Mr Clean's dirt

[Mr Clean]

lot's of familiar family members
http://www.bfk.de/bfk_dnslogger.html?query=209.44.126.14

BFK must be out of date - most of those seem to be failing to resolve atm;

http://hosts-file.net/misc/hpObserver_-_209.44.126.14.html

[arnold voice]
they'll be back
[/arnold voice]

[MysteryFCM]

hehe no doubt

[Mr Clean]

Code: [Select]

http://w1.iioo4567.com/01/e1.exe

$ dig w1.iioo4567.com +short
121.12.169.219

hmmmmmm...   siblings?
http://www.bfk.de/bfk_dnslogger.html?query=121.12.169.219

yup!
http://www.malwaredomainlist.com/mdl.php?search=121.12.169&colsearch=All&quantity=50

http://www.virustotal.com/analisis/90d37a91afd8a026b22de631f92fcbbd 23/40
http://anubis.iseclab.org/?action=result&task_id=1a89a3bb88444d3d4b5243a8d2f37bd8e

[Mr Clean]

Code: [Select]

http://sendspace-us.com/surprise.exe

$ dig sendspace-us.com +short
196.2.198.241

http://virscan.org/report/65f54287fe50f4dec91a8e88986caa44.html   6/37
http://anubis.iseclab.org/?action=result&task_id=19856b42401d5af445d48e65c3a14f597

http://www.malwaredomainlist.com/mdl.php?search=196.2.198.241&colsearch=All&quantity=50

http://wepawet.iseclab.org/view.php?hash=8b4f9374e903acb4919b2e79babed892&t=1239213842&type=js


From above iseclab.org link

Code: [Select]

http://sendsurprise.com/load.php

$ dig sendsurprise.com +short
196.2.198.241

http://www.bfk.de/bfk_dnslogger.html?query=196.2.198.241#result
http://www.malwaredomainlist.com/mdl.php?search=196.2.198.241&colsearch=All&quantity=50

[Mr Clean]

Code: [Select]

http://xz1.177bt.com/qvod.exe

http://www.virustotal.com/analisis/9541efbef70b238de0cb7f511b96f62c 28/39

[Mr Clean]

Code: [Select]

$ curl http://g.uye123.com/01/fz.txt
1:http://u8.wgcn8.com/sb/ok.exe
1:http://u1.wgcn8.com/la/L1.exe
1:http://u1.wgcn8.com/la/L2.exe
1:http://u1.wgcn8.com/la/L4.exe
1:http://u1.wgcn8.com/la/L7.exe
1:http://u1.wgcn8.com/la/L6.exe
1:http://u3.wgcn8.com/lm/S8.exe
1:http://u3.wgcn8.com/lm/S1.exe
1:http://u3.wgcn8.com/lm/S10.exe
1:http://u3.wgcn8.com/lm/S2.exe
1:http://u3.wgcn8.com/lm/S12.exe
1:http://u3.wgcn8.com/lm/S14.exe
1:http://u3.wgcn8.com/lm/S15.exe
1:http://u3.wgcn8.com/lm/S16.exe
1:http://u3.wgcn8.com/lm/S11.exe
1:http://u7.wgcn8.com/cj/a1.exe
1:http://u2.wgcn8.com/gz/G1.exe
1:http://u2.wgcn8.com/gz/G5.exe
1:http://u2.wgcn8.com/gz/G4.exe
1:http://u2.wgcn8.com/gz/G39.exe
1:http://u2.wgcn8.com/gz/G33.exe
1:http://u2.wgcn8.com/gz/G25.exe
1:http://u2.wgcn8.com/gz/G35.exe
1:http://u2.wgcn8.com/gz/G37.exe
1:http://u2.wgcn8.com/gz/G15.exe
1:http://u2.wgcn8.com/gz/G9.exe
1:http://u2.wgcn8.com/gz/G24.exe
1:http://u2.wgcn8.com/gz/G21.exe
1:http://u2.wgcn8.com/gz/G29.exe
1:http://u2.wgcn8.com/gz/G23.exe
1:http://u2.wgcn8.com/gz/G22.exe
1:http://u4.wgcn8.com/gb/B7.exe
1:http://u9.wgcn8.com/cj/a2.exe
1:http://u9.wgcn8.com/cj/a10.exe
1:http://u9.wgcn8.com/cj/a6.exe
1:http://u7.wgcn8.com/cj/a9.exe
1:http://u7.wgcn8.com/cj/csj.exe
1:http://u7.wgcn8.com/cj/a8.exe
1:http://u8.wgcn8.com/sb/01.exe

gee lemme guess

http://www.virustotal.com/analisis/1ac067475424076ea1a0255875469c18 29/40

yada yada yada

[Mr Clean]

Code: [Select]

http://securedantivirusonlinescanner.com/download/Install_2003-2.exe

$ dig securedantivirusonlinescanner.com +short
89.149.235.192

http://virscan.org/report/cd19a65865d37045e846c498107a3a82.html  4/37
http://www.virustotal.com/analisis/bad07c253de49cc66c5ac1d133054e18 4/40

http://anubis.iseclab.org/?action=result&task_id=1404bfc3a7ac5a5842199e7094bcf1353

makes a call to

Code: [Select]

http://securedliveuploads.com/?act=fb&1=0&2=1192706791&3=kfddnffaffihlcoemdkedcaefcfaffedhfmdmbpc&4=eebajfjafekaifnbddghoclg&5=20&6=4&7=31&8=95&9=0&10=11-18

$ dig securedliveuploads.com +short
89.149.235.192


[Mr Clean]

Code: [Select]

$ curl hxxp://www.dfhjmfgergfds.cn/new.txt
[file]
open=y
url1= hxxp://www.cvbnmdgesc.cn/1.exe
url2= hxxp://www.cvbnmdgesc.cn/2.exe
url3= hxxp://www.cvbnmdgesc.cn/3.exe
url4= hxxp://www.cvbnmdgesc.cn/4.exe
url5= hxxp://www.cvbnmdgesc.cn/5.exe
url6= hxxp://www.cvbnmdgesc.cn/6.exe
url7= hxxp://www.cvbnmdgesc.cn/7.exe
url8= hxxp://www.cvbnmdgesc.cn/8.exe
url9= hxxp://www.cvbnmdgesc.cn/9.exe
url10= hxxp://www.cvbnmdgesc.cn/10.exe
url11= hxxp://www.cvbnmdgesc.cn/11.exe
url12= hxxp://www.cvbnmdgesc.cn/12.exe
url13= hxxp://www.cvbnmdgesc.cn/13.exe
url14= hxxp://www.cvbnmdgesc.cn/14.exe
url15= hxxp://www.cvbnmdgesc.cn/15.exe
url16= hxxp://www.cvbnmdgesc.cn/16.exe
url17= hxxp://www.cvbnmdgesc.cn/17.exe
url18= hxxp://www.cvbnmdgesc.cn/18.exe
url19= hxxp://www.cvbnmdgesc.cn/19.exe
url20= hxxp://www.cvbnmdgesc.cn/20.exe
url21= hxxp://www.cvbnmdgesc.cn/21.exe
url22= hxxp://www.cvbnmdgesc.cn/22.exe
url23= hxxp://www.cvbnmdgesc.cn/23.exe
url24= hxxp://www.cvbnmdgesc.cn/24.exe
url25= hxxp://www.cvbnmdgesc.cn/25.exe
url26= hxxp://www.cvbnmdgesc.cn/26.exe
url27= hxxp://www.cvbnmdgesc.cn/27.exe
url28= hxxp://www.cvbnmdgesc.cn/28.exe
url29= hxxp://www.cvbnmdgesc.cn/29.exe
url30= hxxp://www.cvbnmdgesc.cn/30.exe
url31= hxxp://www.cvbnmdgesc.cn/31.exe
url32= hxxp://www.cvbnmdgesc.cn/32.exe
url33= hxxp://www.cvbnmdgesc.cn/33.exe
url34= hxxp://www.cvbnmdgesc.cn/34.exe
url35= hxxp://www.cvbnmdgesc.cn/35.exe
count=35


Code: [Select]

$ dig www.dfhjmfgergfds.cn +short
222.186.25.35

$ dig www.cvbnmdgesc.cn +short
222.186.25.35

MysteryFCM: Fixed CODE tags.

[SysAdMini]

Code: [Select]

url1= hxxp://www.cvbnmdgesc.cn/1.exe
..


Already added in the morning. 

[Mr Clean]

Code: [Select]

hxxp://www.transport.net.cn/inc/main.js

$ dig www.transport.net.cn +short
202.104.113.55

http://wepawet.iseclab.org/view.php?hash=b2a8e4aa9bf27f7c61186c5d0fcdde87&t=1239621770&type=js

Code: [Select]

hxxp://w1.163.com7w.com/01/o.exe

$ dig w1.163.com7w.com +short
121.12.116.66

http://www.virustotal.com/analisis/f11deda1257b416b16a03ff280d51f6f 21/40

close relatives on 121.12.116.0/24 network
http://www.malwaredomainlist.com/mdl.php?search=121.12.116&colsearch=All&quantity=50

[Mr Clean]

Code: [Select]

hxxp://www.lw7s.cn/image/qq.exe

$ dig www.lw7s.cn +short
98.126.8.2

http://www.virustotal.com/analisis/388b66140f0cc3bc7e391aa3de1d3210  35/40

[Mr Clean]

Code: [Select]

http://dl.21dnf.cn/dnfly.exe

$ dig dl.21dnf.cn +short
121.12.105.163

http://www.virustotal.com/analisis/bedea6047cd98051978c6bbe777f1155 35/39

[Mr Clean]

Code: [Select]

hxxp://m1.bzbattery.cn/up/up.htm

$ dig m1.bzbattery.cn +short
98.126.8.2                     <-- same as www.lw7s.cn


http://www.virustotal.com/analisis/01e0d5f1ec0d2b0d44b8d1da313c13f8  9/39

[Mr Clean]

Code: [Select]

hxxp://221.192.8.90/icons/wrm.png
$ file wrm.png
wrm.png: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

hxxp://221.192.8.90/icons/phr.png
$ file phr.png
phr.png: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

hxxp://221.192.8.90/icons/kl.png
$ file kl.png
kl.png: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

http://www.virustotal.com/analisis/2203fd0129c76dfc3ab71af8af37c9e4  7/35

http://www.virustotal.com/analisis/2296b2f50f40d42d9f82fd2bf6aa1459 25/40

http://www.virustotal.com/analisis/efb65e1a9e433e85b01d5e8f16b93df7 25/39

[Mr Clean]

Code: [Select]

hxxp://securedvirusscanner.com/download/Install_2006-60.exe

$ dig securedvirusscanner.com +short
212.117.165.126
78.47.172.66
94.76.213.227

http://www.virustotal.com/analisis/1f91b6bb3043cacdfbe112726a034773 0/21

http://www.malwaredomainlist.com/mdl.php?search=212.117.165&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=78.47.172.&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=94.76.213&colsearch=All&quantity=50