Author Topic: Few unsorted - Part 3  (Read 24193 times)


August 08, 2008, 06:42:04 am
Reply #30

sowhat-x

Quote
hxxp://scanner.power-antivirus-2009.com/setup/setup_1096_MHwzNXww_.exe
hxxp://pcprotectioncenter2008.com/download.php?aid=

Quote
hxxp://thehotcollegebabes.com/aplanet.exe
hxxp://thehotcollegebabes.com/a173.exe

August 08, 2008, 11:36:53 am
Reply #31

Kayrac

All from the same malware; some are call-home, others are exes :)

Code:
<@Kayrac> Host: www.fghie87134.com/bin/AGTMKCLSU.php?key=
<@Kayrac> Host: www.fghie87134.com/bin/AGTMKCLSF.php
<@Kayrac> Host: 121.125.68.121/Modules/T/fbpo3tqm6kdw.exe
<@Kayrac> Host: www.fghie87134.com/log/proc.php?mode=3&key=&maddr=000c29b80bd7
<@Kayrac> Host: www.fghie87134.com/bin/AGTMKCLSS.php?key=
<@Kayrac> Host: 121.125.68.121/wallpaper/baccarat3/JbWtghxOb4Cs.exe
<@Kayrac> Host: 121.125.68.121/wallpaper/baccarat3/W0UMSZNG0WkM.exe
<@Kayrac> Host: www.kjfbk07814.com/log/proc.php?key=JbWtghxOb4Cs
<@Kayrac> Host: www.fghie87134.com/bin/AGTMKCLSH.php?key=
<@Kayrac> Host: www.kjfbk07814.com/og/proc.php?key=W0UMSZNG0WkM

-Brian :)

August 09, 2008, 05:52:49 am
Reply #32

sowhat-x

One more 'hotcollegebabes' crap...seems to be reasonably detected though:
Quote
hxxp://thehotcollegebabes.com/mails.list

Quote
hxxp://fastupdateserver.com/zsa09/winsystem.dll -> Result: 5/36 (13.89%)
hxxp://fastupdateserver.com/zsa09/zs880000.exe -> Result: 11/36 (30.56%)

Detection rates over at VirusTotal are currently at about 20-25%...

Newer dl lists for the masses...  ;)

August 09, 2008, 04:17:37 pm
Reply #33

Kayrac

zlob variant from

Code:
http://flwinstrument.com/mp3download.php?fn=MP3-2%255B4%255D.mp3&id=1651
does a crapload

Code:
iexplorerclue.com/redirect.php
Host: 69.50.164.50/this/is/stereo/music.php?param=0;1651;1537
http://www.wav2008.com/?advid=177
http://www.topsafetysoft.com/soft/?c=616513
http://windows-defense.com/2009/1/_freescan.php?aid=880348

drops tons of files, installs a toolbar, tries to get you to dl AV 2008 etc etc

-Brian

August 10, 2008, 08:46:05 am
Reply #34

sowhat-x


August 10, 2008, 02:28:24 pm
Reply #35

sowhat-x

Plus one more... ;)
Quote
hxxp://snow-job.com/check/n14042.htm

PS: Thread closed for now... off to summer vacation for some time, he-he... ;)
I'll return fresh, fast and furious for "Few Unsorted - Part 4" though... ;D

August 13, 2008, 09:20:56 am
Reply #36

JohnC
