtmalouugc/502142949d0/MediaTubeCodec_ver1.376.0.exe -> Result: 7/32 (21.88%)
Coming from...
Quote
hxxp://www.tembi.cn/porn/
hxxp://www.freeworldaccess.info/video1/
hxxp://getadultaccess.com/flash2/?aff=5051
hxxp://brakesex.net/aze/1807750957/1/player.php?m=bW92Mi53bXY=&id=1363
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on June 04, 2008, 04:21:22 pm
Various downloader lists...
Quote
hxxp://www.tongji123.org/ok.txt
hxxp://www.dtdtdk.net/dk.txt
hxxp://www.alanga.net/axi.txt
hxxp://www.xiaobai01.net/update.txt
hxxp://www.zuoyouweinan.com/ws.txt

Currently they're serving the following, plus a few randomly gathered ones...

Title: Re: Few unsorted - Part 3...
Post by: JohnC on June 04, 2008, 10:22:29 pm
Thanks.
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on June 05, 2008, 03:52:04 pm
Quote
hxxp://513389.cn/808.txt
Or...
hxxp://513389.cn/yy.txt
--->
Quote
hxxp://163a.optioner.cn/y0.exe
Up to...
hxxp://163c.optioner.cn/y28.exe
Plus...
Quote
hxxp://163a.optioner.cn/yd.exe
=================
Quote
hxxp://w.117b.cn/config.txt
Or...
hxxp://www.mvoe.cn/config.txt
--->
Quote
hxxp://www.345bi.cn/new/01.exe
Up to...
hxxp://www.345bi.cn/new/30.exe
Plus...
Quote
hxxp://www.345bi.cn/new/are.exe
=================
Quote
hxxp://exe.wokaixin.com/014.exe
hxxp://windows.loveyoushipin.com/win.exe
hxxp://www.makgcat.com/sse.exe
hxxp://dm.htifns.com.cn/vv.exe
hxxp://www.userlg.cn/css.gif
hxxp://xia.iphone001.com/down/014.exe
hxxp://xia.iphone001.com/down/abd.cab
Title: Re: Few unsorted - Part 3...
Post by: JohnC on June 05, 2008, 09:10:06 pm
Thanks.
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on June 09, 2008, 04:06:27 am
Just a couple of bot-related malware....found them while browsing ryan1918 forums...
seems that these lamers are still up and running...  >:(

Quote
hxxp://66.29.25.194/~tspoiler/catalog/imgs/logo.gif
hxxp://app4.websitetonight.com/projects/6/6/5/5/665506/uploads/sn.no-ip.info.exe
Title: Re: Few unsorted - Part 3...
Post by: sowhat-x on June 09, 2008, 07:57:43 am
Quote
hxxp://karate-passarino.it/video1.exe
hxxp://impresalavoro.it/video1.exe
hxxp://www.quinotizie.info/video.exe
hxxp://www.flexistav.cz/video1.exe
hxxp://anykindmp3.com/download/get.php?id=4029
hxxp://aviinstrument.com/mp3download.php?fn=MP3-Track%2B03.mp3&id=4029

Also, check out this one...
Quote
hxxp://androsik.blogspot.com/
All external links in here are malware...and it seems like it's regularly "updated" as well...  >:(
Title: Re: Few unsorted - Part 3...
Post by: JohnC on June 09, 2008, 05:29:15 pm
Also, check out this one...
Quote
hxxp://androsik.blogspot.com/
All external links in here are malware...and it seems like it's regularly "updated" as well...  >:(


Searching for "NEW Viagra Super Active !! Your Coupon" finds a couple of others as well. Either spam, malware or both.

http://empresas-chile.blogspot.com
http://citizenhiphop.blogspot.com/
http://garbagegarbage.blogspot.com/


Also related to the "you look really stupid" spam

http://aceita-este-poema.blogspot.com

Which is Exchanger related: http://www.malwaredomainlist.com/forums/index.php?topic=1853.0