Malware Domain List

Malware Related => Malicious Domains => Topic started by: cconniejean on May 10, 2008, 09:44:33 am

Title: kisswow.com.cn
Post by: cconniejean on May 10, 2008, 09:44:33 am
hxxp://www.kisswow.com.cn/

The above is the most I can get; I got an iframe alert and my computer was totally attacked.

I did look at this at vURL, so I kind of see what it is doing.
Title: Re: kisswow.com.cn
Post by: Evilcry on May 10, 2008, 02:49:30 pm
Hello,

From a fast analysis the other extracted interesting websites are:

Code:
hxxp://www.ririwow.cn/14.htm
hxxp://www.ririwow.cn/real.htm
hxxp://www.ririwow.cn/real11.htm
hxxp://www.ririwow.cn/07004.htm
hxxp://js.users.51.la/1866439.js

kisswow.com.cn implements an exploit (MDAC - MS06-14); you can see it by strcat()ting the clsid, that is clsid:BD96C556-65A3-11D0-983A-00C04FC29E36

ririwow.cn/07004.htm implements another exploit, the Microsoft Windows VML Element Integer Overflow Vulnerability, clsid:10072CEC-8CC1-11D1-986E-00A0C955B42E

and from it comes another interesting link, hxxp://www.ririwow.cn/14.htm

Code:
hxxp://dj.jueduizuan.com/ri.exe
that I'm going to reverse :)

Regards,
Evilcry

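The post above notes that the page only reveals the MDAC CLSID once the concatenated string fragments are joined. As an added example (not code from the thread or from either site), here is a small Python scanner a defender can run over a captured script: it resolves `var x = "..."` assignments, folds `+` chains of literals into one string, and then reports any CLSID from the thread it finds, along with whether the CLSID was split up before folding. The sample script at the bottom is constructed to resemble that trick.

```python
import re

# CLSIDs named in the thread, with the labels the post gives them.
KNOWN_BAD_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "MDAC (MS06-14)",
    "10072CEC-8CC1-11D1-986E-00A0C955B42E": "VML element integer overflow",
}

LIT = r'"[^"\n]*"|\'[^\'\n]*\''                  # a simple JS string literal
TERM = r'(?:' + LIT + r'|[A-Za-z_$][\w$]*)'    # a literal or an identifier
# A chain like  "clsid:" + p1 + p2  (lookbehind: do not start mid-identifier)
CHAIN = re.compile(r'(?<![\w$.])' + TERM + r'(?:\s*\+\s*' + TERM + r')+')
# Simple constant assignments:  var p1 = "...";
ASSIGN = re.compile(r'\b(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*(' + LIT + r')\s*;')
CLSID = re.compile(r'[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}', re.I)


def fold_concatenations(script: str) -> str:
    """Resolve literal-only assignments and join '+' chains into one literal."""
    consts = {name: lit[1:-1] for name, lit in ASSIGN.findall(script)}

    def join(m):
        out = []
        for t in re.findall(TERM, m.group(0)):
            if t[0] in "\"'":
                out.append(t[1:-1])
            elif t in consts:
                out.append(consts[t])
            else:
                return m.group(0)  # unknown identifier: leave the chain alone
        return '"' + "".join(out) + '"'

    return CHAIN.sub(join, script)


def find_bad_clsids(script: str) -> list:
    """Return (clsid, label, was_obfuscated) for each known-bad CLSID found."""
    plain = {c.upper() for c in CLSID.findall(script)}
    hits = []
    for c in CLSID.findall(fold_concatenations(script)):
        key = c.upper()
        if key in KNOWN_BAD_CLSIDS:
            hits.append((key, KNOWN_BAD_CLSIDS[key], key not in plain))
    return hits


# Constructed sample: the CLSID is split across two variables and rejoined.
SAMPLE = '''
var p1 = "BD96C556-65A3-";
var p2 = "11D0-983A-00C04FC29E36";
var o = document.createElement("object");
o.setAttribute("classid", "clsid:" + p1 + p2);
'''

if __name__ == "__main__":
    for clsid, label, hidden in find_bad_clsids(SAMPLE):
        print(clsid, label, "(assembled at runtime)" if hidden else "(plain)")
```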

Title: Re: kisswow.com.cn
Post by: sowhat-x on May 10, 2008, 02:55:27 pm
...welcome on board, Evilcry - nice to have you around here ;)
Title: Re: kisswow.com.cn
Post by: Evilcry on May 10, 2008, 05:53:33 pm
Thank you sowhat :)

ri.exe is Trojan.Win32.Agent.lpv, better known as TR/Dropper.Gen

Regards,
Evilcry
Title: Re: kisswow.com.cn
Post by: JohnC on May 10, 2008, 06:24:20 pm
Thank you.
Title: Re: kisswow.com.cn
Post by: cconniejean on May 11, 2008, 01:02:38 am
Thank you for the answers. I started out trying to check a link to a credit card portal and got an exploit alert from my software. So I tried to google the link instead and got hit with alerts again for exploits being blocked to my computer. Thanks again.