Malware Domain List

Malware Related => Malicious Domains => Zlkon.lv => Topic started by: CkreM on March 29, 2009, 02:35:11 pm

Title: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: CkreM on March 29, 2009, 02:35:11 pm

AV Fraud,all on the same IP: 94.247.2.215

Code: [Select]

http://downloadantivirusplus.com/setup.exe
http://av-plus-support.com/registration.html
http://Bestinternetexamine.com
http://safeyouthnet.com
http://theantivirusplus.com/setup.exe
http://downloadantivirusplus.com/setup.exe
http://linkcanpro.com
http://yournetascertain.com
http://websmartcheck.com
http://websportscheck.com
http://websecurecheck.com
http://internethomecheck.com
http://easywebscanlive.com
http://yourwebscanlive.com
http://linkcanlive.com
http://myinternetexamine.com
http://yourinternetexamine.com
http://easywebexamine.com
http://bestwebexamine.com
http://yourwebexamine.com
http://easynetcheckonline.com
http://bestnetcheckonline.com
http://yournetcheckonline.com

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: SysAdMini on March 29, 2009, 04:05:49 pm

Code: [Select]

myantivirusplus.com

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: SysAdMini on April 03, 2009, 06:31:48 pm

Code: [Select]

hxxp://yourguardpro.cn/installer_90001.exe
http://www.virustotal.com/analisis/0ca99080d7252f55aac81c78f032ee5f
http://www.threatexpert.com/report.aspx?md5=23cb553ce604959f3d39575813d8d48b

Code: [Select]

easyaddedantivirus.com/setup.exehttp://www.virustotal.com/analisis/6c71656d9fd1682e3a34704e403a06e4

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: SysAdMini on April 03, 2009, 07:33:58 pm

Quote from: CkreM on March 29, 2009, 02:35:11 pm

AV Fraud,all on the same IP: 94.247.2.215

Code: [Select]

http://downloadantivirusplus.com/setup.exe
http://av-plus-support.com/registration.html
http://Bestinternetexamine.com
http://safeyouthnet.com
http://theantivirusplus.com/setup.exe
http://downloadantivirusplus.com/setup.exe
http://linkcanpro.com
http://yournetascertain.com
http://websmartcheck.com
http://websportscheck.com
http://websecurecheck.com
http://internethomecheck.com
http://easywebscanlive.com
http://yourwebscanlive.com
http://linkcanlive.com
http://myinternetexamine.com
http://yourinternetexamine.com
http://easywebexamine.com
http://bestwebexamine.com
http://yourwebexamine.com
http://easynetcheckonline.com
http://bestnetcheckonline.com
http://yournetcheckonline.com

All dead.

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: MysteryFCM on April 03, 2009, 10:31:18 pm

Got 156 :)

http://hosts-file.net/pest.asp?show=94.247.2.

Another 159 at;

http://hosts-file.net/pest.asp?show=94.247.3.

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: SysAdMini on April 05, 2009, 02:51:07 pm

Code: [Select]

easypersonalprotection.cn
freedefenseforyou.cn
mycheckdiseasepro.cn
mycheckdiseasestore.cn
mydefense4u.cn
mydefense4you.cn
myguardforyou.cn
newguard4u.cn
newguard4you.cn
refugepro.cn
yourguard4you.cn
yourguardforyou.cn
yourguardonline.cn
yourguardpro.cn

easyincomeprotection.cn/installer_90001.exe
easyaddedantivirus.com/setup.exe
yourcountedantivirus.com/setup.exe


Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: SysAdMini on April 08, 2009, 12:56:49 pm

more Fake AV

Code: [Select]

addedantiviruslive.com/redirect.php
addedantiviruslive.com/se.exe
addedantiviruslive.com/setup.exe
addedantiviruslive.com/install/AntivirusPlus.exe
addedantiviruslive.com/install/InternetExplorer.dll
bigprotectionlive.cn/installer.exe
easybestprotection.cn/installer.exe

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: GmG on April 09, 2009, 12:03:23 pm

Code: [Select]

http://myascertainpoison.cn/?wm=70101
http://myascertainpoison.cn/installer_70101.exe


Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: SysAdMini on April 11, 2009, 12:02:43 pm

redirects to Fake AV

Code: [Select]

examineillnesslive.cnFake AV

Code: [Select]

easycheckpoisonpro.cn/?
easydefenseonline.cn
bigdefense2u.cn

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: Malware-Web-Threats on April 12, 2009, 12:58:37 am

FakeAV AntivirusPlus

Code: [Select]

hxxp://addedantivirusstore.com/setup.exe
hxxp://addedantivirusstore.com/se.exe
hxxp://myplusantiviruspro.com/setup.exe
hxxp://myplusantiviruspro.com/se.exe
hxxp://realantivirusplus.com/setup.exe
hxxp://realantivirusplus.com/se.exe
hxxp://yourguardstore.cn/setup.exe
hxxp://yourguardstore.cn/se.exe

setup.exe - VirusTotal: AntivirusPlus (http://www.virustotal.com/analisis/7a726f6eb665087162971d7faf018b16) 23/40 (57.5%)
se.exe - VirusTotal (http://www.virustotal.com/analisis/2621822335bdf23a472b8be841960500) 23/40 (57.5%)
se.exe - Anubis (http://anubis.iseclab.org/?action=result&task_id=154d334d0d3373814e10834fafcf8014d&format=html)

Second download - setup.exe Anubis (http://anubis.iseclab.org/?action=result&task_id=1ab5ebaf09071a1d4a9f122bba634df1d&format=html)

Code: [Select]

hxxp://addedantiviruslive.com/install/AntivirusPlus_ba.exe
hxxp://addedantivirusstore.com/install/AntivirusPlus_ba.exe
hxxp://myplusantiviruspro.com/install/AntivirusPlus_ba.exe
hxxp://realantivirusplus.com/install/AntivirusPlus_ba.exe
hxxp://yourguardstore.cn/AntivirusPlus_ba.exe

AntivirusPlus_ba.exe VirusTotal: AntivirusPlus (http://www.virustotal.com/analisis/23d64e1143b35a5a744df952f91948ad) 20/40 (50%) - Anubis (http://anubis.iseclab.org/?action=result&task_id=1dfee4c0f0e7e555401de2acaf4b8d8d2)

Fake Error Page (redirect to hxxp://addedantiviruslive.com/buy.php?id=)

Code: [Select]

hxxp://myplusantiviruslive.com


Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: MysteryFCM on April 12, 2009, 01:58:03 am

Redirs if you've got Javascript enabled, from nickad.selfip.com (IP: 82.197.130.134) to;

http://yourfriskviruspro.cn/?wm=70127&l=1
IP: 94.247.2.215

Which downloads;

http://yourfriskviruspro.cn/installer_70127.exe

SWF (not checked it yet) at;

yourfriskviruspro.cn/6/images/errsnd.swf

/edit

Wepawet analysis of the SWF;

http://wepawet.cs.ucsb.edu/view.php?hash=4db493ad19020803168e4cd15c30dd23&type=swf

/edit 2

Results for the original wm= URL;

http://wepawet.cs.ucsb.edu/view.php?hash=16b84598f9b75c0657dbf4cd5a564aa5&t=1239501884&type=js

/edit 3

NOD detected the installer as Win32/Statik when I tried downloading it ..... gonna get a smoke and coffee and snag it with NOD disabled so I can VT it.

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: Malware-Web-Threats on April 13, 2009, 05:13:22 am

Trojan downloader for AntivirusPlus

Code: [Select]

hxxp://bigcoverlive.cn/installer_1.exe
VirusTotal: Trojan FakePlus (http://www.virustotal.com/analisis/cc3901199c4a4591c0b9b3fc0ab7abfd) 20/39 (51.29%)

htaccess trick?

Code: [Select]

hxxp://bigcoverlive.cn/what_ever_you_want.exe
hxxp://bigcoverlive.cn/what/ever/you/want.exe

Anubis Analysis (http://anubis.iseclab.org/?action=result&task_id=1647d9941c79d37d4992c05a575bbfa0b&format=html) - installer_1.exe

From ANUBIS:1032 to 94.247.2.215:80 - [addedantiviruslive.com] 
Request: GET /cb/real.php?id= 
Response: 200 "OK" 
Request: GET /install/AntivirusPlus.exe 
Response: 200 "OK" 
Request: GET /cfg/dmns.cfg 
Response: 200 "OK" 
Request: GET /install/InternetExplorer.dll 
Response: 200 "OK" 

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: Mr Clean on April 13, 2009, 03:21:22 pm

Code: [Select]

http://bestfriskviruslive.cn/installer_90001.exe

$ dig bestfriskviruslive.cn +short
94.247.2.215

http://www.virustotal.com/analisis/8a32a4491b9f853e0ccdba6d3fb665e7  10/39


http://www.bfk.de/bfk_dnslogger.html?query=94.247.2.215#result

Code: [Select]

ns1.pubilcnameserver7.com A 94.247.2.215
addedantiviruslive.com A 94.247.2.215
searchrizotto.com A 94.247.2.215
easyaddedantivirus.com A 94.247.2.215
yourcountedantivirus.com A 94.247.2.215
av-plus-support.com A 94.247.2.215
yourguardonline.cn A 94.247.2.215
easydefenseonline.cn A 94.247.2.215
bestprotectiononline.cn A 94.247.2.215
yourguardstore.cn A 94.247.2.215
examinepoisonstore.cn A 94.247.2.215
freecoverstore.cn A 94.247.2.215
myexaminevirusstore.cn A 94.247.2.215
bestexaminedisease.cn A 94.247.2.215
yourfriskdisease.cn A 94.247.2.215
friskdiseaselive.cn A 94.247.2.215
bestdefenselive.cn A 94.247.2.215
bigprotectionlive.cn A 94.247.2.215
bigcoverlive.cn A 94.247.2.215
easyserviceprotection.cn A 94.247.2.215
easypersonalprotection.cn A 94.247.2.215
myascertainpoison.cn A 94.247.2.215
yourguardpro.cn A 94.247.2.215
refugepro.cn A 94.247.2.215
mycheckdiseasepro.cn A 94.247.2.215
yourcheckpoisonpro.cn A 94.247.2.215
bigdefense2u.cn A 94.247.2.215
newguard4u.cn A 94.247.2.215
mydefense4u.cn A 94.247.2.215
bestcover4u.cn A 94.247.2.215
freedefenseforyou.cn A 94.247.2.215
topfeed.biz A 94.247.2.215


http://www.threatexpert.com/report.aspx?md5=d3d76dd609947235df31c92881ada188

Code: [Select]

* The data identified by the following URLs was then requested from the remote web server:
http://addedantiviruspro.com/cb/real.php?id=1
http://addedantiviruspro.com/cb/installs.php?id=1

recommend adding ->    addedantiviruspro.com

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: Malware-Web-Threats on April 13, 2009, 10:17:06 pm

Code: [Select]

hxxp://addedantiviruspro.com/setup.exe
hxxp://addedantiviruspro.com/se.exe

VirusTotal: Fake Antivirus (http://www.virustotal.com/analisis/ac58c815891350e2e50f518d03e7cfd7) 12/40 (30%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/b146c40b9f0562d3a379003d1c06d40e) 10/40 (25%)

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: Malware-Web-Threats on April 13, 2009, 10:24:39 pm

Following the Anubis report for setup.exe on addedantiviruspro.com

second download:

Code: [Select]

hxxp://addedantiviruspro.com/install/AntivirusPlus_ba.exe

Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1ec8914096551661461fcf287e04b5bea&format=html)

VirusTotal: Fake Antivirus (http://www.virustotal.com/analisis/e669653da98289d783be3b2a08d28f23) 5/40 (12.83%)

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: SysAdMini on April 15, 2009, 07:22:54 am

Fake AV

Code: [Select]

ascertaindiseasepro.cn/?wm=70100
ascertaindiseasepro.cn/installer_70100.exehttp://www.virustotal.com/analisis/6a7fa1578f1a8374220f0366f10a98e7 19/40

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: Malware-Web-Threats on April 24, 2009, 08:18:28 pm

Fake error page:

Code: [Select]

hxxp://countedantiviruspro.com

Trojan Fake AV:

Code: [Select]

hxxp://addedantivirusonline.com/setup.exe
hxxp://addedantivirusonline.com/se.exe (InternetAntivirusPro.exe)
hxxp://addedantivirusonline.com/install/AntivirusPlus_ba.exe
hxxp://addedantivirusonline.com/install/AntivirusPlus.exe

VirusTotal: Trojan (http://www.virustotal.com/analisis/4aa9714b2f4cd65af1ef500d136ed8dd) - 10/40 (25%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/6e94da28642b093fb2556c72a1770f3a) - 18/40 (45%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/f1c5d61afd874494cf444a342fed85dd) - 10/40 (25%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/afddaa010aa624373414bfd1f2568f37) - 9/40 (22.5%)

Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1ffc496d7deda2b84a90117d519a3ed4a)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=143d2e070216782b4e911a69c86a9c3a1&call=first)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=17e1c873ad84f53a45d57b1a2c141bdb7)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1c5d82b8a1d838324d5f8a4dc19e65719)

Anubis Report for se.exe (InternetAntivirusPro.exe)

Quote

From ANUBIS:1037 to 94.247.2.216:80 - [searchopt7.com] 
Request: GET /cmd.php 
Response: 200 "OK" 

Anubis Report for AntivirusPlus.exe

Quote

TCP Connection Attempts:   
from ANUBIS:1740 to 220.175.36.102:139 

TCP Scans:   
50 IPs on Port 445
220.175.0.0/16

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: Malware-Web-Threats on April 26, 2009, 02:31:44 am

Fake error page:

Code: [Select]

hxxp://bestcountedantivirus.com

Title: Re: hs.2-215.zlkon.lv -(94.247.2.215)
Post by: CkreM on April 27, 2009, 03:32:18 am

fake AV:

Code: [Select]

freecoveronline.cn
freedefense2u.cn
and the fake payment site:
https://secure-plus-payments.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus3&advert=1