Author Topic: Weird domain hosting malware...  (Read 7117 times)

0 Members and 1 Guest are viewing this topic.

September 30, 2007, 06:20:17 am
Read 7117 times

sowhat-x

  • Guest
...as always,take your precaution measures...
rewrite URI from hxxp to http...

hxxp://susej.org/upload/files/

Would be nice if someone could upload this stuff in VirusTotal and see results...
I'm quite much out of time the latest days to check on it,
and also,gonna be missing on trip during this week,probably not being able to reply...
I can see quite a few of php backdoors there...what in the world is this domain...
only to be used with remote file inclusions and xss or something?
Because I see that the main form one dir above seems to be public,
meaning that anyone can upload files through it...  ???

October 29, 2007, 01:35:42 am
Reply #1

Edgar Bangkok

  • Special Members
  • Full Member

  • Offline
  • *

  • 61
    • Edgar Internet Tools
I re-post after my message missing for server problems
This is virustotal report about site 
hxxp://susej.org/upload/files/

Complete scanning result of "xkvsi809.txt", processed in VirusTotal at 10/28/2007 11:21:46 (CET).

[ file data ]
* name: xkvsi809.txt
* size: 5451
* md5.: 2d8d503e2b3eb93bad88b1a6a5aa302b
* sha1: c6d0fb1c34fd6bd3be9c6ca0f91547482373282a

[ scan result ]
 AhnLab-V3 2007.10.27.0/20071026 found nothing
AntiVir 7.6.0.30/20071026 found [EXP/Psyme.T.1]
Authentium 4.93.8/20071026 found [VBS/Psyme.BT]
Avast 4.7.1074.0/20071027 found nothing
AVG 7.5.0.503/20071027 found [Exploit]
BitDefender 7.2/20071028 found [Exploit.ADODB.Stream.BR]
CAT-QuickHeal 9.00/20071026 found [EXP_JS/ADODBStream.E]
ClamAV 0.91.2/20071028 found [trojan.Downloader.JS.ADODBStream]
DrWeb 4.44.0.09170/20071028 found [VBS.Psyme.239]
eSafe 7.0.15.0/20071022 found [VBS.Phel.a]
eTrust-Vet 31.2.5244/20071026 found [VBS/MS06-014!exploit]
Ewido 4.0/20071028 found [Not-A-Virus.Exploit.JS.ADODB.Stream.e]
F-Prot 4.3.2.48/20071026 found nothing
F-Secure 6.70.13030.0/20071027 found [Exploit.JS.ADODB.Stream.e]
FileAdvisor 1/20071028 found nothing
Fortinet 3.11.0.0/20071019 found [VBS/Psyme.R!tr.dldr]
Ikarus T3.1.1.12/20071027 found [Exploit.JS.ADODB.Stream]
Kaspersky 7.0.0.125/20071028 found [Exploit.JS.ADODB.Stream.e]
McAfee 5150/20071026 found [Exploit-MS06-014]
Microsoft 1.2908/20071028 found [Exploit:JS/MS06014]
NOD32v2 2621/20071028 found [JS/Exploit.ADODB.Stream.NAP]
Norman 5.80.02/20071026 found [VBS/Psyme.AE]
Panda 9.0.0.4/20071027 found nothing
Prevx1 V2/20071028 found nothing
Rising 19.46.60.00/20071028 found [trojan.DL.VBS.Agent.t]
Sophos 4.23.0/20071028 found [Mal/Psyme-B]
Sunbelt 2.2.907.0/20071027 found nothing
Symantec 10/20071028 found [Downloader.Exploit.64]
TheHacker 6.2.9.110/20071027 found nothing
VBA32 3.12.2.4/20071028 found nothing
VirusBuster 4.3.26:9/20071027 found [VBS.Psyme.BZ]

xkvsi809. is the source code page and also have into vbscript with exploit.

Edgar from Bangkok  :)

http://edetools.blogspot.com/