Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on August 25, 2009, 08:57:47 pm

Title: PharmSpam Domains
Post by: eoin.miller on August 25, 2009, 08:57:47 pm
Once a host is infected it starts sending out pharmspam; the host checks in here:
91.207.4.26/spm/s_alive.php?id=465685358604&tick=4280384&ver=102&smtp=ok

Gets email address list along with spam subject/body:
91.207.4.26/spm/s_tasks.php?id=465685358604&ver=102

...snip...
<text>
From:VIAGRA.INC<suport@mkanmz.viagra.com>
Subject:###  long sex! ###
MIME-Version: 1.0
Importance: High
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Drug Online Your discount
Looks like : Small blue diamond-shaped pills  http://canadian.zxohiyoy.cn
</text>
...snip...


Various domains used in the spam body. All are prepended with canadian (seems like more good ol' pharmspam). All resolve to 222.186.13.57 (APNIC).

crobeziq.cn
htumiwex.cn
wdehiqeb.cn
xkigokon.cn
zxohiyoy.cn

The above IPs/domains aren't in the list yet, so I thought I would share.
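A defender-side parser for the beacon and task traffic described above, as an added example that is not part of the original post: it flags proxy-log requests shaped like the s_alive.php / s_tasks.php check-ins (on any host, tagging the C2 IP from the post), extracts the bot id, and pulls the landing-page domains out of a tasks response's `<text>` blocks for blocklisting. The proxy log line format and the response fragment are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

BEACON_RE = re.compile(r"/spm/(s_alive|s_tasks)\.php$")   # endpoints seen in the post
C2_HOSTS = {"91.207.4.26"}                                 # check-in host from the post

# Constructed proxy log lines (not from the post): "timestamp client method url"
SAMPLE_LOG = """\
2009-08-25T20:57:47Z 10.0.0.12 GET http://91.207.4.26/spm/s_alive.php?id=465685358604&tick=4280384&ver=102&smtp=ok
2009-08-25T20:57:49Z 10.0.0.12 GET http://91.207.4.26/spm/s_tasks.php?id=465685358604&ver=102
2009-08-25T20:58:01Z 10.0.0.33 GET http://www.example.com/index.html
"""

# Constructed s_tasks.php response fragment, shaped like the snippet in the post.
SAMPLE_TASK = """<text>
Looks like : Small blue diamond-shaped pills  http://canadian.zxohiyoy.cn
</text>"""

def classify_beacon(url):
    """Return (kind, bot_id, known_c2) if url matches the check-in protocol, else None."""
    parts = urlsplit(url)
    m = BEACON_RE.search(parts.path)
    if not m:
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "id" not in q or "ver" not in q:  # both endpoints carry id and ver
        return None
    kind = "checkin" if m.group(1) == "s_alive" else "task_fetch"
    return kind, q["id"], parts.hostname in C2_HOSTS

def scan_log(text):
    """Flag beacon-shaped requests; the path/query shape still matches if the C2 IP moves."""
    hits = []
    for line in text.splitlines():
        ts, client, _method, url = line.split(maxsplit=3)
        b = classify_beacon(url)
        if b:
            hits.append({"ts": ts, "client": client, "kind": b[0], "bot_id": b[1], "known_c2": b[2]})
    return hits

TEXT_BLOCK_RE = re.compile(r"<text>(.*?)</text>", re.S)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def spam_domains_from_task(body):
    """Extract landing-page hosts from each <text> block of a tasks response."""
    hosts = set()
    for block in TEXT_BLOCK_RE.findall(body):
        hosts.update(h.lower() for h in URL_HOST_RE.findall(block))
    return sorted(hosts)
```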