Author Topic: url malware domain  (Read 2623 times)

0 Members and 1 Guest are viewing this topic.

April 23, 2010, 10:06:40 am
Read 2623 times

bpz

  • Newbie

  • Offline
  • *

  • 4
new domain:

-hxxp://brekoshentos.info/1/tmp/des.jar
-http://195.242.161.138/1/tmp/des.jar

malware:

hxxp://www.fondospara.com/js/1/tmp/

source:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /js/1/tmp</title>
 </head>
 <body>
<h1>Index of /js/1/tmp</h1>
<ul><li><a href="/js/1/"> Parent Directory</a></li>
<li><a href="all.pdf"> all.pdf</a></li>
<li><a href="allv7.pdf"> allv7.pdf</a></li>
<li><a href="collab.pdf"> collab.pdf</a></li>
<li><a href="des.jar"> des.jar</a></li>
<li><a href="flash.swf"> flash.swf</a></li>
<li><a href="geticon.pdf"> geticon.pdf</a></li>
<li><a href="ie.html"> ie.html</a></li>
<li><a href="libtiff.pdf"> libtiff.pdf</a></li>
<li><a href="newplayer.pdf"> newplayer.pdf</a></li>
<li><a href="printf.pdf"> printf.pdf</a></li>
<li><a href="vistaie7.html"> vistaie7.html</a></li>
<li><a href="vistan7ie8.html"> vistan7ie8.html</a></li>
<li><a href="vistan7other.html"> vistan7other.html</a></li>
<li><a href="xpie7.html"> xpie7.html</a></li>
<li><a href="xpie8.html"> xpie8.html</a></li>
<li><a href="xpother.html"> xpother.html</a></li>
</ul>
<address>Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a Phusion_Passenger/2.2.11 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at w/w/w.fondospara.com Port 80</address>
</body></html>


sample analisis of colllab.pdf

http://wepawet.iseclab.org/view.php?hash=e973ea02ca811ae7b03e55ed6704bcb7&t=1272016961&type=js