Malware Domain List

Malware Related => Malicious Domains => BIGNESS - AS49093 => Topic started by: Malware-Web-Threats on September 06, 2009, 02:03:24 pm

Title: 195.88.191.46
Post by: Malware-Web-Threats on September 06, 2009, 02:03:24 pm
Directs to exploits:

Code:
kvumurij.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
Wepawet (http://wepawet.iseclab.org/view.php?hash=75783f610643801091842f8202a871b4&t=1252246166&type=js)

The site below doesn't seem to work, so I will check later if this domain redirects to a new one.

The URLs were:

Code:
ssesodoq.cn/uin/
ssesodoq.cn/uin/whichGoodS.pdf
ssesodoq.cn/uin/searchMakeChunk.swf
ssesodoq.cn/uin/update.php?id=5
ssesodoq.cn/uin/update.php?id=6
Wepawet (http://wepawet.cs.ucsb.edu/view.php?type=js&hash=9706c2be0df19ccce42de0a03a0c8c33&t=1251972741)

Also works:
Code:
ssesodoq.cn/uin/update.exe

VirusTotal (http://www.virustotal.com/analisis/600574b885cc10f6aa49735f3863f1496e6ad00a9b9aa06fab7ea04665ee0f0d-1251971916) - 8/41 (19.51%)
Threat Expert (http://www.threatexpert.com/report.aspx?md5=bfd36ecb13f503729a51887643b5b7e8)

It connects to 91.207.4.250 (see ThreatExpert) and starts spamming

Quote
GET spm/get_id.php
GET spm/page.php

Others on this IP:

http://www.malwareurl.com/listing.php?ip=195.88.191.46
http://www.malwaredomainlist.com/mdl.php?search=195.88.191.46&colsearch=All&quantity=50

Anything else?

http://www.bfk.de/bfk_dnslogger.html?query=195.88.191.46
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 06, 2009, 02:15:11 pm
Same as below:

Code:
ns1.vvukufan.com/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
ns1.jagbibiv.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
ns2.jagbibiv.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot

http://wepawet.iseclab.org/view.php?hash=94f15cbfb2fffd42daa369ad1c85eda7&t=1252247278&type=js
http://wepawet.iseclab.org/view.php?hash=e08d6e782c77ed81f7aa041a0aeadbc0&t=1252247286&type=js
http://wepawet.iseclab.org/view.php?hash=879f28c20c7cef91aaade18e0777f45e&t=1252247298&type=js
Title: Re: 195.88.191.46
Post by: cleanmx on September 06, 2009, 02:18:48 pm
The payload is not in the sub-dir /uin but in the root...

hxxp://ssesodoq.cn/update.exe

-- gerhard
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 07, 2009, 08:41:57 am
Interesting - another MD5

Code:
kvumurij.cn/update.exe
Wepawet (http://wepawet.iseclab.org/view.php?hash=455575b550ae3c6c3d39b44ac5e501c8&t=1252313514&type=js)
MD5: 455575b550ae3c6c3d39b44ac5e501c8

Code:
kvumurij.cn/2cv/update.exe
Wepawet (http://wepawet.iseclab.org/view.php?hash=230eb4adb27b2697e2076f34a73cab13&t=1252313522&type=js)
MD5: 230eb4adb27b2697e2076f34a73cab13

The exploit kit with URLs:

Code:
kvumurij.cn/2cv/
kvumurij.cn/2cv/dontLayoutDont.pdf
kvumurij.cn/2cv/wordA.swf
kvumurij.cn/2cv/update.php
kvumurij.cn/2cv/update.exe
kvumurij.cn/2cv/admin.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=b2e0d1a2a6bc191b0efc97c6cdce2ab7&t=1252313173&type=js)
VirusTotal (http://www.virustotal.com/analisis/29aeb3144b470ca9ec00bc0c379e9404a7fe0112c033b7323c0ba15ec97faf41-1252244759) - 4/41 (9.76%)

AVG: Packed.Monder
Kaspersky: Packed.Win32.Krap.x
Microsoft: Spammer:Win32/Tedroo.AA
Rising: Unknown Win32 Virus
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 07, 2009, 08:53:37 am
The ThreatExpert report also shows a connection to 91.207.6.242

The following GET requests were made:
Quote
spm/get_id.php
spm/page.php?id=231828&tick=231828&ver=112&smtp=ok&task=0

Threat Expert (http://www.threatexpert.com/report.aspx?md5=7f0d1d5ea68f22da7213fc246d1c2da4)
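The two posts above quote the spam bot's check-in requests (spm/get_id.php, then spm/page.php with id/tick/ver/smtp/task). The following is an added example, not code from the thread, ThreatExpert or any AV vendor: it parses a request URL into those fields and flags URLs that fit the observed shape. It assumes (my assumption, not stated in the reports) that page.php always carries those five keys with numeric id, tick, ver and task, and that get_id.php is fetched before page.php; the sample URLs and the example.com lookalikes are constructed.

```python
"""Parser/detector for the Tedroo check-in requests quoted above (added example;
not code from the thread, ThreatExpert or any vendor).

Observed in the reports:  GET spm/get_id.php
                          GET spm/page.php?id=231828&tick=231828&ver=112&smtp=ok&task=0
Assumptions (mine, not stated in the reports): page.php always carries the five
keys id, tick, ver, smtp, task, and get_id.php is fetched before page.php.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Accepts full URLs and the path-only form the reports use ("spm/get_id.php").
_SPM_PATH = re.compile(r"(?:^|/)spm/(get_id|page)\.php$")
_REQUIRED = ("id", "tick", "ver", "smtp", "task")
_NUMERIC = ("id", "tick", "ver", "task")


def parse_checkin(url):
    """Return a dict with 'endpoint' ('get_id' or 'page'), 'host' and the query keys, or None."""
    parts = urlsplit(url)
    m = _SPM_PATH.search(parts.path)
    if not m:
        return None
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fields["endpoint"] = m.group(1)
    fields["host"] = parts.hostname  # None for a path-only entry
    return fields


def is_tedroo_checkin(url):
    """True for get_id.php, or for page.php whose query has all five keys with numeric id/tick/ver/task."""
    f = parse_checkin(url)
    if f is None:
        return False
    if f["endpoint"] == "get_id":
        return True
    return all(k in f for k in _REQUIRED) and all(f[k].isdigit() for k in _NUMERIC)


def checkin_hosts(urls):
    """Hosts that served get_id.php followed (in list order) by a well-formed page.php beacon."""
    seen_get_id = set()
    hosts = []
    for u in urls:
        f = parse_checkin(u)
        if f is None or not is_tedroo_checkin(u):
            continue
        if f["endpoint"] == "get_id":
            seen_get_id.add(f["host"])
        elif f["host"] in seen_get_id and f["host"] not in hosts:
            hosts.append(f["host"])
    return hosts


# Constructed sample: the two requests from the reports against the IP named in the
# first post, plus two constructed lookalikes that must not match.
SAMPLE_URLS = [
    "http://91.207.4.250/spm/get_id.php",
    "http://91.207.4.250/spm/page.php?id=231828&tick=231828&ver=112&smtp=ok&task=0",
    "http://example.com/spm/page.php?id=abc",        # constructed: non-numeric id, keys missing
    "http://example.com/cms/page.php?id=1&tick=2",   # constructed: not under /spm/
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(is_tedroo_checkin(u), u)
    print("beaconing hosts:", checkin_hosts(SAMPLE_URLS))
```

The path check is anchored so that a /spm/ directory appearing deeper in an unrelated site still has to end in get_id.php or page.php; the host sequencing in checkin_hosts is what separates a real infection from a single stray request.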
Title: Re: 195.88.191.46
Post by: Serg on September 07, 2009, 10:09:19 am
Under Packed.Win32.Krap.x, Kaspersky means Email-Worm.Win32.Joleee
Title: Re: 195.88.191.46
Post by: SysAdMini on September 07, 2009, 10:19:14 am
Quote
Under Packed.Win32.Krap.x, Kaspersky means Email-Worm.Win32.Joleee

I always use the identifier "Tedroo" for this spamming trojan. Many AV vendors like Microsoft, Sophos, Bitdefender or Ikarus use this identifier.

Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 12, 2009, 06:10:04 am
Trojan:
Code:
mcanavib.cn/update.exe
pbigupaz.cn/update.exe
tbegicoz.cn/update.exe
wpupadop.cn/update.exe

Redirects to exploits:
Code:
mcanavib.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
pbigupaz.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
tbegicoz.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
wpupadop.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 12, 2009, 10:27:13 am
Redirects to exploits:
Code:
sexygallets.com/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&antibot_hash=2990857606&ur=1&HTTP_REFERER=
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 13, 2009, 12:35:57 am
Exploits:
Code:
nfovidab.cn/a1/
nfovidab.cn/a1/index_files/x1079.js
nfovidab.cn/stat1/index.php
nfovidab.cn/stat1/overEverIsnt.pdf
nfovidab.cn/stat1/anComes.swf
Wepawet (http://wepawet.iseclab.org/view.php?hash=f01d067f2779622248046fa7869db24f&t=1252799363&type=js)

Trojan Tedroo / Packed Krap:
Code:
nfovidab.cn/update.exe
VirusTotal (http://www.virustotal.com/analisis/81785371933472baadae99b67b2c05678d211eb7005ee473f24d1c7dfafa4e02-1252801376) - 31/41 (75.61%)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=34c5c9c1ef425aa17ff32c5cb457ed5a)

Trojan Dropper:
Code:
nfovidab.cn/stat1/update.php
nfovidab.cn/stat1/update.exe
VirusTotal (http://www.virustotal.com/analisis/5cb10692c9d0d167a53fd977423c4e89a91c75b42b2d8e6e572e541f0aae5a16-1252801392) - 5/41 (12.2%)
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 13, 2009, 09:32:41 pm
Redirects to exploits:

Code:
xguxerob.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot

http://wepawet.iseclab.org/view.php?hash=f17c505f84eaebe97f3a5bc1a9fd3359&t=1252877484&type=js
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 14, 2009, 01:05:02 pm
Exploits:
Code:
http://kzayopoq.cn/dj/
http://kzayopoq.cn/stat1/
http://kzayopoq.cn/stat2
http://kzayopoq.cn/2cv/
http://kzayopoq.cn/de/
http://kzayopoq.cn/rur/

http://kpizuyuw.cn/dj/
http://kpizuyuw.cn/stat1/
http://kpizuyuw.cn/stat2/
http://kpizuyuw.cn/2cv/
http://kpizuyuw.cn/de/
http://kpizuyuw.cn/rur/

Trojan:
Code:
http://kzayopoq.cn/update.exe
http://kzayopoq.cn/dj/update.exe
http://kzayopoq.cn/stat1/update.exe
http://kzayopoq.cn/stat2/update.exe
http://kzayopoq.cn/2cv/update.exe
http://kzayopoq.cn/de/update.exe
http://kzayopoq.cn/s/update.exe
http://kzayopoq.cn/rur/update.exe

http://kpizuyuw.cn/update.exe
http://kpizuyuw.cn/dj/update.exe
http://kpizuyuw.cn/stat1/update.exe
http://kpizuyuw.cn/stat2/update.exe
http://kpizuyuw.cn/2cv/update.exe
http://kpizuyuw.cn/de/update.exe
http://kpizuyuw.cn/s/update.exe
http://kpizuyuw.cn/rur/update.exe
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 14, 2009, 01:06:10 pm
Optional control panel (Liberty Exploit Toolkit)
Code:
http://kpizuyuw.cn/dj/admin.php
http://kzayopoq.cn/dj/admin.php
Title: Re: 195.88.191.46
Post by: SysAdMini on September 14, 2009, 01:14:03 pm
Quote
Optional control panel (Liberty Exploit Toolkit)
Code:
http://kpizuyuw.cn/dj/admin.php
http://kzayopoq.cn/dj/admin.php

user,pass works as well, and there are a lot of referers to check.
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 14, 2009, 01:16:13 pm
Seems to always be the same password.

For the URLs below, the update.exe at the root doesn't seem to work.
Title: Re: 195.88.191.46
Post by: SysAdMini on September 14, 2009, 01:43:59 pm

Code:
wpupadop.cn/stat2/
Referers:

Code:
xguxerob.cn (61.42 %) 1893 149 7.87 % (4.83 %)
kzayopoq.cn (18.69 %) 576 108 18.75 % (3.5 %)
lhamedep.cn (6 %) 185 37 20 % (1.2 %)
qmesanic.cn (4.83 %) 149 17 11.41 % (0.55 %)
fhijafif.cn (3.5 %) 108 20 18.52 % (0.65 %)
khumemit.cn (3.05 %) 94 9 9.57 % (0.29 %)
Unknown (1.3 %) 40 4 10 % (0.13 %)
fteqimop.cn (0.58 %) 18 1 5.56 % (0.03 %)
kvumurij.cn (0.58 %) 18 4 22.22 % (0.13 %)
adverter11.info (0.03 %)
Title: Re: 195.88.191.46
Post by: cleanmx on September 14, 2009, 01:44:25 pm
I will check these 612 domains...

Code:
http://007q-branch.com/
http://023led.com/
http://100watts.com/
http://174.36.148.230/
http://192.168.8.32/
http://195-88-191-46.ptrzonez.com/
http://1kinozal-tv.ru/
http://1sense.info/
http://202.143.164.43/
http://203.155.220.217/
http://203.158.224.6/
http://209.85.129.132/
http://33duraka.info/
http://33duraka.name/
http://5828178.com.tw/
http://61.7.145.106/
http://69indianmovies.com/
http://76.12.222.111/
http://943canyonroad.com/
http://988.com.my/
http://aaccord.com/
http://abass101.com/
http://abunayyanelectric.com/
http://accburo.ru/
http://aclagosstate.org/
http://adckits.com.my/
http://add-block-11.info/
http://admiraladmin.ie/
http://advanceshoppe.net/
http://adverter11.info/
http://agencjaprofit.eu/
http://aglama.net/
http://agrometal.com/
http://aklob.net/
http://alkhoei.org/
http://almdni.com/
http://amigosdatrilha.com.br/
http://and4568.narod.ru/
http://angelsanddemonsmovie.ru/
http://ankodiatraders.com/
http://antintl.com/
http://anubal-hc.ac.th/
http://area.obec.go.th/
http://arsplus.pt/
http://artnews.ucoz.ru/
http://asianschoolgirlblog.com/
http://asiantsblog.com/
http://asmash.ru/
http://ataturklisesi.k12.tr/
http://atco.ru/
http://auto-key.com/
http://auto-rubber.com/
http://autouver.com/
http://autozlom.net/
http://awarenes.narod.ru/
http://awfc.rtaf.mi.th/
http://ayranci.gov.tr/
http://ayutthaya.doae.go.th/
http://babki.do.am/
http://baby86.cn/
http://bangalorenewsnetwork.com/
http://bangkokdvd.com/
http://banhad.khonkaen.police.go.th/
http://barrasfc.com.br/
http://bestsoft.nxt.ru/
http://bet-bot.com/
http://bfnation.net/
http://bhindia.com/
http://bhinet.cz/
http://binarynetwork.com/
http://bizfin.com/
http://blogs.runningaventure.com/
http://bodin2.ac.th/
http://bposummit.com/
http://brains.edu.pk/
http://brasflower.com.br/
http://brother.co.th/
http://bsbteng.frih.org/
http://bum.ba/
http://cams.iporn.com/
http://carbon.tu2.ru/
http://caribbeantrading.com/
http://cascadasdechocolate.com/
http://catalog.snacorp.ru/
http://cazkafuq.cn/
http://cbss.ac.th/
http://cccima.com/
http://ccounter.net/
http://cdacm.bpi.ac.th/
http://cddweb.cdd.go.th/
http://celular2000.net/
http://cent.wm-elite.com/
http://ceskysoftball.cz/
http://checkdomain.vn/
http://chiangrai.ect.go.th/
http://chiaoteng.com/
http://chkchkchk.net/
http://cidecsrt.com/
http://clicknamjai.com/
http://clicregistro.com/
http://codocul.com/
http://coj.go.th/
http://commentblast.com/
http://comunadetortugas.com.ar/
http://coolio.com/
http://cotmes.org/
http://cpao.go.th/
http://cpram.co.th/
http://cpucalc.com/
http://crazyboy2008.com/
http://cuttingsarchive.org.uk/
http://cvsoftech.com/
http://cystersi.wagrowiec.pl/
http://daccordpropiedades.com.ar/
http://dailly.info/
http://danniiharwood.net/
http://dct.edu.vn/
http://defactoinfotech.com/
http://democracy2007.net/
http://deniky.unas.cz/
http://derekosbornebuilders.com/
http://detektorgold.cz/
http://digivoice.net/
http://dilekceler.com/
http://divohouse.ru/
http://download-adult-dvds.com/
http://dusithost.dusit.ac.th/
http://dzinehub.com/
http://easternthailand.com/
http://ecam-lekremlinbicetre.com/
http://e-cmgt.com/
http://ecomuse.go.kr/
http://edupac.cl/
http://egroo.by.ru/
http://ekonomik-kielce.edu.pl/
http://eladancaeudanco.com.br/
http://elearning-poppy.com/
http://embeded-adds-11.info/
http://e-muhasebe.org/
http://enforcementagent.net/
http://erschultz.com/
http://escolhaclaro.com.br/
http://estoeschile.com/
http://estoesespana.com/
http://estoesmexico.net/
http://ethertouch.com/
http://europafilmes.com.br/
http://ewha.an4u.com/
http://expedice.org/
http://feriaelvinoyelmar.com.ar/
http://fhijafif.cn/
http://financial.obec.go.th/
http://fincentrum.sk/
http://finesi.it/
http://fisheries.go.th/
http://fjellknausen.no/
http://fkdolnipoustevna.cz/
http://fnjnepal.org/
http://folux.hu/
http://forensic.police.go.th/
http://fortunepet.com/
http://forum.988.com.my/
http://forums.pslan.kiev.ua/
http://fossli.no/
http://fotodeals.com/
http://fp.tibiscus.ro/
http://francuskapeciva.com/
http://frantsuzik.com/
http://freescape.com/
http://freewebtown.com/
http://fse.tibiscus.ro/
http://fteqimop.cn/
http://fundacaocdlrecife.org.br/
http://fuskerbytes.com/
http://gabone.com/
http://galsangalvano.com/
http://gamebazaar.in/
http://gamemanagersport.es/
http://gaskachel.be/
http://gasmash.ru/
http://gcfun.com/
http://gentalgroup.com/
http://getcurrent.net/
http://getgoogleadsforfree.org/
http://gilgo.es/
http://global.pfadfinder-lammersdorf.de/
http://golbasims.k12.tr/
http://golhisar.meb.gov.tr/
http://google-analistyc.net/
http://google-analystics.com/
http://google.com/
http://gostilna-murka.com/
http://gottoloveit.com/
http://gratisweb.com/
http://greek-seaguide.com/
http://groesbeckhospital.com/
http://grvo.com/
http://gsm.com.ar/
http://gstc.com.kh/
http://gtelcom.com/
http://gulenminikkalpler.com/
http://guntha.com/
http://guthy-renker.com.cn/
http://gxjiasijy.com/
http://h288racing.nl/
http://hackfarmer.ucoz.ru/
http://haco-hamburg.de/
http://hallytrading.com/
http://hamzali.net/
http://hanbeot.org/
http://happylittlefox.com/
http://harajcom.com/
http://hawthornsuitestoledo.com/
http://hctopolcany.sk/
http://health.best-host.ru/
http://hilason.com/
http://hitori.do.am/
http://hits.checkdomain.vn/
http://hlmadeira.com/
http://hlngx.net.cn/
http://hnifuzof.cn/
http://homedrive.erio.ws/
http://home.planet.nl/
http://hostum.net/
http://hotpartychicks.net/
http://hottabibn.ucoz.ru/
http://hpline.az/
http://huameihg.cn/
http://hugejuggs.com/
http://hurleysweb.com/
http://iaesterussia.ru/
http://idelight.org/
http://image-n-design.com/
http://imagessite.net/
http://imagevinui.com/
http://indiamyplaywin.com/
http://industriaseuropeas.com/
http://inetra.spblink.ru/
http://inno.obec.go.th/
http://interastro.or.th/
http://internetjugend.pytalhost.eu/
http://introht.com/
http://invivo-crd.com/
http://irricm.net/
http://isotsa.com/
http://istanbulsanat.net/
http://itjukebox.com/
http://ivy.com.vn/
http://jacksonhudhomes.com/
http://jagbibiv.cn/
http://jjsure.com/
http://jkgarments.com/
http://jocuri.idir.ro/
http://joelesperanza.com/
http://jokepost.ru/
http://jp-vids.net/
http://jurakorea.co.kr/
http://juxingyanchu.com/
http://kalematallah.com/
http://kalibrasyononline.com/
http://kamery.pay.pl/
http://kampanlanna.com/
http://khamoosh.com/
http://khramtsova.h1.ru/
http://khumemit.cn/
http://kigi.meb.gov.tr/
http://killmax.ucoz.ua/
http://kino-plaza.com/
http://kocicka.com/
http://konakmakifersoy.k12.tr/
http://koshelechek.ucoz.ru/
http://kpizuyuw.cn/
http://kralkartal.com/
http://krasorbita.ru/
http://kri1.obec.go.th/
http://ktntv.net/
http://kumc.holston.org/
http://kurdistannet.org/
http://kutbak.sakhonnakhon.police.go.th/
http://kwangdocable.co.kr/
http://lacaceleb.hu/
http://laitbox.ru/
http://lakeeffekt.com/
http://latvianholiday.se/
http://lazyjcampground.com/
http://learningfamily.com.cn/
http://lebnews.com/
http://leopardprinter.com/
http://lexabogados.info/
http://lhamedep.cn/
http://lidoarcobalenocatania.it/
http://likeweblogs.com/
http://lindaskulturskule.no/
http://liv4ik.at.ua/
http://livelnternet.com/
http://livelnternet.net/
http://liveroom.tv/
http://lo67.free.fr/
http://losinkasgolfclub.com/
http://loveshackfancy.com/
http://lovinshoes.com/
http://loyal.by/
http://ltxfy.cn/
http://lurkersdelight.com/
http://magcomp.com/
http://mahedubai.com/
http://makmuh.trakya.edu.tr/
http://manoranjanindia.com/
http://marinersinternational.com/
http://mastersanitaryware.com/
http://matecmedicion.com.ar/
http://maths-a-domicile.com/
http://mattioli-bags.com/
http://mdseminarios.com/
http://meble-polikar.com/
http://media-click.ru/
http://meenjam-station.com/
http://melli.ir/
http://melody-europe.com/
http://memealhajeri.com/
http://mercedes-samara.ru/
http://mgts.lpru.ac.th/
http://mikesfamoushd.com/
http://mikon.my.alkar.net/
http://mindswork.net/
http://ming-key.com/
http://minilabworld.net/
http://minimalart.ru/
http://mistressmim.com/
http://miz.ru/
http://modernmusclecars.net/
http://moe.go.th/
http://mojklc.com/
http://moneytrudy.com/
http://monteblancohotel.com/
http://morticom.com/
http://mrbages.com/
http://mrspc.org/
http://mtheatrebangkok.com/
http://mtjxcl.cn/
http://muang.phayao.police.go.th/
http://mub.ru/
http://multiluces.com/
http://muntaser.com/
http://musicodedosmundos.com.ar/
http://muzhit.net/
http://mykingsizedick.com/
http://myshiur.net/
http://myvideo.com.tw/
http://nakhonnayok.net/
http://naplesgastro.com/
http://narathiwat.nfe.go.th/
http://nata.cad.pl/
http://natade.net/
http://nauticapuricelli.it/
http://nbi1.obec.go.th/
http://ndirekoc.cn/
http://neelindustries.com/
http://nelsonservizi.com.cu/
http://nextwebstudio.net/
http://niazmiaz.com/
http://nicbar.chat.ru/
http://niis.stekloholding.ru/
http://niksaze.com/
http://niksaze.info/
http://niksaze.net/
http://nma5.obec.go.th/
http://nma7.obec.go.th/
http://nongnakam.khonkaen.police.go.th/
http://nozomi.wz.cz/
http://nsw2.obec.go.th/
http://nvujinaw.cn/
http://o2timesquare.co.kr/
http://officialtobin.com/
http://offroadcup.it/
http://oggosoft.com/
http://ohrada.cz/
http://ojc.coj.go.th/
http://ok-eg.com/
http://okna-plast.org.ua/
http://okulweb.meb.gov.tr/
http://omerozkan.com.tr/
http://omidvar-brothers.com/
http://oneangryman.com/
http://online-kinofilm.ru/
http://onlinevideo.org.ua/
http://onlyhomeclips.com/
http://opfitalia.net/
http://orbitmasterbatches.com/
http://osteogenesis.info/
http://oticon.co.kr/
http://pae.co.th/
http://palat.infoo.ru/
http://palpapercupmachine.com/
http://paradox.com.mx/
http://paraslab.com/
http://pareztour.cz/
http://patrocinio.org.ar/
http://paverst.ru/
http://paytraff.biz/
http://pct1.obec.go.th/
http://peaco-op.com/
http://pelle.com.br/
http://phdmbu.com/
http://photoeye.co.kr/
http://phusang.phayao.police.go.th/
http://pivnoe-delo.com/
http://pkchlorochem.com/
http://plasticgranules.com/
http://pmkcentral.com/
http://pniei.penza.ru/
http://poeticpartners.com/
http://ponyexpres.cz/
http://poolbikemc.com/
http://pornoexpress.ru/
http://porno-videos.at.ua/
http://pornxxx4all.net/
http://postcatsavings.com/
http://potenza.cc/
http://ppk.ac.th/
http://president.lru.ac.th/
http://prikolnoe.tv/
http://princehotel-bkk.com/
http://promueble.com.mx/
http://pronetguvenlik.com.tr/
http://protizer.ru/
http://province.mots.go.th/
http://prywatne.pl/
http://qmesanic.cn/
http://qnet.co.th/
http://quantumelektronik.com/
http://quemquerserummilionario.uol.com.br/
http://rabbitscooters.com/
http://racha1.ac.th/
http://rainbowfilmsociety.com/
http://rakdeerakdee.com/
http://raku4.pamo.org.uk/
http://ramajudicial.org/
http://reinopatagonia.com/
http://rekpuck.com/
http://remdekor.ru/
http://residencialitapoa.com.br/
http://ret3.obec.go.th/
http://retireinpanama.info/
http://rhymerchemical.com/
http://roadstar.pl/
http://roadtomoney.nm.ru/
http://roces.sk/
http://rockhardpowerspray.com/
http://rolki.masa.waw.pl/
http://roomiespage.com/
http://rotoltank.nl/
http://rouming.net/
http://rsdekatrina.com/
http://rsu.ac.th/
http://rus-alco.ru/
http://russad.com/
http://rvcgnivc.ru/
http://s216099855.onlinehome.us/
http://s238620704.online.de/
http://sacramentoproperty-management.com/
http://saddozai.com/
http://safe-service.ru/
http://sahachannel.com/
http://saliwon.com/
http://sambist.ru/
http://samtech.ac.th/
http://sangath.com/
http://sanma.com.ar/
http://santacruznoticias.com.ar/
http://saraburi.ect.go.th/
http://sbw.ac.th/
http://sch19.smhoster.net/
http://school.obec.go.th/
http://scottontherocks.com/
http://scppark.com/
http://scronk.com/
http://sculptbeauty.com/
http://sdent.snu.ac.kr/
http://seafresh.com/
http://sebastianisraelit.com.ar/
http://sebnembal.com/
http://secureftp.fr/
http://semasinternational.com/
http://semena.net/
http://send29931.cn/
http://servicedesk.delta.hu/
http://sesawech.ac.th/
http://set-test.org/
http://sezma.com/
http://shinawatradio.com/
http://shock.if.ua/
http://showmakers.com.sg/
http://shrisudarshanjimaharaj.org/
http://siamfootball.com/
http://siammed.com/
http://siamwebdesign.com/
http://siamweddings.com/
http://siamzab.com/
http://sibcom.ru/
http://sibir-90.ru/
http://sickideas.com/
http://siemensinfo.pl/
http://simplewebsitedesign.co.uk/
http://sims2.04gd.com/
http://sinchewalarm.com/
http://skj.co.th/
http://skunk14.narod.ru/
http://slubne.net.pl/
http://smilson.com/
http://s-mont.cz/
http://sm-plus.kz/
http://softball-in-nrw.de/
http://softwareprojects.in/
http://solarjobsinfo.com/
http://soneribank.com/
http://songs.njom.net/
http://sotwct.org/
http://soustami.edu.sk/
http://southfp.com/
http://sozialteam.de/
http://sp2.isanok.pl/
http://spivakov.ru/
http://srisun.com/
http://sro-smileyz.extra.hu/
http://standox.sk/
http://st-andrews.ac.th/
http://statisticslebanonltd.com/
http://stavryxa.ru/
http://stms.co.th/
http://ststhailand.com/
http://studio-fourus.ru/
http://sunnasys.com/
http://supercrooo.cz/
http://superfil.com.mx/
http://support.clean-mx.de/
http://supreme.rubinplus.net/
http://svefipuj.cn/
http://syukadig.cn/
http://takikulubu.com/
http://tamlinh.net/
http://tanzania.go.tz/
http://team2000vicenza.com/
http://telebos.com/
http://telephone-discount.com/
http://tempfa.com/
http://texdp.cn/
http://thaboschool.com/
http://thailanddogs.com/
http://thcmtm.org/
http://thenetsolinc.com/
http://tindra.erio.ws/
http://tip.ogu.edu.tr/
http://tomatoe.net/
http://trivias.com/
http://trvozgul.com/
http://tudungtoday.com/
http://tundrafilm.com/
http://turanioo.k12.tr/
http://turgutlurotaryio.k12.tr/
http://turzovka.fara.sk/
http://tv-zebra.net/
http://twelfth-ads.info/
http://uboyney.net/
http://udn1.obec.go.th/
http://udn2.obec.go.th/
http://umbeijoroubado.com.br/
http://umspcl.com/
http://users.otenet.gr/
http://utt2.obec.go.th/
http://uzaktanegitim.netcad.com.tr/
http://vakassociates.in/
http://valeo-marketing.com/
http://valuemag.net/
http://valuepartners.com.br/
http://vardhmandevelopers.com/
http://vdvbux.ru/
http://videoklipy-zdarma.net/
http://video.se.am/
http://vininternational.com/
http://vitay.org.ua/
http://vivana.ru/
http://vivaris.biz/
http://vms-mail.ru/
http://vsefoyou.ucoz.ru/
http://vtuyocew.cn/
http://vzrosloe.tv/
http://wannabrowser.com/
http://wawoo-temple.org/
http://webmail.prevx.com/
http://web-sniffer.net/
http://weddingkn.com/
http://welfarestate.net/
http://wm56.inbox.com/
http://xceleratedmarketing.com/
http://xsport-samara.ru/
http://yjnnz.com/
http://yoku.cn/
http://yth.com/
http://zespol_szkol_nr3.republika.pl/
http://zhuweipaper.com/
http://zip.webhost.ru/
http://zschgrob.edu.sk/
http://zsjanapavla.sk/
http://zsmu.info/
http://zsmu.zp.ua/
http://zsohajnowka.pl/
http://zsvrutky.edu.sk/
http://zwyagel.com.ua/

All are already in the database...
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 14, 2009, 10:51:03 pm
Attached Wepawet results
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 15, 2009, 08:58:34 am
Exploits
Code:
ccikudor.cn/rur/
ccikudor.cn/rur/formLooksLooks.pdf
ccikudor.cn/dj/
ccikudor.cn/dj/formLeapFive.pdf
ccikudor.cn/dj/alwaysSome.swf

Code:
ccikudor.cn/stat1/
ccikudor.cn/stat1/overEverIsnt.pdf
ccikudor.cn/stat1/anComes.swf
http://wepawet.iseclab.org/view.php?hash=064ed75e2b7d4cb49bad933b1c550788&t=1253002410&type=js

Code:
ccikudor.cn/2cv/
ccikudor.cn/2cv/dontLayoutDont.pdf
ccikudor.cn/2cv/wordA.swf
http://wepawet.iseclab.org/view.php?hash=b407f0d5c99fb06bcd4b720aa147ef70&t=1253002421&type=js

Trojan
Code:
ccikudor.cn/rur/update.php
ccikudor.cn/rur/update.exe
ccikudor.cn/dj/update.php
ccikudor.cn/dj/update.exe
ccikudor.cn/stat1/update.php
ccikudor.cn/stat1/update.exe
ccikudor.cn/2cv/update.php
ccikudor.cn/2cv/update.exe

http://www.virustotal.com/analisis/9e8a441e174952f5656cdafa82c0113dd4346e0bc603d0569371314437e452aa-1253000065
http://www.virustotal.com/analisis/55102fcfbbe66b433ad481c3101ab83133e09f4c1dde6766d02dec788bf6b80d-1252737290
http://www.virustotal.com/analisis/1eac464c1a6b1b0aad0189894787ebaf2d60bd90fdaf497dc02d5459e1ebc903-1252951484
http://www.virustotal.com/analisis/c50546386b7bd52a1391a297c74e2fd4495245dd8e74bc71d2555cd5bd95b3f9-1252951511
http://www.virustotal.com/analisis/9e8a441e174952f5656cdafa82c0113dd4346e0bc603d0569371314437e452aa-1253000065
http://www.virustotal.com/analisis/55102fcfbbe66b433ad481c3101ab83133e09f4c1dde6766d02dec788bf6b80d-1252737290

http://www.threatexpert.com/report.aspx?md5=45cfd654ceedfeb15210c69d50fca924
http://www.threatexpert.com/report.aspx?md5=f2c18d0f01a08b4af70cd302ca2c3e9a

Control Panel
Code:
ccikudor.cn/rur/admin.php
ccikudor.cn/dj/admin.php
ccikudor.cn/stat1/admin.php
ccikudor.cn/2cv/admin.php
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 15, 2009, 09:48:30 am
Same URLs for
Code:
mvamelov.cn
Title: Re: 195.88.191.46
Post by: SysAdMini on September 15, 2009, 12:27:55 pm
Code:
ccikudor.cn/qweqwe/
ccikudor.cn/qweqwe/theirYearsBook.pdf
ccikudor.cn/qweqwe/byEtExact.swf
ccikudor.cn/qweqwe/update.php?id=5
ccikudor.cn/qweqwe/admin.php
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 18, 2009, 04:46:33 am
Exploits / Trojan Tedroo:

Code:
rxumohas.cn/qweqwe/
rxumohas.cn/qweqwe/theirYearsBook.pdf
rxumohas.cn/qweqwe/byEtExact.swf
rxumohas.cn/qweqwe/update.php
rxumohas.cn/qweqwe/update.exe
rxumohas.cn/qweqwe/admin.php
http://wepawet.iseclab.org/view.php?hash=50ed99b8cc37673039b35de571c4a13a&t=1253222498&type=js
http://www.virustotal.com/analisis/9fa4d122bbbca5e89c905eb983eec63483e45c2149186bdf004ea5d6a6ed3a1e-1253172052

Code:
kpaxikey.cn/qweqwe/update.php
kpaxikey.cn/qweqwe/update.exe
kpaxikey.cn/qweqwe/admin.php
http://wepawet.iseclab.org/view.php?hash=920549173315af67077d05ac7e567873&t=1253223700&type=js
http://www.virustotal.com/analisis/9fa4d122bbbca5e89c905eb983eec63483e45c2149186bdf004ea5d6a6ed3a1e-1253172052

Code:
mvamelov.cn/qweqwe/update.php
mvamelov.cn/qweqwe/update.exe
mvamelov.cn/qweqwe/admin.php
http://wepawet.iseclab.org/view.php?hash=43508f58a4d5b407d00a205b4feee6e6&t=1253249159&type=js
http://www.virustotal.com/analisis/9fa4d122bbbca5e89c905eb983eec63483e45c2149186bdf004ea5d6a6ed3a1e-1253172052
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 25, 2009, 03:16:45 am
Iframe to exploits
Code:
bliyonoc.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
nlequcic.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
Code:
<html><frameset rows="100%"><frame src="hxxp://kpaxikey cn/fr/news.php"></frameset></html>
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on September 25, 2009, 03:28:38 am
Others on this IP:
Code:
kpizuyuw.cn
kzayopoq.cn
vciqupoj.cn
sexygallets.com
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on October 10, 2009, 01:59:08 pm
Iframe to exploits
Code:
vsefurug.cn/s/in.cgi?13
hsovolih.cn/s/in.cgi?13
wrorupex.cn/s/in.cgi?13
fzegarox.cn/s/in.cgi?13
hyedafox.cn/s/in.cgi?13
xleyaguh.cn/s/in.cgi?13
sdifasip.cn/s/in.cgi?13

http://wepawet.iseclab.org/view.php?hash=de630fda00c63f16ce78109b52abbc7d&t=1255739365&type=js

Quote
<html><frameset rows="100%"><frame src="hxxp://jrizoxom.cn/a100/news.php"></frameset></html>
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on October 19, 2009, 08:04:03 am
Fragus exploit pack:

Code:
retuskf.cn/a100/news.php
nuzogbf.cn/a100/news.php
zivuzjp.cn/a100/news.php
http://wepawet.iseclab.org/view.php?hash=4d2361ac24e14aaaf210f15076a7873c&t=1255935261&type=js
http://wepawet.iseclab.org/view.php?hash=66a2634fa2f91157a449ada8169dfe84&t=1255935272&type=js
http://wepawet.iseclab.org/view.php?hash=0632cba1cbaeb137acbaf42a86aed4f5&t=1255935283&type=js

Redirects to exploits:
Code:
ns1.qiyidgab.com/s/in.cgi?13
http://wepawet.iseclab.org/view.php?hash=ad0a27b98f25c42405575106c956204c&t=1255935105&type=js
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on October 22, 2009, 06:32:13 pm
This IP continues to evolve

Fragus Exploit Pack:
Code:
suqiwyk.cn/a11/news.php
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on November 06, 2009, 09:57:26 am
Code:
tutablb.cn/ege/
diyasmw.cn/a12/news.php
falokmp.cn/a12/news.php
yufezzc.cn/1/news.php
yufezzc.cn/a12/news.php
Title: Re: 195.88.191.46
Post by: Malware-Web-Threats on November 06, 2009, 01:59:22 pm
Trojan Tedroo

Code:
195.88.191.46/2.exe
http://www.virustotal.com/analisis/e34a1ecbebd6f92c817c425434f2ace566ddeb03630ec702cb4cf8fa5413aecd-1257515842 - 11/40 (27.5%)
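Across the thread the same shape repeats: an in.cgi redirector, a kit directory with a landing page (or Fragus news.php), a .pdf/.swf exploit file, then update.php/update.exe, with admin.php as the panel, and twice a full-page frameset pointing at the landing page. The following is an added example, not code from the thread, Wepawet or any vendor: it classifies URLs into those stages and reports only clients whose requests complete the chain in time order, so a lone directory fetch or PDF download is not reported. The proxy-log format ("<unix_ts> <client_ip> <method> <url>"), the client addresses and the example.org lines are constructed; the assumption that a kit directory is a single path component (like /2cv/ or /stat1/) is mine.

```python
"""Exploit-chain detector for the URL shapes posted in this thread (added example;
not code from the thread, Wepawet or any vendor).  Stage patterns are taken from
the posts above; the proxy-log format and client addresses are constructed.

  redirector  /s/in.cgi?<n>[&ab_iframe=..&antibot_hash=..]   (TDS, first hop)
  landing     /<dir>/  or  /<dir>/news.php                    (kit landing page / Fragus)
  exploit     /<dir>/<name>.pdf | .swf                        (PDF / Flash exploit files)
  payload     /<dir>/update.php[?id=N] | /<dir>/update.exe | /update.exe
  panel       /<dir>/admin.php                                (kit control panel)

Assumption (mine): a kit directory is a single path component, e.g. /2cv/ or /stat1/.
Log lines: "<unix_ts> <client_ip> <method> <url>" (constructed, simplified proxy format).
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

_DIR = r"/[A-Za-z0-9_]+"
STAGE_PATTERNS = [  # (stage, path regex, query regex or None); first match wins
    ("redirector", re.compile(r"^/s/in\.cgi$"), re.compile(r"^\d+(?:&|$)")),
    ("landing", re.compile(rf"^{_DIR}/(?:news\.php)?$"), None),
    ("exploit", re.compile(rf"^{_DIR}/[A-Za-z0-9_]+\.(?:pdf|swf)$"), None),
    ("payload", re.compile(rf"^(?:{_DIR})?/update\.(?:php|exe)$"), None),
    ("panel", re.compile(rf"^{_DIR}/admin\.php$"), None),
]
# A full-page frameset like the two quoted in the thread; captures the framed URL.
_FRAMESET = re.compile(r'<frameset\s+rows="100%"\s*>\s*<frame\s+src="([^"]+)"', re.I)


def classify(url):
    """Stage name for url, or None when no pattern matches."""
    p = urlsplit(url)
    for stage, path_re, query_re in STAGE_PATTERNS:
        if path_re.match(p.path) and (query_re is None or query_re.match(p.query)):
            return stage
    return None


def has_chain(stages):
    """True when stages (time-ordered) contain redirector|landing, then exploit, then payload."""
    need = [{"redirector", "landing"}, {"exploit"}, {"payload"}]
    i = 0
    for s in stages:
        if i < len(need) and s in need[i]:
            i += 1
    return i == len(need)


def find_chains(lines):
    """Per client: time-ordered (ts, stage, url) for clients whose requests complete the chain.
    A lone landing or .pdf hit is not reported; the sequence is what carries the signal."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, _method, url = line.split(None, 3)
        stage = classify(url)
        if stage is not None:
            per_client[client].append((int(ts), stage, url))
    return {c: sorted(evs) for c, evs in per_client.items()
            if has_chain(s for _, s, _ in sorted(evs))}


def frameset_target(html):
    """Framed URL from an injected <frameset rows="100%"> page, or None."""
    m = _FRAMESET.search(html)
    return m.group(1) if m else None


# Constructed sample log: one full chain (10.0.0.5) through the 2cv directory listed above,
# a benign client that happens to fetch a directory and a PDF (10.0.0.7), and a client that
# hit a Fragus news.php and update.exe but no exploit file (10.0.0.9).
SAMPLE_LOG = """\
1252246160 10.0.0.5 GET http://kvumurij.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
1252246161 10.0.0.5 GET http://kvumurij.cn/2cv/
1252246162 10.0.0.5 GET http://kvumurij.cn/2cv/dontLayoutDont.pdf
1252246163 10.0.0.5 GET http://kvumurij.cn/2cv/wordA.swf
1252246165 10.0.0.5 GET http://kvumurij.cn/2cv/update.php?id=5
1252246166 10.0.0.5 GET http://kvumurij.cn/2cv/update.exe
1252246170 10.0.0.7 GET http://example.org/images/
1252246171 10.0.0.7 GET http://example.org/docs/report.pdf
1252246180 10.0.0.9 GET http://retuskf.cn/a100/news.php
1252246181 10.0.0.9 GET http://retuskf.cn/a100/update.exe
""".splitlines()

if __name__ == "__main__":
    for client, evs in find_chains(SAMPLE_LOG).items():
        print(client, " -> ".join(f"{stage}:{urlsplit(url).path}" for _, stage, url in evs))
    print(frameset_target('<html><frameset rows="100%"><frame src="hxxp://jrizoxom.cn/a100/news.php"></frameset></html>'))
```

The landing and exploit patterns on their own would match plenty of legitimate traffic (any one-level directory, any PDF in one), which is why find_chains only reports a client once a redirector or landing, an exploit file and a payload fetch appear in that order; the 10.0.0.9 case shows the limit of that choice, a Fragus news.php followed straight by update.exe is left unreported because no .pdf/.swf was seen, so for that kit a looser rule (landing then payload) may be preferred.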