Author Topic: - others  (Read 3321 times)


December 15, 2008, 10:12:22 am
I am looking at the host because the MVPHosts file author is removing it. I wanted to understand why he was removing it, so I followed some of your links and found the following.

1. The download for the Acronis Disk Director is only pointed to by this site. The actual download comes from:

It also had one more link in the file: Disk Director Suite 10.0.html?

I couldn't find anything in the file from  that was amiss. I scanned the file that I downloaded from  (it had no copyright string and used the NullSoft installer) at . Only one scanner, Sophos Sweep, found anything wrong with it (Mal/TDSS-A).

2. The second one (Zlob trojan) also goes to this same host:

Again, packaged with the NullSoft installer, no copyright string. I didn't bother to scan it, but it will probably have similar results.

3. The third one (Trojan.Obfuscated.gx / Downloader) also pulled from the same host:
- says it is a keygen only, but we also have
- which isn't an EXE file at all but an HTML file.

What I was trying to understand was why Mike was removing this host. You may want to take a closer look at the host, since this seems to be the actual host the downloads are coming from. If I can remember, I will scan these files again in a few days to see if the scan count goes up. But it leaves me not knowing what to do. I am putting the whole mess up in your folder on my server. I did the following renames (the first because it really is an HTML file, the others to quarantine them):

VistaCodecs_v461.exe  ---> VistaCodecs_v461.html
Keygen.Acronis.Disk.Director.Suite.10.0c3098.exe --->
Keygen.Vista.Codec.Package.4.6.1c3098.exe --->
serial.XChat.2.8.7c3098.exe --->

All the stuff is in the following folder / files:

They are encrypted with the password "virus". What I am searching for is who should be blocked. It looks like the host is just the front end. If a scan in a few days turns up something better, I will be blocking  in my next hosts file upgrade. I will be removing the host, since all of its exploits are contained by my hosts file blocks and the PAC filter stops it anyway (too much negative stuff associated with warez). I have even driven the block of warez down into the URL.
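The checks the poster ran by hand (is the ".exe" actually an HTML page, is it an NSIS/NullSoft-built installer, does it carry a copyright string in its version resources) can be scripted. The following is an added example written for this page, not the poster's code or any tool named in the thread. It works on raw bytes, so it runs offline on constructed samples; the sample file contents and the file names other than VistaCodecs_v461.exe are invented for the demonstration, and the "Nullsoft" marker and UTF-16LE "LegalCopyright" key are string heuristics of the kind a `strings` pass would surface, not a full PE resource parser.

```python
"""Triage downloaded "installers": real PE or disguised HTML, NSIS-built,
and whether a LegalCopyright version string is present.  Added example."""
import sys
from dataclasses import dataclass

PE_SIGNATURE = b"PE\x00\x00"
NSIS_MARKER = b"Nullsoft"                      # stub banner in NSIS-built installers
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<script")
# PE version resources store strings as UTF-16LE; keep the ASCII form too.
COPYRIGHT_KEYS = ("LegalCopyright".encode("utf-16-le"), b"LegalCopyright")


@dataclass
class Triage:
    is_pe: bool
    looks_like_html: bool
    nsis_installer: bool
    has_copyright_string: bool

    @property
    def suggested_extension(self) -> str:
        """Extension the content actually warrants (the poster's rename rule)."""
        if self.is_pe:
            return ".exe"
        return ".html" if self.looks_like_html else ".bin"


def _is_pe(data: bytes) -> bool:
    """MZ header plus a valid e_lfanew pointing at the PE signature."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def triage_bytes(data: bytes) -> Triage:
    head = data[:512].lstrip().lower()          # HTML markers sit near the top
    return Triage(
        is_pe=_is_pe(data),
        looks_like_html=any(m in head for m in HTML_MARKERS),
        nsis_installer=NSIS_MARKER in data,
        has_copyright_string=any(k in data for k in COPYRIGHT_KEYS),
    )


def rename_plan(name: str, data: bytes) -> str:
    """Return the name the file should carry given its real content."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    want = triage_bytes(data).suggested_extension
    return name if "." + ext.lower() == want else stem + want


def _minimal_pe() -> bytes:
    """Constructed 68-byte MZ/PE skeleton: e_lfanew = 64, signature at 64."""
    return b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + PE_SIGNATURE


# Constructed samples standing in for the files discussed above.
SAMPLES = {
    # an "EXE" that is really a download page
    "VistaCodecs_v461.exe": (b"<!DOCTYPE html>\n<html><head><title>Download</title>"
                             b"</head><body>Click here</body></html>"),
    # NSIS-built binary with no copyright string (hypothetical name)
    "keygen_sample.exe": _minimal_pe() + b"\x00" * 16
                         + b"Nullsoft Install System v2.46" + b"\x00" * 8,
    # vendor-style binary declaring a copyright (hypothetical name)
    "vendor_sample.exe": _minimal_pe() + b"\x00" * 16
                         + "LegalCopyright".encode("utf-16-le") + b"\x00\x00"
                         + "Copyright (C) Example Corp".encode("utf-16-le"),
}


def triage_file(path: str) -> Triage:
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python triage.py file [file ...]
        for p in sys.argv[1:]:
            print(p, triage_file(p))
    else:
        for name, blob in SAMPLES.items():
            print(f"{name:24} -> {rename_plan(name, blob):26} {triage_bytes(blob)}")
```

Run with no arguments to see the constructed samples triaged; pass file paths to inspect real downloads. A missing LegalCopyright string or an NSIS stub is not malicious on its own (plenty of legitimate software ships that way), so treat these as the same quick "something is off" signals the post describes, to be confirmed by scanning, not as verdicts.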