martuz.cn -(95.129.145.58)

[SysAdMini]

gumblar.cn has a successor :

martuz.cn

Code: [Select]

martuz.cn/vid/?id=0
downloads a pdf exploit

Code: [Select]

martuz.cn/vid/?id=2http://www.virustotal.com/analisis/71dcf146b308af42b4e7d51142c7bd90 3/40
BitDefender   7.2   2009.05.18   Exploit.PDF-JS.Gen
Sunbelt   3.2.1858.2   2009.05.17   Exploit.PDF-JS.Gen (v)
Symantec   1.4.4.12   2009.05.18   Bloodhound.PDF.7
http://wepawet.cs.ucsb.edu/view.php?hash=6830abddd7a716b2b4f8a93cfabc01dd&type=js

and a flash exploit

Code: [Select]

martuz.cn/vid/?id=3http://www.virustotal.com/analisis/6a529be0a99a47aec0af841b371ecb03 0/40

payload is a badly detected trojan

Code: [Select]

martuz.cn/vid/?id=10&http://www.virustotal.com/analisis/26ccc949ec81029591bbb6c33476a9de 6/40
AntiVir   7.9.0.168   2009.05.18   HEUR/Crypted.E
eSafe   7.0.17.0   2009.05.17   Suspicious File
Prevx   3.0   2009.05.18   Medium Risk Malware
Rising   21.30.01.00   2009.05.18   Trojan.Spy.Win32.Delf.dpt
Symantec   1.4.4.12   2009.05.18   Backdoor.Trojan
TrendMicro   8.950.0.1092   2009.05.18   PAK_Generic.001
http://www.threatexpert.com/report.aspx?md5=2131112053ed144c46277b9024bcf39f

[SysAdMini]

Martuz .cn - New Incarnation of the Gumblar Exploit. So What’s New?
http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/

gumblar.cn switches to martuz.cn (95.129.145.58 - netname: NET-VENTREX)
http://hphosts.blogspot.com/2009/05/gumblarcn-switches-to-martuzcn.html

martuz.cn injection attack
http://www.dynamoo.com/blog/2009/05/martuzcn-injection-attack.html

[Malware-Web-Threats]

Found the exploit that came with this domain

[SysAdMini]

martuz.cn doesn't resolve any longer.
Let's see what comes next.

http://blog.scansafe.com/journal/2009/5/19/gumblar-up-another-7-martuzcn-is-down.html

[Malware-Web-Threats]

two hours ago
http://wepawet.iseclab.org/view.php?hash=13e9dafef418b538fdb1b34144a269ec&t=1242764583&type=js

updated with new scripts:
http://wepawet.iseclab.org/view.php?hash=9944fbc2873a20af8963a3eda934ae79&t=1242771345&type=js

190.1.246.170
exe:

Code: [Select]

hxxp://ruisjop.com/liloadercdi.php?id=3536002
Wepawet
VirusTotal - 38/39 (97.44%)
Anubis

Code: [Select]

hxxp://ruisjop.com/p1d2f3.php?id=3536002
Wepawet (link)
Wepawet (pdf)
VirusTotal - 14/40 (35%)

ThreatExpert

From ANUBIS:1033 to 99.49.23.215:80 - [peskostruikaz[.]com] 
Request: GET /auq.php?d2aff5=1972515&id=14671282555627 
Response: 200 "OK" 
From ANUBIS:1035 to 72.167.131.174:80 - [johnsonbodyshop[.]com] 
Request: GET /images/logo.gif?d4c599=1992031&id=14671282555627 
Response: 200 "OK" 

hxxp://peskostruikaz.com/auq.php?211ffb=310125&id=4111362546981
hxxp://johnsonbodyshop.com/images/logo.gif?2d35a7=423265&id=4111362546981
hxxp://shopatforgetmenot.com/images/mainlogo.gif?2d6c57=425265&id=4111362546981
hxxp://corporateshelters.com/images/logo.gif?2da377=427281&id=4111362546981

[SysAdMini]

Automatic removal of Gumblar/Martuz trojan
http://www.danielansari.com/wordpress/2009/05/automatic-removal-of-gumblarmartuz-trojan/

[boston]

a fix tool:
http://jpshortstuff.247fixes.com/beta/DaonolFix.exe

btw:
could anyone explain what the function of this c:\_.e file is?
thanks a lot.

[MysteryFCM]

could anyone explain what the function of this c:\_.e file is?

Not without a sample ....

/edit

Thanks to a friend (), it has been determined previously, that _.exe is a backdoor trojan.

[SysAdMini]

Gumblar - An Analysis and History
http://securitylabs.websense.com/content/Blogs/3401.aspx

[SysAdMini]

Inside the Massive Gumblar Attack
http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/

[SysAdMini]

Attached you find the joebox analysis report of the executable.