Author Topic: 52xmm.cn,www.dieee.cn and more...  (Read 4030 times)


November 19, 2007, 12:41:49 am

sowhat-x (Guest)
Quote
hxxp://www.52xmm.cn/storm.gif

...and thanks to Malzilla's 'Decode UCS2' feature...
Quote
hxxp://www.52xmm.cn/mm/jxj.css
-> Pseudo-extension, packed with latest RLPack v1.19...
MD5 - AA2C2DA56FC31E5E29B40298CBA12BC8

==========================

Two different links for this "svcos.exe" backdoor...
MD5 - D422A36E4BDD425953B1DF70C3F3AFCE
Quote
hxxp://www.dieee.cn/eoo/svcos.exe
Quote
hxxp://www.uilxs.cn/too/svcos.exe

==========================

And one more "svcos.exe" guy here...
Quote
hxxp://204.13.65.137/hei/svcos.exe
This one though is packed with FishPE v1.16,
glad that I had fingerprinted this one back in summer... 8)
Few more exploits here as well...
he's added tons of zeros in the javascript code in order to make it non-readable...
and well, he convinced me... I got bored of manually doing so... :D
Quote
hxxp://204.13.65.137/hei/
hxxp://204.13.65.137/hei/xpbd.htm
hxxp://204.13.65.137/hei/xp07.htm
hxxp://204.13.65.137/hei/xp07004.htm
hxxp://204.13.65.137/hei/xpcx.htm
hxxp://204.13.65.137/hei/vvv.htm
hxxp://204.13.65.137/hei/xp017.htm
hxxp://204.13.65.137/hei/Audio.htm
hxxp://204.13.65.137/hei/ah.c -> pseudoextension / .ani xploit

==========================

VML, XMLHTTP exploits and what else in this one,
you might find more stuff here if you search more...

==========================

Quote
hxxp://xxx.mmma.biz/get.exe
hxxp://xxx.mmma.biz/big1.exe
hxxp://xxx.mmma.biz/big.exe

I kept this one as the last one for tonight for a reason...
this thing loads a driver named "pcihdd.sys",
googled a bit about it, and came across this thread...
http://www.wilderssecurity.com/showthread.php?p=1119935
In short, they claim that it can even bypass software like DeepFreeze...

November 19, 2007, 03:28:53 pm
Reply #1

JohnC

These will be added soon, thanks.