Malware Domain List

Malware Related => Malicious Domains => Topic started by: jackberri on December 17, 2009, 11:26:00 pm

Title: New Zeus server
Post by: jackberri on December 17, 2009, 11:26:00 pm
hxxp://pxcallcentercareersx333.com/r/d1.chm
hxxp://pxcallcentercareersx333.com/r/d1.exe
hxxp://pxcallcentercareersx333.com//g/move.php
Title: Re: New Zeus server
Post by: jackberri on December 20, 2009, 10:11:39 am
Quote
hxxp://ec2-72-44-38-103.compute-1.amazonaws.com/zeus/cfg2.bin
Title: Re: New Zeus server
Post by: SysAdMini on December 20, 2009, 10:55:48 am
Quote
hxxp://ec2-72-44-38-103.compute-1.amazonaws.com/zeus/cfg2.bin

ec2-72-44-38-103.compute-1.amazonaws.com/zeus/bot.exe
ec2-72-44-38-103.compute-1.amazonaws.com/zeus/gate.php
Title: Re: New Zeus server
Post by: jackberri on December 22, 2009, 09:57:35 am
hxxp://www.aksobor.ru/myadmin/config/config.bin
Title: Re: New Zeus server
Post by: jackberri on December 24, 2009, 04:39:04 pm
hxxp://sergeus2010.us/12711/cfg2.bin
hxxp://sergeus2010.us/12711/gate.php
hxxp://sergeus2010.us/12711/webs.exe
Title: Re: New Zeus server
Post by: jackberri on December 26, 2009, 05:31:24 pm
hxxp://www.simplyukjob.net /rty/ijkl/kjlhk.bin
Title: Re: New Zeus server
Post by: jackberri on December 27, 2009, 03:58:53 pm
stomaid.ru/cbd /stom.ble
is now online

The new md5sum is:
f47605d650ddc2ec67c27951960216a5
Title: Re: New Zeus server
Post by: jackberri on December 30, 2009, 12:56:33 pm
New dropzones:

rapidgatewave com /west/cgi.php
xwealthprivate info /west/cgi.php
Title: Re: New Zeus server
Post by: jackberri on December 30, 2009, 09:12:06 pm
hxxp:// 91.212.198.234 /fuck/config.bin
Title: Re: New Zeus server
Post by: jackberri on December 31, 2009, 11:08:25 am
hxxp://usastopaids.org/c/alba.jpg
Title: Re: New Zeus server
Post by: jackberri on December 31, 2009, 04:37:54 pm
hxxp://d-g-z.de/contenido/external/wysiwyg/tinymce2/jscripts/tiny_mce/plugins/config.bin
Title: Re: New Zeus server
Post by: jackberri on January 05, 2010, 04:42:13 pm
weed.sindromx.net.ua
is now online
Title: Re: New Zeus server
Post by: SysAdMini on January 05, 2010, 05:14:32 pm
Quote
weed.sindromx.net.ua
is now online

http://www.malwaredomainlist.com/mdl.php?search=weed.sindromx.net.ua&colsearch=All&quantity=50
Title: Re: New Zeus server
Post by: jackberri on January 05, 2010, 06:08:34 pm
Sorry  :)

hxxp://weed.sindromx.net.ua/~sindromx/z/cfg.bin
hxxp://weed.sindromx.net.ua/~sindromx/z/ldr.exe
hxxp://weed.sindromx.net.ua/~sindromx/z/gate.php

Are now online
Title: Re: New Zeus server
Post by: jackberri on January 05, 2010, 07:53:37 pm
hxxp://55gy.co.tv/425/gtf.bin
Title: Re: New Zeus server
Post by: jackberri on January 06, 2010, 02:23:56 pm
hxxp://chocolatery.info/config.bin
hxxp://chocolatery.info/bot.exe
hxxp://chocolatery.info/gate.php
Title: Re: New Zeus server
Post by: jackberri on January 07, 2010, 10:34:26 am
New files for 
193.104.27.171
hxxp://193.104.27.171/uk/ukk1.bin
hxxp://193.104.27.171/moneyuk1.exe
hxxp://193.104.27.171/ukk/gg1.php

Title: Re: New Zeus server
Post by: jackberri on January 07, 2010, 11:24:35 am
Only the config file  >:(

hxxp://wermacht.net/12/c1.bin
Title: Re: New Zeus server
Post by: SysAdMini on January 07, 2010, 12:01:46 pm
Quote
Only the config file  >:(

hxxp://wermacht.net/12/c1.bin

No problem. Found.
Title: Re: New Zeus server
Post by: jackberri on January 07, 2010, 08:21:54 pm
hxxp://history03kf.com/P0rtL1ps/657n8y4trb887.bin
hxxp://history03kf.com/P0rtL1ps/MNcs6d5rcw4CWEWE54weh5EJt5j6TSDY5.php
Title: Re: New Zeus server
Post by: jackberri on January 09, 2010, 11:59:06 am
Only the config file  >:(

hxxp://silence7.homeip.net/zx/config.bin
IP
95.169.186.103
silence7.homeip.net has one IP number, but the reverse is ns.km34517.keymachine.de. homeip.net is a domain controlled by five nameservers at dyndns.org. All of them are on different IP networks. Incoming mail for homeip.net is handled by two mailservers having a total of 14 IP numbers. Two mailservers have the same IP number. All of them are on the same IP network. homeip.net has one IP number. silence7.homeip.net is hosted on a server in the Russian Federation.
Title: Re: New Zeus server
Post by: jackberri on January 11, 2010, 05:37:35 pm
http://donccapone.com/tmp/check.php
IP: 195.78.108.50
And:

1211news.com/index.exe
1211news.com//tmp/check.php
promoalp.ru
Title: Re: New Zeus server
Post by: jackberri on January 12, 2010, 12:41:02 pm
hxxp://vifiogod7com.net/vgame/logo.jpg
IP:
115.100.250.114
AS9811
Title: Re: New Zeus server
Post by: jackberri on January 14, 2010, 07:34:34 am
hxxp://cashing-s.com/exp/cfg.bin
IP
122.115.63.45
Route
122.115.60.0/22
AS9803
Title: Re: New Zeus server
Post by: jackberri on January 14, 2010, 11:00:58 am
hxxp://www.traffsearch.com/zecp/cfg2.bin
hxxp://www.traffsearch.com/zecp/gate.php

IP
212.95.38.98
Create: 2010-01-09 01:13:18
Reverse Lookup
ns3.erikmedya.com
Creation Date: 08-jan-2010
AS28753
Title: Re: New Zeus server
Post by: jackberri on January 14, 2010, 11:55:44 am
hxxp://britishsupport.net/bx/vlc.exe
hxxp://britishsupport.net/bx/cgi.bin

IP
222.122.60.186
AS4766
Title: Re: New Zeus server
Post by: jackberri on January 14, 2010, 07:44:21 pm
hxxp://businesscosult4u.com
Creation Date: 10-jan-2010
IP: 122.115.63.4
Reverse: netnic.com.cn
AS: AS9803

binary url
hxxp://businesscosult4u.com/load/load.exe
http://www.virustotal.com/es/analisis/33e1dae365ac4c0a643eb542d9e705cc181f5b754e7c73e4b1486515075fee03-1263497416
VT 8/41 (19.52%)

dropzone
hxxp://businesscosult4u.com/include/linkstat.php
Title: Re: New Zeus server
Post by: jackberri on January 15, 2010, 08:04:48 pm
hxxp://zexmad.com
Creation Date: 12-jan-2010

IP: 91.213.174.13

config file
hxxp://zexmad.com/web/cfg.bin
binary url

dropzone
hxxp://zexmad.com/web/gate.php
Title: Re: New Zeus server
Post by: jackberri on January 15, 2010, 08:56:40 pm
config file
hxxp://pilonoc.cn/web/cfg.bin
binary url
hxxp://pilonoc.cn/web/ldr.exe
dropzone
hxxp://pilonoc.cn/web/gate.php
Are now online
Title: Re: New Zeus server
Post by: SysAdMini on January 15, 2010, 09:00:14 pm
Quote
config file
hxxp://pilonoc.cn/web/cfg.bin
binary url
hxxp://pilonoc.cn/web/ldr.exe
dropzone
hxxp://pilonoc.cn/web/gate.php
Are now online

Thank you, but already on list.

http://www.malwaredomainlist.com/mdl.php?search=pilonoc.cn&colsearch=All&quantity=50
Title: Re: New Zeus server
Post by: jackberri on January 15, 2010, 09:12:34 pm
Quote
config file
hxxp://pilonoc.cn/web/cfg.bin
binary url
hxxp://pilonoc.cn/web/ldr.exe
dropzone
hxxp://pilonoc.cn/web/gate.php
Are now online

Thank you, but already on list.

http://www.malwaredomainlist.com/mdl.php?search=pilonoc.cn&colsearch=All&quantity=50

On list:

pilonoc.cn/1/ldr.exe
pilonoc.cn/1/gate.php
pilonoc.cn/1/cfg.bin
Title: Re: New Zeus server
Post by: SysAdMini on January 15, 2010, 09:29:28 pm
Quote
On list:

pilonoc.cn/1/ldr.exe
pilonoc.cn/1/gate.php
pilonoc.cn/1/cfg.bin

Ok, you are right.
Title: Re: New Zeus server
Post by: jackberri on January 16, 2010, 12:06:23 am
hxxp://businesscosult4u.com/
IP: 122.115.63.4
Reverse:
netnic.com.cn
AS: AS9803

Creation Date: 10-jan-2010

config file
hxxp://businesscosult4u.com/1111/cfg2.bin
dropzone
hxxp://businesscosult4u.com/1111/gate.php
Title: Re: New Zeus server
Post by: jackberri on January 16, 2010, 01:30:34 pm
hxxp://www.mercuryepm.com
IP: 67.199.146.116

Reverse:
AS: AS25973

config file
hxxp://www.mercuryepm.com/phpmailer/_reports/config.bin
Title: Re: New Zeus server
Post by: jackberri on January 16, 2010, 04:59:44 pm
hxxp://hostanalytics.bissnes.net
IP 64.191.75.69
Reverse s2.localhost
AS AS21788

config file
hxxp://hostanalytics.bissnes.net/host-analyzer/9s8239m8s21sextgb8sae8/update.cfg
hxxp://hostanalytics.bissnes.net/host-analyzer/9s8239m8s21sextgb8sae8/update.cfg_1.2.4.2
hxxp://hostanalytics.bissnes.net/host-analyzer/9s8239m8s21sextgb8sae8/update.cfg_1.2.7.7
Title: Re: New Zeus server
Post by: jackberri on January 16, 2010, 06:49:43 pm
New config file for

ree.fcrazy.eu
hxxp://ree.fcrazy.eu/pnz/info.bin
Title: Re: New Zeus server
Post by: jackberri on January 17, 2010, 12:41:51 am
New binary for

ree.fcrazy.eu
http://fcrazy.eu/flh/doit.phpload/zs_update.exe
Title: Re: New Zeus server
Post by: jackberri on January 17, 2010, 02:50:01 pm
hxxp://oiuyrw.biz
IP: 122.115.63.30
Reverse: netnic.com.cn
AS: AS9803

config file
hxxp://oiuyrw.biz/oekdl/n/teko.bin
hxxp://oiuyrw.biz/oekdl/n/teko1.bin

http://www.nsspy.org/archive/everydns.net/2010-01-08/1.html
Title: Re: New Zeus server
Post by: jackberri on January 17, 2010, 06:56:02 pm
hxxp://windows-update.cn
IP: 78.109.23.64
Reverse: rx11.ru
AS: AS41665

config file
hxxp://windows-update.cn/php2.ini
Title: Re: New Zeus server
Post by: jackberri on January 17, 2010, 07:14:22 pm
hxxp://nazionalepugilifootball.com
IP:
81.31.145.12
Reverse:
da28.joomlahost.it
AS: AS47242

config file
hxxp://nazionalepugilifootball.com/css/cfg3.bin
Title: Re: New Zeus server
Post by: jackberri on January 18, 2010, 10:06:46 am
hxxp://shop.prociechi.it
IP: 62.149.175.39
Reverse:
host39-175-149-62.serverdedicati.aruba.it
AS31034

config file
hxxp://shop.prociechi.it/catalog/images/icons/config.bin
Title: Re: New Zeus server
Post by: jackberri on January 18, 2010, 11:46:54 am
hxxp://morsayniketamere.cn
IP:
91.206.201.14
AS47781

Administrative Email: hilarykneber@yahoo.com
config file
hxxp://morsayniketamere.cn/baners/config.bin
Title: Re: New Zeus server
Post by: jackberri on January 18, 2010, 07:46:20 pm
hxxp://realtybestus.com
IP: 213.155.24.229

AS41665

registrant-email: krekivoshki@live.com

config file
hxxp://realtybestus.com/abc/bin8.xls
Title: Re: New Zeus server
Post by: jackberri on January 18, 2010, 08:37:31 pm
hxxp://www.muchomucho.net
IP 75.119.205.176
AS26347

Creation Date: 11-jan-2009
Registrant Contact: Shawn Sanford shawn@muchomucho.net
Config file:
hxxp://www.muchomucho.net/blog/wp-includes/cp/config.bin
Title: Re: New Zeus server
Post by: jackberri on January 18, 2010, 09:34:44 pm
hxxp://kvantvertop.com
IP 115.100.250.75
AS9811

Creation Date: 15-Jan-2010
Domain Admin (contact@privacyprotect.org)
Config file:
hxxp://kvantvertop.com/us/orders.xls
hxxp://115.100.250.75/us/test/price.xls

Binary file:
hxxp://kvantvertop.com/us/directwin.exe
dropzone
hxxp://kvantvertop.com/ie.php
Title: Re: New Zeus server
Post by: SysAdMini on January 19, 2010, 07:55:18 am
hxxp://www.muchomucho.net

taken offline by provider.
Title: Re: New Zeus server
Post by: jackberri on January 19, 2010, 05:22:20 pm
Quote
hxxp://www.muchomucho.net

taken offline by provider.

Great news  :)
Go ahead!

and now config file:
6alava.com
hxxp://6alava.com/0d020d0340003s10/.p00p/config.bin
Title: Re: New Zeus server
Post by: jackberri on January 20, 2010, 05:54:25 pm
hxxp://littlednss.com
Config file
hxxp://littlednss.com/us/orders.xls
Binary file
hxxp://littlednss.com/us/directwin.exe
Drop zone
hxxp://littlednss.com/us/ie.php
IP 115.100.250.81
AS9811

Domain Admin (contact@privacyprotect.org)
Title: Re: New Zeus server
Post by: MysteryFCM on January 20, 2010, 07:21:24 pm
littlednss.com doesn't seem to be resolving any longer :(
Title: Re: New Zeus server
Post by: SysAdMini on January 20, 2010, 07:22:38 pm
Quote
littlednss.com doesn't seem to be resolving any longer :(

taken down by registrar.
Title: Re: New Zeus server
Post by: MysteryFCM on January 20, 2010, 07:42:15 pm
hehe my fault for not looking at the WhoIs status.
Title: Re: New Zeus server
Post by: jackberri on January 21, 2010, 12:41:45 am
Quote
littlednss.com doesn't seem to be resolving any longer :(

Now resolves to 115.100.250.81

Regards
Title: Re: New Zeus server
Post by: jackberri on January 21, 2010, 09:49:17 am
hxxp://www.electromusicnow.cn
IP 122.115.63.17
AS9803
Administrative Email: williamashley40@yahoo.com

config file
hxxp://www.electromusicnow.cn/drum/trance.jpg
drop zone
hxxp://www.electromusicnow.cn/drum/dance.php
droppers:
hxxp://www.maquinaslitograficas.com/img/mujeres.jpg
hxxp://www.maquinaslitograficas.com/img/mujeress.jpg

hxxp://maquinaslitograficas.com
IP      67.205.111.201
Reverse abril.colombiaredes.info
Registrar: EVERYONES INTERNET, LTD. DBA RESELLONE.NET
AS32613
Title: Re: New Zeus server
Post by: MysteryFCM on January 21, 2010, 05:58:38 pm
Quote
littlednss.com doesn't seem to be resolving any longer :(

Now resolves to 115.100.250.81

Regards

Meant to mention the URL's still worked if you replaced the domain name with the old IP ;)
Title: Re: New Zeus server
Post by: jackberri on January 21, 2010, 06:53:31 pm
Found new config file for
dolbanov.net
hxxp://dolbanov.net/images/cfg/new231/azukde.bin
Title: Re: New Zeus server
Post by: jackberri on January 21, 2010, 07:23:02 pm
hxxp://ubojnajasila.net
config file:
hxxp://ubojnajasila.net/zend/cfg.bin

trojan file
hxxp://ubojnajasila.net/zend/bot.exe
md5sum e6cdf6691e224ef5c2158c63fa7ed4f0

dropzone
hxxp://ubojnajasila.net/zend/gate.php

IP 200.106.149.172
AS27990

Registrar: TUCOWS INC

Registration Service Provider:
Fasthosts Internet Limited, domains@fasthosts.co.uk

Administrative Contact:
contactprivacy.com, ubojnajasila.net@contactprivacy.com

Title: Re: New Zeus server
Post by: jackberri on January 21, 2010, 10:40:53 pm
hxxp://googlefastanalytics.eu/
IP 93.190.141.102
Reverse twilight.void.fi

AS49981

e-mail: info@worldstream.nl

url config:
hxxp://googlefastanalytics.eu/forum/gdvfhsv2.bin
Title: Re: New Zeus server
Post by: jackberri on January 22, 2010, 08:00:19 am
hxxp://internazionale.vc/
IP 195.242.161.190
AS47434

Created On:13-Jan-2010 15:20:57 UTC

Registrant Name:charles fytche
Registrant Email:mihelonto@googlemail.com

url config:
hxxp://internazionale.vc/images/blend.jpg
hxxp://internazionale.vc/images/fly.gif

Title: Re: New Zeus server
Post by: jackberri on January 22, 2010, 08:10:53 am
New config for

nekovo.ru
url config:
hxxp://nekovo.ru/cbd/nekovo.bri
IP 109.95.114.72
AS50369

registrar: REGRU-REG-RIPN
Aleksey V Kijanskiy kievsk@yandex.ru
Created: 2010-01-06
nekovo.ru point to 109.95.114.72. It is not listed in any blacklists.
Title: Re: New Zeus server
Post by: jackberri on January 22, 2010, 01:27:42 pm
Downloads trojan Zbot and other malware.
The malware config servers:

http://klitar.cn/cp/l/28/088f1f3a888617973b88c21a23f907d5/f8fdf0601bcc3453b8b4d90fce622406
http://klitar.cn/cp/l/11/d38bb79c97509e07111c3dea6d92cb58/efc66d8f9d32309cfe56382f69c95e6e
hxxp://klitar.cn/cp/l/19/c95535db0ebc2d416bbefcacd3345420/f1a64914c01f584549056805acc61736
hxxp://klitar.cn/cp/l/20/299c49cc5225165610cd08227e9d5562/af73d9596a9a6363ffd5d968628f7a9c
hxxp://klitar.cn/cp/l/2/e99eb3a724872da6cff5f99b87ade5de/6ab84adb1bcb02622c89af526a2a2fe8
hxxp://klitar.cn/cp/l/12/e2b3be27fddbce37ba168e5bb9d7b484/47ce9e84a768603f9de7c1325386d39b
IP 193.104.110.89
AS50073
Administrative Email: gamegalenty@mail.ru
Registrant Name: googlegoogle
Title: Re: New Zeus server
Post by: SysAdMini on January 22, 2010, 04:43:57 pm
Quote
Downloads trojan Zbot and other malware.
The malware config servers:

http://klitar.cn/cp/l/28/088f1f3a888617973b88c21a23f907d5/f8fdf0601bcc3453b8b4d90fce622406
http://klitar.cn/cp/l/11/d38bb79c97509e07111c3dea6d92cb58/efc66d8f9d32309cfe56382f69c95e6e
hxxp://klitar.cn/cp/l/19/c95535db0ebc2d416bbefcacd3345420/f1a64914c01f584549056805acc61736
hxxp://klitar.cn/cp/l/20/299c49cc5225165610cd08227e9d5562/af73d9596a9a6363ffd5d968628f7a9c
hxxp://klitar.cn/cp/l/2/e99eb3a724872da6cff5f99b87ade5de/6ab84adb1bcb02622c89af526a2a2fe8
hxxp://klitar.cn/cp/l/12/e2b3be27fddbce37ba168e5bb9d7b484/47ce9e84a768603f9de7c1325386d39b
IP 193.104.110.89
AS50073
Administrative Email: gamegalenty@mail.ru
Registrant Name: googlegoogle

I don't find any Zbot.  ???
Title: Re: New Zeus server
Post by: jackberri on January 22, 2010, 05:59:42 pm

Quote
I don't find any Zbot.  ???

hxxp://klitar.cn/cp/l/28/088f1f3a888617973b88c21a23f907d5/f8fdf0601bcc3453b8b4d90fce622406
downloads 1.exe ====> md5sum 0e2a961da9504c243a8605e3325d246e
http://www.virustotal.com/analisis/3077da26818ed411d55d29708de40b4ce10c15a94804e7253a60ec634ce701bc-1264146214
http://www.threatexpert.com/report.aspx?md5=0e2a961da9504c243a8605e3325d246e
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12054933&cs=5D45E0548CAF1906FEB502CA393D2E22

hxxp://klitar.cn/cp/l/11/d38bb79c97509e07111c3dea6d92cb58/efc66d8f9d32309cfe56382f69c95e6e
downloads 1.exe ====> md5sum efc66d8f9d32309cfe56382f69c95e6e
http://www.virustotal.com/analisis/a8b2b227383cec0f74966b5796130b535caf563873e99406e546107ff1d10812-1264164713
http://www.threatexpert.com/report.aspx?md5=efc66d8f9d32309cfe56382f69c95e6e
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=53536503&cs=8F1334C420884380CF9B8986A6E7770C

hxxp://klitar.cn/cp/l/19/c95535db0ebc2d416bbefcacd3345420/f1a64914c01f584549056805acc61736
downloads 1.exe ====> md5sum f1a64914c01f584549056805acc61736
http://www.virustotal.com/analisis/510f22b8ab8e26bbba57c069c4c828a5914a69bdfa79759c3b55fdf84493aac7-1264112515
http://www.threatexpert.com/report.aspx?md5=f1a64914c01f584549056805acc61736
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12054935&cs=689759CBCBA3ED5C1AF9E5AAC0B4AFD6

hxxp://klitar.cn/cp/l/20/299c49cc5225165610cd08227e9d5562/af73d9596a9a6363ffd5d968628f7a9c
downloads 1.exe ====> md5sum af73d9596a9a6363ffd5d968628f7a9c
http://www.virustotal.com/analisis/c41d106d812ddd638d884ecfad511f538ade219a75e6040fd2a0fe1c40f48ebf-1264136631
http://www.threatexpert.com/report.aspx?md5=af73d9596a9a6363ffd5d968628f7a9c
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=53279518&cs=FCEC6FF1EAD0F6210D125D351881629F

hxxp://klitar.cn/cp/l/2/e99eb3a724872da6cff5f99b87ade5de/6ab84adb1bcb02622c89af526a2a2fe8
downloads 1.exe ====> md5sum 6ab84adb1bcb02622c89af526a2a2fe8
http://www.virustotal.com/analisis/88b9fd77e5dad8f827a170ffee412f97306ed8202f3619b75ab4b7585382ac1b-1264170738
http://www.threatexpert.com/report.aspx?md5=6ab84adb1bcb02622c89af526a2a2fe8
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=53539007&cs=40ADC24C6CA30B8C6B74165843738B84

hxxp://klitar.cn/cp/l/12/e2b3be27fddbce37ba168e5bb9d7b484/47ce9e84a768603f9de7c1325386d39b
downloads 1.exe ====> md5sum 47ce9e84a768603f9de7c1325386d39b
http://www.virustotal.com/analisis/9d22b7762aac30ba9885a4d06e6ee0bb881653fe22119c9624bd49dd7c982d5c-1264033266
http://www.threatexpert.com/report.aspx?md5=47ce9e84a768603f9de7c1325386d39b
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=12055006&cs=99A744B6D2E52EC02178F552105E628F
Title: Re: New Zeus server
Post by: SysAdMini on January 22, 2010, 06:06:15 pm
Thanks. Ok, now I see which one it is.  But I don't get the Zbot sample.
Download returns 0 byte.
Title: Re: New Zeus server
Post by: jackberri on January 22, 2010, 06:17:06 pm
Quote
Thanks. Ok, now I see which one it is.  But I don't get the Zbot sample.
Download returns 0 byte.

hxxp://klitar.cn/cp/l/20/299c49cc5225165610cd08227e9d5562/af73d9596a9a6363ffd5d968628f7a9c
now downloads the binary, but only randomly.
Title: Re: New Zeus server
Post by: jackberri on January 22, 2010, 09:18:46 pm
hxxp://secline333.net
IP 195.78.108.70
AS49544

Created: 2010-01-06
Registrant Contact: HardSoft, inc
hilarykneber@yahoo.com

config url:
hxxp://secline333.net/files/saw.nrg
Title: Re: New Zeus server
Post by: jackberri on January 22, 2010, 09:58:00 pm
hxxp://tttbbbttt.zapto.org
IP 95.31.234.3
AS8402

Registrant Name:Domain Operations No-IP.com
Registrant email: domains@no-ip.com

config url:
hxxp://tttbbbttt.zapto.org/zv/config.bin
dropzone:
hxxp://tttbbbttt.zapto.org/zv/gate.php
Title: Re: New Zeus server
Post by: jackberri on January 23, 2010, 09:05:53 am
hxxp://windowsserverinfo.com
IP   109.95.114.194
AS50369

Status: DELEGATED

Creation Date: 11-jan-2010
Updated Date: 21-jan-2010

Registrant ID: VX9UXHD-RU
Registrant Name: Vera V Zaytseva
Registrant Organization: Vera V Zaytseva

Contact E-mail: taffy@blogbuddy.ru

config url:
hxxp://windowsserverinfo.com/rock.bin
trojan:
hxxp://windowsserverinfo.com/respunka.exe
dropzone:
hxxp://windowsserverinfo.com/lartunka.php
Title: Re: New Zeus server
Post by: jackberri on January 23, 2010, 11:37:53 am
hxxp://dafaroff.freehostia.com
IP   66.40.52.185
AS11388

Administrative Contact:
Whois Privacy Protection Service, Inc.

Contact E-mail: nfqlrftxvf@whoisprivacyprotect.com

config url:
hxxp://dafaroff.freehostia.com/php/config.bin
dropzone:
hxxp://dafaroff.freehostia.com/php/gate.php
Title: Re: New Zeus server
Post by: jackberri on January 23, 2010, 01:24:03 pm
hxxp://dnsserverbackupzones.com
IP   109.95.114.196
AS50369

Creation Date: 03-dec-2009
Updated Date: 03-dec-2009

Administrative Contact: Mikhail Vorobiev

Contact E-mail:  bombs@maillife.ru

config url:
hxxp://dnsserverbackupzones.com/5vnty85y8yt.bin
trojan:
hxxp://dnsserverbackupzones.com/nerbertop.exe
dropzone:
hxxp://dnsserverbackupzones.com/oleaumt.php

"Mikhail Vorobiev" owns about 149 other domains

See Heuristics Analysis:
http://www.threatexpert.com/report.aspx?md5=de23202b75977830770c4f6ac90d0f4c
Title: Re: New Zeus server
Post by: jackberri on January 23, 2010, 02:41:28 pm
Coming soon:

hxxp://nm.fcrazy.com/doit.phpload/zs_update.exe
(bl.fcrazy.eu/hhf/info.bin)

hxxp://nm.fcrazy.com
IP 59.53.91.102
AS4134

Registration Service Provided By: ZONEREG.RU

Creation Date: 20-Jan-2010

Registrant: Frost Alex
dj.psyimported@gmail.com
Title: Re: New Zeus server
Post by: jackberri on January 24, 2010, 01:52:53 pm
hxxp://bandbmlc.it
IP:
94.75.228.36
Reverse:
hosted-by.leaseweb.com
AS16265

Registrant
Name: MARIA LUIGIA CRIVELLA

config url:
hxxp://bandbmlc.it/includes/you.zip
Title: Re: New Zeus server
Post by: jackberri on January 24, 2010, 05:34:49 pm
New files for

hxxp://193.104.27.11
AS12604

Kamushnoy Vladimir Vasulyovich
vla.kam@citygameru.cn

Url config:
hxxp://193.104.27.11/gig.cnf
trojan:
hxxp://193.104.27.11/gig.exe
dropzone:
hxxp://193.104.27.11/gogo.php
Title: Re: New Zeus server
Post by: jackberri on January 24, 2010, 05:35:58 pm
New files for

hxxp://mybackuper.info
IP 193.104.106.61
AS34305

Domain Name:MYBACKUPER.INFO
Created On:05-Jan-2010 17:25:46 UTC

Registrant ID:DI_10788102
Registrant Name: Polev Igor Aleksandrovich
Registrant Email:formyfirst@gmail.com

config url:
hxxp://mybackuper.info/ext/profi.bin
dropzone:
hxxp://mybackuper.info/ext/s.php
Title: Re: New Zeus server
Post by: jackberri on January 24, 2010, 05:56:37 pm
New trojan for

hxxp://115.100.250.81
hxxp://115.100.250.81/us/directwin.exe
md5sum ===>  039a10002e6e8ffd5d78e0d2a7360a4e
Title: Re: New Zeus server
Post by: jackberri on January 24, 2010, 08:58:24 pm
hxxp://www.bumagajet.net
IP: 72.167.95.90
IP Location: United States - Arizona - Scottsdale - Godaddy.com Inc

Reverse: ip-72-167-95-90.ip.secureserver.net

AS26496

Date Registered: 2010-1-19
Date Modified: 2010-1-19

Registrant: STEVE PARK
lanenoeliatzg@gmail.com

Url config:
hxxp://www.bumagajet.net/webstatics/binder.bin
Title: Re: New Zeus server
Post by: jackberri on January 25, 2010, 07:08:55 am
hxxp://platinumhostingservice.com
IP 109.95.114.194

AS50369
Registrar: ALANTRON BLTD

Updated Date: 05-dec-2009
Creation Date: 05-dec-2009

Name Aleksei Komarov
vista@fastermail.ru

Url config:
hxxp://platinumhostingservice.com/w847tvyf475ehh.bin
Trojans:
hxxp://platinumhostingservice.com/joystick.exe
md5sum ===> fa1f596612a133d03fa812fa7e24b9fc
http://www.virustotal.com/analisis/37832c0221a3a1deac71c6e71ce045c798f8d1ef18e58d8960fc0c52ea683fbc-1264395644
VT 3/41 (7.32%)

hxxp://platinumhostingservice.com/respunka.exe
md5sum ===> aa4a6ef6180e4e22e812f5f246a7c1fe
http://www.virustotal.com/analisis/eb7e508cbe961828a55d98e5ad0b5e97a247e23528da1140356d73bc3a3aaa0c-1264380635
VT 4/41 (9.76%)

dropzone:
hxxp://platinumhostingservice.com/sukertoreurt.php
Title: Re: New Zeus server
Post by: jackberri on January 25, 2010, 08:14:19 am
hxxp://smithyguy.com
IP 115.100.250.108
IP Location:
China - Beijing - Beijing - Beijing Qi Shang Zai Xian Rate Communications Technology Co. Ltd. Langfang Branch

AS9811
Registrar: TODAYNIC.COM, INC.

Updated Date: 20-jan-2010
Creation Date: 20-jan-2010

Registrant:
Name: Sport Co LTD
abuseemaildhcp@gmail.com

Nameserver Information:
ns1.ruskiii.com
ns2.ruskiii.com

Create: 2010-01-21 02:01:04
Update: 2010-01-21

Url config:
hxxp://smithyguy.com/smi/cfg.bin
md5sum  ===> 0c37570ade7f3c9db8ddd18380424177
Title: Re: New Zeus server
Post by: jackberri on January 25, 2010, 01:25:59 pm
hxxp://quicksitehostdns.com
IP 109.95.114.194
AS50369

Registrar: ALANTRON BLTD.

Updated Date: 22-dec-2009
Creation Date: 22-dec-2009

Name Polina Kuznetsova
wsw@maillife.ru

config url:
hxxp://quicksitehostdns.com/ykih648f464.bin

trojan:
hxxp://quicksitehostdns.com/morgus.exe
md5sum ===> 587a6145b625027f1770fd795e889b00
http://www.virustotal.com/analisis/c6ad4aa7d5d190d9082e7efb2a1cf8b5cabd3542b209751f88e4de34897ced39-1264401795
VT 3/41 (7.32%)

dropzone:
hxxp://quicksitehostdns.com/kuskus.php
Title: Re: New Zeus server
Post by: jackberri on January 25, 2010, 02:28:51 pm
hxxp://hostingdnssite.com
IP 109.95.114.196
AS50369

Registrar: ALANTRON BLTD.

Updated Date: 22-dec-2009
Creation Date: 22-dec-2009

Name Natalia Ilina
try@5mx.ru

config url:
hxxp://hostingdnssite.com/udkdhwehg84767.bin
trojan:
hxxp://hostingdnssite.com/rupor.exe
md5sum ===> 4661e4763c6c5a16307abf8bb7e45c0e
http://www.virustotal.com/es/analisis/17027cc7b76fd71b05b5eb67cc65bd3e347cfee963e293c444d860781c74ba1f-1264429224
VT 9/41 (21.96%)
dropzone:
hxxp://hostingdnssite.com/katkat1.php
Title: Re: New Zeus server
Post by: jackberri on January 25, 2010, 04:44:50 pm
hxxp://soprocms.com
IP 122.115.63.6
AS9811

Registrar: TODAYNIC.COM, INC.
Name Server: NS1.EVERYDNS.NET
Name Server: NS2.EVERYDNS.NET

Registrant: Alexander A Reva
Registrant email: klimckoe@yahoo.com

Updated Date: 10-jan-2010
Creation Date: 10-jan-2010

config url:
hxxp://soprocms.com/bot/cfg2.bin
dropzone:
hxxp://soprocms.com/bot/gate.php
Title: Re: New Zeus server
Post by: jackberri on January 25, 2010, 08:59:29 pm
hxxp://postcodeknaller.nl
IP 85.17.219.61

IP Location:
Netherlands - Noord-holland - Amsterdam - Leaseweb

Reverse: hosted-by.leaseweb.com
AS16265

Registrar: LeaseWeb B.V.

config url:
hxxp://postcodeknaller.nl/suez/config.bin
trojan:
hxxp://postcodeknaller.nl/suez/bot.exe
md5sum ===> 4661e4763c6c5a16307abf8bb7e45c0e
http://www.virustotal.com/analisis/65633cd708aa630e4b8e6a81b9d8285b6f1f62c3f0097569bdb5d2df25129700-1264271393
VT 28/41 (68.29%)

dropzone:
hxxp://postcodeknaller.nl/suez/gate.php
*****************************************************************
See also:

hxxp://postcodeknaller.nl/
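The posts in this thread describe each Zeus host as the same three pieces: a config file (often hidden behind .bin, .jpg, .xls, .ini or some other extension), a bot binary, and a gate.php-style dropzone, written in a mix of defanged spellings (hxxp, spaces pushed into hosts and paths, an md5sum glued onto the end of a URL). The following is an added example written for this page; it is not code from the MDL forum or from any poster. It parses that notation back into URLs, assigns each one the role its filename suggests, groups the results by host and re-defangs them for sharing. The sample lines are copied from this thread. The role rule (.php = dropzone, .exe = binary, any other file = config) and the "name tld" host-joining rule are assumptions about how this thread's operators and posters wrote things, not properties of Zeus itself.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the notation used in this thread:
# defanged "hxxp", spaces pushed into hosts and paths, an md5sum fused onto a URL.
SAMPLE_LINES = [
    "hxxp://chocolatery.info/config.bin",
    "hxxp://chocolatery.info/bot.exe",
    "hxxp://chocolatery.info/gate.php",
    "hxxp:// 91.212.198.234 /fuck/config.bin",
    "rapidgatewave com /west/cgi.php",
    "stomaid.ru/cbd /stom.ble",
    "hxxp//:s1.ebazaar.gr/tes/cfg.bin",
    "hxxp://kvantvertop.com/us/orders.xls",
    "hxxp://postcodeknaller.nl/suez/bot.exemd5sum ===> 4661e4763c6c5a16307abf8bb7e45c0e",
    "IP: 195.78.108.50",          # not a URL: must be skipped
]

# Scheme in any of the mangled spellings seen above: hxxp://, hxxp:, hxxp//:, http://
_SCHEME_RE = re.compile(r"^h(?:xx|tt)ps?\s*[:/]{1,3}\s*", re.IGNORECASE)
# "md5sum ===> <32 hex>" glued to the end of a URL line
_MD5_RE = re.compile(r"md5sum\s*(?:=+>)?\s*([0-9a-fA-F]{32})")
_HOST_RE = re.compile(r"^[a-z0-9.\-]+$")


def refang(line):
    """Normalise one indicator line to ("http://host/path", md5_or_None).
    Returns (None, None) for lines that do not parse as a host (IP, AS, chatter)."""
    md5 = None
    m = _MD5_RE.search(line)
    if m:
        md5 = m.group(1).lower()
        line = line[: m.start()]
    rest = _SCHEME_RE.sub("", line.strip())
    host, sep, path = rest.partition("/")
    tokens = host.split()
    if len(tokens) == 2 and "." not in host:   # "rapidgatewave com" -> rapidgatewave.com (assumed form)
        host = ".".join(tokens)
    elif len(tokens) == 1:                     # " 91.212.198.234 " / "stomaid.ru"
        host = tokens[0]
    else:
        return None, None
    host = host.lower()
    if "." not in host or not _HOST_RE.match(host):
        return None, None
    path = ("/" + "".join(path.split())) if sep else "/"   # "cbd /stom.ble" -> /cbd/stom.ble
    return "http://" + host + path, md5


def classify(url):
    """Assumed naming rule for this thread: .php -> dropzone (gate), .exe -> bot
    binary, any other file -> config (hidden here behind .bin, .jpg, .xls, .ini ...)."""
    name = url.rsplit("/", 1)[-1].lower()
    if not name:
        return "host"
    if name.endswith(".php"):
        return "dropzone"
    if name.endswith(".exe"):
        return "binary"
    return "config"


def defang(url):
    """Make a URL safe to paste: http -> hxxp, dots in the host -> [.]"""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def build_inventory(lines):
    """Group indicators by host: ({host: {role: [url, ...]}}, {url: md5})."""
    inventory = defaultdict(lambda: defaultdict(list))
    hashes = {}
    for line in lines:
        url, md5 = refang(line)
        if url is None:
            continue
        inventory[url.split("/")[2]][classify(url)].append(url)
        if md5:
            hashes[url] = md5
    return {host: dict(roles) for host, roles in inventory.items()}, hashes


if __name__ == "__main__":
    inv, hashes = build_inventory(SAMPLE_LINES)
    for host, roles in sorted(inv.items()):
        print(host)
        for role, urls in sorted(roles.items()):
            for u in urls:
                tag = "  md5=" + hashes[u] if u in hashes else ""
                print("  %-8s %s%s" % (role, defang(u), tag))
```

Grouping by host is what makes the repeated hosts in this thread stand out (the same IP or AS carrying several "hosting"/"dns" themed domains, each with its own config, binary and gate); the per-host dictionary is the natural input for a blocklist or for pivoting on the IP and AS values the posts record alongside each domain.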
Title: Re: New Zeus server
Post by: CkreM on January 26, 2010, 04:09:11 am
Nulled pack:
xxxcamerasexcheap.com/new/post.php
xxxcamerasexcheap.com/new/viewtopic.php?s=49c58ccafe

/edit

OOps...wrong place  :-\
Title: Re: New Zeus server
Post by: jackberri on January 27, 2010, 10:09:32 am
hxxp://intleft.net
IP 217.23.9.133
IP Location: Netherlands - Worldstream
AS49981

Registrar: BIZCN.COM, INC.

Updated Date: 20-jan-2010
Creation Date: 20-jan-2010

Registrant Contact: Teresa Garcia
teresagarcia@xhotmail.net
Houston TX 77040

DNS:
ns3.cnmsn.com
ns4.cnmsn.com

Created: 2010-01-21

config url:
hxxp://intleft.net/mnogobaksov/www/cfg.bin
dropzone:
hxxp://intleft.net/mnogobaksov/www/gate.php
*******************************************

There are 2 domains hosted on this IP address:

Online-gamez.org
Pirate-loads.com
Title: Re: New Zeus server
Post by: jackberri on January 27, 2010, 02:51:27 pm
Code: [Select]
hxxp://s1.ebazaar.gr
IP: 217.112.89.11
IP Location: United Kingdom - England - Manchester - Poundhost Internet Services
Reverse:
Code: [Select]
dionysos.guru-host.com
AS29550

nameserver:
Code: [Select]
ns1.guru-host.com
config url:
Code: [Select]
hxxp://s1.ebazaar.gr/tes/cfg.bin
dropzone:
Code: [Select]
hxxp://s1.ebazaar.gr/tes/gate.php

See also:

Trojans
Code: [Select]
hxxp://www.ebazaar.gr/js/reg_edit.exe
hxxp://ebazaar.gr/js/out_original.exe
hxxp://www.ebazaar.gr/js/out.exe
hxxp://www.ebazaar.gr/js/xer.exe

Code: [Select]
hxxp://www.ebazaar.gr
IP: 217.112.89.11
IP Location: United Kingdom - England - Manchester - Poundhost Internet Services
Reverse:
Code: [Select]
dionysos.guru-host.com
AS29550
Title: Re: New Zeus server
Post by: jackberri on January 27, 2010, 03:33:48 pm
Code: [Select]
hxxp://s1.ebazaar.gr
IP: 217.112.89.11
IP Location: United Kingdom - England - Manchester - Poundhost Internet Services
Reverse:
Code: [Select]
dionysos.guru-host.com
AS29550

nameserver:
Code: [Select]
ns1.guru-host.com
config url:
Code: [Select]
hxxp://s1.ebazaar.gr/tes/cfg.bin

dropzone:
Code: [Select]
hxxp://s1.ebazaar.gr/tes/gate.php

trojan:

Code: [Select]
hxxp://ebazaar.gr/js/out_original.exe
Title: Re: New Zeus server
Post by: SysAdMini on January 27, 2010, 03:51:49 pm
Code: [Select]
hxxp://s1.ebazaar.gr
IP: 217.112.89.11
IP Location: United Kingdom - England - Manchester - Poundhost Internet Services
Reverse:
Code: [Select]
dionysos.guru-host.com
AS29550

nameserver:
Code: [Select]
ns1.guru-host.com
config url:
Code: [Select]
hxxp://s1.ebazaar.gr/tes/cfg.bin

dropzone:
Code: [Select]
hxxp://s1.ebazaar.gr/tes/gate.php

trojan:

Code: [Select]
hxxp://ebazaar.gr/js/out_original.exe

Code: [Select]
s1.ebazaar.gr/tes/bt.exe
Title: Re: New Zeus server
Post by: jackberri on January 27, 2010, 06:33:26 pm
New file for

Code: [Select]
hxxp://laiserattack.com
url config:
Code: [Select]
hxxp://laiserattack.com/asshole.jpg
domains hosted on this IP address:
Code: [Select]
blindefail.com
Title: Re: New Zeus server
Post by: jackberri on January 27, 2010, 11:23:21 pm
Code: [Select]
hxxp://www.whiskyshopdufftown.co.uk
IP
Code: [Select]
83.223.101.118
Reverse:
Code: [Select]
server.britserver4.com
IP Location: United Kingdom - G-cust-cj

AS29017

Registrant: Fiona Murdoch

config url:
Code: [Select]
hxxp://www.whiskyshopdufftown.co.uk/images/mail/config.bin
dropzone:
Code: [Select]
hxxp://www.whiskyshopdufftown.co.uk/images/mail/ip.php
Title: Re: New Zeus server
Post by: SysAdMini on January 27, 2010, 11:29:14 pm

dropzone:
hxxp://www.whiskyshopdufftown.co.uk/images/mail/ip.php

Code: [Select]
www.linmaoshuiqing.cn/includes/maduls/gate.php
Title: Re: New Zeus server
Post by: jackberri on January 27, 2010, 11:34:23 pm


dropzone:
hxxp://www.whiskyshopdufftown.co.uk/images/mail/ip.php

Code: [Select]
www.linmaoshuiqing.cn/includes/maduls/gate.php

My apologies
 :-[
Title: Re: New Zeus server
Post by: SysAdMini on January 27, 2010, 11:41:17 pm


dropzone:
hxxp://www.whiskyshopdufftown.co.uk/images/mail/ip.php

Code: [Select]
www.linmaoshuiqing.cn/includes/maduls/gate.php

My apologies
 :-[

No problem. I appreciate all your Zeus url submissions.
Title: Re: New Zeus server
Post by: jackberri on January 28, 2010, 02:06:27 pm
Code: [Select]
hxxp://star2gams.com
IP: 91.215.170.36

AS49693

Admin Name: Sharon Umdenstock
Admin Email: umdenstoc@yahoo.com

Tech Name: YahooDomains TechContact
Tech Email: domain.tech@yahoo-inc.com

config url:
Code: [Select]
hxxp://star2gams.com/tr/cnf.bin
Title: Re: New Zeus server
Post by: jackberri on January 28, 2010, 02:17:11 pm
Code: [Select]
hxxp://brothervonmash.com
IP: 193.104.94.63

AS50033

Admin Name: Epollinariya
Email: admin@hightramplate.com

config url:
Code: [Select]
hxxp://brothervonmash.com/Reducto465/mtf7ubi8377itr3.bin
Title: Re: New Zeus server
Post by: jackberri on January 28, 2010, 07:53:40 pm
Code: [Select]
hxxp://suez.services.00-com.info
IP: 75.82.179.194

AS20001

Ronald Atkins
Email: ron99houston@msn.com

config url:
Code: [Select]
hxxp://suez.services.00-com.info/phpscript.bin
Title: Re: New Zeus server
Post by: jackberri on January 28, 2010, 08:23:45 pm
New files for:

Code: [Select]
hxxp://91.201.28.3
config url
Code: [Select]
hxxp://91.201.28.3/ukk2.bin
trojan:
Code: [Select]
hxxp://91.201.28.3/moneyuk3.exe
md5sum 77e351b58a7fee257c77b2fced98e8c6
http://www.virustotal.com/analisis/8e7d8a9acfad067ce6ae0012a8a1391e26dd8f6fd7e752caa8937c8511d46899-1264709531
VT: 12/39 (30.77%)
Title: Re: New Zeus server
Post by: jackberri on January 29, 2010, 07:54:44 am
Code: [Select]
hxxp://fantastictools.com
IP: 66.252.239.35
AS14519

Registrant: Fantastic Tools & Supplies
Administrative Contact: Schlecht, Werner
email: dan@fantastictools.com

trojan:
Code: [Select]
hxxp://fantastictools.com/images/papal.gif
md5sum ===> 6a1caa3989545e003a1c42dfab93776e
http://www.virustotal.com/analisis/9bdf71ff7805c99e1bb9e998e81e219e450cc09ae626819bc2bf580e7ecce972-1264750720
VT 20/39 (51.29%)
Title: Re: New Zeus server
Post by: jackberri on January 29, 2010, 09:16:33 am
Code: [Select]
hxxp://servertransporternews.com
IP: 193.105.0.50
AS50390

Registrant ID: VX9UXHD-RU
Registrant Name: Vera V Zaytseva
email: taffy@blogbuddy.ru

config url:
Code: [Select]
hxxp://servertransporternews.com/penoplast.bin
Title: Re: New Zeus server
Post by: jackberri on January 29, 2010, 10:35:15 am
Code: [Select]
hxxp://biaobrgeroin.cn
IP: 195.78.108.150
AS49544

Registrant Name: LiTah
email: tahli@yahoo.com

config url:
Code: [Select]
hxxp://biaobrgeroin.cn/univito/cnf.bin
Title: Re: New Zeus server
Post by: jackberri on January 29, 2010, 07:37:10 pm
Code: [Select]
hxxp://alteregoxve.net
IP: 91.204.73.5
Reverse: msk1.imhoster.net
AS12695

Creation Date: 27-Jan-2010

Registrant Name: Beklerov Nail Bekmetovich
email: masgaspare@ymail.com


config url:
Code: [Select]
hxxp://alteregoxve.net/vbsa/cc.bin
Title: Re: New Zeus server
Post by: jackberri on January 29, 2010, 07:55:01 pm
Code: [Select]
hxxp://blackngman.com
IP: 115.100.250.108
AS9811

Create: 2010-01-16 02:56:21
Update: 2010-01-21

Registrant Name: Sport Com LTD
email: abuseemaildhcp@gmail.com

config url:
Code: [Select]
hxxp://blackngman.com/gallery/cfg.bin
Title: Re: New Zeus server
Post by: jackberri on January 30, 2010, 11:28:28 am
Code: [Select]
hxxp://91.206.201.14
IP Location: Ukraine Pe Sergey Demin

Sergey Demin
hostmaster@ans.mk.ua

AS47781

config url:

Code: [Select]
hxxp://91.206.201.14/~canada/wes/qasqw.bin
Other sites on this IP:

Code: [Select]
Bizelitt.com (Zeus server)
Bizuklux.cn  (Zeus server)
Morsayniketamere.cn (Zeus server)
Qazxswe.com 
Simplyukjob.net
Strantgre.info 
Yespacknet.org (YES exploit kit)
Iselldumps.com
Title: Re: New Zeus server
Post by: jackberri on January 30, 2010, 06:48:16 pm
Code: [Select]
hxxp://delphin.w2c.ru
IP: 94.75.199.162
AS16265

Registrant Name: Yuri A. Bogdanov
email: root@2x4.ru

config url:
Code: [Select]
hxxp://delphin.w2c.ru/config.bin
Title: Re: New Zeus server
Post by: jackberri on January 30, 2010, 08:06:52 pm
Code: [Select]
hxxp://fastgoogleanalytics.com
IP: 93.190.141.15
Reverse: twilight.void.fi

AS49981

Registrant Name: andre
email: vin.bond@gmail.com

config url:
Code: [Select]
hxxp://fastgoogleanalytics.com/forum/gdvfhsv3.bin
Title: Re: New Zeus server
Post by: jackberri on January 30, 2010, 08:27:46 pm
Code: [Select]
hxxp://193.104.27.110
AS12604

Kamushnoy Vladimir
email:  vla.kam@citygameru.cn

config url:
Code: [Select]
hxxp://193.104.27.110/wtf/update.rar
trojan:
Code: [Select]
hxxp://193.104.27.110/wtf/addon.rar
md5sum ===> bb7e88cb39f48388f259eda8ef71097c
http://www.virustotal.com/analisis/7d7d00215063bcada22c0c537b40f130607b235594a92529fd88adac080793a8-1264882811
VT 8/41 (19.52%)

dropzone:
Code: [Select]
hxxp://193.104.27.110/wtf/update.php
Title: Re: New Zeus server
Post by: jackberri on January 31, 2010, 02:26:00 pm
Code: [Select]
hxxp://122.115.63.23
IP Location: China Zhengzhou Shenzhen Ostar Telecom Ltd
Reverse: netnic.com.cn

AS9803

Registrant Name:  Jia Xiaojie
email: jxj@netnic.com.cn

config url:
Code: [Select]
hxxp://122.115.63.23/76riuyfir76fk76ri76dfkjyf/fju64i76dj76ei67yutyri76333/zz/zz2/cfg2.bin
md5sum ===> 13d26ab9f602185024fdd19831ee45b4
Code: [Select]
hxxp://122.115.63.23/76riuyfir76fk76ri76dfkjyf/jytdrj76ekuytdku76ekudjfg/222/cfg2.bin
md5sum ===> 23d208edb85922f70623c01aa2da53d7

trojan:
Code: [Select]
hxxp://122.115.63.23/76riuyfir76fk76ri76dfkjyf/fju64i76dj76ei67yutyri76333/zz/zz2/bot.exe
md5sum ===> 4e11c69607b9707ff45f98c874659890
http://www.virustotal.com/analisis/77342f77b83d77453f87509b7d5390050d17dcc39a41a9edcf75cb95a3ca52a7-1264947102
VT 2/41 (4.88%)

dropzone:
Code: [Select]
hxxp://122.115.63.23/76riuyfir76fk76ri76dfkjyf/fju64i76dj76ei67yutyri76333/zz/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 01, 2010, 05:19:22 pm
Code: [Select]
hxxp://evetpotratrne.com
IP: 193.104.94.79
IP Location: Russian Federation - Group 3 Llc
AS50033

Updated Date: 28-jan-2010
Creation Date: 27-jan-2010

Registrant Name: Leon
email: admin@evetpotratrne.com

config url:
Code: [Select]
hxxp://evetpotratrne.com/barcelona/barccfg9832789/barccfg23084292.bin
dropzone:
Code: [Select]
hxxp://evetpotratrne.com/barcelona/barcgate80372750.php
Title: Re: New Zeus server
Post by: jackberri on February 01, 2010, 07:29:15 pm
Code: [Select]
hxxp://193.105.0.41
IP Location: United Kingdom

AS50390

Name: Pavlenko Tetyana Oleksandrivna
email: t.pavlenko@smilanet.net

config url:
Code: [Select]
hxxp://193.105.0.41/offshore.bin
trojan:
Code: [Select]
hxxp://193.105.0.41/mranders.exe
md5sum ===> c8e9c884a3c65a45385f8c68c955788a
http://www.virustotal.com/analisis/7a404d6a5937bd951b21e949981ca19e381543560025e7ce9941a37f5870396a-1265051638
VT 10/41 (24.4%)

dropzone:
Code: [Select]
hxxp://193.105.0.41/custumoper.php
Title: Re: New Zeus server
Post by: jackberri on February 02, 2010, 09:21:05 am
Code: [Select]
hxxp://metacarantin.com
IP: 69.147.83.187
Reverse: p11p1.geo.sp1.yahoo.com
AS36752

Creation Date........ 2009-12-23
Registration Date.... 2009-12-23

Name: Eliso Jr.
email: contact@myprivateregistration.com

config url:
Code: [Select]
hxxp://metacarantin.com/strt.bin
trojan:
Code: [Select]
hxxp://metacarantin.com/strt.exe
md5sum ===> 5ca76c6a5354744d90ae3ae8caec629c
http://www.virustotal.com/analisis/1dc01c4b4749d0ebd103556a4e196eea32305ad23cc4fa655b0fa144b7effc1f-1265101594
VT 7/40 (17.5%)
Title: Re: New Zeus server
Post by: jackberri on February 02, 2010, 09:49:30 am
Code: [Select]
hxxp://stopstopstop33.com
IP: 115.100.250.118
IP Location  China  -Beijing Qi Shang Zai Xian Rate Communications Technology Co. Ltd

AS9811

Creation.. 2010-01-09 19:32:31
Update.... 2010-01-09

Registrant: Real Host
email: abuseemaildhcp@gmail.com

config url:
Code: [Select]
hxxp://stopstopstop33.com/zzdd/conf1.bin
trojan:
Code: [Select]
hxxp://stopstopstop33.com/zzdd/theme/445.exe
md5sum ===> b97a5bfa381d88bc4ec1431b2c18f769
http://www.virustotal.com/analisis/88b97a89db7e158425f5d7c4daa11e80e35da5c686074a8f667efb6409644ed9-1265103254
VT 11/40 (27.5%)

dropzone:
Code: [Select]
hxxp://stopstopstop33.com/zzdd/gtgy.php
Other domains:
Code: [Select]
1000zubov.net
Title: Re: New Zeus server
Post by: SysAdMini on February 02, 2010, 10:00:22 am

trojan:
Code: [Select]
hxxp://stopstopstop33.com/zzdd/theme/445.exe

This file isn't a Zeus trojan, but looks like TDSS.
http://camas.comodo.com/cgi-bin/submit?file=88b97a89db7e158425f5d7c4daa11e80e35da5c686074a8f667efb6409644ed9

The corresponding url is hxxp://stopstopstop33.com/bote1.exe,
but the file doesn't exist.

Thanks anyway.
Title: Re: New Zeus server
Post by: jackberri on February 02, 2010, 10:41:09 am

This file isn't a Zeus trojan, but looks like TDSS.

You're Right  :)

Another:

Only the config url ;)


Code: [Select]
hxxp://basiscause.com
IP: 188.124.7.244
IP Location  Turkey - Vital Teknoloji - Dedicated Pool
Reverse: Vital-244-7-124-188.vitalhosting.com.tr
AS44565

Registrant: Nicole Kidman
email: beto34675@gmail.com

config url:
Code: [Select]
hxxp://basiscause.com/cfg3.txt
Title: Re: New Zeus server
Post by: jackberri on February 02, 2010, 05:23:09 pm
Code: [Select]
hxxp://bpergroup.ru
IP 195.242.161.190
AS47434
e-mail: gogoilyin@google.com

config url:
Code: [Select]
hxxp://bpergroup.ru/images/shcest.bmp
Other domains:

Code: [Select]
internazionale.vc (zeus server)
studiofilms.ru
www.studiofilms.ru
Title: Re: New Zeus server
Post by: jackberri on February 04, 2010, 06:34:16 pm
Code: [Select]
hxxp://cp332308.cpanel.tech-logol.ru
IP 188.93.212.39

AS49352

email: domains@logol.ru


url config:
Code: [Select]
hxxp://cp332308.cpanel.tech-logol.ru/bin8.xls
trojan:
Code: [Select]
hxxp://cp332308.cpanel.tech-logol.ru/stb.exe
md5sum ===> d1db23405cf0206f44e5c4fa70ecbebf
http://www.virustotal.com/analisis/cd902878e9b779765e7dfc1eae1ebe5056672dc791d0a8ca2d79755cd56cf2ea-1265308099
VT 4/40 (10%)

Title: Re: New Zeus server
Post by: jackberri on February 04, 2010, 07:58:00 pm
Code: [Select]
hxxp://dfgdfgs.fileave.com
IP 64.62.181.43

AS6939

url config:
Code: [Select]
hxxp://dfgdfgs.fileave.com/dfgdfgs.bin
Title: Re: New Zeus server
Post by: jackberri on February 05, 2010, 05:54:58 pm
Code: [Select]
hxxp://115.100.250.87
IP Location: China Beijing Qi Shang Zai Xian Rate Communications Technology Co. Ltd. Langfang Branch

AS9811

config url:
Code: [Select]
hxxp://115.100.250.87/uk/price.xls
trojan:
Code: [Select]
hxxp://115.100.250.87/uk/pkzip.exe
md5sum ===> ceb602edc5f8b429790bf5dabbef1e09
http://www.virustotal.com/analisis/6bdeb8d852b4e4966ee878df72a557778178b6770dd7a55b955c1d25e3557a31-1265391918
VT  16/38 (42.11%)

dropzone:
Code: [Select]
hxxp://115.100.250.87/ie.php
Title: Re: New Zeus server
Post by: SysAdMini on February 05, 2010, 05:56:59 pm
Code: [Select]
hxxp://115.100.250.87

Are you able to connect to this host? Doesn't work here.
Title: Re: New Zeus server
Post by: jackberri on February 05, 2010, 06:18:21 pm
LFT trace started at 05-Feb-10 18:49:06 CET
                                     ^^^^^^^^^^^^^^
TTL LFT trace to 115.100.250.87:80/tcp
 [...]
 8  [12956] ChinaNetCom11-0-0-0-grtpaopx2.red.telefonica-wholesale.net (213.140.55.14) 302.0/219.3ms
 9  [4837] 219.158.30.233 385.0ms
**  [neglected] no reply packets received from TTL 10
11  [4837] 219.158.4.41 524.0/421.8ms
12  [4808] 202.96.12.90 409.6ms
**  [neglected] no reply packets received from TTL 13
14  [4808] 61.148.156.118 452.7ms
**  [neglected] no reply packets received from TTL 15
16  [4808] 61.148.74.210 442.3ms
17  [9811] 211.167.95.234 433.0/423.1ms
**  [neglected] no reply packets received from TTLs 18 through 19
20  [9811] [target open] 115.100.250.87:80 432.4ms

-----------------------------------------------------------

LFT trace started at 05-Feb-10 19:14:41 CET
                                      ^^^^^^^^^^^^^^
TTL LFT trace to 115.100.250.87:80/tcp

[...]

**  [neglected] no reply packets received from TTL 7
 8  [12956] ChinaNetCom11-0-0-0-grtpaopx2.red.telefonica-wholesale.net (213.140.55.14) 375.6/219.2ms
 9  [4837] 219.158.30.233 396.7ms
**  [neglected] no reply packets received from TTL 10
11  [4837] 219.158.4.41 551.8/441.8ms
**  [neglected] no reply packets received from TTL 12
13  [4808] 61.148.152.137 440.5ms
14  [4808] 61.148.156.118 445.8ms
15  [4808] 61.148.157.70 436.8ms
16  [4808] 61.148.74.210 463.1ms
17  [9811] 211.167.95.234 445.2ms
18  [23724] 218.240.7.103 456.4ms
**  [neglected] no reply packets received from TTL 19
20  [9811] [target open] 115.100.250.87:80 435.9ms
LFT trace finished at 05-Feb-10 19:15:31 CET (49.82s elapsed)

 ;)
Title: Re: New Zeus server
Post by: SysAdMini on February 05, 2010, 07:00:15 pm
[..]
11   386 ms   369 ms   374 ms  61.148.152.137
12   387 ms   388 ms   390 ms  61.148.156.118
13   421 ms   399 ms   386 ms  61.148.157.70
14   375 ms   369 ms   367 ms  61.148.74.210
15   373 ms   372 ms   388 ms  211.167.95.234
16   390 ms   485 ms   388 ms  218.240.7.103
17     *        *        *     Request timed out.
18     *        *        *     Request timed out.
19     *        *        *     Request timed out.
20     *        *        *     Request timed out.
Title: Re: New Zeus server
Post by: jackberri on February 05, 2010, 07:15:11 pm
[..]
17     *        *        *     Request timed out.
18     *        *        *     Request timed out.
19     *        *        *     Request timed out.
20     *        *        *     Request timed out.

Yes, now it is closed for me too:

14  [4808] 61.148.156.118 432.7/430.0ms
15  [4808] 61.148.157.70 418.6ms
16  [4808] 61.148.74.210 444.4ms
17  [9811] 211.167.95.234 423.7ms
18  [23724] 218.240.7.103 450.2/447.3ms
**  [neglected] no reply packets received from TTLs 19 through 20
21  [9811] [target closed] 115.100.250.87:80 434.9ms
LFT trace finished at 05-Feb-10 20:12:11 CET (53.51s elapsed)
Title: Re: New Zeus server
Post by: jackberri on February 05, 2010, 07:41:24 pm
Yes, now it is closed for me too:

And reopened:

[9811] [target open] 115.100.250.87:80 437.1ms
LFT trace finished at 05-Feb-10 20:38:21 CET (59.44s elapsed)

See also:

http://www.threatexpert.com/report.aspx?md5=ceb602edc5f8b429790bf5dabbef1e09
Title: Re: New Zeus server
Post by: jackberri on February 07, 2010, 09:59:16 am
Code: [Select]
hxxp://g4hostupdates.net.in
IP 193.219.5.200
AS21031

IP Location: Vilniaus Apskritis - Vilnius - Elneta Ltd

Registrant: Abdul Raja
Email:hackmaster@safe-mail.net

Created On:21-Jan-2010

Code: [Select]
hxxp://g4hostupdates.net.in/bd/helloworld.bin
Title: Re: New Zeus server
Post by: jackberri on February 07, 2010, 04:20:11 pm
Code: [Select]
hxxp://fortoooco.su
IP: 193.104.94.15
email: samm_87@email.com
AS50033
IP Location: Russian Federation - Group 3 Llc

config url:
Code: [Select]
hxxp://fortoooco.su/ribbn.tar
dropzone:
Code: [Select]
hxxp://fortoooco.su/index1.php
Title: Re: New Zeus server
Post by: jackberri on February 07, 2010, 04:41:37 pm
Code: [Select]
hxxp://193.105.0.42
AS50390

config url:
Code: [Select]
hxxp://193.105.0.42/sargasso.bin
trojan
Code: [Select]
hxxp://193.105.0.42/mustangus.exe
md5sum ===> 81ef87630642c6bd0ec0bee8d6a6a282
http://www.virustotal.com/analisis/13c2fa21cf9d0c204595ca8340aae93ca9e1ed362b95b06a795dc9f1b2818375-1265560148

dropzone
Code: [Select]
hxxp://193.105.0.42/optimus.php
Title: Re: New Zeus server
Post by: jackberri on February 07, 2010, 05:03:40 pm
Code: [Select]
hxxp://www.exportweb.cn
IP: 195.245.194.22
Niklas Nyman
Email: niklaslong@gmail.com

AS43877

config url:
Code: [Select]
hxxp://www.exportweb.cn/images/show/config.bin
Title: Re: New Zeus server
Post by: jackberri on February 07, 2010, 05:37:01 pm
Code: [Select]
hxxp://436235dan.mobi
IP: 213.163.91.208

Registrant ID: FR-10eb2f8c13d2
Email:contact@privacyprotect.org

AS49544

config url:
Code: [Select]
hxxp://436235dan.mobi/ukk/cfg.bin
dropzone
Code: [Select]
hxxp://436235dan.mobi/ukk/page0.php
Title: Re: New Zeus server
Post by: jackberri on February 09, 2010, 11:36:30 am
Code: [Select]
hxxp://193.104.27.109
AS12604

Kamushnoy Vladimir
info@citygameru.cn

config url:
Code: [Select]
hxxp://193.104.27.109/wtf/ins3.rar
trojan:
Code: [Select]
hxxp://193.104.27.109/wtf/w3w.rar
http://www.virustotal.com/analisis/102786cd087fabc4a0c645c748391d718c2dc7faf82f9b203a654f69d0a4963e-1265714274
VT 13/41 (31.71%)
md5sum ===> 40c96b50cc13fdd519f09b6c759704f6
dropzone:
Code: [Select]
hxxp://193.104.27.109/wtf/update.php
Title: Re: New Zeus server
Post by: jackberri on February 09, 2010, 01:34:47 pm
Code: [Select]
hxxp://z130217.infobox.ru[srv039.infobox.ru]
IP: 77.221.130.39
AS30968


config url:
Code: [Select]
hxxp://z130217.infobox.ru/tmp/config.bin
trojan:
Code: [Select]
hxxp://z130217.infobox.ru/tmp/bot.exe
http://www.virustotal.com/analisis/20adfcf0f664da7cc3d639648e339ba0ec5ab797a29d138f9500d5fc4d706d16-1265722293
VT 21/41 (51.22%)
md5sum ===> 4d75c8e9696d28e39dd04544de698f8e
dropzone:
Code: [Select]
hxxp://z130217.infobox.ru/tmp/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 09, 2010, 03:14:52 pm
Code: [Select]
hxxp://dedicalsels.com[6.b.79ae.static.theplanet.com]
IP: 174.121.11.6
AS30968

trojan:
Code: [Select]
hxxp://dedicalsels.com/socks/bot.exe
http://www.virustotal.com/analisis/fa9dba7c4c017d31973ea697802ccd029691406d2877931adf967dd7ab793db7-1265728108
VT 17/41 (41.47%)
md5sum ===> efa454a5322bdb3372aa50682b386506
dropzone:
Code: [Select]
hxxp://dedicalsels.com/socks/stat.php
Title: Re: New Zeus server
Post by: SysAdMini on February 09, 2010, 03:28:24 pm
Code: [Select]
hxxp://dedicalsels.com[6.b.79ae.static.theplanet.com]
IP: 174.121.11.6
AS30968

trojan:
Code: [Select]
hxxp://dedicalsels.com/socks/bot.exe
http://www.virustotal.com/analisis/fa9dba7c4c017d31973ea697802ccd029691406d2877931adf967dd7ab793db7-1265728108
VT 17/41 (41.47%)
md5sum ===> efa454a5322bdb3372aa50682b386506
dropzone:
Code: [Select]
hxxp://dedicalsels.com/socks/stat.php

Not a Zeus bot, but a downloader that downloads Zeus from hxxp://carderam.com/instal/qw.exe.
Title: Re: New Zeus server
Post by: jackberri on February 09, 2010, 04:06:04 pm
Code: [Select]
hxxp://193.104.27.109

config file:
Code: [Select]
http://193.104.27.109/wtf/w3.rar
Title: Re: New Zeus server
Post by: jackberri on February 09, 2010, 05:24:23 pm
Code: [Select]
hxxp://115.100.250.88
IP Location: China Beijing Qi Shang Zai Xian Rate Communications Technology Co. Ltd. Langfang Branch
AS9811

config url:
Code: [Select]
hxxp://115.100.250.88/uk/price.xls
md5sum ===> 8f3193f5e8f9af039bbb9181f5405765
trojan:
Code: [Select]
hxxp://115.100.250.88/uk/pkzip.exe
http://www.virustotal.com/analisis/51ce7dd014e5771add084b60bd731d644a28f2b5ad64bcaf28a380056e03c03d-1265736154
VT 10/41 (24.4%)
md5sum ===> fdb6cbf09b82eb4a9cf73f2f316bf742
dropzone:
Code: [Select]
hxxp://115.100.250.88/ie.php
Title: Re: New Zeus server
Post by: jackberri on February 10, 2010, 08:23:06 am
Code: [Select]
hxxp://193.105.0.81
Code: [Select]
route: 193.105.0.0/24
IP Location: Ukraine Pavlenko Tetyana Oleksandrivna

Pavlenko Tetyana Oleksandrivna
e-mail: t.pavlenko@smilanet.net
AS50390

config url:
Code: [Select]
hxxp://193.105.0.81/chikony.bin
Title: Re: New Zeus server
Post by: SysAdMini on February 10, 2010, 11:46:05 am
payload of Eleonore exploit kit
Code: [Select]
podgribami.org/el/load.php?spl=mdac
http://www.virustotal.com/analisis/4babbd8c1b17b3d226f7c6973a9c34c9fd1f9659b1b648b5eb41e1296300d52d-1265801421 1/40
Symantec   20091.2.0.41   2010.02.10   Suspicious.Insight
http://camas.comodo.com/cgi-bin/submit?file=4babbd8c1b17b3d226f7c6973a9c34c9fd1f9659b1b648b5eb41e1296300d52d

corresponding config file
Code: [Select]
wwwtrue.org/m/cfag.bin
drop zone
Code: [Select]
wwwtrue.org/m/getme.php
Title: Re: New Zeus server
Post by: jackberri on February 11, 2010, 10:28:30 am
Code: [Select]
hxxp://91.201.196.37
AS42229
IP Location: Ukraine Pp Mariam

Yuriy Yurievich Prokopenko
e-mail:  yuriy.prokopenko@mariam-ua.net

config url:
Code: [Select]
hxxp://91.201.196.37/yi9ahRah.eed5Jeed
md5sum ===> 35605b853611f1fcbcdf057871f4cc4f
trojan:
Code: [Select]
hxxp://91.201.196.37/oL8chaev.exe
http://www.virustotal.com/analisis/ab0bbf7a013ea9c7d503213e82018790117e411d053cb3c058c0b6670e7133d5-1265882379
VT 16/40 (40.00%)
md5sum ===> e300e0fa8ab1aa6c5c061c9dccf10e83
dropzone:
Code: [Select]
hxxp://91.201.196.37/iXeij7Ai.php
Title: Re: New Zeus server
Post by: jackberri on February 11, 2010, 03:49:12 pm
Code: [Select]
hxxp://aboutrevers.com
IP: 92.60.177.230
AS15772
IP Location: Ukraine - Llc Wnet

Creation date: 2010-01-29

Andrey Aleksandrovich Polev
e-mail: o00o.code@gmail.com

config url:
Code: [Select]
hxxp://aboutrevers.com/cgi_bin/7LTS0jGk/jX8KiQ_c/style.crt
md5sum ===> df968a403bf2d98526eba84908506c39


dropzone:
Code: [Select]
hxxp://aboutrevers.com/fXaQ8zSla/ogFaTt/psSEmVy_r.php
Code: [Select]
hxxp://polevand.info/fXaQ8zSla/ogFaTt/psSEmVy_r.php
Code: [Select]
hxxp://polevand.info
IP: 92.60.177.232
AS15772
Created On:20-Jan-2010

Andrey Aleksandrovich Polev
Email:o00o.code@gmail.com
AS15772
IP Location: Ukraine - Llc Wnet
Title: Re: New Zeus server
Post by: jackberri on February 14, 2010, 09:03:48 am
Code: [Select]
hxxp://200.110.130.210
Code: [Select]
[server2.webelectronica.com.ar]
AS18747
Argentina Ifx Networks Argentina S.r.l

Code: [Select]
hxxp://200.110.130.210/manual/server/config.bin
md5sum ===> 8beddfc2c32cb96aa99ad74d998dd62c
Code: [Select]
hxxp://200.110.130.210/manual/server/cfg2.bin
md5sum ===> 917100fc54d37a52738028ff92bac27e

Code: [Select]
hxxp://200.110.130.210/manual/server/ldr.exe
md5sum ===> 480d7f7cc3e0a35d7b7b35a18702c954
http://www.virustotal.com/analisis/f6eee4dd5cc3a168e0884c1e5e613d5e2b335ac00d1fa9d52547e64cba6144d3-1265906214
VT 28/41 (68.29%)
Code: [Select]
hxxp://200.110.130.210/manual/server/funston.exe
md5sum ===> 88ad13483267677b6260db72edb72353
http://www.virustotal.com/analisis/59eb78a8720c1399600d9e571f2bd46593d4fb4512e79503de7f4b92e526f7bb-1266137604
VT 11/41 (26.83%)

Code: [Select]
hxxp://200.110.130.210/manual/server/gate.php
Related:

Code: [Select]
hxxp://www.mobilhanger.de
Code: [Select]
[www.grafikundvideo.de]
IP: 195.71.123.230
AS6805
Germany  - Nordrhein-westfalen - Guetersloh - Franke & Partner Gbr

Lars Franke
Email: post@larsfranke-pro.de


Code: [Select]
hxxp://www.mobilhanger.de/server/config.bin
md5sum ===> 917100fc54d37a52738028ff92bac27e
Code: [Select]
hxxp://www.mobilhanger.de/manual/server/cfg2.bin
md5sum ===> 917100fc54d37a52738028ff92bac27e

Code: [Select]
hxxp://www.mobilhanger.de/server/funston.exe
md5sum ===> 3ce0dc26a669901702afce170b069cbd
http://www.virustotal.com/analisis/7c85ebf846969f8588c660c30cafe7235e8484cdcc65b3c825262228de1b913d-1266135916
VT 11/40 (27.50%)
Code: [Select]
hxxp://www.mobilhanger.de/server/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 14, 2010, 09:00:10 pm
Code: [Select]
hxxp://pusicat.co.uk
IP: 61.235.117.87
AS9394
Registered on: 13-Feb-2010
Last updated:  13-Feb-2010

Aulis Karvinen


Code: [Select]
hxxp://pusicat.co.uk/zend/bot.exe
md5sum ===> a91d1ca4d2cc793c793ba6e5e2527e4b
http://www.virustotal.com/analisis/9649654708c3896971a85bc93eaaa7a78e38ea3c62ddcad2c5a845f35fa5acdc-1266179494
Code: [Select]
hxxp://pusicat.co.uk/zend/cfg.bin
md5sum ===> 5751e6227faa57ace0e7a85e46133206
Code: [Select]
hxxp://pusicat.co.uk/zend/gate.php
Other domains:
axakcom.com
dimi4.com
googleset2.cn
porntakevideo.com
updatewin.cn
webpings.biz
adobecreativesuite4mastercollection.com
shishaloversclub.com

x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x

Code: [Select]
hxxp://27gr.co.tv
Code: [Select]
netnic.com.cn
IP: 122.115.63.6
AS9803

Code: [Select]
hxxp://27gr.co.tv/1/gol.php
Code: [Select]
hxxp://27gr.co.tv/1/ccc.bin
Title: Re: New Zeus server
Post by: jackberri on February 17, 2010, 10:34:59 am
Code: [Select]
hxxp://stignita.zapto.org/config.bin
hxxp://stignita.zapto.org/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 20, 2010, 08:43:07 pm
Code: [Select]
hxxp://repuzer.net.ua/perl/forum/sdram.dmt
md5sum ===> 7f5c9a858ba429e96a656e4428a2e7d1
Title: Re: New Zeus server
Post by: jackberri on February 26, 2010, 12:16:56 am
Code: [Select]
hxxp://capital-team.net/funtix/cfg.bin
md5sum ===> 2e05482a66f2571b0091d9e5c6bc775e
Code: [Select]
hxxp://capital-team.net/funtix/load.exe
md5sum ===> 8a46224a96caea3ec00f66ee4c900ea1
http://www.virustotal.com/analisis/2a4b0eff30e6be12ce62d316bce18e144a275e947d07e4aeb2ee84b53b608ed3-1267143152
VT 8/42 (19.05%)
Code: [Select]
hxxp://capital-team.net/funtix/service/serv.php
Title: Re: New Zeus server
Post by: jackberri on February 26, 2010, 07:09:41 am
Code: [Select]
hxxp://validatestreams.com/daily/help.txt
md5sum ===> 8cfea665a9e4c1e4e8a3ecc4d534cf91
Code: [Select]
hxxp://validatestreams.com/daily/game.exe
md5sum ===> 38e9205a9cee4d9b692fd09da005e7d5
http://www.virustotal.com/analisis/b2fcd9c126a5143f07b7b783a7f3536c51cc046d6db44fdd66419cc6fc06ba29-1267168001
Title: Re: New Zeus server
Post by: jackberri on February 26, 2010, 07:27:05 am
Code: [Select]
hxxp://193.105.0.44/pearchik.bin
md5sum ===> 8833e2c7046ff8da33800bc475c1eb31
Code: [Select]
hxxp://193.105.0.44/sentjago.exemd5sum ===> 9ad44247c2e6dec448af2ce05c77ffa4
http://www.virustotal.com/analisis/c7e26dab79a3cd21022de03d8c2fda24e3a36b80cabae5a099621480662954ca-1267168680 (http://www.virustotal.com/analisis/c7e26dab79a3cd21022de03d8c2fda24e3a36b80cabae5a099621480662954ca-1267168680)
Code: [Select]
hxxp://193.105.0.44//cableman.php
Title: Re: New Zeus server
Post by: jackberri on February 26, 2010, 07:52:52 am
Code: [Select]
hxxp://193.105.0.21/xeruvindus.bin
md5sum ===> 9a46015ad97cfaa086548a1199c68aac
Code: [Select]
hxxp://193.105.0.21/ruert78.exe
md5sum ===> 42333ae8621dacd5b31af52cf6c1b2a3
http://www.virustotal.com/analisis/786b5006b1a45115d4ca52fd7e13fdaacbe5053b46498ea8b2d498c4559fd2bb-1267170209
Code: [Select]
hxxp://193.105.0.21/asterhoster.php

Code: [Select]
hxxp://193.105.0.83/avatarj.bin
md5sum ===> 3092292948a6309945b238964fa55a5c
Code: [Select]
hxxp://193.105.0.83/icqcom.exe
md5sum ===> a80ee959b47fddebfa8918e329e720be
http://www.virustotal.com/analisis/7fb0e483fc93ca0ff1996a455d63848d68997938d8723d1d6e06f04275177aa4-1267169774
Code: [Select]
hxxp://193.105.0.83/justinsert.php
Title: Re: New Zeus server
Post by: jackberri on February 26, 2010, 09:00:49 am
Code: [Select]
hxxp://193.105.0.32/google.bin
md5sum ===> 27199ccb14b67e88e76fd2e9c6846b46
Code: [Select]
hxxp://193.105.0.32/flowersis.exe
md5sum ===> afe05c6487c31457bbcc984e4b34badb
http://www.virustotal.com/analisis/e7669f524f9d11caee41cb9a82d792f9ea1c86a79ea39e76afbad9c6bba628c4-1267171701
VT 3/41 (7.32%)
Code: [Select]
hxxp://193.105.0.32/gudlive.php
Code: [Select]
hxxp://193.105.0.130/delmara.bin
md5sum ===> ecfe79699433bd71f683fee9380667c3
Code: [Select]
hxxp://193.105.0.130/inticlk.exe
md5sum ===> 68bf2204459c006d279d710ea8bc1fab
http://www.virustotal.com/analisis/c91159d30ada3b2339c7416975fc7d37290245efd1ea668f8a42defda865f918-1267173707
VT 4/42 (9.53%)
Code: [Select]
hxxp://193.105.0.130/iklrte.php
Code: [Select]
hxxp://193.105.0.94/majorafr.bin
md5sum ===> 6b6978944169f93592e846bce7d41de0
Code: [Select]
hxxp://193.105.0.94/axelf.exe
md5sum ===> f0e09661589cd8b655e23ad990545cdc
http://www.virustotal.com/analisis/c39683d1ab15d3152d5c232b75c65a4a10c68c2389756230bf0452fb39d99fc1-1267174232
VT 3/42 (7.15%)
Code: [Select]
hxxp://193.105.0.94/dumnberd.php
Title: Re: New Zeus server
Post by: jackberri on February 26, 2010, 10:47:30 am
Code: [Select]
hxxp://d0ing.net/do.bin
md5sum ===> 21f41287a076a00836f02b54846e346c
Code: [Select]
hxxp://d0ing.net/gate.php

Code: [Select]
hxxp://google-statistics-uk.com/Y5v20t6Fdw7t3uT.bin
md5sum ===> 170abccdd6f873ef508197d70b1c1a5b
Code: [Select]
hxxp://google-statistics-uk.com/jhtcd6u52nmTGHNQ25MUAym23GSajt2835JMhgsHJ735he.php
Title: Re: New Zeus server
Post by: jackberri on February 26, 2010, 01:42:22 pm
Code: [Select]
hxxp://updateinfo22.com
IP 91.212.41.60
AS29371

Code: [Select]
hxxp://updateinfo22.com/bru/grek4.exe
md5sum ===> 94235e51ab70a64d9bc78a1632629e0e
http://www.virustotal.com/analisis/9ac94f75046c98efc0d4e440ca31d903d8ba04a9990ddf5be73ec17eaaed23c1-1267190771
Code: [Select]
hxxp://updateinfo22.com/bru/gate.php
other domains:
Code: [Select]
adjamadja.cn ===> trojan downloader
lusia777.com  ===> exploits
Title: Re: New Zeus server
Post by: jackberri on February 26, 2010, 03:40:39 pm
Code: [Select]
hxxp://193.105.0.16
AS50390
Pavlenko Tetyana Oleksandrivna
t.pavlenko@smilanet.net
Code: [Select]
hxxp://193.105.0.16/pauri.bin
md5sum ===> 375dd021123df1333e054a3e2f59b130
Code: [Select]
hxxp://193.105.0.16/chentrer.exe
md5sum ===> 3c68f8bfb0a257f36b3a0a9d07070938
http://www.virustotal.com/analisis/1c7ee1ae19a57bc1fdf12f5320b0b46b39b7761717db50ec436438c249f9b417-1267193606
VT 7/42 (16.67%)
Code: [Select]
hxxp://193.105.0.16/annheth.php
Title: Re: New Zeus server
Post by: jackberri on February 26, 2010, 08:05:02 pm
Code: [Select]
hxxp://p1anka.cn/work777/apple.jpg
md5sum ===> 93a5793a8a1123f9429bf3ae3a085da6
Code: [Select]
hxxp://p1anka.cn/work777/antispy.exe
md5sum ===> 1bb1e0a65824a5a0e3741818ebb6d460
http://www.virustotal.com/analisis/1af8426936736f9a469b59e1f26bb6556a52a1c4953ca380551d78ca9443c30d-1267213732
VT 5/42 (11.91%)
Code: [Select]
hxxp://p1anka.cn/work777/loveletter.php
hxxp://b1shop.cn/work777/loveletter.php

Code: [Select]
hxxp://remixta.com/images/thumb08.jpg
md5sum ===> 13e9e0b6bc90fc68415caa4226299648

Code: [Select]
hxxp://avtomoto.limewebs.com/cn/config.bin
md5sum ===> cce37aeaa8adbb6bd569d65c915b78cd
Title: Re: New Zeus server
Post by: jackberri on February 27, 2010, 11:36:06 am
Code: [Select]
hxxp://115.100.250.82/uk/td.xls
md5sum ===> 50fcfc540ed3c93ba6d971908820b632
Code: [Select]
hxxp://115.100.250.82/uk/topdevice.exe
md5sum ===> 8699872aa974070a4320c830df9a5c05
http://www.virustotal.com/analisis/401ca6914ec1d1199403a44808df6d0a5ec8e4e52264c32dafa1600365b88679-1267270235
VT 12/42 (28.58%)
Code: [Select]
hxxp://115.100.250.82/7tImbTH8HY.php
Code: [Select]
hxxp://megalithrecords.com/store/images/yahoo/config.bin
md5sum ===> e0d47091d5000901ae4c0b1e61a44978

Code: [Select]
hxxp://mszone.sytes.net/bnt001/config.bin
md5sum ===> 591aa66cb0448f5dc1a331768c9e2f3a
Title: Re: New Zeus server
Post by: jackberri on February 27, 2010, 04:15:37 pm
Code: [Select]
hxxp://aervrfhu.ru/nhjq/n09230945.asp
md5sum ===> d97421edacd4084ed7c311f3a9aa96f4
Code: [Select]
hxxp://aervrfhu.ru/nhjq/redir.php
Title: Re: New Zeus server
Post by: jackberri on February 27, 2010, 08:18:30 pm
Code: [Select]
hxxp://iam.superfluxed.net/z/cfg.bin
md5sum ===> 5f3d83dcdab1b7d2b10a49d07544c792
Code: [Select]
hxxp://bestreportws12.in/urrla/c1.bin
md5sum ===> 915235f3aae7a8e32edfd5d3180acab6
Title: Re: New Zeus server
Post by: jackberri on February 28, 2010, 01:05:24 pm
Code: [Select]
hxxp://paedagogisches-journal.de/images/spoolsv_.exe
md5sum ===> 52554e61e3e3da65f417222ce5bd13bb
http://www.virustotal.com/analisis/f6fae48d43c4da6b0ca242d6a65183d9f659fde4fd3db5d910c7789bd2a80357-1267361686
VT 4/42 (9.53%)

Code: [Select]
hxxp://dobmvnh.com/ollala/microsoft.bin
md5sum ===> a2901dc5af642b16e7a4d73648404482
Code: [Select]
hxxp://dobmvnh.com/robot.php
related:

Code: [Select]
hxxp://ks45tn2.cn/1337/bb.php?v=200&id=500109770&tid=61&b=cl&r=1&tm=2
Title: Re: New Zeus server
Post by: jackberri on February 28, 2010, 02:10:27 pm
Code: [Select]
hxxp://193.105.0.201/adv1sed.bin
md5sum ===> 5319aad8f2117960a0b06c45f836440c
hxxp://193.105.0.201/theridge.php

Code: [Select]
hxxp://excode.info/server/config.bin
md5sum ===> 1e483a0eb4c118bd04532f1105373110
hxxp://excode.info/server/gate.php

Code: [Select]
hxxp://91.201.196.107/cff1.bin
md5sum ===> be8d843c91c66522af67712de809fb40
Title: Re: New Zeus server
Post by: SysAdMini on February 28, 2010, 02:39:58 pm
Code: [Select]
hxxp://paedagogisches-journal.de/images/spoolsv_.exe
md5sum ===> 52554e61e3e3da65f417222ce5bd13bb
http://www.virustotal.com/analisis/f6fae48d43c4da6b0ca242d6a65183d9f659fde4fd3db5d910c7789bd2a80357-1267361686
VT 4/42 (9.53%)

Code: [Select]
hxxp://dobmvnh.com/ollala/microsoft.bin
md5sum ===> a2901dc5af642b16e7a4d73648404482
Code: [Select]
hxxp://dobmvnh.com/robot.php
related:

Code: [Select]
hxxp://ks45tn2.cn/1337/bb.php?v=200&id=500109770&tid=61&b=cl&r=1&tm=2

This one is interesting. I was able to track the source of infection.

It starts at a compromised German site
Code: [Select]
paedagogisches-journal.de/news.php
There is an obfuscated iframe that directs to
Code: [Select]
hulasoftz.cn/s/go.php?sid=13
hulasoftz.cn redirects to an Eleonore exploit kit at
Code: [Select]
siftozzillaa.cn/1/index.php?s=cac6ee5d4b75fc088217edb4cd34a968
payload of Eleonore kit is Oficla/Sasfis
Code: [Select]
siftozzillaa.cn/1/load.php?spl=mdac
Oficla contacts its C&C at
Code: [Select]
ks45tn2.cn/1337/bb.php?v=200&id=636608811&b=cl&tm=2
and it receives an instruction to download Zeus from the compromised German site.
Code: [Select]
[info]runurl:http://paedagogisches-journal.de/images/spoolsv_.exe|taskid:61|delay:45|upd:1|backurls:852159.com/1337/bb.php;hulasoftz.cn/1337/bb.php[/info]
ZeuS downloads its config file from
Code: [Select]
dobmvnh.com/ollala/microsoft.bin

and drops stolen data at
Code: [Select]
dobmvnh.com/robot.php
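The chain above contains two machine-readable formats worth parsing when you find them in proxy logs or a sandbox pcap: the Oficla check-in URL (bb.php with v/id/b/tm parameters) and the [info]key:value|...[/info] task reply that names the next-stage URL and the backup C&C hosts. The following Python is an added example and is not SysAdMini's code or any tool the thread mentions; the sample check-in URL and task reply are copied from the post, while the parameter-set heuristic in is_oficla_checkin and the hxxp/[.] defanging convention are my assumptions.

```python
"""Added example (not from the thread): parse the Oficla/Sasfis check-in URL
and the [info]...[/info] task reply, and turn them into defanged IOCs."""
import re
from urllib.parse import urlparse, parse_qs

# Sample input constructed from the values quoted in the post above; the
# script never contacts any of these hosts.
CHECKIN_URL = "http://ks45tn2.cn/1337/bb.php?v=200&id=636608811&b=cl&tm=2"
TASK_RESPONSE = (
    "[info]runurl:http://paedagogisches-journal.de/images/spoolsv_.exe"
    "|taskid:61|delay:45|upd:1"
    "|backurls:852159.com/1337/bb.php;hulasoftz.cn/1337/bb.php[/info]"
)

INFO_RE = re.compile(r"\[info\](?P<body>.*?)\[/info\]", re.S)


def parse_checkin(url):
    """Split a bot check-in URL into (host, path, query params)."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    return u.hostname, u.path, params


def is_oficla_checkin(url):
    """Heuristic taken from the URL shape seen in this thread: bb.php with
    v/id/b/tm parameters. Assumption: that parameter set is stable."""
    _, path, params = parse_checkin(url)
    return path.endswith("/bb.php") and {"v", "id", "b", "tm"}.issubset(params)


def parse_task(response):
    """Parse one [info]key:value|key:value[/info] reply into a dict.

    Only the first ':' separates key from value, so 'runurl' keeps its
    embedded '://'; 'backurls' is ';'-separated; counters become ints.
    Returns None when no [info] block is present.
    """
    m = INFO_RE.search(response)
    if not m:
        return None
    task = {}
    for field in m.group("body").split("|"):
        key, sep, value = field.partition(":")
        if sep:
            task[key] = value
    if "backurls" in task:
        task["backurls"] = [b for b in task["backurls"].split(";") if b]
    for key in ("taskid", "delay", "upd"):
        if key in task and task[key].isdigit():
            task[key] = int(task[key])
    return task


def defang(url):
    """hxxp:// and [.] in the host so the IOC cannot be clicked by accident."""
    scheme, sep, rest = url.partition("://")
    if not sep:                      # backurls arrive without a scheme
        scheme, rest = "http", url
    host, slash, path = rest.partition("/")
    scheme = scheme.replace("http", "hxxp")
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"


def task_iocs(task):
    """Defanged network indicators a parsed task hands to the bot, sorted."""
    iocs = set()
    if task.get("runurl"):
        iocs.add(defang(task["runurl"]))
    for backurl in task.get("backurls", []):
        iocs.add(defang(backurl))
    return sorted(iocs)


if __name__ == "__main__":
    host, _, params = parse_checkin(CHECKIN_URL)
    print(f"check-in to {host}, bot id {params['id']}, "
          f"oficla={is_oficla_checkin(CHECKIN_URL)}")
    task = parse_task(TASK_RESPONSE)
    print(f"task {task['taskid']}: run {task['runurl']} after {task['delay']}s")
    for ioc in task_iocs(task):
        print("block:", ioc)
```

The backurls are the part worth keeping: when the primary bb.php host goes down, the bot falls back to them, so a blocklist built only from the first check-in misses the next one.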
Title: Re: New Zeus server
Post by: jackberri on February 28, 2010, 02:51:39 pm
Another compromised site?

Code: [Select]
hxxp://imhiddene.ishidden.net
Code: [Select]
hxxp://imhiddene.ishidden.net/plox/configs2.bin
md5sum ===> 897427a52b96a07ea64c0259516883cd
Title: Re: New Zeus server
Post by: jackberri on February 28, 2010, 05:55:58 pm
Code: [Select]
hxxp://dgnews.org/images/cfg2.bin
md5sum ===> 07b6263cc53a361b79a239dbc1baa647

Code: [Select]
hxxp://sakura2.cn/c.bin
md5sum ===> 4c81b56683f909d643f158fa293b70f8

Code: [Select]
hxxp://johnm.tmweb.ru/site/class.bin
md5sum ===> ab14dfa8de6362fdcf0c306298d98322
Title: Re: New Zeus server
Post by: jackberri on February 28, 2010, 08:51:36 pm
Code: [Select]
hxxp://globetechnologies.com/catalog/images/gift_certificates/gv_75.gif
md5sum ===> 9bedae3d5b582b30d5e975191b71f0f0
Title: Re: New Zeus server
Post by: jackberri on March 01, 2010, 01:49:48 pm
Code: [Select]
hxxp://allnatroniksssss.com/files/d7.out
md5sum ===> 2281fa1af08d153e376bec2bfef21bba
Title: Re: New Zeus server
Post by: jackberri on March 01, 2010, 04:30:35 pm
Code: [Select]
hxxp://servisesocks5.com/zs/cofag56.bin
md5sum ===> c4eec573857243d81096c3deebd41187

Code: [Select]
hxxp://centralspl.ru/adrenalin/cfg.bin
md5sum ===> 9a5be3d70150e0bd44c49789fc0583db
Code: [Select]
hxxp://centralspl.ru/adrenalin/oops.php
Title: Re: New Zeus server
Post by: jackberri on March 01, 2010, 08:04:24 pm
Code: [Select]
hxxp://193.105.0.17/feelinfrisky.bin
md5sum ===> 77abcad1e05a93124c49c54092812a55
Code: [Select]
hxxp://193.105.0.17/sumoero.exe
md5sum ===> 68209dcadcf9be9cb804a88d0b3521a5
http://www.virustotal.com/analisis/3fedcf73962b437b76864e6112f997462c10fe488214b58edec35e5190ce9670-1267473607
VT 2/42 (4.77%)
Code: [Select]
hxxp://193.105.0.17/mongelos.php
Title: Re: New Zeus server
Post by: jackberri on March 01, 2010, 09:07:52 pm
Code: [Select]
hxxp://en.kyod.biz/lu/en.bin
md5sum ===> 1591367a5964beba3b85e8496aa149a2
Code: [Select]
hxxp://195.3.136.90/lu/en.exe
md5sum ===> 43725ab041033a5737d1f19e3b0e2d38
http://www.virustotal.com/analisis/23f68daf0f203ab32bcc574378b36a1f69c6d4eb39770e94825651c9e365cd89-1267477358
VT 23/42 (54.77%)
Code: [Select]
hxxp://en.kyod.biz/lu/aboutus.php
Title: Re: New Zeus server
Post by: jackberri on March 01, 2010, 11:56:25 pm
Code: [Select]
hxxp://193.105.0.131/mohitos.bin
md5sum ===> 071c8f8580adbf4958f9be21c8dc1601
Code: [Select]
hxxp://193.105.0.131/dghtryhj8k.exe
md5sum ===> 793e4c4873a97e9228c9c49f588509cc
http://www.virustotal.com/analisis/887519502452c59659a68be40f81f83150a566b6298668598f66f9e97e1b6dbb-1267486985
VT 2/42 (4.77%)
Code: [Select]
hxxp://193.105.0.131/pytfccr5ef4.php
Code: [Select]
hxxp://193.105.0.84/amerskv.bin
md5sum ===> 342b3984b8a83370e8420bc0559f7a70
Code: [Select]
hxxp://193.105.0.84/sdfgrtybjikj.exe
md5sum ===> 7f9c3d31d6b5c13bacb6f0cd17ac5571
http://www.virustotal.com/analisis/8d7467bf1dfd45068b3176a6596e82587e4480d45e6e8ef28d006a4c1b63313e-1267487555
VT 2/42 (4.77%)
Code: [Select]
hxxp://193.105.0.84/hnuik9845f.php
Title: Re: New Zeus server
Post by: jackberri on March 02, 2010, 08:01:23 am
Code: [Select]
hxxp://193.105.0.22/bigdealzed.bin
md5sum ===> 0dae58dbed633decceec127e0e0753bb
Code: [Select]
hxxp://193.105.0.22/vncudnvuerjg.exe
md5sum ===> 9efa4ac7a084e4763ed07167b4490fe6
http://www.virustotal.com/analisis/d66d66d9e74a52afd4a653c4639a67bc0c1c4351c641cc11a111f23eedc2fb1d-1267516645
VT 4/42 (9.53%)
Code: [Select]
hxxp://193.105.0.22/ckduvbnf8r.php
Code: [Select]
hxxp://193.105.0.54/farmerfer.bin
md5sum ===> 5eac981424b30925d8cada6f3f092a37
Title: Re: New Zeus server
Post by: jackberri on March 02, 2010, 10:10:41 am
Code: [Select]
hxxp://ellynoise.com/SpellF0rce/Y5v20t6Fdw7t3uT.bin
md5sum ===> 20c070f0d5d86c604431eba2b6b487a2
Code: [Select]
hxxp://lastweeked.com/Spe11Set234/jhtcd6u52nmTGHNQ25MUAym23GSajt2835JMhgsHJ735hj.php
Title: Re: New Zeus server
Post by: jackberri on March 02, 2010, 11:25:39 am
Code: [Select]
hxxp://secline777.net/files/zf.nrg
md5sum ===> 85ef433b75c194fb6c90100b2b3d57db
Code: [Select]
hxxp://secline777.net/stat/index.php
related:
Code: [Select]
hxxp://secline777.net/reg.exe
md5sum ===> 891fd16f1e89f28f1dde3f1769486430
http://www.virustotal.com/analisis/c6896383a445536bbcc04ce2809750818c860353a009b2249204d8cccdf73eb0-1267528837
VT 3/41 (7.32%)
Title: Re: New Zeus server
Post by: jackberri on March 02, 2010, 01:08:09 pm
Code: [Select]
hxxp://www.gaddem.net/scam/can/cfg.cfg
md5sum ===> 0b4afdb6cd6610bb578185ebbbeb4305
Title: Re: New Zeus server
Post by: jackberri on March 02, 2010, 03:42:25 pm
Code: [Select]
hxxp://vds-6ae9.1gb.ua/vds/loc_.exe
md5sum ===> 532baa0e526d6a08a703392d210f28ef
http://www.virustotal.com/analisis/ae696b3a9225369af918cb79989f82cb905752590025b0053d3f1c0bef8f08af-1267541158
VT 5/42 (11.91%)
Code: [Select]
hxxp://vds-6ae9.1gb.ua/vds/loc.exe
md5sum ===> eee70e57641cfc582b2000fb36def9ee
http://www.virustotal.com/analisis/a1c54296387f40c96f433bd3b0f89bf3f74163230bcd354e9295cfec8ef48b02-1267540968
VT 22/42 (52.39%)
Code: [Select]
hxxp://intrunans.biz/httpd/loc.so
md5sum ===> b3688596f3a3ce4ce533ace2c82603ce


Code: [Select]
hxxp://vds-6ae9.1gb.ua/vds/pt.exe
md5sum ===> ecd82988bad0f98f7fb7eb2f6a68ba76
http://www.virustotal.com/analisis/ab047752c9c1cd6cca921ec2e90cc2099272923b2af899b1b9a0246241fdb895-1267542428
VT 20/42 (47.62%)
Code: [Select]
hxxp://inasss.info/_ptu/loc.so
md5sum ===> 1bd4eb75702b8b3ed1b9d1a7e127ec87

Code: [Select]
hxxp://vds-6ae9.1gb.ua/vds/uk1.exe
md5sum ===> c1e5accf34a3e49465e9460110e204dd
http://www.virustotal.com/analisis/11e8b841860951f16c72f218d0ec554696bf7292f0c7c40010cc680c4a317356-1267542895
VT 22/41 (53.66%)
Code: [Select]
hxxp://vds-6ae9.1gb.ua/vds/uk1_.exe
md5sum ===> 0734dedc9e0a745b029cb697de39fe2c
http://www.virustotal.com/analisis/a35eb59406e40f401bbba5a553fde122ec529867e79e89903018d262dba62c5d-1267543884
VT 4/41 (9.76%)
Code: [Select]
hxxp://kinetikman.com/httpd/loc.so
md5sum ===> 55013cf320dcedc5bf994aa5a07ed3bf

zeus trojan for
Code: [Select]
vsezaebok.biz:
Code: [Select]
hxxp://vds-6ae9.1gb.ua/vds/g3.exe
md5sum ===> f979b34af492fa865f6da994fcbf98b0
Code: [Select]
http://www.virustotal.com/analisis/8b2234352d0381b1e6d4b9e4204d7ba5e681e1ce90e81f080ef0f3b5e04f00c3-1267340719
VT 3/41 (7.32%)

related files:

Code: [Select]
hxxp://vds-6ae9.1gb.ua/vds/usr32.exe
md5sum ===> fc862828bcb4f941b5acd11fc003abb3
http://www.virustotal.com/analisis/b0fb545ff54300bd36d2639974540942aa8e2c70ac797e2e7fac05418486dacc-1267494934
VT 10/41 (24.39%)

Code: [Select]
hxxp://vds-6ae9.1gb.ua/vds/sv_.exe
md5sum ===> 5d1b4406086d109fb144d568e28b0b8d
http://www.virustotal.com/analisis/c020d491344b331b93fee3c65f9fc0968871e02c9fca975feeccd2c3dd458b39-1267543356
VT 12/42 (28.58%)

Code: [Select]
hxxp://vds-6ae9.1gb.ua/vds/Rapport.exe
md5sum ===> 14997a8ac270980608357d62964df41d
http://www.virustotal.com/analisis/4cde31351d2b34e3ea9ee6910ae0c6ceae0254b2322cd38e0331c7938f23da73-1267540382
VT 2/42 (4.77%)

Code: [Select]
hxxp://vds-6ae9.1gb.ua/vds/erwtuyt.exe
md5sum ===> ad9342b3721d9eeb7bb6dd1f0c5e5e2d
http://www.virustotal.com/analisis/46071eae795fa891999e0a1a02160751ec55af4dc200ed7283e3cab9bcd6a613-1267540635
VT 17/42 (40.48%)

Also related:
{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Title: Re: New Zeus server
Post by: jackberri on March 02, 2010, 05:10:47 pm
Code: [Select]
hxxp://fdkjsnfdjsbfj.net/zend/cfg.bin
md5sum ===> 1a0c8234b4debc1d70982b514783eac9
Code: [Select]
hxxp://fdkjsnfdjsbfj.net/zend/bot.exe
md5sum ===> 24f61b98eeedd6cd77cf4062c5d0c0a4
http://www.virustotal.com/analisis/98e370fced5d223e9c0d85d872e938210f7ffe753a0fd54af4f3dffdcc775279-1267547523
VT 23/41 (56.1%)
Code: [Select]
hxxp://fdkjsnfdjsbfj.net/zend/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 02, 2010, 07:43:45 pm
Code: [Select]
hxxp://infosline.net/zf/zf.nrg
md5sum ===> 93907e038aa20701847ab644c19d0388
Code: [Select]
hxxp://infosline.net/zf/zf.exe
md5sum ===> bb1f90348d4feb8c62f529a241295537
http://www.virustotal.com/analisis/973aaf12a2755cbc32ee149740ae2eda9496e006648d1542a83a8cc73fb33ae0-1267557958
VT 26/42 (61.91%)
Code: [Select]
hxxp://infosline.net/zf/index.php
hxxp://infosline.net/zf/gate.php

Code: [Select]
hxxp://aaa419.com/vv12218/doc2.doc
md5sum ===> b2dac46e25e6ad358dd15514f80fd849
Title: Re: New Zeus server
Post by: jackberri on March 03, 2010, 10:39:32 am
IP 193.105.0.100
Code: [Select]
hxxp://moidon.com/kayboardm.bin
md5sum ===> 8c811275ccdc8cc9398476a2d57757a2
Code: [Select]
hxxp://moidon.com/matchcat.exe
md5sum ===> 3b67959591742c5fc3a63c767777aab0
http://www.virustotal.com/analisis/2ffe6fc4bbab63be0cca297f91b201a6a1a40184993bf982c116eaa6237e501a-1267612614
VT 5/42 (11.91%)
Code: [Select]
hxxp://moidon.com/speakermusic.php

IP 95.143.192.40
Code: [Select]
hxxp://lipesnaskom.com/cgi-binn/kisme.bin
md5sum ===> 32d6a3bda965e19d974c91d06e497eb7
Title: Re: New Zeus server
Post by: jackberri on March 03, 2010, 11:10:16 am
IP 95.143.192.40
Code: [Select]
hxxp://lipesnaskom.com/cgi-binn/kisme.bin

zeus trojan not yet working:

Code: [Select]
hxxp://nordrilskre.com/load/admin/load/l_1.exe
and related:
Code: [Select]
hxxp://nordrilskre.com/load/admin/poin.php?v=3&id=88b1e97e-76487-644-4651974-59973
hxxp://nordrilskre.com/load/admin/hide.dll
Title: Re: New Zeus server
Post by: jackberri on March 03, 2010, 08:23:50 pm
IP 69.64.52.70
Code: [Select]
hxxp://selfwebguide.com/vaza/config.bin
md5sum ===> 79d3fc9804f44791d69a34ec3dfefa57


IP 61.4.82.222
Code: [Select]
hxxp://6orod.in/core/can/config.bin
md5sum ===> fa45c65cf2254d25282cd722f5af3fed
Title: Re: New Zeus server
Post by: jackberri on March 03, 2010, 09:20:42 pm
Code: [Select]
hxxp://gametester.ru/kljdaiw/afdsse2grng.jpg
md5sum ===> 8f0bc7037e17e0fdcaf44178641d0cb3
Code: [Select]
hxxp://gametester.ru/admin7hk8o/getbotdata.php
new file:

Code: [Select]
hxxp://91.201.196.37/Pho2Vi.Mieh9a
md5sum ===> 327e975799f19c9d8d5b2dbe525fcc0d
Title: Re: New Zeus server
Post by: jackberri on March 04, 2010, 07:12:10 am
IP 61.4.82.222
Code: [Select]
hxxp://www.6orod.in/core/can/config.bin
md5sum ===> fa45c65cf2254d25282cd722f5af3fed
Code: [Select]
hxxp://www.6orod.in/core/gt.php
Code: [Select]
hxxp://nadvet.su/barakoda/config.bin
md5sum ===> 0d4e3912787c7ea29c473078e7287837
Code: [Select]
hxxp://nadvet.su/barakoda/bot.exe
md5sum ===> be94646b7f581b34716c133a1fac53f6
http://www.virustotal.com/analisis/e226864ff92faf1859b1e767112fb787ab6d94ec4403429f0c86f2cf16fac5f6-1267633062
Code: [Select]
hxxp://nadvet.su/barakoda/gate.php
Code: [Select]
hxxp://193.105.0.70/rowrow111.bin
md5sum ===> 6f6f54cd9b012c67e3f6819becd60457
Code: [Select]
hxxp://193.105.0.70/kiwi.exe
md5sum ===> 96f15857bc873bd08aa86cfd35968ff0
http://www.virustotal.com/analisis/1e9fa7bd1ac64945a10d8b56a43066b409988ff02a10961762dbb1d0b8651479-1267555923
Code: [Select]
hxxp://193.105.0.70/kuota.php

related malware:

Code: [Select]
hxxp://flashplayeradobe.com/theblog/confis/svchost.exe
md5sum ===> 448b2533193e7d2581c84fd2f235b479
http://www.virustotal.com/analisis/2829bae4c51390be4d494ca53f3a1a8db3602a0eb1b532c90d61e97c65e4dbc7-1267543547
Title: Re: New Zeus server
Post by: jackberri on March 04, 2010, 10:25:48 am
Code: [Select]
hxxp://193.105.0.95/maraftey.bin
md5sum ===> 6f59265f8d97caffc9a0a63630034547
Code: [Select]
hxxp://193.105.0.95/dfgytuny54g.exe
md5sum ===> b7682ed6e9e4dc559e549ce63c2c9f1a
http://www.virustotal.com/analisis/2121805cc6ca3107148e89f98da0edbd65ba85d43ee3d3790a88003a1bda80b8-1267697865
VT 13/42 (30.96%)
Code: [Select]
hxxp://193.105.0.95/l986gfft5hrr.php
Code: [Select]
hxxp://193.105.0.33/yahoo.bin
md5sum ===> 67dd3e75ec12420394635eb7d5d68204
Code: [Select]
hxxp://193.105.0.33/fjhr8g7h8j.exe
md5sum ===> 9bd99da5521f3bbe934395d152618936
http://www.virustotal.com/analisis/0f56bdfc8a8890292cff4b4ecf839740c70190441214ab6ae4ff97b860ebf320-1267697996
VT 5/42 (11.91%)
Code: [Select]
hxxp://193.105.0.33/cvkfhg5ugj.php
Code: [Select]
hxxp://188.124.7.247/zp/cfg000.bin
md5sum ===> 0301030020e5cdf8f4d772167a4b981c
Title: Re: New Zeus server
Post by: jackberri on March 04, 2010, 11:34:06 am
IP 91.206.201.224
Code: [Select]
hxxp://dnuos.ru/url/url.bin
md5sum ===> a581cbe2bf2810649e9bd989825fe095
Code: [Select]
hxxp://dnuos.ru/url/url.exe
md5sum ===> 78bcf2bfd658f7b3475eb4746059289e
http://www.virustotal.com/analisis/93009095a871f06eadd26463de3a403b5cdd368574456f1e281be5602d385bd5-1267702107
VT 3/42 (7.15%)
Title: Re: New Zeus server
Post by: jackberri on March 04, 2010, 05:45:57 pm
IP 72.18.157.34
Code: [Select]
hxxp://brockenmon.cn/pA6oTA/mail/cig.bin
md5sum ===> 58717ff449d2a973f651225c58ce0423
Code: [Select]
hxxp://brockenmon.cn/pA6oTA/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 04, 2010, 08:33:03 pm
IP 61.4.82.249
Code: [Select]
hxxp://ddknet.biz/hi/wert.bin
md5sum ===> 312d85129db01ee8b8ae36f159abb2d6
Title: Re: New Zeus server
Post by: jackberri on March 05, 2010, 07:56:22 am
IP 188.124.5.110
Code: [Select]
hxxp://usworldcast.com/100/cfg3.bin
md5sum ===> 593914d3a04910a41f0f189d47331ff9

IP 61.4.82.249
Code: [Select]
hxxp://promolistings.net/nulled/help.txt
md5sum ===> f16a32f0d9e3811ce6df0c0118aaea2a
Title: Re: New Zeus server
Post by: jackberri on March 05, 2010, 09:11:33 am
The Postman Always Rings Twice ;)

Code: [Select]
hxxp://193.105.0.210/revoltver.bin
md5sum ===> 7d05c622719d20adb41abfe5e1dd9cc0
Code: [Select]
hxxp://193.105.0.210/antweprer.exe
md5sum ===> ceb794f61bdd7ca44e377989abfe67b2
http://www.virustotal.com/analisis/ffb91571a20903845fefe3704742a053ee6904ddccbddfdef6bcde647b304dc8-1267779838
VT 5/42 (11.91%)
Code: [Select]
hxxp://193.105.0.210/huizhu.php
Title: Re: New Zeus server
Post by: jackberri on March 05, 2010, 03:40:59 pm
IP 122.115.63.37
Code: [Select]
hxxp://infoleaderus.biz/limo/laser.jpg
md5sum ===> 8a2e35edb14112daa49edf9b4667b083
</gr_replreplace>
<gr_replace lines="2767" cat="reformat" orig="hxxp://adobeserverupdate.com/ezik">
hxxp://adobeserverupdate.com/ezik.bin
md5sum ===> 51d4c4da73ce077d804125e857dae3b7

Code: [Select]
hxxp://infoleaderus.biz/sun/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 05, 2010, 04:08:38 pm
IP 64.20.52.218
AS19318
Code: [Select]
hxxp://adobeserverupdate.com/ezik.binmd5sum ===> 51d4c4da73ce077d804125e857dae3b7
Code: [Select]
hxxp://adobeserverupdate.com/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 05, 2010, 08:51:32 pm
Code: [Select]
hxxp://193.105.0.85/scratkey.bin
md5sum ===> 60916d47a1eedc0247f782031f65176b
Code: [Select]
hxxp://193.105.0.85/uj65vrev.exe
md5sum ===> 7b9a3a18e5121f7dde5788579ad556f6
http://www.virustotal.com/analisis/b7170ce7d3db821b2357856ce9065b8c12cbd8499ba03740e54ac10ac9b85c7a-1267820598
VT 4/42 (9.53%)
Code: [Select]
hxxp://193.105.0.85/dfh7445.php
related zeusbotnet malware:
Code: [Select]
hxxp://nordrilskre.com/load/admin/hide.dll
md5sum ===> 2836143fa4e0beac924cbd8d9d3b45c8
http://www.virustotal.com/analisis/45323760a5fa21563e7e4e27f7f2dc70e9d32dd78a7fa65f468f39782e9ab72b-1267377503
Title: Re: New Zeus server
Post by: jackberri on March 06, 2010, 10:12:27 am
IP 193.104.22.100
AS34305
Code: [Select]
hxxp://greatuk.org/tt/cfg/config.bin
md5sum ===> 94565b2861dc00a618f6873456ed93a6

Code: [Select]
hxxp://122.115.63.32/gus/td
md5sum ===> e3a9dc41bb2b64d8c48ecb88f230977c
Code: [Select]
hxxp://122.115.63.32/gus/windir.exe
md5sum ===> baa03d5745db4206853835251b842b6f
http://www.virustotal.com/analisis/dd7462d75a02994b50bdf01516e0e404b997b54b275ded2b0e4bf1a5f8633972-1267865829
VT 8/42 (19.05%)
Code: [Select]
hxxp://122.115.63.32/gus/td.php
new file:
Code: [Select]
hxxp://abouttraffic.net/news/dim.exe
md5sum ===> 446584f46022015f78682ac52e35465f
http://www.virustotal.com/analisis/58843c8a672c5b4b2d971bf23fca227a09750ccd21a52fac43013a5b7c160dd4-1267808447
VT 10/42 (23.81%)
Title: Re: New Zeus server
Post by: jackberri on March 06, 2010, 12:48:25 pm
IP 195.78.108.152
AS49544
Code: [Select]
hxxp://mycoldcoffe.com/nestle/upa.bin
md5sum ===> 037f4bd378dddb8573bad95be0783f8c
Code: [Select]
hxxp://mycoldcoffe.com/nestle/gate.php
IP 124.217.239.158
Code: [Select]
hxxp://nordrilskre.com/cgi-binn/kisme.bin
md5sum ===> 03d93cd363c3d22e6c18de8e37f3c81e

Code: [Select]
hxxp://188.72.220.181/plizwork/config.bin
md5sum ===> f6fe59c76d14c1066b55f23987fb539f
Code: [Select]
hxxp://188.72.220.181/plizwork/bot.exe
md5sum ===> c3f8bb9aa872ccbdd78d3bf401ecf5da
http://www.virustotal.com/analisis/f23ed6b80b3578281ffb27f130b6c3c9cfa88a6e7cf257872c2a7399a18b1d3d-1267879180
VT 8/42 (19.05%)
Code: [Select]
hxxp://188.72.220.181/plizwork/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 06, 2010, 07:51:00 pm
IP 188.124.15.243
[static.vit.com.tr]
AS44565
Code: [Select]
hxxp://www.youphotolab.info/trash/trash1.bin
md5sum ===> 76b5beed40cf2d30b0eca28eb24b993e
Code: [Select]
hxxp://www.skyloudonville.info/ifimages/index.php
Title: Re: New Zeus server
Post by: jackberri on March 07, 2010, 11:53:35 am
Code: [Select]
hxxp://193.105.0.23/gairichi.bin
md5sum ===> 3c36ebfc768b082996dcae6afb0581a7
Code: [Select]
hxxp://193.105.0.23/juytrert5h6.php
Code: [Select]
hxxp://193.105.0.202/sandyx.bin
md5sum ===> 7d1346aeb88d2a93c808ae21465f2b7b
Code: [Select]
hxxp://193.105.0.202/ryjhtr78u.exe
md5sum ===> af25d921b606b46aeb375144208ee066
http://www.virustotal.com/analisis/1c180b998f41ce1399863a9ad8c9c0d706b05aef5f6fa0282a310e11629672e4-1267950856
VT 6/41 (14.64%)
Code: [Select]
hxxp://193.105.0.202/23iuyt.php
Code: [Select]
hxxp://193.105.0.96/olimp.bin
md5sum ===> 1d8dfcc093f512382724d295cd9f8cfc


related zeusbotnet malware:
Code: [Select]
hxxp://92.60.177.232/crypt_Rapport.exe
md5sum ===> 4f397096bc95cec975947e91fc2e2ef2
http://www.virustotal.com/analisis/5aac61a3511dcf80ae177927548b1f5e3f005aa47dc23b5d6d2832886eac3335-1267918468
VT 3/42 (7.15%)
Title: Re: New Zeus server
Post by: jackberri on March 07, 2010, 07:09:22 pm
Code: [Select]
hxxp://193.105.0.101/kaspers.bin
md5sum ===> f091b83f62927b3c8d7ff06ecf2e914c
Code: [Select]
hxxp://193.105.0.101/hgbvfe5yju.exe
md5sum ===> 3bbe5b9ee778d17fe25d7fc85293216f
http://www.virustotal.com/analisis/9ec8b3519ac4a03f133d8021225f56986dd2659c184f1c02e0d71578ff235ebb-1267943762
VT 8/42 (19.05%)

IP 203.174.83.98
[203-174-83-98.rev.ne.com.sg]
AS38001
Code: [Select]
hxxp://www.iiiiiiiiiiiiii.net/games/update.set
md5sum ===> 41c0f4d0735f8623d994fa33c7c2cfae
Code: [Select]
hxxp://www.iiiiiiiiiiiiii.net//games/update.php
Title: Re: New Zeus server
Post by: jackberri on March 08, 2010, 09:32:43 am
Code: [Select]
hxxp://papindos.info/checkVersions/database.dat
md5sum ===> c84a2112ca3db910ae564fb72ab6a56c
Code: [Select]
hxxp://papindos.info/expertAds/FileMirror.php
Code: [Select]
hxxp://bestreportwas142.in/urrla/c1.bin
md5sum ===> 458653cbc1397e2cc3e956a8ab1c6a31
Code: [Select]
hxxp://bestreportwas142.in/urrla/hey.php
Code: [Select]
hxxp://193.105.0.211/royalkingston.bin
md5sum ===> 89371942d46b432bd036adb305b58806

new file:

Code: [Select]
hxxp://usworldcast.com/100/cfg33.bin
md5sum ===> 38be87eacdff9368103cd8574fc8767d
Title: Re: New Zeus server
Post by: jackberri on March 08, 2010, 06:38:31 pm
IP 66.40.52.157
AS11388
Code: [Select]
hxxp://safi-vip.100webspace.net/cfg.bin
md5sum ===> 7a487006cf265dc8062f6eed3d62dc25
Code: [Select]
hxxp://safi-vip.100webspace.net/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 09, 2010, 07:57:27 am
Code: [Select]
hxxp://193.105.0.71/allovu.bin
md5sum ===> 87db2da845ab0296a2d4fcb87ed9fe2a
Code: [Select]
hxxp://193.105.0.71/j65g5hh7.php
IP 94.228.220.66
AS47869
Code: [Select]
hxxp://777brabus777.com/fu/loc.so
md5sum ===> 25c4c8249add34718cb87ed78f98581c
Code: [Select]
hxxp://777brabus777.com/tmp/404_ca.php
Title: Re: New Zeus server
Post by: jackberri on March 09, 2010, 11:02:11 am
IP 94.228.220.66
AS47869
Code: [Select]
hxxp://777brabus777.com/fu/loc.so
md5sum ===> 25c4c8249add34718cb87ed78f98581c
Code: [Select]
hxxp://777brabus777.com/tmp/404_ca.php

Also:

[grusha-92-60-177-249.hostinghutor.com]
AS15772
Code: [Select]
hxxp://92.60.177.249/fu/loc.so
md5sum ===> 25c4c8249add34718cb87ed78f98581c
Code: [Select]
hxxp://92.60.177.249/tmp/404_ca.php
Title: Re: New Zeus server
Post by: jackberri on March 09, 2010, 04:26:22 pm
IP 72.167.131.22
[p3swh205.shr.phx3.secureserver.net]
AS26496
Code: [Select]
hxxp://streamlinemediaworks.com/images/space.gif
md5sum ===> cf26de0e07a83df901d2361e8b697ca0
Code: [Select]
hxxp://98.126.17.138/g86f3cbi2.php
new file:
Code: [Select]
hxxp://inasss.info/pt_newold.exe
md5sum ===> c68dc0dbbfa2009f84a0f2923651a73f
http://www.virustotal.com/analisis/bdbb806bdba724547297c35102ed14349de87205a8954e2b1c03fba59e721dbb-1268151483
VT 19/42 (45.24%)
Title: Re: New Zeus server
Post by: jackberri on March 09, 2010, 05:23:02 pm
IP 122.115.63.37
[netnic.com.cn]
AS9803
Code: [Select]
hxxp://calvinkleinstuffz.com/calvinklein2/cfg.bin
md5sum ===> b49f1264a256f97a0bb31322d7bf00b7
Code: [Select]
hxxp://calvinkleinstuffz.com/calvinklein2/logger.php
Title: Re: New Zeus server
Post by: jackberri on March 09, 2010, 08:57:51 pm
IP 91.212.220.10
AS49365
Code: [Select]
hxxp://trastlifer.hk/ribbn.tar
md5sum ===> 7eff23b5cc6c16636a19f2743e08778c
Code: [Select]
hxxp://trastlifer.hk/vmxts.exe
md5sum ===> 737caf44bbd1bae81186d1f1bd137809
http://www.virustotal.com/analisis/4ddf31fad5b1b04c24836cb3116c60b4efcafc7ee7ffd3cff98c6209ad3c3803-1268167831
VT 7/42 (16.67%)
Code: [Select]
hxxp://trastlifer.hk/index1.php
Title: Re: New Zeus server
Post by: jackberri on March 10, 2010, 07:41:55 am
IP 84.19.188.22
[ns.km21048-05.keymachine.de]
AS31103
Code: [Select]
hxxp://slx777.com/pic72/yandex.jpg
md5sum ===> e22d6399d13c9fc593647bda64bf2567

IP 115.100.250.108
AS9811
Code: [Select]
hxxp://vidkonsultant.com/zadmin/cofag56.bin
md5sum ===> e6ae0a4876b069a3f7c39073ad0d1bdb
Code: [Select]
hxxp://vidkonsultant.com/zadmin/botetz.exe
md5sum ===> c1140e33709dbae55de375748cf4fb09
http://www.virustotal.com/analisis/d23a7424ab46b32860ee3baabc1461b446554316d480418181a993b655b20601-1268206506
VT 2/42 (4.77%)
Code: [Select]
hxxp://vidkonsultant.com/zadmin/gates5.php
IP 94.228.209.146
AS47869
Code: [Select]
hxxp://ectoplan.net/httpd/loc.so
md5sum ===> beb5358d78efec8607501e998f58248a
Code: [Select]
hxxp://ectoplan.net/etc/403.php
new file:
Code: [Select]
hxxp://yrots.ru/5/exeusn3.exe
md5sum ===> 0a020e8883c8d06bf6d07e9acda00ad2
http://www.virustotal.com/analisis/f28e6e8717bc4a37aa1707cfc9a13015a5a724a2ca4c0c4fbf814c68383e30eb-1268206370
VT 6/42 (14.29%)
Title: Re: New Zeus server
Post by: jackberri on March 10, 2010, 09:32:10 am
IP 91.212.132.76
AS49091
Code: [Select]
hxxp://freewhois.ru/laskw7as/lsiwkau2grng.jpg
md5sum ===> 63011a5da0a80b1fe06b9e4490285cd3

related zeusbotnet malware (ectoplan.net)
[undefined.datagroup.ua]
AS21219
Code: [Select]
hxxp://93.183.203.67/2line/KillEXE.exe
md5sum ===> 30d56bf40b7d674cd0b2e8234a72099d
Code: [Select]
http://www.virustotal.com/analisis/44724069a536e87b7a9a25c7942a000cebbf595c726c95757370c8721ff39657-1268213045
VT 3/42 (7.15%)
Title: Re: New Zeus server
Post by: jackberri on March 11, 2010, 07:57:57 am
IP 69.147.83.187
[p11p1.geo.sp1.yahoo.com]
AS36752
Code: [Select]
hxxp://pro-dancing.com/select.bin
md5sum ===> 6f5a280e69f46c8fbcb43befd6b379c7
Title: Re: New Zeus server
Post by: jackberri on March 11, 2010, 08:36:56 am
IP 59.53.91.107
AS4134
Code: [Select]
hxxp://davaydavay.net/davay/cfg.bin
md5sum ===> 78384e7a611feb51c01fee4764a5911d
Code: [Select]
hxxp://davaydavay.net/davay/folder/server.php
Title: Re: New Zeus server
Post by: jackberri on March 11, 2010, 11:29:11 am
IP 188.124.3.225
[static.vitalhosting.com.tr]
AS44565
Code: [Select]
hxxp://violgomebed.in/nnesx/cf.bin
md5sum ===> 53bfb2d3bb0bb796197cfaab2161c353
Title: Re: New Zeus server
Post by: jackberri on March 11, 2010, 03:50:40 pm
AS29371
Code: [Select]
hxxp://91.212.41.78/OhQu5i.php
Title: Re: New Zeus server
Post by: jackberri on March 13, 2010, 08:03:53 pm
Code: [Select]
hxxp://bl.widget-des.in/mnz/mxx.bin
md5sum ===> 1b1b64f9fff0cacbfc2351bd5f9aa5a2
SHA256   ===> 5ed19525591eefb2794acd610a0950e0bc4d7ba28928fbb28973aa44734e9911

IP Location China Beijing Chinanet Jiangxi Province Network
IP 59.53.91.116
AS4134
Title: Re: New Zeus server
Post by: jackberri on March 14, 2010, 11:53:11 am
Code: [Select]
hxxp://rainbox.info/tmp/tmp.php
IP Location: USA Virginia - Mclean - Smv
IP 216.22.26.29
[apple.dynadot.com]
AS25847
Title: Re: New Zeus server
Post by: jackberri on March 15, 2010, 11:12:58 am
IP 69.80.228.12
[hosted.by.x5x-noc.ru]
AS19166
Code: [Select]
hxxp://sexycheck.net/images/gate.php
IP 195.78.108.20
AS49544
Code: [Select]
hxxp://uagood.com/vOs58/tr.php
Title: Re: New Zeus server
Post by: jackberri on March 15, 2010, 03:54:27 pm
IP 69.147.83.188
[p11p3.geo.sp1.yahoo.com]
AS36752

Code: [Select]
hxxp://demonvoploti.net/join.bin
md5sum ===> 12e6cbbd974a5578fb2712c30c5e0bd3
SHA256   ===> aa174f93ea97cf6c83954ac74eae6afdf3842f11647b834b6dc9a939e6fcccd7
Code: [Select]
hxxp://demonvoploti.net/play.exe
md5sum ===> 12c81a1d66cbe386e2082152ce0db6b6
SHA256   ===> fbc52962a44ca83392ac9ce65b1d902e7d9523331bd3d48594d61c0cd0430d3a
http://www.virustotal.com/analisis/fbc52962a44ca83392ac9ce65b1d902e7d9523331bd3d48594d61c0cd0430d3a-1268667741
VT 8/42 (19.05%)
Code: [Select]
hxxp://demonvoploti.net/test.php
Title: Re: New Zeus server
Post by: jackberri on March 17, 2010, 08:00:42 pm
IP 124.217.254.201
[pegashosting.com]
AS45839
Code: [Select]
hxxp://mazavaza.co.uk/pp/suka.bin
md5sum ===> 519625b275c603401a845897cc335812
SHA256   ===> 8f3626ebffcbca58154a4338919458384c4a49a1c31bfb78c7d2148fa2226d7a
Code: [Select]
hxxp://mazavaza.co.uk/pp/huy.exe
md5sum ===> dc97e1f12aedb8190b6e812022515feb
SHA256   ===> 29de8c04d0970c14e2591aa3ebcb04d3bbad1daf1b00b2ddbaff9799621ad881
http://www.virustotal.com/analisis/29de8c04d0970c14e2591aa3ebcb04d3bbad1daf1b00b2ddbaff9799621ad881-1268854581
VT 6/42 (14.29%)
Code: [Select]
hxxp://mazavaza.co.uk/pp/tini.php
Title: Re: New Zeus server
Post by: jackberri on March 18, 2010, 04:40:22 pm
IP 89.187.37.30
[host30-37.monitoring.md]
AS25129
Code: [Select]
hxxp://corpdonates.org/cnfgbts/updatesys.bin
md5sum ===> 13c19a2d1681b753d4cf246583b9a779
SHA256   ===> b0370fc58b314cbfb90a21abd4b5da3afbe8290f742f8160aa64dd9c4d80ce76
Title: Re: New Zeus server
Post by: SysAdMini on March 19, 2010, 09:28:36 pm
Very "creative" registration details for a zeus domain:

domain:         gilsenkirhen.at
registrant:     AA6976333-NICAT
admin-c:        AA6976332-NICAT
tech-c:         AA6976332-NICAT
nserver:        a.ns.joker.com
nserver:        b.ns.joker.com
nserver:        c.ns.joker.com
changed:        20100317 13:07:44
source:         AT-DOM

personname:     ara arovskii
organization:
street address: 123 abc rd
postal code:    8===3
city:           gilzenkirshen
country:        Holy See (Vatican City State)
nic-hdl:        AA6976333-NICAT
changed:        20100310 19:15:02
source:         AT-DOM

personname:     ara arovskii
organization:
street address: 123 abc rd
postal code:    8===3
city:           gilzenkirshen
country:        Holy See (Vatican City State)
nic-hdl:        AA6976332-NICAT
changed:        20100310 19:11:24
source:         AT-DOM
Title: Re: New Zeus server
Post by: jackberri on March 19, 2010, 11:16:52 pm
IP 76.76.101.76
[reverse-mtl-76-76-101-76.gogax.com]
AS21793
Code: [Select]
hxxp://cralertyit.net/ini/clock.jpg
md5sum ===> 32e91d3f100c3433ab8cd5dfc09d49ae
SHA256   ===> 237e902353732ef974f83441e896dbb1732dc878e8a8f3ae3e8e3f46b7451fed
Code: [Select]
hxxp://cralertyit.net/cj/rp.php
Title: Re: New Zeus server
Post by: jackberri on March 20, 2010, 10:01:17 am
IP 218.240.28.34
AS23724
Code: [Select]
hxxp://dhsinfo.info/imgs/xd4sb8/nds28m.bin
md5sum ===> 879206ec5c1147bb102e3c7401aa939a
SHA256   ===> a533448005695772d4433937bcb3b472b570ae50c1eaa1223a9df6c5adf6206a
Code: [Select]
hxxp://dhsinfo.info/templtes/a16ext/int3xs/s.php
Title: Re: New Zeus server
Post by: jackberri on March 21, 2010, 10:31:12 am
IP Location: Taiwan - Taipei - Kgex.com
IP 61.61.20.133
AS9918
Code: [Select]
hxxp://napiwis54353.com/zs/cofag56.bin
md5sum ===> beff28cd3ebf4a0081804ffc583f0837
SHA256   ===> 940652e134b7fd876bc014aa3f1197994559f54d37491712f60946ea6f3d6036
Code: [Select]
hxxp://napiwis54353.com/zs/gates5.php
Title: Re: New Zeus server
Post by: jackberri on March 23, 2010, 07:24:44 am
IP 61.4.82.170
AS17964
Code: [Select]
hxxp://technotrucks.net/daily/help.txt
md5sum ===> ee553cf385356331ed00f16791c41f17
SHA256   ===> a767c79fc5cb55253eec212987ddaa1403091622e18b5c7553aee4eea1de43d5
Code: [Select]
hxxp://technotrucks.net/daily/game.exe
md5sum ===> dc62deb9554931c5ab07080fe86394e7
SHA256   ===> dd633282cbdf129be9769f59ee28b094a3e203c2d4b57598e658316e45b5c9d7
http://www.virustotal.com/analisis/dd633282cbdf129be9769f59ee28b094a3e203c2d4b57598e658316e45b5c9d7-1269328821
VT 21/42 (50%)
Code: [Select]
hxxp://technotrucks.net/daily/lucky.php
Title: Re: New Zeus server
Post by: SysAdMini on March 23, 2010, 07:28:19 am
Code: [Select]
hxxp://technotrucks.net/daily/game.exe

One more :

Code: [Select]
hxxp://technotrucks.net/daily/host.exe
config file is

Code: [Select]
hxxp://technotrucks.net/daily/manual.txt
drop zone is also lucky.php.
Title: Re: New Zeus server
Post by: jackberri on March 23, 2010, 08:36:19 am
IP Location: Panama - Cable & Wireless Panama
190.34.188.117
AS27990

Code: [Select]
hxxp://www.your-updates.net/microsoft/IE8.bin
md5sum ===> 7bab716ff87bb7d232fd6097c775e30c
SHA256   ===> bdee4b98a62a85513c526aa12b9ee484bb4bd35a67d568db31039c46a1b0208a
Code: [Select]
hxxp://www.your-updates.net/microsoft/IE8.exe
md5sum ===> aaf388576f74bd35d23b3ebff0266a54
SHA256   ===> 7929304b3ac9bb123050f9fb948d0ceae16e21693b37a5f30c2508854b3d5d37
http://www.virustotal.com/analisis/7929304b3ac9bb123050f9fb948d0ceae16e21693b37a5f30c2508854b3d5d37-1269332948
VT 8/40 (20%)
Title: Re: New Zeus server
Post by: SysAdMini on March 23, 2010, 08:41:39 am
Code: [Select]
hxxp://www.your-updates.net/microsoft/IE8.exe

drop zone:

Code: [Select]
www.win-uploads.net/win/111xjhjewhkjhdkjhkjdshkjhdkj_z01_cp.php
Title: Re: New Zeus server
Post by: jackberri on March 23, 2010, 08:46:17 am
drop zone:
Code: [Select]
www.win-uploads.net/win/111xjhjewhkjhdkjhkjdshkjhdkj_z01_cp.php

Coming of the day when that which is hidden shall be revealed
Title: Re: New Zeus server
Post by: jackberri on March 23, 2010, 09:45:06 am
IP Location: Ukraine Pe Anton Kasminin
IP 193.104.253.33
AS29557
Code: [Select]
hxxp://anatolo.com/overdrives.bin
md5sum ===> 21fd3182f55552efb28765db90640314
SHA256   ===> 807fb9f4d6aaeb2d850a6771cd55f243f577e50a096f29e8275ff2d1a78af4d4
Code: [Select]
hxxp://anatolo.com/yukmhg654g.exe
md5sum ===> 1fcfab6b5d4ec2035313360cd7cac5bb
SHA256   ===> 69c968697eec0f78ec212b082483a1e76b57cc2761375d281c5f631b3338f115
http://www.virustotal.com/analisis/69c968697eec0f78ec212b082483a1e76b57cc2761375d281c5f631b3338f115-1269336477
VT 5/41 (12.20%)

IP Location: Ukraine Pe Anton Kasminin
IP 193.104.253.32
AS29557
Code: [Select]
hxxp://onlinewebcenter.com/voderuber.bin
md5sum ===> acd7f31f16e8bb05b1f9199ed079f523
SHA256   ===> 8b45113ce27cd4326a567aee306b61d2dcd5ee7ab2361b92e4e2f457b0cff95f
Code: [Select]
hxxp://onlinewebcenter.com/myn5f7jhg.exe
md5sum ===> 6e3fe354a7ee5adfccb8d04db83e6eb8
SHA256   ===> 0ac346cabdb2fa578f745369048961726520bfc1dbced6fce7f74a1418fa6278
http://www.virustotal.com/analisis/0ac346cabdb2fa578f745369048961726520bfc1dbced6fce7f74a1418fa6278-1269337284
VT 3/42 (7.15%)
Title: Re: New Zeus server
Post by: jackberri on March 23, 2010, 10:23:33 am
IP Location: Ukraine Pe Anton Kasminin
IP 193.104.253.32
AS29557
Code: [Select]
hxxp://bumfin.com/megusta.bin
md5sum ===> 9179cad5fcd54c91abd2e24c8faf9ec6
SHA256   ===> 62d327ab8d8d5d0341d800705a2170da5f7c90b4521f04570bfe5afadfdd0c65
Code: [Select]
hxxp://bumfin.com/7uh48ug.exe
md5sum ===> cbcdb8bb5b0cd5341a1d8775eb945f02
SHA256   ===> 6fd7b578d14321b376d263bf897c4faeadeda36ef32c38683a8c932899bd6eb3
http://www.virustotal.com/analisis/6fd7b578d14321b376d263bf897c4faeadeda36ef32c38683a8c932899bd6eb3-1269339454
VT 5/42 (11.91%)
Code: [Select]
hxxp://bumfin.com/o7ggh63.php
IP Location: Ukraine Pe Anton Kasminin
IP 193.104.253.32
AS29557
Code: [Select]
hxxp://whipsto.com/webcam.bin
md5sum ===> 46394698798eb14ed173376fb25a4098
SHA256   ===> 9eaa6475bec484b18ca3ae4d4140861e909a56acc929e78e890ad4ae0e0fb8c4
Code: [Select]
hxxp://whipsto.com/gh6j54.exe
md5sum ===> a878ea87634d804fbe7d38e81cb13e78
SHA256   ===> 1e25bfb15f230d74b65ac1e8a139d8d4c003667d44a469c96962c0e7618a2341
http://www.virustotal.com/analisis/1e25bfb15f230d74b65ac1e8a139d8d4c003667d44a469c96962c0e7618a2341-1269338747
VT 3/41 (7.32%)
Code: [Select]
hxxp://whipsto.com/ny4544.php
Title: Re: New Zeus server
Post by: jackberri on March 23, 2010, 05:35:58 pm
IP Location  United States  - Pennsylvania - Scranton - Network Operations Center Inc
IP 66.197.238.154
[serv1.configdns.net]
AS21788

Code: [Select]
hxxp://linksonline.in/milo/config.bin
md5sum ===> fc3f44ccc4b709eec6a56151e4121654
SHA256   ===> 10401245ead9698aa817f3ebe93d6905b70e678042e07b62d3a905ac5346f852
Code: [Select]
hxxp://linksonline.in/milo/bot.exe
md5sum ===> 1e97a98dbc1a8b8d3008653fdefc7466
SHA256   ===> 7846708907273e4599a73d5923036b84b6b6b05f077936e02ee84bf263ba8515
http://www.virustotal.com/analisis/7846708907273e4599a73d5923036b84b6b6b05f077936e02ee84bf263ba8515-1269364975
VT 32/42 (76.2%)
Code: [Select]
hxxp://linksonline.in/milo/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 23, 2010, 08:10:35 pm
IP 188.124.5.111
[static.vitalhosting.com.tr]
ASN44565
Code: [Select]
hxxp://sitebuildera.com/m550933n/stat1.php
related malware:
Code: [Select]
hxxp://solaruploader.com/55ttr.exe
md5sum ===> 769c38d76e3e99a0fbf4ea58b071b371
SHA256   ===> b6472da2cc868ec09c472acec226d95ac04e0a322db4b9b3ea61c38e5768435b
http://www.virustotal.com/analisis/b6472da2cc868ec09c472acec226d95ac04e0a322db4b9b3ea61c38e5768435b-1269296009
VT 5/42 (11.90%)

Title: Re: New Zeus server
Post by: jackberri on March 24, 2010, 06:36:22 am
IP Location: Turkey - Vital Teknoloji - Vps Pool
IP 188.124.3.225
[static.vitalhosting.com.tr]
ASN44565
Code: [Select]
hxxp://seemyballs1.in/urla/c1.bin
md5sum ===> 7edcd2bbd0da11290a026658963cbf0d
SHA256   ===> d416d024dfa6e1708d92b00fbbc698d447d0432f91da72dca0fde7034324196c
Code: [Select]
hxxp://seemyballs1.in/lol/lol.exe
md5sum ===> fe4ee689d1e4acbe3cee39ad0cceb084
SHA256   ===> 74dc9ddcbce5239ab9738aa027908d453f4ae0313ea4fd18dfe3be0905b21853
http://www.virustotal.com/analisis/74dc9ddcbce5239ab9738aa027908d453f4ae0313ea4fd18dfe3be0905b21853-1269412335
VT 7/42 (16.67%)
Code: [Select]
hxxp://seemyballs1.in/urla/huh.php
Title: Re: New Zeus server
Post by: jackberri on March 26, 2010, 11:02:28 am
IP Location:   Taiwan - Feng Chia University
IP 140.134.32.136
AS1659
Code: [Select]
hxxp://www.stvparkcomputer.info/edu/trash3.bin
md5sum ===> 0ce1d6d2983870930d0be45401d763fb
SHA256   ===> 4116bbb49e562fa3188dfed2a18387776f8e7e62c9b9e46441130ae2e679793a

IP Location:  France - Amen France Network
IP 62.193.204.77
[vds-796511.amen-pro.com]
AS28677
Code: [Select]
hxxp://serraniasuroeste.org/images/abajo_f1.jpg
md5sum ===> f0447fd257bbd978710ac328bf3b957f
SHA256   ===> e4b4b60b98f0a94a21ab83dee18b4ca9c4c6d44f8ceba7689c3296dabd112204
http://www.virustotal.com/analisis/e4b4b60b98f0a94a21ab83dee18b4ca9c4c6d44f8ceba7689c3296dabd112204-1269596485
VT 19/42 (45.24%)
Title: Re: New Zeus server
Post by: jackberri on March 26, 2010, 12:39:53 pm
Code: [Select]
hxxp://serraniasuroeste.org/images/abajo_f1.jpg

dropzone (already listed):
Code: [Select]
hxxp://www.jokersimson.net/imagenes/index.php
Title: Re: New Zeus server
Post by: jackberri on March 26, 2010, 07:41:32 pm
IP Location:   Spain  - Galicia - Redcoruna
IP 92.43.17.2
[hosting01.redcoruna.org]
AS44497
Code: [Select]
hxxp://miraquemono.com/tienda/wp-content/themes/default/images/kubricktop.jpg
md5sum ===> 3e471d6bad771c5f14c16d25272b5c86
SHA256   ===> bc85c4fe139f352c8ae5ce0909ce923dd39a89f8a0be9f6266f39b75acac33a4
http://www.virustotal.com/analisis/bc85c4fe139f352c8ae5ce0909ce923dd39a89f8a0be9f6266f39b75acac33a4-1269632296
VT 14/41 (34.15%)
Title: Re: New Zeus server
Post by: jackberri on March 27, 2010, 07:41:49 am
IP Location:    United States - Illinois - Chicago - Hostforweb Inc
IP 216.246.124.51
[hfw3.mdjunction.com]
AS23352
Code: [Select]
hxxp://bighappy.ru/bom/config.bin
md5sum ===> 7030c2ae1938da1ae2cd7519ae39a863
SHA256   ===> 6db8507735c33c80520b00d67769b91b67fda649c740a2ef408c157848102eaa
Code: [Select]
hxxp://bighappy.ru/bom/bot.exe
md5sum ===> a2dc97c4456a88b329eb96c4ded4da0a
SHA256   ===> 6fadab789bdc2d6ece787139725efb7e603c91acf6785882cd97ae1460d271e2
http://www.virustotal.com/analisis/6fadab789bdc2d6ece787139725efb7e603c91acf6785882cd97ae1460d271e2-1269674867
VT 28/42 (66.67%)
Code: [Select]
hxxp://bighappy.ru/bom/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 27, 2010, 11:08:12 am
IP Location:  Italy - Toscana - Florence - Register.it S.p.a
IP 81.88.61.98
[host-81-88-61-98.dedicatedservers.it]
AS39729
Code: [Select]
hxxp://catmur.com/img/icons/tabs/footer.jpg
md5sum ===> fcd798a3e903ebb8677872067d5278e0
SHA256   ===> 7ca95e27f60afaf641642a50f4b21da08210bb35b1be17a3bb8856c18e9e2499
http://www.virustotal.com/analisis/7ca95e27f60afaf641642a50f4b21da08210bb35b1be17a3bb8856c18e9e2499-1269686032
VT 19/42 (45.24%)
related:
Code: [Select]
www.stvparkcomputer.info
www.jokersimson.net

IP Location: Russian Federation -Moscow - Tetracom Cjsc
IP 193.148.47.4
AS34840

Code: [Select]
hxxp://hellokittyn.tw/grabber.exe
md5sum ===> 5cefc4e17bf9d457803e07c33afca89f
SHA256   ===> 2e1e67efb33e7f66cdab9f0d7ebbc062bf6e516c0e1c760a5376fe13edd20df1
http://www.virustotal.com/analisis/2e1e67efb33e7f66cdab9f0d7ebbc062bf6e516c0e1c760a5376fe13edd20df1-1269684888
VT 4/42 (9.53%)
Code: [Select]
hxxp://hellokittyn.tw/6565.php
Code: [Select]
hxxp://bestsocksshop.ru/index1.php
other domains:
Code: [Select]
prismonet.com
Title: Re: New Zeus server
Post by: jackberri on March 27, 2010, 07:52:23 pm
Code: [Select]
hxxp://catmur.com/img/icons/tabs/footer.jpg

IP Location: Spain - Grupo Interdominios S.A
[lb25.interdominios.com]
IP 93.174.4.37
AS42237
Code: [Select]
hxxp://comega.es/images/pinstalaciones.jpg
md5sum ===> 0a2caff9bb0c4a6813bb8f62d5095ab6
SHA256   ===> e0505fb0fcbe3144d4ce0cb5c8c4fbaac176da4d9523adcd897fb05ffe80df90
http://www.virustotal.com/analisis/e0505fb0fcbe3144d4ce0cb5c8c4fbaac176da4d9523adcd897fb05ffe80df90-1269692084
VT 11/42 (26.2%)
related:
Code: [Select]
stvparkcomputer.info
jokersimson.net

IP Location:   Spain - Madrid - Hostalia-cl
IP 82.194.66.217
[linux18.dns-servicios.com]
AS16371
Code: [Select]
hxxp://ubconquense.es/images/preview_f1.png
md5sum ===> 9cfec3569410408f1274327f856614ec
SHA256   ===> 7d81a38d6938d9a1c6d0b5f23ed069225e8bdb643628af76d63c1e1a3d099e66
http://www.virustotal.com/analisis/7d81a38d6938d9a1c6d0b5f23ed069225e8bdb643628af76d63c1e1a3d099e66-1269688904
VT 23/42 (54.77%)
related:
Code: [Select]
stvparkcomputer.info
jokersimson.net
Title: Re: New Zeus server
Post by: jackberri on March 27, 2010, 11:10:28 pm
IP Location:  Malaysia - Piradius Net
[is.protected.by.themafia.info]
IP 119.82.30.246
ASN2497

Code: [Select]
hxxp://www.antivvirrus.com/zs/cfg.bin
md5sum ===> d41d8cd98f00b204e9800998ecf8427e
SHA256   ===> e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Code: [Select]
hxxp://www.antivvirrus.com/zs/config.bin
md5sum ===> a9e214f979bdb63a5f25572a7ae7d8ad
SHA256   ===> 0edf23183fbefebb62eddc65be1a3d2f8ad5dd9ed0569e01afabb0195b94c648
Code: [Select]
hxxp://www.antivvirrus.com/zs/bot.exe
md5sum ===> 2bdf5386539a406ce9fdeeb637d3ac9d
SHA256   ===> 002e254b32251819e7791e457d94c35df7ba01fb7978ece9eb804c22b33c08d9
http://www.virustotal.com/analisis/002e254b32251819e7791e457d94c35df7ba01fb7978ece9eb804c22b33c08d9-1269721706
VT 29/41 (70.74%)
Code: [Select]
www.antivvirrus.com/zs/botum-install.exe
md5sum ===> 9b6ac4a6d0a316abb1fa5de487e7bfb7
SHA256   ===> 093b169cb0d1e047424c1eb6f38a101f6184210e8786733de954141821f8c489
http://www.virustotal.com/analisis/093b169cb0d1e047424c1eb6f38a101f6184210e8786733de954141821f8c489-1269731046
VT 5/42 (11.91%)
Code: [Select]
www.antivvirrus.com/zs/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 28, 2010, 11:27:46 am
IP Location:  United Kingdom - Pi Obodovsky Ivan Sergeevich
IP 195.78.108.71
ASN49544
Code: [Select]
hxxp://seclinezzz.net/zzz.nrg
md5sum ===> 5959b796f7e0f30126ee1df01a17c55e
SHA256   ===> f2f46d04707d0ed744faff1a4532a5cde9b087fb9e94d56c7cba30e53c14c2ea
Code: [Select]
hxxp://seclinezzz.net/zzz.exe
md5sum ===> 3931246483d5b84066e9f1ff24c7221e
SHA256   ===> 512cf303a35b4d081a830af014283ed1499f9b1484d4687bb0db1ecd5d84f49e
http://www.virustotal.com/analisis/512cf303a35b4d081a830af014283ed1499f9b1484d4687bb0db1ecd5d84f49e-1269775106
VT 3/42 (7.15%)
Code: [Select]
hxxp://seclinezzz.net/s.php
Code: [Select]
hxxp://seclinezzz.net/stat/index.php
related malware - trojan Sasfis
Code: [Select]
hxxp://seclinezzz.net/s5.exe
md5sum ===> 4b0eb6b90c8dbeeaf5a870b7cdf77d00
SHA256   ===> 9a62ddb2edb1ab6a613748552cbd98b50b8e3005862e98486316e2e4f9f5a1c7
http://www.virustotal.com/analisis/9a62ddb2edb1ab6a613748552cbd98b50b8e3005862e98486316e2e4f9f5a1c7-1269775243
VT 3/41 (7.32%)

related malware - trojan Sasfis
IP Location:  United Kingdom - Pi Obodovsky Ivan Sergeevich
IP 195.78.108.71
ASN49544
Code: [Select]
hxxp://mys5.org/up.exe
md5sum ===> e61c265fd436f79dbacfe94ed2bc4ddf
SHA256   ===> 15c6cbc2f60b1e16a12e8fd22c0e1d4c0ba50457e28bdfb60e622223c4e15863
http://www.virustotal.com/analisis/15c6cbc2f60b1e16a12e8fd22c0e1d4c0ba50457e28bdfb60e622223c4e15863-1269773148
VT 24/41 (58.54%)
Title: Re: New Zeus server
Post by: jackberri on March 28, 2010, 08:02:45 pm
Code: [Select]
hxxp://www.antivvirrus.com/zs/cfg.bin
md5sum ===> d41d8cd98f00b204e9800998ecf8427e
SHA256   ===> e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

IP Location: Noord-holland - Amsterdam - Leaseweb B.v
IP  95.211.132.102
[hosted-by.leaseweb.com]
AS16265

Code: [Select]
hxxp://microsoft-server4-update.com/picks0/main1.doc
md5sum ===> 59a3996f9e80387335a1201652d9c432
SHA256   ===> b4b73a65d4ee6a4ea94bd90cf6f41616845065a37cd2f8c653daaf76ae9b999a
Code: [Select]
hxxp://adobe8-muts.cn/picks0/main1.doc
md5sum ===> 59a3996f9e80387335a1201652d9c432
SHA256   ===> b4b73a65d4ee6a4ea94bd90cf6f41616845065a37cd2f8c653daaf76ae9b999a
Code: [Select]
hxxp://microsoft-server4-update.com/update0/update.php
Code: [Select]
hxxp://adobe8-muts.cn/update0/update.php
IP Location:  United Kingdom - Pi Obodovsky Ivan Sergeevich
IP 195.78.109.98
ASN49544
Code: [Select]
hxxp://aggood.net/e.bin
md5sum ===> 6dea35f357a2b1388c951ec9c9278d9d
SHA256   ===> b062808ff13568acf832c6c736facf6beaaf03cafa0181bd9796af0bedefd8f6
Code: [Select]
hxxp://aggood.net/br488/91.php
IP Location:  Singapore - Newmedia Express Pte Ltd Singapore Web Hosting Provider
IP 203.174.83.98
ASN38001
Code: [Select]
hxxp://uytrec.cn/games/update.php
Title: Re: New Zeus server
Post by: jackberri on March 29, 2010, 12:26:10 pm
IP 188.124.15.143
IP Location: Turkey Vital Teknoloji - Dedicated Pool
[static.vit.com.tr]
ASN44565
Code: [Select]
hxxp://gavnoedov.net/2.dat
md5sum ===> a96a28f42667488fb4918441c9605899
SHA256   ===> 1372046627da8d44e6043a1363715b5b741799571742044909cba917f8e85d1b

related:
IP Location:  United Kingdom Uk2.net Dedicated Servers
[cpanel19.uk2.net]
ASN13213
Code: [Select]
hxxp://83.170.83.1/~skwebsit/logo.jpg
md5sum ===> 1f7c77b6780c33e57eb15fcf1c1cc27a
SHA256   ===> 8fd67519622aa24cd8760b54a7bf38c419f297869937ae3c7ba041945251d592

other domains:
Code: [Select]
x-monitoring.com
Title: Re: New Zeus server
Post by: jackberri on March 29, 2010, 08:08:26 pm
IP Location:  United States  - Texas - Dallas - Softlayer Technologies Inc
IP 67.228.1.65
[67.228.1.65-static.reverse.softlayer.com]
ASN36351

Code: [Select]
hxxp://www.hiddenowned.viefirehosting.com/btn/config.bin
md5sum ===> 79315412073a0bf8e19929f711b7268b
SHA256   ===> c5d41febfa0916449a19ee449c67674964af7cc5bcbaa8a858f779169bd7be11
Code: [Select]
hxxp://www.hiddenowned.viefirehosting.com/btn/bt.exe
md5sum ===> eab505251a5f411126ffb99e08bfa066
SHA256   ===> 25999ebe5f48b13ebcb76cd002aa69ee3bab0dcff34153ce694a5dfc10a95b54
http://www.virustotal.com/analisis/25999ebe5f48b13ebcb76cd002aa69ee3bab0dcff34153ce694a5dfc10a95b54-1269893048
VT 26/39 (66.67%)
Code: [Select]
hxxp://www.hiddenowned.viefirehosting.com/btn/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 30, 2010, 04:12:31 pm
IP Location: China Beijing Linktom Network Technology Co. Ltd
IP 61.4.82.216
AS17964
Code: [Select]
hxxp://kokaine.biz/media/GooD.bin
md5sum ===> 914fce59856c185d7063adcb23bdb4b2
SHA256   ===> b642061879519a132b7fc0f46a8aafc64fa7cc24b55f9bf2d960cbe6ca4c9652
Code: [Select]
hxxp://kokaine.biz/cw/index.php
related malware:
IP Location: China Beijing Linktom Network Technology Co. Ltd
IP 61.4.82.216
AS17964
Code: [Select]
hxxp://www.rusdrivers.spb.ru/admin.exe
Code: [Select]
hxxp://www.rusdrivers.spb.ru/driver.exe
md5sum ===> 49972db1a4a0abb6501f5f3bfaf2c2d2
SHA256   ===> 0968b5c8c8582be84fc2aaaf76c3472edcb8271af8e4c4beb923c27fad8a71e9
http://www.virustotal.com/analisis/0968b5c8c8582be84fc2aaaf76c3472edcb8271af8e4c4beb923c27fad8a71e9-1269964910
VT 15/38 (39.48%)
other domains:
Code: [Select]
www.newsdownloads.cn
www.free-gifts.ru
www.rlosswe.com
www.loootamaria.com
www.detransfsolutions.com
Title: Re: New Zeus server
Post by: jackberri on March 30, 2010, 04:59:47 pm
IP Location:  United States  - Texas - Dallas - Theplanet.com Internet Services Inc
IP 174.120.233.254
[fe.e9.78ae.static.theplanet.com]
AS21844
Code: [Select]
hxxp://ignclan.com/e107_docs/help/English/cm/config.bin
md5sum ===> 5221f652bd6eeb9212aec8608fbf934f
SHA256   ===> bb453aaea6ce852f0c81ea4d1ef4cd0a05746855c2b4764f51386f380ac04ea8
Code: [Select]
hxxp://ignclan.com/e107_docs/help/English/cm/bot.exe
md5sum ===> d85407ae761f43cb3823608fef59a1ae
SHA256   ===> 19fe43a017cdfcf44ce389dbcfac39c0c8b5c7132e29c983b118da232d55199f
Code: [Select]
hxxp://ignclan.com/e107_docs/help/English/cm/gate.php
http://www.virustotal.com/analisis/19fe43a017cdfcf44ce389dbcfac39c0c8b5c7132e29c983b118da232d55199f-1269968023
VT 30/42 (71.43%)
Title: Re: New Zeus server
Post by: jackberri on April 07, 2010, 07:16:23 pm
IP Location: United States Anaheim Webexxpurts 
AS36167
Code: [Select]
hxxp://67.23.176.116/config.bin
md5sum ===> baf959af5cbf02871b70bb2b4bcc692a
SHA256   ===> 4e511ed1577b30444617670b3d2aaa43274f0c77e150947b8d3067e7c8cab14f
Code: [Select]
hxxp://67.23.176.116/gate.php
related:
IP Location: Canada Vancouver Netnation Communications Inc 
IP 64.40.123.31
[Hippo.van-dns.com]
AS14280
Code: [Select]
hxxp://www.cspmedical.com/survey/bot.exe
md5sum ===> b0cef78872656c50edc23766d7011dc9
SHA256   ===> ffe75e0962733d4dfedc293354ad89d75f04cf3f74e5f77eb634126e1a00e8c4
http://www.virustotal.com/es/analisis/ffe75e0962733d4dfedc293354ad89d75f04cf3f74e5f77eb634126e1a00e8c4-1270666576
VT 27/39 (69.24%)
related:
IP Location: United States Kansas City Wholesale Internet Inc 
IP 69.197.161.218
AS32097
Code: [Select]
hxxp://tigerden.uppit.com/0110/0wsrtgo8/istealcrypt1.exe
md5sum ===> cf74534a20045b99da764654eb2fa54e
SHA256   ===> 7a878e8dfc3f35f957740d0435afb3201922645a4eefbcd8233f0551e99a641e
http://www.virustotal.com/es/analisis/7a878e8dfc3f35f957740d0435afb3201922645a4eefbcd8233f0551e99a641e-1270666957
VT 35/39 (89.75%)
Title: Re: New Zeus server
Post by: jackberri on April 08, 2010, 04:44:02 pm
IP Location:  Spain  - La Rioja - Logrono - Arsys.es
[llgb376.servidoresdns.net]
IP  217.76.130.26
AS20718
Code: [Select]
hxxp://losbocatasdeantonio.com/img/content/16401_23404.gif
md5sum ===> 535970149f8d21f691f3cbc6548e5f3a
SHA256 ===> 6540d8be9c1a301effd3780d1a6a9c74bb8965818640d0813f9fa5b209daf809
http://www.virustotal.com/es/analisis/6540d8be9c1a301effd3780d1a6a9c74bb8965818640d0813f9fa5b209daf809-1270739116
VT 26/39 (88.89%)
Known related:
Code: [Select]
hxxp://www.stvparkcomputer.info/edu/trash3.bin
Title: Re: New Zeus server
Post by: jackberri on April 10, 2010, 09:21:29 am
IP Location: Russian Federation Moscow Tetracom Cjsc 
IP 193.148.47.48
AS34840

Code: [Select]
hxxp://izdibabu.ru/bong.bmp
md5sum ===> be4b619f9aa323d9ecb4fb345955369a
SHA256 ===> 963f88684843449d5bc787fc22e6c6431ab797b91da1174d508ead15503e75af
Code: [Select]
hxxp://izdibabu.ru/swfx64.exemd5sum ===> c19f063161fada6bf6606c93f857dfc5
SHA256 ===> a57dd950059e7fe99cc269bba8b34a0b6e546f57150dc1280f558302688a0e74
http://www.virustotal.com/es/analisis/a57dd950059e7fe99cc269bba8b34a0b6e546f57150dc1280f558302688a0e74-1270890826 (http://www.virustotal.com/es/analisis/a57dd950059e7fe99cc269bba8b34a0b6e546f57150dc1280f558302688a0e74-1270890826)
VT 3/39 (7.7%)
Code: [Select]
hxxp://izdibabu.ru/index1.php
Code: [Select]
hxxp://jisver.ru/index1.php
Title: Re: New Zeus server
Post by: jackberri on April 10, 2010, 04:40:49 pm
IP Location: China Langfang Development Area Huarui Xintong Network Technology Co. Ltd   
IP 119.255.23.54
AS4837
Code: [Select]
hxxp://hihohy.com/httpd/loc.so
md5sum ===> 444f7800a306eb6a635c3e997337f0cc
SHA256 ===> 1e3c53d4442d4e23fb52c4672f94617abdab8036133031500db8f82c6983139a
Code: [Select]
hihohy.com/2cgi/go.php
IP Location: United States Houston Acronoc Inc
IP 69.80.228.12
[hosted.by.x5x-noc.ru]
AS19166
Code: [Select]
hxxp://reepta.com/commonfiles/newcfg.bin
md5sum ===> f8336c04de2468baf0340b7b7805965a
SHA256 ===> 4e17d467486437cbd1dfed36d3e13c13788194d7e56ea83bc10b65a5e1bdfb78
related:
IP Location: United States Chicago Hosting Services Inc
[174.36.82.177-static.reverse.softlayer.com]
AS36351
Code: [Select]
hxxp://174.36.82.177/cgi-bin/mdma/in2   ===> update32.exe
md5sum ===> a72b147eed8e0a2a7554ac81c9c0ac01
SHA256 ===> 33e57605aef708bf9a7409abae0472c497800a9714a53b2088a05f38e6d084f0
http://www.virustotal.com/es/analisis/33e57605aef708bf9a7409abae0472c497800a9714a53b2088a05f38e6d084f0-1270916761
VT 8/39 (20.52%)
Title: Re: New Zeus server
Post by: jackberri on April 10, 2010, 05:58:32 pm
IP Location: Ukraine Odessa Wnet-odessa-colo   
IP 92.60.176.41
[real-host.ru]
AS15772

Code: [Select]
hxxp://vladlen.real-host.ru/sites/4311345.bin
md5sum ===> c87c5c58a0bc137e07da2d9b4f017d17
SHA256 ===> e340ba45c74dca00d9a89fc80e831704681cbe769305351ec56459a77d0e3ab2
Code: [Select]
hxxp://vladlen.real-host.ru/sites/update.exe
md5sum ===> f64bbe6d81ab24018ed294fdd0d5865f
SHA256 ===> 8ce8b2fe6d282ec97ca06432792ddcb7ef3689e59e68b7c233fef62861456ae3
http://www.virustotal.com/es/analisis/8ce8b2fe6d282ec97ca06432792ddcb7ef3689e59e68b7c233fef62861456ae3-1270921916
VT 23/39 (58.98%)
Code: [Select]
vladlen.real-host.ru/sites/index1.php
Title: Re: New Zeus server
Post by: jackberri on April 13, 2010, 04:18:44 pm
IP Location: United Kingdom Pi Obodovsky Ivan Sergeevich
IP 195.78.109.241     
[i241.2u-panama.com]
AS49544
Code: [Select]
hxxp://mys5zzz.biz/f/q1.nrg      
md5sum ===> 2d4a0ffa5c8aa7db299e6854e9250501
SHA256 ===> eb7c18aa4703c559a6ff30606ac1d8944cfa4a7ca414d454688008058fb02885
Code: [Select]
hxxp://mys5zzz.biz/stat/index.php
Code: [Select]
hxxp://seclinezzz.tk/f/load.nrg
md5sum ===> 5c1a4f7553f9eb024a0bbbcd50ce8fff
SHA256 ===> 1a2a90b7b59659b027a67c77a65dcb51758bbaed34381ddc6555c13b3efbb567

Trojan Zeus (already listed) for seclinezzz.tk:
IP Location: Moldova - Eugenia E. Groza
IP 91.209.238.4
AS48671
Code: [Select]
hxxp://enoraup.com/load/load.exe
md5sum ===> 00457cb63c8bb4f1e17f2634a4488e13
SHA256 ===> 91519ca48b75dc68ad8f8bff425d5eb4364694400d2bef3ffd87573e48bda4f9
http://www.virustotal.com/es/analisis/91519ca48b75dc68ad8f8bff425d5eb4364694400d2bef3ffd87573e48bda4f9-1271174609
VT 7/40 (17.5%)
Title: Re: New Zeus server
Post by: jackberri on April 14, 2010, 09:24:25 am
IP Location: China Beijing China Railway Telecommunications Center
IP 222.35.143.116
AS38356
Code: [Select]
hxxp://foinkto015.net/ckk/after.jpg
md5sum ===> c4a943a58ee46a6b6e19ef7a0d13d1a0
SHA256 ===> e9a94062fa4c9d1f9c006191a8d8aef64b5f7b998a32b38705badfba8224979c
Code: [Select]
hxxp://foinkto015.net/rep/d.exe
md5sum ===> 445c4e6b4b73915bd44ad587223e8a49
SHA256 ===> 0e4d412e2052830ba2d5da9710b74e63fad1607a9c91907d115126199bdbe222
http://www.virustotal.com/es/analisis/0e4d412e2052830ba2d5da9710b74e63fad1607a9c91907d115126199bdbe222-1271236756
VT 6/40 (15%)
Code: [Select]
hxxp://foinkto015.net/ckk/nuker.php
Title: Re: New Zeus server
Post by: jackberri on April 14, 2010, 02:38:20 pm
IP Location: United States Walnut Psychz Networks
IP 208.87.243.131
[bird.unixbsd.info]
AS40676
Code: [Select]
hxxp://spiritnum.com/sokol/cfg2.bin
md5sum ===> 509b7768062f79b67e144c9c71e7a9b4
SHA256 ===> 09a2394e443bce4b37750210d538ccce26c43d42fe876f0ce6233d7467356f09
Code: [Select]
hxxp://spiritnum.com/booot.exe
md5sum ===> 1924d6b0a8999e6dfae7e840d91dad44
SHA256 ===> 8372d95a6a884cec04905dcfb6b245a3444fa4273c54589c327ca5d0409c0057
http://www.virustotal.com/es/analisis/8372d95a6a884cec04905dcfb6b245a3444fa4273c54589c327ca5d0409c0057-1271254867
VT 23/40 (57.5%)
Code: [Select]
hxxp://spiritnum.com/sokol/gate.php
Title: Re: New Zeus server
Post by: jackberri on April 15, 2010, 02:52:46 pm
IP Location: United States Dallas Theplanet.com Internet Services Inc 
[9.89.5446.static.theplanet.com]
AS21844
Code: [Select]
hxxp://70.84.137.9/eg.jpg
md5sum ===> 1168e470f80e7e47c8d349d253dd9b93
SHA256 ===> 48da0403bc885b26498d5e8692c1a9b71a801531d95d93ef964b9d829d36e294
Title: Re: New Zeus server
Post by: jackberri on April 16, 2010, 09:55:37 am
IP Location: China Beijing Beijing Linktom Network Technology Co. Ltd
IP 61.4.82.247
AS17964
Code: [Select]
hxxp://zalipuka.com/gogo/man.bin
md5sum ===> 1be819e21bced8f2f34afbc927f220ed
SHA256 ===> 0e6e570880fd82a9f2d2c8f4c8aa826915ae5f7d05b7766b1336a5e548b11ba7
Code: [Select]
hxxp://zalipuka.com/gogo/index.php
Title: Re: New Zeus server
Post by: jackberri on April 18, 2010, 10:17:55 am
IP Location: China Langfang Development Area Huarui Xintong Network Technology Co. Ltd 
IP 119.255.23.47
AS4837
Code: [Select]
hxxp://ferrom.cz.cc/nnrro/local.php
Title: Re: New Zeus server
Post by: jackberri on April 18, 2010, 05:31:01 pm
IP Location: China Langfang Development Area Huarui Xintong Network Technology Co. Ltd 
IP 119.255.23.54
AS4837
Code: [Select]
hxxp://pipeccc.info/go/xpx.php
Title: Re: New Zeus server
Post by: jackberri on April 18, 2010, 08:17:04 pm
IP Location: Moldova Eugenia E. Groza
AS48671
Code: [Select]
hxxp://91.209.238.24/index.php
Code: [Select]
hxxp://91.209.238.24/m5install/810/1
hxxp://91.209.238.24/admin
Title: Re: New Zeus server
Post by: jackberri on April 20, 2010, 06:25:32 am
IP Location: France Paris Ovh Sas 
IP 91.121.19.159
[ns24153.ovh.net]
AS16276
Code: [Select]
hxxp://ayelconsulting.net/ourvers/xdlogink/bropes.php?captcha
md5sum ===> 3323616a4ce92f7deec35d3686d4ef8c
SHA256 ===> 3cf7a0cf9599fb798f73d6edc137378970acd6933fbaea50b9b5b4699a8fa204
related (already listed):
Code: [Select]
hxxp://termasllifen.cl/Locitos/pord/managessec/Pripm/Tearpt.php?confirm
Title: Re: New Zeus server
Post by: SysAdMini on April 20, 2010, 08:19:51 am
IP Location: France Paris Ovh Sas 
IP 91.121.19.159
[ns24153.ovh.net]
AS16276
Code: [Select]
hxxp://ayelconsulting.net/ourvers/xdlogink/bropes.php?captcha
md5sum ===> 3323616a4ce92f7deec35d3686d4ef8c
SHA256 ===> 3cf7a0cf9599fb798f73d6edc137378970acd6933fbaea50b9b5b4699a8fa204
related (already listed):
Code: [Select]
hxxp://termasllifen.cl/Locitos/pord/managessec/Pripm/Tearpt.php?confirm


I discovered some more:

Code: [Select]
ayelconsulting.net/ourvers/xdlogink/bropes.php?confirm
www.ancspeciality.com/aects/ewUser/monnelf/lormPlanale/mapturcha.php?confirm
bettercontabil.com.br/lrsontarman/ischel/dentor/bignuer/awSeaetal/mailp.php?confirm
www.weinviertler-heuriger.at/mervc/Dinerecal/trimewCard/opUnditorm/pques.php?confirm

These scripts are universal. The function depends on the parameter only:
?confirm = trojan
?captcha = config file
without parameter = drop zone
?ip = ip check
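One way to put the parameter-to-role mapping from the post above to work on proxy logs, as an added example that is not code from the thread or from any poster: it classifies each request to a known gate script by its query parameter and derives a per-client infection stage. The log line format, the client addresses, the host `gate.example` and the `GATE_SCRIPTS` set are constructed assumptions; only the script path and the role mapping come from the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Role of a request to the gate script, keyed by query parameter, as stated in the post above.
PARAM_ROLE = {
    "confirm": "trojan download",
    "captcha": "config fetch",
    "ip": "ip check",
}
NO_PARAM_ROLE = "dropzone upload"   # bare script, no parameter = drop zone

# Constructed assumption: script file names taken from the blocklist entries in the post.
GATE_SCRIPTS = {"bropes.php", "mapturcha.php", "mailp.php", "pques.php"}

# Constructed proxy log format: "<timestamp> <client> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def classify(url):
    """Return the role of a gate-script request, or None if the URL is not a gate script."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in GATE_SCRIPTS:
        return None
    if not parts.query:
        return NO_PARAM_ROLE
    # The parameters are bare ("?confirm"), so keep_blank_values is required;
    # "?confirm=1" style values are handled the same way.
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    roles = [PARAM_ROLE[k] for k in keys if k in PARAM_ROLE]
    return roles[0] if roles else "unknown parameter"


def triage(log_lines):
    """Map each client seen talking to a gate script to an infection stage."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the format
        role = classify(m["url"])
        if role is None:
            continue                       # not a gate script, ignore
        seen.setdefault(m["client"], set()).add(role)

    stages = {}
    for client, roles in seen.items():
        if NO_PARAM_ROLE in roles:
            # Data posted to the drop zone: the bot is running and exfiltrating.
            stages[client] = "infected: bot is exfiltrating"
        elif "config fetch" in roles or "ip check" in roles:
            # Only the running bot asks for its config or an IP check.
            stages[client] = "infected: bot running, no data posted yet"
        elif "trojan download" in roles:
            # The dropper was fetched; execution still has to be confirmed on the host.
            stages[client] = "dropper downloaded; check execution"
        else:
            stages[client] = "gate contacted with unknown parameter"
    return stages


# Constructed sample log: one fully infected client, one that only fetched the dropper,
# and one unrelated request whose script name is not a gate script.
SAMPLE_LOG = [
    "2010-04-20T08:01:02Z 10.0.0.5 GET http://gate.example/ourvers/xdlogink/bropes.php?confirm",
    "2010-04-20T08:01:09Z 10.0.0.5 GET http://gate.example/ourvers/xdlogink/bropes.php?captcha",
    "2010-04-20T08:01:15Z 10.0.0.5 GET http://gate.example/ourvers/xdlogink/bropes.php?ip",
    "2010-04-20T08:02:30Z 10.0.0.5 POST http://gate.example/ourvers/xdlogink/bropes.php",
    "2010-04-20T08:05:00Z 10.0.0.7 GET http://gate.example/ourvers/xdlogink/bropes.php?confirm",
    "2010-04-20T08:06:00Z 10.0.0.9 GET http://www.example.org/index.php?confirm",
]

if __name__ == "__main__":
    for client, stage in sorted(triage(SAMPLE_LOG).items()):
        print(client, "->", stage)
```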
Title: Re: New Zeus server
Post by: jackberri on April 20, 2010, 09:40:00 am
IP Location: United States Houston Acronoc Inc     
IP 69.80.228.12
[hosted.by.x5x-noc.ru]
AS19166
Code: [Select]
hxxp://genderswar.co.cc/changed3/newcfg.bin
md5sum ===> b040a2bfb5e1242e26a1e8a15ac68b37
SHA256 ===> 40c8c455eacd3e87617de68442bf535139fc844f985631194b29704653be6d65
Code: [Select]
hxxp://genderswar.co.cc/changed3/ldr.exe
md5sum ===> 0be1b3b740367dfea3e2966a82b8d7f5
SHA256 ===> 003476517fbf710da39f9cdc1881873e3a9ad9cfc69181360759b94cb6406c85
http://www.virustotal.com/es/analisis/003476517fbf710da39f9cdc1881873e3a9ad9cfc69181360759b94cb6406c85-1271755465
VT 14/41 (34.15%)
Code: [Select]
hxxp://genderswar.co.cc/changed3/guests1/gate.php
Title: Re: New Zeus server
Post by: jackberri on April 20, 2010, 10:09:23 am
IP Location: Russian Federation Moscow Tetracom Cjsc   
IP 193.148.47.82
AS34840
Code: [Select]
hxxp://myperfection.ru/forum2/viewtopic.php
Title: Re: New Zeus server
Post by: jackberri on April 21, 2010, 07:44:23 pm
IP Location: Russian Federation Moscow Vline Ltd     
IP 109.196.143.59
AS39150
Code: [Select]
hxxp://pares.biz/bong0.bmp
md5sum ===> b92290fa7f2d344a3529c678560d3e74
SHA256 ===> 25ca16f31198c614cbab65b31978b7de096d9276b4c8eb6ef4fc4c18b17d1604
Code: [Select]
hxxp://pares.biz/cristd32.exe
md5sum ===> ec7fc197f8ce71f440c11182d79da563
SHA256 ===> a2c3e6f832eb0987db2c5e8cdbbbe0d2a401a748d7ba1c93f1988769837e2975
http://www.virustotal.com/es/analisis/a2c3e6f832eb0987db2c5e8cdbbbe0d2a401a748d7ba1c93f1988769837e2975-1271878591
VT 0/42 (0%)
Code: [Select]
hxxp://klastf.ru/index1.php
Title: Re: New Zeus server
Post by: jackberri on April 23, 2010, 10:16:34 pm
IP Location: China Langfang Development Area Huarui Xintong Network      
IP 119.255.23.16
AS4837
Code: [Select]
hxxp://www.softkill.in/server/config.bin
md5sum ===> 5ede4de4539bdae744cf3f7f3ca9d657
SHA256 ===> c7643f8c37478d081c914a7c668dd7a65cc4dbcf2e8b4b4bcfa6f4947dea400d
Code: [Select]
hxxp://www.softkill.in/server/bot.exe
md5sum ===> 1bca13f5e6aa61d157ada561ef2cd06f
SHA256 ===> 25f671c26acd6b1cdaf23808a0999caf4cf345031e55b2232cc12d5d2d084f2a
http://www.virustotal.com/analisis/25f671c26acd6b1cdaf23808a0999caf4cf345031e55b2232cc12d5d2d084f2a-1271695068
VT 27/40 (67.50%)
Code: [Select]
hxxp://www.softkill.in/server/gate.php
Code: [Select]
hxxp://popunserv.com/calc.xls
md5sum ===> 340c2afde2ac26fc89df9b997ea07cda
SHA256 ===> f541438b73e38e4becf841b4cd76fe0b7b6716e4c5773de4704680afee837c0c
Code: [Select]
hxxp://popunserv.com/1.php
(already listed, now online)
Code: [Select]
hxxp://www.lpozz.com/video_secret/az.ogg
md5sum ===> 9b5005d256380b81bffae88d29807c1e
SHA256 ===> 51378e9e531e1ca48b3f463b8ac1929dc64eef707e4ded473296ca60362bd5e5
Code: [Select]
hxxp://www.lpozz.com/odrstgvsl/in_12131.php
Title: Re: New Zeus server
Post by: jackberri on April 27, 2010, 10:48:24 am
IP Location: United States Columbus Enet Inc   
IP 207.182.135.7
[7.87.b6.static.xlhost.com]
AS10297
Code: [Select]
hxxp://vinnlife.info/logs/thisisencryptionkey9.bin
md5sum ===> 3e5961ef08f35ae917678249fcd068ae
SHA256 ===> 479b4c1f067fcda7d9cb124fe99363cdbc5e9d3c7fa1641f96251874488f613c
Code: [Select]
hxxp://vinnlife.info/logs/logo.jpg
md5sum ===> 66f800090eef6410a1cda0f084400cea
SHA256 ===> a0ebe90562d83986f64fcdc6316d7b993078366f511e65e5301daa7b9adc0429
Code: [Select]
hxxp://vinnlife.info/logs/logo.exe
md5sum ===> 65b316c067243d5e9f325b820ef30838
SHA256 ===> 10124447bb4f650db42fcf5ff8c4bd8acab8c3679ed8747d4387a24d609cf10f
http://www.virustotal.com/es/analisis/10124447bb4f650db42fcf5ff8c4bd8acab8c3679ed8747d4387a24d609cf10f-1272364732
VT 27/41 (65.86%)

related:

IP Location: Russian Federation East-siberian State Technological University   
IP 86.110.96.29
AS35335
Code: [Select]
hxxp://cactus.esstu.ru/unesco/.ldjahs/botca2.exe
md5sum ===> 601e77d9ee7b05dbd7c077929945b947
SHA256 ===> 86c7e64e7c42eb03e027487157041588a8d394a8648c171529b9d1f28fe58791
http://www.virustotal.com/es/analisis/86c7e64e7c42eb03e027487157041588a8d394a8648c171529b9d1f28fe58791-1272363276
VT 29/41 (70.74%)
Code: [Select]
hxxp://cactus.esstu.ru/unesco/.ldjahs/botca3.exe
md5sum ===> 0cc99286850b6050fa07159fb0be6c4d
SHA256 ===> 8d6a74ba2f6f90c5e51d1dec1a64abbdd1c80bd6410e2fa79376117eb4e8f74f
http://www.virustotal.com/es/analisis/8d6a74ba2f6f90c5e51d1dec1a64abbdd1c80bd6410e2fa79376117eb4e8f74f-1272364238
VT 8/41 (19.52%)
Code: [Select]
hxxp://cactus.esstu.ru/unesco/.ldjahs/dexec2.exe
md5sum ===> ba7adc27d8011f80ba8bd9704f41f6ec
SHA256 ===> f4b8844fac1d022032d907355e2cc4b175c8754a54ac81e690bf387e0aaf8c53
http://www.virustotal.com/es/analisis/f4b8844fac1d022032d907355e2cc4b175c8754a54ac81e690bf387e0aaf8c53-1272364515
VT 25/41 (60.98%)
Title: Re: New Zeus server
Post by: jackberri on April 27, 2010, 12:24:47 pm
Code: [Select]
hxxp://cactus.esstu.ru/unesco/.ldjahs/dexec2.exe
related:

Code: [Select]
hxxp://59.44.60.152:443/admin/113.jpg
md5sum ===> 72bbe8f05b65a35f4483cf3fb116db11
SHA256 ===> b34aaf03072a937b12d19550e20b9f7e2a3a85f757aba5ff7f9af05ea64ce709

Title: Re: New Zeus server
Post by: jackberri on April 28, 2010, 08:32:59 am
IP Location: Russian Federation NEVAL PE Nevedomskiy Alexey Alexeevich 
IP 91.212.198.228
AS24589
Code: [Select]
hxxp://gardenhousee.com/showtop/config.bin
md5sum ===> d41d8cd98f00b204e9800998ecf8427e
SHA256 ===> e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Code: [Select]
hxxp://gardenhousee.com/showtop/imdex1.php
IP Location: Netherlands GRAFIX-IS GrafiX Internet B.V 
IP 194.110.67.125
AS16131
Code: [Select]
hxxp://kiktodns.com/redir.php
Title: Re: New Zeus server
Post by: jackberri on April 30, 2010, 07:03:36 am
IP Location: United Kingdom Block For Pi Assignments   
IP 193.105.207.98
AS50793
Code: [Select]
hxxp://recover8888.com/zk/cofag56.bin
md5sum ===> 89fd2736508a5bee4a2c7ae9d9086469
SHA256 ===> 544559a0a36e4a578ed18c799eacfa9c13d1b4ef28f4c6542209280070a1753a
Code: [Select]
hxxp://recover8888.com/zk/botetz.exe
md5sum ===> d2acb86a4e2e8137bc40885582f42132
SHA256 ===> f4efd9db902a9b7409b19684c7e1caf0b8ca62757b5d485e1f9aec9dc2792b97
http://www.virustotal.com/es/analisis/f4efd9db902a9b7409b19684c7e1caf0b8ca62757b5d485e1f9aec9dc2792b97-1272610575
VT 4/41 (9.76%)
Code: [Select]
hxxp://recover8888.com/zk/gates5.php
Title: Re: New Zeus server
Post by: jackberri on April 30, 2010, 12:26:56 pm
IP Location: United States Dallas Softlayer Technologies Inc   
IP 74.86.133.34
[sigma.hytekhosting.com]
AS36351
Code: [Select]
hxxp://shelobs.com/img/affair5.gif
md5sum ===> f66d9d044c95f38de0a56b4294937958
SHA256 ===> ad8785d69eb67b518218aeaff9be5fdbaa7ecd88a6bcda41fde9479e532bd8bd
Code: [Select]
hxxp://shelobs.com/img/affair6.gif
md5sum ===> ae82052de985339186c81fb40a4015ac
SHA256 ===> 0e654a6511a1f0fb6333a3b35c8a9c9be69d34fc03d3868fb58f61f3960457cd
Title: Re: New Zeus server
Post by: jackberri on May 01, 2010, 10:23:30 am
IP Location: Germany Gunzenhausen Fastvps Ltd   
IP 188.40.159.20
[static.20.159.40.188.clients.your-server.de]
AS24940

Code: [Select]
hxxp://defibrilator-life.co.cc/life/updme.bin
md5sum ===> f672e1c0d499031c51ee068e508be020
SHA256 ===> 573f19e237a44304118fe070b7766d35dd4d5f8409559bd9c18b6e7aea28982d
Code: [Select]
hxxp://defibrilator-life.co.cc/life/ldr.exe
md5sum ===> 093287b328d91c02baceec513e524e71
SHA256 ===> a0983621052330e702c0fcf2e379cb89c5f6d6d7df55f41815bc0bad80c239c5
http://virusscan.jotti.org/en-gb/scanresult/a74388d164d03645e4d9b7f404e1da64d4eca28d
Result 5/18 (27.77%)
Code: [Select]
hxxp://defibrilator-life.co.cc/death/gate.php
Code: [Select]
hxxp://worldsstatistics.co.cc/stat/update.bin
md5sum ===> f672e1c0d499031c51ee068e508be020
SHA256 ===> 573f19e237a44304118fe070b7766d35dd4d5f8409559bd9c18b6e7aea28982d
Code: [Select]
hxxp://worldsstatistics.co.cc/life/updme.bin
md5sum ===> f672e1c0d499031c51ee068e508be020
SHA256 ===> 573f19e237a44304118fe070b7766d35dd4d5f8409559bd9c18b6e7aea28982d
Code: [Select]
hxxp://worldsstatistics.co.cc/stat/ldr.exe
md5sum ===> 093287b328d91c02baceec513e524e71
SHA256 ===> a0983621052330e702c0fcf2e379cb89c5f6d6d7df55f41815bc0bad80c239c5
Code: [Select]
hxxp://worldsstatistics.co.cc/de44th/gate.php
other domains:
Code: [Select]
war-cs.ru
Title: Re: New Zeus server
Post by: jackberri on May 04, 2010, 05:47:40 pm
IP Location: Taiwan  ERX-TANET-ASN1
IP 140.130.220.8
[student.cmsh.cyc.edu.tw]
AS1659
Code: [Select]
hxxp://student.cmsh.cyc.edu.tw/~streetdance/logo.jpg
md5sum ===> ae1a0c8df37e7cf5eccfa55b48799ce2
SHA256 ===> 1946cc280edc312fa7ff1892bb5b0e0d316fa054b9118e3da08767ba8bd4e07b
http://www.virustotal.com/es/analisis/1946cc280edc312fa7ff1892bb5b0e0d316fa054b9118e3da08767ba8bd4e07b-1272993267
VT 12/41 (29.27%)

IP Location: France- Paris- Dedibox Sas 
IP 88.191.17.26
[sd-2179.dedibox.fr]
AS12322
Registrant/Email Registrant: Whois Manager/v466u7kv8xc@whoisproof.com
Code: [Select]
hxxp://mazdabiz.info/flashimg/pic077.gif
md5sum ===> 6a788ef7b167a471be87865057ae84e4
SHA256 ===> 787f3f72565680053798e6279560aed93c777c9b4be1ad357f84f2e5c6f601e2
http://www.virustotal.com/es/analisis/787f3f72565680053798e6279560aed93c777c9b4be1ad357f84f2e5c6f601e2-1272994055
VT 12/41 (29.27%)

IP Location: France- Paris- Dedibox Sas 
IP 88.191.17.26
[sd-2179.dedibox.fr]
AS12322
Registrant/Email Registrant: Darrell Duckery/vynyofyb6297@gmail.com
Code: [Select]
hxxp://darellfood.info/flash/img01.bin
md5sum ===> fac97271924af79ebdcdbf8dc1031a0d
SHA256 ===> e3d169b562c19acb23791d1ce0530910b9ff1907fc0036db45ecfba95a8ca81a
Title: Re: New Zeus server
Post by: jackberri on May 05, 2010, 08:11:36 am
IP Location: France- Paris- Dedibox Sas 
IP 88.191.17.26
[sd-2179.dedibox.fr]
AS12322
Registrant/Email Registrant: Nancy Griffith/dagmjpew656@gmail.com
Code: [Select]
hxxp://mytestjob.info/flash/img01.bin
md5sum ===> fac97271924af79ebdcdbf8dc1031a0d
SHA256 ===> e3d169b562c19acb23791d1ce0530910b9ff1907fc0036db45ecfba95a8ca81a
Code: [Select]
hxxp://mytestjob.info/flashimg/pic077.gif
md5sum ===> 6a788ef7b167a471be87865057ae84e4
SHA256 ===> 787f3f72565680053798e6279560aed93c777c9b4be1ad357f84f2e5c6f601e2
http://www.virustotal.com/es/analisis/787f3f72565680053798e6279560aed93c777c9b4be1ad357f84f2e5c6f601e2-1273046517
VT 19/41 (46.35%)
Title: Re: New Zeus server
Post by: jackberri on May 05, 2010, 08:53:00 am
IP Location: France- Paris- Dedibox Sas 
IP 88.191.17.26
[sd-2179.dedibox.fr]
AS12322
Registrant/Email Registrant: Sheldon Paul/curtismelendezrx@gmail.com
Code: [Select]
hxxp://kabinaoff.info/flashu/img01.bin
md5sum ===> 16d25ccb351a70f02651b9d2918cfdd4
SHA256 ===> e3d169b562c19acb23791d1ce0530910b9ff1907fc0036db45ecfba95a8ca81a
Code: [Select]
hxxp://kabinaoff.info/flashimg/pic077.gif
md5sum ===> 6a788ef7b167a471be87865057ae84e4
SHA256 ===> 787f3f72565680053798e6279560aed93c777c9b4be1ad357f84f2e5c6f601e2
http://www.virustotal.com/es/analisis/787f3f72565680053798e6279560aed93c777c9b4be1ad357f84f2e5c6f601e2-1273046517
VT 19/41 (46.35%)
Title: Re: New Zeus server
Post by: jackberri on May 05, 2010, 10:51:38 pm
IP Location: Spain - Tusprofesionales
IP 86.109.162.6
[a0001.abansys.com]
AS196713
Registrant/Email Registrant: Autos Rebmar Andalucia, S.L.L./consultavehiculos@autosrebmar.com
Code: [Select]
hxxp://autosrebmar.com/images/imagen2.gif
md5sum ===> f47370175914d5ac7a7bca22ec8296fc
SHA256 ===> 5e4e9ba47c59e410a1a5af38d65d53abab94085d96d9612299c6ffabe77a671d
http://www.virustotal.com/es/analisis/5e4e9ba47c59e410a1a5af38d65d53abab94085d96d9612299c6ffabe77a671d-1273098534
VT 24/41 (58.54%)
Code: [Select]
hxxp://autosrebmar.com/images/asterisk.gif
md5sum ===> b9908af44d8989c467d9170c10a9ec25
SHA256 ===> 59ea5a47ba427b8fa3eba1055b70e5303325b637ccb9ddcf2f52192ed16827a6
http://www.virustotal.com/es/analisis/59ea5a47ba427b8fa3eba1055b70e5303325b637ccb9ddcf2f52192ed16827a6-1273098632
VT 17/41 (41.47%)
related (already listed):
Code: [Select]
hxxp://www.stvparkcomputer.info/edu/trash3.bin

Trojan downl. for:
Code: [Select]
kabinaoff.info
mytestjob.info
Code: [Select]
hxxp://autosrebmar.com/images/alquiler/merclasc07.jpg
md5sum ===> fc7c86ecbdb4ca1d73fcc33fad965048
SHA256 ===> 34b1ecc30244cdef63f21dd684e183fbd1e190a9a8b31ddf0643545b29219e9b
http://www.virustotal.com/es/analisis/34b1ecc30244cdef63f21dd684e183fbd1e190a9a8b31ddf0643545b29219e9b-1273097173
VT 24/41 (58.54%)

Title: Re: New Zeus server
Post by: jackberri on May 07, 2010, 09:45:57 am
IP Location: United States Seattle Spry Hosting   
IP 209.59.222.191
[searchadvertsol.net]
AS29873
Registrant/Email Registrant: Whois Privacy Protection Service/yyvptbgd@whoisprivacyprotect.com
Code: [Select]
hxxp://searchadvertsol.net/stop.bin
md5sum ===> abb63a3c236446ebfa28b440ee4bdbf7
SHA256 ===> 35d7f1a9fb2ea665a154572de639066f8bf348a92ec9ffac1791d22040a6b5d9
Code: [Select]
hxxp://searchadvertsol.net/board/gate.php
only dropzone:

IP Location:  PROXIEZ-AS PE Nikolaev Alexey Valerievich
AS50896
Registrant/Email Registrant: Nikolaev Alexey/admin@proxiz.ru
Code: [Select]
hxxp://91.216.3.27/smile/gate.php
Title: Re: New Zeus server
Post by: jackberri on May 07, 2010, 05:08:34 pm
IP Location: Serbia Isp Teamnet  
IP 89.216.66.213
AS31042
Registrant/Email Registrant: Vladimir V Silianov/frogs@bigmailbox.ru
Code: [Select]
hxxp://dolsgunss.com/archivo100r4/update.exe?P1_Prod_Version=ShockwaveFlash
md5sum ===> 547b32d660d2e0cd330155262d5dec42
SHA256 ===> fecda0b99e1891de38e2d726fe505689b691cd6fe39f11fb598a9204020cff06
http://www.virustotal.com/analisis/fecda0b99e1891de38e2d726fe505689b691cd6fe39f11fb598a9204020cff06-1273251315
VT 33/41 (80.49%)

related Zeus botnet malware
Code: [Select]
saiwoofeutie.com
IP Location: China Telecom JiangXi province
IP 59.53.91.192
AS4134
Registrant/Email Registrant: Alexander Kupalo/shine@freenetbox.ru
Code: [Select]
hxxp://bugafadsaj.com/svchost.exe
md5sum ===> 7f0c7e8b165a80d5e0960ef47b329305
SHA256 ===> ae014f0acfa453f2840e934106c995e1bcd2d75c0af8ca024b0d741c7581d2c4
http://www.virustotal.com/es/analisis/ae014f0acfa453f2840e934106c995e1bcd2d75c0af8ca024b0d741c7581d2c4-1273244988
VT 1/41 (2.44%)
Title: Re: New Zeus server
Post by: jackberri on May 08, 2010, 07:25:48 am
IP Location: Taiwan KGTNET-TW KG   
IP 61.61.20.133
AS9918
Registrant/Email Registrant: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://easytest4us.com.tw/tbn2566/confag56.bin
md5sum ===> cb26fc55a993b1374024fba7747fea76
SHA256 ===> dc69f7a8d1ad764743c2a434f02bdbede2a68bdf91286e1722126ff5083227f1
Title: Re: New Zeus server
Post by: jackberri on May 08, 2010, 10:41:51 am
IP Location: Russian Federation Pe Bondarenko Dmitriy Vladimirovich
AS29106
Registrant/Email Registrant: Bondarenko Dmitriy/bondarenkoip1@gmail.com
Code: [Select]
hxxp://91.213.174.115/~nvds/usatoday/obama.doc
md5sum ===> 4c759b98364d098afcfdbab57ddf302d
SHA256 ===> 2799df3352ee626fdb3c4d998e4a10b67f3cb37cd9798051ad97f182182ca5e1
Code: [Select]
hxxp://91.213.174.115/~nvds/usatoday/wdh.exe
md5sum ===> 717ba55b844495e54c82cd48b0fc5d33
SHA256 ===> d659bf6196cb729135644b9a3ae0ef9677700a6c447b7c67e46a06d3f461305b
http://www.virustotal.com/es/analisis/d659bf6196cb729135644b9a3ae0ef9677700a6c447b7c67e46a06d3f461305b-1273313974
VT 7/41 (17.08%)

dropzone (already listed)
IP Location: Malaysia Piradius Net 
AS45839
Registrant/Email Registrant: PIRADIUS NET Administrator/abuse@piradius.net
Code: [Select]
hxxp://124.217.230.39/~ddusa/rytnkenhc7tIm.php
Title: Re: New Zeus server
Post by: jackberri on May 08, 2010, 04:14:17 pm
Probably a dropzone

IP Location: Panama ASEVELOZ Eveloz   
IP 200.63.44.225
[cp5.panamaserver.com]
AS27716
Registrant/Email Registrant: DNS MANAGER/on3785408120001@absolutee.com
Code: [Select]
hxxp://onlineprofitsinnercircle.com/botpanel/rofl.php
Title: Re: New Zeus server
Post by: jackberri on May 09, 2010, 04:21:51 pm
IP Location: United Kingdom Block For Pi Assignments   
IP 194.8.250.49
AS43134
Registrant/Email Registrant: DI_10020144 Steven Smith/steven.smith.ny@gmail.com
Code: [Select]
hxxp://newagehosting.us/1273318197.exe
md5sum ===> 8ac18eb219ca9a97fa71bd246e18c753
SHA256 ===> 6f0020c178ca7aace6ea30b4657b3e9476d57cd9204857bf1bdadb69cb927175
https://www.virustotal.com/es/analisis/6f0020c178ca7aace6ea30b4657b3e9476d57cd9204857bf1bdadb69cb927175-1273420353
VT 14/41 (34.15%)

IP Location: United Kingdom Block For Pi Assignments   
IP 194.8.250.49
AS43134
Registrant/Email Registrant: Andrei A Filipenko/andyfly2009@yandex.ru
Code: [Select]
hxxp://yourgoogleanalytics.com/statscounter/74/counter83751139026.php
Title: Re: New Zeus server
Post by: jackberri on May 10, 2010, 04:03:52 pm
IP Location: United Kingdom Block For Pi Assignments   
IP 194.8.250.49
AS43134
Registrant/Email Registrant: DI_10020144 Steven Smith/steven.smith.ny@gmail.com
Code: [Select]
hxxp://newagehosting.us/1273318197.exe
md5sum ===> 8ac18eb219ca9a97fa71bd246e18c753
SHA256 ===> 6f0020c178ca7aace6ea30b4657b3e9476d57cd9204857bf1bdadb69cb927175
https://www.virustotal.com/es/analisis/6f0020c178ca7aace6ea30b4657b3e9476d57cd9204857bf1bdadb69cb927175-1273420353
VT 14/41 (34.15%)

Code: [Select]
hxxp://newagehosting.us/1273400562.exe
md5sum ===> 11614825286cc93111b553dab817ad77
SHA256 ===> cfb40507d1c45acc248dc7472e5c6f5978899e637448317948666858653bf2ed
https://www.virustotal.com/es/analisis/cfb40507d1c45acc248dc7472e5c6f5978899e637448317948666858653bf2ed-1273506693
VT 13/41 (34.15%)
related:
Code: [Select]
www.bestgoogleanalytics.com
www.statxx.co.in
Title: Re: New Zeus server
Post by: jackberri on May 11, 2010, 03:15:16 pm
IP Location: United States Scranton Network Operations Center Inc
IP 66.197.236.149   
[hostecs.net]
AS21788
Email Registrant: 74hucn@163.com
Code: [Select]
hxxp://163580.cn/fine/config.bin
md5sum ===> d6b3a9bc99b5088223059f2778443a6b
SHA256 ===> f3409eefb12aadef7af6cb8ed941286f2ec3a460253f0bc12f818e550c25d8b3
Code: [Select]
hxxp://163580.cn/fine/gate.php
Email Registrant: wsndpy@gmail.com
Code: [Select]
hxxp://ouiu.cn/fine/config.bin
md5sum ===> d6b3a9bc99b5088223059f2778443a6b
SHA256 ===> f3409eefb12aadef7af6cb8ed941286f2ec3a460253f0bc12f818e550c25d8b3
Code: [Select]
hxxp://ouiu.cn/fine/gate.php
Registrant/Email Registrant: Roosveer, Marc/dns@armyrats.com
Code: [Select]
hxxp://armyrats.com/fine/config.bin
md5sum ===> d6b3a9bc99b5088223059f2778443a6b
SHA256 ===> f3409eefb12aadef7af6cb8ed941286f2ec3a460253f0bc12f818e550c25d8b3
Code: [Select]
hxxp://armyrats.com/fine/gate.php
Registrant/Email Registrant: WhoisGuard Protected ()/(4ec1d3c371124f439aef7f4798c3b253.protect@whoisguard.com)
Code: [Select]
hxxp://jswiseco.com/fine/config.bin
md5sum ===> d6b3a9bc99b5088223059f2778443a6b
SHA256 ===> f3409eefb12aadef7af6cb8ed941286f2ec3a460253f0bc12f818e550c25d8b3
Code: [Select]
hxxp://jswiseco.com/fine/gate.php
IP Location: Germany Hetzner Online Ag
[free.gigespace.net]
AS24940
Registrant/Email Registrant: Igor Potapov/abuse@gigespace.com
Code: [Select]
hxxp://178.63.221.91/config.bin
md5sum ===> bcc47a83502f61c146c92d7aaa27510a
SHA256 ===> 982f4742b65f077331f49c5e5cbeb75998b2f5bbf4d980a81ce628d56961e454
Code: [Select]
hxxp://178.63.221.91/gate.php
Title: Re: New Zeus server
Post by: jackberri on May 12, 2010, 09:58:28 am
IP Location: Ukraine - VLAF-AS Vlaf Processing Ltd
IP 195.88.144.62  
AS48984
Registrant/Email Registrant: Evgeny Korentzov/admin@farsearch.tw
Code: [Select]
hxxp://farsearch.tw/zs/cofag56.bin
md5sum ===> b5762fd7dbf70a3fd54482dbf357b33d
SHA256 ===> 8b6a97ebb17faca05ba16a3bbc084b2d81ec0536120fcd24262099b5458a1f05
Code: [Select]
hxxp://farsearch.tw/zs/botetz.exe
md5sum ===> d17815b31e88723e2651462f286823b2
SHA256 ===> 8ea3b7aa9acb00053fc1940c87fdc4fd9e327bdfb6674423f5492acb539ccbde
https://www.virustotal.com/es/analisis/8ea3b7aa9acb00053fc1940c87fdc4fd9e327bdfb6674423f5492acb539ccbde-1273653222
VT 10/41 (24.4%)
Code: [Select]
hxxp://farsearch.tw/zs/gates5.php
Title: Re: New Zeus server
Post by: jackberri on May 13, 2010, 06:55:55 pm
IP Location: United States Dallas Theplanet.com Internet Services Inc
IP 70.87.126.194
[gator65.hostgator.com]   
AS21844
Registrant/Email Registrant: Christopher Davis/email@stopher.org
Code: [Select]
hxxp://lindsaydavis.com/lx/cfg.bin
md5sum ===> b08a219f3e237a6bb083c47d43850729
SHA256 ===> 6ce9f4b1186581582af1517b1298779f118910c454da6ba446b8630c1ddcbcef
Code: [Select]
hxxp://lindsaydavis.com/lx/ldr.exe
md5sum ===> 0a1ead02394006cb77835523e291caa1
SHA256 ===> f145deea33d4610ec3f1bd1ab82c3e811153fcf69e88ed787b7f9f8f6a8f5c6a
https://www.virustotal.com/es/analisis/f145deea33d4610ec3f1bd1ab82c3e811153fcf69e88ed787b7f9f8f6a8f5c6a-1273775965
VT 37/41 (90.24%)
Code: [Select]
hxxp://lindsaydavis.com/lx/index.php
Code: [Select]
hxxp://lindsaydavis.com/lx/s.php
Title: Re: New Zeus server
Post by: jackberri on May 14, 2010, 09:46:48 am
IP Location: Canada IWEB-AS iWeb Technologies Inc
IP 67.205.74.14
AS32613
Registrant/Email Registrant: WhoisGuard Protected/08dbd7be4be64c1ca86a2f62d8dd6dfd.protect@whoisguard.com
Code: [Select]
hxxp://serviceexe.com/config.bin
md5sum ===> 82c10b861d678058c747267ebde07967
SHA256 ===> 5b7d445238b55db1a7cbc484dcf914b2e32c2bfdd25b81b9e7a0d72edc324ba9
Code: [Select]
hxxp://serviceexe.com/bot.exe
md5sum ===> e400573df78d3d82523edfa8559dc320
SHA256 ===> a24414651883b57f6ef08da4f54f56ad4acec6570212393f63151720f543386c
https://www.virustotal.com/es/analisis/a24414651883b57f6ef08da4f54f56ad4acec6570212393f63151720f543386c-1273829472
VT 33/41 (80.49%)
Code: [Select]
hxxp://serviceexe.com/gate.php
Title: Re: New Zeus server
Post by: jackberri on May 15, 2010, 03:07:12 pm
IP Location: Ukraine - VLAF-AS Vlaf Processing Ltd
IP 195.88.144.92   
AS48984
Email Registrant: 94ab291ccbfd96b35c155386eec1ce2a@domain-private.com
Code: [Select]
sollutsn.biz/newstart/botopriem.php
Title: Re: New Zeus server
Post by: jackberri on May 18, 2010, 12:57:22 pm
IP Location: Lithuania - Elneta-AS Internet Service Provider ELNETA UAB Autonomous System Lithuania, Vilnius
IP 193.219.5.201
AS21031
Registrant/Email Registrant: Abdul/g4hosting@safe-mail.net
Code: [Select]
hxxp://gameover.net.in/bot123/config.bin
md5sum ===> 2e712284995e0d293888387bef36a669
SHA256 ===> bd4b16054ed61f60ebb6453033c84aa7d7de977b97669c1d06e75b534a058d1a


related rootkit Rustock
IP Location: United States -PNAP-MIA -SOFTLAYER Technologies Inc.   
IP 208.43.19.64
[208.43.19.64-static.reverse.softlayer.com]
AS36351
Registrant/Email Registrant: Zebra Media/zebramediallc@gmail.com
Code: [Select]
hxxp://liveinfopro.com/dl/inst1018wse.exe
md5sum ===> 30fbdbb98a5a886fef895ae2445ec98b
SHA256 ===> da6a09b0013efe8894ea30fe6b331b0e9381512711ec14d86f457713938b016c
https://www.virustotal.com/es/analisis/da6a09b0013efe8894ea30fe6b331b0e9381512711ec14d86f457713938b016c-1274164725
VT 0/41 (0%)
Title: Re: New Zeus server
Post by: jackberri on May 19, 2010, 07:07:58 am
IP Location: United States - AUT-NUM- American Internet, In 
IP 204.10.137.152
[www6.cpanel8.amhosting.com]   
AS33093
Registrant/Email Registrant: Elaine E Cordiello/billing@amhosting.com
Code: [Select]
hxxp://rdello.com/cfg2.bin
md5sum ===> f48f1af605c1fc6a11c5a0008d635003
SHA256 ===> 3a4b4e24d2684461a2229fa514c1a17f4f117b683ea9a76d49ccb41865a41492
Code: [Select]
hxxp://rdello.com/gate.php
IP Location: China - CHINANET-BJ-METRO Beijing Telecom 
IP 121.101.216.205
AS4847
Registrant/Email Registrant:  PP-SP-001/contact@privacyprotect.org
Code: [Select]
hxxp://ddkom.biz/eu/index.php
related:
Code: [Select]
www.newsdownloads.cn
www.coolparts31.tw
www.sinergy-dl.com
www.sokam.info
   
Title: Re: New Zeus server
Post by: jackberri on May 19, 2010, 09:41:52 am
IP Location: United States - Hosting Solutions International 
IP 69.64.62.49
[static-ip-69-64-62-49.inaddr.intergenia.de]   
AS30083
Registrant/Email Registrant: Pyotr Smirnov/royalhideaway77@gmail.com
Code: [Select]
hxxp://www.basurm.com/sl/config.bin
md5sum ===> a44010a4329613acde310415fa088ed3
SHA256 ===> 802ea6db5c55a8784f972516cdeb9d8322925df1ab4e6d3685a6ca8b4cb229ef
Code: [Select]
hxxp://www.basurm.com/sl/vs.php
IP Location: Korea  - Proxy-Registered Route Object by DACOM(AS3786)
IP 125.180.131.26
AS17858
Code: [Select]
hxxp://deewaek4heeh.kz/cp11/zengate.php
other stuff
Code: [Select]
hxxp://cmccmcssvnbuilds.com/zs/_reports/other/--+default+--/
Title: Re: New Zeus server
Post by: jackberri on May 19, 2010, 06:00:49 pm
IP Location: United States - THEPLANET-AS2 ThePlanet.com Internet Services, Inc. 
IP  174.121.79.66
[michigan.site5.com]
AS21844
Registrant/Email Registrant: Claudia Mexicano Padilla/ron@rontrs.com
Code: [Select]
hxxp://ellater.com/gate.php
Code: [Select]
hxxp://ellater.com/index.php
Title: Re: New Zeus server
Post by: jackberri on May 20, 2010, 10:31:51 am
IP Location:  UA - EVAUA-NET  InfoPlus Ltd
IP 91.216.11.92
AS50908
Email Registrant: kazanovshina@yahoo.com
Code: [Select]
hxxp://www.kazanovshina.ru/kuku.php
Code: [Select]
hxxp://kazanovshina.ru/kuku.php
IP Location: Kazakhstan - ALFAHOSTNET Alfa-Host LLP. 
IP 193.105.207.120
AS50793
Registrant/Email Registrant: Alexandr Dmitrikov/2354364575s@gmail.com
Code: [Select]
hxxp://34real.ru/bin.bin
md5sum ===> dd7850b9af0f494ed65a98e34f5ba7fa
SHA256 ===> b75b7787536a805761ea0e1ca603cab2071e2f3a9bb6dcaff6705b55ee0b1b76
Code: [Select]
hxxp://34real.ru/http/bin.exe
md5sum ===> 66686d067c0a19c3da358b59f5681426
SHA256 ===> 3d522a6ff2705815027cbfa83316e69304b89b066b58391cf7d90883cf715cf9
https://www.virustotal.com/es/analisis/3d522a6ff2705815027cbfa83316e69304b89b066b58391cf7d90883cf715cf9-1274350836
VT 3/41 (7.32%)
Code: [Select]
hxxp://34real.ru/http/rapport.exe
md5sum ===> 3cc308ca988a282ee881dde006722cd9
SHA256 ===> 8b880255e2ec4346d574f366961e14ac91acd16989e1b130f76bab32fecc8cbd
https://www.virustotal.com/es/analisis/8b880255e2ec4346d574f366961e14ac91acd16989e1b130f76bab32fecc8cbd-1274350925
VT 5/41 (12.2%)
Code: [Select]
hxxp://34real.ru/http/killaa.exe
md5sum ===> 29bceaf44e3f621ecf9420ee88ed2e67
SHA256 ===> 33813ef664075fb429065575b75d751d7f05d455a4f38c78c96366756ef90980
https://www.virustotal.com/es/analisis/33813ef664075fb429065575b75d751d7f05d455a4f38c78c96366756ef90980-1274351152
VT 6/41 (14.64%)
Code: [Select]
hxxp://34real.ru/http/logosex.php
Title: Re: New Zeus server
Post by: jackberri on May 21, 2010, 12:36:17 pm
IP Location:  Germany  - Berlin - 1&1 Internet Ag 
IP 87.106.81.67
[s15331284.onlinehome-server.info]
AS8560
Registrant/Email Registrant: Gravitynet E-Solutions  (SROW-373360)/info@gravitynet.es
Code: [Select]
hxxp://loteriahadamadrina.com/imagenes/logos/logo_generale2.png
md5sum ===> 8116a1a983278d81294e8e1308c63091
SHA256 ===> 20455ee5aaecc9be979632561f6394b46d36f039c4d658cf7b1322cb523aa931
https://www.virustotal.com/es/analisis/20455ee5aaecc9be979632561f6394b46d36f039c4d658cf7b1322cb523aa931-1274445032
VT 3/41 (7.32%)
related:
IP Location: France - ProXad network / Free SAS 
IP 88.191.12.172
[lola.cathytof.com]
AS12322
Registrant/Email Registrant: Brad Higginbotham/EmersonDuffyZP@gmail.com
Code: [Select]
hxxp://barmatuxa.info/images/smilies/domaindelete.bin
md5sum ===> 33ed97929bc7bce41aaf6c5929d10468
SHA256 ===> 54a621a7efffe8efcc88595ab5f2cb4c74ae044b227fe2b20c0383ac2342ef9b

other stuff:
IP Location:  Latvia - LATVENERGO-AS Latvian national Energy company
IP 85.15.231.77
[mail.mm88.lv]
AS29600
Code: [Select]
http://bacalavala.com.es/am/8e383b9b5d61f31de077719e46fa2b0b.php
new file related bestviewbar.com:

Code: [Select]
hxxp://solaruploader.net/asdasd23435667ed.exe
md5sum ===> 75ea4c941fd89002c8db690c16ef200a
SHA256 ===> ec36c6c7e4ca2b7f3c42c0d5633e30c21dc64b9ee1c302acd53de0d79094a24b
https://www.virustotal.com/analisis/ec36c6c7e4ca2b7f3c42c0d5633e30c21dc64b9ee1c302acd53de0d79094a24b-1274403104
VT 7/41 (17.07%)

Title: Re: New Zeus server
Post by: jackberri on May 21, 2010, 02:32:40 pm
related barmatuxa.info/images/smilies/domaindelete.bin
IP Location:   United States  - New York - Buffalo - Matrix Telecommunications 
IP 24.75.44.61
[col10.prvlb.net]
AS3356
Registrant/Email Registrant: Bonnie Ross/bonnie@stuffedchocolate.com
Code: [Select]
hxxp://stuffedchocolate.com/email2.jpg
md5sum ===> d4064ae8325eea56020f8a006b25b33f
SHA256 ===> ce8f9fbb56a0c44bc6f21214ec900cc67d7192cd2710288b01d096cec6a27dd9
https://www.virustotal.com/es/analisis/ce8f9fbb56a0c44bc6f21214ec900cc67d7192cd2710288b01d096cec6a27dd9-1274451707
VT 3/41 (7.32%)
Title: Re: New Zeus server
Post by: jackberri on May 23, 2010, 10:25:58 pm
IP Location: China  CHINANET-BJ-METRO BeijingTelecom
IP 121.101.216.196
AS4847
Registrant/Email Registrant: Karen Young/contact@myprivateregistration.com  
Code: [Select]
hxxp://karenearly.com/s/exe.exe
md5sum ===> 183d01e1fa314af2206cd2a6e72c413e
SHA256 ===> 92da9864f335587d33bb11253bfeb1e303eaae924690e7ea205a5e871e2aeadf
https://www.virustotal.com/es/analisis/92da9864f335587d33bb11253bfeb1e303eaae924690e7ea205a5e871e2aeadf-1274653312
VT 16/41 (39.03%)
related already listed:
Code: [Select]
hxxp://cribrejist.kz/bin/zoogezow.bin

related barmatuxa.info:
IP Location: Spain  - AS_ARSYS-EURO-1 arsys.es
IP 217.76.130.68
[llgb974.servidoresdns.net]
AS20718
Registrant/Email Registrant: Antonio Sanchez Vazquez/asanchez@centrocep.es  
Code: [Select]
hxxp://centrocep.es/imagenes/bannercepweb12.jpg
md5sum ===> 667d0cbc8adc4b65c5cd157817b60ddf
SHA256 ===> 3d836753aa18696a7a4121ef39491d907a8816ce72a282ac8673c3b9dc9fde13
https://www.virustotal.com/es/analisis/3d836753aa18696a7a4121ef39491d907a8816ce72a282ac8673c3b9dc9fde13-1274653065
VT 11/41 (26.83%)

related barmatuxa.info:
IP Location: Germany  - Strato Rechenzentrum -  STRATO AG
IP 81.169.145.72
[w08.rzone.de]
AS6724
Registrant/Email Registrant: Yolanda Cortizo Escalona/yocores@hotmail.com
Code: [Select]
hxxp://achepizzeria.com/Imagenes/logo12.gif
md5sum ===> 0462b6b5e5a8d718fe10d9cd9329bc0b
SHA256 ===> 79cb72cf9dd5ac49e9cb334cd8a73edf811f90df066b3ed4bbd1ca31a82da6f6
https://www.virustotal.com/es/analisis/79cb72cf9dd5ac49e9cb334cd8a73edf811f90df066b3ed4bbd1ca31a82da6f6-1274652814
VT 7/40 (17.5%)

IP Location: Morocco - IAM-AS Itissalat Al-MAGHRIB MAROC TELECOM
IP 41.140.132.55
AS6713
Code: [Select]
hxxp://2gunz.no-ip.info/bot/cfg.bin
md5sum ===> 487ccb56f29f4c5404a4d4e26235205d
SHA256 ===> 0866dfc3b6acdd5645c02de8db58c7dc5ade01d7d4f9929a411b8971d977b8a2
Code: [Select]
hxxp://2gunz.no-ip.info/bot/gate.php
Title: Re: New Zeus server
Post by: jackberri on May 24, 2010, 06:53:57 am
IP Location: Turkey - Borusan Telekom Ankara - BORUSANTELEKOM-AS Borusan Telekom Autonomus System
IP 212.98.234.210
AS15924
Registrant/Email Registrant: aziz san/azizsan@hotmail.com
Code: [Select]
hxxp://akocakkoyu.com/images/bot.exe
md5sum ===> 9579cc953b402bb908f7fe51075c3243
SHA256 ===> 9d06d9bce0f472b66c3bc181ee16cb96e0d9b33db619e01c560a9234a4f971ec
https://www.virustotal.com/es/analisis/9d06d9bce0f472b66c3bc181ee16cb96e0d9b33db619e01c560a9234a4f971ec-1274682826
VT 38/40 (95%)

more:
Code: [Select]
hxxp://akocakkoyu.com/images/loader.exe
md5sum ===> 48a793a2180b3841c18db03fd899b476
SHA256 ===> 2b933977576b2369770b130cf3e2d7db8e4767eebcc6a8bf217a931e7cdc9af2
https://www.virustotal.com/analisis/2b933977576b2369770b130cf3e2d7db8e4767eebcc6a8bf217a931e7cdc9af2-1274682028
VT 25/41 (60.98%)
Title: Re: New Zeus server
Post by: jackberri on May 24, 2010, 04:08:30 pm
IP Location: Ukraine - GLOBALROUTING - INTERACTIVE3D-AS
IP 195.78.109.177
AS49544
Registrant/Email Registrant: Ulian Ve/aniwaylin@yahoo.com
Code: [Select]
hxxp://dledns.org/firma/ccnf.bin
md5sum ===> cb669a703c6107e6f696c627414b9adb
SHA256 ===> 1ddedcae84c85c20de59d599f23503d716c1703f112100acbe15e5ee70e5c969

other malware (SpyEye):
IP Location: United States - SINGLEHOP, Inc.
IP 69.175.5.60
[web72.justhost.com]
AS32475
Registrant/Email Registrant: Ben Barry/privacy@pipedns.com
Code: [Select]
hxxp://ousdre.com/Formgrab Access Panel/config.php
Title: Re: New Zeus server
Post by: jackberri on May 24, 2010, 07:08:25 pm
IP 193.105.207.120
AS50793
Email Registrant: gavrilov81@mail.ru
Code: [Select]
hxxp://medriop56.ru/flash/ukey.bin
md5sum ===> 2144164fb75460d271d14bb17bf2fec1
SHA256 ===> ee548aeb11eebda68e307f9d242297e65a55cd94cfd21d5d21b15938d8e67393
Code: [Select]
hxxp://medriop56.ru/flash/uka_.exe
md5sum ===> 2a3cd46f44cccce8fc3328704654122a
SHA256 ===> a9a0a28cbc04944386cb9b5ae5b9c0d418babe140f78d7faea84c56545ad113f
https://www.virustotal.com/es/analisis/a9a0a28cbc04944386cb9b5ae5b9c0d418babe140f78d7faea84c56545ad113f-1274726686
VT 6/41 (14.64%)

Code: [Select]
hxxp://medriop56.ru/flash/killaa_.exe
md5sum ===> 036e5dbc169af73249fa592b8903cc14
SHA256 ===> 951c4333b75062f458acea81706e85b8c8e3792672a15ef432ff46824e86189c
https://www.virustotal.com/es/analisis/951c4333b75062f458acea81706e85b8c8e3792672a15ef432ff46824e86189c-1274726348
VT 7/41 (17.08%)
Code: [Select]
hxxp://medriop56.ru/flash/kill_.exe
md5sum ===> 3a23aafb729a1d4f60608a43fc7b744a
SHA256 ===> 131b17a7a1f6acdb979974a9ef9ed60ba80509d71981c970ffb1f004cc7b902f
https://www.virustotal.com/es/analisis/131b17a7a1f6acdb979974a9ef9ed60ba80509d71981c970ffb1f004cc7b902f-1274726515
VT 7/41 (17.08%)
Code: [Select]
hxxp://medriop56.ru/flash/rapport_.exe
md5sum ===> 9d4e69b6d172238aceeef09d054a1066
SHA256 ===> d763d6f2a1ba54bec4bb19c2dfc81ed7b479b6a35d50003ca7fc4c70290e01cb
https://www.virustotal.com/es/analisis/d763d6f2a1ba54bec4bb19c2dfc81ed7b479b6a35d50003ca7fc4c70290e01cb-1274726964
VT 5/41 (12.2%)
Title: Re: New Zeus server
Post by: jackberri on May 24, 2010, 08:19:30 pm
IP Location: Russian Federation - BEST-HOSTER Group Co. Ltd 
IP  91.215.170.54
[piter54.dns-rus.net]
AS49693
Email Registrant: ndprinasx@mail.ru
Code: [Select]
hxxp://lljj.ru
redirects to:
Code: [Select]
hxxp://www.golii-abama.lljj.ru/golii_abama)))).avi.exe
md5sum ===> 476e45d0ce519d09e7e7ed47a0bf206f
SHA256 ===> 3a2d4b74a0470cd90e2fec80ff714c2abaa56eaef89ba32543c79f4c9ef58727
https://www.virustotal.com/es/analisis/3a2d4b74a0470cd90e2fec80ff714c2abaa56eaef89ba32543c79f4c9ef58727-1274731661
VT 8/41 (19.52%)
Title: Re: New Zeus server
Post by: jackberri on May 25, 2010, 09:51:09 am
IP Location: Taiwan - ERX-TANET-ASN1 Tiawan Academic Network (TANet)
IP 163.30.190.1 
AS1659
Code: [Select]
hxxp://host.lyjh.tyc.edu.tw/~te52094/img062.gif
md5sum ===> fed5437a19b56c0fff24be66f2b284bc
SHA256 ===> c2fe1110580d8d6374ba3e515523a04210150445f0f4076899ec2963517c10db
https://www.virustotal.com/es/analisis/c2fe1110580d8d6374ba3e515523a04210150445f0f4076899ec2963517c10db-1274780177
VT 6/41 (14.64%)
related:
Code: [Select]
barmatuxa.net
barmatuxa.info
Title: Re: New Zeus server
Post by: jackberri on May 25, 2010, 10:20:34 pm
IP  193.105.207.104
AS50793
Registrant/Email Registrant: Elena Zhuravleva/neigh@fastermail.ru
Code: [Select]
hxxp://2pulenepro.net/php/php.bin
md5sum ===> 62d76ba5f0010535bfc9711a4b0662a8
SHA256 ===> 2d82db7ea47cb7c205c707011a859b662517a157bb177ce6e245d5878dd12beb
Code: [Select]
hxxp://2pulenepro.net/php/php.exe
md5sum ===> a4da7d809a8a53cb35fd0ebc7363eab6
SHA256 ===> a79907b47de81778f400a19c906a40bc0e7f24a9fde54ac77c11cb3f2ec6c14e
https://www.virustotal.com/analisis/a79907b47de81778f400a19c906a40bc0e7f24a9fde54ac77c11cb3f2ec6c14e-1274748991
VT 5/41 (12.20%)
Code: [Select]
hxxp://2pulenepro.net/php/rapport.exe
md5sum ===> 9d4e69b6d172238aceeef09d054a1066
SHA256 ===> d763d6f2a1ba54bec4bb19c2dfc81ed7b479b6a35d50003ca7fc4c70290e01cb
https://www.virustotal.com/analisis/d763d6f2a1ba54bec4bb19c2dfc81ed7b479b6a35d50003ca7fc4c70290e01cb-1274816852
VT 17/41 (41.46%)
Code: [Select]
hxxp://2pulenepro.net/php/killaa.exe
md5sum ===> 036e5dbc169af73249fa592b8903cc14
SHA256 ===> 951c4333b75062f458acea81706e85b8c8e3792672a15ef432ff46824e86189c
https://www.virustotal.com/analisis/951c4333b75062f458acea81706e85b8c8e3792672a15ef432ff46824e86189c-1274816512
VT 16/40 (40.00%)
Code: [Select]
hxxp://2pulenepro.net/php/kill.exe
md5sum ===> 3a23aafb729a1d4f60608a43fc7b744a
SHA256 ===> 131b17a7a1f6acdb979974a9ef9ed60ba80509d71981c970ffb1f004cc7b902f
https://www.virustotal.com/analisis/131b17a7a1f6acdb979974a9ef9ed60ba80509d71981c970ffb1f004cc7b902f-1274816484
VT 16/40 (40.00%)
Code: [Select]
hxxp://2pulenepro.net/php/drop.php
Title: Re: New Zeus server
Post by: jackberri on May 27, 2010, 07:53:54 am
IP Location: Moldova - UNINETMD-AS S.C. Uninet S.R.L 
IP 195.170.178.60
AS39858
Email Registrant: contact@privacyprotect.org
Updated Date: 12-may-2010
Creation Date: 01-May-2010
Code: [Select]
hxxp://domain452740.com/nhjq/n09230945.asp
hxxp://domain453001.com/nhjq/n09230945.asp
hxxp://domain454002.com/nhjq/n09230945.asp
hxxp://domain455110.com/nhjq/n09230945.asp
hxxp://domain456011.com/nhjq/n09230945.asp
hxxp://domain457198.com/nhjq/n09230945.asp
hxxp://domain458103.com/nhjq/n09230945.asp
hxxp://domain459110.com/nhjq/n09230945.asp
hxxp://domain460002.com/nhjq/n09230945.asp
hxxp://domain460003.com/nhjq/n09230945.asp
hxxp://domain460004.com/nhjq/n09230945.asp
hxxp://domain460005.com/nhjq/n09230945.asp
hxxp://domain460006.com/nhjq/n09230945.asp
hxxp://domain460007.com/nhjq/n09230945.asp
hxxp://domain460008.com/nhjq/n09230945.asp
hxxp://domain460009.com/nhjq/n09230945.asp
hxxp://domain460010.com/nhjq/n09230945.asp
hxxp://domain460011.com/nhjq/n09230945.asp
hxxp://domain460012.com/nhjq/n09230945.asp
hxxp://domain460013.com/nhjq/n09230945.asp
hxxp://domain460014.com/nhjq/n09230945.asp
hxxp://domain460015.com/nhjq/n09230945.asp
hxxp://domain460016.com/nhjq/n09230945.asp
hxxp://domain460017.com/nhjq/n09230945.asp
md5sum ===> 8945cb91d93d86d59935e07ee66f06cb
SHA256 ===> 149bffb68426536747e8cfae9a04b9c14b22bd3bfea06f91011da3ebb23d0fab
Code: [Select]
hxxp://domain452740.com/nhjq/redir.php
Title: Re: New Zeus server
Post by: jackberri on May 27, 2010, 03:17:04 pm
related bnale8.net:
IP Location: United States - RoadRunner RR-RC-Wholesale Internet, Inc 
IP 69.197.135.94
AS32097
Registrant/Email Registrant: v l hemingway/woagagnu4@yahoo.co.uk
Code: [Select]
hxxp://mastaace.ag/images/euro.png
md5sum ===> 44e7b792d18b70c83000e8dbc2e6b7c8
SHA256 ===> 68855b1cc1e20c6c174f1b037adb4895b05662e78a3155a7bf91f9133110619c
IP Location: United States - RoadRunner RR-RC-Wholesale Internet, Inc 
IP 208.110.72.86
AS32097
Registrant/Email Registrant: Jeremy Spence/stoneonfire3@gmail.com
Code: [Select]
hxxp://hamilakinec.eu/data/info.php
Title: Re: New Zeus server
Post by: jackberri on May 27, 2010, 05:52:00 pm
IP Location: Canada - Eonix Corp IP Space - CWIE Cavecreek Wholesale Internet Exchange, LLC 
IP 75.75.243.127
AS19181

Code: [Select]
hxxp://samocity-fr.co.cc/xenos/gate.php
backdoor Poison:
Code: [Select]
hxxp://samocity-fr.co.cc/xenos/bot.exe
md5sum ===> 7720d1825a3ea8bb3c8545332c2ff267
SHA256 ===> cf59c1dde3a3eb1308a32991f946b7e499752c759f15040d64a103d0cfc0a0f6
https://www.virustotal.com/es/analisis/cf59c1dde3a3eb1308a32991f946b7e499752c759f15040d64a103d0cfc0a0f6-1274981092
VT 4/41 (9.76%)
Title: Re: New Zeus server
Post by: jackberri on May 29, 2010, 07:03:45 am
IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.7
AS29106
Registrant/Email Registrant: max pet/maxpet1212@gmail.com
Code: [Select]
hxxp://galaradio.name/www/loc.so
md5sum ===> bcba8049a7c4b06a28cb0d14e7ad949e
SHA256 ===> 135cb48a63bd2b5ace4634b1f47b805354474a06cae8cad882e5024c830b03c5
Code: [Select]
hxxp://galaradio.name/crypt_kill.exe
md5sum ===> 2f3bbdd8ba32e90f9fceeadf50d2bcf1
SHA256 ===> c6e1794ea72eeeff4117eb942e19ed0ee88ec318e37804ee4df4595e55750554
https://www.virustotal.com/es/analisis/c6e1794ea72eeeff4117eb942e19ed0ee88ec318e37804ee4df4595e55750554-1275115889
VT 4/41 (9.76%)
Code: [Select]
http://galaradio.name/www/go.php
Title: Re: New Zeus server
Post by: jackberri on May 29, 2010, 09:02:27 am
Code: [Select]
hxxp://galaradio.name/www/loc.so
sorry:
Code: [Select]
hxxp://galaradio.name/vhosts/loc.so
md5sum ===> bcba8049a7c4b06a28cb0d14e7ad949e
SHA256 ===> 135cb48a63bd2b5ace4634b1f47b805354474a06cae8cad882e5024c830b03c5
Title: Re: New Zeus server
Post by: jackberri on May 29, 2010, 05:32:20 pm
IP Location: Russian Federation - VLine Telecom Block Moscow - VLTELECOM-AS VLineTelecom LLC
IP 109.196.130.43
AS39150
Email Registrant: punky@5mx.ru
Code: [Select]
hxxp://oashae2ieyek.ru/bin/ahwohn.bin
md5sum ===> ba756bbe608ae156597164aba5dd95ec
SHA256 ===> 81740f291d618fa6d4cdecf8a1db35dba4982396a0c591821dc5ba601a093336
Code: [Select]
hxxp://oashae2ieyek.ru/bin/ahwohn.exe
md5sum ===> 44e1a00364c1c06cee67521800feccbe
SHA256 ===> e1bb749c42fbf1347d8a29c0dfcec877c7851758e6654c847f0df2313eb96b06
https://www.virustotal.com/es/analisis/e1bb749c42fbf1347d8a29c0dfcec877c7851758e6654c847f0df2313eb96b06-1275153775
VT 24/41 (58.54%)
Title: Re: New Zeus server
Post by: jackberri on May 29, 2010, 10:55:28 pm
IP Location: United States - Hosting Solutions International
IP 69.64.62.52
AS30083
Registrant ID:AT_11711862
Registrant/Email Registrant: Kimberly/madonsa77@gmail.com
Code: [Select]
hxxp://www.drun.in/pp/config.bin
md5sum ===> 0dccebf537313dfd927a08fe4db40bed
SHA256 ===>  b350ea227e9ffa9d8408e8d0922c635a716d9239eb2f172177d92517ecf3a265
Code: [Select]
hxxp://www.drun.in/pp/sp.php
related: colossus321.startdedicated.com
Title: Re: New Zeus server
Post by: jackberri on May 30, 2010, 12:00:08 pm
IP 193.105.207.120
AS50793
Registrant/Email Registrant: Dmitry Smirnov/boa@freenetbox.ru
Code: [Select]
hxxp://1pulenepro.net/smile/smile.bin
md5sum ===> 64acbe904ad9c8745c42e985b253503c
SHA256 ===> 9c1e7cdb946a007247dd1c143c217a26b38f50d2c9e38bcdf726551a3b37936d
Code: [Select]
hxxp://1pulenepro.net/smile/smile.exe
md5sum ===> 9b912bd5b63bcafc0c6f30afffa46473
SHA256 ===> 2d35e638ff6d0d13713a25c977a76ed337ff19b4b82d4d183bf7dfe3391e6d21
https://www.virustotal.com/es/analisis/2d35e638ff6d0d13713a25c977a76ed337ff19b4b82d4d183bf7dfe3391e6d21-1275219754
VT 2/41 (4.88%)
Code: [Select]
hxxp://1pulenepro.net/smile/kill.exe
md5sum ===> c680c891e592a8657fb2a88be5d62776
SHA256 ===> ee8e733bc93efde95d75e72a0991639fd3d617643a0dfb773ae5d411d7d1cb41
https://www.virustotal.com/es/analisis/ee8e733bc93efde95d75e72a0991639fd3d617643a0dfb773ae5d411d7d1cb41-1275219889
VT 0/41 (0%)
Code: [Select]
hxxp://1pulenepro.net/smile/killaa.exe
md5sum ===> a7a47fea839934c06ea538aad79dcb31
SHA256 ===> c182fa0bfbdb8e9e4e28e43c6066dc5eaa3af6123d98c603e361dd92ba9bcadd
https://www.virustotal.com/es/analisis/c182fa0bfbdb8e9e4e28e43c6066dc5eaa3af6123d98c603e361dd92ba9bcadd-1275220071
VT 1/41 (2.44%)
Code: [Select]
hxxp://1pulenepro.net/smile/rapport.exe
md5sum ===> dda896412596379fd1ef77b3b1bd6440
SHA256 ===> e2df7d738a60d0f7fbb1108daeeb059b57b2c6a0868ccb9e93be37630573b227
https://www.virustotal.com/es/analisis/e2df7d738a60d0f7fbb1108daeeb059b57b2c6a0868ccb9e93be37630573b227-1275220201
VT 0/41 (0%)
Title: Re: New Zeus server
Post by: jackberri on May 31, 2010, 08:38:52 am
IP 193.105.207.120
AS50793
Email Registrant: gavrilov81@mail.ru
Code: [Select]
hxxp://reklamen7.ru/indigo/registr.exe
md5sum ===> 8765e70f505b2b4b70ca0e4805ee575e
SHA256 ===> deffdbb851fefa1c3f7effd125e8a99209fc06c676d22c8010ae61828410aa2e
https://www.virustotal.com/es/analisis/deffdbb851fefa1c3f7effd125e8a99209fc06c676d22c8010ae61828410aa2e-1275293969
VT 2/41 (4.88%)
Code: [Select]
hxxp://reklamen7.ru/indigo/putin_gay.php
probably file config:
Code: [Select]
hxxp://reklamen7.ru/indigo/ava.gif
Code: [Select]
hxxp://reklamen7.ru/indigo/kill.exe
md5sum ===> c1b8163d236006a507fd2dd99590c8b5
SHA256 ===> 997d1a10ca3793d03e76662b0afa40b88412f5c21b9a32dd6b5e1491b8ae46ce
https://www.virustotal.com/es/analisis/997d1a10ca3793d03e76662b0afa40b88412f5c21b9a32dd6b5e1491b8ae46ce-1275293493
VT 0/41 (0%)
Code: [Select]
hxxp://reklamen7.ru/indigo/killaa.exe
md5sum ===> 4b6985fed2b494bc6034d128cf8ad7d5
SHA256 ===> bbfe14922b6a90043067f03c0652e83f0a1d03ab860281cc4124f2d54b1eeb84
https://www.virustotal.com/es/analisis/bbfe14922b6a90043067f03c0652e83f0a1d03ab860281cc4124f2d54b1eeb84-1275293649
VT 0/41 (0%)
Code: [Select]
hxxp://reklamen7.ru/indigo/rapport.exe
md5sum ===> 8ce87fa325fe53cb565580e9b22d303f
SHA256 ===> a7fd527927907ddd7f5835ebbbfae61b4bd86f491a4c9db5d070f70a2b7be8ea
https://www.virustotal.com/es/analisis/a7fd527927907ddd7f5835ebbbfae61b4bd86f491a4c9db5d070f70a2b7be8ea-1275293806
VT 0/41 (0%)
Title: Re: New Zeus server
Post by: jackberri on June 01, 2010, 06:33:09 am
IP Location: Moldova - UNINETMD-AS S.C. Uninet S.R.L
IP 195.170.178.60
AS39858
Email Registrant: contact@privacyprotect.org
Updated Date: 18-may-2010
Creation Date: 01-May-2010
Code: [Select]
hxxp://domain455110.com/nhjq/n09230945.asp
md5sum ===> 8bbab6f07f9a19bbd09670f0fafa54f9
SHA256 ===>  d453370328036b9e18a0ab5c9c7a1efd7b1ca8895b391ee7f8dfde8116750254
Code: [Select]
hxxp://domain455110.com/nhjq/redir.php
Title: Re: New Zeus server
Post by: jackberri on June 01, 2010, 10:34:23 am
IP Location: Poland - NETART - NetArt Autonomous System NetArt Spolka Akcyjna S.K.A  
IP 85.128.244.127
AS15967
[aoj127.rev.netart.pl]
Registrant's handle: ovh4a9e6e409rlt (INDIVIDUAL)
Code: [Select]
www.seo-cms.pl/_mod/tmp/w/config.bin
md5sum ===> 0f1933e92de365ec62a50f71d4f442b1
SHA256 ===> 1310ced9f6abcb5ee4c4e45c89099fd6ca4ee6bc70d34602b471e51111016092
Code: [Select]
hxxp://www.seo-cms.pl/_mod/g.exe
md5sum ===> ea8a806bcd374f4c5149ab3026760042
SHA256 ===> e56cfaa5b2a889bb79eb0cd9714f6e915313476b2eeb68b2ee7df4860215c411
https://www.virustotal.com/es/analisis/e56cfaa5b2a889bb79eb0cd9714f6e915313476b2eeb68b2ee7df4860215c411-1275399036
VT 33/41 (80.49%)
Code: [Select]
hxxp://www.seo-cms.pl/_mod/tmp/w/gate.php
more:
Code: [Select]
www.seo-cms.pl/_mod/
Title: Re: New Zeus server
Post by: jackberri on June 01, 2010, 03:09:13 pm
IP 193.105.207.103
AS50793
Registrant/Email Registrant: Thomas Alexandre/support@okrison.com
Code: [Select]
hxxp://okrison.com/ftp/net.bin
md5sum ===> b1503e9aedca391c8112db3a0a4068a2
SHA256 ===> 5bc09232abac92325c32e46dd46a626966ae4dafb1ebb09a400ba5eb24d326b6
Code: [Select]
hxxp://okrison.com/ftp/net.exe
md5sum ===> ff7c6371745e1e0a4a96cf505fbb4f6e
SHA256 ===> ef1ad4e76548711c4a57aaa301c821b20856f36be613e15d2cee3f5b4b87efeb
https://www.virustotal.com/es/analisis/ef1ad4e76548711c4a57aaa301c821b20856f36be613e15d2cee3f5b4b87efeb-1275404455
VT 5/41 (12.2%)
Code: [Select]
hxxp://okrison.com/ftp/gateway.php
Title: Re: New Zeus server
Post by: jackberri on June 02, 2010, 11:06:44 pm
IP Location: United States - RR-RC-Enet-Columbus
IP 173.45.117.233
AS10297
[e9.75.2d.static.xlhost.com]
Email Registrant: contact@privacyprotect.org
Code: [Select]
www.tunisia-security.com/ze/cfg.bin
md5sum ===> 9b5e0650379e654ac822cffe9ef0116c
SHA256 ===> db3ad0b3176c1af0eb9362dcecb8c81d9a23ec48a30ea1206ae969c54f3abe04
Code: [Select]
hxxp://www.tunisia-security.com/ze/bot.exe
md5sum ===> b82cb305dd628068ce172611b8e8344d
SHA256 ===> 14bb262d9b75bf74041eb67a0e66e088616203828439ac4c901a77f25600a2a2
https://www.virustotal.com/es/analisis/14bb262d9b75bf74041eb67a0e66e088616203828439ac4c901a77f25600a2a2-1275518618
VT 31/41 (75.61%)
Code: [Select]
hxxp://www.tunisia-security.com/ze/gate.php
related:
Code: [Select]
hxxp://shup.com/Shup/354526/ss.exe
md5sum ===> f723c2afc93c7dfa541a681cefe77620
SHA256 ===> 987c752d5c7b3c8c1c65d73c9bb0c0b36d632030d8368953bb211517993407b2
https://www.virustotal.com/es/analisis/987c752d5c7b3c8c1c65d73c9bb0c0b36d632030d8368953bb211517993407b2-1275519118
VT 24/41 (58.54%)
Code: [Select]
hxxp://stashbox.org/915020/ss.exe
md5sum ===> f723c2afc93c7dfa541a681cefe77620
SHA256 ===> 987c752d5c7b3c8c1c65d73c9bb0c0b36d632030d8368953bb211517993407b2

related:
Code: [Select]
hxxp://slh02.no-ip.biz:288/
Title: Re: New Zeus server
Post by: jackberri on June 03, 2010, 05:22:16 pm
IP Location: Colombia - CAPITAL-TECHNOLOGY - Capital Technology Services Group
IP 200.115.112.222
AS21560
Registrant/Email Registrant: zhou hao/ujangoc@126.com
Code: [Select]
hxxp://parfaitpournous.com/botpanel/sell2.jpg
md5sum ===> 3f0b1aacfcc7c87d0faee8ae1f66bd86
SHA256 ===>  e566c6df70baa6834ea1829a317c85c5a7fd455436be61cedb7621453bb5ea81
Code: [Select]
hxxp://parfaitpournous.com/botpanel/rofl.php
Title: Re: New Zeus server
Post by: jackberri on June 04, 2010, 10:13:09 pm
IP Location: Canada - MTO Telecom inc. Proxy Route Object Gogax - MAINT AS21793 Maintainer for Tenino Telephone
IP 76.76.101.68
[reverse-mtl-76-76-101-68.gogax.com]
AS21793
Code: [Select]
hxxp://krakinderviksa.com/jkbtezj/lib.php
Title: Re: New Zeus server
Post by: jackberri on June 05, 2010, 10:12:40 am
Code: [Select]
hxxp://lbook.org/~hjelp/cp6/bot.exe
md5sum ===> b19342766c5cdb193c27cc44255a2473
SHA256 ===> 4dfc66ce2034acc9c0b7150674fac5442c00ff23d8e0e39344a7b3c5161182df
https://www.virustotal.com/es/analisis/4dfc66ce2034acc9c0b7150674fac5442c00ff23d8e0e39344a7b3c5161182df-1275731365
VT 7/41 (17.08%)
Code: [Select]
hxxp://lbook.org/gbot2.exe
md5sum ===> e77aea12708fbfc35a95d021b8cc7557
SHA256 ===> b6f753c8f5554286709a7a892b42332e7d9424227e07ae3d7f6d9e219ed5b2ee
https://www.virustotal.com/es/analisis/b6f753c8f5554286709a7a892b42332e7d9424227e07ae3d7f6d9e219ed5b2ee-1275731514
VT 7/41 (17.08%)
related:
Code: [Select]
irc.priv8net.com
C&C Server: 85.12.60.100:51987
Title: Re: New Zeus server
Post by: jackberri on June 05, 2010, 06:09:28 pm
IP 193.105.207.120
AS
Email Registrant: gavrilov81@mail.ru
Code: [Select]
hxxp://globus-trio.ru/catalog/catalog.bin
md5sum ===> ab7d91b5d7c3b1389c17e173e841bf82
SHA256 ===> 90e823eeff6619a56cfe9fe0de60fe19fcb8231f7f046b69c874086d7dce6352
Code: [Select]
hxxp://globus-trio.ru/catalog/catalog.php
Code: [Select]
hxxp://globus-trio.ru/catalog/killaa10.exe
md5sum ===> b50606acad2827222257d23efd48dccb
SHA256 ===> 5dabd03761a35a1534cce98a16576bc6c4e2f322af020d664313d95fe55019ec
Code: [Select]
hxxp://globus-trio.ru/catalog/kill10.exe
md5sum ===> d668331822ae98a98ce1d74384d7cc0e
SHA256 ===> 306e86bbf62c9b56f7916b463d0f08f21cc907f4f7eabe7e040f41fc49d3c7f4
Code: [Select]
hxxp://globus-trio.ru/catalog/rapport10.exe
md5sum ===> faa25caf05055777b4b71b8b0cc87f56
SHA256 ===> ee61a1cae09851bcbc870bedfcb317d18a8a1701563d1b374813018ae806b758
Title: Re: New Zeus server
Post by: jackberri on June 06, 2010, 01:09:25 pm
IP Location: Ukraine - Datacentre "0x2a" Route object - net-0x2a-as Private Entrepreneur Zharkov Mukola Mukolayovuch Datacentre "0x2a"
IP 91.211.117.144
AS48587
Registrant ID:DI_10802959
Registrant/Email Registrant: Abdul/g4hosting@safe-mail.net
Code: [Select]
hxxp://installsalot.in/ca/helloworld.bin
md5sum ===> af7fb4e2d2d315347f1cea6d8d6f1219
SHA256 ===> 694fa298df6948ee0b1ae5fe03c4435d273bb5e0ea7e1b61f6f1a6f3f33e9b71
Code: [Select]
hxxp://installsalot.in/ca/go.exe
md5sum ===> f235b65866b00fb04f74652b27ae6675
SHA256 ===> 50c7df12acafeba04c83a51d23089c861b9498b407f82fce3cf2351f4b2d5579
https://www.virustotal.com/es/analisis/50c7df12acafeba04c83a51d23089c861b9498b407f82fce3cf2351f4b2d5579-1275829314
VT 33/40 (82.5%)
Code: [Select]
hxxp://installsalot.in/ca/index.php
--------
related zeusbotnet malware:
IP Location: United Kingdom - UK2.NET - UK2NET-AS UK-2 Ltd Autonomous System One
IP 109.123.78.51
[mercury.itx-dns.com]
AS13213
Protected Domain Services Customer ID: NCR-927080
Email Registrant: hostshack.net@protecteddomainservices.com
Code: [Select]
hxxp://hostshack.net/files/328997512/IC.exe
md5sum ===> 12d8f64c8d1f21863316ebfcbcc7228b
SHA256 ===> 5f2f4b37e7002c41c29344ed3370c81adb8a3358d2927580708084f221fb4521
https://www.virustotal.com/es/analisis/5f2f4b37e7002c41c29344ed3370c81adb8a3358d2927580708084f221fb4521-1275819301
VT 14/41 (34.15%)
Code: [Select]
hxxp://hostshack.net/files/328997512/STL.exe
md5sum ===> 4c38cf8a0dd52131996c03ee84498eee
SHA256 ===> bd95d8266a8c3afea3738e19bc8e32b58c90b50d230ac791f7fcc818c9cd3356
https://www.virustotal.com/es/analisis/bd95d8266a8c3afea3738e19bc8e32b58c90b50d230ac791f7fcc818c9cd3356-1275819456
VT 9/41 (21.96%)
Code: [Select]
hxxp://hostshack.net/files/328997512/E4U.exe
md5sum ===> 8002a924799a9e720eeb70d7c487d796
SHA256 ===> 00994242a5d59111d76b66860d55588852f88ab1d84c0d4c20c8dd3ad4557f2d
https://www.virustotal.com/es/analisis/00994242a5d59111d76b66860d55588852f88ab1d84c0d4c20c8dd3ad4557f2d-1275819578
VT 11/41 (26.83%)

Title: Re: New Zeus server
Post by: jackberri on June 08, 2010, 02:53:13 pm
IP 193.105.207.103
AS50793
Email Registrant: gavrilov81@mail.ru
Code: [Select]
hxxp://221212121.ru/forum/index1.lol
md5sum ===> 19ce8bcc8c07d182bfb101adbe82ab0b
SHA256 ===> edfb46110a717d3ebf03479f70f0904648fd4aba59222533652812b6808c530c
Code: [Select]
hxxp://221212121.ru/forum/login.php
Title: Re: New Zeus server
Post by: jackberri on June 09, 2010, 07:54:45 am
IP Location: Turkey - DIMENOC-HOSTDIME .com
IP 66.7.198.88
[server2.dns-principal-2.com]
AS33182
Code: [Select]
hxxp://municipalidadlagoranco.cl/images/banners/samo.jpg
md5sum ===> 03b1f3392301ef4fdf9c88827a047396
SHA256 ===> 30f908fd22051faf803bf27cf7cf29e1b6703f4c9ad0d65cdadfc1cbb69aefca
https://www.virustotal.com/es/analisis/30f908fd22051faf803bf27cf7cf29e1b6703f4c9ad0d65cdadfc1cbb69aefca-1276068710
VT 8/41 (19.52%)
related:
IP Location: Spain - AS_ARSYS-EURO-1 arsys.es
IP 217.76.130.89
[llgf010.servidoresdns.net]
AS20718
Code: [Select]
hxxp://cooperaccio.org/img/flash.bin
md5sum ===> 65a6fa54069aa0f59a7516f2c8d1d606
SHA256 ===> 7db8b3fdfae981967616c0606071036fb669ea32f51214099d2da89a53a59724
Title: Re: New Zeus server
Post by: jackberri on June 09, 2010, 09:18:04 am
IP Location: Spain - IPEOPLE Internet People SL
IP 89.207.232.14
[mercurio.dominiodns.com]
AS41287
ID: 280A-MIG1
Registrant/Email Registrant:Gualda Sancho/info@gualda.com
Code: [Select]
hxxp://caseva.es/images/totalimg.jpg
md5sum ===> 19ec9cb54270f53e6c978f11d3601e0e
SHA256 ===> 4eb8e6b76b30f2b5a9ba33d68ab2af319e622f6701c53db3310e3a84b9fe6f20
https://www.virustotal.com/es/analisis/4eb8e6b76b30f2b5a9ba33d68ab2af319e622f6701c53db3310e3a84b9fe6f20-1276070927
VT 5/40 (12.5%)
related:
Code: [Select]
hxxp://loteriahadamadrina.com/imagenes/flash.bin
md5sum ===> 9cb237d199338e6bced4c60aca23b9b7
SHA256 ===> 56d44f79706b1ff119e3e1aa66288766347445fd44b9a2e00536d03879d2a031

IP Location: United States - COGENT /PSI
IP 149.6.80.14
[ipeople.demarc.cogentco.com]
AS174
Registrant/Email Registrant:Computer Wealthy, S.L/info@computerwealthy.com
Code: [Select]
hxxp://barriolamc.com/inc/flash.bin
md5sum ===> 6861de5ddcf743c0c5820470e32149ca
SHA256 ===> e0429d55f4806d428a07e7a327d900adf5b50e9390e4c18b73adc33f171729ae
related:
Code: [Select]
hxxp://municipalidadlagoranco.cl/images/banners/cocaine.jpg
md5sum ===> 9674c2aea6d7e82c997b154eb83021dd
SHA256 ===> ce3391025337d85772e57230ea5fca32c8617303349f5a415204692e5917ceab
https://www.virustotal.com/es/analisis/ce3391025337d85772e57230ea5fca32c8617303349f5a415204692e5917ceab-1276073006
VT 6/41 (14.63%)

IP Location: France - AMEN Network
IP 62.193.209.39
[vds-873329.amen-pro.com]
AS28677
Registrant/Email Registrant: Computer Wealthy, S.L/info@computerwealthy.com
Code: [Select]
hxxp://campinglavall.net/img/packmen.jpg
md5sum ===> ed3e9c0a003b472a031d9342fd52f6d4
SHA256 ===> c42c3545e3c9ad7731a9180348c09fbb6053e458509f7bc5e08fe9853848dbe2
https://www.virustotal.com/es/analisis/c42c3545e3c9ad7731a9180348c09fbb6053e458509f7bc5e08fe9853848dbe2-1276074024
VT 5/41 (12.2%)
related:
IP Location: France - OVH ISP
IP 91.121.152.148
[host.computerwealthy.es]
AS16276
Registrant/Email Registrant:Plana Rovira S.L/nurimaso@nusvirtual.com
Code: [Select]
hxxp://llessui.com/imagenes/flash.bin
md5sum ===> 190a49722b860a2a2ac58e091370975f
SHA256 ===> 3a14a12ff939e92422f54f4816545d1519dd4015ef2dc70c9682da549396e7f5
Title: Re: New Zeus server
Post by: jackberri on June 09, 2010, 10:59:40 am
IP Location: Germany - STRATO AG
IP 81.169.145.148
[w94.rzone.de]
AS6724
Registrant/Email Registrant: Jose Manuel Reguera Silva/josemareguera@hotmail.com
Code: [Select]
hxxp://tributem.com/latbuena_11.jpg
md5sum ===> 9b80f59cc69f9e3a14bafc115b03a42a
SHA256 ===> 9ccb47a82f547ef4090a389f18893e1c0269962d88bd5a720ec975180d768b36
https://www.virustotal.com/es/analisis/9ccb47a82f547ef4090a389f18893e1c0269962d88bd5a720ec975180d768b36-1276080902
VT 6/41 (14.64%)
Code: [Select]
hxxp://tributem.com/latbuena_15.jpg
md5sum ===> 8eb894367b499f4d1664725b1223d6d6
SHA256 ===> 1f84a48a78c265d13158a262e396bc16f412800db496f030b49936fb3a64344a
https://www.virustotal.com/es/analisis/1f84a48a78c265d13158a262e396bc16f412800db496f030b49936fb3a64344a-1276080989
VT 6/41 (14.64%)
related:
Code: [Select]
hxxp://barriolamc.com/inc/flash.bin
Title: Re: New Zeus server
Post by: jackberri on June 09, 2010, 10:56:59 pm
IP Location: Chile - CL-ECSA-LACNIC ENTEL CHILE S.A
IP 200.72.1.94
[winweb.entelchile.net]
AS6471
Registrant: Alejandro Chanes Luksic
Code: [Select]
hxxp://www.alcamarsaci.cl/images/jmm.jpg
md5sum ===> 285c71451e1d43a1170c74ec0bc21e50
SHA256 ===> 5a702af4d660b82dafb75fc2aa00f827d96e138fe450823ecf4e1650e881887e
https://www.virustotal.com/es/analisis/5a702af4d660b82dafb75fc2aa00f827d96e138fe450823ecf4e1650e881887e-1276123578
VT 7/41 (17.08%)
related:
Code: [Select]
hxxp://serraniasuroeste.org/images/flash.bin
md5sum ===> f025524b0647f4e90271efc066613113
SHA256 ===> 25443550e4254dffd75c50d98f3652d1b09c5e757e91f941a48ee1896df5de67
Title: Re: New Zeus server
Post by: jackberri on June 10, 2010, 07:02:53 am
IP Location: France - PROXAD Free SAS
IP 88.191.14.154
[sd-1622.dedibox.fr]
AS12322
Registrant/Email Registrant: Antoine Porter/wcqewkxc95@gmail.com
Code: [Select]
hxxp://geroinanety.net/estatwebstat/webstat.php
dropzone for:
Code: [Select]
serraniasuroeste.org/images/flash.bin
llessui.com/imagenes/flash.bin
loteriahadamadrina.com/imagenes/flash.bin
barriolamc.com/inc/flash.bin
cooperaccio.org/img/flash.bin


IP Location: United Kingdom - FASTHOSTS-INTERNET Fasthosts Internet Ltd
IP 213.171.218.7
[server213-171-218-7.livedns.org.uk]
AS15418
Registrant/Email Registrant: valle Romano Sur Roger Allwood/rallwood@ari.es
Code: [Select]
hxxp://comunidadvalleromanosur.com/Images/vallewe.jpg
md5sum ===> 8e7ee4bda3daeeaecf6d3844690a8ca5
SHA256 ===> 9954f2b15851b2913164f95c10afde6492e37eae57d1841b8190cc8ff869c2c3
https://www.virustotal.com/es/analisis/9954f2b15851b2913164f95c10afde6492e37eae57d1841b8190cc8ff869c2c3-1276152243
VT 6/41 (14.64%)
related:
Code: [Select]
hxxp://cooperaccio.org/images/flash.bin
Title: Re: New Zeus server
Post by: jackberri on June 10, 2010, 04:58:46 pm
IP Location: Germany - HETZNER-RZ-NBG-BLK5 - HETZNER-AS Hetzner Online AG RZ
IP 78.46.39.103
[static.103.39.46.78.clients.your-server.de]
AS24940
Email Registrant: genkonrkarl11@gmail.com
Code: [Select]
hxxp://blakoneyrenr.ru/temp/re/cofag56.bin
md5sum ===> aaa0d202eff52741b68645848a6e1dba
SHA256 ===> a7c9637f3c59a82eac6bd1b918baad19d9006e98a02bfa81062e578c594c777a
Code: [Select]
hxxp://blakoneyrenr.ru/temp/re/gates5.php
TDSS:
Code: [Select]
hxxp://blakoneyrenr.ru/1276003925.exe
md5sum ===> 72c4bfd94032b71009e84cc9a376f9a3
SHA256 ===> 513f5d10d3f4ffb2622b4cbb52ace2825da72c383b36287b040da52b7a27f01e
https://www.virustotal.com/es/analisis/513f5d10d3f4ffb2622b4cbb52ace2825da72c383b36287b040da52b7a27f01e-1276187891
VT 27/41 (65.86%)
Title: Re: New Zeus server
Post by: jackberri on June 10, 2010, 07:19:16 pm
IP 195.206.246.209
AS31252
Code: [Select]
hxxp://www.inhaber-moack.com/rsyvsdg/cfg.bin
md5sum ===> 41659d924748fe0def088f51313b0435
SHA256 ===> 9f0842aee67090b00dc9e2d4cc9f1a09de7c53c45405524576787d297bdc1fad
Code: [Select]
hxxp://www.inhaber-moack.com/rsyvsdg/gate745736.php
Title: Re: New Zeus server
Post by: jackberri on June 13, 2010, 03:06:42 pm
IP Location: United Kingdom - VISN Vision Internet Network
IP 193.254.210.167
[amrod.visn.co.uk]
AS31426
Registrant: Patrick Brennan
Code: [Select]
hxxp://a3crg.co.uk/shop/images/attributes/web/config.bin
md5sum ===> f43fc79e1bac3b0f866325307e610db7
SHA256 ===> 05bd673470ca985b4e1775f636ddfbb63d988c78a2b835660bbdafec14bf1d97
Code: [Select]
hxxp://a3crg.co.uk/shop/images/attributes/web/gate.php
Title: Re: New Zeus server
Post by: jackberri on June 13, 2010, 06:57:33 pm
IP Location: France - France Telecom - Orange IP Backbone for Enterprise and french consumers
IP 81.252.196.50
[50-196.252-81.static-ip.oleane.fr]
AS3215
Code: [Select]
hxxp://zroot.info.tm/config.bin
md5sum ===> b209296b73fecaab1f45ab119138c5b0
SHA256 ===> 6cbe1174aa99eb976f8fd25a169b3795112bcd2bd1068f3a34a3a82b4eae03e6
Code: [Select]
hxxp://zroot.info.tm/gate.php
IP Location: United States - RoadRunner RR-RC-Wholesale Internet, Inc
IP 204.12.250.34
AS32097
Email Registrant: liutoy@gmail.com
Code: [Select]
hxxp://toutube.cn/config.cpm
md5sum ===> d7fb3285cc08384bd949226b2d316b1d
SHA256 ===> 88f0d2ac5b074bedf97713baef082579675fcfaf9892b05911bc1e64d6c87106
Code: [Select]
hxxp://204.12.250.34/config.cpm
md5sum ===> d7fb3285cc08384bd949226b2d316b1d
SHA256 ===> 88f0d2ac5b074bedf97713baef082579675fcfaf9892b05911bc1e64d6c87106
Title: Re: New Zeus server
Post by: .b on June 14, 2010, 12:13:25 am
Code: [Select]
Domain: ditdum.com
Full Address: ditdum.com/working/gate.php
Full Address: ditdum.com/working/iq/alg.exe (87ebabb14d7aa0e944361d0ad62a0b14)
Full Address: ditdum.com/working/iq/cfg2.bin (0bff590d279bc8918a73387dd5e0feba)
Title: Re: New Zeus server
Post by: jackberri on June 15, 2010, 06:58:51 am
IP Location: United States - Hosting Solutions International
IP 69.64.62.50
[static-ip-69-64-62-50.inaddr.intergenia.de]
AS30083
Registrant ID:AT_11711862
Registrant/Registrant Email: Kimberly/madonsa77@gmail.com
Code: [Select]
hxxp://boonz.in/vp/config.bin
md5sum ===> 5f743c36e5ac8bf43cd478aa811122c9
SHA256 ===> c5847d162c5cc7cebc15cdad859b96523f904207cb668cb658d23e6dc1161475
Code: [Select]
hxxp://boonz.in/vp/pl.php
Code: [Select]
hxxp://boonz.in/vp/ss.php?m=login
Title: Re: New Zeus server
Post by: jackberri on June 15, 2010, 09:32:55 am
IP Location: Brazil - PLUGIN VANET ISP
IP 187.61.16.234
[migreme-web01.dominiotemporarioidc.com]
AS18479
Registrant/Email Registrant: Kingo Labs/Jonny Itaya/kingolabs@kingolabs.com.br
Code: [Select]
hxxp://migre.me/P1r0
redirects to:
IP Location: Ukraine - AGGREGATE BLOCK FOR UKRTELECOM - UKRTELNET JSC UKRTELECOM
IP 92.112.118.211
[211-118-112-92.pool.ukrtel.net]
AS6849
Code: [Select]
hxxp://declaracion.bde.es.psdrv.ru/atn_www/jsp/descargar/
Code: [Select]
hxxp://declaracion.bde.es.psdrv.ru/atn_www/jsp/descargar/declaracion.exe
md5sum ===> 069d2cacf0594f13ab3c575bd3ff4499
SHA256 ===> ee46f830b11a0b7a30ebc4adfbb9f8a4c70d98d5cb1f00cd61ecdebd1e8f871a
http://www.virustotal.com/es/analisis/ee46f830b11a0b7a30ebc4adfbb9f8a4c70d98d5cb1f00cd61ecdebd1e8f871a-1276597524
VT 2/41 (4.88%)
related (already listed):
Code: [Select]
phaizeipeu.ru/bin/vusogahh.bin
Title: Re: New Zeus server
Post by: jackberri on June 15, 2010, 07:08:10 pm
IP Location: United States - Ann Arbor - Nexcess.net L.l.c
IP 208.69.122.69
[toofast.nexcess.net]
AS36444
Registrant/Registrant Email: RopeofSilicon.com LLC/bradbrevet@ropeofsilicon.com
Code: [Select]
hxxp://www.ropeofsilicon.com/Images/stories/2010/may/cannes513/software/config.bin
md5sum ===> ccb45406c0b7b7701aeed1b71819bb26
SHA256 ===> 6aba2245a2311b60ecad7286839e33037ff3453079755c87447fe63a65141546
Code: [Select]
hxxp://www.ropeofsilicon.com/Images/stories/2010/may/cannes513/software/gate.php
Code: [Select]
hxxp://www.ropeofsilicon.com/Images/stories/2010/may/cannes513/software/bot.exe
md5sum ===> e5a8a38573413c9052b8586b24928cd9
SHA256 ===> f530ef0148dbe35fc6cc55f1d027b0feacabd30076a5054ddd7a6bbced92d4c9
Title: Re: New Zeus server
Post by: jackberri on June 16, 2010, 11:44:03 am
IP Location: United States - QUADRANET
IP 66.63.181.74
AS29761
Registrant ID:CR36973518
Registrant/Registrant Email: Jennifer Obrey/jen@webworksct.com
Code: [Select]
hxxp://militaryseeds.org/kider/appicarchl/pores/flykagageses/cgtvtaloys.php?opludel
md5sum ===> 79ada2ef185941fe1a0dd12baf9eff5d
SHA256 ===> fba72063371699cf11cede968f4f96a59201c42ca15320d1c27d03477e2239c4
Code: [Select]
hxxp://militaryseeds.org/kider/appicarchl/pores/flykagageses/cgtvtaloys.php
Title: Re: New Zeus server
Post by: jackberri on June 16, 2010, 07:34:10 pm
IP Location: China - Chinanet Hunan Province Network
AS4134
Code: [Select]
hxxp://124.228.136.39/adgjlzcbm/config.bin
md5sum ===> e74bd6dc4463de0d4cd12881b5e1bd9f
SHA256 ===> d259ddcac68c1eaa9fc7f48c5fff93b2ef357749613272d2cebb59f1ccab5f2a
Code: [Select]
hxxp://124.228.136.39/adgjlzcbm/bot.exe
md5sum ===> 31ee3c91e3648622ec5ee81a9fc1161e
SHA256 ===> 75f0eb813491e5cd7fdfceeb6efd4769304484d14a3cc51b84bc9d4069d5a511
http://www.virustotal.com/es/analisis/75f0eb813491e5cd7fdfceeb6efd4769304484d14a3cc51b84bc9d4069d5a511-1276637010
VT 33/41 (80.5%)
Code: [Select]
hxxp://124.228.136.39/adgjlzcbm/gate.php
related zeusbotnet malware:
IP Location: Russian Federation - MADET-NET - DINET-AS Digital Network JSC
IP 195.2.252.153
[hosted-by.madet.info]
AS12695
Registrant/Email Registrant: Dean Morton/support@ahohonline.com
Code: [Select]
hxxp://afretroactive.com/exe.exe
md5sum ===> 0102e0c5db8732d74a2675c05b8dbe04
SHA256 ===> 0dbfef9112191e5e3d7dd651e68f8b1fdb3824f706dfe3ec383f1034eaae7937
http://www.virustotal.com/es/analisis/0dbfef9112191e5e3d7dd651e68f8b1fdb3824f706dfe3ec383f1034eaae7937-1276712805
VT 2/41 (4.88%)
related:
Code: [Select]
hxxp://96.9.182.197/mybackup21.rar
hxxp://96.0.203.114/mybackup21.rar
hxxp://173.208.150.90/mybackup21.rar
md5sum ===> fdc7d559e9db995b22ed3b857dca1b7e
SHA256 ===> 10244db559a020d4a191e790b6ab98576a2e8543b5a827a1fc5fff4e0af53dc9
http://www.virustotal.com/analisis/10244db559a020d4a191e790b6ab98576a2e8543b5a827a1fc5fff4e0af53dc9-1276603299
VT 3/41 (7.32%)
Title: Re: New Zeus server
Post by: jackberri on June 17, 2010, 09:53:15 am
IP Location: France - France Telecom - Orange IP Backbone for Enterprise and french consumers
IP 81.252.196.50
[50-196.252-81.static-ip.oleane.fr]
AS3215
Registrant/Email Registrant: Ken Foshaug/shubrickqz7en@yahoo.com
Code: [Select]
hxxp://tuxforever.tk/jack/gate.php
other malware:
Trojan Harnig:
Code: [Select]
hxxp://rapidshare.com/files/399415576/ppi1a.exe
hxxp://rs868tl3.rapidshare.com/files/399415576/ppi1a.exe
hxxp://rapidshare.com/files/399415603/ppi1b.exe
md5sum ===> 63cf91db63048359f2e0d7fc2db3fca1
SHA256 ===> 25640206d58ec57f437cb91f46fc10548b66956a4cdc8f6347e27e11f6cd039d
http://www.virustotal.com/es/analisis/25640206d58ec57f437cb91f46fc10548b66956a4cdc8f6347e27e11f6cd039d-1276767890
VT 18/41 (43.9%)
TDSS:
Code: [Select]
hxxp://rapidshare.com/files/399798492/ppi21.exe
md5sum ===> 88e7bef58e090c7369e44fe9830d2271
SHA256 ===> 81ff39956a45a3da47d3170f9a7495fe8e87f0d26545252dee47c82907279f99
http://www.virustotal.com/es/analisis/81ff39956a45a3da47d3170f9a7495fe8e87f0d26545252dee47c82907279f99-1276767740
VT 7/41 (17.1%)
Code: [Select]
hxxp://rapidshare.com/files/399798632/ppi22.exe
md5sum ===> decfa57753b1e7d55984f7bcbe54febd
SHA256 ===> 30f3cab1ec84a97a30596605100960028e1bdb965bf8617c2e8b0b9cfae2b9a9
http://www.virustotal.com/es/analisis/30f3cab1ec84a97a30596605100960028e1bdb965bf8617c2e8b0b9cfae2b9a9-1276767487
VT 7/40 (17.5%)
trojan:
Code: [Select]
hxxp://rapidshare.com/files/399832883/GoldenInstall12.exe
md5sum ===> 2fc752f7c64aa55426c70d35be0d4f80
SHA256 ===> 31d39b9d12b82d7bd761b752f934d2884c4a2f2518982988d2900b79919490e9
http://www.virustotal.com/es/analisis/31d39b9d12b82d7bd761b752f934d2884c4a2f2518982988d2900b79919490e9-1276767620
VT 22/41 (53.66%)
Title: Re: New Zeus server
Post by: jackberri on June 17, 2010, 05:51:20 pm
IP Location: China - CHINA-TELECOM
IP 59.53.91.124
AS4134
Email Registrant: contact@privacyprotect.org
Code: [Select]
hxxp://biztoolbar.com/ze/cofag56.bin
md5sum ===> 24fbdaaa20b78123ea6c459954ef3476
SHA256 ===> ef1d167d4c97134e95cd7179737e120df98232b555dccdbd0168e400dae10da1
Code: [Select]
hxxp://biztoolbar.com/ze/botetz.exe
md5sum ===> ee5e43ef4386d1e81911bc839c0aa03a
SHA256 ===> 1b327d7a06de60817c89e9a68f9bbe3c456bb4ab08aae55189989edfe8c598ad
http://www.virustotal.com/es/analisis/1b327d7a06de60817c89e9a68f9bbe3c456bb4ab08aae55189989edfe8c598ad-1276795937
VT 20/40 (50%)
Code: [Select]
hxxp://biztoolbar.com/ze/gates5.php
TDSS:
Code: [Select]
hxxp://biztoolbar.com/1272003965.exe
md5sum ===> 9df7639728429748939d42671a06c4ab
SHA256 ===> dba39b8c091becf760d8d68943ba98b308c4d62b2986c135f811445da9229258
http://www.virustotal.com/es/analisis/dba39b8c091becf760d8d68943ba98b308c4d62b2986c135f811445da9229258-1276794565
VT 33/40 (82.50%)
Trojan Dropper:
Code: [Select]
hxxp://biztoolbar.com/agressive.exe
md5sum ===> 3315287968320a0dc4d045d3dae935b4
SHA256 ===> 1268d1f0b4fcdeb8953b1d3e7e9b4350660e442ca24f56ee5d2bc1a2e9e3741a
http://www.virustotal.com/es/analisis/1268d1f0b4fcdeb8953b1d3e7e9b4350660e442ca24f56ee5d2bc1a2e9e3741a-1276796369
VT 37/40 (92.5%)
Title: Re: New Zeus server
Post by: jackberri on June 18, 2010, 09:45:28 am
IP Location: Russian Federation - Volgograd - Pe Bondarenko Dmitriy Vladimirovich
IP 91.213.174.10
AS29106
Registrant/Email Registrant: Dmitriy/bondarenkoip1@gmail.com
Code: [Select]
hxxp://update-windows7.com/go.php
other domains:
Code: [Select]
vvxxn.com
trust-update.com
microsoft-update.name
googie-update.com
Title: Re: New Zeus server
Post by: jackberri on June 18, 2010, 06:31:02 pm
IP Location: United States - THEPLANET-AS2 ThePlanet.com Internet Services, Inc.
IP 174.120.23.124
[7c.17.78ae.static.theplanet.com]
AS21844
Code: [Select]
hxxp://budgetvip.com.vn/apache.jpg
md5sum ===> b5a83846bb7dfb00e27cc977fd42a8fe
SHA256 ===> 40b705a4f3fd2d438be22e40dddd71d0874d4df9980a83fa28b5352225f3e536
Code: [Select]
hxxp://medianservicebz.net/webstate/webstat.php
related (Rogue-Fake-AV):
Code: [Select]
hxxp://shop.tiredwolfhome.com/main.php?h=budgetvip.com.vn&i=JsWpjdIcr/Oljhj7U8VHy5gXog==&e=4
IP Location: Russian Federation - Volgograd - Pe Bondarenko Dmitriy Vladimirovich
IP 178.208.83.6
[s2.h.mchost.ru]
AS35415
Email Registrant: kitsul71@gmail.com
Code: [Select]
hxxp://sex-gifts.ru/includes/Archive/images/gate.php
TDSS:
Code: [Select]
hxxp://sex-gifts.ru/includes/Archive/1276674934.exe
md5sum ===> e43fa8404b4b23e5aeac856858aa98b9
SHA256 ===> 6612c8f4c887e321b016f1b85d8b3498cb20daf835be189f59892fea204b7135
http://www.virustotal.com/es/analisis/6612c8f4c887e321b016f1b85d8b3498cb20daf835be189f59892fea204b7135-1276862623
VT 4/40 (10%)

IP Location: United Kingdom - GOSCOMB-AS Goscomb Technologies Limited Based in the London Docklands
IP 93.89.80.112
[dns1.rx-commission.com]
AS39326
Registrant ID:Edns-r3780905
Registrant/Email Registrant: Tait Chris/pdg@alef.sc
Code: [Select]
hxxp://podgorz.org/zuo/zsweb_cleaned/config.bin
md5sum ===> a6714d5eda45a88e611dd41501a93c54
SHA256 ===> c3db1dccee8f916c54f102647b367a70228d1497f724727b3c34d029acfefabf
Code: [Select]
hxxp://podgorz.org/zuo/zsweb_cleaned/bot.exe
md5sum ===> c8105186058fb4e29accdd7d5239994a
SHA256 ===> 3065380250b2b9e55190732068bd883550af42a28decb6df33c381563a73bac9
http://www.virustotal.com/es/analisis/3065380250b2b9e55190732068bd883550af42a28decb6df33c381563a73bac9-1276880758
VT 38/41 (92.69%)
Code: [Select]
hxxp://podgorz.org/zuo/zsweb_cleaned/gate.php
Title: Re: New Zeus server
Post by: jackberri on June 19, 2010, 08:52:22 am
IP Location: Argentina
IP 186.18.69.201
[cpe-201.69.18.186.in-addr.arpa]
AS27747
Code: [Select]
hxxp://doctornimnul.com/webstat/flash03.bin
md5sum ===> acd80ff1a16969811ff29e6731e5f006
SHA256 ===> fe6e59e2da26754706e05658b3981b626939a2dee68fca7827432f673be95d94
Code: [Select]
hxxp://doctornimnul.com/webstat/getimages.php
IP Location: Ukraine - DATAXATA-AS TOV Data-Xata
AS8870
[hyper-2-pr0tein-1.data-xata.net]
Code: [Select]
hxxp://91.197.131.153/cp/bot.exe
md5sum ===> 19362fd0c3527f24379df1fe3ec77794
SHA256 ===> 16b0024a98437d427207c1737245bdf7c45aa41e2af64c193da91d8b42d436c6
http://www.virustotal.com/es/analisis/16b0024a98437d427207c1737245bdf7c45aa41e2af64c193da91d8b42d436c6-1276937190
VT 21/41 (51.22%)
Code: [Select]
hxxp://91.197.131.153/cp/gate.php
Title: Re: New Zeus server
Post by: jackberri on June 20, 2010, 07:44:53 am
IP Location: Germany - KEYWEB-AS Keyweb AG
IP 87.118.84.17
AS31103
[ns.km13002-05.keymachine.de]
Email Registrant: zond80@gmail.com
Code: [Select]
hxxp://b.chto.su/cfg2.bin
md5sum ===> a800bd2edea21d783edfec42ae1dd6d5
SHA256 ===> b890a8beb9528a741e2f25acda03d72dcad1875792c5bcfb04a53fab88f960f2
Code: [Select]
hxxp://b.chto.su/bot.exe
md5sum ===> 985b4dda9cb26ba071609da3caea1833
SHA256 ===> dd60c9492c32663fbda93e572b4c01f370a552ff82f06d0fa95179c7955b928f
http://www.virustotal.com/analisis/dd60c9492c32663fbda93e572b4c01f370a552ff82f06d0fa95179c7955b928f-1275149278
VT 32/41 (78.05%)
Code: [Select]
hxxp://b.chto.su/gate.php
IP Location: Germany
IP 95.169.184.8
AS31103
Registrant/Email Registrant: Washer, Emilie/emwash37@gmail.com
Code: [Select]
hxxp://sekmoon.net/1.php
IP Location: Netherlands - XL-AS XL Network
IP 194.60.207.200
[cp-005.xl-is.net]
AS35470
Code: [Select]
hxxp://hermes1.nl/apache.jpg
md5sum ===> b5a83846bb7dfb00e27cc977fd42a8fe
SHA256 ===> 40b705a4f3fd2d438be22e40dddd71d0874d4df9980a83fa28b5352225f3e536
dropzone:
IP Location: France - PROXAD Free SAS
IP 88.191.38.208
AS12322
[forumcrea.com]
Registrant/Email Registrant: Antoine Porter/wcqewkxc95@gmail.com
Code: [Select]
hxxp://medianservicebz.net/webstate/webstat.php
Code: [Select]
related (already listed): budgetvip.com.vn/apache.jpg
Title: Re: New Zeus server
Post by: jackberri on June 20, 2010, 12:40:52 pm
IP 91.216.122.6
AS49544
Registrant/Email Registrant: Harry Bishop/Harry.PBishop@yahoo.com
Code: [Select]
hxxp://malbobro.org/qwerty/cfg2.bin
md5sum ===> febc2ed8f7117e68bbf01dec3c4c6b2c
SHA256 ===> 815132eea433478b1bcfd43094cc31e941956d8aaafaab7b8064e03b41f89d9e
Code: [Select]
hxxp://malbobro.org/qwerty/bot.exe
md5sum ===> 95157978d6b7e6e990c6952c097f9506
SHA256 ===> ae9a1472546e6490f8bd39de3b37bd1889ce00c1fef1165714570646c68ca0ef
http://www.virustotal.com/analisis/dd60c9492c32663fbda93e572b4c01f370a552ff82f06d0fa95179c7955b928f-1275149278
VT 31/41 (75.61%)
Code: [Select]
hxxp://malbobro.org/qwerty/gate.php
Code: [Select]
dropzone for am-remorquage.fr/alogo.jpg (already listed):
IP Location: France - FR-DEDIBOX
IP 88.191.38.208
[forumcrea.com]
AS12322
Code: [Select]
hxxp://www.blogjo.biz/webstate/webstat.php
related (fake av):
IP Location: Netherlands - LeaseWeb AS
IP 95.211.131.185
[hosted-by.leaseweb.com]
AS16265
Code: [Select]
hxxp://ns2.kpi-graphics.com/main.php?h=am-remorquage.fr&i=J8mjj9QYr/miihj7U8RPw50Xog==&e=4
related:
Code: [Select]
traff.pohuy.ws/
issintm.pohuy.ws/
Title: Re: New Zeus server
Post by: jackberri on June 20, 2010, 02:09:59 pm
IP Location: China - Sun Rise Technology Co.ltd
IP 121.101.216.195
AS4847
Registrant/Email Registrant: Ted Thorson/kentos@gwab.com
Code: [Select]
hxxp://senders2010.com/sites/up.bin
md5sum ===> 285bb8dfaac3018257cfae3e18e36ba4
SHA256 ===> 2b74a68f4ed0ada67659c015704eabef4bf657fa2809d7eb9543f7f1939aaca8
Code: [Select]
hxxp://senders2010.com/sites/update.exe
md5sum ===> ce72195b65287b4f277fbfbc87d36fbc
SHA256 ===> fe7e312905d36aac3e700f97b40345629fb1e604e0976dd82d4a03b3fa944e2c
http://www.virustotal.com/es/analisis/fe7e312905d36aac3e700f97b40345629fb1e604e0976dd82d4a03b3fa944e2c-1277042061
VT 31/41 (75.61%)
Code: [Select]
hxxp://senders2010.com/sites/index1.php
IP Location: China - Sun Rise Technology Co.ltd
IP 121.101.216.232
AS4847
Registrant/Email Registrant: Michael Gray/migray71@yahoo.com
Code: [Select]
hxxp://grigga-sinna.com/mix/brug.bin
md5sum ===> 8c3acd7efebab9c5528b54b11215f9f2
SHA256 ===> 94f851fb973bf363a0cc5f9c1b60e4ec791326f852b7128905b9f29a8d44d78b
Code: [Select]
hxxp://grigga-sinna.com/mix/prts.exe
md5sum ===> d81e236fc7be8998fcb9e7c7fe487396
SHA256 ===> 5a9185a3b1b59657dbfd6dbefe3c1bdc678e66316216311f7aa8bbba9c3d7fe3
http://www.virustotal.com/es/analisis/5a9185a3b1b59657dbfd6dbefe3c1bdc678e66316216311f7aa8bbba9c3d7fe3-1277040703
VT 27/41 (65.86%)
Code: [Select]
hxxp://grigga-sinna.com/mix/s.php
other sites:
Code: [Select]
infoshok.info
newdaypeace.org
sokam.info
superhomelawn.com
keroholek.net
Title: Re: New Zeus server
Post by: jackberri on June 22, 2010, 06:55:08 pm
IP Location: Netherlands - Deziweb first PI netblock - OXILION-AS Oxilion B.V.
IP 91.198.106.196
[vds658.deziweb.com]
AS48539
Code: [Select]
hxxp://amsterdamtoteheran.nl/apache.jpg
md5sum ===> bbde3bab4a97ed75736b761169a80491
SHA256 ===> d8fb95049fb0335d9780b26fad9e73cfc8e6f64ebd33a2074433b4c19e6aab79

IP Location: Slovenia - SiOL.SI, Provider Aggregated Block SiOL Internet d.o.o - SIOL-NET Telekom Slovenije d.o.o
IP 193.189.160.32
[sirius-b.siol.net]
AS5603
Code: [Select]
hxxp://www.amar-co.si/apache.jpg
md5sum ===> bbde3bab4a97ed75736b761169a80491
SHA256 ===> d8fb95049fb0335d9780b26fad9e73cfc8e6f64ebd33a2074433b4c19e6aab79

dropzone (already listed) for amar-co.si & amsterdamtoteheran.nl:
Code: [Select]
hxxp://medianservicebz.net/webstate/webstat.php
IP Location: Slovenia - SiOL.SI, Provider Aggregated Block SiOL Internet d.o.o - SIOL-NET Telekom Slovenije d.o.o
IP 76.76.101.70
[reverse-mtl-76-76-101-70.gogax.com]
AS21793
Registrant/Email Registrant: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://hikmesanbukais.com/hdsr/dst/lob.php
trojan:
Code: [Select]
hxxp://hikmesanbukais.com/kl/fu.exe
md5sum ===> 1d1e6f890238caffa88580944c51f9a5
SHA256 ===> 212362344cc0acd66dbbfc648ed20ce01144631c3ce9a456392cc45690a44be7
http://www.virustotal.com/es/analisis/212362344cc0acd66dbbfc648ed20ce01144631c3ce9a456392cc45690a44be7-1277211749
VT 24/41 (58.54%)

other malware:
Trojans Downloader Agent:
IP Location: United States - ASN-NA-MSG-01 Managed Solutions Group, Inc.
IP 205.209.143.94
AS27645
Code: [Select]
hxxp://www.20iamback.com/u81.htm
md5sum ===> e3b0cc89dcab6a97d692e7f52d67ec1a
SHA256 ===> a693613ec60d1e949bd45bfcccaf8d9d903946627cf16788b72e485e5a2ae36b
http://www.virustotal.com/es/analisis/a693613ec60d1e949bd45bfcccaf8d9d903946627cf16788b72e485e5a2ae36b-1277230296
VT 21/40 (52.5%)

IP Location: United States - Comcast Cable Communications, Inc - FDCSERVERS AS for FDC Servers
IP 76.73.94.174
[hypassin.com]
AS30058
Registrant/Email Registrant: li yugang/3691994400@qq.com
Code: [Select]
hxxp://www.battl1e.net/sharp/mti1.htm
md5sum ===> 671e48127ed944f410b38ff5bb107d68
SHA256 ===> c1ea1701b254a62471b8290e7b686ff4266ad4cea94907cece8cda63be2044d6
http://www.virustotal.com/es/analisis/c1ea1701b254a62471b8290e7b686ff4266ad4cea94907cece8cda63be2044d6-1277231536
VT 4/40 (10%)
Code: [Select]
hxxp://www.battl1e.net/sharp/on2n.htm
md5sum ===> 015e372f8d7ca449e5cf43d6073af411
SHA256 ===> 7c5c10b0ccc7b449a8ffb36874fdfe405ac9a2c8b4bf4a298de803a20a98b0b2
http://www.virustotal.com/es/analisis/7c5c10b0ccc7b449a8ffb36874fdfe405ac9a2c8b4bf4a298de803a20a98b0b2-1277231238
VT 5/41 (12.2%)
Code: [Select]
hxxp://www.battl1e.net/uhy.htm
md5sum ===> 5e101107e979eb6a64bce44a7da95d0e
SHA256 ===> 6d14b2c720ad66b558ac209c03550fcff005a023984d49c6149ce6f32e3e3eef
http://www.virustotal.com/es/analisis/6d14b2c720ad66b558ac209c03550fcff005a023984d49c6149ce6f32e3e3eef-1277231745
VT 4/41 (9.76%)

Title: Re: New Zeus server
Post by: jackberri on June 23, 2010, 10:01:53 am
IP Location: Viet Nam
IP 125.212.165.128
AS24086
Registrant ID:2b630a2f7c47b122
Registrant/Registrant Email: Paul Hohlbein/wadosihp948@gmail.com
Code: [Select]
hxxp://indexxor.info/apachev2.jpg
md5sum ===> 6385fecbebd8c6e23eee13d9338d2dec
SHA256 ===> 064e0ed3ad53486dedc49b8a28729b96c75dceef346949474ad72aaf6b4dcd48
dropzone:
IP Location: France - PROXAD Free SAS
IP 88.191.17.26
[sd-2179.dedibox.fr]
AS24086
Registrant ID:2b630a2f7c47b122
Registrant/Registrant Email: Matthew Johnson/ruyerfky9@gmail.com
Code: [Select]
hxxp://pteradaktel.net/webstate/webstat.php
Title: Re: New Zeus server
Post by: jackberri on June 23, 2010, 10:40:40 am
IP Location: Netherlands - Deziweb first PI netblock - OXILION-AS Oxilion B.V.
IP 91.198.106.67
[s2.wlserver.nl]
AS48539
Code: [Select]
hxxp://deltalloydbusinesscourse.nl/apache.jpg
md5sum ===> bbde3bab4a97ed75736b761169a80491
SHA256 ===> d8fb95049fb0335d9780b26fad9e73cfc8e6f64ebd33a2074433b4c19e6aab79
related (Fake AV):
IP Location: Netherlands - LeaseWeb AS Amsterdam
IP 95.211.131.185
AS16265
[hosted-by.leaseweb.com]
Registrant/Registrant Email: Eureka Jewelry Design/cmsherwin@aol.com
Code: [Select]
hxxp://ns1.eurekajewelrydesign.com/main.php?h=deltalloydbusinesscourse.nl&i=Jcmog9Qeo/Osjxj7U8VHw5sXog==&e=r
Title: Re: New Zeus server
Post by: jackberri on June 24, 2010, 06:32:10 am
IP Location: China - CHINA-TELECOM
IP 59.53.91.124
AS4134
Registrant Email: abusehostserver@gmail.com
Code: [Select]
hxxp://anuegonahui.cn/config.bin
md5sum ===> 95db42b1bd8ea82f2edc4ffe0019f634
SHA256 ===> 2ac0157c3f8081e6c2bf3d518afafbea6b1fb1ccc5c5c3b6d92e006c186167d2
Code: [Select]
hxxp://anuegonahui.cn/bot.exe
md5sum ===> b2025cee825ce13e8528933b3b935ebe
SHA256 ===> 908e343756deabf97023ef9a1f226671dffbf0ce74e6abaca7d8076e1fb2296a
http://www.virustotal.com/es/analisis/908e343756deabf97023ef9a1f226671dffbf0ce74e6abaca7d8076e1fb2296a-1277360554
VT 19/41 (46.35%)
Code: [Select]
hxxp://anuegonahui.cn/game.php
Title: Re: New Zeus server
Post by: jackberri on June 24, 2010, 06:56:29 am
config file:
IP Location: Bosnia and Herzegovina - GlobalNET Bosnia - BA-GLOBALNET-AS GlobalNET Bosnia x Internet Service Provider
IP 77.78.240.44
AS42560
Registrant ID:45597597-NSI
Registrant/Registrant Email: Bit System/dalass233@hotmail.com
Code: [Select]
hxxp://googletracker.info/mp3/music/wave.bin
md5sum ===> 043f142e4945e37e7efcbcc05a80a3d1
SHA256 ===> 244c188a2ce07e065de3c9c9edf9e6e15b9915a7417f2715d91fbf2396a6a4f2

ZeuS trojan:
IP Location: United States - PNAP-LAX softlayerexempt - SOFTLAYER Technologies Inc
IP 75.126.124.164
[voda13.vodahost.com]
AS36351
Registrant ID:  69436O786844
Registrant/Registrant Email: Zubin Hiramanek/zubin11@hotmail.com
Code: [Select]
hxxp://pulselocums.com.au/media/sound.exe
md5sum ===> 8c81399fe156f3f129e5f1a2079699ba
SHA256 ===> 191d6ac238d6684a385380826bcf34f2698632c2ca9fbc57f4143b0310ea5cc0
http://www.virustotal.com/es/analisis/191d6ac238d6684a385380826bcf34f2698632c2ca9fbc57f4143b0310ea5cc0-1277361797
VT 16/40 (40%)
Title: Re: New Zeus server
Post by: jackberri on June 24, 2010, 09:59:23 am
IP Location: Russian Federation - KALUGA-NET - KALUGANET AI Ltd
IP 193.104.34.63
AS50108
Registrant Email: admin@playwithout.ru
Code: [Select]
hxxp://baqrr.ru/bong0.bmp
md5sum ===> b050887bc71b11023d7e29d6068a3a3f
SHA256 ===> 30d281187c566f6841fecd88bd3a835b98a2abdfe0ec59c2865babd3c7200578

IP Location: Russian Federation - KALUGA-NET - KALUGANET AI Ltd
IP 193.104.34.63
AS50108
Registrant Email: admin@esamigo.ru
Code: [Select]
hxxp://evvke.ru/index1.php
IP Location: Moldova - STARNET-AS StarNet Moldova
IP 195.206.246.222
AS31252
Registrant Email: admin@vipcastlefinal.ru
Code: [Select]
hxxp://8string.ru/file1.exe
md5sum ===> c060a4b811adcb90e69ad828b1022006
SHA256 ===> 0751829476a46ca638f6402e0b4a3ddb11064ffd582acf743785036cd16e7d08
http://www.virustotal.com/es/analisis/0751829476a46ca638f6402e0b4a3ddb11064ffd582acf743785036cd16e7d08-1277371457
VT 8/41 (19.52%)
Code: [Select]
hxxp://8string.ru/file2.exe
md5sum ===> 0f03f9476d0c01e0a49be0aa9f927298
SHA256 ===> 1ba4df1d150b52e2cd942867cde21b20cd52fde4a337cb08f90ba82c21b5fcc1
http://www.virustotal.com/es/analisis/1ba4df1d150b52e2cd942867cde21b20cd52fde4a337cb08f90ba82c21b5fcc1-1277371674
VT 3/41 (7.32%)
Code: [Select]
hxxp://8string.ru/file3.exe
md5sum ===> 6a2242f2b0fc2ec60728eb3236693b31
SHA256 ===> 4284a957de21cb626f5888cff7bd4a3fe2ea2fddf783d4112d7f84f0273bb010
http://www.virustotal.com/es/analisis/4284a957de21cb626f5888cff7bd4a3fe2ea2fddf783d4112d7f84f0273bb010-1277371852
VT 8/41 (19.52%)

IP Location: Moldova - STARNET-AS StarNet Moldova
IP 195.206.246.222
AS31252
Registrant ID: OLNI_197517_0_0
Registrant/Registrant Email: Uter Fallen/admin@kannat.biz
Code: [Select]
hxxp://kannat.biz/gate.php
related:
Code: [Select]
hxxp://eadboong.com/ztvb/gate/
Title: Re: New Zeus server
Post by: jackberri on June 24, 2010, 06:11:27 pm
AS42953
email: roman@moscapital.ru
Code: [Select]
hxxp://91.194.0.40/aud2version.bin
md5sum ===> 0d2631cea467c852466e547772ad5c10
SHA256 ===> 143ac466450f5142bc36dff3d70ec18cd74a4aa7e4c70a32366007279f32c72a

inetnum:        91.194.0.0 - 91.194.1.255
netname:        MOSCOWCAPITALBANK-NET
descr:          Bank Moscowskiy Kapital Ltd.
country:        RU

org:            ORG-BMKL1-RIPE
organisation:   ORG-BMKL1-RIPE
org-name:       Bank Moscowskiy Kapital Ltd.
org-type:       OTHER
Title: Re: New Zeus server
Post by: jackberri on June 25, 2010, 10:36:10 am
IP Location: Netherlands - Nxs Internet BV
IP 217.115.197.58
[php4.cluster2.nxs.nl]
AS16237
Code: [Select]
hxxp://rjd-010.nl/apache.jpg
hxxp://rjd-010.nl/apachev2.jpg
md5sum ===> bbde3bab4a97ed75736b761169a80491
SHA256 ===> d8fb95049fb0335d9780b26fad9e73cfc8e6f64ebd33a2074433b4c19e6aab79
dropzone (already listed):
Code: [Select]
hxxp://pteradaktel.net/webstate/webstat.php
IP Location: Netherlands - Gelderland Internet Exchange - GL-IX-AS
IP 77.95.248.188
[e3-srv74.server.eu]
AS43190
Code: [Select]
hxxp://pugs.nl/apache.jpg
hxxp://pugs.nl/apachev2.jpg
md5sum ===> bbde3bab4a97ed75736b761169a80491
SHA256 ===> d8fb95049fb0335d9780b26fad9e73cfc8e6f64ebd33a2074433b4c19e6aab79
dropzone (already listed):
Code: [Select]
hxxp://pteradaktel.net/webstate/webstat.php
Title: Re: New Zeus server
Post by: jackberri on June 25, 2010, 12:02:44 pm
IP Location:           - Najada route - INTERACTIVE3D-AS Interactive3D
IP 91.216.122.18
AS49544
Registrant/Registrant Email: Scott Christie/s.christie10@yahoo.com
Code: [Select]
hxxp://pezdeshnosti.net/agressive.exe
md5sum ===> 0351dccb2fab5b3553881cc7a7834996
SHA256 ===> 30292cc5a042b91009c2aa0db157f362abd45893b61bd6277ad6c143d1c2c0a0
http://www.virustotal.com/es/analisis/30292cc5a042b91009c2aa0db157f362abd45893b61bd6277ad6c143d1c2c0a0-1277464259
VT 19/41 (46.35%)
Code: [Select]
hxxp://pezdeshnosti.net/ddd/gate436465.php
related:
Code: [Select]
server12.ss2.name
Title: Re: New Zeus server
Post by: jackberri on June 25, 2010, 04:24:50 pm
IP Location: Netherlands - Nxs Internet BV
IP 217.115.197.59
[php5.cluster2.nxs.nl]
AS16237
Code: [Select]
hxxp://werkenbijdlapiper.nl/apache.jpg
Code: [Select]
hxxp://werkenbijdlapiper.nl/apachev2.jpg
md5sum ===> bbde3bab4a97ed75736b761169a80491
SHA256 ===> d8fb95049fb0335d9780b26fad9e73cfc8e6f64ebd33a2074433b4c19e6aab79
dropzone (already listed):
Code: [Select]
hxxp://pteradaktel.net/webstate/webstat.php
IP Location: Singapore - QALA Singapore Pte Ltd - QALA-SG-AP M1 Connect Pte Ltd
IP 210.193.49.130
[svr10.focushub.com]
Registrant/Registrant Email: Bryan Wong/SIDEWALK10@ZERO.AD.JP
AS17547
Code: [Select]
hxxp://praisemytee.com/apache.jpg
Code: [Select]
hxxp://praisemytee.com/apachev2.jpg
md5sum ===> bbde3bab4a97ed75736b761169a80491
SHA256 ===> d8fb95049fb0335d9780b26fad9e73cfc8e6f64ebd33a2074433b4c19e6aab79
dropzone (already listed):
Code: [Select]
hxxp://pteradaktel.net/webstate/webstat.php
related (Fake AV):
Code: [Select]
hxxp://wiki.joymineralcosmetics.com/main.php?h=praisemytee.com&i=J8moj9sbrP6sihj7U8VDy5sXog==&e=4
IP Location: France - Ovh Sas
IP 213.186.33.87
[cluster014.ovh.net]
AS16276
Code: [Select]
hxxp://marathon-demenagement.fr/alogo.jpg
md5sum ===> db0601b2aadb6ea03b0828203b365c84
SHA256 ===> 1749b809f111f27f4fe666969bafbd50e655bf2b6448918805dab63c3a9b0f74
dropzone (already listed):
Code: [Select]
hxxp://www.blogjo.biz/webstate/webstat.php
IP Location:  Malaysia  - Exa Bytes Network Sdn.Bhd - EXABYTES-AS-AP Exa Bytes Network Sdn.Bhd
IP 110.4.45.98
AS46015
Code: [Select]
hxxp://solartif.com.my/alogo.jpg
md5sum ===> db0601b2aadb6ea03b0828203b365c84
SHA256 ===> 1749b809f111f27f4fe666969bafbd50e655bf2b6448918805dab63c3a9b0f74
dropzone (already listed):
Code: [Select]
hxxp://www.blogjo.biz/webstate/webstat.php
related (Fake AV):
Code: [Select]
hxxp://ns1.joymineralcosmetics.com/main.php?h=solartif.com.my&i=JcSvj9Qarf+mihj7U8VDw5kXog==&e=4
IP Location:  Malaysia  - Exa Bytes Network Sdn.Bhd - EXABYTES-AS-AP Exa Bytes Network Sdn.Bhd
IP 110.4.45.111
[bramble.mschosting.com]
AS46015
Code: [Select]
hxxp://wic.com.my/alogo.jpg
md5sum ===> db0601b2aadb6ea03b0828203b365c84
SHA256 ===> 1749b809f111f27f4fe666969bafbd50e655bf2b6448918805dab63c3a9b0f74
dropzone (already listed):
Code: [Select]
hxxp://www.blogjo.biz/webstate/webstat.php
related (Fake AV):
Code: [Select]
hxxp://blog.onlyyoulifestyle.com/main.php?h=wic.com.my&i=JcSvj9Qarf+njRj7U8VCw5IXog==&e=4
related:
Code: [Select]
hxxp://tviwvo.pohuy.ws/t/t?
IP Location:  Netherlands  - LEASEWEB - LeaseWeb AS
IP 85.17.3.199
AS16265
Code: [Select]
hxxp://markec.by/alogo.jpg
md5sum ===> db0601b2aadb6ea03b0828203b365c84
SHA256 ===> 1749b809f111f27f4fe666969bafbd50e655bf2b6448918805dab63c3a9b0f74
dropzone (already listed):
Code: [Select]
hxxp://www.blogjo.biz/webstate/webstat.php
Fake AV for supradem.fr
Code: [Select]
hxxp://wwww.causeof.org/main.php?h=supradem.fr&i=J8mjj9QYr/mhgRj7U8tHz5kXog==&e=4
hxxp://wwww.causeof.org/main.php?i=J8mjj9QYr/mhgRj7U8tHz5kXog==&e=3

IP Location:  Russian Federation - Bank Moscowskiy Kapital Ltd
AS42953
Code: [Select]
hxxp://91.194.0.20/beemstofadm.bin
md5sum ===> 70002aa44905bb6fdacac4d951fdc759
SHA256 ===> 4d830e91fe7a64a760a92abd6aebe01f605a21747da5a5e056798cf653341490

other malware
trojan dropper agent
Code: [Select]
hxxp://hostshack.net/files/328997512/UltimateCodes.exe
md5sum ===> 8c3f8827614de3692cb3cc7ef73c5ff0
SHA256 ===> e4a4f62ed8f562fdf03ab1a4e49beb2818f97bfe41af76770eb0cc76cb00953e
http://www.virustotal.com/es/analisis/e4a4f62ed8f562fdf03ab1a4e49beb2818f97bfe41af76770eb0cc76cb00953e-1277480863
VT 2/41 (4.88%)

IP Location:  China  - China Telecom Guangxi province - CHINA-TELECOM
IP 222.217.221.27
AS4134
Code: [Select]
hxxp://ip.yihaha.org/gorun.exe
md5sum ===> 1398a666565e0b0e0266abcaf19e57ba
SHA256 ===> 493f577832ab229332b2919a0c93d2169b1fd32e3c0972d8450ba32036114c3f
http://www.virustotal.com/es/analisis/493f577832ab229332b2919a0c93d2169b1fd32e3c0972d8450ba32036114c3f-1277481037
VT 14/40 (35%)
Code: [Select]
hxxp://ip.yihaha.org/click.exe
md5sum ===> 31802c1c776687f837eb0f5877da1798
SHA256 ===> bab6f1cc6ad9c9d7b101ac6bf7f8722cc03c033070f95c229feec61cf99215b7
http://www.virustotal.com/es/analisis/bab6f1cc6ad9c9d7b101ac6bf7f8722cc03c033070f95c229feec61cf99215b7-1277481507
VT 15/40 (37.5%)
Title: Re: New Zeus server
Post by: jackberri on June 26, 2010, 09:07:29 am
IP: peer-to-peer networking?
Registrant/Registrant Email: Peter A. Bush/PeterABush@example.com
Code: [Select]
hxxp://mnbvicdij4uhdjb5421knnkd.com/bin/oraha.bin
hxxp://mnbvicdij4uhdjb5421knnkd.com/bin/orahxa.bin
md5sum ===> dfd46f8fdf3084984f57580fbe4f40b9
SHA256 ===> eca7c31d4ca9f6dd749657db69e3d28045a19ff926c085d38f57c7072d376961
Code: [Select]
hxxp://mnbvicdij4uhdjb5421knnkd.com/xman/xman.bin
md5sum ===> 4b39facc0eb63bfe05d7b0bae4a8a125
SHA256 ===> a5fa854b55e81f62789bfb5a0951f4a9b75fb45ef34fcb9d02edfcfbc5b68785
Code: [Select]
hxxp://mnbvicdij4uhdjb5421knnkd.com/bin/orahxa.exe
md5sum ===> 824957281e4a1f35d5ccb5d93c90c238
SHA256 ===> d09833c762096ea1ee3d3ad4b6a76eff08c956937b2eca53077a071ca08a31d5
Code: [Select]
hxxp://mnbvicdij4uhdjb5421knnkd.com/xman/xman.exe
md5sum ===> a394e171555b406295465d4c49df81fb
SHA256 ===> 48f5cd3e3630cbbc6df5abbe09fb6fa0815b8b58cfebe26eb51ddacb75c2e705
Code: [Select]
hxxp://mnbvicdij4uhdjb5421knnkd.com/xman/gogo.php
IP Location: France - Ovh Sas
IP 213.186.33.19
[cluster010.ovh.net]
AS16276
Code: [Select]
hxxp://supradem.fr/alogo.jpg
md5sum ===> db0601b2aadb6ea03b0828203b365c84
SHA256 ===> 1749b809f111f27f4fe666969bafbd50e655bf2b6448918805dab63c3a9b0f74
dropzone (already listed):
Code: [Select]
hxxp://www.blogjo.biz/webstate/webstat.php
IP 121.101.216.210
AS4847
Code: [Select]
hxxp://bewartokken.com/blog/post.php
Title: Re: New Zeus server
Post by: jackberri on June 26, 2010, 04:51:45 pm
IP Location: Ukraine  - TTC Network -TTC-AS Naukanet (TopNET) UA Aggregation network Autonomous System Nauka-Svyaz Ukraine
IP 195.128.226.132
AS31445
Code: [Select]
hxxp://uk-microsoft.com/src/update.set
md5sum ===> 7f0c711c31eff1da7128dc7a09fcccb2
SHA256 ===> 82da35bd8a470c2e0c3b85c32d74275efb72c5ead935f39847448755b83c1a42
Code: [Select]
hxxp://uk-microsoft.com/src/update.exe
md5sum ===> 45e4849ee69dac0d095f9b9c2f57ebbf
SHA256 ===> dbdbb1e839730b353d264a8a01837d0f96348d71364bb2ef18fd1c018c67c35d
http://www.virustotal.com/es/analisis/dbdbb1e839730b353d264a8a01837d0f96348d71364bb2ef18fd1c018c67c35d-1277570693
VT 9/40 (22.5%)

IP Location:   Bosnia and Herzegovina  - GlobalNET Bosnia
IP 77.78.239.43
AS42560
Code: [Select]
hxxp://acunetxweb.net/123/footer.php

IP Location:   United States  - DIMENOC-HOSTDIME
IP 66.7.218.232
[dime167.dizinc.com]
AS33182
Code: [Select]
hxxp://clibs.co.uk/website/wp-image.php
other malware:
Trojan PWS
IP Location:  Brazil  - IGB
IP 200.226.249.3
[3.249.226.200.in-addr.arpa.ig.com.br]
AS14571
Code: [Select]
hxxp://masterconsultora.hpg.com.br/rex.jpg
md5sum ===> d6fee15957029fde5323dd0e4684501b
SHA256 ===> 0b2fc62d3090c9c09b8ea254597423fe57945e996df71d2da5d5e235e83e9666
http://www.virustotal.com/es/analisis/0b2fc62d3090c9c09b8ea254597423fe57945e996df71d2da5d5e235e83e9666-1277569409
VT 16/41 (39.03%)
Title: Re: New Zeus server
Post by: jackberri on June 28, 2010, 09:45:10 am
IP Location:  Kazakhstan - AlfaHost LLP. Route Object -ALFAHOSTNET Alfa-Host LLP
IP 193.105.207.102
AS50793
Registrant/Registrant Email: Private Person/vatchin@mail.ru
Code: [Select]
hxxp://postmetoday.ru/dks8k/dks9postmetoday2main.jpg
md5sum ===> 47ede4152325b6d9f1cd3aa854c763d6
SHA256 ===> 8e18a407775ea0b6dbcdc92e4037a2972bdc70470976d623dbeaf8f9b5776cfd
Code: [Select]
hxxp://postmetoday.ru/exe8k/pump.exe
md5sum ===> d660aae712adc5e1d23d2500a13b4cfd
SHA256 ===> 2d225cd78f0649521c4c9ee5cd9c195be35aecc8f2f988e846dc5bbdeeb9d683
http://www.virustotal.com/es/analisis/2d225cd78f0649521c4c9ee5cd9c195be35aecc8f2f988e846dc5bbdeeb9d683-1277712943
VT 6/41 (14.64%)
Code: [Select]
hxxp://postmetoday.ru/admin8sia/datapump.php
IP Location:  United States - ThePlanet.com Internet Services, Inc - THEPLANET-AS2
IP 174.120.169.226
[gator1078.hostgator.com]
AS21844
Registrant: Joel Garcia
Code: [Select]
hxxp://teendx.com/cfg2.bin
md5sum ===> 71f5ec16f3ddbd89489136effbb5550e
SHA256 ===> d9b23e76e72a24647fd6548ca88e5473701218cd6c889c804422375a339d09b8
Code: [Select]
hxxp://teendx.com/bot.exe
md5sum ===> d7e2eff1f08983b5a18a95019a68384f
SHA256 ===> 591b0abcfd67bac9993e17b3394e902a413958cee51c908bc5936595cb06e4ed
http://www.virustotal.com/es/analisis/591b0abcfd67bac9993e17b3394e902a413958cee51c908bc5936595cb06e4ed-1277716625
VT 33/40 (82.5%)
Code: [Select]
hxxp://teendx.com/gate.php
IP Location:  China - CHINANET-BJ-METRO BeijingTelecom
IP 121.101.216.205
AS4847
Registrant/Registrant Email: Migdalia Diaz/MillieDiaz4@aol.com
Code: [Select]
hxxp://promo-standart.info/kiker/cfg.bin
md5sum ===> a40eb43a6b5fb5482bbcddb28debbc4e
SHA256 ===> 55049575bf6fe4bb9fb49dece4293dcdf5769fb077d2a61eded15d7c38661208
Code: [Select]
hxxp://promo-standart.info/kiker/gate.php
related:
Code: [Select]
www.sinergy-dl.com
www.streetgetthen.net
www.coolparts31.tw/S_main/
www.artfromdown.net
www.lightrootlog.net
www.laveseekk.com

Title: Re: New Zeus server
Post by: jackberri on June 29, 2010, 07:38:04 am
IP Location:  China - China Telecom JiangXi province - CHINA-TELECOM
IP 59.53.91.121
AS4134
Registrant/Registrant Email: Yulia Degtyar/sweet@5mx.ru
Code: [Select]
hxxp://cutewizard.com/dee/ger.ma
md5sum ===> 10d89abfb89d76a0f5a15f96b6a331e7
SHA256 ===> d7e1d25ca04b3a79c16899595bd4e4bf367ad52eb243263fa91a6b9a8a91bdeb
Code: [Select]
hxxp://cutewizard.com/dee/dee.exe
md5sum ===> 732e5ff8d836a86fcd4044ae52c9b85e
SHA256 ===> 0be99b50325e2bb382ec7e19b4f565423efb802f1abb9a47dbed53cd2b4bc969
http://www.virustotal.com/es/analisis/0be99b50325e2bb382ec7e19b4f565423efb802f1abb9a47dbed53cd2b4bc969-1277795973
VT 6/41 (14.64%)
dropzone:
IP Location:  Thailand - TRUEINTERNET-TH - TRUE-AS-AP True Corporation Co.,Ltd
IP 124.122.173.242
[ppp-124-122-173-242.revip2.asianet.co.th]
AS17552
Registrant/Registrant Email: Daria Inozemtseva/order@bigmailbox.ru
Code: [Select]
hxxp://brushcourt.com/ger/gfhsk.php
other malware:

Trojan
IP Location:  United States - BurstNET Technologies
IP 64.191.57.201
[64-191-57-201.hostnoc.net]
AS21788
Code: [Select]
hxxp://wywg.yinlongtrade.com.cn/wywg/mssj/brittle.exe
md5sum ===> 3ea4ad5f9c7f03e94741ae6e1b097bef
SHA256 ===> 818ae77ada06bd35ff021e27b79442b60ad3d19151d02e2224ab9ee7df84826f
http://www.virustotal.com/es/analisis/818ae77ada06bd35ff021e27b79442b60ad3d19151d02e2224ab9ee7df84826f-1277733648
VT 7/41 (17.08%)
Title: Re: New Zeus server
Post by: jackberri on June 29, 2010, 11:15:51 am
IP Location:  United Kingdom - Heart Internet Network via Node4 AS - NODE4-AS Node4 Ltd, UK
IP 79.170.40.52
[web52.extendcp.co.uk]
AS31727
Registrant/Registrant Email: Daisy Thomas Recruitment Group/sales@creativeideaz.co.uk
Code: [Select]
hxxp://daisythomas.com/statsme/plugins/geoip_region_maxmind.bin
md5sum ===> 22417ac3b694b5ec382127906f87ae29
SHA256 ===> b630124a342092bed8b5f7ce085887ac563a35de52a9af2cb02e7eb5e9ed0220
Code: [Select]
hxxp://daisythomas.com/statsme/plugins/geoip_region_maxmind.exe
md5sum ===> b1dcd0653d80183d4f68e3602aa53489
SHA256 ===> 646b5d923cc236e705fefe1d145c0eb6abb22b1e7d804309a70191d194e66d77
http://www.virustotal.com/es/analisis/646b5d923cc236e705fefe1d145c0eb6abb22b1e7d804309a70191d194e66d77-1277816453
VT 8/40 (20%)
dropzone:
IP Location:   United States  - DIMENOC-HOSTDIME
IP 66.7.218.232
[dime167.dizinc.com]
AS33182
Registrant: Transinvest
Code: [Select]
hxxp://clibs.co.uk/website/wp-image.php
Title: Re: New Zeus server
Post by: jackberri on June 29, 2010, 03:31:11 pm
IP Location: Hungary  - DREAMSHOW-NET-ROUTE - INTEGRITY-HU-AS INTEGRITY Informatics Ltd. HU
IP 212.52.173.242
[start1.integrity.hu]
AS28924
Registrant: Pintér András
Code: [Select]
hxxp://dominator.hu/alogo.jpg
md5sum ===> db0601b2aadb6ea03b0828203b365c84
SHA256 ===> 1749b809f111f27f4fe666969bafbd50e655bf2b6448918805dab63c3a9b0f74
dropzone (already listed):
Code: [Select]
hxxp://www.blogjo.biz/webstate/webstat.php
related (Fake AV):
Code: [Select]
hxxp://blog.homeofthetiredwolf.com/main.php?h=www.dominator.hu&i=J8mtitEeq/2liBj7U8VPzJgXog==&e=4
Title: Re: New Zeus server
Post by: jackberri on June 29, 2010, 10:19:18 pm
IP Location:  Germany - UNITEDCOLO-AS Autonomous System of unitedcolo.de
IP 213.202.225.90
[213.202.225.90.rdns.funpic.de]
AS13301
Code: [Select]
hxxp://ago1980.ag.funpic.org/bot.exe
md5sum ===> 65620a78ab15ad64f74cd40252c768b9
SHA256 ===> 6058a0e659bff8f25cbad2c9bd24dc1d78a554e4faadf8a887228456d0aea284
http://www.virustotal.com/es/analisis/6058a0e659bff8f25cbad2c9bd24dc1d78a554e4faadf8a887228456d0aea284-1277849210
VT 37/41 (90.25%)

IP Location: United Kingdom  - UKNOC-RT - UKNOC-AS
IP 85.92.66.151
[raleigh.mywebserver.net]
AS34282
Registrant: Youth City
Code: [Select]
hxxp://queeryouth.org.uk/apache.jpg
md5sum ===> 72b3fd7df26fa7373e37ebba3217dd0c
SHA256 ===> 524987b336958f6f0a2c964cfa9d1973a7ba23f6d1346db4c153c48abd14f700
related (Fake AV):
Code: [Select]
hxxp://wiki.global-sourcing.us/main.php?h=queeryouth.org.uk&i=JcioiNIco/2lgRj7U8VDyJwXog==&e=r
Title: Re: New Zeus server
Post by: jackberri on June 30, 2010, 10:06:47 am
IP Location: Austria  - ANEXIA Internetdienstleistungs GmbH - ANEXIA-AS ANEXIA
IP 188.65.75.18
[s1312-4576.anx-cus.at]
AS42473
Registrant Email: peterr333444@gmail.com
Code: [Select]
hxxp://makeadifference.be/botpanel/sell2.jpg
md5sum ===> 4e9fc48a199cdf7266a625cbb304295a
SHA256 ===> c7179c2d1e4f1a0af3ef86ccd1348b994e75b26595d568fad36d1c8a45b6b807
Code: [Select]
hxxp://makeadifference.be/botpanel/rofl.php
Title: Re: New Zeus server
Post by: jackberri on June 30, 2010, 12:22:26 pm
IP Location: Ukraine  - TTC Network - TTC-AS Naukanet (TopNET) UA
IP 195.128.226.131
AS31445
Code: [Select]
hxxp://uahwya.com/ba.jpg
md5sum ===> f0964649e0ec806d9637e179ba115adc
SHA256 ===> 573a75a9f311e8d62c76d40f0cd8789be9fb16d118628ae25551bf29c23e3737
IP Location: Ukraine  - TTC Network - TTC-AS Naukanet (TopNET) UA
IP 195.128.226.133
[homenet2.br01-kiev-vlan1029.ttc-network.com]
AS31445
Code: [Select]
hxxp://parrd.ru/bot2.exe
md5sum ===> 2a475f77a3069a97abc50cab8f6a1e88
SHA256 ===> f6eccb32a71e567417e1a2d5277cfe8c3d45b8edd9aa5c2f64ac202ae630aab5
http://www.virustotal.com/es/analisis/f6eccb32a71e567417e1a2d5277cfe8c3d45b8edd9aa5c2f64ac202ae630aab5-1277895811
VT 6/41 (14.64%)
Code: [Select]
hxxp://uahwya.com/entra.php
Title: Re: New Zeus server
Post by: jackberri on June 30, 2010, 10:27:05 pm
Code: [Select]
hxxp://91.194.0.101/adm32dll.bin
md5sum ===> 5e9a49a29033d1be097d1f9c10ed04d3
SHA256 ===> 46dae5d8ac076492d68a47ef2f1a55ec77edcb7bb36e14616e4b4284ed91694a

Code: [Select]
hxxp://91.194.0.103/aud2milk.bin
md5sum ===> fd36cf40f3922a55deefe21551ba93d2
SHA256 ===> 43775b79d38a3e94a4f5650654af916246325b5a1b9815f9cca10dc95f4b2687
Title: Re: New Zeus server
Post by: jackberri on July 01, 2010, 07:36:48 am
IP Location:  China - China Telecom JiangXi province - CHINA-TELECOM
IP 59.53.91.121
AS4134
Registrant/Registrant Email: Alexander Kupalo/eons@fastermail.ru
Code: [Select]
hxxp://coralfund.com/gbt/uka.ok
md5sum ===> 10d89abfb89d76a0f5a15f96b6a331e7
SHA256 ===> d7e1d25ca04b3a79c16899595bd4e4bf367ad52eb243263fa91a6b9a8a91bdeb
dropzone:
IP Location:  Puerto Rico - One Link Network
IP 70.45.55.199
[host-70-45-55-199.onelinkpr.net]
AS36423
Registrant/Registrant Email: Private Person/vc@bigmailbox.ru
Code: [Select]
hxxp://www.sdlls.ru/uka/gfdsk.php
IP Location:  Algeria - FAWRI-AS FAWRI
IP 41.201.194.86
AS36947
Code: [Select]
hxxp://zeusbotnet.dvrdns.org/zs/builder/cfg.bin
md5sum ===> fe55125edf9cdc32d4715a403393cb47
SHA256 ===> 830b20d0e0cfd0007b57f17e9561cba14eec2ba561043eb931b46225834f35ba
Code: [Select]
hxxp://zeusbotnet.dvrdns.org/zs/builder/bot.exe
md5sum ===> 7c30163695673a4e330f43d2bcb74817
SHA256 ===> 8d736067477dfe2a7f56a022cbfb117fc2600626e1d215580e00d8a21bd5f9a6
http://www.virustotal.com/es/analisis/8d736067477dfe2a7f56a022cbfb117fc2600626e1d215580e00d8a21bd5f9a6-1277968752
VT 32/40 (80.00%)
Code: [Select]
hxxp://zeusbotnet.dvrdns.org/zs/builder/zbs.exe
md5sum ===> ab601226d71547965fa2978ca4179516
SHA256 ===> 40ec906cd32d4582f25e52b3fe501ad1b2f8f33521fbf9b63f7bcb3635b9ed33
http://www.virustotal.com/es/analisis/40ec906cd32d4582f25e52b3fe501ad1b2f8f33521fbf9b63f7bcb3635b9ed33-1277968932
VT 37/40 (92.5%)
Code: [Select]
hxxp://zeusbotnet.dvrdns.org/zs/web/gate.php

Code: [Select]
hxxp://zeusbotnet.dvrdns.org/zs/server/zsbcs.exe
md5sum ===> cffd1eb96af02773c36c0701f9918dea
SHA256 ===> 8ef56edf211fe9130c08e505911054f74392cf7f29a4c3f4947e622ff65ed3bb
http://www.virustotal.com/es/analisis/8ef56edf211fe9130c08e505911054f74392cf7f29a4c3f4947e622ff65ed3bb-1277969299
VT 35/41 (85.37%)
Code: [Select]
hxxp://zeusbotnet.dvrdns.org/zs/server/zsbcs64.exe
md5sum ===> 89bfeb1912308a243871979d70e6475c
SHA256 ===> 362000ea79980aef80eeab94686b0d44c7f6785501ed0f61fe85a279bbf06c65
http://www.virustotal.com/es/analisis/362000ea79980aef80eeab94686b0d44c7f6785501ed0f61fe85a279bbf06c65-1277969161
VT 11/41 (26.83%)
Title: Re: New Zeus server
Post by: jackberri on July 01, 2010, 12:23:37 pm
IP Location:  Ireland - HOSTING365-AS Number for Hosting 365 Ireland Limited
IP 82.195.136.187
[victoria.xeonserver-six.co.uk]
AS29650
Code: [Select]
hxxp://www.albanianblogger.com/theme/config.bin
md5sum ===> fbe443b862f0fa1dcf22ea3834ed9d09
SHA256 ===> 7b0301c2fdda56abca790ea1661a08e254ad9e84bf4843ef65e69464d9306579
Code: [Select]
hxxp://www.albanianblogger.com/theme/bot.exe
md5sum ===> 8f15e62c93a3e87147fb3226901ed603
SHA256 ===> 06cb66c0dcba7ca9c901d8995f03b13cc4afb42f40b4ef30ad4511c3ef4c2e8b
http://www.virustotal.com/es/analisis/06cb66c0dcba7ca9c901d8995f03b13cc4afb42f40b4ef30ad4511c3ef4c2e8b-1277986263
VT 37/41 (90.25%)
Code: [Select]
hxxp://albanianblogger.com/theme/gate.php
IP Location:  Italy - INTERBUSINESS - ASN-IBSNAZ Telecom Italia S.p.a.
IP 79.0.249.151
[host151-249-dynamic.0-79-r.retail.telecomitalia.it]
AS3269
Registrant/Registrant Email: Emmett Frank/EmmettFrank@gmail.com
Code: [Select]
hxxp://h45h45t9.com/altDEssss.img
md5sum ===> 427f472f94c1f91125e740dca7bf4361
SHA256 ===> 2ce5f07a99b8bda501738daa23c76964ae497d2ebf110c77f4f86cf100b48a58
Code: [Select]
hxxp://h45h45t9.com/umba/DfwbdV.php
IP Location:  Germany - Surfplanet GmbH PA-Block
AS33984
Code: [Select]
hxxp://85.88.26.76/net/cfg2.bin
md5sum ===> 1e0375df1ab33e4ca2e5f351ae6684a4
SHA256 ===> 32f3e19978ae6af0246af8c539764fd2aa6d43ea46885306626ac7412112165b
Code: [Select]
hxxp://85.88.26.76/net/bot.exe
md5sum ===> d091e24aae36f1a3e2ba024671ce07d8
SHA256 ===> c02d61f134c08b69dd0e3a862a1916c522c778f2471e46a07968365d1b11a208
http://www.virustotal.com/es/analisis/c02d61f134c08b69dd0e3a862a1916c522c778f2471e46a07968365d1b11a208-1277985204
VT 33/41 (80.49%)
Code: [Select]
hxxp://85.88.26.76/net/gate.php
Title: Re: New Zeus server
Post by: jackberri on July 01, 2010, 08:11:21 pm
IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.68
AS29106
Registrant/Registrant Email: Addel Lois/admin@goodndservice.net
Code: [Select]
hxxp://winupdatedll.com/cp/tasksz.php?dc
hxxp://winupdatedll.com/cp/l/28/552c8f123505033d61ee6fa34fd793ba/2da59421dae579c26522846bf962c1b5
hxxp://winupdatedll.com/cp/r/28/552c8f123505033d61ee6fa34fd793ba/2da59421dae579c26522846bf962c1b5
downloads ===> 1.exe
md5sum ===> e5045e518178225c8db85bbd44730359
SHA256 ===> aad6beb87ee3093ed8e8d43de8019123bc75c670213a9643e376b244abb7e53f
http://www.virustotal.com/es/analisis/aad6beb87ee3093ed8e8d43de8019123bc75c670213a9643e376b244abb7e53f-1278012920
VT 4/41 (9.76%)
dropzone:
IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.68
AS29106
Registrant/Registrant Email: Garmin Kubinsky/fole@fox.net
Code: [Select]
hxxp://sakjt3r5a.com/t0.php
IP Location:  Ukraine - TTC Network - TTC-AS Naukanet (TopNET) UA Aggregation network Autonomous System
IP 195.128.226.133
[homenet2.br01-kiev-vlan1029.ttc-network.com]
AS31445
Registrant/Registrant Email: Private Person/admin@bestcasinotop.ru
Code: [Select]
hxxp://ssjl.ru/backup.tgz
md5sum ===> d8b9c0ae36562435dc27046cec95e86d
SHA256 ===> 3161b06d73e98aebc414b84e5a040cec8a6d94b4346b2a617c3e76bbe558298f
dropzone:
IP Location:  Ukraine - TTC Network - TTC-AS Naukanet (TopNET) UA Aggregation network Autonomous System
IP 195.128.226.133
[homenet2.br01-kiev-vlan1029.ttc-network.com]
AS31445
Registrant/Registrant Email: Private Person/admin@bestcasinotop.ru
Code: [Select]
hxxp://uiao.ru/sdkljhdfdlgklk3434.php
related:
Code: [Select]
parrd.ru
Title: Re: New Zeus server
Post by: jackberri on July 02, 2010, 03:02:37 pm
IP Location:   Ukraine  - SPD Shahnazarova Y.M. Route Objectk - Pe Volovik Elena Sergiyvna
IP 193.105.174.46
AS196954
Registrant ID: CO717108-RT
Registrant/Registrant Email: Pavel Pugachev/ya_whois@yandex.ru
Code: [Select]
hxxp://cocainy.biz/solara/cofaginok.sin
md5sum ===> 5b6b6f740cea934ab355de7232a0d26f
SHA256 ===>  95dd87abfef60cd25b97f3c59df3e3e341ded19e6e19826d3b9ff6d922b1018c
Code: [Select]
hxxp://cocainy.biz/solara/Jdkfdsdss.php
IP Location: Canada  - NETELL-20 - NETELLIGENT Hosting Services Inc
IP 209.44.103.10
[p10.em-n.org]
AS10929
Registrant ID: ncr-7190003-9748
Registrant/Registrant Email: Jakd eM/getjak3d@gmail.com
Code: [Select]
hxxp://zeusbot.xvn.in/web/cfg.bin
md5sum ===> 3d0699962db5840b45ef8e8a3a302272
SHA256 ===>  e05845e50b1a4a2f8af87492e11b29e72ad83aaf13dd0dbfc00a7bf461e236af
Code: [Select]
hxxp://zeusbot.xvn.in/web/ldr.exe
md5sum ===> 8d5c5f7f79ae45fff71332cbe0e3d17c
SHA256 ===>  1f3b1f80817ee0061bdfa989dfe12c76f3076f494b9c6b33c1a51d365f1ff89b
http://www.virustotal.com/es/analisis/1f3b1f80817ee0061bdfa989dfe12c76f3076f494b9c6b33c1a51d365f1ff89b-1278067725
VT 31/41 (75.61%)
Code: [Select]
hxxp://zeusbot.xvn.in/web/gate.php
Title: Re: New Zeus server
Post by: jackberri on July 03, 2010, 12:29:41 pm
IP Location:   Austria  - ANEXIA Internetdienstleistungs GmbH - ANEXIA-AS ANEXIA
IP 188.65.74.72
AS42473
Registrant/Registrant Email: Domain Admin/contact@privacyprotect.org
Code: [Select]
hxxp://domain460013.com/nhjq2/n09230945.asp
md5sum ===> 2848486625b4047a3444923dab914393
SHA256 ===>  09446d23a9fcc90046f7eea4518e2db230621858552f4ea10c145ff758ad3b65
Code: [Select]
hxxp://domain460013.com/nhjq2/document.doc
md5sum ===> 0f58de965e77108ab21f852c4a96f4ef
SHA256 ===>  f1d17dbb8753cfd66c6b18c30b9a9713fe3e11c2b491a4f571458fd9d02787dd
Code: [Select]
hxxp://domain460013.com/nhjq2/pereday.php
IP Location: United States  - HOSTNOC-8BLK Block1 - BurstNet Technologies, Inc.
IP 184.82.18.41
[184-82-18-41.hostnoc.net]
AS21788
Registrant/Registrant Email: Ekaterina Gilmanova/filed@qx8.ru
Code: [Select]
hxxp://hfcpda.com/gb/misc
md5sum ===> aeb34917633682c8c2a46ee000b3dd30
SHA256 ===>  b448f3c7505bd5742d1660fbe2a86838c5d7db1cfa542e42de288698f7955e49
related:
IP Location: United States  - PNAP-LAX softlayerexempt - SOFTLAYER Technologies Inc.
IP 74.86.13.144
[force.imageleet.net]
AS36351
Registrant: Pauleen Wainwright
Code: [Select]
hxxp://promotiveimage.co.uk/syndicates/flash.exe
md5sum ===> 64c0d5a36b2e91d5d4bf27f903afa699
SHA256 ===>  f069134ef97aec218b428f504cdb8ae467ad23fc98adb06bedf3540fcf2e2e5d
http://www.virustotal.com/es/analisis/f069134ef97aec218b428f504cdb8ae467ad23fc98adb06bedf3540fcf2e2e5d-1278158457
VT 15/41 (36.59%)
Code: [Select]
hxxp://promotiveimage.co.uk/syndicates/flashplayer.exe
md5sum ===> 6cdf7118d8a719a34a66c2bf40ea1658
SHA256 ===>  86f43c48325ee68a95d81f8ddc1c7174fb0882d65c783cd62778f6982cf4ee65
http://www.virustotal.com/es/analisis/86f43c48325ee68a95d81f8ddc1c7174fb0882d65c783cd62778f6982cf4ee65-1278158149
VT 19/41 (46.35%)
Code: [Select]
hxxp://promotiveimage.co.uk/syndicates/flashupdate.exe
md5sum ===> 55d39b196e1ac496a355e9bc16de3ba1
SHA256 ===>  e962af6f7a4166b0bac0e2ef52f6d627594910f83bc305f4f911e6b239ca62fe
http://www.virustotal.com/es/analisis/e962af6f7a4166b0bac0e2ef52f6d627594910f83bc305f4f911e6b239ca62fe-1278157876
VT 20/41 (48.79%)
Title: Re: New Zeus server
Post by: jackberri on July 07, 2010, 12:36:10 pm
IP Location: United States  - HOSTNOC-8BLK Block1 - BurstNet Technologies, Inc.
IP 114.80.142.16
AS46393
Registrant/Registrant Email: Pavel Bubnov/kings@bigmailbox.ru
Code: [Select]
hxxp://regflinbullst.net/mas/cfg.bin
md5sum ===> 5fff4b1e62a0ccaa17e7d9251f17ed98
SHA256 ===>  906cf82e9815e99d58ccca975142020259d703ffafd094f45098882465903c55

IP Location: Russian Federation  - DATACENTER2 - INFOBOX-AS Infobox.ru Autonomous System.
IP 77.221.140.102
AS30968
Registrant Email: support@infobox.ru
Code: [Select]
hxxp://z140877.infobox.ru/admin/c.bin
md5sum ===> ce3ad838b74ec3a39669042bdd0685b2
SHA256 ===>  b3b3636c3eaa429927983b5594a9d14613faf07bb1a8246bec07e5bb1f8e38ab
Code: [Select]
hxxp://z140877.infobox.ru/admin/bot.exe
md5sum ===> 99b9ad7ded46dc6ba48c7e1d55c62528
SHA256 ===>  72e05c605abfba1e3ecba8c59702b210a97ad0a21fc7b01177fc5f0820e77e88
http://www.virustotal.com/es/analisis/72e05c605abfba1e3ecba8c59702b210a97ad0a21fc7b01177fc5f0820e77e88-1278400852
VT 6/40 (15%)
Code: [Select]
hxxp://z140877.infobox.ru/admin/g.php
IP Location: Moldova  - STARNET-AS StarNet
IP 195.206.246.250
AS31252
Registrant/Registrant Email: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://update-java.com/src/update2.set
md5sum ===> 19093e2e96156992a3d340c2820df6e1
SHA256 ===>  83d8f984ce0a210dcbecaf691eeac154d21eb2135b836aeb029cb3c03db49de5

IP Location:  Kazakhstan  - AlfaHost LLP. Route Object - ALFAHOSTNET Alfa-Host LLP.
IP 193.105.207.102
AS50793
Registrant/Registrant Email: Private Person/vatchin@mail.ru
Code: [Select]
hxxp://mywebsource.ru/392cfg9/292mywebsource2main.jpg
md5sum ===> 1c70d927ba14a85590184e89eba7e271
SHA256 ===>  4b19658f43c7a16803edc045143f00c30a375c426c661fc7b64525e251b18461
Code: [Select]
hxxp://mywebsource.ru/exe38s/myweb.exe
md5sum ===> 927b31e911e6ac61cfc00315f1f02c9c
SHA256 ===>  c0bb2861d0a126b2b180368dd3de65ffb77556b2da6b730e1b96c3d30ae66d54
http://www.virustotal.com/es/analisis/c0bb2861d0a126b2b180368dd3de65ffb77556b2da6b730e1b96c3d30ae66d54-1278319008
VT 14/41 (34.15%)
Code: [Select]
hxxp://mywebsource.ru/flash/adobe.php
IP Location: United States  - PEAKCLT Peak 10
IP 216.134.204.32
[mail.123wealthquest.com]
AS19271
Registrant/Registrant Email: Domains by Proxy, Inc./SWINGTIMING.COM@domainsbyproxy.com
Code: [Select]
hxxp://swingtiming.com/images/graph7.jpg
md5sum ===> 406ccc0947df51d2e66b7f845e97a9f3
SHA256 ===>  79810eb885d33832f6efda9aab0a4d909166cceaaffb1dc40ed0f493e9fbffbd
dropzone:
Code: [Select]
hxxp://keybussines.com/main/
IP Location: Moldova  - STARNET-AS StarNet Moldova
IP 195.5.161.5
AS31252
Registrant ID: MESHDM-161504
Registrant/Registrant Email: Francis Maskrey/yolahume@rocketmail.com
Code: [Select]
hxxp://vertucom62.me/mas/cfg.bin
md5sum ===> fddba3a01c97932e84543923b4a3aae8
SHA256 ===>  20f14c0b5e85abb0332da2abcaafbd92cfea55bdbdcaff8f755dac985f3aabdf

IP Location: Russian Federation  - SINCHROLINE-ROUTE - SYNCHROLINE Autonomous System Syncroline Ltd
IP 217.171.64.154
[ctes.ll.sl.ru]
AS20630
Registrant/Registrant Email: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://ggooggle.net/first.bin
md5sum ===> 2bd5ff898e7b2d60498a518c4ff86f03
SHA256 ===>  9392c75411747eb0711f2c284f1e9d862c698405cfcc12993f495827b3e3116e
dropzone:
IP Location: Russian Federation  - HETZNER-RZ-FKS-BLK2 - HETZNER-AS Hetzner Online AG RZ
IP 178.63.3.186
[de2.reserver.ru]
AS24940
Registrant/Registrant Email: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://kingdonald.net/welcome.php
Title: Re: New Zeus server
Post by: S!Ri on July 07, 2010, 12:44:05 pm
Code: [Select]
http://www.umach.nl/images/zoom1.gif
MD5: 11D313B26F58028BE2F1D3FAEE6B75D2

Code: [Select]
http://linkbuilding.nl/boom.jpg
http://www.linkbuilding.nl/boom.jpg
Title: Re: New Zeus server
Post by: jackberri on July 08, 2010, 07:23:42 pm
IP Location: Moldova  - STARNET-AS StarNet Moldova
IP 195.206.246.246
AS31252
Registrant/Registrant Email: Alex Frog/admin@agradomhome109.com
Code: [Select]
hxxp://agradomhome109.com/A1lT0berg/KLJ5idfveE43iDrD.bin
md5sum ===> 84f3ffe670f91d35d478e1741105dd3b
SHA256 ===>  35a060f1d03045fa9fd7de494b23c7e2cec02f336c89a5355f8854bb8e58f357
Code: [Select]
hxxp://agradomhome109.com/A1lT0berg/tk76kHGFVtr6657Du4wdxytkVD4546757fj5vfv56.php
IP Location: Moldova  - STARNET-AS StarNet Moldova
IP 195.206.246.220
AS31252
Registrant/Registrant Email: Bahir Mashom/admin@google.name
Code: [Select]
hxxp://g3vrv3rveverfsd.tw/picture/gif.gif
md5sum ===> 361221fec75de5df71a2259f21c1028d
SHA256 ===>  3d05efe5711282d37f187b3837d828be25a74caf7b1bca263ab320e62987e2f0
Code: [Select]
hxxp://g3vrv3rveverfsd.tw/picture/gaterrz.php
IP Location: Russian Federation  -VLine Telecom Block Moscow - VLTELECOM-AS VLineTelecom LLC Moscow
IP 109.196.143.91
AS39150
Registrant Email: contact@privacyprotect.org
Code: [Select]
hxxp://clocktribuh.biz/14592.fop
md5sum ===> 3f58a8deed4609de200456b7fa63dcc9
SHA256 ===>  5a7d18cba86d5ea85be34f1532ec7ea952c46079cea5bc5d7f044cc87b217e13
Code: [Select]
hxxp://clocktribuh.biz/dfi4ert9fgk4g.php
IP Location: United Kingdom  - RapidSwitch Ltd - RAPIDSWITCH-AS
IP 78.129.242.243
AS29131
Registrant/Registrant Email: Dr Neil Witt/dgadd@ico3.com
Code: [Select]
hxxp://technologyenhancedlearning.net/images/6.jpg
md5sum ===> a6947b7db705c8b47a0df3c9f1c543f7
SHA256 ===>  e07a1a682c7df5c9c7e5caf5a583394e18fa68cd654d5224976c2a34f1b9d393
Code: [Select]
hxxp://technologyenhancedlearning.net/images/1.jpg
hxxp://technologyenhancedlearning.net/images/2.jpg
hxxp://technologyenhancedlearning.net/images/3.jpg
hxxp://technologyenhancedlearning.net/images/7.jpg
dropzone:
IP Location: United States  - GoDaddy.com, Inc. - Go Daddy
IP 208.109.113.170
[ip-208-109-113-170.ip.secureserver.net]
AS26496
Registrant/Registrant Email: Private Whois Service/s8zcuzf4c2b70f16a10e@n3omkv94bf61e901fd6c.privatewhois.net
Code: [Select]
hxxp://listwowgame.com/webstate/webstat.php
IP Location: China  - China Telecom JiangXi province - CHINA-TELECOM
IP 59.53.91.121
AS4134
Registrant/Registrant Email: Elena Zhuravleva/take@fastermail.ru
Code: [Select]
hxxp://playatord.com/caa/can.ad
md5sum ===> 19c40c479ddc9c4e776fccbc3e2353bf
SHA256 ===>  8ccf398008d72d90a431a972a5ed6e23b07d94cd478a7dbf760486a2eb7ce6b0
Code: [Select]
hxxp://playatord.com/caa/caa.exe
md5sum ===> dd626a7f3c6a055afb54905f061a21b2
SHA256 ===>  e4a4cd9ecf579d772a0c97e072a43019dcabed0d9c97d8e50452ae16e36af6b9
http://www.virustotal.com/es/analisis/e4a4cd9ecf579d772a0c97e072a43019dcabed0d9c97d8e50452ae16e36af6b9-1278599820
VT 13/41 (31.71%)

IP Location: Bosnia and Herzegovina  - GlobalNET Bosnia - BA-GLOBALNET-AS GlobalNET Bosnia x Internet Service Provider
IP 77.78.240.5
AS42560
Registrant/Registrant Email: Rezeda Maratovna Hairutdinova/admin@mftn.ru
Code: [Select]
hxxp://shkafu.net/loh.loh
md5sum ===> 3d1aec076c33fba43d953e150fd6e407
SHA256 ===>  3f419b4e7fd88ec45a9450d8f0b97edd770fea8ccca4cbef1fdda4e03ac68375
Code: [Select]
hxxp://shkafu.net/hren.exe
md5sum ===> b2926d18802547700f23a55457b59b50
SHA256 ===>  6cdd6dc77bcbfbe57fc397a29d67a6986b7b6fc3b93c2c6fd16ef486d2af1fde
http://www.virustotal.com/es/reanalisis.html?6cdd6dc77bcbfbe57fc397a29d67a6986b7b6fc3b93c2c6fd16ef486d2af1fde-1278608317
VT 38/41 (92.69%)
Code: [Select]
hxxp://shkafu.net/dver.php
Code: [Select]
hxxp://shkafu.net/add.exe
md5sum ===> dd626a7f3c6a055afb54905f061a21b2
SHA256 ===>  863f680a9cbb832111ef739019b661e8d732549557bc75627ca75e91a6f211aa
http://www.virustotal.com/es/analisis/863f680a9cbb832111ef739019b661e8d732549557bc75627ca75e91a6f211aa-1278607655
Title: Re: New Zeus server
Post by: jackberri on July 09, 2010, 06:55:34 am
IP Location:  Moldova - STARNET-AS
IP 195.206.246.248
AS31252
Registrant/Registrant Email: Private person/admin@bestcasinotop.ru
Code: [Select]
hxxp://vaserys.ru/2a.jpg
md5sum ===> 08a2caa22524066f4751f69236c5313b
SHA256 ===>  827f63af8160649951878b195473d195bed1b39e5a5a210acc4b61a23d9f8638
Code: [Select]
hxxp://vaserys.ru/focu.php
IP Location:  Moldova - STARNET-AS
IP 195.206.246.251
AS31252
Registrant/Registrant Email: Kate Liss/admin@vaseajretikru.com
Code: [Select]
hxxp://vaseajretikru.com/asdfghjkl/endjiany.bin
md5sum ===> fc7a2f6c2a93d556f1d84ba173d8f473
SHA256 ===>  3aa316d4f04cefa718c3704808a41a83e562ba0fd611e18782030287e42993ac

IP Location:  Russian Federation - CRONYX - RINET-AS Cronyx Plus Ltd (RiNet ISP) Autonomous System
IP 195.91.237.51
AS8331
Registrant Email: lakystrike@rambler.ru
Code: [Select]
hxxp://starsico.ru/NeW_pizdeC/configa.bin
md5sum ===> a75dfc4bc759868a9bdd33e5dbe10505
SHA256 ===>  9b5a4ac6f73706c0cb13d8d4dfd081be1db0be06fcb6faeff69f0677b49d0109
Code: [Select]
hxxp://vaserys.ru/focu.php
Title: Re: New Zeus server
Post by: jackberri on July 09, 2010, 10:31:30 am
config file:
IP Location: Malaysia  - Exa Bytes Network Sdn.Bhd. - EXABYTES-AS-AP
IP 110.4.45.100
[angelica.mschosting.com]
AS46015
Registrant/Registrant Email: Mohd Suhaimi Hassan/zam@krimnet.com
Code: [Select]
hxxp://ketengahholding.com.my/boom.jpg
md5sum ===> 636fc5028a363ab000f997c4d78cf65f
SHA256 ===>  c36d10acd33f9e198246618c6a1b75579bc0e108eba07c86ba33a5a2f1c759b4
ZeuS trojan:
IP Location: Germany  - PlusServer AG - PLUSSERVER-AS
IP 85.25.152.20
[india800.server4you.de]
AS8972
Registrant/Registrant Email: Christian Gatzen/christian@gatzen.info
Code: [Select]
hxxp://music-nah.de/zoom1.gif
md5sum ===> 9cd61119095bc039b879fa673808b08c
SHA256 ===>  37035c16e7c5b12d479b7e6bc2972946b3954eb8f43169cf2a94b3149874dff1
http://www.virustotal.com/es/analisis/37035c16e7c5b12d479b7e6bc2972946b3954eb8f43169cf2a94b3149874dff1-1278670664
VT 19/41 (46.35%)
dropzone (already listed):
Code: [Select]
hxxp://www.listwowgame.com/webstate/webstat.php
IP Location: Bosnia and Herzegovina  - GlobalNET Bosnia - BA-GLOBALNET-AS
IP 77.78.240.113
AS42560
Registrant/Registrant Email: Private Person/esvr@freemailbox.ru
Code: [Select]
hxxp://esvr1.ru/bin/aobeuzar.bin
md5sum ===> 056ceb74d44771133804a8d1eda6ae7d
SHA256 ===>  5be567e26421720b71c857f8efc08f9a47a96f56e1138159258ae5d0ba39a359
Code: [Select]
hxxp://esvr1.ru/bin/aobeuzar.exe
md5sum ===> 3063bdae2b6cdcd61dfcc4d96aeae201
SHA256 ===>  f434b993fb60090de7e85983fac298fb136bac547087811ee2ffe03861f492e0
http://www.virustotal.com/es/analisis/f434b993fb60090de7e85983fac298fb136bac547087811ee2ffe03861f492e0-1278664051
VT 36/41 (87.81%)

IP Location: China  - China Telecom JiangXi province - CHINA-TELECOM
IP 59.53.91.121
AS4134
Registrant/Registrant Email: Lyubov Bushmakina/rat@bigmailbox.ru
Code: [Select]
hxxp://snasidsopa.com/dez/dez.lo
md5sum ===> ae7ffdc100a387a1ec87c695ea10447e
SHA256 ===>  baf878574b68ab747db42e13fa620c47d5c92463947c550b3553161917a1cc26
Code: [Select]
hxxp://snasidsopa.com/dez/dez.exe
md5sum ===> 60f41a41089e6df3cfb1d1273e138ce4
SHA256 ===>  aa4304476f721b2cef9885882756d93342a8f2d4d6d19a8f4cc7c8f0d00b02f9
http://www.virustotal.com/es/analisis/aa4304476f721b2cef9885882756d93342a8f2d4d6d19a8f4cc7c8f0d00b02f9-1278665941
VT 22/41 (53.66%)
related:
Code: [Select]
hxxp://bluestateing.com/

new files:
Code: [Select]
hxxp://vertucom62.me/mas/stam/server.php
Title: Re: New Zeus server
Post by: jackberri on July 09, 2010, 12:35:52 pm
IP Location: United States  - 1&1 Internet Inc. - ONEANDONE-AS
IP 74.208.95.157
AS8560
Registrant/Registrant Email: Srinivas Yedida/yr_sri@yahoo.com
Code: [Select]
hxxp://raysdp.com/Images/zoom1.gif       md5sum 11d313b26f58028be2f1d3faee6b75d2
hxxp://raysdp.com/Images/zoom2.gif       md5sum 439dcf838705d54269605f8d98b7d5a3
hxxp://raysdp.com/Images/zoom3.gif       md5sum 41377b2f8b94eb3df31a4c4a557f0194
hxxp://raysdp.com/Images/zoom4.gif       md5sum 2e96c2ca618c99198da86e8bddb992c5
hxxp://raysdp.com/Images/zoom5.gif       md5sum aac1b8f7b85359caf6bb2a99bcdd37b4
hxxp://raysdp.com/Images/zoom6.gif       md5sum 4bf165a7b53892766769f92f57fc6c49
http://www.virustotal.com/es/analisis/67614d015d781ad0e19d0bc0cd04ebba3ae49a624c5a6174cd21e7d0ee187ba2-1278677865
http://www.virustotal.com/es/analisis/ce34c93559ca17748c42454819a6832d45061bc4972e8660ea6a7771f071342b-1278677938
http://www.virustotal.com/es/analisis/ce4ff16a3af9ba9a1111a73244732a110305b24dd80eeb57b79ef6a5c82ae2be-1278678034
http://www.virustotal.com/es/analisis/a25c23ad56d372f2dced72e26f38da40e118d2e1526089bb458025443f8e92d5-1278678071
http://www.virustotal.com/es/analisis/189c55aee25c18f6ae61f22ce7ad9b143d1624cbdc3b710fd4be9bdf700913c5-1278678109
http://www.virustotal.com/es/analisis/88d699924757bf56e1c5a9646b890ada4108c46d874e350c3f91d4e162a5e7d8-1278678138
config file (already listed):
Code: [Select]
hxxp://linkbuilding.nl/boom.jpg
dropzone (already listed):
Code: [Select]
hxxp://www.listwowgame.com/webstate/webstat.php
Title: Re: New Zeus server
Post by: jackberri on July 09, 2010, 05:07:56 pm
IP Location: France  - OVH ISP Paris - OVH Paris
IP 213.186.33.87
[cluster014.ovh.net]
AS16276
Registrant/Registrant Email: Belkadi Abdelkader/fuarjyu9kjkaam6kzc5y@u.o-w-o.info
Code: [Select]
hxxp://talents-dz.com/images/zoom1.gif       md5sum 737a85da9311cca0e89de1fc4ec72394
hxxp://talents-dz.com/images/zoom2.gif       md5sum f241d2cac45d5d0f4efd53801e8b73be
http://www.virustotal.com/es/analisis/8ed5d2407aa39e959de52c595fe9170a74870b86bf8307e6ce371ffb47c59066-1278685617
http://www.virustotal.com/es/analisis/678254be3e5bcc568891957c127f5e8285aa5ef2b88999a98dc5c12d72df5549-1278685867

config file (already listed):
Code: [Select]
hxxp://ketengahholding.com.my/boom.jpg
dropzone (already listed):
Code: [Select]
hxxp://www.listwowgame.com/webstate/webstat.php
Title: Re: New Zeus server
Post by: jackberri on July 09, 2010, 07:20:49 pm
IP Location: Netherlands  - LEASEWEB - LeaseWeb AS
IP 85.17.143.67
[w1.attodns.nl]
AS16265
ZeuS trojan:
Code: [Select]
hxxp://randycolle.nl/sisadmin_doktor_2.jpg
md5sum ===> 4d55f4449a5d548465e96a1d1df215a1
SHA256 ===>  a19ea880adc160d9319f61dafe36caad3d1980c2b60a634b73c1288be187bd96
http://www.virustotal.com/es/analisis/a19ea880adc160d9319f61dafe36caad3d1980c2b60a634b73c1288be187bd96-1278699340
VT 15/41 (36.59%)
config file:
Code: [Select]
hxxp://ketengahholding.com.my/baner.gif
md5sum ===> 9962d2be7b62475107534fd795d73c97
SHA256 ===>  3f16e7c6af7c71de93d52787e74bcf3e8064400ffdc13a36d6d1b42ef117bc0b

dropzone (already listed):
Code: [Select]
hxxp://www.listwowgame.com/webstate/webstat.php
Title: Re: New Zeus server
Post by: jackberri on July 10, 2010, 11:53:53 am
IP Location: Austria  - ANEXIA Internetdienstleistungs GmbH - ANEXIA-AS
IP 188.65.74.70
AS42473
Registrant ID: TOD-42502831
Registrant/Registrant Email: Joudy Lay/admin@kjjm.biz
Code: [Select]
hxxp://kjjm.biz/backup.tgz
md5sum ===> 072ee350762c82aaf301e1973e2f91fc
SHA256 ===>  95bf83103fdb6c5ef0dae19f40dfd6905e39e5f1b311dbd215e3fb73192e07b9

IP Location: Taiwan  - KGEX.com - KGTNET-TW KG Telecommunication Co
IP 61.61.20.136
AS9918
Registrant ID: TOD-42502831
Registrant/Registrant Email: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://lyuboidomen.net/src/footer.jpg
md5sum ===> 0e7ecc2599199d07700985cc463108cc
SHA256 ===>  8e58c71f1c06cbbd1d4e530a1ac38eefc3bb9ae87c1cfdfc3f14a8865d32831f
Code: [Select]
hxxp://yuboidomen.net/src/img.php
config file:
IP Location: United States  - PNAP-CHG layeredtech routes - FASTSERVERS , Inc
IP 74.200.236.203
[ws20.pronameserver.com]
AS16805
Registrant/Registrant Email: James Shayler/jamesshayler@btopenworld.com
Code: [Select]
hxxp://phuket-apartmentrentals.com/baner.gif
md5sum ===> 9962d2be7b62475107534fd795d73c97
SHA256 ===>  3f16e7c6af7c71de93d52787e74bcf3e8064400ffdc13a36d6d1b42ef117bc0b
ZeuS trojan:
IP Location: United States  - ThePlanet.com Internet Services, Inc. - THEPLANET-AS2
IP 67.15.56.68
[win2.interactivedns.com]
AS21844
Registrant/Registrant Email: T-soft/prashpadia@gmail.com
Code: [Select]
hxxp://t-softindia.com/sisadmin_doktor_2.jpg
md5sum ===> f37409323f5fd5ec4851ba6e532e02a4
SHA256 ===>  346d6a6ebe57c28a64eb9fe1cb512332a5c25106904248945664f007f52642b2
http://www.virustotal.com/es/analisis/346d6a6ebe57c28a64eb9fe1cb512332a5c25106904248945664f007f52642b2-1278760851
VT 19/41 (46.35%)
dropzone (already listed):
Code: [Select]
hxxp://www.listwowgame.com/webstate/webstat.php
IP Location: Germany  - HANSENET - HANSENET Telekommunikation GmbH
IP 92.227.85.52
[g227085052.adsl.alicedsl.de]
AS13184
Registrant/Registrant Email: Linda J. Watts/LindaJWatts@bigmail.net
Code: [Select]
hxxp://hosting-king.net/config.bin
md5sum ===> 10886337e9c6af2c15311f1538316f67
SHA256 ===>  a314e5b0dc318a44572dcb40b15c05da1f619b53459df7bdbc2a6e575dddb361
Code: [Select]
hxxp://hosting-king.net/bot.exe
md5sum ===> ce81df0e7050bd417f2ff20ff98b1b60
SHA256 ===>  25a8ec602c85f1764543e2748a1dfaa86a7dfe387621d105f0f6892dc7809083
http://www.virustotal.com/es/analisis/25a8ec602c85f1764543e2748a1dfaa86a7dfe387621d105f0f6892dc7809083-1278757270
VT 12/41 (29.27%)

IP Location: Germany  - SCHLUND-PA-4 - ONEANDONE-AS
IP 82.165.223.177
[kundenserver.de]
AS8560
Registrant/Registrant Email: Frederic Fransen/fransen.f@gmail.com
Code: [Select]
hxxp://fredericfransen.com/zoom1.gif
md5sum ===> e6b33e0eb9791e6ebe49d40c62f80791
SHA256 ===>  fbaa169a4e457cc8f10d29c77775ab6259da7d7848a73d3f191593a3d889fe6f
http://www.virustotal.com/es/analisis/fbaa169a4e457cc8f10d29c77775ab6259da7d7848a73d3f191593a3d889fe6f-1278760005
VT 19/40 (47.5%)
config file (already listed):
Code: [Select]
hxxp://ketengahholding.com.my/boom.jpg
Title: Re: New Zeus server
Post by: jackberri on July 10, 2010, 12:42:57 pm
Code: [Select]
hxxp://yuboidomen.net/src/img.php

sorry:
Code: [Select]
hxxp://lyuboidomen.net/src/img.php
Title: Re: New Zeus server
Post by: jackberri on July 13, 2010, 06:29:36 am
IP Location: Moldova - STARNET-AS
IP 195.206.246.246
AS31252
Registrant/Registrant Email: Alex Frog/admin@agradomhome109.com
Code: [Select]
hxxp://chanellinedot27.com/Fant0m1cks/RWhtriyDR43y5gFtyTE65.bin
md5sum ===> 411db9344ebf852735c27cbc54bc751c
SHA256 ===>  f7080abc050460488234e7f7c05598cc7e25e5e0f441fa82841c25548c097e0b
Code: [Select]
hxxp://chanellinedot27.com/Fant0m1cks/LXiuyyYyr64i6Yt6Ck76xcti5CVtyto7d6fVl676fVtt3.php
IP Location: United States - ADDED FOR - AS36444
IP 207.32.185.30
AS36444
Registrant/Registrant Email: Domains by Proxy, Inc./ACCURATEABSTRACTS.COM@domainsbyproxy.com
Code: [Select]
hxxp://accurateabstracts.com/IMG/Accurate_03.jpg
md5sum ===> 166f297bfb6105de94e376c234faccf4
SHA256 ===>  88b63bc62c5f33782243866348bba7485f33b3ad63f38d9bff39c240c7c82eab
Title: Re: New Zeus server
Post by: jackberri on July 13, 2010, 11:06:25 pm
Code: [Select]
hxxp://91.194.0.163/joseppe_vaudg.bin
md5sum ===> d4f54381fe4a112e4f79118ca075fada
SHA256 ===>  08a9a5e52c00327c00d683cd7481f58b0d53fce0ad3a7565e742f1fea5934a45
Title: Re: New Zeus server
Post by: jackberri on July 14, 2010, 09:19:05 am
IP Location: Israel - Proxy-registered route objec - BEZEQ-INTERNATIONAL-AS
IP 62.219.30.3
[win40.1host.co.il]
AS8551
Code: [Select]
hxxp://iimba.org.il/banner.jpg
md5sum ===> aed36630a906e309e70f79035dee03ff
SHA256 ===>  c98ce2b1bfe23962a7d3bbe003915c1dbb78d8f5b1789b1a2f7dcc9f9073eca0
Title: Re: New Zeus server
Post by: jackberri on July 14, 2010, 05:19:21 pm
IP Location: Germany  - Neue Medien Muennich - NMM-AS
IP 85.13.139.218
[dd17936.kasserver.com]
AS34788
Registrant/Registrant Email: Werner Kaltofen/info@all-inkl.com
Code: [Select]
hxxp://seelenbuecher.de/images/zoom1.gif
md5sum ===> 88dee198feffec974c110f39246b518d
SHA256 ===>  2bccb889d37a4032860f3dfc6fd210d6763510efab603ad96217c0e925da29d5
http://www.virustotal.com/es/analisis/2bccb889d37a4032860f3dfc6fd210d6763510efab603ad96217c0e925da29d5-1279127046
VT 21/42 (50%)
related (already listed):
Code: [Select]
hxxp://linkbuilding.nl/boom.jpg
Title: Re: New Zeus server
Post by: jackberri on July 15, 2010, 10:20:20 am
IP Location: Russian Federation  - Encore Ltd. Route Object - ALFATELECOM
IP 91.216.215.70
AS51274
Registrant/Registrant Email: Private Person/vatchin@mail.ru
Code: [Select]
hxxp://google-stats.ru/373cfg/923googlestats2main.jpg
md5sum ===> 0a6ff3bcb5c55efc480b915bb93cd2c5
SHA256 ===>  30774d561f1f44013b11fb9f6d8acddf3a1f3a0c8974da9ca07948691e72486e
Code: [Select]
hxxp://google-stats.ru/exestat/google.exe
md5sum ===> 9c2b9c06dd9e55499830d3bb7adaf59f
SHA256 ===>  db96186317c64bd98d9449c791264cc6d78bd853506bd1804235702b0fb39569
http://www.virustotal.com/es/analisis/db96186317c64bd98d9449c791264cc6d78bd853506bd1804235702b0fb39569-1279188369
VT 7/41 (17.08%)
Code: [Select]
hxxp://google-stats.ru/stats/count.php
IP Location: Italy  - TRIVENET - TRIVENET S.p.A. TELECOMUNICAZIONI ITALY
AS12481
Registrant/Registrant Email: Trivenet S.p.A./abuse@trivenet.it
Code: [Select]
hxxp://212.103.194.188/GEOMARKETING/geomarketing_d
md5sum ===> abb53d136433f4245301661d9a2c69b1
SHA256 ===>  138b83454a2f49a342a507cc1fb5369d81a50a6e78717d7d04b78cbd7cc21ef7
dropzone:
IP Location: Russian Federation - VLine Telecom Block Moscow - VLTELECOM-AS
IP 109.196.143.71
AS39150
Registrant/Registrant Email: Egor Slesarev/admin@yellow-cargo.com
Code: [Select]
hxxp://yellow-cargo.com/httpdocs/help.php
Title: Re: New Zeus server
Post by: jackberri on July 15, 2010, 01:33:45 pm
IP Location: China  - Tietong Telecommunications Corporation
IP 122.70.149.197
[ip149.hichina.com]
AS38356
Registrant/Registrant Email: Polina Kuznetsova/flab@bigmailbox.ru
Code: [Select]
hxxp://salx.cc/rni.cpm
md5sum ===> a3125df476ef9beee7bf5ea85210999f
SHA256 ===>  aec2d119bb7ba335e60d1c3968b70613a77b2ce08179b7b1462405e3c890f2a8
dropzone (already listed: new IP)
IP Location: China  - Broadband Ip Network Based Dwdm
IP 61.28.22.201
AS17490
Registrant/Registrant Email: Oksana Sajapina/daft@qx8.ru
Code: [Select]
hxxp://annintus.com/yahooman.php
IP Location: Moldova  - STARNET-AS
IP 195.206.246.220
AS31252
Registrant/Registrant Email: Uljana Malya/admin@cawwe.com
Code: [Select]
hxxp://cawwe.com/picture/gif.gif
md5sum ===> 75cdc5f3890506d576b78d261098479f
SHA256 ===>  30beef78977dfec6392e641ab8c460e7cf7b879df98ac715d57d71469e890635
Code: [Select]
hxxp://cawwe.com/picture/gaterrz.php
IP Location: Moldova  - STARNET-AS
IP 195.206.246.225
AS31252
Registrant/Registrant Email: Viktor Fedorov/admin@ushship.com
Registrant/Registrant Email: Artur Har/admin@eurelectrics.com
Code: [Select]
hxxp://ushship.com/xed/config.bin
md5sum ===> 97f412b648b24d7948c010729532c15f
SHA256 ===>  a482e08e23f3f9c5ae758fff2bcc1e0aa8bd1cb764d659420a4a82d3f2e3458f
Code: [Select]
hxxp://eurelectrics.com/xed/config.bin
md5sum ===> 80a13cd05da31fd54dbd1a1386d6c2ac
SHA256 ===>  f0dad1d5b98fa38037716a7d598324259a193d5393403f3e699a610c80ff158b
Code: [Select]
hxxp://ushship.com/xed/yourbot.exe
md5sum ===> 3921a7ecf7e01c001107ffda5ea243e9
SHA256 ===>  f9b71f91548edf256fae03cf00a45a089badb881d11aa472ab95c01636bcc701
http://www.virustotal.com/es/analisis/f9b71f91548edf256fae03cf00a45a089badb881d11aa472ab95c01636bcc701-1279191059
VT 17/42 (40.48%)
Code: [Select]
hxxp://eurelectrics.com/xed/yourbot.exe
md5sum ===> ef07ada306f7bcb3b686e264611d07a0
SHA256 ===>  f82ebf92a13584c552498951868e3f0c5a0e253492c78f3c5de43a6a4eeeb340
http://www.virustotal.com/es/analisis/f82ebf92a13584c552498951868e3f0c5a0e253492c78f3c5de43a6a4eeeb340-1279191740
VT 35/42 (83.34%)
Code: [Select]
hxxp://ushship.com/xed/gate.php
Code: [Select]
hxxp://eurelectrics.com/xed/gate.php
IP Location: Russian Federation  - KALUGA-NET - KALUGANET AI Ltd.
IP 193.104.34.63
AS50108
Registrant/Registrant Email: Private Person/admin@alarmingzone.ru
Registrant/Registrant Email: Alex Kron/admin@werh.biz
Code: [Select]
hxxp://nnam.ru/backup.tgz
md5sum ===> 367a5f85c7d04f0c9e76e38b181f619f
SHA256 ===>  a7b9a5eb8f78a23af7ff1b3132c19550793af643a42c8c44faba2a8779c4e78f
dropzone:
Code: [Select]
hxxp://werh.biz/sdkljhdfdlgklk3434.php
Title: Re: New Zeus server
Post by: jackberri on July 15, 2010, 07:14:05 pm
IP Location:  United Kingdom - NETCONNEX Broadband Ltd. - London, UK
IP 91.207.220.74
[www.hidden.org]
AS21396
Registrant: Lasker Collections Limited
Code: [Select]
hxxp://b2bdebtcollection.co.uk/images/sisadmin_doktor_2.jpg
md5sum ===> 1f2e88634a4c34ed6df4c5c9c6dc2bcc
SHA256 ===>  604918a309965f5ce7571aca4a3d792e5c9859e6ead2e35b5e5cdf252750fe8d
http://www.virustotal.com/es/analisis/604918a309965f5ce7571aca4a3d792e5c9859e6ead2e35b5e5cdf252750fe8d-1279216497
VT 21/42 (50%)

IP Location:  United States - PNAP-CHG layeredtech routes - FASTSERVERS , Inc
IP 74.200.236.203
[ws20.pronameserver.com]
AS16805
Registrant: lara murray
Code: [Select]
hxxp://magmaessex.co.uk/media/images/sisadmin_doktor_2.jpg
md5sum ===> 634fb10caece0457f919108b3e4f145a
SHA256 ===>  f2a62179ba8475c20807ea2fff0d82ec11194fe0ebec465fe2818b3646f90b36
http://www.virustotal.com/es/analisis/f2a62179ba8475c20807ea2fff0d82ec11194fe0ebec465fe2818b3646f90b36-1279218442
VT 18/42 (42.86%)

IP Location:  Netherlands - LEASEWEB - LeaseWeb AS
IP 85.17.7.36
[chandler.binadit.com]
AS16265
Code: [Select]
hxxp://extraware.nl/images/sisadmin_doktor_2.jpg
md5sum ===> 949ab8485dfa78e757e9ad869e3add4b
SHA256 ===>  4998d72af7ca77bf08c88ebea12898333364f909881af64e4c250f1ffb66d77a
http://www.virustotal.com/es/analisis/4998d72af7ca77bf08c88ebea12898333364f909881af64e4c250f1ffb66d77a-1279219515
VT 19/42 (45.24%)
related (already listed):
Code: [Select]
hxxp://www.ketengahholding.com.my/baner.gif
IP Location:  United States - PAH-INC Go Daddy Software, Inc
IP 68.178.254.145
[p3slh033.shr.phx3.secureserver.net]
AS26496
Registrant/Registrant Email: Tom Poole/tom@poole.com
Code: [Select]
hxxp://aquafino.com/images/sisadmin_doktor_2.jpg
md5sum ===> 1f2e88634a4c34ed6df4c5c9c6dc2bcc
SHA256 ===> 604918a309965f5ce7571aca4a3d792e5c9859e6ead2e35b5e5cdf252750fe8d
http://www.virustotal.com/es/analisis/604918a309965f5ce7571aca4a3d792e5c9859e6ead2e35b5e5cdf252750fe8d-1279216497
VT 21/42 (50%)


IP Location:  Germany - SCHLUND-PA-2 - 1&1 Internet Ag
IP 212.227.192.137
[kundenserver.de]
AS8560
Registrant/Registrant Email: Boukhalfa Dilmi/boukhalfadilmi@yahoo.fr
Code: [Select]
hxxp://montemeubles-location.com/sisadmin_doktor_2.jpg
md5sum ===> 273977febaa098a95d9f2316014e908
SHA256 ===> 01c4c354e360175ab4af6240329fd69c9fbcc282843b50953fdab1aa8b8cd379
http://www.virustotal.com/es/analisis/01c4c354e360175ab4af6240329fd69c9fbcc282843b50953fdab1aa8b8cd379-1279215292
VT 21/42 (50%)
related (already listed)
Code: [Select]
hxxp://phuket-apartmentrentals.com/baner.gif
IP Location:  Russian Federation - Keyweb AG IP Network - KEYWEB-AS
IP 95.169.190.224
[ns.km35228.keymachine.de]
AS31103
Registrant/Registrant Email: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://cruelstar.net/sol777.exe
md5sum ===> 72363e01b650a68a99cce54e41f3f82d
SHA256 ===> 5e982e4ce92ff3b384c9980fe9eb34b98d4ec7e1fac7f7a6363302a1a2640ef1
http://www.virustotal.com/es/analisis/5e982e4ce92ff3b384c9980fe9eb34b98d4ec7e1fac7f7a6363302a1a2640ef1-1279217444
VT 26/42 (61.91%)
Code: [Select]
hxxp://atx7.biz/pic55/gtx71.php
IP Location:  South Africa - MTNNS-AS MTN Network Solutions
IP 41.204.200.87
[dedi87.cpt2.host-h.net]
AS16637
Code: [Select]
hxxp://houseofafricaguesthouse.co.za/images/sisadmin_doktor_2.jpg
md5sum ===> 6d83c3e3bdcd4121af9ebc838182cf93
SHA256 ===> 029dca2325d996bb3b2582b3fd3a8d8f603cf05bdb4d5509404e08dfa6d2628b
http://www.virustotal.com/es/analisis/029dca2325d996bb3b2582b3fd3a8d8f603cf05bdb4d5509404e08dfa6d2628b-1279220211
VT 21/42 (50%)
related:
Code: [Select]
http://blog.natebennettfleming.com/main.php?i=I8yqiNsarvKjghP/U8pOyJEf&e=3
related (already listed):
Code: [Select]
hxxp://www.ketengahholding.com.my/baner.gif
Title: Re: New Zeus server
Post by: jackberri on July 15, 2010, 11:17:40 pm
IP Location: United Kingdom - NETCONNEX Broadband Ltd. London, UK
IP 91.207.220.74
[www.hidden.org]
AS21396
Registrant: Lasker Collections Limited
Code: [Select]
hxxp://b2bdebtrecovery.co.uk/images/sisadmin_doktor_2.jpg
md5sum ===> 617bd2e16a84cc2527faab01a4e026cc
SHA256 ===> 63b22e99f47f61ab6b88a093beb6895e3389797681ee3e585ccdb242b9233d3f
http://www.virustotal.com/es/analisis/63b22e99f47f61ab6b88a093beb6895e3389797681ee3e585ccdb242b9233d3f-1279227000
VT 22/42 (52.39%)
related (already listed):
Code: [Select]
hxxp://phuket-apartmentrentals.com/baner.gif
IP Location: Denmark - Tele Danmark - TDC Data Networks TDC A/S
IP 193.89.99.224
AS3292
Code: [Select]
hxxp://cardo.dk/baner.jpg
md5sum ===> 7b9cf8d10c1081ce482239e00ec82066
SHA256 ===> 5522865b6640101c167e612763901761619c24458dd5ce6e591d86ca8cbcf736
http://www.virustotal.com/es/analisis/5522865b6640101c167e612763901761619c24458dd5ce6e591d86ca8cbcf736-1279232989
VT 9/40 (22.5%)
config file:
IP Location: Denmark - One.com - NGDC NetGroup A/S
IP 193.202.110.148
[srv148.one.com]
AS16245
Code: [Select]
hxxp://pifa.se/banner.gif
md5sum ===> c59fd3e6e6d59c9f491501b53ad554e2
SHA256 ===> 7efbf581aa9dca2b5c393390f511579f74db2d78be3d68763994feb29e942342
related:
Code: [Select]
hxxp://ns2.natebennettfleming.com/main.php?h=www.pifa.se&i=J86ui9Eao/iigBj7U8VOw5MXog==&e=4
Title: Re: New Zeus server
Post by: jackberri on July 16, 2010, 09:25:27 am
IP Location: United States - PNAP-LAX newdream-8 - DREAMHOST-AS
IP 69.163.223.137
[apache2-pat.vilnius.dreamhost.com]
AS26347
Registrant/Registrant Email: Private Registrant/kodebazaar.com@proxy.dreamhost.com
Code: [Select]
hxxp://kodebazaar.com/ban00.jpg
md5sum ===> 57a27b7083fb4501177f79d45b49445d
SHA256 ===> 5b7d27223351d61a80f9fb7d6797a7c8426a8eaecfe983e2ddbd7ebde4d2abac
http://www.virustotal.com/es/analisis/5b7d27223351d61a80f9fb7d6797a7c8426a8eaecfe983e2ddbd7ebde4d2abac-1279265396
VT 9/42 (21.43%)
related:
Code: [Select]
hxxp://visvrienden.nl/wp-includes/images/banner.gif
related (already listed: new IP)
IP Location: France - ProXad network / Free SAS - PROXAD Free SAS
IP: 88.191.30.24
[sd-2435.dedibox.fr]
AS12322
Code: [Select]
http://www.listwowgame.com/webstate/webstat.php
IP Location: United States  - PAH-INC Go Daddy Software, Inc.
IP 72.167.131.106
[p3slh173.shr.phx3.secureserver.net]
AS26496
Code: [Select]
hxxp://unbreakabletattoo.com/baner.jpg
md5sum ===> b8ab4b229332cd553aba60817a9fbf2e
SHA256 ===> 7e4058c9b6018bc9b5d30f397a0f74a5a48f5dd99208e78719711f87a0b96f1e
http://www.virustotal.com/es/analisis/7e4058c9b6018bc9b5d30f397a0f74a5a48f5dd99208e78719711f87a0b96f1e-1279270828
VT 13/42 (30.96%)
config file:
IP Location: United States  - CORPCOLO Corporate Colocation, Inc
IP 74.124.210.84
[biz51.inmotionhosting.com]
AS17139
Code: [Select]
hxxp://vendicious.com/images/powered.gif
md5sum ===> 7ef39c6836463b0fc7590aaa35dec800
SHA256 ===> 379aa3b91db628416da49a5b830d5cad0587244d2e33cd28a2bb05f32b958584
related (already listed):
Code: [Select]
http://www.listwowgame.com/webstate/webstat.php
IP Location: Denmark - Tele Danmark - TDC Data Networks TDC A/S
IP 193.89.99.224
AS3292
Code: [Select]
hxxp://jeffs-koreskole.dk/ban00.jpg
md5sum ===> 0a97bca6404a95282a1196ca29106c3a
SHA256 ===> fc505fdfb1d9bd6600d1b467a3796b3c6e81c7d184b9c0c2ca518273411854e1
http://www.virustotal.com/es/analisis/fc505fdfb1d9bd6600d1b467a3796b3c6e81c7d184b9c0c2ca518273411854e1-1279261163
VT 11/41 (26.83%)
config file:
IP Location: Netherlands  - PCextreme B.V. - Routed by AS25525 - REASONNET-AS
IP 109.72.85.37
[nl02.pcextreme.nl]
AS25525
Code: [Select]
hxxp://visvrienden.nl/wp-includes/images/banner.gif
md5sum ===> f08254f4c1537eb15facdcd35c7b0cb0
SHA256 ===> 4e47fb88d2056224be6690b01301e8e678fe6f808af626e0cf1d79628d0d32f6

IP Location: Bosnia and Herzegovina  - GlobalNET Bosnia - BA-GLOBALNET-AS
IP 77.78.240.115
AS42560
Registrant/Registrant Email: Private Registrant/skit@5mx.ru
Code: [Select]
hxxp://zephehooqu.ru/bin/teemaeko.bin
md5sum ===> 504d61333e63401acaf19005319a8b39
SHA256 ===> d57146f74c857d2f569186797d9bc7d0d71298367412694be330874d2ef2f89c
Code: [Select]
hxxp://zephehooqu.ru/bin/teemaeko.exe
md5sum ===> 9758f04d2f1bd664f37c4285a013372a
SHA256 ===> cfa160f6f4d763daf400c03d1b994bccca2d26c8c4c8ea5717113d935fe59382
http://www.virustotal.com/es/analisis/cfa160f6f4d763daf400c03d1b994bccca2d26c8c4c8ea5717113d935fe59382-1279266466
VT 27/42 (64.29%)

Title: Re: New Zeus server
Post by: jackberri on July 16, 2010, 01:36:00 pm
IP Location:  Denmark - Tele Danmark - TDC Data Networks TDC A/S
IP 193.89.99.224
AS3292
Code: [Select]
hxxp://www.folkebladet.dk/baner.jpg
md5sum ===> 7e7c1400766b89e9f5976310c0645f73
SHA256 ===> 54e3c3b7e39e4ef24af1e131e624e37d1782736c19f82deed41de01694c39865
http://www.virustotal.com/es/analisis/54e3c3b7e39e4ef24af1e131e624e37d1782736c19f82deed41de01694c39865-1279282475
VT 10/42 (23.81%)
related (already listed):
Code: [Select]
hxxp://www.pifa.se/banner.gif
hxxp://www.listwowgame.com/webstate/webstat.php

IP Location:  United States - THEPLANET-AS2
IP 174.132.165.222
[de.a5.84ae.static.theplanet.com]
AS21844
Registrant/Registrant Email: Mumtaz Saxena/saxena@timing.net
Code: [Select]
hxxp://ezonemall.com/baner.jpg
md5sum ===> 86ba1cf852558e237eaa73bae9303516
SHA256 ===> 25676e68dd3a3579e850a95421a0609b6f81e5863cbba5defbed4bb0ff32110f
http://www.virustotal.com/es/analisis/25676e68dd3a3579e850a95421a0609b6f81e5863cbba5defbed4bb0ff32110f-1279283850
VT 9/42 (21.43%)
related (already listed):
Code: [Select]
hxxp://vendicious.com/images/powered.gif
hxxp://www.listwowgame.com/webstate/webstat.php

IP Location:  United States - SERVEPATH ServePath, LLC
IP 74.3.203.91
[74-3-203-91.dsl-phx.179x.org]
AS26228
Registrant/Registrant Email: Norma Harris/NormaPHarris@gmail.com
Code: [Select]
hxxp://lightpalace.net/config.bin
md5sum ===> e8c290894341cf9640e7894546688ec4
SHA256 ===> 5f0e55ed2dfc378ee27d4d595abe482ff5aecd9b7e3a60719a386567f903298b
Code: [Select]
hxxp://lightpalace.net/bot.exe
md5sum ===> b74d9e64900c7aa3c3d1509893e7eee3
SHA256 ===> 1c08821eaebfaf366b3a55dc784fd614a10b3ed6c3bac18105bf8147b2b6d86d
http://www.virustotal.com/es/analisis/1c08821eaebfaf366b3a55dc784fd614a10b3ed6c3bac18105bf8147b2b6d86d-1279285492
VT 5/42 (11.91%)
Code: [Select]
hxxp://lightpalace.net/gateAK.php
Title: Re: New Zeus server
Post by: jackberri on July 25, 2010, 09:21:27 am
IP Location:  Moldova - STARNET
IP 195.206.246.250
AS31252
Registrant/Registrant Email: Kim Nasarov/admin@update-java2.com
Code: [Select]
hxxp://update-java2.com/src/update2.set
md5sum ===> 3690cdb0100e2ed72cf754b751b2e555
Code: [Select]
hxxp://update-java2.com/aaaa/11g.php
Code: [Select]
hxxp://update-java2.com/src/time.exe
md5sum ===> c30ea1b6ab9cc249644fdb2708f53246
http://www.virustotal.com/es/analisis/51a6fbc12125046303df92f8b71b5147794942eae855efbdbdc51fd5cfd9ae91-1280045482
VT 22/42 (52.39%)

IP Location:  Moldova - STARNET
IP 195.5.161.224
AS31252
Registrant/Registrant Email: Kim Nasarov/admin@update-java2.com
Code: [Select]
hxxp://wxw.ms-update.net/cnf/msn.dll
md5sum ===> eeffcc08ca467882d32d112298590795
Code: [Select]
hxxp://wxw.ms-update.net/cnf/msn.exe
md5sum ===> 9a603af868a3416af82ec042b7d51649
http://www.virustotal.com/es/analisis/51a6fbc12125046303df92f8b71b5147794942eae855efbdbdc51fd5cfd9ae91-1280045482
VT 27/42 (64.29%)
Code: [Select]
hxxp://wvvw.my-dns-stat.net/updates/updates.php
IP Location:  Moldova - STARNET
IP 195.5.161.224
AS31252
Code: [Select]
hxxp://wvvw.dns-configs.net/msn/ms_3.dll
md5sum ===> ffa2540b38cb9973dbe6a369592d14fa
Code: [Select]
hxxp://wvvw.dns-configs.net/cnf/msn.exe
md5sum ===> 449cf4fd3742923a23755074bfe7fc94
http://www.virustotal.com/es/analisis/8549ee40dc8aebec77772ce517d1b53dbb2a900b120915b48a2d6d795b741026-1280046684
VT 23/42 (54.77%)
Code: [Select]
hxxp://wvvw.my-dns-stat.net/updates/updates.php
IP Location:  United States - Endurance International Group - BIZLAND-ASN
IP 66.96.146.80
AS29873
Code: [Select]
hxxp://9999tech.com/ban00.jpg
md5sum ===> 3be6ff23e6ac14b4144a04fc226922ce
http://www.virustotal.com/es/analisis/6b8340e1ee8339b2dab30f4dc45f8323d4b3a2c5ed68535f36e2d08d294e0a81-1280048128
VT 19/42 (45.24%)
related (already listed):
Code: [Select]
hxxp://vendicious.com/images/powered.gif
hxxp://listwowgame.com/webstate/webstat.php

IP Location: Moldova - STARNET-AS
IP 195.5.161.5
AS31252
Code: [Select]
hxxp://slapfan.in/star/aol.exe
md5sum ===> 0731b136ef2db2694ffdde68fc096537
http://www.virustotal.com/es/analisis/a773df9975fb190c1a7095b8ed5e3cba31911765f3d12f3347f16f62ab701459-1280048799
VT 1/42 (2.39%)
related (already listed):
Code: [Select]
hxxp://regflinbullst.net/mas/pro/server.php
Title: Re: New Zeus server
Post by: jackberri on July 25, 2010, 12:48:17 pm
IP Location: Russian Federation - ENCORE-NET
IP 91.216.215.69
AS51274
Registrant/Registrant Email: Private Person/support@transjapan.ru
Code: [Select]
hxxp://transjapan.ru/7s9acfg/s8a3transjapandsd.jpg
md5sum ===> c5c543e1595f7ac4982a289b437d01b6
Code: [Select]
hxxp://transjapan.ru/japanexe/japaness.exe
md5sum ===> 544edcd19cdab3795af440d68ba2dc98
http://www.virustotal.com/es/analisis/51a6fbc12125046303df92f8b71b5147794942eae855efbdbdc51fd5cfd9ae91-1280045482
VT 2/42 (4.77%)
Code: [Select]
hxxp://transjapan.ru/transfer/bits.php
IP Location: Russian Federation - Bank Moscowskiy Kapital Ltd.
AS42953
Code: [Select]
hxxp://91.194.0.160/admgustavo.bin
md5sum ===> a311ea96bf53ffa36cf00ed94f72a682
Code: [Select]
hxxp://91.194.0.160/winrar_keyadmg.exe
md5sum ===> 6bc1effde27f3b6b0f858d6136af180b
http://www.virustotal.com/es/analisis/bf602b74fea560985bacf665e98f4acc43f8fdc16cfc0059c2e90d19cb0d31ec-1280054411
VT 22/42 (52.39%)

IP Location: Russian Federation - Bank Moscowskiy Kapital Ltd. 
AS42953
Code: [Select]
hxxp://91.194.0.109/admopera.bin
md5sum ===> f16e5e2a81714459b78bbd352ea23c4f
Code: [Select]
hxxp://91.194.0.109/admmozlilla.exe
md5sum ===> 5279d22947c50d63102b008fe3015bd6
http://www.virustotal.com/es/analisis/51340a028e59b6293cf42cc7c37746b0efc5c1f19b54a4c175bbc8a2e6b57e52-1280054934
VT 23/42 (54.77%)
Code: [Select]
hxxp://91.194.0.109/fast_forest.php
IP Location: Russian Federation - Bank Moscowskiy Kapital Ltd. 
AS42953
Code: [Select]
hxxp://91.194.0.107/zmansonz.bin
md5sum ===> cdbdeaa0954df28c1aa0f22b0e565f7a

IP Location: United States - HOSTMYSITE
IP 67.59.188.60
AS20021
Registrant/Registrant Email: Parker Film Co/catherine@parkerfilmcompany.com
Code: [Select]
hxxp://untitled-themovie.com/ban00.jpg
md5sum ===> 0a4aae547c9f8ce4197a15da079d4984
http://www.virustotal.com/es/analisis/f71f39b9d91c2afc7b449754ff66a595a6aaea76ccf390a4d15b52423a1af9c2-1280056150
VT 35/42 (83.34%)
related (already listed):
Code: [Select]
hxxp://visvrienden.nl/wp-includes/images/banner.gif
IP Location:  Kazakhstan  - ALFAHOSTNET
IP 193.105.207.103
AS50793
Registrant/Registrant Email: Private Person/gavrilov81@mail.ru
Code: [Select]
hxxp://massive-dynamic.ru/adm/mercedes.gif
md5sum ===> 5fa71005fbc9047c209e8b8b09c32bdc
Code: [Select]
hxxp://massive-dynamic.ru/adm/gate.php
IP Location:  Vietnam  - QTSC-AS-VN
IP 202.78.227.112
AS24085
Registrant/Registrant Email: Cindy Williams/CindySWilliams@yahoo.com
Code: [Select]
hxxp://liswegwegwegu.com/gamer/ewggg.img
md5sum ===> b8aae00f51aeec0d1fb3f92e4d34ee0d
Code: [Select]
hxxp://liswegwegwegu.com/gamer/ewggg2.img
md5sum ===> e851e81f12676fea67810335a00ffd26

IP Location: China - CHINANET-BJ-METRO BeijingTelecom
IP 121.101.216.198
AS4847
Registrant/Registrant Email: Oleg Lojko/oleg.loyko@yahoo.com
Code: [Select]
hxxp://net.lovealiy.com/nagakeane/config.bin
md5sum ===> db35a61776086082dc3820e63ebc5e78
Title: Re: New Zeus server
Post by: jackberri on July 25, 2010, 04:51:46 pm
IP Location: Moldova - STARNET-AS
IP 195.5.161.228
AS31252
Registrant/Registrant Email: Private Person/mail2businessman@gmail.com
Code: [Select]
hxxp://dynamicnetwork.ru/staticdat/ess.cfg
md5sum ===> c404133102a6564945a9d1860c5723af

IP Location: United States - HOSTNOC-5BLK Block1 - BurstNet Technologies, Inc.
IP 64.120.161.73
[64-120-161-73.hostnoc.net]
AS21788
Registrant/Registrant Email: Evgeniya Kostikova/smut@fastermail.ru
Code: [Select]
hxxp://nfruhskhfts.com/bs/lusa.bin
md5sum ===> 350dab17dc6550dc84989ba04249d951
Code: [Select]
hxxp://nfruhskhfts.com/bs/lv.php
IP Location: Kazakhstan - AlfaHost LLP. Route Object - ALFAHOSTNET
IP 193.105.207.103
AS50793
Registrant/Registrant Email: Private Person/gavrilov81@mail.ru
Code: [Select]
hxxp://bonokur.ru/eu/cf.bin
md5sum ===> 78ef7d88c809db589a44d0c5484a4ca5
Code: [Select]
hxxp://bonokur.ru/eu/bt.exe
md5sum ===> bdb4b848bdd563c03f7b703e1911e064
http://www.virustotal.com/es/analisis/43514339a82e73834eb76133af70f05390012ece647dfc07113c10bf3de056f4-1280075076
VT 2/42 (4.77%)
Code: [Select]
hxxp://bonokur.ru/eu/index.php
IP Location: Kazakhstan - AlfaHost LLP. Route Object - ALFAHOSTNET
IP 193.105.207.103
AS50793
Registrant/Registrant Email: Private Person/gavrilov81@mail.ru
Code: [Select]
hxxp://195.78.108.180/eu5.bin
md5sum ===> 726e51fab51db96811269dd819ac7e8d
Code: [Select]
hxxp://195.78.108.180/eu5.exe
md5sum ===> a498675a2747eadabf7bcdda86a0f26e
http://www.virustotal.com/es/analisis/7c6010278b0269ef876aeeade2efde812bd9ee9bab24b9d8cede61d0e25b7774-1280075940
VT 26/41 (63.42%)
Title: Re: New Zeus server
Post by: jackberri on July 26, 2010, 12:12:51 pm
IP Location: Denmark - Tele Danmark - TDC Data Networks TDC A/S
IP 193.89.99.227
AS3292
Code: [Select]
hxxp://workway.dk/baner.jpg
md5sum ===> f0ca153099fb6ed852107de4122c9df0
http://www.virustotal.com/es/analisis/d490b1db2e3cad23caa4159120cc4889da479d6587fb54053352b1144fc3c5bf-1280145729
VT 18/42 (42.86%)
related (already listed):
Code: [Select]
hxxp://www.pifa.se/banner.gif
Title: Re: New Zeus server
Post by: jackberri on July 27, 2010, 02:56:03 pm
IP Location: Ukraine - W-NET ISP - WNET W-NET
IP 92.60.177.252
[grusha-92-60-177-252.hostinghutor.com]
AS15772
Registrant/Registrant Email: max pet/maxpet1212@gmail.com
Code: [Select]
hxxp://x-cash-x.com/dll.so
md5sum ===> 40cca083ff5cbe4aff572b7be2c39121

IP Location: Russian Federation - VLine Telecom Block Moscow - VLTELECOM-AS
IP 109.196.143.97
AS39150
Registrant/Registrant Email: Andrew Seminar/ad.dav@hotmail.com
Code: [Select]
hxxp://robertomilanomoreomglol.info/wild/cfg.bin
md5sum ===> f11466b0127c088f45e44d5b61058c22
Code: [Select]
hxxp://robertomilanomoreomglol.info/wild/aol.exe
md5sum ===> c3edeac972067bb4bed399c5df099fb0
http://www.virustotal.com/es/analisis/0d3765285eaf66c50229bdb27db00ade08cb81d1a0575aef379e5068a345dc66-1280231726
VT 4/42 (9.53%)
Code: [Select]
hxxp://robertomilanomoreomglol.info/wild/zzs/server.php
IP Location: Latvia - Latvenergo - LATVENERGO-AS Latvian national Energy
IP 85.15.231.77
AS29600
[mail.mm88.lv]
Code: [Select]
hxxp://akapulkoparmitana.ws/8ff1051d8d01253c0ec1532c0493ef45/75c5dfb564d0e90c6712206b886241bf.php
Title: Re: New Zeus server
Post by: jackberri on July 27, 2010, 07:37:46 pm
IP Location: France - OVH ISP Paris - OVH Paris
IP 91.121.93.44
AS16276
[ttb-network.com]
Code: [Select]
hxxp://megusia.net:8080/images/bot.bin
hxxp://natalia.megastacja.net:8080/images/bot.bin
hxxp://ns28314.ovh.net:8080/images/bot.bin
hxxp:///ttb-network.com:8080/images/bot.bin
md5sum ===> 262024ea727cda63911a4b5da0da796f

IP Location: Russian Federation - DTZ-MOS-NET DTZ Debenham Zadelhoff LLC
IP 193.109.246.34
AS43074
Registrant/Registrant Email: Private person/admin@bestcasinotop.ru
Code: [Select]
hxxp://boshbf.ru/2c.bin
md5sum ===> 99bcbc93ff3318bce480afd48b0f23d3
Code: [Select]
hxxp://boshbf.ru/fua.php
IP Location: Russian Federation - Encore Ltd. Route Object - ENCORE-NET
IP 91.216.215.69
AS51274
Registrant/Registrant Email: Private Person/support@worksofast.ru
Code: [Select]
hxxp://worksofast.ru/s8acfg/022dworksofast.jpg
md5sum ===> 02217c89f1cc5cf199a1e977b0f8fc7e
Code: [Select]
hxxp://worksofast.ru/workexe/sofast.exe
md5sum ===> bab6d03332ca515adbea6c595df00165
http://www.virustotal.com/es/analisis/18ec0317b1a2a83abcd8fb551bacce4036dbec63479fdb91d41e689ecbe9ec89-1280258034
VT 3/42 (7.15%)
Code: [Select]
hxxp://worksofast.ru/workadm/contact.php
Title: Re: New Zeus server
Post by: jackberri on July 27, 2010, 11:35:22 pm
IP Location: peer-to-peer networking?
IP ?
ASN ?
Registrant/Registrant Email: Andrey Sokolovsky/vivian@freenetbox.ru
Code: [Select]
hxxp://instamfan.net/chan/cfg.bin
md5sum ===> 4513513ab9d68f3cf8baaaf07fecad93
Code: [Select]
hxxp://instamfan.net/chan/aol.exe
md5sum ===> 1b5bb2963c5f4d197a483cdd3474bf1c
http://www.virustotal.com/es/analisis/69374f88c6c0826c667c313e92105e2e5924e1969ba1f291e04d491b017e9020-1280272888
VT 0/42 (0%)
Title: Re: New Zeus server
Post by: jackberri on July 28, 2010, 06:56:39 am
IP Location: Moldova - STARNET-AS
IP 195.206.246.250
AS31252
Registrant/Registrant Email: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://update-java3.com/src/update2.set
md5sum ===> d17ccbd8db684a887ff7623ff6a29c88
Code: [Select]
hxxp://update-java3.com/src/ie82.chm
md5sum ===> d17ccbd8db684a887ff7623ff6a29c88
Code: [Select]
hxxp://update-java3.com/src/update1.exe
md5sum ===> 018418fb056a9563378f1d4f4197c0ec
http://www.virustotal.com/es/analisis/2a70f1b72bbf31824cb75a9bb5972ab93312714a29c2c4478687a21822b2671f-1280297738
VT 11/42 (26.2%)
Code: [Select]
hxxp://update-java3.com/aaaa/11g.php
Code: [Select]
hxxp://update-java3.com/src/time.exe
md5sum ===> 93e215db2982407425c311ccd0ab969e
http://www.virustotal.com/es/analisis/39552a5a1826cee9508271a11a015d0fc273ec86afc4eb2885cf1862cdd57b37-1280297892
VT 5/41 (12.20%)

new files:
Code: [Select]
hxxp://zouweengongohgaegeetiebi.com/bin/orahxa.bin
md5sum ===> 0f3025edc1f9a57f900f5459c1ecf093
Code: [Select]
hxxp://zouweengongohgaegeetiebi.com/xman/xman.bin
md5sum ===> afcf52d7f812c084816008ec0382a7cc
Code: [Select]
hxxp://zouweengongohgaegeetiebi.com/bin/orahxa.exe
md5sum ===> d4a9a0f90082268ebe5b0ecb8c0d8844
http://www.virustotal.com/es/analisis/8f7074c17844d70b1da84771256367d3d088f0d039ee7758475d9bba09b461c5-1280296925
VT 4/41 (9.76%)
Code: [Select]
hxxp://zouweengongohgaegeetiebi.com/xman/xman.exe
md5sum ===> 4bb5fb9ffe431a576d539ea50f927331
http://www.virustotal.com/es/analisis/ddbe98c4d3af92bd6446850665bf39df47edbf6f0c94666ed399e21e4cfd990b-1280298484
VT 8/42 (19.05%)
Code: [Select]
hxxp://zouweengongohgaegeetiebi.com/cp01/zen.php
hxxp://zouweengongohgaegeetiebi.com/xman/gogo.php
Title: Re: New Zeus server
Post by: jackberri on July 29, 2010, 11:16:57 am
IP 74.52.14.98
[zeus.facilwebzeus.com]
AS21844
Registrant/Registrant Email: Eduardo Gonzalo Lopez Carmona/drummermx311@hotmail.com
Code: [Select]
hxxp://ideoma.com.ve/images/bg4.jpg
md5sum ===> 014fd2317ec2f005e16ab63d1a683fd5
Code: [Select]
hxxp://ideoma.com.ve/images/img.exe
md5sum ===> dd61152d91f8373d2ce2191fa0bd460d
http://www.virustotal.com/es/analisis/2e21b53d48c47bbd2679823aae1f555bc9ffa70aa588495223be388560d4fd7a-1280400257
VT 5/42 (11.91%)
related:
Code: [Select]
hxxp://keybussines.com/soft/default.exe
md5sum ===> caf116d1dd8202f8395fe00ce9cae081
http://www.virustotal.com/es/analisis/61178bdea61f1cacdb2f1bee3d0ab75358fd77de6892b9269d33910d125e59d4-1280400874
VT 1/42 (2.39%)

IP 91.216.122.112
AS49544
Registrant Email: support@oliku.ru
Code: [Select]
hxxp://oliku.ru/images/1x1.gif
md5sum ===> 5d4947b067443ac26341096fad748184

IP 193.105.207.120
AS50793
Registrant/Registrant Email: Private Person/gavrilov81@mail.ru
Code: [Select]
hxxp://chudachok9.ru/botosinagoga/7-40.gif
md5sum ===> 2e9d7452513348300eb5a2679e8f7e59
Code: [Select]
hxxp://chudachok9.ru/botosinagoga/rapport.exe
md5sum ===> fb072e35eae74de781a7e5a71e1d7932
http://www.virustotal.com/analisis/37bf653d0d99893376d1a6af16333231928a5ced0e169a0f10ff7a278cf39514-1280145239
VT 11/42 (26.2%)

other malware:
Code: [Select]
hxxp://virtstat.com/2.exe
md5sum ===> 9209bcea94e4dc160587e64600a1297b
http://www.virustotal.com/es/analisis/607cca3df5f082e846227d8e4d6761ec8bc58b2bc046862892fb2f2bcf8399b7-1280390474
VT 7/42 (16.67%)
Title: Re: New Zeus server
Post by: jackberri on July 29, 2010, 04:59:31 pm
IP Location: United States - Endurance International Group - BIZLAND-ASN
IP 66.96.130.16
[16.130.96.66.static.eigbox.net]
AS29873
Registrant/Registrant Email: Bill Lilly/blilly@californialivingenergy.com
Code: [Select]
hxxp://califliving.com/images/zoom1.gif
md5sum ===> b94fb1a32bb3c1a57dc5a365c97d1750
http://www.virustotal.com/es/analisis/aa914e6495e5c2a09c7631052f69e7434e2e673981def019fe48f0ae555859ff-1280409188
VT 21/42 (50.00%)
related (already listed):
Code: [Select]
hxxp://linkbuilding.nl/boom.jpg
IP Location: Vietnam - QTSC-AS-VN Quang Trung Software City Development Company
IP 202.78.227.112
AS24085
Registrant/Registrant Email: Bernardo Smith/BernardoJSmith@example.com
Code: [Select]
hxxp://fortunametrila.com/~user0101/2065/bt/config.bin
md5sum ===> def02041851428bd06d785492038d927
Code: [Select]
hxxp://fortunametrila.com/~user0101/2065/bt/test2065.exe
md5sum ===> 80f2ed5c2d025fdf6655105d6956fa54
http://www.virustotal.com/es/analisis/65caccb1435115a741d8c58d5145987256b28c943fa2ea3a331943c228a80312-1280422469
VT 18/42 (42.86%)
Code: [Select]
hxxp://fortunametrila.com/~user0101/2065/gate.php
Title: Re: New Zeus server
Post by: jackberri on July 30, 2010, 09:14:10 am
IP Location:  Kazakhstan  - AlfaHost LLP. Route Object - ALFAHOSTNET Alfa-Host LLP.
IP 193.105.207.120
AS50793
Registrant/Registrant Email: Private Person/gavrilov81@mail.ru
Code: [Select]
hxxp://ferdinandi.ru/localhost/nat.bin
md5sum ===> 504776877383a44e4e31810b700b6daa
Code: [Select]
hxxp://ferdinandi.ru/localhost/nat.exe
md5sum ===> a87b87aa302a57c373932a9c830125d0
http://www.virustotal.com/es/analisis/797b09d48f9120928f3da37f5503e054a705a3498ac8f09a83749e1fa82b08c1-1280477368
VT 9/42 (21.43%)
Code: [Select]
hxxp://ferdinandi.ru/localhost/rapport.exe
md5sum ===> 32ea4b3c0162bd2044a2c6372f3250e0
http://www.virustotal.com/es/analisis/62a76f8fc576feadf9b0995725875ba8918cdf0a56751111f764b2fd8784a5c5-1280477175
VT 7/41 (17.08%)

IP Location:  China  - CHINA-TELECOM
IP 59.53.91.191
AS4134
Registrant/Registrant Email: Anna Veprinceva/nora@fastermail.ru
Code: [Select]
hxxp://pitorysoue.com/ptz/por.tu
md5sum ===> cee4f27b02d32347c6ed6d396df8cfb1
dropzone:
IP Location:  India  - ERNET India - ERX-ERNET-AS Education and Research Network India.
IP 144.16.111.140
[grid.puhep.res.in]
AS2697
Registrant/Registrant Email: Oksana Gerasimova/link@5mx.ru
Code: [Select]
hxxp://whiteagngo.com/prt/jkkoz.php
IP Location: Ukraine -
IP 188.95.159.28
AS196814
Registrant/Registrant Email: Viktor F Samoilenko/sol71@list.ru
Code: [Select]
hxxp://sthgsnhythsghxywtrs.in/admin/setup/data.bin
md5sum ===> 36eb1dffa297fa6fb3f9fd8f96f445e5
Title: Re: New Zeus server
Post by: jackberri on July 30, 2010, 10:29:24 pm
IP Location: Ukraine - GlobalRouting-NL-NET - INTERACTIVE3D-AS Interactive3D
AS49544
Code: [Select]
hxxp://195.78.108.181/eu5.bin
md5sum ===> 424166117c96e734f1a1cd018b8dfcf7
Code: [Select]
hxxp://195.78.108.181/eu5.exe
md5sum ===> 28541237db684b9333604165669e0d14
http://www.virustotal.com/es/analisis/82367080c644ec0a4e1bc9076def5f16458c2febd33cd57908cdb379ff316fa7-1280488108
VT 5/42 (11.91%)
Code: [Select]
hxxp://195.78.108.181/forum/gate.php
IP Location: Moldova - Najada route - INTERACTIVE3D-AS Interactive3D
IP 91.216.122.33
AS49544
Code: [Select]
hxxp://tomorrrrow.cc/beta1/beta1.cfg
md5sum ===> 41b1a1ca8dcb4aa4a8ed37164c8ccc77

IP Location: Ukraine - GlobalRouting-NL-NET - INTERACTIVE3D-AS Interactive3D
IP 193.109.246.220
AS43074
Code: [Select]
hxxp://hqll.ru/picture/gif.gif
md5sum ===> b11a665970fa429a20a62f12718916c9
Code: [Select]
hxxp://hqll.ru/picture/gaterrz.php
Title: Re: New Zeus server
Post by: jackberri on July 31, 2010, 08:08:47 pm
IP Location: Germany - ORG-nA8-RIPE - NETDIRECT AS
IP 212.95.32.248
AS28753
Registrant/Registrant Email: Derrick Grimes/ddgrimes@earthlink.net
Code: [Select]
hxxp://roideada.com/th.doc
md5sum ===> 1b6b585d6e04a6c45fb7e38a7e21f526
Code: [Select]
hxxp://roideada.com/hotfoundfile.php
IP Location: Malaysia - Piradius route object - PIRADIUS-AS PIRADIUS NET
IP 111.90.138.152
[111-90-138-152.pegashosting.com]
AS45839
Registrant ID: DI_11655454
Registrant Email: dfgertertdfgdfg@myself.com
Code: [Select]
hxxp://gloubergs.biz/abc/abc.bin
md5sum ===> bf322fea56f9d6e25f9b6c7926075eae
Code: [Select]
hxxp://gloubergs.biz/abc/abc.exe
md5sum ===> d5dd0609cb8091d66c86d2029eab65f2
http://www.virustotal.com/es/analisis/01d66849d303a66936adff215d3c481e594db4ab4e372d7494c9ecb7e5561e02-1280593502
VT 8/42 (19.05%)

Backdoor Sheldor
IP Location: Russian Federation - Keyweb AG IP Network - KEYWEB-AS
IP 95.169.190.224
[ns.km35228.keymachine.de]
AS31103
Registrant ID: DI_11520313
Registrant/Registrant Email: Alexander Tkachenko/snx777@mail.ru
Code: [Select]
hxxp://snxhost.in/tv777.exe
md5sum ===> 7bd14aff590db1fc8a7b2c3e3ba7dac0
http://www.virustotal.com/es/analisis/b8162c451a1a77ed42f1730d5ef122c9dd866870c78784b9f9b52be6a569dfb7-1280568273
VT 31/42 (73.81%)
dropzone:
IP Location: Russian Federation - Keyweb AG IP Network - KEYWEB-AS
IP 95.169.190.224
[ns.km35228.keymachine.de]
AS31103
Registrant/Registrant Email: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://aptb.net/tx7/gtx32.php
Title: Re: New Zeus server
Post by: jackberri on August 01, 2010, 02:27:40 pm
IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.6
AS29106
Registrant ID: CO718353-RT
Registrant/Registrant Email: max pet/maxpet1212@gmail.com
Code: [Select]
hxxp://ubuuntu.info/u2.so
md5sum ===> 1889ac0b273c9bb0aeae31c106668cf1
Code: [Select]
hxxp://ubuuntu.info/uk.php
related:
IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.107
AS29106
Registrant ID: CO701755-RT
Registrant/Registrant Email: max pet/maxpet1212@gmail.com
Code: [Select]
hxxp://livetrust.info/_3sun/crypt_KillEXE.exe
md5sum ===> fe892289e80c5a43008adeab12a44652
http://www.virustotal.com/es/analisis/1df52650d6c8448e3f07dc1c62d63e25f74a9e8c3cc0442fe06a8b2ed86774ba-1280671892
VT 20/42 (47.62%)
Title: Re: New Zeus server
Post by: jackberri on August 02, 2010, 10:51:52 am
IP Location: Russian Federation - DTZ-MOS-NET DTZ Debenham Zadelhoff LLC
IP 193.109.246.77
AS43074
Registrant/Registrant Email: Private Person/admin@alarmingzone.ru
Code: [Select]
hxxp://ghyas.ru/2a.bin
md5sum ===> 798f79b6dedd01b1de9d7671775d0b4e
Code: [Select]
hxxp://ghyas.ru/abc.php
IP Location: Netherlands - LeaseWeb AS
IP 95.211.129.43
[hosted-by.leaseweb.com]
AS16265
Registrant/Registrant Email: Volkaamens DataHome/vbastenstill@yahoo.com
Code: [Select]
hxxp://veridatalookup.com/ftp3287t32gu5yg3287g/config.bin
md5sum ===> c580bdcef0e64bf8d4a4b23e1302d499
Code: [Select]
hxxp://veridatalookup.com/ftp3287t32gu5yg3287g/mydata37g3f.php
hxxp://veridatalookup.com/ftp3287t32gu5yg3287g/rpp.exe
md5sum ===> eddab8f73f2b72b96fb9f15a574a1c14
http://www.virustotal.com/es/analisis/ae627b5e2e6242c5f0cc05ec2a14486feb86d33de186028116de97f990d838b4-1280742615
VT 3/42 (7.15%)

FAKE AV:
Code: [Select]
hxxp://store.natebennettfleming.com/main.php?i=Jc6vg9UVrvitihj7U8VCwpsXog==&e=3
md5sum ===> 590534bc85412af298d5f751117de896
http://www.virustotal.com/es/analisis/ad3d47f9732d4e69b6d53ff325ee202e9249de8a3f49ff2b61dfad912091de82-1280741025
VT 11/42 (26.2%)
related:
Code: [Select]
hxxp://tjwlkss.pohuy.ws
Title: Re: New Zeus server
Post by: jackberri on August 02, 2010, 07:36:08 pm
IP Location: China - CHINANET-BJ-METRO BeijingTelecom
IP 121.101.216.234
AS4847
Registrant/Registrant Email: Chang So/changso@yahoo.com
Code: [Select]
hxxp://cavemonsterfromhell.net/jabulani/config.bin
md5sum ===> 71d5da4ffea20a22f18bd7ba48da20cc
Code: [Select]
hxxp://cavemonsterfromhell.net/jabulani/fifaworldcup/jan.php
Title: Re: New Zeus server
Post by: jackberri on September 03, 2010, 09:20:33 am
IP Location: Kazakhstan - AlfaHost LLP. Route Object - ALFAHOSTNET Alfa-Host LLP
IP 193.105.207.105
AS50793
Registrant Email: dns@inkognittto.ru
Code: [Select]
hxxp://inkognittto.ru/wireshark/wire.raw
md5sum ===> 152e45400e2e68a1dd4ee7ccb2da0060
Code: [Select]
hxxp://wireshark/wireshark.exe
md5sum ===> cb74fb88f36b667e26f41671de8e1841
http://www.virustotal.com/file-scan/report.html?id=73b9732ff7e8464bc49b756d21bf291feaf00447b01d0769623379c1625c596e-1283504801
VT 5/43 (11.6%)
Code: [Select]
hxxp://inkognittto.ru/wireshark/sniff.php
Title: Re: New Zeus server
Post by: jackberri on September 04, 2010, 03:54:07 pm
IP Location: Iran - DCI-Route - DCI-AS DCI Autonomous System Data communication Company of Iran
IP 78.39.243.50
AS12880
Registrant/Registrant Email: Andrey Malkov/admin@first-wave-aug.com
Code: [Select]
hxxp://first-wave-aug.com/EUADM/conf_uk01.bin
md5sum ===> 31147dc05d1eac3b91470b67d1174f83
Code: [Select]
hxxp://first-wave-aug.com/EUADM/gotobot.php
Code: [Select]
hxxp://first-wave-aug.com/EUADM/rapport.exe
md5sum ===> e6f3d5b66fe92432e1d8c9a585eec8ea
http://www.virustotal.com/file-scan/report.html?id=b070196d76c262e8af803499af76c0474ac1927256c3f5fa8c81570d4f270c19-1283615030
VT 22/43 (51.2%)
Title: Re: New Zeus server
Post by: jackberri on September 05, 2010, 07:54:00 am
IP Location: United States - Proxy-registered route object
IP 173.242.114.146
AS46664
Registrant/Registrant Email: Chang So/changso@yahoo.com
Code: [Select]
hxxp://festivaloffire.net/augur/cfg.bin
md5sum ===> efe005636b6e29d96ea33d0bd8e81fdd
Code: [Select]
hxxp://festivaloffire.net/augur/hanna/power.php
Title: Re: New Zeus server
Post by: jackberri on September 05, 2010, 12:02:17 pm
IP Location: Latvia - ALTNET - ALTNET-LV DG Holding SIA
IP 195.3.145.92
AS41390
Registrant ID: DI_12346142
Registrant/Registrant Email: Max Ali/max.ali@live.com
Code: [Select]
hxxp://zsbiznet.in/php/cfg002.bin
md5sum ===> 8a10fcdca608fc237a9206ed8872e066
Code: [Select]
hxxp://zsbiznet.in/php/002.exe
md5sum ===> 0ebde2c89c40493f9c6ca2f9a46a830c
https://www.virustotal.com/file-scan/report.html?id=798093458211da6a0aa0f4951088ce06fcbc029e127e7f37d00f3c6361e2dd30-1283686469
VT 21/43 (48.8%)
Code: [Select]
hxxp://zsbiznet.in/php/gate.php
IP Location: Romania - STARNET-AS
IP 195.206.246.40
AS31252
Registrant ID: TOD-42526144
Registrant/Registrant Email: Jozef Bogdanowitch/bingobingo@gmail.com
Code: [Select]
hxxp://bingoshow.org/new_game/index/gort.so
md5sum ===> 8d55a6d1ddf095dd971b6d430651e242
Code: [Select]
hxxp://bingoshow.org/new_game/202.php
IP Location: Latvia - LATNET - LatnetServiss-AS
IP 159.148.117.159
AS2588
Registrant/Registrant Email: Leonid S Virov/admin@secr86838.com
Code: [Select]
hxxp://secr86838.com/f34r3regwrew/d34f34r335z.bin
md5sum ===> d3085218b21483adde20990e461e8b3c
Title: Re: New Zeus server
Post by: jackberri on September 06, 2010, 05:13:04 pm
IP Location: Moldova - STARNET-AS
IP 195.5.161.5
AS31252
Registrant/Registrant Email: Arnold Gee/listrecilert@yahoo.com
Code: [Select]
hxxp://gizmatool.net/server/config.bin
md5sum ===> 264336e8bbc6a3ce6bd73f560fc76e6f
Code: [Select]
hxxp://gizmatool.net/server/gate.php
IP Location: China - CNC Group CHINA
LFT trace to tenziloper.com
[4837] [target open] 221.10.252.223
Registrant/Registrant Email: Sharon Lewers/d6eb7c720e608061729450f83e4ad10584976080@whois.gkg.net
Code: [Select]
hxxp://tenziloper.com/percent/update.bin
md5sum ===> 756f826d4c40340cc064860dbcaf6285
Code: [Select]
hxxp://tenziloper.com/percent/update.exe
md5sum ===> 1a018e43fd4ceb71a3b783d67a22c3bd
http://www.virustotal.com/file-scan/report.html?id=d74ad3e40d587ac2207c340cf42cab2e0656c1e8cbfcd5a7a59cfc44a99465ec-1283792157
VT 19/43 (44.2%)
Code: [Select]
hxxp://tenziloper.com/percent/update.php
config file for Spyeye:
IP Location: Russian Federation - Antaro Ltd
[hosted-by.antaro-hosting.ru]
AS12695
Code: [Select]
hxxp://195.88.208.250/maincp/bin/config.bin
md5sum ===> 0eb9772e8065cedc0f3bacdd3b818b50
pending:
Code: [Select]
hxxp://195.88.208.250/maincp/bin/upload/
Title: Re: New Zeus server
Post by: jackberri on September 08, 2010, 08:15:41 am
IP Location: United States - Proxy-registered route object
IP 173.242.114.146
AS46664
Registrant/Registrant Email: Chang So/changso@yahoo.com
Code: [Select]
hxxp://nagatkeaneworld.net/nagakeane/config.bin
md5sum ===> d82afbc19efeb0a40af35bbf1462620d
Code: [Select]
hxxp://nagatkeaneworld.net/nagakeane/peacesoldier/roulet.php
IP Location: China - China Telecom jiangsu Province
IP 218.93.205.105
AS4134
Registrant/Registrant Email: maxim solncev/sonverr@gmail.com
Code: [Select]
hxxp://rapsvsvsn21.net/urla/c2.bin
md5sum ===> c1cb2e663b8864e104ebb672c4d03a28
Title: Re: New Zeus server
Post by: jackberri on September 08, 2010, 09:26:04 am
IP Location: United States - SP1 datacenter - Yahoo-SP1
IP 67.195.140.220
[p8p1.geo.sp2.yahoo.com]
AS36752
Registrant Email: contact@myprivateregistration.com
Code: [Select]
hxxp://varvavabest.com/config.bin
md5sum ===> a6d54f8a6aa001e30353b5684bbdcc9b
Code: [Select]
hxxp://varvavabest.com/bot.exe
md5sum ===> 41298cedbef6979dcdb54ae1d9f4db4f
http://www.virustotal.com/file-scan/report.html?id=c179d848f0b6e65baa3c7ff96a04ef1f3c3c11521f2a7586354a6fc8f7d992a7-1283937399
VT 26/41 (63.4%)
Code: [Select]
hxxp://varvavabest.com/redir.php
Title: Re: New Zeus server
Post by: jackberri on September 09, 2010, 08:53:29 am
IP Location: Moldova - STARNET-AS
IP 195.5.161.192
AS31252
Registrant/Registrant Email: Marcello Bologna/admin@greyrace8872.com
Code: [Select]
hxxp://interparceltd.com/xed/config.bin
md5sum ===> 47c3f75d316e162423096dd4fb5fa27f
Code: [Select]
hxxp://interparceltd.com/xed/yourbot.exe
md5sum ===> e16513ca4759f296acbed14f26495c1d
http://www.virustotal.com/file-scan/report.html?id=b35c774dc4320413e5bb1d82ee316e70d1b07eef34be837fae5481f02ecc61bb-1284021738
VT 11/43 (25.6%)
Code: [Select]
hxxp://interparceltd.com/xed/config.bin
IP Location: Suriname - GlobalNET Bosnia - BA-GLOBALNET-AS
IP 77.78.248.75
AS42560
Registrant/Registrant Email: Georgy Lamakov/admin@onlinefinancesecurity.net
Code: [Select]
hxxp://yourbankingsecurity.com/trololo/igrek.iks
md5sum ===> 0e15740410482eb86d1050f57099f17e
Code: [Select]
hxxp://yourbankingsecurity.com/zerkalo.php
Title: Re: New Zeus server
Post by: jackberri on September 10, 2010, 11:26:47 am
Code: [Select]
hxxp://113.11.194.152/us27/usdase.db
md5sum ===> 1946ef16e5cc83ddbe91950bf60cf3ba
Code: [Select]
hxxp://113.11.194.152/us27/us.exe
md5sum ===> 2e860582172ee256abf515c476ac1718
http://www.virustotal.com/file-scan/report.html?id=0bb8230cc9dd45f87267d5a22fa62294136870560806b68cd673319e7d5ab66e-1284111787
VT 14/42 (33.3%)
Code: [Select]
hxxp://91.216.215.101/woops/ttf.php
Title: Re: New Zeus server
Post by: jackberri on September 10, 2010, 11:29:22 pm
IP Location: Czech Republic - Softel Consulting s.r.o
IP 193.104.146.65
AS50134
Code: [Select]
hxxp://tsd1online.com/f_32thg2ihfloeil/yif3hj373959fd/up2/mxconfig.bin
md5sum ===> fb063c4bb547d0d2d08647c5460c103a
Code: [Select]
hxxp://tsd1online.com/f_32thg2ihfloeil/yif3hj373959fd/up2/bot_upp2_6.exe
md5sum ===> f0118c4e79b3189a37ee198a3a3ca557
http://www.virustotal.com/file-scan/report.html?id=d2fa8a12604abd3186f7afcb845bed492633c987f08778c48271a8d83ea0221e-1284160923
VT 15/43 (34.9%)
Code: [Select]
hxxp://tsd1online.com/f_32thg2ihfloeil/yif3hj373959fd/gate_38g72fugh32ufi.php
Code: [Select]
hxxp://tsd1online.com/f_32thg2ihfloeil/yif3hj373959fd/rprt_315.exe
md5sum ===> 88744a40f85d0d148bebbf9e26c8f018
http://www.virustotal.com/file-scan/report.html?id=f3c43e4b3a88fff78616adf22c33e16cf5cf4699bb7f7d0d6dcab5819c2bdb62-1284161692
VT 4/43 (9.3%)
Title: Re: New Zeus server
Post by: jackberri on September 11, 2010, 11:39:36 am
IP Location: Netherlands - ECATEL-AS
[hosted-by-ecatel.net]
AS29073
Code: [Select]
hxxp://94.102.51.38/sasmate/sas.exe
md5sum ===> 7d010f60efa087953dc7827391481cda
http://www.virustotal.com/file-scan/report.html?id=1c32982c2e626f4cb61f74c4b2d09157b93495c54f5ba3a1d4fe2ce9668e4ea1-1284204454
VT 7/42 (16.7%)
related (already listed):
Code: [Select]
hxxp://nfruhskhfts.com/bs/nal.bin
Title: Re: New Zeus server
Post by: jackberri on September 11, 2010, 04:18:58 pm
IP Location: France - PROXAD Free SAS
IP 78.235.237.55
[sgn49-1-78-235-237-55.fbx.proxad.net]
AS12322
Registrant/Registrant Email: Tammy Holley/rexona1948@live.com
Registrant/Registrant Email: Sondra Bozard/procesingp@yahoo.com
Code: [Select]
hxxp://eminemm.net/~usa/us/img/init.bin
hxxp://platinumalbumm.com/~usa/us/img/init.bin
md5sum ===> c238be1a7cbceab3262b08fbf928b9a7
Code: [Select]
hxxp://eminemm.net/~usa/us/img/rent_jaba.exe
hxxp://platinumalbumm.com/~usa/us/img/rent_jaba.exe
md5sum ===> a66ffc9159456792cc87f5f7b5fd9d10
http://www.virustotal.com/file-scan/report.html?id=9470a6f789cf7bd4d9e338a391c25268960080b64a4fb152f65d876729627949-1284220915
VT 19/42 (45.2%)
Code: [Select]
hxxp://eminemm.net/~usa/us/img/rent_jaba2.exe
hxxp://platinumalbumm.com/~usa/us/img/rent_jaba2.exe
md5sum ===> c077bbf21959ac104e3898b0505a0ad1
http://www.virustotal.com/file-scan/report.html?id=1a00774fc6798b2145774cc180ed5b7109af6faaedfd9d5747500be39d4ca807-1284220945
VT 19/40 (47.5%)
Code: [Select]
hxxp://eminemm.net/~usa/us/img/rent_jaba3.exe
hxxp://platinumalbumm.com/~usa/us/img/rent_jaba3.exe
md5sum ===> 390f232ccba503b33b89ae0044c07030
http://www.virustotal.com/file-scan/report.html?id=5ceb9c66249f0df60f80625b755862aeec4d1ca077be74f100f834d95afbc5d3-1284220894
VT 5/43 (11.6%)
Code: [Select]
hxxp://eminemm.net/~usa/us/img/2070.exe
hxxp://platinumalbumm.com/~usa/us/img/2070.exe
md5sum ===> 665f2f38ffd51675aead02837bf1275f
http://www.virustotal.com/file-scan/report.html?id=4a58303897fdafea1f030a1bfaaafa325a5f839ec42822a9740dd4f7c217074d-1284220924
VT 13/43 (30.2%)
Code: [Select]
hxxp://eminemm.net/~usa/us/img/2070.jpg
hxxp://platinumalbumm.com/~usa/us/img/2070.jpg
md5sum ===> 25f9e03ae83b9e8783cbd472f261a97d
http://www.virustotal.com/file-scan/report.html?id=da96109628e8c53a975be129eeccc074a47c37bd276e872af43a11c86d7eba51-1284220932
VT 17/43 (39.5%)
Code: [Select]
hxxp://eminemm.net/~usa/us/img/sep_02.exe
hxxp://platinumalbumm.com/~usa/us/img/sep_02.exe
md5sum ===> 952541082fb78db4504706b81abaf1d4
http://www.virustotal.com/file-scan/report.html?id=0a7c7206533fcbaac91c0e6c7f8e912932db598783d367ebb8e534118b2b858a-1284220886
VT 7/42 (16.7%)
Code: [Select]
hxxp://eminemm.net/~usa/us/img/shd093js.jpg
hxxp://platinumalbumm.com/~usa/us/img/shd093js.jpg
md5sum ===> e6d37230df1e94d1c9a0f552d4d8fb1b
http://www.virustotal.com/file-scan/report.html?id=df566662f56d40210f4df59cf87a0a1c54da672dad216d3062b6b578c4541c09-1284220877
VT 8/43 (18.6%)
Code: [Select]
hxxp://eminemm.net/~usa/us/shluz.php
hxxp://platinumalbumm.com/~usa/us/shluz.php
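The listings in this thread all follow one loose shape: a defanged hxxp:// URL (sometimes several mirrors in one code block), an `md5sum ===>` line for the file behind it, a VirusTotal link with a `VT n/m` detection count, and the hosting IP and AS a few lines above. The parser below is an added example written for this page, not code from the Malware Domain List forum or any of its posters; it turns one post into records and a host blocklist. The record layout, the regexes and the grouping rule (every URL under one `Code: [Select]` header shares the md5sum and VT lines that follow it) are this example's own assumptions, and the sample text is a few lines copied from the post above, including one line where the board's export has fused `md5sum ===>` onto the end of the URL.

```python
"""Parser for the IOC listing format used in this thread (added example).

Assumptions, not from the page: the Ioc record layout, the regexes, and the
rule that every URL under one 'Code: [Select]' header shares the md5sum and
VT lines that follow it.  SAMPLE_POST is copied from the post above, with one
line fused the way the board's export fuses them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

URL_RE = re.compile(r"hxxps?://\S+")
MD5_RE = re.compile(r"md5sum\s*===>\s*([0-9a-fA-F]{32})")
VT_RE = re.compile(r"^VT\s+(\d+)/(\d+)")
IP_RE = re.compile(r"^IP\s+(\d{1,3}(?:\.\d{1,3}){3})")
AS_RE = re.compile(r"^AS(\d+)\b")
# Text the export glues onto the end of a URL when a code block closes.
FUSED_SUFFIXES = ("md5sum", "related:")

SAMPLE_POST = """\
IP Location: France - PROXAD Free SAS
IP 78.235.237.55
AS12322
Code: [Select]
hxxp://eminemm.net/~usa/us/img/init.bin
hxxp://platinumalbumm.com/~usa/us/img/init.bin
md5sum ===> c238be1a7cbceab3262b08fbf928b9a7
Code: [Select]
hxxp://eminemm.net/~usa/us/img/rent_jaba.exemd5sum ===> a66ffc9159456792cc87f5f7b5fd9d10
VT 19/42 (45.2%)
Code: [Select]
hxxp://eminemm.net/~usa/us/shluz.php
"""


@dataclass
class Ioc:
    url: str                         # refanged http:// URL
    host: str
    ip: Optional[str] = None         # nearest "IP x.x.x.x" line above the URL
    asn: Optional[int] = None
    md5: Optional[str] = None        # md5sum line in the same code block
    vt_detections: Optional[int] = None
    vt_engines: Optional[int] = None


def refang(defanged: str) -> str:
    """hxxp:// -> http://; drop text fused onto the path; fix 'hxxp:///'."""
    url = defanged
    for suffix in FUSED_SUFFIXES:
        if url.endswith(suffix):
            url = url[: -len(suffix)]
    url = re.sub(r"^hxxp", "http", url)
    return re.sub(r"^(https?://)/+", r"\1", url)


def parse_post(text: str) -> List[Ioc]:
    """Turn one post into Ioc records, in the order the URLs appear."""
    records: List[Ioc] = []
    group: List[Ioc] = []        # URLs under the current 'Code:' header
    ip: Optional[str] = None
    asn: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("Code:", "Title:")):
            group = []
            continue
        if m := IP_RE.match(line):
            ip = m.group(1)
            continue
        if m := AS_RE.match(line):
            asn = int(m.group(1))
            continue
        if m := VT_RE.match(line):
            for rec in group:
                rec.vt_detections, rec.vt_engines = int(m.group(1)), int(m.group(2))
            continue
        for found in URL_RE.findall(line):
            url = refang(found)
            rec = Ioc(url=url, host=urlsplit(url).hostname or "", ip=ip, asn=asn)
            records.append(rec)
            group.append(rec)
        # A standalone md5sum line, or one fused onto the URL just added.
        if m := MD5_RE.search(line):
            for rec in group:
                rec.md5 = m.group(1).lower()
    return records


def blocklist_hosts(records: List[Ioc]) -> List[str]:
    """Unique hostnames, sorted, ready for a DNS RPZ or proxy deny list."""
    return sorted({rec.host for rec in records if rec.host})


if __name__ == "__main__":
    recs = parse_post(SAMPLE_POST)
    for rec in recs:
        print(rec.url, rec.md5, rec.vt_detections, rec.vt_engines, rec.ip, rec.asn)
    print("hosts:", blocklist_hosts(recs))
```

Hostnames are taken from the URL, not from the "IP" line, because the same IP often carries several domains in these posts and a DNS block on the domain survives the operator moving hosts; the IP and AS are kept on each record for the network-side block. Feed the whole thread through `parse_post` and the duplicate mirror URLs collapse naturally in `blocklist_hosts`.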
Title: Re: New Zeus server
Post by: jackberri on September 11, 2010, 06:24:28 pm
IP Location: Netherlands - MTO Telecom inc. Proxy Route Object Gogax - Maintainer for Tenino Telephone
[elixir.healthtopicstoday.com]
AS21793
Code: [Select]
hxxp://76.76.96.188/ps/hu.exe
md5sum ===> d1a83126f62b036428aa1bd813443b37
http://www.virustotal.com/file-scan/report.html?id=8af625dea5a638825673a5668a2aa6a00cc79861d66e6c18b3860336e7949e3b-1284228998
VT 7/42 (16.7%)
related (already listed):
Code: [Select]
hxxp://nfruhskhfts.com/bs/lusa.bin
Title: Re: New Zeus server
Post by: jackberri on September 12, 2010, 12:31:34 pm
IP Location: Russian Federation - INTERA-AS Zhek-Universal Ltd
IP 194.79.250.57
AS48876
Registrant/Registrant Email: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://pnp2biztracker.com.tw/bin/allis.js
md5sum ===> 2abcabf03d5ea32098109f099099a55a
Code: [Select]
hxxp://pnp2biztracker.com.tw/zs2biz/vorota.php
Title: Re: New Zeus server
Post by: jackberri on September 12, 2010, 07:05:11 pm
IP Location: Belize - ORG-nA8-RIPE - NETDIRECT AS
IP 188.72.199.43
[188.72.199.43.vps.network.paylicense.net]
AS28753
Registrant: Dan Henry Nicolson
Code: [Select]
hxxp://poolkill.co.uk/browers.bin
md5sum ===> b7529dc60e85d8edb533d70e906a1058
Code: [Select]
hxxp://poolkill.co.uk/green/hoip.php
Title: Re: New Zeus server
Post by: jackberri on September 13, 2010, 02:13:37 pm
IP Location: Russian Federation - INTERA NET - INTERA-AS
IP 194.79.250.56
AS48876
Registrant/Registrant Email: Private Person/admin@alarmingzone.ru
Code: [Select]
hxxp://gyahw.ru/2d.bin
md5sum ===> 50ff29c3cc497398bbe0db997f676c1f
Code: [Select]
hxxp://gyahw.ru/1.php
Title: Re: New Zeus server
Post by: jackberri on September 13, 2010, 08:19:58 pm
IP Location: Taiwan - KBT Koos Broadband Telecom
IP 61.63.60.123
[61-63-60-host123.kbtelecom.net.tw]
AS18042
Registrant/Registrant Email: Igor Darenko/coed@qx8.ru
Code: [Select]
hxxp://ya-beep.net/x8000_z/utoo.jpg
md5sum ===> dfa258baa41d3c5d9916a150f72f82b0
Code: [Select]
hxxp://ya-beep.net/x8000_z/dfj3i20jdss3fn.php
Title: Re: New Zeus server
Post by: jackberri on September 15, 2010, 06:55:25 am
Registrant/Registrant Email: Bailey H. Hardee/BaileyHHardee@example.com
Code: [Select]
hxxp://gfguhsdig.com/simpsons/qweqwe.img
md5sum ===> f200e9c37f51d3b407be627bbb26cf9b
Code: [Select]
hxxp://gfguhsdig.com/simpsons/wert.php
related:
Code: [Select]
hxxp://perscrt.com/rz/report.php
Title: Re: New Zeus server
Post by: jackberri on September 17, 2010, 03:09:26 pm
IP Location: Moldova - GlobalNET Bosnia - BA-GLOBALNET-AS
IP 77.78.240.36
AS42560
Registrant ID: CR62596107
Registrant/Registrant Email: Rasmus Nielsen/rasmusnielsen@email.com
Code: [Select]
hxxp://thereisnoss.biz/quote/config.bin
md5sum ===> 1c4fa4f53402027813568a35c149ba1c
Code: [Select]
hxxp://thereisnoss.biz/quote/bot.exe
md5sum ===> d46b2e5e869e1eed4f6d7ca7dee03ecd
http://www.virustotal.com/file-scan/report.html?id=aa9dc6bdb3e8ec7b34b0a901fa43068573505a248059acbea54abec3f818bb8f-1284735390
VT 5/43 (11.6%)
Code: [Select]
hxxp://thereisnoss.biz/quote/gate.php
Title: Re: New Zeus server
Post by: jackberri on September 17, 2010, 07:02:07 pm
IP Location: China - CHINA-TELECOM
IP 218.93.248.112
AS4134
Registrant/Registrant Email: Vladimir Dudnik/pizza@fastermail.ru
Code: [Select]
hxxp://jadesquadg.com/eso/esa.sp
md5sum ===> 928dd2063751f25401ed420904f23e87
dropzone:
Code: [Select]
hxxp://gnomsmotor.ru/esp/gujoh.php
Title: Re: New Zeus server
Post by: jackberri on September 18, 2010, 06:01:29 am
IP Location: United States - Huge Hosting ARIN Allocation - DATA393 - Datacenter INV01
IP 65.38.168.180
[2red.veraserve.com]
AS29863
Registrant/Registrant Email: John Wilt/jcwilt@sbcglobal.net
Code: [Select]
hxxp://pharmprops.com/images/hep1020.gif
md5sum ===> 6db54c0b8c47aca9da8e19e426630994
Code: [Select]
hxxp://keybizz.org/soft/new/ie.exe
md5sum ===> 7a34fa585c794a90c7ca79b28bc1bee3
http://www.virustotal.com/file-scan/report.html?id=fd15059d479a863a74af4fb614cd55f07eb7f6ece34ee4603dfcb2650b6cdb1d-1284788361
VT 3/42 (7.1%)
Title: Re: New Zeus server
Post by: jackberri on September 18, 2010, 07:30:01 pm
Registrant: Plane, Pearlie
Code: [Select]
hxxp://mysamsungapps.net/29akscfg/9lsasmysamsungapps.jpg
md5sum ===> d5d5ffd9f0047e6dc3bddf7e6db0aeaa
Code: [Select]
hxxp://mysamsungapps.net/samsung/samsung.php
Title: Re: New Zeus server
Post by: jackberri on September 21, 2010, 06:20:33 am
Registrant/Registrant Email: Ananoliy Kunirkin/boa@maillife.ru
Code: [Select]
hxxp://seowindow.net/x8000_b/htv.jpg
md5sum ===> 9c4021a51b89ceaeace330469d5a17a9
Code: [Select]
hxxp://seowindow.net/x8000_b/dfj3i20jdss3fn.php
Title: Re: New Zeus server
Post by: jackberri on September 21, 2010, 04:53:44 pm
IP Location: Russian Federation - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.19
AS29106
Registrant/Registrant Email: Anton Petushkov/antonpetushkov@yahoo.com
Code: [Select]
hxxp://inweb11.com/ca1.so
md5sum ===> 0387ed3630b9d3aae7e129501c2a0445
Code: [Select]
hxxp://inweb11.com/index.php
Title: Re: New Zeus server
Post by: jackberri on September 30, 2010, 12:48:08 pm
IP Location: Russian Federation - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.19
AS29106
Registrant/Registrant Email: Anton Petushkov/antonpetushkov@yahoo.com
Code: [Select]
hxxp://panavan10.com/paf.so
md5sum ===> b2550fec9af91c7ecc8babc8ec6f73b1
Code: [Select]
hxxp://panavan10.com/stats.php
Title: Re: New Zeus server
Post by: jackberri on October 01, 2010, 03:36:35 am
IP Location: Kazakhstan - ALFAHOSTNET Alfa-Host LLP
IP 193.105.207.104
AS50793
Registrant/Registrant Email: Private Person/dns@inkognittto.ru
Code: [Select]
hxxp://peeeeee.ru/support/oem/support/price.xml
md5sum ===> e74098c963da611c053b6a9cf62bf1b3
Code: [Select]
hxxp://peeeeee.ru/support/oem/support/oem.exe
md5sum ===> d0951209c5f3bf14f6392f2201a3859e
http://www.virustotal.com/file-scan/report.html?id=9bc70549fdc968bf8614434b35f3242469801c086225b25cae89c2da610cf4dc-1285853332
VT 13/43 (30.2%)
Code: [Select]
hxxp://peeeeee.ru/support/oem/support/support.php
IP Location: Kazakhstan - ALFAHOSTNET Alfa-Host LLP
IP 193.105.207.120
AS50793
Registrant/Registrant Email: Private Person/dns@stolimonov.ru
Code: [Select]
hxxp://dvestekkk.ru/404/lock/404.htaccess
md5sum ===> 756730837b91dfa25c77c4046c2c977c
Code: [Select]
hxxp://dvestekkk.ru/404/lock/404.exe
md5sum ===> b23d9ad64cbaaaed4b58e8d9dc9f51de
http://www.virustotal.com/file-scan/report.html?id=c40aaf2dbcca1f4afa0de3e6a6e85dab39bec6b7926588dac2fa5d1443746481-1285903433
VT 22/43 (51.2%)
Code: [Select]
hxxp://dvestekkk.ru/404/lock/block.php
related:
Code: [Select]
hxxp://sworo.ru/localpeer/uttorent-updates/ip.txt
md5sum ===> 756730837b91dfa25c77c4046c2c977c
Code: [Select]
hxxp://sworo.ru/localpeer/uttorent-updates/2.4.exe
md5sum ===> c4e28e07ebb3a69fd165977f0331f1c5
http://www.virustotal.com/file-scan/report.html?id=83c1f54f0704b79cf1a6221fa6614a635ba2288bd907c91d2d7f89fceaeae6c0-1285903574
VT 3/42 (7.1%)
Code: [Select]
hxxp://sworo.ru/localpeer/uttorent-updates/utupdates.php
Title: Re: New Zeus server
Post by: jackberri on October 01, 2010, 02:38:34 pm
IP Location: Russian Federation - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.18
AS29106
Registrant/Registrant Email: Anton Petushkov/antonpetushkov@yahoo.com
Code: [Select]
hxxp://pro100to.com/ca12.so
md5sum ===> e3e92fe039e7f5d49f2caf23a629e963
Code: [Select]
hxxp://pro100to.com/index.php
IP Location: Russian Federation - Telos-Solutions-AS
IP 91.212.127.43
AS49087
Registrant/Registrant Email: Private Person/ol.feodosoff@yandex.ru
Code: [Select]
hxxp://padreim.ru/wbc/avg/index.php
Code: [Select]
hxxp://193.41.38.121/kazaki.bin
md5sum ===> 88d7daaa0713d6ff35ce2f8d9e3b3060
Title: Re: New Zeus server
Post by: jackberri on October 02, 2010, 09:01:07 am
IP Location: Moldova - STARNET-AS
IP 195.206.246.92
AS31252
Name Server: NS1.DNS-DIY.NET
Name Server: NS2.DNS-DIY.NET
Registrant ID:OLNI20163400
Registrant/Registrant Email: Mitley Noider/admin@hp3qvb.in
Code: [Select]
hxxp://hp3qvb.in/php/cfg004.bin
md5sum ===> cf5f028a3f64945b1fe234c74917d361
Code: [Select]
hxxp://hp3qvb.in/php/IXsNjAfsRc1D.php
related zeusbotnet malware:

IP Location: Germany - HETZNER-RZ-FKS-BLK2
IP 178.63.123.226
[static.226.123.63.178.clients.your-server.de]
AS24940
ns2.vps-server.ru         
ns1.vps-server.ru
Registrant/Registrant Email: Aleksey Kolesnikov/wblake77@gmail.com
Code: [Select]
hxxp://gamersclubonline.net/gbot/s.cgi?q=WVQMBQMGBxZTDQADZDw0MTI2JmM%3D
md5sum ===> d6d1a02b8da728ca0ac8e2cd4c979e4d
http://www.virustotal.com/file-scan/report.html?id=c7814002171e08d9e4a13288178498a463a8d0d48ebba3de3ad64e926dd3a8ee-1286009006
VT 7/43 (16.3%)
Code: [Select]
hxxp://gamersclubonline.net/gbot/sc.cgi?q=%2BI1O0fpZrz3y1EAcp6IclMGl6Q%3D%3D
Title: Re: New Zeus server
Post by: jackberri on October 02, 2010, 02:38:15 pm
IP Location: Russian Federation - ENCORE-NET
IP 91.216.215.195
AS51274
Name Server:ns1.promodns.ru             
Name Server:ns2.promodns.ru
Registrant/Registrant Email: Private Person/dns@visitmygame.ru
Code: [Select]
hxxp://visitmygame.ru/cfg/12visitmygame.jpg
md5sum ===> aa292470e7786a4bfa21dd59f82de3cd
Code: [Select]
hxxp://visitmygame.ru/mail/mail.exe
md5sum ===> b9548be2563bf4734747bd7d52b47287
http://www.virustotal.com/file-scan/report.html?id=7b22b853beaaf63c0557acb069082554d2f2c9ba07bafd5d1afabcef06733663-1286029941
VT 9/43 (20.9%)
Code: [Select]
hxxp://visitmygame.ru/yahoo/yahoo.php
Title: Re: New Zeus server
Post by: jackberri on October 02, 2010, 05:10:33 pm
IP Location: Malaysia - MYKRIS-AS-MY
IP 27.131.32.153
[static-27-131-32-153.mykris.net]
AS23678
Name Server: ns1.freedns.ws             
Name Server: ns2.freedns.ws
Registrant/Registrant Email: Mark C Thomas/mcthomas34@first-host.net
Code: [Select]
hxxp://smartsall.com/gb2/misc
md5sum ===> 983929d6286f16f7b93c2df79d21cdc2
Code: [Select]
hxxp://smartsall.com/xml/googleads.php
Code: [Select]
hxxp://bingoso.net/ggg/mbzuchi.exe
md5sum ===> c712c54779c89b0c800a302ad2c8c66f
http://www.virustotal.com/file-scan/report.html?id=ee3b8faf28052a5b790a4e548d43d29a786e557d9efba31f5c4c67f006e30fe1-1286038024
VT 35/42 (83.3%)
Code: [Select]
hxxp://bingoso.net/nnn/miirzuchi.exe
md5sum ===> c90c93e82741d0fb41573ea246030d96
http://www.virustotal.com/file-scan/report.html?id=80bef850e901beb023a502704710014032733e8813de7f4f22af06d63677bc94-1286038827
VT 25/43 (58.1%)
Code: [Select]
hxxp://nonameal.com/www/mmrziche.exe
md5sum ===> ad877b77745990da981a13b6ddf5864d
http://www.virustotal.com/file-scan/report.html?id=c9347d8c4cc0ee72f7c840748bc21fe6dfd4d1c12d58f1c306cdb23780e785da-1286038361
VT 33/43 (76.7%)
Title: Re: New Zeus server
Post by: jackberri on October 03, 2010, 08:50:57 am
Code: [Select]
hxxp://195.226.197.100/~hosting/kl/ukdase.db
md5sum ===> c8448ad47eb199c5458af80cf1e10ff3
Code: [Select]
hxxp://195.226.197.100/~hosting/kl/uk-kl.exe
md5sum ===> 929497489f0598e4e013131eadf522b9
http://www.virustotal.com/file-scan/report.html?id=ba36915fbf624eb4614354187b468989cc22a90da94b47037eefc64100a42dea-1286092454
VT 22/43 (51.2%)
dropzone:
Code: [Select]
hxxp://195.226.197.24/sas/ttf.php
Title: Re: New Zeus server
Post by: jackberri on October 03, 2010, 04:34:43 pm
Registrant/Registrant Email: Oksana Boiko/loom@maillife.ru

Code: [Select]
hxxp://tutubest.net/20aug_birdie.cpm
md5sum ===> 7f1504675467461cf29a13d457916d87
Code: [Select]
hxxp://tutubest.net/20aug_birdie.exe
md5sum ===> 2637013044d4080efe160d10b686f250
http://www.virustotal.com/file-scan/report.html?id=5088e238bc2bc314512f00f2d5a22f83d8dc6c01b6f109ff2e105fa2013574b2-1286123241
VT 0/43 (0.0%)
Code: [Select]
hxxp://tutubest.net/yahooman.php
related:
Code: [Select]
hxxp://dzenhottoo.cc
Title: Re: New Zeus server
Post by: jackberri on October 04, 2010, 11:40:21 am
IP Location: Russian Federation - INTERA-AS Zhek-Universal Ltd
IP 194.79.250.54
AS48876
Name Server: ns13.zoneedit.com             
Name Server: free02.editdns.net
Registrant/Registrant Email: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://biztracker24.com.tw/bin/allis.js
md5sum ===> aa25196f45a54622fc821befde22ba17
Code: [Select]
hxxp://biztracker24.com.tw/biz2zs/ttss.exe
md5sum ===> 8a90eea70deb1b278efdceb236025149
http://www.virustotal.com/file-scan/report.html?id=18e1be91f06da99ce70ccc0885b200d0d94400c27a26516a28f9e619f9fe090e-1286192156
VT 24/43 (55.8%)
Code: [Select]
hxxp://biztracker24.com.tw/biz2zs/vrata.php
IP Location: Russian Federation - INTERA-AS Zhek-Universal Ltd
IP 194.79.250.24
[a4.vl3.ru]
AS48876
Name Server: free01.editdns.net           
Name Server: free02.editdns.net
Registrant ID: DOTCO89C783-20E5
Registrant/Registrant Email: domenic woalk/jselivan@googlemail.com
Code: [Select]
hxxp://jkhsdkfhaaahdhs.co/hysusjaxzhnujadj/unasyuwdhaz/nuaxshazyi.bin
md5sum ===> 63fde6a0e8e03b9f43d9ae6e8a7bbd72
Title: Re: New Zeus server
Post by: jackberri on October 04, 2010, 05:59:35 pm
IP 193.23.126.42
AS34229
Name Server: ns2.reg.ru             
Name Server: ns1.reg.ru
Registrant/Registrant Email: Anton Petushkov/antonpetushkov@yahoo.com
Code: [Select]
hxxp://sovtret.net/ukis1.so
md5sum ===> 7e2711b43418c936c5dc0e6c02519dd9
Code: [Select]
hxxp://sovtret.net/stats.php
Title: Re: New Zeus server
Post by: jackberri on October 05, 2010, 11:08:43 am
IP Location: Russian Federation - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.19
AS29106
Name Server: ns2.reg.ru             
Name Server: ns1.reg.ru
Registrant/Registrant Email: Anton Petushkov/antonpetushkov@yahoo.com
Code: [Select]
hxxp://tomsom10.com/un3.so
md5sum ===> c1fe9c021509d191478b25c873a0782a
Code: [Select]
hxxp://tomsom10.com/stats.php
Title: Re: New Zeus server
Post by: jackberri on October 06, 2010, 02:42:13 am
IP Location: Russian Federation - K2K-AS Contel 2000 Ltd
IP 193.27.232.60
AS43181
Name Server: ns1.dns-diy.net             
Name Server: ns2.dns-diy.net
Registrant/Registrant Email: Anata Yoi/admin@rtydas.com
Code: [Select]
hxxp://hasffert.com/zz/config.bin
md5sum ===> 403bde035f302d52dd67749f6378250a
Code: [Select]
hxxp://hasffert.com/zz/bot.exe
md5sum ===> f57801a602b3bc3dde5e80dc715741bb
http://www.virustotal.com/file-scan/report.html?id=64d0eaa12199fe6e315bb6db2b31ed272ef1aac441200104a48d17540445308a-1286330791
VT 24/42 (57.1%)
Code: [Select]
hxxp://hasffert.com/zz/gate.phprelated:
Code: [Select]
hxxp://xsoft.in/ztx.exemd5sum ===> 1f7bec4b6aabca1d40dacc09c2d63902
http://www.virustotal.com/file-scan/report.html?id=b3931ea42a0ef1bcd7920d32cdb922af4f7d3986f95b066163df64399acd4e16-1286332041 (http://www.virustotal.com/file-scan/report.html?id=b3931ea42a0ef1bcd7920d32cdb922af4f7d3986f95b066163df64399acd4e16-1286332041)
VT 9/40 (22.5%)
Code: [Select]
hxxp://188.65.74.163/vlx777_sdhgjklaogreah.exemd5sum ===> 8e6e7fff3ad500440c7725710b7b7d8f
http://www.virustotal.com/file-scan/report.html?id=1cf0f4baf67b8432feee4bf37a690b660af94924fc5812d1ba82a7263222704e-1286332449 (http://www.virustotal.com/file-scan/report.html?id=1cf0f4baf67b8432feee4bf37a690b660af94924fc5812d1ba82a7263222704e-1286332449)
VT 11/43 (25.6%)
(already listed):
Code: [Select]
hxxp://194.28.112.3/outlook.exemd5sum ===> b031bb5c89bf43382a4bed68043dbe6e
http://www.virustotal.com/file-scan/report.html?id=b0bfc8a7577cddb1175c2479588aab0aafba46b1fd3539355b5f0434af761deb-1286332564 (http://www.virustotal.com/file-scan/report.html?id=b0bfc8a7577cddb1175c2479588aab0aafba46b1fd3539355b5f0434af761deb-1286332564)
VT 9/43 (20.9%)
Title: Re: New Zeus server
Post by: jackberri on October 06, 2010, 10:19:47 am
IP Location: Russian Federation - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.19
AS29106
Name Server: ns2.reg.ru
Name Server: ns1.reg.ru
Registrant/Registrant Email: Anton Petushkov/antonpetushkov@yahoo.com
Code:
hxxp://init76al.com/un.so
md5sum ===> 1a35390c84df5bb33c0b072c3fe64cdc
Code:
hxxp://init76al.com/stats.php
Title: Re: New Zeus server
Post by: jackberri on October 06, 2010, 02:48:31 pm
IP Location: Russian Federation - K2K-NET
IP 193.27.232.57
AS43181
Name Server: ns2.dns-diy.net
Name Server: ns1.dns-diy.net
Registrant/Registrant Email: Joue Reade/admin@azcx.asia
Code:
hxxp://azcx.asia/zsx/new_order.doc
md5sum ===> 2c2757170ccd1b745803c4a7c32d4b2c
Code:
hxxp://azcx.asia/zsx/stargates.php
Title: Re: New Zeus server
Post by: jackberri on October 07, 2010, 04:06:46 am
IP Location: Russian Federation - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.19
AS29106
Name Server: ns2.reg.ru
Name Server: ns1.reg.ru
Registrant/Registrant Email: Anton Petushkov/antonpetushkov@yahoo.com
Code:
hxxp://intrusr10.com/un4.so
md5sum ===> c1fe9c021509d191478b25c873a0782a
Code:
hxxp://intrusr10.com/index.php
IP Location: Taiwan - KBT Koos Broadband Telecom
IP 61.63.60.123
[61-63-60-host123.kbtelecom.net.tw]
AS18042
Name Server: NS1.PERFORMANCERY.NET
Name Server: NS2.PERFORMANCERY.NET
Registrant ID: DI_12320649
Registrant/Registrant Email: Michel Erta/nunolorst@hotmail.com
Code:
hxxp://parande.in/ppnl3.bin
md5sum ===> e40e18d42ac41110cdb582b017966a5d
Code:
hxxp://parande.in/panel3/gotobank.php
related zeusbotnet malware:
Code:
hxxp://kdert.com/wmp/adq1.txt?t=0.8914227
md5sum ===> 66317cddbd9067766ccdb236ba0eaf30
http://www.virustotal.com/file-scan/report.html?id=20cd752f9c8a5888159bc546b943159c67d08d3f8d15feb81b54727be246eaf7-1286404683
VT 2/38 (5.3%)
Title: Re: New Zeus server
Post by: jackberri on October 08, 2010, 07:59:52 am
IP Location: Bulgaria - EKK CATV SOFIA - IBGC Eurocom Cable Management
IP 85.130.15.182
[85-130-15-182.1713979.ddns.cablebg.net]
AS13124
Name Server: NS1.PERFORMANCERY.NET
Name Server: NS2.PERFORMANCERY.NET
Registrant ID: DI_12320694
Registrant/Registrant Email: David Marshall/rosiaeconocko@hotmail.com
Code:
hxxp://parais.in/ppnl3.bin
md5sum ===> 4a1527977d52899d4144f39a2a0b2948
Code:
hxxp://parais.in/panel3/ppnl3.bin
md5sum ===> 44d981c6de5a5c0a76fbe72821575fdc4
Code:
hxxp://parais.in/panel3/ppnl3.exe
md5sum ===> 6029b85108a392bf6bc8feb87e704a3d
http://www.virustotal.com/file-scan/report.html?id=7a51a0328b5d193a1df7181e6388a7bfe096a5a656da44b34ac040bebd1fa079-1286523894
VT 4/43 (9.3%)
dropzone (already listed):
Code:
hxxp://b6blxpxxrvbamxk3fomit77hqew.net/panel3/gotobank.php
related:
Code:
hxxp://qsbj356jlkb24trhbj44dklasbkb.com/
Title: Re: New Zeus server
Post by: jackberri on October 08, 2010, 08:53:10 am
IP Location: Kazakhstan - AlfaHost LLP. Route Object - ALFAHOSTNET
IP 193.105.207.105
AS50793
Name Server: ns1.redinho.ru
Name Server: ns2.redinho.ru
Registrant/Registrant Email: Private Person/info@offshoreglobal.ru
Code:
hxxp://offshoreglobal.ru/moe/lolo.dll
md5sum ===> dbabbe68eaef9572366272dc8948b8f4
Code:
hxxp://offshoreglobal.ru/moe/lolo.exe
md5sum ===> 7fd31163fe7d29c61767437b2b1234cd
http://www.virustotal.com/file-scan/report.html?id=15866d5e787a06272d17d01f5df8c945e322e8e5ae8a9478ee4e21bb26a61bff-1286527808
VT 25/43 (58.1%)
Code:
offshoreglobal.ru/moe/lol.php
Title: Re: New Zeus server
Post by: jackberri on October 08, 2010, 07:22:32 pm
IP Location: Kazakhstan - ALFAHOSTNET Alfa-Host LLP
IP 193.105.207.130
AS50793
Name Server: ns1.nameself.com
Name Server: ns2.nameself.com
Code:
hxxp://aptitude.name/un5.so
md5sum ===> 08cc56147a0c1ca7e01542f527b3632a
Code:
hxxp://aptitude.name/unn5.exe
md5sum ===> d5add90ae1971bf18066055f3e06afdb
http://www.virustotal.com/file-scan/report.html?id=a177be668eb240fe77d038dc01edbed671cc4c3a78b8283c40cf2f156a224dc9-1286400700
VT 1/43 (2.3%)
dropzone (already listed):
Code:
aptitude.name/login.php
related:
Code:
hxxp://sunica.info/kill.exe
md5sum ===> 656ccf8bb6bc7e4b033773b7a9e4e511
http://www.virustotal.com/file-scan/report.html?id=d1f43e715e992a1d659f19c8281b84dd4b5ae563f5e448640cccf2818d830a9d-1286564966
VT 4/43 (9.3%)

IP Location: Italy - INTERBUSINESS
IP 88.46.244.18
[host18-244-static.46-88-b.business.telecomitalia.it]
AS3269
Name Server: ns1.skinxm.net
Name Server: ns2.skinxm.net
Registrant/Registrant Email: Nataliya Styazhina/olson@fastermail.ru
Code:
hxxp://widelid.com/x9000_z/jq.jpg
md5sum ===> 7d48e854da346a54f120e4481212d266
Title: Re: New Zeus server
Post by: jackberri on October 10, 2010, 04:48:56 pm
IP Location: Panama - CAPITAL-COM SC
IP 193.104.12.125
AS49829
Name Server: ns3.cnmsn.com
Name Server: ns4.cnmsn.com
Registrant/Registrant Email: Dalia Lis/admin@ultrazzz.com
Code:
hxxp://ultrazzz.com/uploads/z2.nrg
md5sum ===> d76e20c4720220b5faac80472301a3bc
Code:
hxxp://ultrazzz.com/stat/counter.php
IP Location: Ukraine - ORION-AS ORION ISP
IP 193.201.192.63
AS25052
Name Server: ns1.freewax.net
Name Server: ns2.freewax.net
Code:
hxxp://fewmoney.com/kolrew/01/qol.bin
md5sum ===> b034e197ea98d4cab1ccea2e4e5dd7b9
Code:
hxxp://fewmoney.com/kolrew/gatetok.php
IP Location: Bosnia - BA-GLOBALNET-AS
IP 77.78.239.62
AS42560
Code:
hxxp://trilolomo.cz.cc/sof/conf.cfg
md5sum ===> 44a6dd6459bdb9592b722a01ccc8ea59

related zeusbotnet malware:
Code:
hxxp://hotfile.com/dl/74070398/9e5f508/po.exe
hxxp://hotfile.com/dl/74280822/ba21a31/ppi1.exe
md5sum ===> 04b5115ee34ed05a76d951ab067fb398
http://www.virustotal.com/file-scan/report.html?id=d8c1b027255371b5ab8f9cf8731a06f9876afa2e5ed1301fe067d6d3a98f94bb-1286710548
VT 22/43 (51.2%)
Code:
hxxp://hotfile.com/dl/72536123/d5e8a1f/GoldenInstall11.exe
hxxp://hotfile.com/dl/72536142/6984375/GoldenInstall21.exe
md5sum ===> e952164ff30088ad78aa57569b4980ff
http://www.virustotal.com/file-scan/report.html?id=8aff53a3de5461888bf07cfd01c117bdfd4baaf355101c73d24f79fa9bff014b-1286711116
VT 36/43 (83.7%)

new files:

Code:
hxxp://193.201.192.82/~ms6/iwms6/cfg/eror.so
md5sum ===> bc81fc930e45c3c5f7c974a1bcf7819f
Title: Re: New Zeus server
Post by: jackberri on October 12, 2010, 11:28:26 am
IP Location: Russian Federation - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.17
AS29106
Name Server: ns2.reg.ru
Name Server: ns1.reg.ru
Registrant/Registrant Email: ANTON PETUShKOV/antonpetushkov@yahoo.com
Code:
hxxp://underddos.com/upp3.so
md5sum ===> 7a6b3c5ff83eba9b69bbc3571426e8aa
Code:
hxxp://underddos.com/login.php
related:
Code:
hxxp://x-trust.net/uk5.so
md5sum ===> 08cc56147a0c1ca7e01542f527b3632a
Code:
hxxp://x-trust.net/_loades_sd.exe
md5sum ===> 19283d1343ef0be90a317198585520c1
http://www.virustotal.com/file-scan/report.html?id=3cab860e5ab2c7dfac5f1bd656b0b31e58aa3d42cbdd67fdfbd0dc3591e68f4a-1286882478
VT 9/41 (22.0%)
Code:
hxxp://x-trust.net/crypt_20.exe
md5sum ===> 124960c4b1e002ac7725308e7912a64f
http://www.virustotal.com/file-scan/report.html?id=26ca928094211abe9f24a3d0c5fc35484782db8ec2b6c45e92bbf3ebdfe3db9e-1286882353
VT 7/42 (16.7%)
Code:
hxxp://www.sunica.info/kill.exe (already listed/new md5sum)
md5sum ===> 7781735f2a4a1fb4bab1cb48a0e8f0aa
http://www.virustotal.com/file-scan/report.html?id=12a9aee949e35fe32db37e28ca2e7fa4ae001bbf4750f524070642af9a389ec1-1286881672
VT 10/38 (26.3%)
Title: Re: New Zeus server
Post by: jackberri on October 13, 2010, 08:23:17 pm
IP Location: Bosnia - BA-GLOBALNET-AS
IP 193.27.232.34
AS43181
Name Server: ns1.cloudns.net
Name Server: ns3.cloudns.net
Registrant/Registrant Email: Nataliya Kondrateva/sag@verifiedbyverisigned.com
Code:
hxxp://verifiedbyverisigned.com/inLayerArchive/stayrich.dat
md5sum ===> 1f44965764bcbe0a4d3bf7a66a18acc7
Code:
hxxp://verisigntrustedservice.com/StatCounter/Tracker.php
IP Location: Russian Federation - KEYWEB-AS
IP 95.169.190.224
[ns.km35228.keymachine.de]
AS31103
Name Server: ns1.regway.com
Name Server: ns2.regway.com
Registrant/Registrant Email: Private Person/atx777@mail.ru
Code:
hxxp://imlady.ru/xtx.exe
md5sum ===> 1f6293987e29cd32138ff7fdfa6f5feb
http://www.virustotal.com/file-scan/report.html?id=c4d3e36f971ec5058bcb6c4bea1816ffc26e1ae1cd661d4773b7319641353a17-1286960483
VT 4/42 (9.5%)
Code:
hxxp://imlady.ru/atx.exe
md5sum ===> 0b3e906778334b5bec828c70715e665c
http://www.virustotal.com/file-scan/report.html?id=67a6b9e2271900a05481158f97196d039a77bf2a39b8e2c1a9610d3de8b532dd-1286960787
VT 9/40 (22.5%)

IP Location: Bosnia - BA-GLOBALNET-AS
IP 77.78.240.44
AS42560
Name Server: NS1.UKRNAMES.COM
Name Server: NS2.UKRNAMES.COM
Code:
hxxp://versusvianext.net/versustwo/in/cfg2.bin
Code:
hxxp://versusvianext.net/versustwo/in/agate.php
Code:
hxxp://195.189.226.107/news/?s=5964
Title: Re: New Zeus server
Post by: jackberri on October 14, 2010, 07:56:56 am
IP Location: Russian Federation - ENCORE-NET
IP  91.216.215.195
AS51274
Name Server: ns1.promodns.ru
Name Server: ns2.promodns.ru
Registrant/Registrant Email: Private Person/info@truststats.ru
Code:
hxxp://samsungstart.ru/cfg/23ddssamsungstart.jpg
md5sum ===> 45174c8ef09c17be50503d0479b28ce5
Code:
hxxp://samsungstart.ru/upload/update.exe
md5sum ===> a94d8d952e071d5897fa6ef1539c6e59
http://www.virustotal.com/file-scan/report.html?id=e521d9d4610d90067b50df211240e0c72bbecf266bfa9dd29f999f28e6030493-1287006151
VT 5/42 (11.9%)
Code:
hxxp://samsungstart.ru/more/contact.php
Title: Re: New Zeus server
Post by: jackberri on October 14, 2010, 08:36:38 am
IP Location: Ukraine - YaltaInfo ISP
AS34528
Code:
hxxp://193.41.38.54/admuser.bin
md5sum ===> 362f44df584ac498629e3f243e93bca8
Code:
hxxp://193.104.153.101/admminner.exe
md5sum ===> 8a76bafac951306fe36905b88c60769e
http://www.virustotal.com/file-scan/report.html?id=bd1f65c138e0f90c4cc298af00871f6c11650a36423dac2a63f3c3c0edce90f6-1287044997
VT 18/41 (43.9%)
Code:
hxxp://193.41.38.55/admoutput.php
Title: Re: New Zeus server
Post by: crunchtime on October 14, 2010, 04:19:19 pm
hxxp://globalexstream.com/global/real.bin
Title: Re: New Zeus server
Post by: jackberri on October 15, 2010, 08:19:42 am
IP Location: Russian Federation - VLine Telecom Block - VLTELECOM-AS
IP  109.196.134.40
AS39150
Name Server: NS1.DNS-DIY.NET
Name Server: NS2.DNS-DIY.NET
Registrant ID: K35-n201926_01
Registrant/Registrant Email: Natali Gill/admin@timeupdate.asia
Code:
hxxp://timeupdate.asia/t1me/timecfg2.bin
md5sum ===> d5cbf82c002531ef070798a1df338b50
Code:
hxxp://timeupdate.asia/t1me/timeupdate2.exe
md5sum ===> d9bf54baa1fa0c31d030642e5dd85708
http://www.virustotal.com/file-scan/report.html?id=ce7d33a616587bd668446272aa197034b854c6753b9ee708ce470936e3286579-1287130556
VT 25/43 (58.1%)
Code:
hxxp://timeupdate.asia/t1me/gat3.php
Title: Re: New Zeus server
Post by: jackberri on October 15, 2010, 05:01:15 pm
IP Location: Russian Federation - VLine Telecom Block - VLTELECOM-AS
IP  109.196.130.58
AS39150
Name Server: ns1.vsvsn21221.net
Name Server: ns2.vsvsn21221.net
Registrant/Registrant Email: ChangSo/changso@yahoo.com
Code:
hxxp://vsvsn21221.net/url/c2.bin
md5sum ===> 6d738f4ff7ce146e2cfa224bf4e5711d

IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.17
AS29106
Name Server: ns2.reg.ru
Name Server: ns1.reg.ru
Registrant/Registrant Email: ANTON PETUShKOV/antonpetushkov@yahoo.com
Code:
hxxp://alfahitrate10.com/ca23.so
md5sum ===> 90fe82013727cb8f88d67447ceb6c158
Code:
hxxp://alfahitrate10.com/login.php
IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.19
AS29106
Name Server: ns2.reg.ru
Name Server: ns1.reg.ru
Registrant/Registrant Email: ANTON PETUShKOV/antonpetushkov@yahoo.com
Code:
hxxp://mast99d.com/upp7.so
md5sum ===> c23867e3f0f522f28fb0e4d7a994e8ca
Code:
hxxp://mast99d.com/login.php
related zeusbotnet malware:
Code:
hxxp://doggerman.com/b1/controller.php?action=bot&entity_list=&uid=UXXXX&first=1&guid=2293361022&v=15&rnd=1231253
Title: Re: New Zeus server
Post by: jackberri on October 15, 2010, 09:53:59 pm
IP Location: Russian Federation - INTERA NET - INTERA-AS Takomi Ltd
IP  194.79.250.24
[a4.vl3.ru]
AS48876
Name Server: FREE01.EDITDNS.NET
Name Server: FREE02.EDITDNS.NET
Registrant/Registrant Email: domen/hostmaster@uk2.net
Code:
hxxp://securityjobroberry.com/4cd6f256037165e08efe9fadba487d1d/165e08e.bin
md5sum ===> 523817ef7f729790841ee7365961a83a
Code:
hxxp://securityjobroberry.com/30a1fe79d84e6032f268dfe1ed3d8337/5e1db481d2ce7d1d561e2879009c83e0.php
IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.17
AS29106
Name Server: ns2.reg.ru
Name Server: ns1.reg.ru
Registrant/Registrant Email: ANTON PETUShKOV/antonpetushkov@yahoo.com
Code:
hxxp://0cccanad.com/ca13.so
md5sum ===> e10652b44b267a6c685da9f371735e74
Code:
hxxp://0cccanad.com/index.php
Code:
hxxp://azuregroup.ru/isp/gujoh.php
Title: Re: New Zeus server
Post by: jackberri on October 17, 2010, 08:50:04 am
IP Location: FastFlux botnet
IP 193.201.192.67
Code:
hxxp://klizmo4ka2.co.cc/1/jaba.bin
md5sum ===> e25c880cf8e180b8fa1266753dd10da5
Code:
hxxp://klizmo4ka1.co.cc/rty.php
other stuff:
Code:
hxxp://klizmo4ka1.co.cc/1/

related ZeuS/LICAT malware:
IP Location: Paraguay - donstroy-route-1 - ZeroHost SIA "RELIKTS BVK"
AS29557
Code:
hxxp://194.8.251.170/i/i.dat
md5sum ===> e25c880cf8e180b8fa1266753dd10da5
http://www.virustotal.com/file-scan/report.html?id=4caa00d4a923f3b863f5f205f89e6a1a3a1e12e71fbdf429b34edcb2bbb44897-1287302171
VT 0/43 (0.0%)
http://camas.comodo.com/cgi-bin/submit?file=4caa00d4a923f3b863f5f205f89e6a1a3a1e12e71fbdf429b34edcb2bbb44897
Title: Re: New Zeus server
Post by: jackberri on October 18, 2010, 09:33:07 am
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP  91.213.174.19
AS29106
Name Server: ns2.reg.ru
Name Server: ns1.reg.ru
Registrant/Registrant Email: ANTON PETUShKOV/antonpetushkov@yahoo.com
Code:
hxxp://mumi0.com/upp8.so
md5sum ===> 87876e4a653ae917dc4fb9d50239ab06
Code:
hxxp://mumi0.com/n.php
IP Location: Russian Federation - K2K-NET - K2K-AS
IP 193.27.232.42
AS43181
Name Server: ns3.01isp.com
Name Server: ns4.01isp.net
Registrant/Registrant Email: Laven Micrist/admin@yyxxqsqjyqneurfgtwjjpknfw.com
Code:
hxxp://yyxxqsqjyqneurfgtwjjpknfw.com/yxxq907070rrt/yxxqcfg087084e/yxxqcfgbin8u4r.bin
md5sum ===> 91c0d3ded119ee1452cd8c16d4d5b22c
Code:
hxxp://yyxxqsqjyqneurfgtwjjpknfw.com/yxxq907070rrt/yxxqgatefioenoie80949hf.php
IP Location: Kazakhstan - AlfaHost LLP. Route Object - ALFAHOSTNET Alfa-Host LLP.
IP 193.105.207.104
AS50793
Name Server: ns1.inkognittto.ru
Name Server: ns2.inkognittto.ru
Registrant/Registrant Email: Private Person/domain@inkognittto.ru
Code:
hxxp://monitod.ru/123/killexe.exe
md5sum ===> e9e53628628619b8fe02d248815344ef
http://www.virustotal.com/file-scan/report.html?id=708e81a4b8c22f9e37c97e20941511058e099075c1e82221fb7a9a4784fd0c2e-1287356920
VT 35/42 (83.3%)
related (already listed):
Code:
hxxp://doubletest4411.com/2x/b2/cfg_dtes2.bin
md5sum ===> e63eb206bedcd6f5a7ad2e71c8fddd73
Code:
hxxp://doubletest4411.com/2x/e.php

IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.7
AS29106
Name Server: ns1.inkognittto.ru
Name Server: ns2.inkognittto.ru
Registrant/Registrant Email: ANTON PETUShKOV/antonpetushkov@yahoo.com
Code:
hxxp://0luxdan.com/ukmy1.so
md5sum ===> 7d0859198c42f3289beb2e823d60e6c5

related zeusbotnet malware:
Code:
hxxp://83.133.122.54/r.php?type=0
Code:
hxxp://videomoneyblog.com/install110.exe
md5sum ===> 9d5fd3f52eda1ee5975e4d0f6d8b3de7
http://www.virustotal.com/file-scan/report.html?id=06598c638f8ee1af3493d9d4de3c217388f1d111df7c3f8d78375b390537e2de-1287344637
VT 18/42 (42.9%)
Title: Re: New Zeus server
Post by: jackberri on October 18, 2010, 03:43:35 pm
IP Location: Russian Federation - RTCOMM-RU -RTCOMM-AS
IP  81.176.236.109
AS8342
Name Server: free01.editdns.net
Name Server: free02.editdns.net
Created: 2010-09-30
Registrant/Registrant Email: Hilary Kneber/hilarykneber@yahoo.com
Code:
hxxp://lernundsnej.com/a/k.exe
md5sum ===> 7f1122d5af4d89ecbd09b5f09947a640
http://www.virustotal.com/file-scan/report.html?id=e039dd28cdf41139e9b4a9ff1f87a7d10331d1f4e87778685eab896833287674-1287416231
VT 18/43 (41.9%)
related (already listed):
Code:
hxxp://hguituih5h.com/vh65/bhkfs.bin
hxxp://hguituih5h.com/vh65/mas.exe
hxxp://hguituih5h.com/ms.php

IP Location: Russian Federation - RTCOMM-RU -RTCOMM-AS
IP 81.176.236.109
AS8342
Name Server: free01.editdns.net
Name Server: free02.editdns.net
Created: 2010-09-30
Registrant/Registrant Email: Hilary Kneber/hilarykneber@yahoo.com
Code:
hxxp://wekemenal.com/b/n.exe
md5sum ===> 1cda45ef94c058fedf36a0e9b95cafa8
http://www.virustotal.com/file-scan/report.html?id=5193892e14584120d45a601fae825e7cfce3a8a4c01d08dabd6869a0a510eb80-1287416247
VT 2/43 (4.7%)
related (already listed):
Code:
hxxp://hguituih5h.com/vh65/bhkfs.bin
Title: Re: New Zeus server
Post by: jackberri on October 19, 2010, 08:14:28 am
IP Location: India - Reliance Communications -RIL-IDC RELIANCE INFOCOMM
IP  115.248.175.2
AS18101
Name Server: ns1.kanabios.net
Name Server: ns2.kanabios.net
Registrant/Registrant Email: Galina Kuznetsova/plod@ca4.ru
Code:
hxxp://schastlivieiveselierebyta0001.com/xed/config.bin
hxxp://schastlivieiveselierebyta0001.com/xed/recover.bin
md5sum ===> ddfd80fd639d7395a5856e9909c3c28b
Code:
hxxp://schastlivieiveselierebyta0001.com/xed/yourbot.exe
md5sum ===> c66969874b5acc574743637e429b23b4
http://www.virustotal.com/file-scan/report.html?id=33eb81481ce793b1f3c8d8b9eea4f5ae90d05653124cf55ba1011cba4e04fdfd-1287475673
VT 4/42 (9.5%)
Code:
hxxp://schastlivieiveselierebyta0001.com/xed/gate.php
related:
IP Location: United States - WEBAIR Internet Development INC
IP 209.200.17.226
AS27257
Name Server: ns.webair.net
Name Server: ns2.webair.net
Registrant/Registrant Email: WhoisGuard Protected/e90b34c434d7491bbc3c0f994a918ba0.protect@whoisguard.com
Code:
hxxp://orgasmicpics.com/bn/release/pl1.exe
md5sum ===> 7399a818958d0f1d48aa29ee778670d2
http://www.virustotal.com/file-scan/report.html?id=3b0c8ee2da0012d5efda2b615b56e32f507f08e01c988020e9667157d5d0341b-1287470862
VT 16/43 (37.2%)
Code:
hxxp://orgasmicpics.com/bn/release/pl2.exe
md5sum ===> 029f1aa2c32b298ae3eeb9a4c44c6c2d
http://www.virustotal.com/file-scan/report.html?id=d2e18ddcfe36e106f4b1d55dfaebaa1ede1c736edde8d5187b2bee279f8257b2-1287471175
VT 37/43 (86.0%)
Code:
hxxp://orgasmicpics.com/bn/release/pl3.exe
hxxp://orgasmicpics.com/bn/release/pl4.exe
md5sum ===> a181236a31843b11117b9517c3834a09
http://www.virustotal.com/file-scan/report.html?id=eca36e03d90c71ad0d0f3a9b2ca2496ccc773dbcf5b73ac298c1100812122793-1287471363
VT 0/43 (0.0%)
Title: Re: New Zeus server
Post by: jackberri on October 19, 2010, 04:18:47 pm
IP Location: Latvia - ALTNET - ALTNET-LV DG Holding SIA
IP  195.3.145.174
AS41390
Name Server: dc2.nserver.ru
Name Server: dc1.nserver.ru
Registrant/Registrant Email: Wendell Bijvoet/bijvoet@live.com
Code:
hxxp://zsbiz.net/php/cfg001.bin
md5sum ===> 5d3e7b59cac8645035bc8c46606a2353
Code:
hxxp://zsbiz.net/php/cfg002.bin
md5sum ===> 2e69266a93190c7839f84f2423054d08
Code:
hxxp://zsbiz.net/php/cfg003.bin
md5sum ===> 7b96fa1393a43ecdbeefb9e7508c4330
Code:
hxxp://zsbiz.net/php/001.exe
md5sum ===> 6f4e9f53fa386e05bf8d524b5a347dbd
http://www.virustotal.com/file-scan/report.html?id=c6f2189650618bc122e1d6cec9daf3439bbfa156136e08878e7226a8f1c7f5a8-1287429523
VT 5/43 (11.6%)
Code:
hxxp://zsbiz.net/php/002.exe
md5sum ===> 91059d31e2bfef0906879a02c60b2216
http://www.virustotal.com/file-scan/report.html?id=69cadca1b6c1915a7e9e262d63ce3da5586090b2ea954beb2d424c247c2acfaf-1287431486
VT 6/43 (14.0%)
Code:
hxxp://zsbiz.net/php/003.exe
md5sum ===> c32cff9d3c864ac2ecb9d26e1c3818f2
http://www.virustotal.com/file-scan/report.html?id=cc5a17c5793f01fec957d9b1a93221aebe0a5de68cba541a68e2ea7c357c6410-1287429670
VT 4/42 (9.5%)
Code:
hxxp://zsbiz.net/php/gate.php
Title: Re: New Zeus server
Post by: jackberri on October 19, 2010, 05:30:32 pm
IP Location: Russian Federation - Encore Ltd. Route Object -ENCORE-NET
IP  91.216.215.195
AS51274
Name Server: NS1.DOMAINSERVICE.COM
Name Server: NS2.DOMAINSERVICE.COM
Registrant/Registrant Email: Marshall Morgan/webmaster@bewilderedbord.com
Code:
hxxp://smartrendfree.net/cfg/9ladsmartrendfree.jpg
md5sum ===> c0926d854b3938a39d135cde75420c2e
Code:
hxxp://smartrendfree.net/upload/windows.exe
md5sum ===> 3c72b776bad7572e15547ede94c4294a
http://www.virustotal.com/file-scan/report.html?id=a549a0386ec2e8c0a8c6416adbce9dc60f9f91b7cf43ed4a1302b1e0dcd8210b-1287506227
VT 1/43 (2.3%)
Code:
hxxp://smartrendfree.net/more/contacts.php
Title: Re: New Zeus server
Post by: jackberri on October 20, 2010, 06:39:53 am
IP Location: China - China Telecom JiangXi province -CHINA-TELECOM
IP  59.53.91.124
AS4134
Name Server: ns1.bubbleseao.com
Name Server: ns2.bubbleseao.com
Registrant/Registrant Email: Pavel Bubnov/wars@bigmailbox.ru
Code:
hxxp://bubbleseao.com/eso/esa.sp
md5sum ===> fb874e254894b8b6ffeb65edce8f8c6b
Code:
hxxp://bubbleseao.com/eso/isp.exe
md5sum ===> 9535f78b5ba69d2d5724d6aea12bf9f4
http://www.virustotal.com/file-scan/report.html?id=cd701bc5ad3c41b857a6da66fcffc864955b6fca4656e2181bf9fff9c8980312-1287538272
VT 29/43 (67.4%)
Title: Re: New Zeus server
Post by: jackberri on October 20, 2010, 02:23:26 pm
IP Location: Russian Federation - OJSC Sibsvyaz - ZAOPROXY-AS OJSC Public Corporation Sibsvyaz
IP  77.238.126.242
AS39482
Name Server: ns1.spacemybonus.com
Name Server: ns2.spacemybonus.com
Registrant/Registrant Email: Michele Smith/MicheleKSmith@ymail.com
Code:
hxxp://euutywetwi.com/bestwork/prime.img
md5sum ===> 8207f23b4fdbba293bdbafe86bce5336
Code:
hxxp://euutywetwi.com/bestwork/paradise.php
Title: Re: New Zeus server
Post by: jackberri on October 20, 2010, 06:28:51 pm
IP Location: United States - ThePlanet.com Internet Services, Inc. - THEPLANET-AS2
IP  174.122.116.196
AS21844
Name Server: ns1.simplerom.net
Name Server: ns2.simplerom.net
Registrant/Registrant Email: Igor Nikenin/i-nikitin.2000@gmail.com
Code:
hxxp://parmspss.net/ppnl3.bin
md5sum ===> 5b7ef566aa761e8425f29fb7ee262c73
Code:
hxxp://parmspss.net/panel3/ppnl3.bin
md5sum ===> 6544f36201584cd376fffcf9bdf150c6
Code:
hxxp://parmspss.net/panel3/ppnl3.exe
md5sum ===> ad7d42a365ad95f3e300754de302c64d
http://www.virustotal.com/file-scan/report.html?id=09db33e9fc242bb9ea186bfae6b72bc53245069fc2de7849f292a8d30241db60-1287598505
VT 8/43 (18.6%)
Code:
hxxp://b6blxpxxrv8bamxk3fomit77hqew.net/panel3/gotobank.php
related:
Code:
dzenhottoo.cc
euutywetwi.com
iejtuqutqe.com
Title: Re: New Zeus server
Post by: jackberri on October 21, 2010, 03:55:44 pm
IP Location: Russian Federation - K2K-NET - K2K-AS Contel 2000 Ltd.
IP  193.27.232.43
AS43181
ns1.klarrrq.ru
ns2.klarrrq.ru
Registrant/Email Registrant: Private Person/admin@nvffr.ru
Code:
hxxp://klarrrq.ru/g.bin
md5sum ===> 5c8d32abc910152476a842ae116fc9c7
Code:
hxxp://klarrrq.ru/a.php
Title: Re: New Zeus server
Post by: jackberri on October 22, 2010, 09:55:28 am
IP Location: Kazakhstan - AlfaHost LLP. Route Object - ALFAHOSTNET
IP  193.105.207.120
AS50793
ns1.semeroumok.ru
ns2.semeroumok.ru
Registrant/Email Registrant: Private Person/dns@semeroumok.ru
Code:
hxxp://fireshow777.ru/show/dns/dns.gif
md5sum ===> 51a43bb2d2906ab9ef72a632c16c591a
Code:
hxxp://fireshow777.ru/show/dns/svchost.exe
md5sum ===> b112f4bc3450ae1ca0a3bc9194ec4b77
http://www.virustotal.com/file-scan/report.html?id=0d5038afd615eb48eb663e83a096a411013beaf1cada9dec7a6e828de2dc826e-1287740639
VT 3/43 (7.0%)
Code:
hxxp://fireshow777.ru/show/dns/images.php
Title: Re: New Zeus server
Post by: jackberri on October 23, 2010, 08:31:51 am
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP  91.213.174.6
AS29106
NS1.NAMESELF.COM
NS2.NAMESELF.COM
Registrant ID: CO778176-RT
Registrant/Email Registrant: Anton S Petuchkov/antonpetushkov@yahoo.com
Code:
hxxp://etopizdec0.info/pzdc1.so
md5sum ===> 2984e22c0ae2daacd714ea56fa95ba88
Code:
hxxp://etopizdec0.info/mail.php
related:
Code:
hxxp://sunica.info/crypted.exe
md5sum ===> 6b2026a95b27c15ee7c72ca86cc9e9ba
http://www.virustotal.com/file-scan/report.html?id=818131e374649f977697accadde06b4512d2130020c8500f7af961c0b0ab6957-1287822115
VT 18/43 (41.9%)
Title: Re: New Zeus server
Post by: jackberri on October 23, 2010, 09:55:51 am
IP Location: China - China Telecom
IP  59.53.91.124
AS4134
ns1.silvecoolg.com
ns2.silvecoolg.com
Registrant/Email Registrant: Elena Gavrilova/rex@maillife.ru
Code:
hxxp://silvecoolg.com/ptz/por.tu
md5sum ===> 3e5fc2051ba81ee4bf8385cae032f009
Code:
hxxp://silvecoolg.com/ptz/ptg.exe
md5sum ===> 8820d159ae7402f9bd5f5f669fce85e3
http://www.virustotal.com/file-scan/report.html?id=f058cc4d745dcb845f331511c6c10124acb92554f35cca54522d15fb115095e1-1287825038
VT 36/43 (83.7%)
dropzone (already listed):
Code:
hxxp://flipharborj.com/prt/jkkoz.php
IP Location: Russian Federation - VLine Telecom Block - VLTELECOM-AS
IP 109.196.130.58
AS39150
ns1.1vsvsn21221.net
ns2.1vsvsn21221.net
Registrant/Email Registrant: Chang So/changso@yahoo.com
Code:
hxxp://1vsvsn21221.net/urla/c2.bin
md5sum ===> 5110afafc90abb39b96a5b2d7d34548e
Title: Re: New Zeus server
Post by: jackberri on October 24, 2010, 07:15:19 pm
IP Location: Kazakhstan - ALFAHOSTNET
IP 193.105.207.125
AS50793
NS1.DOMAINSERVICE.COM
NS2.DOMAINSERVICE.COM
Registrant/Email Registrant: Marshall Morgan/webmaster@bewilderedbord.com
Code:
hxxp://freemysmartrend.net/cfg/9asdfreemysmartrend.jpg
md5sum ===> 3d4689cc39c2d8e7fecb78775f474955
Code:
hxxp://freemysmartrend.net/upload/update.exe
md5sum ===> 8c66ecc985ec66c1a2b51c97d4ea169e
http://www.virustotal.com/file-scan/report.html?id=b3a1ef8897c43df428aa3bb01da0a05f0825d35a9c28b8555c53189f65132c9c-1287947459
VT 4/43 (9.3%)
Code:
hxxp://freemysmartrend.net/more/contacts.php
Title: Re: New Zeus server
Post by: jackberri on October 24, 2010, 10:22:12 pm
IP Location: China - China Telecom jiangsu Province
IP 218.93.248.112
AS4134
ns1.freedns.ws
ns2.freedns.ws
Registrant ID: IVB514I-RU
Registrant/Email Registrant: Vladimir V Silianov/frogs@bigmailbox.ru
Code:
hxxp://vertierogovq.net/dee/ger.ma
md5sum ===> df59d545ce173f270cae7801b73cb8ee
Code:
hxxp://vertierogovq.net/dee/dee.exe
md5sum ===> db5c0b4841548e34cc83e2f7535bd0b3
http://www.virustotal.com/file-scan/report.html?id=e1c5b643e2e4cbd49f1b921a63f8d5a3add1c6a76bd467ede8049a8d2baffa66-1287958751
VT 33/42 (78.6%)
Title: Re: New Zeus server
Post by: jackberri on October 25, 2010, 01:27:22 pm
IP Location: Netherlands - NL PA route - Verizon Business EMEA
IP 193.67.17.58
AS702
ns1.undertrack.net
ns1.undertrack.net
Registrant ID: IVB514I-RU
Registrant/Email Registrant: Registration Service Provided By: Register.com/nsrm@register.com
Code:
hxxp://aple-juice-sok.com/conf_uk01.bin
md5sum ===> c4ba98f91aecb175ede4b92e826c2923
Code:
hxxp://aple-juice-sok.com/UK01.exe
md5sum ===> 9c959e271d1c27b77be5751bdf7d1d9e
http://www.virustotal.com/file-scan/report.html?id=1165c3cdea3d7916cfbea6a1c575bb6db69026fb370aaf1cbddfb8cc0df9f055-1288012802
VT 22/43 (51.2%)
Code:
hxxp://aple-juice-sok.com/EUADM/gotobot.php
Title: Re: New Zeus server
Post by: jackberri on October 26, 2010, 07:54:09 pm
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.6
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Anton S Petuchkov/antonpetushkov@yahoo.com
Code:
hxxp://under-atack.com/pzdc2.so
md5sum ===> c0eba270a8bb796feeea1fedb765e825
Code:
hxxp://under-atack.com/mail.php
Title: Re: New Zeus server
Post by: jackberri on October 27, 2010, 02:08:17 pm
IP Location: United Kingdom - Positive Infrastructure - POSITIVE-INTERNET-UK-AS
IP 80.87.143.6
[truth-php5.positive-internet.com]
AS21260
ns1.positive-internet.com
ns0.positive-internet.com
Registrant/Email Registrant: Highmore, Martin/Martin.Highmore@act365.com
Code:
hxxp://act365.com/cricket/archive/old.exe
md5sum ===> 11664151c739847f68b15ca767e1ebbb
http://www.virustotal.com/file-scan/report.html?id=25fdb97692eb9cc10a1489f19cf7461e12d6b88171ef66827a01441ad0cf4914-1288188080
VT 27/43 (62.8%)
related (already listed):
Code:
hxxp://seowindow.net/x8000_b/ht.jpg
Trojan Hiloti:
Code:
hxxp://act365.com/cricket/archive/setup.exe
md5sum ===> 4fa1afc36d75249a293b2783391b70a0
http://www.virustotal.com/file-scan/report.html?id=cb3b4f23b0a086d32c0c4cbfc98e1c99c8c837d4411fa7f23af9adc1fc6475d4-1288188088
VT 29/43 (67.4%)
Title: Re: New Zeus server
Post by: jackberri on October 27, 2010, 04:16:22 pm
IP Location: Hungary - UPC UPC Magyarorszag Kft. - UPC Broadband
IP 80.98.199.41
[catv-80-98-199-41.catv.broadband.hu]
AS6830
ns1.liokichi.net
ns2.liokichi.net
Registrant/Email Registrant: Galina Kuznetsova/hip@freenetbox.ru
Code:
hxxp://gopheisstoo.cc/22oct_ic3.cpm
md5sum ===> 7ba1404b1ce9cd017211281bd9a495a2
Code:
hxxp://gopheisstoo.cc/22oct_ic3.exe
md5sum ===> 6bda82c3e49fe8d260bd638cea74430e
http://www.virustotal.com/file-scan/report.html?id=93ec9fae32edce8d9c516cc52bae365f7a50fc6450138847fde6d0cfab4d0ac9-1288195747
VT 2/43 (4.7%)

IP Location: Israel - 013 Netvision Network - NV-ASN 013 NetVision Ltd.
IP 80.98.199.41
[85.65.139.69.dynamic.barak-online.net]
AS1680
ns1.liokichi.net
ns2.liokichi.net
Registrant/Email Registrant: Dmitrij Kolobanov/pains@5mx.ru
Code:
hxxp://gophottoo.cc/22oct_ic3.cpm
md5sum ===> 7ba1404b1ce9cd017211281bd9a495a2
Code:
hxxp://gophottoo.cc/22oct_ic3.exe
md5sum ===> 6bda82c3e49fe8d260bd638cea74430e
http://www.virustotal.com/file-scan/report.html?id=93ec9fae32edce8d9c516cc52bae365f7a50fc6450138847fde6d0cfab4d0ac9-1288195747
VT 2/43 (4.7%)
Title: Re: New Zeus server
Post by: jackberri on October 27, 2010, 07:02:27 pm
IP Location: Kazakhstan - AlfaHost LLP. Route Object - ALFAHOSTNET
IP 193.105.207.125
AS50793
ns1.domainservice.com
ns2.domainservice.com
Registrant/Email Registrant: Marshall Morgan/webmaster@bewilderedbord.com
Code:
hxxp://desertadaria.com/cfg/001desertadaria.jpg
md5sum ===> e217010b09a9d47de76a3deed4920353
Code:
hxxp://desertadaria.com/upload/update.exe
md5sum ===> 01fc9ae5bb175fb6e5178ec63bdb8a99
http://www.virustotal.com/file-scan/report.html?id=2c96c8e331f4e07fbab833d821e9a820b530d288cae0de5f6655e1bf32f14a21-1288205549
VT 0/43 (0.0%)
Code:
hxxp://desertadaria.com/more/contacts.php
other domains on the same IP:
Code:
aboutlook.net
freemysmartrend.net
officialshow.net
tanlineranch.com
tanworldindia.com
Title: Re: New Zeus server
Post by: jackberri on October 28, 2010, 03:07:31 pm
IP Location: Kazakhstan - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.6
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Anton S Petuchkov/antonpetushkov@yahoo.com
Code:
hxxp://lon0park.com/pzdc3.so
md5sum ===> e217010b09a9d47de76a3deed4920353
Code:
hxxp://lon0park.com/mail.php
IP Location: Russian Federation - RUSONYX-RU - RUSONYX-AS
IP 89.253.240.229
AS41535
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Krasnov Roman/romankrasnov@yahoo.com
Code:
hxxp://nokiaadapters.com/fonts/gothicbi.ttf
md5sum ===> 2894a999053ac4f517f2c207753b4ee3
Code:
hxxp://jscmsdev.com/view.php
Title: Re: New Zeus server
Post by: jackberri on October 28, 2010, 06:27:44 pm
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.6
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Anton S Petuchkov/antonpetushkov@yahoo.com
Code:
hxxp://cagohome.com/a2.so
md5sum ===> e217010b09a9d47de76a3deed4920353
Code:
hxxp://cagohome.com/index.php
IP Location: Bosnia and Herzegovina - BA-GLOBALNET-AS
IP 77.78.240.83
AS42560
ns1.everydns.net
ns2.everydns.net
Registrant/Email Registrant: VenTya Tya/ventya@yahoo.com
Code:
hxxp://dortmundgoesbest.com/sajdhwkqej.exe
md5sum ===> 8572f6511376bf531475ab9f23d6161d
http://www.virustotal.com/file-scan/report.html?id=5100baf1c8189f979f25cf0c0c5f764882689e94884aeb09280fb55d1bc7e6fc-1288281981
VT 18/43 (41.9%)
related (already listed):
Code:
hxxp://hguituih5h.com/vh65/h79on.bin
IP Location: Russian Federation - K2K-NET - K2K-AS Contel 2000 Ltd.
IP 193.27.232.122
AS43181
ns31.domaincontrol.com
ns32.domaincontrol.com
Domain ID: D34928105-LRMS
Registrant ID: CR64076840
Registrant/Email Registrant: Brian Readman/brianreadm@yahoo.co.uk
Code:
hxxp://digitalimageprints.info/usa.bin
md5sum ===> a4f566eb19d29e0e71c1ac766aee11e6
Code:
hxxp://digitalimageprints.info/redir.php
Title: Re: New Zeus server
Post by: jackberri on October 29, 2010, 07:20:58 pm
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.6
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Andrey Aleksandrovich Polev/o00o.code@gmail.com
Code:
hxxp://3color3.com/777u1.so
md5sum ===> 8590168002d935a2ab1abae96cec8a89
Code:
hxxp://3color3.com/i.php
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.6
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Anton S Petuchkov/antonpetushkov@yahoo.com
Code:
hxxp://opiumaslt.com/paf3.so
md5sum ===> 464ac77804692d7d2e436cc96f0fa727
Code:
hxxp://opiumaslt.com/stats.php
Title: Re: New Zeus server
Post by: jackberri on October 30, 2010, 06:10:01 pm
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.6
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Andrey Aleksandrovich Polev/o00o.code@gmail.com
Code:
hxxp://jankult.com/777u2.so
md5sum ===> ae67072611b3580296d3ba8cde2c0842
Code:
hxxp://jankult.com/i.php
related:
Code:
hxxp://193.105.207.130/ee.exe
md5sum ===> 11b8213d293a9e28d280079253a90429
http://www.virustotal.com/file-scan/report.html?id=e9499282a7849096f82e1887e79bd022ce031eff03851e00e0e8c6b6944ae00f-1288461701
VT 5/43 (11.6%)
Title: Re: New Zeus server
Post by: jackberri on October 31, 2010, 09:34:06 am
Code:
hxxp://qazino.ru/garena/garena.ini
md5sum ===> 3f5f4d4e0d6324a3dc3b0d88865613e1
Code:
hxxp://qazino.ru/garena/webgate/webstat.php
Title: Re: New Zeus server
Post by: jackberri on November 01, 2010, 06:51:00 am
IP Location: Russian Federation - K2K-NET Route Object - K2K-AS
IP 193.27.232.122
AS43181
ns53.domaincontrol.com
ns54.domaincontrol.com
Registrant ID:CR64076829
Registrant/Email Registrant: Brian Readman/brianreadm@yahoo.co.uk
Code:
hxxp://digitalimageprintsite.info/usa.bin
md5sum ===> b8fb9d9d8db7e6e78b57563610d826a1
Code:
hxxp://digitalimageprintsite.info/usab.exe
md5sum ===> 19ed8b4b7381e1002a97b55dacf56524
http://www.virustotal.com/file-scan/report.html?id=a08e054f01ba93e9ff5de47bfb14cde20d61776e06b086d11d7c32447641c059-1288592752
VT 12/43 (27.9%)
Code:
hxxp://digitalimageprintsite.info/redir.php
Code:
hxxp://digitalimageprintonline.info/usa.bin
md5sum ===> fd14cbc705bb906591131ba76dbd3461
Code:
hxxp://digitalimageprintonline.info/usab.exe
md5sum ===> 4aafb3b1b3f64edc9acba59ff30ba4e6
http://www.virustotal.com/file-scan/report.html?id=b7ba2043d27de982dfeda6f41a921179e8dffd468f0df3b200f2fc7d2b213bc1-1288593890
VT 27/41 (65.9%)
Code:
hxxp://digitalimageprintonline.info/redir.php
Title: Re: New Zeus server
Post by: jackberri on November 01, 2010, 07:48:05 pm
IP Location: United States - COLOAT Colo@ Network Opperations Center
IP 98.142.220.136
AS46562
ns1.undertrack.net
ns2.undertrack.net
Registrant/Email Registrant: David Formenti/frutis32@gmail.com
Code:
hxxp://barabashechka-it.com/conf_uk01.bin
md5sum ===> 0b02b366b3e6c4ff66ab88d196f8d5d0
Code:
hxxp://barabashechka-it.com/UK01.exe
md5sum ===> c6f18a746f1964730f19cdcdbf4d80c2
http://www.virustotal.com/file-scan/report.html?id=e27f04e30b0c76e14b9c3a57b69ea6d98e699c1a165f0c517d7e4741441acd99-1288638763
VT 13/43 (30.2%)
Code:
hxxp://barabashechka-it.com/EUADM/gotobot.php
IP Location: China - Proxy-registered route object - CHINA-TELECOM
IP 122.225.38.43
AS4134
ns1.simswarmsad.com
ns2.simswarmsad.com
Registrant/Email Registrant: Tatiana Matukhova/totem@bz3.ru
Code:
hxxp://simswarmsad.com:81/usu/col.sk
md5sum ===> dc4324edfb5faad8e59fd024ba2d0358
related:
IP Location: Bosnia and Herzegovina - BA-GLOBALNET-AS
IP 77.78.240.156
AS42560
ns1.afraid.org
ns2.afraid.org
Registrant/Email Registrant: Andrej Kolesnikov/knox@ca4.ru
Code:
hxxp://videoiumons.com/setup.exe
md5sum ===> 62119c314048af89bfc5ac96511059b9
http://www.virustotal.com/file-scan/report.html?id=6546d436c90f96210ec36c2736cb333dc4dc0cfeb3d072bd0853eb2da27d5898-1288640060
VT 16/43 (37.2%)
Title: Re: New Zeus server
Post by: jackberri on November 02, 2010, 11:13:21 am
IP Location: United States - PNAP-LAX softlayerexempt - SOFTLAYER
IP 67.228.244.194
[voda9.voda9.com]
AS36351
ns15.vodahost.com
ns16.vodahost.com
Registrant/Email Registrant: VodaHost/support@vodahost.com
Code:
hxxp://thetradesjournal.com/apps/logos/awning3.jpg
md5sum ===> 2a1619b99505e5983a06f160ac38b127
Code:
hxxp://thetradesjournal.com/apps/logos/roof4.exe
hxxp://thetradesjournal.com/apps/logos/yset.exe
md5sum ===> 6eb947e92e894aa6a68a4243512240ea
http://www.virustotal.com/file-scan/report.html?id=5b56b54e5f82763afbf511dfc581084673b05f1887de08c146116f39733d3704-1288693729
VT 8/43 (18.6%)
Code:
hxxp://thetradesjournal.com/apps/logos/des3.exe
md5sum ===> 181aea20e3f50b5d0560f6f926943436
http://www.virustotal.com/file-scan/report.html?id=bbed1ced548abb670012c54a11b3d7aef42b80621a27cf5f20c47b3ca3a43d73-1288695462
VT 29/43 (67.4%)
Code:
hxxp://articonti.net/504index.php (already listed)
related:
Code:
hxxp://dlphonethems.com/bod_cb.ttf
md5sum ===> ecf4f26dd480a43210614f1333709cd2
Code:
hxxp://nokiaadapters.com
Title: Re: New Zeus server
Post by: jackberri on November 02, 2010, 12:58:11 pm
IP Location: Ukraine - INFORMEX-NET -INFORMEX-MNT
IP 193.178.172.79
AS20564
ns1.dns-diy.net
ns2.dns-diy.net
Registrant/Email Registrant: Ignat Jasse/admin@vikingsnotdead.com
Code:
hxxp://vikingsnotdead.com/zs/cofag56.bin
md5sum ===> f6cc97e6384e21af540777fddad7f3d6
Code:
hxxp://vikingsnotdead.com/zs/botetz.exe
md5sum ===> eaeb98bd07e5ca57d974c6fb8bb7ab01
http://www.virustotal.com/file-scan/report.html?id=5aaf305d7c9a2e7c17d68a12d960b2cc32fe3af678e44ab7bb9537d46fa112c7-1288702318
VT 22/43 (51.2%)
Code:
hxxp://vikingsnotdead.com/zs/gates5.php
Title: Re: New Zeus server
Post by: jackberri on November 02, 2010, 05:26:08 pm
IP Location: Kazakhstan - ALFAHOSTNET
IP 193.105.207.120
AS50793
ns1.semeroumok.ru
ns2.semeroumok.ru
Registrant/Email Registrant: Private Person/dns@semeroumok.ru
Code:
hxxp://derejablik.ru/images/logo.gif
md5sum ===> fe1e3f0ffb340e32eb490c0a5c37372d
Code:
hxxp://derejablik.ru/images/1c.exe
md5sum ===> ee87c98816ef4e84f88d7e7bfd032bb3
http://www.virustotal.com/file-scan/report.html?id=bc0632079ad16dcff1fa018322be00526f10af21ec09044fb3d441b93c489d2e-1288718151
VT 5/43 (11.6%)
Code:
hxxp://derejablik.ru/images/img.php
Title: Re: New Zeus server
Post by: jackberri on November 02, 2010, 06:19:48 pm
IP Location: Russian Federation - LEKUS-AS OOO
IP 95.215.140.65
AS48949
ns1.free-advertisement.net
ns2.free-advertisement.net
Registrant/Email Registrant: Max Klimov/7333h@yaebal.com
Code:
hxxp://wvvw.statistic-servers-configs.net/members/msn.dll
md5sum ===> fe1e3f0ffb340e32eb490c0a5c37372d
Code:
hxxp://wvw.statistic-servers-configs.net/google/google-toolbar.exe
md5sum ===> 6dfbaa9db6a709f7139ff2e5d68af318
http://www.virustotal.com/file-scan/report.html?id=e7f875f53019b5672c74d353a417b6db61831f93bad3963d79884c8a58d5b346-1288720540
VT 26/43 (60.5%)

Registrant/Email Registrant: Mayo Mukko/MMuu@gmali.com
Code:
hxxp://wvw.aol-serv.net/jwd/builder/file/file.exe
md5sum ===> dfe3ea487740c563d007391c0387c928
http://www.virustotal.com/file-scan/report.html?id=22ceb66c7d04362ced7c3f99a9c3793c2e5cf34283a2cdbfa6d4ee2c8723d53d-1288720452
VT 15/43 (34.9%)

Registrant/Email Registrant: Inya Nihao/hina@hao.cn
Code:
hxxp://wvw.server-dns-stat.net/404.php
Title: Re: New Zeus server
Post by: jackberri on November 03, 2010, 07:41:28 pm
IP Location: ?? - L-NET Route Object - LYAHOV-AS Lyahovich Maksim
IP 91.217.249.171
AS51554
ns1.domainservice.com
ns2.domainservice.com
Registrant/Email Registrant: Marshall Morgan/webmaster@bewilderedbord.com
Code:
hxxp://firstdfyria.com/cfg/ass3firstdfyria.jpg
md5sum ===> adc3d9d9b63060cdbedc4364d7960868

IP Location: Ukraine - INFORMEX-NET -INFORMEX-MNT
AS20564
Registrant: grafomedia srl
Code:
hxxp://193.178.172.60/siki/sit/xinu.so
md5sum ===> c320b376dc59ece256daad3f4afa4704
Code:
hxxp://193.178.172.60/siki/fuck.php
Title: Re: New Zeus server
Post by: jackberri on November 04, 2010, 11:07:27 am
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.6
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Anton S Petuchkov/antonpetushkov@yahoo.com
Code:
hxxp://file-system5.com/777u3.so
md5sum ===> 6e09bcd905165c1c8cba382a889e5a4f
Code:
hxxp://file-system5.com/i.php
IP Location: Russian Federation - VLine Telecom Block Moscow - VLTELECOM-AS
IP 109.196.130.58
AS39150
ns1.122vsvsn21221.net
ns2.122vsvsn21221.net
Registrant/Email Registrant: Chang So/changso@yahoo.com
Code:
hxxp://122vsvsn21221.net/urla/c2.bin
md5sum ===> 96e706dba5b2e8633c79094349d31570
Title: Re: New Zeus server
Post by: jackberri on November 04, 2010, 07:58:17 pm
IP Location: Ukraine - HITLINE PI ROUTE -INTERPHONE-AS
IP 91.197.237.64
AS24881
ns1.holdglass.com
ns2.holdglass.com
Registrant/Email Registrant: Igor Nikenin/ChapoohNet-domains@gmail.com
Code:
hxxp://chokeapple.net/ppnl3.bin
hxxp://chokeapple.net/panel3/ppnl3.bin
hxxp://coffeemilkgogo.net/ppnl3.bin
hxxp://coffeemilkgogo.net/panel3/ppnl3.bin
hxxp://kBneKuZF9FZ3cIIJHA44QrQA1.net/ppnl3.bin
hxxp://kBneKuZF9FZ3cIIJHA44QrQA1.net/panel3/ppnl3.bin
md5sum ===> 237c8a287d76b766ca6f6b07bb0f7e67
Code:
hxxp://chokeapple.net/ppnl3.exe
hxxp://chokeapple.net/panel3/ppnl3.exe
hxxp://coffeemilkgogo.net/panel3/ppnl3.exe
hxxp://kBneKuZF9FZ3cIIJHA44QrQA1.net/panel3/ppnl3.exe
md5sum ===> ac4bd1359b493a8ec118370398c39914
http://www.virustotal.com/file-scan/report.html?id=1df2015b68a43302d18ed74ce570d706055f549932c6496cc1bcfb4b66cfe1f6-1288899245
VT 7/43 (16.3%)
Code:
hxxp://chokeapple.net/panel3/gotobank.php
hxxp://kbnekuzf9fz3ciijha44qrqa1.net/panel3/gotobank.php
Title: Re: New Zeus server
Post by: jackberri on November 06, 2010, 06:30:59 am
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.6
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Anton pet/maxpet1212@gmail.com
Code:
hxxp://eat0good.com/777u4.so
md5sum ===> 0f40b37526340d4d02cc06b0e577ec3c
Code:
hxxp://eat0good.com/i.php
Title: Re: New Zeus server
Post by: jackberri on November 06, 2010, 02:35:52 pm
IP Location: Czech Republic - Softel Consulting
IP 193.104.146.77
AS50134
dns1.webdrive.ru
dns2.webdrive.ru
Code:
hxxp://mxlink.ws/f1_heiught3o2iryhe/2uiew__t/zxconfig.bin
md5sum ===> 623fcd07fe505446deb1f41da3b43368
Code:
hxxp://mxlink.ws/f1_heiught3o2iryhe/2uiew__t/gt_gewjhi3.php
IP Location: Armenia - K-Telecom specific Route -  K-Telecom CJSC
IP 217.76.2.152
[152.2.76.217.in-addr.mts.am]
AS43733
ns1.totalpersonpa.net
ns2.totalpersonpa.net
Registrant/Email Registrant: Ana D. Marshall/AnaDMarshall@gmail.com
Code:
hxxp://ritandbliuss.com/work/bestwork.img
md5sum ===> 24e261fe9246b726f7f0c81f92c61cb8
Title: Re: New Zeus server
Post by: jackberri on November 08, 2010, 08:25:58 am
IP Location: Ukraine - HITLINE PI ROUTE -INTERPHONE-AS
IP 91.197.237.64
AS24881
ns1.holdglass.com
ns2.holdglass.com
Registrant/Email Registrant: Igor Nikenin/ChapoohNet-domains@gmail.com
Code:
hxxp://popsurface.net/ppnl3.bin
hxxp://popsurface.net/panel3/ppnl3.bin
hxxp://1lqqcprexq4f4gg84aiisomxt.net/ppnl3.bin
hxxp://1lqqcprexq4f4gg84aiisomxt.net/panel3/ppnl3.bin
md5sum ===> 74e2d093984822b7193b4bbe88f15ed3
Code:
hxxp://popsurface.net/panel3/ppnl3.exe
hxxp://1lqqcprexq4f4gg84aiisomxt.net/panel3/ppnl3.exe
md5sum ===> 50a57c592735f67952b5126f776e3300
http://www.virustotal.com/file-scan/report.html?id=20902a6063b9e94386b82a5254ca162641fd539ea6a1a9ab36b86a4cb5a405e7-1289204354
VT 25/43 (48.8%)
Code:
hxxp://popsurface.net/panel3/gotobank.php
hxxp://1lqqcprexq4f4gg84aiisomxt.net/panel3/gotobank.php

IP Location: Malaysia - Gigabit Hosting - GIGABIT-MY THEGIGABIT
IP 223.25.242.43
AS55720
ns13.zoneedit.com
ns9.zoneedit.com
Registrant/Email Registrant: Mark C Thomas/mcthomas34@first-host.net
Code:
hxxp://testdouble666111.com/2x/b2/cfg_dtes2.bin
md5sum ===> 0eccfd9cea940a2b85fa284757ebcd28
Code:
hxxp://testdouble666111.com/2x/e.php
Code:
hxxp://testdouble666111.com/123/killexe.exe
md5sum ===> e9e53628628619b8fe02d248815344ef
http://www.virustotal.com/file-scan/report.html?id=708e81a4b8c22f9e37c97e20941511058e099075c1e82221fb7a9a4784fd0c2e-1289129561
VT 35/43 (81.4%)
Title: Re: New Zeus server
Post by: jackberri on November 09, 2010, 04:51:07 am
IP Location: Bosnia and Herzegovina  - BA-GLOBALNET-AS
IP 77.78.239.132
AS42560
ns2.regway.com -AS36351
ns1.regway.com -AS15830
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code:
hxxp://alizesex.com/sx14a/fda.bin
md5sum ===> 25120ef0ca3fbb10b483f6b39f90ac03
Code:
hxxp://alizesex.com/sx14a/fda.exe
md5sum ===> 2129a8b72a56cf82acb7da81a7ccea90
http://www.virustotal.com/file-scan/report.html?id=5880cb5e6db83948d806734ec7d084c08484308da055cfbe07f242f98a5e94b5-1289277884
VT 11/43 (25.6%)
Code:
hxxp://alizesex.com/zss37.php
Title: Re: New Zeus server
Post by: jackberri on November 10, 2010, 07:22:47 pm
IP Location: Russian Federation - L-NET Route Object -  LYAHOV-AS Lyahovich Maksim
IP 91.217.249.171
AS51554
ns1.dontouchme.ru - AS51554
ns2.dontouchme.ru - AS51554
Registrant/Email Registrant: Private Person/dns@dontouchme.ru
Code:
hxxp://dontouchme.ru/cfg/as66dontouchme.jpg
md5sum ===> 9a9ca3aaa220710d58f85d87dced90c2
Code:
hxxp://dontouchme.ru/upload/update.exe
md5sum ===> a1b61b2131d98762b72eb7b513f5ad67
http://www.virustotal.com/file-scan/report.html?id=73abaec5afda4ffc0ec0a49ebac77ac7af052fe4d069227d30b95c494d88c0ac-1289411648
VT 8/43 (18.6%)
Code:
hxxp://dontouchme.ru/more/contacts.php
IP Location: Ukraine - Hostpro Ltd. -  Datagroup PRIVATE JOINT STOCK COMPANY
IP 194.28.84.248
[194.28.84.248.hostpro.com.ua]
AS21219
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Chernov Kiril/kirilchernov@yahoo.com
Code:
hxxp://pressirononline.com/bg.gif
md5sum ===> d8a88ba32052a679916ff3d707214fdd
Title: Re: New Zeus server
Post by: jackberri on November 11, 2010, 08:59:46 pm
IP Location: China - China Telecom JiangXi province -  CHINA-TELECOM
IP 59.53.91.124
AS4134
ns1.nisferylos.com
ns2.nisferylos.com
Registrant/Email Registrant: Olesya Sorokina/chew@freenetbox.ru
Code:
hxxp://nisferylos.com/gbt/uka.ok
md5sum ===> 5f3bf34269ab4a9ced320b97ecdb4676

IP Location: Ukraine - K2K-NET -  K2K-AS
IP 193.27.232.119
AS43181
ns1.dreamhost.com AS26347
ns2.dreamhost.com AS26228
Domain ID:D35321324-LRMS
Registrant/Email Registrant: A Happy DreamHost Customer/supertoysshops.info@proxy.dreamhost.com
Code:
hxxp://supertoysshops.info/usa.bin
md5sum ===> 2e3b339ef43c3c5555e8ce9930685694
Code:
hxxp://supertoysshops.info/redir.php
IP Location: Ukraine - VHost route -  VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.10
AS29106
ns1.nameself.com AS43146
ns1.nameself.com AS30968
Code:
hxxp://2myagust.com/777u6.so
md5sum ===> b87b673b2b892394e80409f56d2a200d
Code:
hxxp://2myagust.com/i.php
Code:
hxxp://timesync.asia/t1me/cash1.bin
md5sum ===> e187a435f3099c060ed7afc1126c89aa
Title: Re: New Zeus server
Post by: jackberri on November 12, 2010, 06:35:22 am
related Zeus botnet malware
Code:
hxxp://2myagust.com/777u6.so  (already listed)
Code:
hxxp://91.217.249.160/KILL.exe
md5sum ===> ac617536de4bbb507a48e7e4e658616d
http://www.virustotal.com/file-scan/report.html?id=750945cf7355cd35e31d439d18dd9a922ffe5d451819f55238245b7b717088a8-1289493582
VT 30/43 (69.8%)
Title: Re: New Zeus server
Post by: jackberri on November 12, 2010, 12:25:01 pm
IP Location: Romania - STARNET-AS
IP 195.206.246.246
AS31252
ns1.dns-diy.net AS16805
ns2.dns-diy.net AS16805
Registrant ID:K35-n203173_00
Registrant/Email Registrant: Kleon maba/admin@oztime.azia
Code:
hxxp://oztime.asia/6ucks/oztime1.bin
md5sum ===> 8040847ab7c292aae1baed92812a9636
Code:
hxxp://oztime.asia/6ucks/oztime1.exe
md5sum ===> bfca6966bd363acdac0f45a760543cf7
http://www.virustotal.com/file-scan/report.html?id=722bcbed835a96a2479dd5ac3869b703562e637edbdf0ba03531b1becd32a54c-1289563930
VT 6/43 (14.0%)
Code:
hxxp://oztime.asia/6ucks/gat3.php
Title: Re: New Zeus server
Post by: jackberri on November 13, 2010, 12:27:02 pm
IP Location: Czech Republic - Softel Consulting s.r.o
AS50134
Code:
hxxp://193.104.146.77/f1_heiught3o2iryhe/2uiew__t/zxconfig.bin
md5sum ===> cbd6498168b4bb6f155c0248caaf78cd
Code:
hxxp://193.104.146.77/f1_heiught3o2iryhe/2uiew__t/up1/bot_up1_144.exe
md5sum ===> edc9b26239435565af56995a0d9ac1e4
http://www.virustotal.com/file-scan/report.html?id=8317453280cf49d1c0669920dd1139aa49238a996d9146740c3c6d0a85884154-1289650856
VT 23/43 (53.5%)
Code:
hxxp://193.104.146.77/f1_heiught3o2iryhe/2uiew__t/gt_gewjhi3.php
Title: Re: New Zeus server
Post by: jackberri on November 14, 2010, 05:59:10 pm
IP Location: Russian Federation - CenterTelecom Bryansk PPPoE customers - DEBRYANSK-AS
IP 109.198.206.102
[host-109-198-206-x.tts.debryansk.ru]
AS34267
ns1.holdglass.com - AS29873
ns2.holdglass.com - AS10455
Registrant/Email Registrant: Igor Nikenin/ChapoohNet-domains@gmail.com
Code:
hxxp://blindwife.net/ppnl3.bin
hxxp://blindwife.net/panel3/ppnl3.bin
hxxp://S8lW0v7iYI1KWgOevNWVJCn85.net/ppnl3.bin
hxxp://S8lW0v7iYI1KWgOevNWVJCn85.net/panel3/ppnl3.bin
md5sum ===> a5699f5abbcbe18df304e84789e3a778
Code:
hxxp://blindwife.net/panel3/ppnl3.exe
hxxp://S8lW0v7iYI1KWgOevNWVJCn85.net/panel3/ppnl3.exe
md5sum ===> eff32f023319d42073e952653595a8ab
http://www.virustotal.com/file-scan/report.html?id=2245a0e6c95e0ffc03587f949d67295362491aee49e624908d56ce9e0c03a229-1289741192
VT 3/43 (7.0%)
Code:
hxxp://blindwife.net/panel3/gotobank.php
hxxp://S8lW0v7iYI1KWgOevNWVJCn85.net/panel3/gotobank.php
Title: Re: New Zeus server
Post by: jackberri on November 15, 2010, 07:19:30 am
Code:
hxxp://195.226.197.100/~host/us/usdase.db
md5sum ===> 830f70536e371493a0106d9dc97b2320
Code:
hxxp://195.226.197.100/~host/us/us.exe
md5sum ===> 8c24a09a9306199285dd6703ebc845c7
http://www.virustotal.com/file-scan/report.html?id=ba0e6fcc76cb2d75b7fe031e322674a5085e47fca9c5e0c38ad09165827c588b-1289805169
VT 4/43 (9.3%)
Title: Re: New Zeus server
Post by: jackberri on November 15, 2010, 11:46:07 am
IP Location: Latvia - ALTNET
IP 195.3.145.40
AS41390
ns1.nameself.com AS43146
ns1.nameself.com AS30968
Registrant/Email Registrant: Private Person/esmekere@yahoo.com
Code:
hxxp://microupdates.ru/_crfz/cr2z2
md5sum ===> 219b2e17adc8c3fa3d28b4f3bd8c11cb
Code:
microupdates.ru/_r02x/_zen0r.php
Title: Re: New Zeus server
Post by: jackberri on November 16, 2010, 09:33:40 am
IP Location: Latvia - Agava JSC - AGAVA3
IP 89.108.109.107
[unknown-5897.agava.net]
AS43146
ns1.nameself.com AS43146
ns1.nameself.com AS30968
Registrant/Email Registrant: Mihailov Igor/i.mihailov@yahoo.com
Code:
hxxp://carsforrichandother.com/images/logo.jpg
md5sum ===> 25b1d13ea0269c8287989850cbc662b3
dropzone (already listed):
Code:
hxxp://goodsandserv.com/index.php
IP Location: Armenia - K-Telecom specific Route - K-Telecom CJSC
IP 217.76.2.152
[152.2.76.217.in-addr.mts.am]
AS43733
ns1.kanabios.net AS13237
ns2.kanabios.net AS4713
Registrant/Email Registrant: Oksana Gerasimova/glow@yourisp.ru
Code:
hxxp://dilidam0001.com/xed/config.bin
md5sum ===> e35b3628f09202844a45801dad9d33b0
Code:
hxxp://dilidam0001.com/xed/yourbot.exe
md5sum ===> ebfe2fd848a3eddb80cd21511e364919
http://www.virustotal.com/file-scan/report.html?id=4ade06ea2377d4ee6aed5be60331305df7049412f9ba45aea9c5e19e8b94ed5f-1289899092
VT 3/42 (7.1%)
Code:
hxxp://dilidam0001.com/xed/gate.php
Title: Re: New Zeus server
Post by: jackberri on November 16, 2010, 04:14:24 pm
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.10
AS29106
ns1.nameself.com AS43146
ns1.nameself.com AS30968
Registrant/Email Registrant: Maksim A Roslyakov/zurihpwd@yahoo.com
Code:
hxxp://oslolstal.com/000u1.so
md5sum ===> 62abe07bd68959e2c7d4f1c99c250f03
Code:
hxxp://oslolstal.com/i.php
related:
Registrant/Email Registrant: Anton S Petuchkov/antonpetushkov@yahoo.com
Code:
hxxp://32agora.com/r_KillEXE.exe
md5sum ===> 73f88372e462fe213fddcea2a4327a6c
http://www.virustotal.com/file-scan/report.html?id=5bb2452cf879cd91f8de2835741ee3943aecb9702abe278025d23eca32f45eec-1289901254
VT 30/40 (75.0%)

IP Location: Ukraine - Tavrahost network route object - UAIP-AS PAN-SAM
IP 188.95.159.128
AS51306
ns1.everydns.net AS15135
ns2.everydns.net AS15135
Registrant ID:CR58024825
Registrant/Email Registrant: Denis Zagrebin/order@iphoster.ru
Code:
hxxp://contentserver001.info/forum/img/img_1582.jpg
md5sum ===> a1a3c0cba8ef0c28ff73150da4a3d0c3
Code:
hxxp://contentserver001.info/tmp/update_4812648.exe
md5sum ===> b58fcee9bcb86d023f998f481e82fd38
http://www.virustotal.com/file-scan/report.html?id=37a0f5f73267790c58c1c0097fcd86a414d12d3336b4b658b73134a16b2c27f8-1289904177
VT 24/39 (61.5%)
Code:
hxxp://contentserver001.info/forum/profile.php

IP Location: Ukraine - L-NET Route Object - LYAHOV-AS
IP 91.217.249.171
AS51554
ns1.bestwebrecords.ru
ns2.bestwebrecords.ru
Registrant/Email Registrant: Private Person/info@bestwebrecords.ru
Code:
hxxp://bestwebrecords.ru/cfg/lks34bestwebrecords.jpg
md5sum ===> 064b27093806a722d4fdd14fc13353b9

Title: Re: New Zeus server
Post by: jackberri on November 16, 2010, 05:45:31 pm
IP Location: Ukraine - L-NET Route Object - LYAHOV-AS
IP 91.217.249.168
AS51554
ns1.isshconnect.ru.
ns1.isshconnect.ru.
Registrant/Email Registrant: Private Person/domain@lolkins.ru
Code:
hxxp://ghostbustards.ru/bunghole/umax.dll
md5sum ===> fb666a96314cd9ed1c6e9ec951ea3407
Code:
hxxp://ghostbustards.ru/bunghole/umax.exe
md5sum ===> 9f746cb971a33df9e6c65b1829057fcb
http://www.virustotal.com/file-scan/report.html?id=c82b373e60889ee587a2ff8f0aa60e0117024fae8f56652fdb7cc9ceb5b8e9b3-1289928641
VT 24/43 (55.8%)
Code:
hxxp://ghostbustards.ru/bunghole/umax.php
Title: Re: New Zeus server
Post by: jackberri on November 17, 2010, 03:10:58 pm
IP Location: Ukraine - INFORMEX-NET - INFORMEX-MNT
IP 193.178.172.55
AS20564
dns.rebel.com - AS26499
dns2.rebel.com - AS174
Registrant/Email Registrant: James McElreath/axakixugynedo@yahoo.com
Code:
hxxp://193.178.172.55/news/?s=2040
hxxp://koeronpluytgcu.com/news/?s=2040
md5sum ===> 837d04c709e3e5815c26ecba6ca674df
Code:
hxxp://193.178.172.55/news/?s=6225
hxxp://koeronpluytgcu.com/news/?s=6225
md5sum ===> d15fedc4ff921e9bde375028ba88c098
http://www.virustotal.com/file-scan/report.html?id=634553336f8a0394819c39b33e2e99f863b305c809e8a13e467d218eb54aa56f-1290001586
VT 13/43 (30.2%)

IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.8
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Maksim A Roslyakov/zurihpwd@yahoo.com
Code:
hxxp://gvhfreesow.com/000u2.so
md5sum ===> 2035d7ed2f74d8358a9e82d6402a0520
Code:
hxxp://gvhfreesow.com/i.php
IP Location: United Kingdom - C4L-AS
IP 84.45.20.124
[oberon.freezone.co.uk]
AS25577
ns0.freezone.co.uk
ns1.freezone.co.uk
Email Registrant: Chris Sale
Code:
hxxp://chrissale.co.uk/thumbs/whf24.exe
md5sum ===> dc65ce21c8d5e22130d099c473227491
http://www.virustotal.com/file-scan/report.html?id=15ff8a58ca567c662b68d578784e00fd90a123e66a287b5d323ed79838094c33-1289951578
VT 21/43 (48.8%)
related (already listed):
Code:
hxxp://ourpole.com/x9000_z/jq.jpg
Title: Re: New Zeus server
Post by: jackberri on November 18, 2010, 10:15:16 am
IP Location: Israel - 013 Netvision Network - NV-ASN 013 NetVision Ltd
IP 85.64.199.184
[85.64.199.184.dynamic.barak-online.net]
AS1680
ns1.realtynmotio.com AS29550
ns2.realtynmotio.com AS6389
Registrant/Email Registrant: Egor Romanov/ju@cheapbox.ru

Code:
hxxp://decreasein.net/14oct_usa.cpm
hxxp://thinkpadus.cc/14oct_usa.cpm
hxxp://realemotion.cc/14oct_usa.cpm
md5sum ===> 0805e1f020b2806b6b9d5d89fd37d79b

Code:
hxxp://decreasein.net/22oct_den.cpm
hxxp://thinkpadus.cc/22oct_den.cpm
hxxp://realemotion.cc/22oct_den.cpm
md5sum ===> a1b5bb9952f8db170278acee31ec9cd2

Code:
hxxp://decreasein.net/22oct_dmi.cpm
hxxp://thinkpadus.cc/22oct_dmi.cpm
hxxp://realemotion.cc/22oct_dmi.cpm
md5sum ===> 97bbb9b06eae58867d566b258baab9be

Code:
hxxp://decreasein.net/22oct_pac.cpm
hxxp://thinkpadus.cc/22oct_pac.cpm
hxxp://realemotion.cc/22oct_pac.cpm
md5sum ===> 92e5ed932915f0128f5a7d0dd7fdbb71

Code:
hxxp://decreasein.net/22oct_ic3.cpm
hxxp://thinkpadus.cc/22oct_ic3.cpm
hxxp://realemotion.cc/22oct_ic3.cpm
md5sum ===> a3140861080da50d3968da4cc6dfe04c

Code:
hxxp://decreasein.net/22oct_bir.cpm
hxxp://thinkpadus.cc/22oct_bir.cpm
hxxp://realemotion.cc/22oct_bir.cpm
md5sum ===> 83f17059b6301634d4539e185708afb9

Code:
hxxp://decreasein.net/14oct_usa.exe
hxxp://thinkpadus.cc/14oct_usa.exe
hxxp://realemotion.cc/14oct_usa.exe
md5sum ===> 627677910089b8acfd8f6f40f3ce8e0d
http://www.virustotal.com/file-scan/report.html?id=5a91b58d9e507544612c94e199e0f6b3476e8754c629bf46ea3f0ebfbaf3ad93-1290073087
VT 9/43 (20.9%)

Code:
hxxp://decreasein.net/22oct_den.exe
hxxp://thinkpadus.cc/22oct_den.exe
hxxp://realemotion.cc/22oct_den.exe
md5sum ===> e73c16cf2d9447d2ffec134f976b146b
http://www.virustotal.com/file-scan/report.html?id=18c1c56d7f652ec92e75a75e11fa91225dde48b7de67b35469e7e0756ed6e5e1-1290071904
VT 7/41 (17.1%)

Code:
hxxp://decreasein.net/22oct_dmi.exe
hxxp://thinkpadus.cc/22oct_dmi.exe
hxxp://realemotion.cc/22oct_dmi.exe
md5sum ===> 94623540bfdcc25e4fcf9ccfe484ce5d
http://www.virustotal.com/file-scan/report.html?id=44d56068da0ed404bf5df7294b4f7552a1bf64168cbd4abe0a06caac0115d8e3-1290074171
VT 5/43 (11.6%)

Code:
hxxp://decreasein.net/22oct_pac.exe
hxxp://thinkpadus.cc/22oct_pac.exe
hxxp://realemotion.cc/22oct_pac.exe
md5sum ===> 58d4a5c9b962a573c0ddf161fdd2a927
http://www.virustotal.com/file-scan/report.html?id=a0f5054174e3d74a30210d441ab0c8cdcb45a762fab063eaef6158281a54d60c-1290074424
VT 10/43 (23.3%)

Code:
hxxp://decreasein.net/22oct_ic3.exe
hxxp://thinkpadus.cc/22oct_ic3.exe
hxxp://realemotion.cc/22oct_ic3.exe
md5sum ===> bdaf2ede28dd5124cc58de958f5bc76b
http://www.virustotal.com/file-scan/report.html?id=4139867e73fcf14c0e634c495d2f470d0724b2f88ac2cf8e753f4be824f829dc-1290074669
VT 9/41 (20.9%)

Code:
hxxp://decreasein.net/22oct_bir.exe
hxxp://thinkpadus.cc/22oct_bir.exe
hxxp://realemotion.cc/22oct_bir.exe
md5sum ===> ca855478e605cbfa1390393534fb3fbc
http://www.virustotal.com/file-scan/report.html?id=c4440fc1078253f96cc99fa8b66c02a9c594df605f8417efe18b582784dbeff1-1290074957
VT 8/43 (18.6%)
Code:
realemotion.cc/yahooman.php
Title: Re: New Zeus server
Post by: jackberri on November 18, 2010, 12:20:54 pm
IP Location: Malaysia - Gigabit Hosting - GIGABIT-MY
IP 223.25.242.86
AS55720
ns1.freedns.ws
ns2.freedns.ws
Registrant/Email Registrant: Private Person/thelastnetmaster@gmail.com
Code:
hxxp://maxpowerlimitco.ru/zozo/anime.jpg
md5sum ===> 97acaaeb6b6b10a02daada8cdb8e0a56
Code:
maxpowerlimitco.ru/zozo/music.php

IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.9
AS29106
ns2.reg.ru
ns1.reg.ru
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code:
hxxp://kernelcompiz.com/000u3.so
md5sum ===> efec4ff57ed7432759eddc8a0566a41d
Code:
hxxp://kernelcompiz.com/i.php
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.10
AS29106
ns1.nameself.com AS43146
ns2.nameself.com AS30968
Registrant/Email Registrant: Maksim A Roslyakov/zurihpwd@yahoo.com
Code:
hxxp://muszzaks.com/00ca1.so
md5sum ===> c1620fc1c8cfe55a78b605df3d3a8747
Code:
hxxp://muszzaks.com/index.php
Title: Re: New Zeus server
Post by: jackberri on November 18, 2010, 07:59:03 pm
IP Location: United States - Proxy for Wiresix - WIRESIX Proxy aut-num by GNAX for WireSix
IP 66.71.245.206
[hal.g33k.ws]
AS14141
ns1.bidisa.net
ns2.bidisa.net
Registrant/Email Registrant: Cross, Matthew/dendy75@rocketmail.com
Code:
hxxp://samsung-tv-3dmy.com/conf_uk01.bin
md5sum ===> e47f2e79d2f6db3a9608b764b7645511
Code:
hxxp://samsung-tv-3dmy.com/UK01.exe
md5sum ===> 30e52c1104a0de343dccd124880d3283
http://www.virustotal.com/file-scan/report.html?id=2084531221dfd14fd6b8ab06e79a08ea31dd1a037d7c1d1149ae6591315c5838-1290109959
VT 18/43 (41.9%)
Code:
hxxp://samsung-tv-3dmy.com/EUADM/gotobot.php
Code:
hxxp://samsung-tv-3dmy.com/EUADM/rapport.exe
md5sum ===> 6118f37f9d0b7db157d2bd99eaa261c4
http://www.virustotal.com/file-scan/report.html?id=cee4e04fb7abdf64f648dd06bf2af8d316d84456afc0a66bb5a1dfb6396a7ec9-1290109657
VT 3/41 (7.3%)
Title: Re: New Zeus server
Post by: jackberri on November 18, 2010, 09:04:06 pm
IP Location: Ukraine - INFORMEX-NET - INFORMEX-MNT
IP 193.178.172.85
AS20564
ns1.iciq.biz
ns2.iciq.biz
Registrant/Email Registrant: Jenna Miller/Jenna@ersafunds.com
Code:
hxxp://dakpowj.com/snksy.bin
md5sum ===> 81213cf0139dd3a21eefce37961e915a
Code:
hxxp://dakpowj.com/snk.php

IP Location: Russian Federation - K2K-NET - K2K-AS Contel 2000 Ltd
AS43181
Code:
hxxp://193.27.232.50/1/usa.bin
md5sum ===> cec8ac6a6d71061f9ecd93afce134518

IP Location: Ukraine - YaltaInfo ISP
AS34528
Code:
hxxp://193.41.38.143/zorrin6.bin
md5sum ===> cd57fe62ce47364bf117c1dabe24fa7a
Code:
hxxp://193.41.38.144/zoroute.php
Title: Re: New Zeus server
Post by: jackberri on November 19, 2010, 01:01:49 pm
IP Location: Ukraine - GORBY-AS Alexandr Gorbunov
IP 195.226.197.27
AS51303
ns1.freedns.ws AS24940
ns2.freedns.ws AS50297
Registrant/Email Registrant: Loann T Young/admin@frasertooper.com
Code:
hxxp://frasertooper.com/abudabi/ukdase.db
md5sum ===> 4842fa0526e314d17c9d49565ef14600
Code:
hxxp://frasertooper.com/abudabi/uk.exe
md5sum ===> 351038dfc5c0622ce66b3000c62fd566
http://www.virustotal.com/file-scan/report.html?id=b019df7f88b3ca440205a059e4b6e2659ac99ac1900885d6b4d5f3db62ea39a5-1290171516
VT 3/42 (7.1%)
Title: Re: New Zeus server
Post by: jackberri on November 19, 2010, 09:06:51 pm
IP Location: United States - MTO Telecom inc. Proxy Route Object Gogax - MAINT AS
IP 76.76.99.52
[reverse-mtl-76-76-99-52.gogax.com]
AS21793
free01.editdns.net AS33517
free02.editdns.net AS32748
Code:
hxxp://makasim48dnara.com/hhruhsDDd/hggtik.bin
md5sum ===> 1b55e75994b281d235674e6a5f50a095
Code:
hxxp://77.120.109.24/sa.c.exe
md5sum ===> b6fc7db948b9e3e6775d983f4ec072c4
http://www.virustotal.com/file-scan/report.html?id=1d533cb415116751696b042e07943aef871d893c4db949599f1559c135601962-1290199841
VT 12/42 (28.6%)
Code:
hxxp://77.120.109.24/updatewin7.exe
md5sum ===> ad14dbc371b71d7653a13f95e81b3745
http://www.virustotal.com/file-scan/report.html?id=0f8c26d5eaa327a1610aa2492587408d40e54fade6828d9b8688eb2768c3f851-1290200373
VT 5/43 (11.6%)
Code:
hxxp://makasim48dnara.com/hhruhsDDd/lvv.php
Title: Re: New Zeus server
Post by: jackberri on November 20, 2010, 10:25:53 am
IP Location: Russian Federation - VLine Telecom - VLTELECOM-AS
IP 109.196.130.58
AS39150
ns1.1223vsvsn21221.net
ns2.1223vsvsn21221.net
Registrant/Email Registrant: Malus Ozanakis/malusozanakis@yahoo.com
Code:
hxxp://1223vsvsn21221.net/urla/c2.bin
md5sum ===> ea3a690b8d0249a1fdbb452ddc5c2a7c

IP Location: Russian Federation - L-NET Route Object - LYAHOV-AS Lyahovich Maksim
IP 91.217.249.167
AS51554
ns1.derttttt.ru
ns2.derttttt.ru
Email Registrant: info@derttttt.ru
Code:
hxxp://basildomut.ru/files/file.exe
md5sum ===> 91e3f63be4c3d71fd920c7d45b537909
http://www.virustotal.com/file-scan/report.html?id=7ea21ea7efad475d22d7189a09331792ec88bda569b9615c8916b1a27daa52cb-1290208558
VT 8/43 (18.6%)

IP Location: Russian Federation - K2K-NET - K2K-AS
IP 193.27.232.51
AS43181
ns1.nameself.com AS43146
ns2.nameself.com AS30968
Email Registrant: admin@nvffr.ru
Code:
hxxp://ulssew.ru/a.bin
md5sum ===> 002ade0a52c34c82bd0d9dd997de12f5
Code:
hxxp://ulssew.ru/b.php

IP Location: Singapore - AH-INC Go Daddy Software
IP 182.50.134.1
[sg2nlhg96c1096.shr.prod.sin2.secureserver.net]
AS26496
ns1.freedns.ws AS24940
ns2.freedns.ws AS50297
Code:
hxxp://chilliwinefactory.com/last/fversion
md5sum ===> 68650d695ecfd2055f32d28df70d4ce8
Code:
hxxp://chilliwinefactory.com/gamecenter/versioncheck.php

Title: Re: New Zeus server
Post by: jackberri on November 21, 2010, 09:22:02 am
IP Location: Tanzania - ASN-WIATZ WIA
IP 41.221.61.109
AS36965
ns1.uniqol.net
ns2.uniqol.net
Registrant/Email Registrant: Igor Nikenin/ChapoohNet-domains@gmail.com
Code:
hxxp://fryloop.net/ppnl3.bin
hxxp://fryloop.net/panel3/ppnl3.bin
hknwc9ncmehqblccyflrm9nkr.net/ppnl3.bin
hknwc9ncmehqblccyflrm9nkr.net/panel3/ppnl3.bin
md5sum ===> a1bbf4ed69971c623acaace3d1b5ccb5
Code:
hxxp://fryloop.net/panel3/ppnl3.exe
hknwc9ncmehqblccyflrm9nkr.net/ppnl3.exe
md5sum ===> 249b4b05e3678564a47a9fedbf171dce
http://www.virustotal.com/file-scan/report.html?id=6e77c46db6c7c786b46ce232543fb526674aab9a6804cb5ba5e55a34660b70d0-1290258365
VT 10/39 (25.6%)
Code:
hxxp://fryloop.net/panel3/gotobank.php
hknwc9ncmehqblccyflrm9nkr.net/panel3/gotobank.php
Title: Re: New Zeus server
Post by: jackberri on November 21, 2010, 11:07:12 pm
IP Location: Ukraine - W-NET ISP - WNET W-NET
IP 92.60.177.243
[grusha-92-60-177-243.hostinghutor.com]
AS15772
ns2.3i3i3i3i.net
ns1.3i3i3i3i.net
Registrant/Email Registrant: Tedy Moon/tedy.moon@yahoo.ca
Code:
hxxp://3i3i3i3i.net/frame.so
md5sum ===> 10972372d64829dc46d3cc10c35a3684
Code:
hxxp://3i3i3i3i.net/analytics.php
IP Location: Ukraine - Tob Intelektyalni Telecomynikacijni Merezhi
IP 194.1.220.43
AS50738
ns1.nameself.com AS43146
ns2.nameself.com AS8342
Registrant/Email Registrant: Private Person/admin@ruoff.ru
Code:
hxxp://intupdate.ru/fhiuqw8713fs10f/W7Ou3P.bin
md5sum ===> a3598c98dc4193b5ffc5013f678e7a60

IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.9
AS29106
ns2.reg.ru AS42244
ns1.reg.ru AS25532
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code:
hxxp://xinetdstart.com/000u5.so
md5sum ===> e2e8a42326d5a67c61646139cdc5b7da
Code:
hxxp://xinetdstart.com/i.php
IP Location: Ukraine - INFORMEX-NET - INFORMEX-MNT
IP 193.178.172.38
AS20564
ns3.cnmsn.com AS24544
ns4.cnmsn.com AS4134
Registrant ID:orgvb89908697002
Email Registrant: ijghhrgcsq@whoisservices.cn
Code:
hxxp://az-investment.org/cms/321i9uasdhdas/data_base.mysql
md5sum ===> 538d1b216e78ca67617714000a14364d
Code:
hxxp://az-investment.org/cms/9918ahbbdklkshgfpa.php
Title: Re: New Zeus server
Post by: jackberri on November 22, 2010, 10:32:35 am
IP Location: Russian Federation - ISPsystem-RU - ISPSYSTEM-AS
IP 188.120.225.116
AS29182
ns2.firstvds.ru
ns1.firstvds.ru
Registrant/Email Registrant: Private Person/abuse1@privatdot.com
Code:
hxxp://privacyposta.com/zxc/config.bin
md5sum ===> 59764bf1ae3ae0704d1d9343a1cba137
Code:
hxxp://privacyposta.com/zxc/bot.exe
md5sum ===> e05909ac2dd0754161b5d8bc8e662ea6
http://www.virustotal.com/file-scan/report.html?id=435b78bfa61dfb6e920e0fc82b0fb36b69aa8091057fec84b65efe39ea503b59-1290421345
VT 3/43 (7.0%)
Code:
hxxp://privacyposta.com/zxc/gate.php
Title: Re: New Zeus server
Post by: jackberri on November 22, 2010, 05:54:05 pm
Code:
hxxp://195.226.197.27/abudabi/ukdase.db
md5sum ===> 579df790d304d5aad7af5dc6f1a83422
Code:
hxxp://195.226.197.27/abudabi/uk.exe
md5sum ===> de62f8894967531d68b95e0e3aa33609
http://www.virustotal.com/file-scan/report.html?id=c10c8eff899f7a6e98fcf3b47cbbbf27a5b75d4a4f933b3b0afa0d93ff93f7f0-1290448225
VT 2/43 (4.7%)

IP Location: Russian Federation - L-NET Route Object - LYAHOV-AS Lyahovich Maksim
IP 91.217.249.171
AS51554
ns1.bestwebrecords.ru. 91.217.249.171
ns2.bestwebrecords.ru. 91.217.249.172
Registrant/Email Registrant: Private Person/info@bestwebrecords.ru
Code:
hxxp://bestwebrecords.ru/cfg/lks34bestwebrecords.jpg
md5sum ===> 702fabec07e06af6fea4fa85f8b4c9f8

IP Location: Russian Federation - L-NET Route Object - LYAHOV-AS Lyahovich Maksim
IP 91.217.249.168
AS51554
ns1.superboy999.ru
ns2.superboy999.ru
Registrant/Email Registrant: Private Person/dns@superboy999.ru
Code:
hxxp://mnogofiilok.ru/public_htlm/baskov.bin
md5sum ===> 03cd0400dea1c00f742602090ebff676
Title: Re: New Zeus server
Post by: jackberri on November 24, 2010, 05:58:57 am
IP Location: United Kingdom - FasthostInternet Ltd - FASTHOSTS-INTERNET
IP 213.171.218.9
[server213-171-218-9.livedns.org.uk]
AS15418
ns1.streamlinedns.co.uk
ns2.streamlinedns.co.uk
Registrant: James Connolly
Code:
hxxp://jdconnolly.co.uk/music/x9000.exe
md5sum ===> 9a127dc840c1868e18077a0cf31c10f6
http://www.virustotal.com/file-scan/report.html?id=2fae778b4f787d8e0d018bc8eb8be515588f1ea6f663180d0143040e2144cd7c-1290577974
VT 23/43 (53.5%)
related (already listed):
Code:
hxxp://ourpole.com/x9000_z/jq.jpg
Title: Re: New Zeus server
Post by: jackberri on November 24, 2010, 10:03:56 am
IP Location: Latvia - GreatHost-ALTNET - ALTNET-LV DG Holding SIA
IP 91.217.153.50
AS41390
ns3.cnmsn.com AS24544
ns4.cnmsn.com AS4134
Registrant/Email Registrant: Whois Privacy Protection Service/napjxicxle@whoisservices.cn
Code:
hxxp://universaladp.com/qwresrtyhgfadwet4y5/codssase/confdsfdsgfig.bin
md5sum ===> daf22ca892b2b00ec1570d1dc0acc234
Code:
hxxp://universaladp.com/qwresrtyhgfadwet4y5/codssase/bofdaededdsft.exe
md5sum ===> af6184bdb7b59f98a561b84ea0dcdb3a
http://www.virustotal.com/file-scan/report.html?id=f51aa0c583f57d36e9314bdaff9618519cca702e217e5a6f41c038f180e1e629-1290590710
VT 25/42 (59.5%)
Code:
hxxp://qwresrtyhgfadwet4y5/codssase/gafsddsdsrdasdete.php
Title: Re: New Zeus server
Post by: jackberri on November 25, 2010, 03:11:06 pm
IP Location: Ukraine - GORBY-AS Route Object - GORBY-AS Alexandr Gorbunov
IP 195.226.197.27
AS51303
ns1.freedns.ws AS24940
ns2.freedns.ws AS50297
Registrant/Email Registrant: Cuc H Rogers/admin@for-advanced-cfg1.com
Code:
hxxp://for-advanced-cfg1.com/abudabi/uk.db
md5sum ===> b35ad52663bc35a5f601b620f9848250
Code:
hxxp://for-advanced-cfg1.com/monte-karlo/usdase.db
md5sum ===> 06b24ccca94384bf58ea17e03869f01d
Code:
hxxp://for-advanced-cfg1.com/abudabi/uk.exe
md5sum ===> 0738aaaf5fb77f13ac0413c1641670ce
http://www.virustotal.com/file-scan/report.html?id=b33cdf620f0ffd5b992f30d09ce3f8519b997aa202cdd701f5a7272115423430-1290695986
VT 3/43 (7.0%)
Code:
hxxp://for-advanced-cfg1.com/monte-karlo/us.exe
md5sum ===> 611adf9caec8bf9b248bf679d680d5a4
http://www.virustotal.com/file-scan/report.html?id=723edd29801405f1c590f47c1586e90ea1e88362ef79f8df6f3662d1873bd7e4-1290696500
VT 3/42 (7.1%)
already listed:
Code:
hxxp://195.226.197.24/~hosting/woops/ttf.php
Title: Re: New Zeus server
Post by: jackberri on November 26, 2010, 05:46:29 pm
IP Location: Latvia - NET-VPNME Route Object - VPNME-AS Igor Vladimirovich Kanaev
IP 195.226.220.45
AS51354
ns1.freedns.ws AS24940
ns2.freedns.ws AS50297
Registrant/Email Registrant: Private Person/dm.nagib@ymail.com
Code:
hxxp://gocontinental.com/cdlist/covers/0102_mgm9.jpg
md5sum ===> cd7e1f3c7882111e38267cf3c1e90d70
Code:
hxxp://fireshowonline.com/index.php
IP Location: Ukraine - it-outsource-as LLC
IP 91.207.182.25
AS48280
ns1.dns-diy.net
ns2.dns-diy.net
Registrant/Email Registrant: Fleya Marla/admin@ramblegara-torentilla.com
Code:
hxxp://ramblegara-torentilla.com/tor1n0mosk/JNYi8Ge4FEf2re65.bin
md5sum ===> de1ec4bc4456fa5d6899da2c74e3e0d0
Code:
hxxp://ramblegara-torentilla.com/tor1n0mosk/muBvc4cjF5876fVKG4TfU6gf65gtft022Htu.php
Title: Re: New Zeus server
Post by: jackberri on December 01, 2010, 11:48:42 am
IP Location: Ukraine - Alexandr Gorbunov
IP 195.226.197.27
AS51303
ns1.freedns.ws
ns2.freedns.ws
Registrant/Email Registrant: Kuanita Thompson/admin@for-advanced-cfg2.com
Code:
hxxp://for-advanced-cfg2.com/monte-karlo/usdase.db
md5sum ===> ea40ea75c06baf297607acc8193b1efb
Code:
hxxp://for-advanced-cfg2.com/abudabi/uk.db
md5sum ===> 6c88164d42099036a7b0712a96618382
Code:
hxxp://for-advanced-cfg2.com/abudabi/uk.exe
md5sum ===> bbfc8adad69895c51ced1430f7e9cb0e
http://www.virustotal.com/file-scan/report.html?id=69451ec09555ff19f418c04acec44a9d6c0ea5e5e59d9b369d4f556ca52d9918-1291203033
VT 12/43 (27.9%)
Code:
hxxp://for-advanced-cfg1.com/monte-karlo/us.exe
md5sum ===> 536815f08c4ecf152b4c6f65c62e9e06
http://www.virustotal.com/file-scan/report.html?id=361229ff420a65a77370826953adc59d8706bfb67ba22a167935303397791970-1291202979
VT 4/43 (9.3%)

IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 195.226.220.45
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Evgeniy Jaakson/eejaak@aol.com
Code:
hxxp://linuxfesttallins.com/0099.so
md5sum ===> 90144206b695349222b3719b035a5994
Code:
hxxp://linuxfesttallins.com/i.php
Title: Re: New Zeus server
Post by: jackberri on December 01, 2010, 03:14:03 pm
IP Location: Ukraine - ITMUA-AS TOB
IP 194.1.220.48
AS50738
ns3.gkg.net
ns4.gkg.net
Registrant/Email Registrant: James Pokracki/duqiledibegaseci@yahoo.com
Code:
hxxp://fvrwqtvedjqthln.com/news/?s=9032
hxxp://uqmiqmvsnsjsnxol.info/news/?s=9032
hxxp://194.1.220.48/news/?s=9032
md5sum ===> a8c4f0d2918783a4c2c3146fc58e67d9
Code:
hxxp://fvrwqtvedjqthln.com/news/?s=6225
hxxp://uqmiqmvsnsjsnxol.info/news/?s=6225
hxxp://194.1.220.48/news/?s=6225
md5sum ===> 885254e2cb1b9645ed952de3ba29402e
http://www.virustotal.com/file-scan/report.html?id=9351e95d5829e818f58cc2a25a42d83a2d9e0326ec1b0a13258a5a97aff48dbb-1291210202
VT 33/43 (76.7%)
Code:
hxxp://fvrwqtvedjqthln.com/main.exe
hxxp://uqmiqmvsnsjsnxol.info/main.exe
hxxp://194.1.220.48/news/main.exe
md5sum ===> 1e1770e129aebdbb41da6e382643d178
http://www.virustotal.com/file-scan/report.html?id=3baddae4668aeecb011017b5a7824cc43125e8629f6e26375469774ae5a751a3-1291211548
VT 16/43 (37.2%)

IP Location: Germany - Keyweb AG IP Network - KEYWEB-AS
IP 95.169.186.126
[ns.km33904.keymachine.de]
AS31103
ns2.regway.com
ns1.regway.com
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code:
hxxp://myloanandcredit.net/777.bin
md5sum ===> bc4f4ee5169aa70fda8b742df1bc8ee9
Title: Re: New Zeus server
Post by: jackberri on December 01, 2010, 05:53:04 pm
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.44
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Evgeniy Jaakson/eejaak@aol.com
Code:
hxxp://seadistaminefast.com/1111.so
md5sum ===> 280687c0c1fa50cc6bf1749a0ebf4e95
Code:
hxxp://seadistaminefast.com/i.php
related:
Code:
hxxp://lll3zast.com/crypt_KillEXE.exe
md5sum ===> 76b3414d7e24e0ad9ba49b4270163a0b
http://www.virustotal.com/file-scan/report.html?id=32a33bdb627300386523dad859b95ecafbbfa06ae29ae561433e9e4a6f0d2d50-1291217097
VT 27/42 (64.3%)

IP Location: United States - Ace Data Centers, Inc. - Bluehost Inc.
IP 91.213.174.44
[host150.hostmonster.com]
AS11798
ns1.hostmonster.com
ns2.hostmonster.com
Registrant/Email Registrant: DrummingMad/Dean@DrummingMad.com
Code:
hxxp://drummingmad.com/images/smilies/joke.gif
md5sum ===> 280687c0c1fa50cc6bf1749a0ebf4e95
Code:
hxxp://www.dimental.com/coolstar/coolstar.php
related:
Code:
hxxp://privateconfigurationforme.com/index/header.exe
md5sum ===> 16b9fdb3eb29eef3d703e5126d911f94
http://www.virustotal.com/file-scan/report.html?id=903ddd63715dfd829af48528be6a557829b2bbd44fabd9f463c3955ee9c49ae2-1291225248
VT 1/43 (2.3%)
Title: Re: New Zeus server
Post by: jackberri on December 01, 2010, 07:59:03 pm
IP Location: United States - InternetNamesForBusiness.com - INFB InternetNamesForBusiness.com
IP 209.235.144.9
[hostedc31.carrierzone.com]
AS30447
dns01.gpn.register.com
dns02.gpn.register.com
Registrant/Email Registrant: PERFORMANCE CAR COMPANY/performancecars@btconnect.com
Code:
hxxp://performancecarcompany.com/stats/setup.exe
md5sum ===> b56de435cc07131d6f6f7d9a6794dee1
http://www.virustotal.com/file-scan/report.html?id=93b73298be2d815a6652488dd4595a442f162054e89e73181b978fea42fc4048-1291232535
VT 21/43 (48.8%)
Code:
hxxp://performancecarcompany.com/stats/x9000.exe
md5sum ===> 1343dcb5e4b0bf84e0da8426b23ab613
http://www.virustotal.com/file-scan/report.html?id=575db55b0eabbdb35ae59ea9be714600a87aabeffe62ea6f489414702a1a89ee-1291232878
VT 22/43 (51.2%)

related (already listed):
Code:
hxxp://ourpole.com/x9000_z/jqgrt.bin
hxxp://ourpole.com/x9000_z/jfde03jda32wlkv.php
Title: Re: New Zeus server
Post by: jackberri on December 02, 2010, 12:58:00 pm
IP Location: Ukraine - ITMUA-AS TOB
IP 194.1.220.48
AS50738
ns3.gkg.net
ns4.gkg.net
Registrant/Email Registrant: roger nunez/etiqawahobisyr@yahoo.com
Code:
hxxp://tafutxqvzkiqnsp.com/news/?s=9032
hxxp://194.1.220.142/news/?s=3230
md5sum ===> f7dc13022ca4c4b174bba373c50d19a7
Code:
hxxp://tafutxqvzkiqnsp.com/news/?s=6225
hxxp://194.1.220.142/news/?s=6225
md5sum ===> b9a2de97e2e8e1aa056fe7f240ec33a2
http://www.virustotal.com/file-scan/report.html?id=dc514ef65567cbf8b327bffa877f2d515253c33500b124c9226ede5cd5917836-1291294247
VT 9/43 (20.9%)
Title: Re: New Zeus server
Post by: jackberri on December 02, 2010, 06:23:45 pm
IP Location: China - CNC Group CHINA - China-Network-Communications (CNC Group)
IP 122.156.219.126
AS4837
ns1.uniqol.net
ns2.uniqol.net
Registrant/Email Registrant: Igor Nikenin/ChapoohNet-domains@gmail.com
Code:
hxxp://timewhich.net/ppnl3.bin
hxxp://timewhich.net/panel3/ppnl3.bin
hxxp://bd0hjsknhafokysl4yltpkutm.net/ppnl3.bin
hxxp://bd0hjsknhafokysl4yltpkutm.net/panel3/ppnl3.bin
md5sum ===> f9026842cac55729d85e1d9703d9b944
Code:
hxxp://timewhich.net/panel3/ppnl3.exe
hxxp://bd0hjsknhafokysl4yltpkutm.net/ppnl3.exe
md5sum ===> 547c0e1a9fd93b52f95ce6b4cb3e30dd
http://www.virustotal.com/file-scan/report.html?id=03a4369f802f8e348f22d2c691cf1044172637ff979844d1e0a20844578ae07c-1291313631
VT 7/43 (16.3%)
Code:
hxxp://timewhich.net/panel3/gotobank.php
hxxp://bd0hjsknhafokysl4yltpkutm.net/panel3/gotobank.php
Title: Re: New Zeus server
Post by: jackberri on December 02, 2010, 08:35:53 pm
IP Location: Ukraine - INFORMEX-NET - INFORMEX-MNT
AS20564
Code:
hxxp://193.178.172.53/news/?s=3104
md5sum ===> 11324f1361f35f1de6dc16aae5c8ebd3
Code:
hxxp://193.178.172.53/news/?s=6225
md5sum ===> 56ae39b67657f0ea358ee32ec7592d78
http://www.virustotal.com/file-scan/report.html?id=4c9ec0754caf1e224e3d948fd73018d528503adc47ee4341d09ea53731dbdfe7-1291321763
VT 30/43 (69.8%)
Title: Re: New Zeus server
Post by: jackberri on December 07, 2010, 04:48:02 pm
IP Location: China - Chinanet-zj Quzhou Node Network
IP 122.227.108.26
AS4134
ns1.holdglass.com
ns2.holdglass.com
Registrant/Email Registrant: Vladislav Petrenko/altsrv@gmail.com
Code:
hxxp://trhxzrdqtgsmru8lulzuzwwax.net/ppnl3.bin
hxxp://trhxzrdqtgsmru8lulzuzwwax.net/panel3/ppnl3.bin
md5sum ===> cb6c98dfd1739f02225a7df15202a2d2
Code:
hxxp://trhxzrdqtgsmru8lulzuzwwax.net/panel3/ppnl3.exe
md5sum ===> 8df7643a4c2d3014e8000d59e1674c72
http://www.virustotal.com/file-scan/report.html?id=eefffb421327847a0e2dac88eda2ea272dfacb00cce93641682a8cb72737e8a6-1291658261
VT 16/43 (37.2%)
Code:
hxxp://trhxzrdqtgsmru8lulzuzwwax.net
IP Location: Ukraine - ITMUA-AS TOB
IP 194.1.220.43
AS50738
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Private Person/admin@ruoff.ru
Code:
hxxp://newupdate.ru/s0la6rleswoa4ia/p21agO.bin
md5sum ===> 6c83d9fc2c2030a0aea4790f1e3cf266

IP Location: Russian Federation - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.44
AS29106
ns2.reg.ru
ns1.reg.ru
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://notephgotolib.com/de1.so
md5sum ===> 079e2d5bc3c374ff49166c7cfe8046b4
Title: Re: New Zeus server
Post by: jackberri on December 09, 2010, 10:59:34 am
IP Location: Ukraine - ITMUA-AS TOB
IP 109.196.130.58
AS39150
ns1.niceday242steal.net 109.196.130.58
ns2.niceday242steal.net 109.196.130.58
Registrant/Email Registrant: Victor I Brikatnin/mire@maillife.ru
Code: [Select]
hxxp://niceday242steal.net/nnesx/cf2.bin
md5sum ===> e03ca0dcd2db149e3781f6187be09c8c
Title: Re: New Zeus server
Post by: jackberri on December 09, 2010, 09:28:35 pm
IP Location: Ukraine - ITMUA-AS TOB
IP 194.1.220.43
AS50738
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Private Person/admin@ruoff.ru
Code: [Select]
hxxp://sysupdate.ru/XIu2LaboagOUmOU/g8eHlu.bin
md5sum ===> b40957b98a0016f82765e2697b2f2085
Title: Re: New Zeus server
Post by: jackberri on December 10, 2010, 08:04:54 pm
IP Location: United States - THEPLANET-AS2
IP 75.125.133.82
[cp102.hostingcare.net]
AS21844
Registrant/Email Registrant: Mr Asif/info@ebusinesssubmit.com
Code: [Select]
hxxp://ebusinesssubmit.com/images/menu_005.gif
md5sum ===> b0f1038a773e5677b70dd0ab711b6223
Code: [Select]
hxxp://doberenz.net/pickpic/images/list.php
IP Location: Russian Federation - Antarktida-PLUS
IP 91.220.62.35
AS51699
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://rewadotkant.com/11x88.so
md5sum ===> 3ce31c458606a65c29ca10af5c5c454d
Title: Re: New Zeus server
Post by: jackberri on December 11, 2010, 07:39:01 am
IP Location: Ukraine - INTERPHONE NET
IP 195.214.238.241
AS24881
Registrant/Email Registrant: Dean E. Taul/DeanETaul@gmail.com
Code: [Select]
hxxp://eimhuwyt.com/best/gwgw222.img
md5sum ===> 241827e6534c3b06f0e61cc6f9573aed
Code: [Select]
hxxp://eimhuwyt.com/best/qwert.php
IP Location: Ukraine - Antarktida-PLUS
IP 91.220.62.35
AS51699
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://kameltruksc.com/11x10.so
md5sum ===> bca5a2cdb68a5913088de5362bcf9615
Code: [Select]
hxxp://kameltruksc.com/i.php
Title: Re: New Zeus server
Post by: jackberri on December 11, 2010, 11:42:02 am
IP Location: Russian Federation - Delfa network - DELFANET-AS
IP 194.0.245.78
AS42533
Registrant/Email Registrant: john Malsa/admin@answerone.asia
Code: [Select]
hxxp://answerone.asia/zs/config.bin
md5sum ===> 4b04444c6e445cb5f1f5668d4cd0ec2c
Code: [Select]
hxxp://answerone.asia/zs/bot.exe
md5sum ===> db746488f1138d9a66565f66dda20b63
http://www.virustotal.com/file-scan/report.html?id=16e527b805c47b6bc2e33a77ae3f00126d9909214d8cfbd877530f79d5878ac6-1292067098
VT 39/43 (90.7%)
Code: [Select]
hxxp://answerone.asia/zs/gate.php
Title: Re: New Zeus server
Post by: jackberri on December 11, 2010, 07:31:43 pm
IP Location: Ukraine - GORBY-AS Alexandr Gorbunov
IP 195.226.197.35
AS51303
Registrant/Email Registrant: Cobos V Sanchez/admin@for-advanced-cfg3.com
Code: [Select]
hxxp://for-advanced-cfg3.com/abudabi/uk.db
md5sum ===> b0c83f11ad8156c539510c01db0f92a2
Code: [Select]
hxxp://for-advanced-cfg3.com/monte-karlo/usdase.db
md5sum ===> ea7ff87d5b061cd384c10a4de7ecdfb7
Code: [Select]
hxxp://for-advanced-cfg3.com/abudabi/uk.exe
md5sum ===> 22a28c8317d49d98d1114e43991fc9a5
http://www.virustotal.com/file-scan/report.html?id=d27365424fbd3e52dc1bfceaf8f54a95c76031eaef911d68d5c7f9f6893494ce-1292095222
VT 1/43 (2.3%)
Code: [Select]
hxxp://for-advanced-cfg3.com/monte-karlo/us.exe
md5sum ===> 96bda1cf5b2f45e829ae9a81b8372de3
http://www.virustotal.com/file-scan/report.html?id=120775468daf3b3d3d4cdfb5fff35b1817bbb7e1e592219bdcd7a49d00f7d3f3-1292095204
VT 3/43 (7.0%)
already listed:
Code: [Select]
hxxp://195.226.197.24/~hosting/woops/ttf.php
Title: Re: New Zeus server
Post by: jackberri on December 12, 2010, 01:54:50 pm
Code: [Select]
hxxp://rs719l3.rapidshare.com/files/433742163/fotos.jpg
md5sum ===> d3d80725002f80760e0c8f9c6e7e6906
http://www.virustotal.com/file-scan/report.html?id=531d61d985fd57562bdb6a4c8b62915cab52a191b17f779b5b9a27e0697c32ca-1292160814
VT 26/43 (60.5%)
IP Location: Ukraine - NET-VPNME Route Object - VPNME-AS Igor Vladimirovich Kanaev
IP 195.226.220.45
AS51354
Registrant/Email Registrant: Private Person/dm.nagib@ymail.com
Code: [Select]
hxxp://maxpowerlatam.ru/max/anime.jpg
md5sum ===> 0bb56775a48c30bd969914d18c6dc1d6
Code: [Select]
hxxp://maxpowerlatam.ru/max/music.php
related:
IP Location: Germany - Deutsche Telekom AG - DTAG Deutsche Telekom AG
IP 80.150.6.143
[tld.t-online.de]
AS3320
Code: [Select]
hxxp://modellbau-cleeberg.de/img/jSpread.exe
md5sum ===> d80ea394ecc849ff1130266502351a12
http://www.virustotal.com/file-scan/report.html?id=f4f60ee3c6044874c2e5278ef1b42fd8d2fbde691b55aad5716a6c77ac8d44a3-1292159737
VT 32/43 (74.4%)
IP Location: Germany - DE-HEC - HOSTEUROPE-AS
IP 80.237.132.213
[wp206.webpack.hosteurope.de]
AS20773
Code: [Select]
hxxp://hswshop.de/foto.jpg.exe
md5sum ===> 588de01d66c30af7dada7314f466345f
http://www.virustotal.com/file-scan/report.html?id=9ebff4a323e10ab780c023ed241974764df5d7236998eb9cc77ed082efe0dae8-1292161542
VT 14/43 (32.6%)
Title: Re: New Zeus server
Post by: jackberri on December 13, 2010, 10:40:11 am
IP Location: United States - THEPLANET-AS2
IP 67.18.8.98
[datsun.websitewelcome.com]
AS21844
Registrant/Email Registrant: ProfitBiz.net/suprman5225@aol.com
Code: [Select]
hxxp://frilled-dragon.com/comments/selectandthe.exe
md5sum ===> 3454164605d20d7a41fef13f3fef87a2
http://www.virustotal.com/file-scan/report.html?id=7ebfe96f1c7250b8e34246f16151516fb0d5d6aa98f5647eb93031f5cacf63ac-1292235837
VT 18/43 (41.9%)
related (already listed):
Code: [Select]
hxxp://fishnetministries.org/templates/list.php
IP Location: Russian Federation - VLine Telecom -VLTELECOM-AS
IP 109.196.142.35
AS39150
Registrant/Email Registrant: Evgeniy Drobovich/handle@bigmailbox.ru
Code: [Select]
hxxp://udodirchots.com/esw/rog.er
md5sum ===> c72a9075f1e81df332eaff48ad1a1a06

IP Location: Ukraine - VHost route- VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.44
AS29106
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://milkdrinktea.com/11x13.so
md5sum ===> 6d440b9a470a361c6a360c7dcbecffe6
Code: [Select]
hxxp://milkdrinktea.com/i.php
IP Location: Ukraine - VHost route- VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.44
AS29106
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://kaapuchinram.com/11x12.so
md5sum ===> 33e305b56c6c70f528b499dc0bd6b75f
Code: [Select]
hxxp://kaapuchinram.com/i.php
Title: Re: New Zeus server
Post by: jackberri on December 13, 2010, 09:17:34 pm
IP Location: Ukraine - VHost route - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.44
AS29106
Registrant/Email Registrant: Evgeniy Jaakson/eejaak@aol.com
Code: [Select]
hxxp://unagimakimoto.com/11x15.so
md5sum ===> b4a8b363caccf0ef7e98ba6ad45043d5
Code: [Select]
hxxp://unagimakimoto.com/i.php
Title: Re: New Zeus server
Post by: jackberri on December 14, 2010, 10:06:42 am
IP Location: Ukraine - NET-VPNME Route Object - VPNME-AS Igor Vladimirovich Kanaev
IP 195.226.220.50
AS51354
ns1.everydns.net
ns2.everydns.net
ns3.everydns.net
ns4.everydns.net
Registrant/Email Registrant: Mark C TH/mcthomas34@first-host.net
Code: [Select]
hxxp://dtdtdtdouble6677.com/2xx/c2/cfg_doubtes2.bin
md5sum ===> a8bc63e5c52ca104f7e9349f97cf4f14
Code: [Select]
hxxp://dtdtdtdouble6677.com/2xx/e.php
Title: Re: New Zeus server
Post by: jackberri on December 14, 2010, 05:59:33 pm
IP Location: Ukraine - Antarktida-PLUS
IP 91.220.62.35
AS51699
ns2.reg.ru
ns1.reg.ru
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://polirtikolost.com/000x118.so
md5sum ===> cf0cbefaaf8a8eecc871d64b5a102be8
Code: [Select]
hxxp://polirtikolost.com/i.php
IP Location: Ukraine - ITMUA-AS TOB
IP 194.1.220.80
AS50738
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Private Person/admin@nvffr.ru
Code: [Select]
hxxp://jjjayy.ru/a.bin
md5sum ===> 01a1828c78e8dc01f1b9e044c269a248
Code: [Select]
hxxp://jjjayy.ru/d.php
Title: Re: New Zeus server
Post by: jackberri on December 14, 2010, 08:39:39 pm
IP Location: United States - iWeb Route Object - IWEB-AS
IP 67.205.111.22
AS32613
Code: [Select]
hxxp://all4corp.com/xed/config.bin
hxxp://all4corp.com/xed/recover.bin
md5sum ===> c94531f29253dced04791837c4df42ff
Code: [Select]
hxxp://all4corp.com/xed/yourbot.exe
md5sum ===> 63ed9ce45590427b17ed293246fa7935
http://www.virustotal.com/file-scan/report.html?id=a78ae65f4b529109b44b9e51acbe3cb4c51e9a51073ccfa24f8c935f95520f64-1292341955
VT 23/43 (53.5%)
Code: [Select]
hxxp://all4corp.com/xed/gate.php
Title: Re: New Zeus server
Post by: jackberri on December 15, 2010, 05:37:32 pm
IP Location: Ukraine - ITMUA-AS TOB
IP 194.1.220.35
AS50738
ns1.no-more-sleep.com
ns2.no-more-sleep.com
Registrant/Email Registrant: Sigurny Parker/admin@no-more-sleep.com
Code: [Select]
hxxp://no-more-sleep.com/z2/config.bin
md5sum ===> 0444d129b431101d953bd8a5a7d470fb
Code: [Select]
hxxp://no-more-sleep.com/z2/bot.exe
md5sum ===> 0a1addfe1423891b80afba1df567dd99
http://www.virustotal.com/file-scan/report.html?id=50bf72a171dd401a4415fec17c0c5017c1b0686a87899b6b5910656c82a4faf7-1292434204
VT 4/43 (9.3%)
Code: [Select]
hxxp://no-more-sleep.com/z2/gate.php
IP Location: Ukraine - L-NET Route Object - LYAHOV-AS Lyahovich Maksim
IP 91.217.249.140
AS51554
free01.editdns.net
free02.editdns.net
Registrant/Email Registrant: Pavel Pugachev/ya_whois@yandex.ru
Code: [Select]
hxxp://shitorfuck.com/gorozo/y.b
md5sum ===> 0c154c4c5567b1561950fff3eb617236
Code: [Select]
hxxp://shitorfuck.com/gorozo/olololo.php
IP Location: Ukraine - ITMUA-AS TOB
IP 194.1.220.142
AS20564
NS1.DOMAINSERVICE.COM 208.73.210.41
NS2.DOMAINSERVICE.COM 208.73.211.42
NS3.DOMAINSERVICE.COM
NS4.DOMAINSERVICE.COM
Registrant/Email Registrant: Mark Carter/oxumafehidygady@yahoo.com
Code: [Select]
hxxp://ngmsoggkrrriljrv.com/news/?s=161356
md5sum ===> 041ba8cae1a8176f1fd88c5e6bcf1b6d
Code: [Select]
hxxp://ngmsoggkrrriljrv.com/news/?s=6225
md5sum ===> a43202b4492e4fa036e7dcdb3c35548e
http://www.virustotal.com/file-scan/report.html?id=7eb9a3c17c6fc4ce5c08c5bfa48b8621d9128a5a1152a11d8012bd414ff77949-1292429585
VT 18/43 (41.9%)

IP Location: China - CHINA-TELECOM
IP 122.227.108.26
AS4134
ns1.holdglass.com
ns2.holdglass.com
Registrant/Email Registrant: Igor Nikenin/i-nikitin.2000@gmail.com
Code: [Select]
hxxp://flowershopco.com/panel3/ppnl3.exe
hxxp://wzcqwrmchtl4flrhdfngr4jnl.net/panel3/ppnl3.exe
md5sum ===> 57571888ad9d1dc4774863fdb10b58c8
http://www.virustotal.com/file-scan/report.html?id=f2d1c4895e41beb2d3411a43c8a6986ea2d0d9432dcdd5576f54a056b01ee58e-1292430380
VT 24/43 (55.8%)
Code: [Select]
hxxp://flowershopco.com/panel3/gotobank.php
hxxp://wzcqwrmchtl4flrhdfngr4jnl.net/panel3/gotobank.php

IP Location: Ukraine - Antarktida-PLUS
IP 91.220.62.35
AS50738
ns2.reg.ru
ns1.reg.ru
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://illusiohstar.com/000x119.so
md5sum ===> 2a9496a4edee4cc8f6c23055fd18d3a5
Code: [Select]
hxxp://illusiohstar.com/i.php
IP Location: Ukraine - Antarktida-PLUS
IP 91.220.62.35
AS50738
ns2.reg.ru
ns1.reg.ru
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://interodialset.com/000x120.so
md5sum ===> 240e74250254543e4b7d38f0b9016021
Code: [Select]
hxxp://interodialset.com/i.php
Title: Re: New Zeus server
Post by: jackberri on December 15, 2010, 08:58:10 pm
IP Location: Ukraine - L-NET Route Object - LYAHOV-AS Lyahovich Maksim
IP 91.217.249.167
AS51554
ns1.derttttt.ru
ns2.derttttt.ru
Registrant/Email Registrant: Private Person/dns@derttttt.ru
Code: [Select]
hxxp://ocmande222.ru/data/data.jpg
IP Location: China - CHINANET-SCIDC-AS
IP 221.236.15.4
AS38283
ns1.python-blog.net
ns2.python-blog.net
Registrant/Email Registrant: Sandra Alonso/sandraalonso90@yahoo.com
Code: [Select]
hxxp://ary-neigeborn.com/stars.o1
md5sum ===> 8243894e36586d8c22dce87d88f61f7f
Code: [Select]
hxxp://ary-neigeborn.com/stars.php
Title: Re: New Zeus server
Post by: jackberri on December 16, 2010, 11:30:27 am
IP Location: Ukraine - Antarktida-PLUS
IP 91.220.62.35
AS51699
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Evgeniy Jaakson/eejaak@aol.com
Code: [Select]
hxxp://jakudzahamato.com/000x121.so
md5sum ===> 27b51d4b76f08d3fed8901f9665c8812
Code: [Select]
hxxp://jakudzahamato.com/i.php
IP Location: China - CHINANET-JS-AS-AP
IP 61.147.67.237
AS23650
ns.xost.com.ua
ns2.xost.com.ua
Registrant/Email Registrant: anatoliy Petrenko/sasaluschik@mail.ru
Code: [Select]
hxxp://gmailservices.com/fvto/conf.blr
md5sum ===> a427d79e18ae061344fdd25cc463a180
Code: [Select]
hxxp://gmailservices.com/drots/notrbl.php
IP Location: United States
IP 96.31.64.227
[server18.imaginadw.com]
AS29802
ns2.imaginadw.com
ns1.imaginadw.com
Registrant/Email Registrant: Carlos Devia/carlosdevia@imaginacolombia.com
Code: [Select]
hxxp://tecnimercedes.com/images/logo.jpg
md5sum ===> 130c7fc7958fa250b1ef3967c9a96ce9
Title: Re: New Zeus server
Post by: jackberri on December 16, 2010, 06:02:02 pm
IP Location: Ukraine - GORBY-AS Alexandr Gorbunov
IP 195.226.197.36
AS51303
ns1.freedns.ws
ns2.freedns.ws
Registrant/Email Registrant: Cachetta Harris/admin@for-advanced-cfg4.com
Code: [Select]
hxxp://for-advanced-cfg4.com/monte-karlo/usdase.db
md5sum ===> 74664662ca26e803d3201708b9fe5c67
Code: [Select]
hxxp://for-advanced-cfg4.com/abudabi/uk.db
md5sum ===> 3a8dd01ce9312f4aeb156461c6b9e4d5
Code: [Select]
hxxp://for-advanced-cfg4.com/abudabi/uk.exe
md5sum ===> d791ed9bd83cf47b94067f79551dbb8c
http://www.virustotal.com/file-scan/report.html?id=c854f743769e79d886107c9b5e02e306a51a065006c233374c819716f76f658e-1292521874
VT 3/43 (7.0%)
Code: [Select]
hxxp://for-advanced-cfg4.com/monte-karlo/us.exe
md5sum ===> 232aed6f0c4d11cff07720ffea73e2c6
http://www.virustotal.com/file-scan/report.html?id=f53db9435c2081ac51c003fa57c513425b1ddc03a3bd04aec5e55e5da47e26c6-1292521911
VT 1/43 (2.3%)
Code: [Select]
hxxp://195.226.197.24/~hosting/woops/ttf.php
IP Location: United States - tyBit add - AITNET Advanced Internet Technologies
IP 216.117.129.32
[nameservices.net]
AS10843
ns0.aitcom.net
ns1.aitcom.net
Registrant/Email Registrant: Bob Roberts/bginkc@gmail.com
Code: [Select]
hxxp://knuckleheadskc.com
md5sum ===> d6acd9e1894ef64178330c3697901996
Code: [Select]
hxxp://www.iberianlawyer.com/components/com_jobline/jobline.list.php
Title: Re: New Zeus server
Post by: jackberri on December 16, 2010, 07:05:58 pm
Code: [Select]
hxxp://knuckleheadskc.com
md5sum ===> d6acd9e1894ef64178330c3697901996
Code: [Select]
hxxp://www.iberianlawyer.com/components/com_jobline/jobline.list.php

Code: [Select]
hxxp://knuckleheadskc.com/image04.jpg
md5sum ===> d6acd9e1894ef64178330c3697901996
Code: [Select]
hxxp://www.iberianlawyer.com/components/com_jobline/jobline.list.php
Title: Re: New Zeus server
Post by: jackberri on December 16, 2010, 08:09:17 pm
IP Location: Ukraine - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.44
AS29106
ns1.reg.ru
ns2.reg.ru
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://werlijokityp.com/000x124.so
md5sum ===> edac1f41cdf70befe6b1fe5526072b8a
Code: [Select]
hxxp://werlijokityp.com/i.php
Code: [Select]
hxxp://91.213.174.6/ups/crypt_ALL.exe
hxxp://91.213.174.10/ups/crypt_ALL.exe
hxxp://91.213.174.44/ups/crypt_ALL.exe
md5sum ===> 31c51d3b6c637ff66bfb84c5c1bcdbad
http://www.virustotal.com/file-scan/report.html?id=fceed6adaee5900c05af0f716262e7414427331d00483f324aa4c3c4c3849d32-1292528961
VT 2/42 (7.0%)

Code: [Select]
hxxp://91.213.174.6/ups/Output.exe
hxxp://91.213.174.10/ups/Output.exe
hxxp://91.213.174.44/ups/Output.exe
md5sum ===> df29b9866397fd311a5259c5d4bc00dd
http://www.virustotal.com/file-scan/report.html?id=09e67b5fba19cd441f8df70b30e54afa925e6597d1db64b3465b2433d1a9e4e5-1292529219
VT 3/43 (2.3%)
Title: Re: New Zeus server
Post by: jackberri on December 17, 2010, 08:09:49 am
IP Location: Russian Federation - VLine Telecom Block - VLTELECOM-AS
IP 109.196.142.37
AS39150
ns1.sharedfvm.com
ns2.sharedfvm.com
Email Registrant: Sean T Ryan/sryan@infin8web.com
Code: [Select]
hxxp://firefoxantiscam.com/grep/plugins
md5sum ===> cff5b8c95f65d515d4453676486db120

Code: [Select]
hxxp://91.207.182.50/z2/config.bin
md5sum ===> d0fb59cace1daeca0e5aaff192655d54
Code: [Select]
hxxp://91.207.182.50/z2/bot.exe
md5sum ===> db29c546d6ee598805c7d5f9f6500344
http://www.virustotal.com/file-scan/report.html?id=97435989c5be0e37fc235f6c23daeeef06ae60ec1ab563f67e810dc68149eed1-1292572186
VT 20/43 (46.5%)
Code: [Select]
hxxp://91.207.182.50/z2/gate.php
Title: Re: New Zeus server
Post by: jackberri on December 17, 2010, 07:47:45 pm
IP Location: United States - SAVVIS Communications
IP 64.14.68.87
[server286.com]
AS3561
ns1.server286.com
ns2.server286.com
Email Registrant: RICHARD MARTEL/(INSPECTOR-RICH@USA.NET, IMNOT12@AOL.COM)
Code: [Select]
hxxp://ohiolabradoodles.com/Labradoodles/birthi7.jpg
md5sum ===> 88e6ee95ed3c2abacabd0bb5a63093ed5
Code: [Select]
hxxp://massski.com/includes/CDDB.php
IP Location: Ukraine - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.44
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Aaltonen Alexander/aolalexalt@yahoo.com
Code: [Select]
hxxp://lib32listends.com/000x125.so
md5sum ===> cd6150e073aaee5917622b204f465401
Code: [Select]
hxxp://lib32listends.com/i.php
IP Location: Ukraine - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.44
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Aaltonen Alexander/aolalexalt@yahoo.com
Code: [Select]
hxxp://enkwertiout.com/000x126.so
md5sum ===> b1a363eb8046d98b622a188365c309c0
Code: [Select]
hxxp://enkwertiout.com/i.php
Title: Re: New Zeus server
Post by: jackberri on December 18, 2010, 07:00:33 pm
IP Location: Romania - Sc Grand Confort Srl
IP 188.229.90.159
AS49469
ns3.cnmsn.com
ns4.cnmsn.com
Registrant/Email Registrant: Whois Privacy Protection Service/hconvcromu@whoisservices.cn
Code: [Select]
hxxp://rainjournalhere.com/test/config.bin
md5sum ===> ce4215bd5a1a78fd3b817fc533b29e20
Code: [Select]
hxxp://rainjournalhere.com/test/bot.exe
md5sum ===> 9042122db925ed4e254e46dd7bfe92e5
http://www.virustotal.com/file-scan/report.html?id=810523a3967411a13c2eb491d947d09a87a5fc2be0c2a7f4e672c275e11a497d-1292698571
VT 20/43 (46.5%)
Code: [Select]
hxxp://rainjournalhere.com/test/gate.php
Title: Re: New Zeus server
Post by: jackberri on December 21, 2010, 04:26:55 pm
IP Location: Russian Federation - VLine Telecom - VLTELECOM-AS
IP 109.196.142.39
AS39150
dns1.webdrive.ru
dns2.webdrive.ru
Registrant/Email Registrant: Viktoriya Stimtseva/nahi83@mail.ru
Code: [Select]
hxxp://sbooking.ws/f_ewghkwegr/heku779/btn3/f2re65.bin
md5sum ===> bf941954749923fd7f25018263cd063b

IP Location: Russian Federation - Antarktida-PLUS
IP 91.220.62.35
AS51699
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Evgeniy Jaakson/eejaak@aol.com
Code: [Select]
hxxp://dkfbjkbgbfowerg.com/000x130.so
md5sum ===> a4da11fb5880a6a7819fe8e2c7cd2be7
Code: [Select]
hxxp://dkfbjkbgbfowerg.com/i.php
IP Location: Ukraine - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.221
AS29106
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Kovaleva Nadejda/nadejda_kovaleva@yahoo.com
Code: [Select]
hxxp://jscompressing.com/img/logo.jpg
md5sum ===> af3bbfa1f928209e528d894080f77088
Title: Re: New Zeus server
Post by: jackberri on December 22, 2010, 10:27:23 am
IP Location: Russian Federation - Route for Yuzhno-Sakhalinsk Internet Exchange - ASN-YS-IX Yuzhno-Sakhalinsk
IP 194.88.11.143
AS31506
ns3.cnmsn.com
ns4.cnmsn.com
Registrant/Email Registrant: Vladimir Bevza/admin@dpxp.net
Code: [Select]
hxxp://fsdm.net/sx881/gta77.bin
md5sum ===> 470bcd4e01632c31955eea956962f498

IP Location: Russian Federation - VLTELECOM-AS
IP 109.196.142.35
AS39150
ns1.infonoteoda.com
ns2.infonoteoda.com
Registrant/Email Registrant: Vladimir Bevza/admin@dpxp.net
Code: [Select]
hxxp://infonoteoda.com/auu/auv.mu
md5sum ===> 48ca4991247482b2ee794daa7b6da245

IP Location: Ukraine - INFORMEX-MNT
IP 193.178.172.88
AS20564
ns3.cnmsn.com
ns4.cnmsn.com
Created: 2010-12-14
Registration Service Provided By: Bizcn.com
Registrant/Email Registrant: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://hosting-place.cc/1/cgi.bin
md5sum ===> 255c1a5187b4710d7a83eb68b3f37285
Code: [Select]
hxxp://dfi-university.com/images/gif/3/_tmp/003/tmp/gate7489.php
Title: Re: New Zeus server
Post by: jackberri on December 22, 2010, 01:40:44 pm
IP Location: Russian Federation - Route for Yuzhno-Sakhalinsk Internet Exchange - ASN-YS-IX
AS31506
dns.rebel.com
dns2.rebel.com
Registrant ID: RBL1901486
Registrant/Email Registrant: Michael Krejci/ovylypetutyz@yahoo.com
Code: [Select]
hxxp://expqlojkxytqp.biz/news/?s=76514
hxxp://ytlupjhtokqhhqwf.com/news/?s=76514
hxxp://oryxyioosnrmfvvq.com/news/?s=76514
hxxp://194.88.11.48/news/?s=76514
md5sum ===> 8697d747d2c2c194dadf19c1c2242ce3
Code: [Select]
hxxp://expqlojkxytqp.biz/news/?s=81321
hxxp://ytlupjhtokqhhqwf.com/news/?s=81321
hxxp://oryxyioosnrmfvvq.com/news/?s=81321
hxxp://194.88.11.48/news/?s=81321
md5sum ===> 67b3b1d270a21c841827f0d1d10e2f34
Code: [Select]
hxxp://expqlojkxytqp.biz/news/?s=6225
hxxp://ytlupjhtokqhhqwf.com/news/?s=6225
hxxp://oryxyioosnrmfvvq.com/news/?s=6225
hxxp://194.88.11.48/news/?s=6225
md5sum ===> e28ac6318d4417218a1052e2e2b3b4a1
http://www.virustotal.com/file-scan/report.html?id=bd65ba00555822cddc050af39a64509a7bbef00e6fe4b4f19a3ad1a1933aab3a-1293024393
VT 22/42 (52.4%)
Title: Re: New Zeus server
Post by: jackberri on December 23, 2010, 04:02:48 pm
IP Location: China - CHINANET GuangDong - CHINA-TELECOM
IP 113.105.152.19
AS4134
ns7.cnmsn.net
ns8.cnmsn.net
Registrant/Email Registrant: zonghui he/hzhwsk@126.com
Code: [Select]
hxxp://aiyanxinxi.com:443/img/logo.jpg
md5sum ===> 17ac6654ee96a5241fc8a7f83a82b505
Code: [Select]
hxxp://aiyanxinxi.com:443/rssfeed/index.asp
IP Location: Russian Federation - Route for Yuzhno-Sakhalinsk Internet Exchange - ASN-YS-IX Yuzhno-Sakhalinsk
IP 194.88.11.53
AS31506
ns1.dreamhost.com
ns2.dreamhost.com
ns3.dreamhost.com
Domain ID: D35813527-LRMS
Registrant/Email Registrant: watchense.info Private Registrant/watchense.info@proxy.dreamhost.com
Code: [Select]
hxxp://watchense.info/usa.bin
md5sum ===> f8186fd5a3a2a63f6f355b642905a78e
Code: [Select]
hxxp://watchense.info/redir.php
Title: Re: New Zeus server
Post by: jackberri on December 29, 2010, 08:21:05 pm
IP Location: Ukraine - Pe Bondarenko Dmitriy Vladimirovich
IP 91.213.174.43
AS29106
ns2.reg.ru
ns1.reg.ru
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://erj439ujje.com/005.so
md5sum ===> 74336aa5f9cc53eb32d8cbb0db5ec722
Code: [Select]
hxxp://erj439ujje.com/i.php
IP Location: Romania - SA-NOVA-TELECOM-GRUP-SRL
IP 188.229.90.138
AS49469
ns3.cnmsn.com
ns4.cnmsn.com
Registrant/Email Registrant: Whois Privacy Protection Service/rnyfxwgrjk@whoisservices.cn
Code: [Select]
hxxp://securedalertcheck.com/trash/oldinfo/deleted/stdata.bin
md5sum ===> 218be4f34792e8e0a07785f8f0e4081b
Code: [Select]
hxxp://securedalertcheck.com/service/repair/backup/setup/login.php
IP Location: Ukraine - it-outsource-as LLC
IP 91.207.182.50
AS48280
NS01.DOMAINCONTROL.COM
NS02.DOMAINCONTROL.COM
Registrant ID: CR70183061
Registrant/Email Registrant: Julie Hennessey/juliehennessey81@yahoo.com
Code: [Select]
hxxp://sparkgirls.biz/z2/config.bin
md5sum ===> 66342adb1a865bb1476e7e15e8d481b1
Code: [Select]
hxxp://sparkgirls.biz/z2/bot.exe
md5sum ===> 94a9a1bb68411343205b0862d9f89193
http://www.virustotal.com/file-scan/report.html?id=c10c8eff899f7a6e98fcf3b47cbbbf27a5b75d4a4f933b3b0afa0d93ff93f7f0-1290448225
VT 20/43 (46.5%)
Code: [Select]
hxxp://sparkgirls.biz/z2/gate.php
IP Location: Russian Federation - VLTELECOM-AS
IP 109.196.130.58
AS39150
ns1.niceday242steal.net 109.196.130.58
ns2.niceday242steal.net 109.196.130.58
Registrant ID: SXCKEOV-RU
Registrant/Email Registrant: Victor I Brikatnin/mire@maillife.ru
Code: [Select]
hxxp://niceday242steal.net/nnesx/cf2.bin
md5sum ===> 156a55d94f6203d971357f79100fe74a

IP Location: China - CRNET_BJ_IDC-CNNIC-AP
IP 222.35.139.225
AS24138
ns1.r3registry.com
ns2.r3registry.com
Registrant ID: DI_13517667
Registrant/Email Registrant: Yosha Harimo/info@yahooanalytics.in
Code: [Select]
hxxp://dvadoma.in/traher/tashmik.bin
md5sum ===> 21705df723735b4f2807de6c86ce4dc7
Code: [Select]
hxxp://odindoma.in/yptas/francherinki.php
Title: Re: New Zeus server
Post by: jackberri on December 31, 2010, 12:53:04 pm
IP Location: Russian Federation - VLTELECOM-AS VLineTelecom LLC
IP 109.196.142.35
AS39150
ns2.kamantistol.com
ns1.kamantistol.com
Registrant/Email Registrant: Nataliya Kondrateva/usage@cheapbox.ru
Code: [Select]
hxxp://kamantistol.com/ger/ber.ln
md5sum ===> 1689e22241f6e2ed0b1baf5c8a91632e

IP Location: Russian Federation - VLTELECOM-AS VLineTelecom LLC
IP 109.196.142.37
AS39150
ns1.sharedfvm.com
ns2.sharedfvm.com
Registrant/Email Registrant: Sean T Ryan/sryan@infin8web.com
Code: [Select]
hxxp://firefoxantiscam.com/grep/plugins
md5sum ===> c1d2f9c74819ace766b0eee3b9b27868
Title: Re: New Zeus server
Post by: jackberri on December 31, 2010, 05:57:07 pm
IP Location: Malaysia - Gigabit Hosting - GIGABIT-MY
IP 223.25.242.107
AS55720
NS3.MYNSHOSTING.NET
NS4.MYNSHOSTING.NET
Registrant ID: orghm90527321035
Code: [Select]
hxxp://systemtime.org//kn11ff/config.bin
md5sum ===> 55d73dae78d52531b4530e8786b52620

IP Location: Malaysia - Gigabit Hosting - GIGABIT-MY
IP 223.25.242.107
AS55720
NS1.FREEDNS.WS
NS2.FREEDNS.WS
Registrant ID: DI_12886840
Registrant/Email Registrant: Kramor Savva/dreamergus@yahoo.com
Code: [Select]
hxxp://abba31.biz/fifa/load/source.bin
md5sum ===> 90ffe810320796f42dc6ffaa57f7240e
Code: [Select]
hxxp://abba31.biz/fifa/gate.php
IP Location: Ukraine
AS196957
Code: [Select]
hxxp://193.107.172.11/abr.v.algZ/config.bin
md5sum ===> e1fa2d896d4c5126570c158f39fd8587
Code: [Select]
hxxp://193.107.172.11/abr.v.algZ/vorota.php
Title: Re: New Zeus server
Post by: jackberri on January 03, 2011, 08:36:23 pm
IP Location: Russian Federation - PROMIRANET
IP 194.63.144.80
AS31478
ns1.nameself.com.
ns2.nameself.com.
Registrant/Email Registrant: Private Person/admin@nvffr.ru
Code: [Select]
hxxp://yyyaanve.ru/b.bin
md5sum ===> b46a195e393dc2962a4f2c8dbffac6aa

IP Location: Russian Federation - LYAHOV-AS Lyahovich Maksim
IP 91.217.249.168
AS51554
ns1.letuchiyman.ru
ns2.letuchiyman.ru
Registrant/Email Registrant: Private Person/dns@letuchiyman.ru
Code: [Select]
hxxp://uskamalchik.ru/trust/trust.doc
md5sum ===> 6adb2d643d3879e394921a9effe2e818

IP Location: Ukraine - Igor Vladimirovich Kanaev
IP 195.226.220.55
AS51354
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Tom Anron/anrontom@aol.com
Code: [Select]
hxxp://5d3jwnf43f.com/l3.7z
md5sum ===> cf02863219cf3cf7aa9e9fa65f64ee5f
Code: [Select]
hxxp://5d3jwnf43f.com/index.php
Title: Re: New Zeus server
Post by: jackberri on January 04, 2011, 10:06:54 am
Fast Flux Botnet
Registrant/Email Registrant: Private Person/eta@yourisp.ru
Code: [Select]
hxxp://extratopupgrade.ru/config.i0
md5sum ===> 418826358fec49ca477e96751df4bf6c
Title: Re: New Zeus server
Post by: jackberri on January 06, 2011, 07:37:09 pm
IP Location: Russian Federation - PROMIRANET-MNT
IP 194.63.144.98
AS31478
ns3.cnmsn.com
ns4.cnmsn.com
Registrant/Email Registrant: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://ergvb433s.com/asdewq/biiin/uj.bin
md5sum ===> 73ea9aa3534fcd3cbbe51880788f7099
Code: [Select]
hxxp://ergvb433s.com/asdewq/gatte.php
Title: Re: New Zeus server
Post by: jackberri on January 10, 2011, 07:22:31 am
IP Location: Lithuania - SPLIUS-AS
IP 77.79.13.241
[hst-13-241.duomenucentras.lt]
AS25406
Registrant/Email Registrant: chang chen/ftgy23fge@126.com
Code: [Select]
hxxp://forum.worldwideplasticsforum.com/forum/logo.jpg
md5sum ===> 40e4d3e912337900fa5b747ce1337d5a
Code: [Select]
hxxp://forum.worldwideplasticsforum.com/forum/index.php
IP Location: Russian Federation - PMN-AS PROMIRANET multihomed network
IP 194.63.144.146
AS31478
ns3.gkg.net
ns4.gkg.net
Registrant/Email Registrant: todd brandau/asybubiqutofo@yahoo.com
Code: [Select]
hxxp://194.63.144.146/news/?s=187430
hxxp://cpviyhcsmrnitoei.com/news/?s=187430
hxxp://bxvtlnbwsqloppl.org/news/?s=187430
md5sum ===> 962e3914786313cc2497827d9b975e5a
Code: [Select]
hxxp://194.63.144.146/news/?s=128647
hxxp://cpviyhcsmrnitoei.com/news/?s=128647
hxxp://bxvtlnbwsqloppl.org/news/?s=128647
md5sum ===> 5eee837cbc27c1c1e98c39df2dd6d7a3
Code: [Select]
hxxp://194.63.144.146/news/?s=6225
hxxp://cpviyhcsmrnitoei.com/news/?s=6225
hxxp://bxvtlnbwsqloppl.org/news/?s=6225
md5sum ===> 0d9f8434b14445b2b1a2e0cc402aeaff
http://www.virustotal.com/file-scan/report.html?id=7a009c4d277a653796747a9d4b2358eff9f6e5ce33248fe90d9a9893ad0cd9ef-1294643045
VT 24/41 (58.5%)
Title: Re: New Zeus server
Post by: jackberri on January 10, 2011, 08:43:24 pm
IP Location: Russian Federation - PMN-AS PROMIRANET multihomed network
IP 194.63.144.56
AS31478
ns3.cnmsn.net
ns4.cnmsn.net
Registrant/Email Registrant: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://stayfreeatall.com/TrustedWithSign/ownresponse.dat
md5sum ===> 0a6536120042f53e74df7f8229df92a2
Title: Re: New Zeus server
Post by: jackberri on January 11, 2011, 09:13:28 am
IP Location: Russian Federation - PMN-AS PROMIRANET multihomed network
IP  194.63.144.44
AS31478
Code: [Select]
hxxp://boing747100jet.name/fg74jutr7g4fg5/ghr7je8gk4gjrtg.tmp
md5sum ===> 0e9462a66cee30a660b8f7eb7761536a

IP Location: Russian Federation - L-NET Route Object - LYAHOV-AS Lyahovich Maksim
IP 91.217.249.140
AS51554
ns26.dnsever.com
ns39.dnsever.com
ns51.dnsever.com
ns231.dnsever.com
ns259.dnsever.com
Registrant/Email Registrant: Ahmed Shamirov/ytraeior@mail.com
Code: [Select]
hxxp://sioalio.com/kindoro/corofak.jpg
md5sum ===> 492fa1b82eff736e90142ac541459508
Code: [Select]
hxxp://sioalio.com/kindoro/DGhskll83.php
Title: Re: New Zeus server
Post by: jackberri on January 13, 2011, 06:46:02 pm
IP Location: Ukraine - Llc Promiranetru
IP  91.200.188.99
AS44016
ns3.cnmsn.com
ns4.cnmsn.com
Registrant/Email Registrant: Hilary Kneber/hilarykneber@yahoo.com
Code: [Select]
hxxp://automauto.com/thfhc/biiin/uj.bin
md5sum ===> bc81e983a8efe919bb94e05fb8b18b51

IP Location: Ukraine - Llc Promiranetru
IP 91.200.188.191
AS44016
ns3.cnmsn.com
ns4.cnmsn.com
Registrant/Email Registrant: Security Inc. John Kolomon/admin@thisisgoodcorp.com
Code: [Select]
hxxp://blogspotstone.com/montblanc.bin
md5sum ===> 5a5d8b074145d6956e89baede79b61ad

IP Location: United States - BurstNET Technologies
IP 66.197.250.198
[trailblazer.stressfreetechnologies.com]
AS21788
ns2.000webhost.com
ns1.000webhost.com
Code: [Select]
hxxp://ifr001.comli.com/logo.gif
md5sum ===> edb28b7ec8998ea603b4a04777086d0f
Title: Re: New Zeus server
Post by: jackberri on January 14, 2011, 01:05:49 pm
IP Location: United States - RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
IP  173.208.154.30
AS32097
free01.editdns.net
free02.editdns.net
Registrant/Email Registrant: Hilary Kneber/ hilarykneber@yahoo.com
Code: [Select]
hxxp://mb53juu347d.com/durnr/hee3.bin
md5sum ===> 184fee09134d3c6b3c76bf6a656858e5
Code: [Select]
hxxp://mb53juu347d.com/durnr/ghzf6.bin
md5sum ===> d5c14b953e9c78142382f7f834fc147e
Code: [Select]
hxxp://mb53juu347d.com/vuhb/obdrs.bin
md5sum ===> 2e2dc89538e8c96dfe442cd5f01bb7e6
Code: [Select]
hxxp://mb53juu347d.com/vuhb/ubzu6.bin
md5sum ===> 6f76975bf227b98aa1a385d6697e4387
Code: [Select]
hxxp://b5k34o3i.info/su/wm.exe
md5sum ===> 3ce6a383621cdfa9622da79dbe7d90ce
http://www.virustotal.com/file-scan/report.html?id=bde9eca3c225fe16eca29330819ef84d446c6e0ddd5930aae01244632e15c788-1295009998
VT 15/43 (34.9%)
Code: [Select]
hxxp://mb53juu347d.com/durnr/mkw.php
hxxp://mb53juu347d.com/durnr/m4sd.php
hxxp://mb53juu347d.com/vuhb/hhe.php
hxxp://mb53juu347d.com/vuhb/mad.php
Title: Re: New Zeus server
Post by: jackberri on January 17, 2011, 10:52:08 am
IP Location: Romania - SA-NOVA-TELECOM-GRUP-SRL
IP 188.229.90.158
AS49469
ns5.cnmsn.net
ns6.cnmsn.net
Registrant/Email Registrant: wang cheng/giuitryuvg@hotmail.com
Code: [Select]
hxxp://microsupdates.com/_crfz/cr2zp
md5sum ===> b6487f908cb9d3bc9accbf21acc0d32c

IP Location: Ukraine - VolgaHost-as PE Bondarenko Dmitriy Vladimirovich
IP 91.213.174.221
AS29106
ns3.01isp.com
ns4.01isp.net
Registrant/Email Registrant: Luis R. Percy/luisrpercy@gmail.com
Code: [Select]
hxxp://specialfospmdate.net/list.php
Title: Re: New Zeus server
Post by: CkreM on January 17, 2011, 11:43:25 am
New Zeus version 2.0.8.9

Code: [Select]
http://oboabo.info/cache/exe.exe
http://oboabo.info/cache/live.bin
http://oboabo.info/xoiwuqpasd.php
Title: Re: New Zeus server
Post by: jackberri on January 17, 2011, 02:15:19 pm
IP Location: Romania - SA-NOVA-TELECOM-GRUP-SRL
IP 188.229.90.144
AS49469
ns3.cnmsn.com
ns4.cnmsn.com
Registrant/Email Registrant: Whois Privacy Protection Service/nlttgqxehl@whoisservices.cn
Code: [Select]
hxxp://elliota.com/sas/server[php]/cfg2.bin
md5sum ===> 0d51a25fdcd945789b8766fa22a86293
Code: [Select]
hxxp://elliota.com/sas/crdqargrxn8.exe
md5sum ===> cdf660d9a8c99cca312bbd0fb95383a8
http://www.virustotal.com/file-scan/report.html?id=b5415f73852c1b0b3839afd4c1cfaea9110a5de965ab1294eba661a69e1993e6-1295273425
VT 5/42 (11.9%)
Code: [Select]
hxxp://elliota.com/sas/server[php]/22gate22me.php
Title: Re: New Zeus server
Post by: jackberri on January 19, 2011, 08:27:33 pm
IP Location: Russian Federation - VLTELECOM-AS VLineTelecom LLC
IP 109.196.142.42
AS39150
ns2.ccatalunya.com
ns1.ccatalunya.com
Registrant/Email Registrant: Olesya Bogolepova/finale@bigmailbox.ru
Code: [Select]
hxxp://ccatalunya.com/gbt/uka.ok
md5sum ===> 84732a30cbcdf8b6da798df58ea2d985
Code: [Select]
hxxp://ccatalunya.com/gbt/ang.exe
md5sum ===> 65b3341d91451f9e3e2389ba7516b73c
http://www.virustotal.com/file-scan/report.html?id=98f1d38be5b43e495c19a38929ab05194e4e71a16a3953a2fd09476ed4bf291d-1295467503
VT 19/43 42 (45.2%)

IP Location: Moldova - SunCommunications-AS - JV
IP 83.218.223.11
[dt.globnet.md]
AS31204
ns1.beatsbyct.net
ns2.beatsbyct.net
Registrant/Email Registrant: Kirill Sulkhanyants/shea@free-id.ru
Code: [Select]
hxxp://eamba.com/vvx2222x/xxzz2.jpg
md5sum ===> 0e8b36df29149a1b94ff676ac77b7cf9
Code: [Select]
hxxp://eamba.com/vvx2222x/sdfn923kjlfan29iolafsd3.php
Title: Re: New Zeus server
Post by: jackberri on January 20, 2011, 12:28:45 pm
IP Location: Ukraine - NNCNT route -  NICE-AS Nice LTD
AS49158
Code: [Select]
hxxp://91.212.158.52/z2/config.bin
md5sum ===> c1adcbac358bda63b7eae76f24006132
Code: [Select]
hxxp://91.212.158.52/z2/bot.exe
md5sum ===> c3152209ac6ceb3b672ec35addfc1296
http://www.virustotal.com/file-scan/report.html?id=92e722b8f507809a5d9e54264ab2ae18c7afd7f3100ec4a1e2358c7e497eed3c-1295526251
VT 9/42 (21.4%)
Title: Re: New Zeus server
Post by: jackberri on January 21, 2011, 08:05:27 pm
IP Location: Russian Federation - VLTELECOM-AS VLineTelecom LLC
IP 109.196.142.37
AS39150
ns1.glasgosurvine.com 109.196.142.37
ns2.glasgosurvine.com 109.196.142.37
Registrant ID:           QTVMYUB-RU
Registrant/Email Registrant: Landysh F Akhmadullina/snowy@freenetbox.ru
Code: [Select]
hxxp://glasgosurvine.com/scr/poker
md5sum ===> 9c40b1ac7b10f67647ce4f0c17bf4a48
Code: [Select]
hxxp://glasgosurvine.com/scr/poker2
md5sum ===> ee64bf068899eaf76d439fa0a639cb61

IP Location: Ukraine - VLTELECOM-AS VLineTelecom LLC
IP 91.200.188.230
AS44016
ns1.reg.ru
ns2.reg.ru
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://t3onyghop.com/you1.7z
md5sum ===> ad19cb70eae38404cdcedacecb3f51f8
Title: Re: New Zeus server
Post by: jackberri on January 21, 2011, 11:13:46 pm
IP Location: Russian Federation - ServerSnab network - SERVERSNAB-AS
IP 94.127.68.37
[s094127068037.m.truevds.ru]
AS48235
ns1.freedns.ws
ns2.freedns.ws
Registrant/Email Registrant: Chang So/changso@yahoo.com
Code: [Select]
hxxp://arakasa.com/svhost.pdf
hxxp://dishicage.net/svhost.pdf
md5sum ===> cb5c98bde98807c10591e34a78b19098
Code: [Select]
hxxp://arakasa.com/roub/google.php
hxxp://dishicage.net/roub/google.php

IP Location: Netherlands - ServerBoost network - INTERACTIVE3D-AS
IP 188.95.48.103
[ns1.h18server.info]
AS49544
DNS1.NAME-SERVICES.COM
DNS2.NAME-SERVICES.COM
DNS3.NAME-SERVICES.COM
DNS4.NAME-SERVICES.COM
DNS5.NAME-SERVICES.COM
Registrant ID:a6821a602156a110
Registrant/Email Registrant: Malus  Ozanakis/malusozanakis@yahoo.com
Code: [Select]
hxxp://stersboy777.in/rang/dast.bin
md5sum ===> 8ba562ab6313f63aaec2ecbd4ff4d0a5
Code: [Select]
hxxp://stersboy777.in/forum/support.php
Title: Re: New Zeus server
Post by: jackberri on January 22, 2011, 11:00:59 am
IP Location: Ukraine - Pvkp Pacservice
IP 91.200.188.230
AS44016
ns1.reg.ru
ns2.reg.ru
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://3tnoongfed.com/you2.7z
md5sum ===> 79509fa238061f0d043e365ced90ee42
Title: Re: New Zeus server
Post by: jackberri on January 23, 2011, 09:06:21 pm
IP Location: Ukraine - Pvkp Pacservice
IP 91.200.188.96
AS44016
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Vishnjakov Viktor Stepanovich/actionreklama@yandex.ru
Code: [Select]
hxxp://ltrdnt.net/cfg554/logo.gif
md5sum ===> 5b5f97078a2280f824b44550f69dfdeb
Code: [Select]
hxxp://ltrdnt.net/vavilo/iktrkdjslppld.php
IP Location: Ukraine - Pvkp Pacservice
IP 91.200.188.235
AS44016
ns1.iciq.biz
ns2.iciq.biz
Registrant/Email Registrant: Jenna Miller/Jenna@ersafunds.com
Code: [Select]
hxxp://djskdbks.com/dsadsa.bin
md5sum ===> 9672ab819d649d9054d98e187dec54f5
Title: Re: New Zeus server
Post by: CkreM on January 24, 2011, 03:54:09 pm
Zeus Ver: 1.3.3.0

Code: [Select]
http://txcp.co.cc/files/21
http://txcp.co.cc/files/22
http://pregport.org:81/one/upload/sys.tif
http://pregport.org:81/one/go.php
Title: Re: New Zeus server
Post by: jackberri on January 24, 2011, 04:08:15 pm
IP Location: China - CHINANET-JS-AS-AP
IP 61.147.67.249
AS23650
yns1.yahoo.com
yns2.yahoo.com
Registrant/Email Registrant: Alex Straub/straubalex93@yahoo.com
Code: [Select]
hxxp://buildyoursleep.com/images/logo.jpg
md5sum ===> 561a214bbd18e0e8e82a63c57f4b5ddc
Title: Re: New Zeus server
Post by: jackberri on January 25, 2011, 04:03:59 pm
IP Location: Russian Federation - Info-Media route - VLTELECOM-AS
AS39150
Code: [Select]
hxxp://91.213.29.24/~kotosel/new/tt/saaa.so
md5sum ===> e318ed43838829bd085eaac4b8713a1f
Code: [Select]
hxxp://91.213.29.24/~kotosel/new/saxa.php
IP Location: Russian Federation - VLine Telecom Block - VLTELECOM-AS
IP 109.196.142.35
AS39150
NS1.GAMEMATOROG.COM
NS2.GAMEMATOROG.COM
Code: [Select]
hxxp://gamematorog.com/ger/ber.ln
md5sum ===> 832727e3584f70768b07e8cdfbb7bbbf
Code: [Select]
hxxp://gamematorog.com/ger/dea.exe
md5sum ===> 6a6e8071a846074dd185513d7106d079
http://www.virustotal.com/file-scan/report.html?id=9d961739a5733630e0a97da2a7f26612c96ef4c5cbf9803ecd9cc79358e3b91b-1295969216
VT 16/43 (37.2%)
Title: Re: New Zeus server
Post by: jackberri on January 26, 2011, 11:35:30 am
IP Location: China - CHINANET-JS-AS-AP
IP 61.147.67.249
AS23650
ns3.01isp.com
ns4.01isp.net
Registrant/Email Registrant: Virgina K. Mello/virginakmello@gmail.com
Registrant/Email Registrant: Sally J. Carroll/SallyJCarroll@gmail.com
Code: [Select]
hxxp://spfpratinendfggtone.net/images/logo.jpg
md5sum ===> 2c157fe7488cada33529c3dcd0b8c5cc
Code: [Select]
hxxp://specialforspmdate.net/list.php
Title: Re: New Zeus server
Post by: jackberri on January 26, 2011, 08:07:25 pm
IP Location: Ukraine - Digital Network JSC - DINET-AS
IP 91.200.188.231
AS12695
ns1.reg.ru
ns2.reg.ru
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org
Code: [Select]
hxxp://f4o3thboifmsr.com/G3.7z
md5sum ===> e16d56ad0a1e07e03706197ccf42afce
Title: Re: New Zeus server
Post by: jackberri on January 27, 2011, 12:24:12 pm
IP Location: Netherlands Antilles - COLUMBUS NETWORKS BLOCK
IP 72.252.8.103
AS27781
ns1.realtynmotio.com
ns2.realtynmotio.com
Registrant/Email Registrant: Private Person/cave@ca4.ru
Code: [Select]
hxxp://oneboy.ru/au.cpm
hxxp://oneboy.ru/22oct_bir.cpm
hxxp://oneboy.ru/22oct_ic3.cpm
hxxp://oneboy.ru/22oct_pac.cpm
hxxp://oneboy.ru/22oct_dmi.cpm
hxxp://oneboy.ru/22oct_den.cpm
hxxp://oneboy.ru/14oct_usa.cpm
md5sum ===> bd25942f77779476a2e77c710c0cf518
Code: [Select]
hxxp://oneboy.ru/au.exe
md5sum ===> a30f7446024ad8aea2b0be6f6f6b2598
http://www.virustotal.com/file-scan/report.html?id=f8e1fa6a790117c5d699c0b633dc439d5697cb4b5eabbdfeaedc3e419f9bd029-1296129622
VT 27/43 (62.8%)
Code: [Select]
hxxp://oneboy.ru/22oct_bir.exe
md5sum ===> f508e43496c078f71953487232c3ac73
http://www.virustotal.com/file-scan/report.html?id=50663abc87834f967231b886344546cc870b0ed54fffbec1b0f7936a53e8b14e-1296129758
VT 21/43 (48.8%)
Code: [Select]
hxxp://oneboy.ru/22oct_ic3.exe
md5sum ===> ee68283c0c8494c322c8f6d41aa4e8d6
http://www.virustotal.com/file-scan/report.html?id=ef70f2a7fc9c987e9d1420f12dcc83899e822cf68f86a4f6006e4553faa7c9d2-1296129905
VT 40/42 (95.2%)
Code: [Select]
hxxp://oneboy.ru/22oct_pac.exe
md5sum ===> eefbe4c73a25a44bcc0d5df146b13fce
http://www.virustotal.com/file-scan/report.html?id=b68072cc74f356106fc638ce0d912a1fe4f6573da26336e80aabea89cbebca2c-1296130091
VT 42/43 (97.7%)
Code: [Select]
hxxp://oneboy.ru/22oct_dmi.exe
md5sum ===> add058a4f13c3b5f2a97ecc80933cfff
http://www.virustotal.com/file-scan/report.html?id=6266922df8b6574a0e6c4a8049e691fbc86673764c908f107eb479dacc485a4a-1296130266
VT 42/43 (97.7%)
Code: [Select]
hxxp://oneboy.ru/22oct_den.exe
md5sum ===> 16f092ac72fa89def619e7e45c1b023d
http://www.virustotal.com/file-scan/report.html?id=1c5731ed76ec501dd41504269d56b1b374163de3c48626c5205f02b8e728fc39-1296130388
VT 21/43 (48.8%)
Code: [Select]
hxxp://oneboy.ru/14oct_usa.exe
md5sum ===> 70734b55ab2fe874e44706be389dc77b
http://www.virustotal.com/file-scan/report.html?id=c3a0d72b6c2d1d885117685d0548d976a00e7a5b9efb6c30e0edd8cd16431960-1296130508
VT 42/43 (97.7%)
Title: Re: New Zeus server
Post by: jackberri on January 29, 2011, 03:40:28 pm
IP Location: Ukraine - FIN-ACTIVE-NET
AS44209
ns3.co.cc
ns.co.cc
Code: [Select]
hxxp://193.186.9.81/1.bin
md5sum ===> 0789e76662701ed4b0e79343757d3ff7
Code: [Select]
hxxp://193.186.9.81/~lamparasc/error2/gate.php
IP Location: Ukraine - FIN-ACTIVE-NET
IP 193.186.9.77
AS44209
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Private Person/admin@nvffr.ru
Code: [Select]
hxxp://khfsdki.ru/e.bin
md5sum ===> ee9181dd5327ba5d4d00412085158fee
Title: Re: New Zeus server
Post by: jackberri on January 30, 2011, 02:14:55 pm
IP Location: United States - ENRON-wvision - CALPOP proxy aut-num for CALPOP by Mzima
IP 216.240.151.98
[asualcance.com]
AS7796
ns57.domaincontrol.com
ns58.domaincontrol.com
Registrant/Email Registrant: tobon, john/jtobon@asualcance.com
Code: [Select]
hxxp://www.mrdcolombia.com/admin/linkpt.bin
md5sum ===> 0477c783490560ddc14674901ef0ae64
Code: [Select]
hxxp://www.mrdcolombia.com/admin/linkpt.exe
md5sum ===> f6d70dae9ef7812954f36e6a64d556e2
http://www.virustotal.com/file-scan/report.html?id=c4f652bd8fbba29f275ea5a2b2197efc9b59f53b1079ef3544c5e7231decffe9-1296396236
VT 20/41 (48.8%)
Code: [Select]
hxxp://www.mrdcolombia.com/admin/colombia.php
Title: Re: New Zeus server
Post by: jackberri on January 30, 2011, 08:06:59 pm
IP Location: United States - PAH-INC Go Daddy Software, Inc.
IP 97.74.144.127
[p3nlh127.shr.prod.phx3.secureserver.net]
AS26496
NS03.DOMAINCONTROL.COM
NS04.DOMAINCONTROL.COM
Registrant/Email Registrant: Kevin Kroes/dr.kevinkroes@yahoo.com
Code: [Select]
hxxp://irvine-chiropracticcenter.com/images/vitamin.jpg
md5sum ===> 93f8f9cb2c4b70b342542c9bb7179921
related:
IP Location: China - CHINANET-JS-AS-AP AS
IP 61.147.67.249:80
AS23650
ns3.01isp.com
ns4.01isp.com
Registrant/Email Registrant: Sally J. Carroll/SallyJCarroll@gmail.com
Code: [Select]
hxxp://hryyyymerwireless.net/list.php
Title: Re: New Zeus server
Post by: jackberri on February 01, 2011, 08:27:03 am
IP Location: Ukraine -Infium Ltd
IP 91.218.39.52
[unassigned52.infiumhost.com]
AS197145
LOVINGNAME.MERCURY.ORDERBOX-DNS.COM
LOVINGNAME.VENUS.ORDERBOX-DNS.COM
LOVINGNAME.EARTH.ORDERBOX-DNS.COM
LOVINGNAME.MARS.ORDERBOX-DNS.COM
Registrant ID:AT_13950582
Registrant/Email Registrant: Emelyanov Mihail/emihail201@yandex.ru
Code: [Select]
hxxp://blueservices.net.in/style/css/css.bin
md5sum ===> 73ed3f92b472a8f72b6d825a4e0f8557
Code: [Select]
hxxp://blueservices.net.in/style/css/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 01, 2011, 05:21:00 pm
IP Location: Germany -Technische Universitaet Dresden - DFN-IP service G-WiN
IP 141.30.119.3
AS680
NS1.CARGO-TRAILERSNJ.NET
NS2.CARGO-TRAILERSNJ.NET
Registrant ID: SPAG-40380125
Registrant/Email Registrant: William Kelly/hostmaster@1and1.com
Code: [Select]
hxxp://poehali002.info/xed/config.bin
hxxp://poehali002.info/xed/recover.bin
md5sum ===> 04f6de4afa43ddd437bc9ad40cde21f3
Code: [Select]
hxxp://poehali002.info/xed/yourbot.exe
md5sum ===> 1f6add204d304629a16971894f52d4e9
http://www.virustotal.com/file-scan/report.html?id=15e278ee92c4fc034bf12a869abf0dad894a6e966a82acc827a0cdab9b0f806e-1296580205
VT 7/43 (16.3%)
Code: [Select]
hxxp://poehali002.info/xed/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 02, 2011, 09:34:36 am
IP Location: Netherlands - LEASEWEB - LeaseWeb AS
IP 62.212.74.208
[62.212.74.208.com]
AS16265
Code: [Select]
hxxp://evelins.cz.cc/asdweb/icon.tif
md5sum ===> 259f7d4930cd5e693aa9c91c66e1a4a1
Code: [Select]
hxxp://evelins.cz.cc/static.php
related:
trojan Oficla
Code: [Select]
hxxp://onlineloads.cz.cc/builder/ve.exe
md5sum ===> 117557fba716e76ab2083c11e5ea3ace
http://www.virustotal.com/file-scan/report.html?id=bc9432ac01c2d4d9acbfc0a1a897ecc571a6cc362275cddbca25eb3f4cc4f614-1296638294
VT 4/43 (9.3%)
Title: Re: New Zeus server
Post by: SysAdMini on February 02, 2011, 10:41:25 am
IP Location: Netherlands - LEASEWEB - LeaseWeb AS
IP 62.212.74.208
[62.212.74.208.com]
AS16265
Code: [Select]
hxxp://evelins.cz.cc/asdweb/icon.tif
md5sum ===> 259f7d4930cd5e693aa9c91c66e1a4a1

Did you look inside the config file ? :)
Quote
url_loader (binary download)
  hxxps://zeustracker.abuse.ch/aion.exe
Title: Re: New Zeus server
Post by: jackberri on February 03, 2011, 09:09:25 am
Did you look inside the config file ? :)
Quote
url_loader (binary download)
  hxxps://zeustracker.abuse.ch/aion.exe
I guess i'm pretty blind, lately  ;)
Title: Re: New Zeus server
Post by: CkreM on February 03, 2011, 11:19:01 am
Zeus Version: 1.2.7.19
Code: [Select]
http://217.23.11.215/~newworld/trusteer.exe
http://217.23.11.215/~newworld/cfg.bin
http://217.23.11.215/~newworld/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 03, 2011, 03:15:05 pm
IP Location: Canada - MTO Telecom inc. Proxy Route Object Gogax - GOGAX Netelligent Proxy Record for Customer
IP  76.76.107.50
[generic.gogax.com]
AS21793
ns1.afraid.org
ns2.afraid.org
Registrant ID:ndn-1292366
Registrant/Email Registrant: Mariya Varshavskaya/xy@cheapbox.ru
Code: [Select]
hxxp://consolemato.com/auk/sid.ne
md5sum ===> 43e3f945c2071afe7f4a2f03f6dc8248
Code: [Select]
hxxp://consolemato.com/auk/aug.exe
md5sum ===> e1026b29fde50f52db3e26269894de18
http://www.virustotal.com/file-scan/report.html?id=4c18ee7195d0c5b8fb3cf9ef5484a3282e652edaeb91a98b23987585a878c895-1296740295
VT 19/43 (44.2%)
related:
IP Location: Mexico - Proxy-registered route objec - MX-AXTE-LACNIC Axtel
IP  201.140.57.249
[dedint-201-140-57-249.mtyxl.static.axtel.net]
AS14000
ns1.kidssnowbootsstore.net
ns1.pikstop.com
Registrant ID: IAOGGAX-RU
Registrant/Email Registrant: Evgenia Kostikova/grasp@yourisp.ru
Code: [Select]
hxxp://browndrives.com/auy/depoi.php
IP Location: Russian Federation -Delfa network - DELFANET-AS
IP  194.0.245.71
AS42533
NS1.DREAMHOST.COM
NS2.DREAMHOST.COM
NS3.DREAMHOST.COM
Registrant ID:ndn-1292366
Registrant/Email Registrant: Terry Buss/terrybuss@live.co.uk
Code: [Select]
hxxp://addaxonahacko.info/usa.bin
md5sum ===> 9548bb1b9931c163ada73dafa51dd2ec
Code: [Select]
hxxp://addaxonahacko.info/redir.php
Title: Re: New Zeus server
Post by: jackberri on February 04, 2011, 10:00:41 am
IP Location: Ukraine - FIN-ACTIVE-NET - FINACTIVE-AS
IP  193.186.9.94
AS44209
YNS1.YAHOO.COM
YNS2.YAHOO.COM
Registrant ID: D129646477456239
Registrant/Email Registrant: Christina Nijankin/nijankinchristina@yahoo.com
Code: [Select]
hxxp://amstelone3.biz/z2/config.bin
md5sum ===> 55160d8c8cae20e70a9a894958cd2d7d
Code: [Select]
hxxp://amstelone3.biz/z2/bot.exe
md5sum ===> 2a45f45d0d6e828ae10629d60645fd75
http://www.virustotal.com/file-scan/report.html?id=21830d35dc468e8f24e0f9149cba51e61d3321127cb5c5c6df988e0ff1cc5743-1296813383
VT 7/43 (16.3%)
Code: [Select]
hxxp://amstelone3.biz/z2/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 04, 2011, 04:24:02 pm
IP Location: China - CHINATELECOM-HLJ-AS-AP
IP  219.147.255.39
AS17897
ns1.counselingcareer.net
ns2.counselingcareer.net
Registrant/Email Registrant: Private Person/eta@yourisp.ru
Code: [Select]
hxxp://extratopupgrade.ru/satan.bin
hxxp://movenestecobra.ru/satan.bin
md5sum ===> 67a3c3e0a742f70492b8261402ced0ff
Code: [Select]
hxxp://extratopupgrade.ru/load.bin
hxxp://movenestecobra.ru/load.bin
md5sum ===> 88f27f26ce199de08e4147cbef88cf60
Code: [Select]
hxxp://extratopupgrade.ru/stars.php
hxxp://movenestecobra.ru/stars.php
Title: Re: New Zeus server
Post by: jackberri on February 05, 2011, 05:22:29 pm
IP Location: China - CMNET-GD Guangdong Mobile Communication
IP  211.138.121.4
AS9808
ns1.taohap.net
ns2.taohap.net
Registrant/Email Registrant: Private Person/matt@yourisp.ru
Registrant/Email Registrant: Private Person/sobs@cheapbox.ru
Code: [Select]
hxxp://espmexusa.ru/sonshine.bin
md5sum ===> 7e96349a2dcfa93fc11ab0d58b3b3c1e
Code: [Select]
hxxp://tunisianowar.ru/bookings3.php
Title: Re: New Zeus server
Post by: jackberri on February 06, 2011, 02:51:15 pm
IP Location: Ukraine - S.Point - SPOINT-AS
IP  91.204.48.132
AS24965
ns3.gkg.net
ns4.gkg.net
Registrant ID: GKG-C00002E5D8
Registrant/Email Registrant: DAVID PIERCE/okehukugalyp@yahoo.com
Code: [Select]
hxxp://ktpprfipzqkmwu.org/news/?s=7962
md5sum ===> bbc2d9c2d597fcae9b3f500cd3d513f2
Code: [Select]
hxxp://ktpprfipzqkmwu.org/news/?s=6225
md5sum ===> 7945c5eadb0f93078f244bd9c7f444e1
http://www.virustotal.com/file-scan/report.html?id=3006ea7b928fe805bc7dff4d2ee628b51633c37f450dd434cb0d0a1ef2d04cc6-1296995713
VT 27/43 (62.8%)

IP Location: Ukraine - FIN-ACTIVE-NET route - FINACTIVE-AS
IP  193.186.9.79
AS44209
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Private Person/admin@nvffr.ru
Code: [Select]
hxxp://hdjfyi.ru/f.bin
md5sum ===> 6909b0775f3589488f66c28d8a28ec8b
Code: [Select]
hxxp://hdjfyi.ru/3.php
Title: Re: New Zeus server
Post by: jackberri on February 06, 2011, 06:44:25 pm
IP Location: Finland - EUHOSTFI-NET - EUHOST-AS
IP  91.221.67.4
[host-91-221-67-4.euhost.fi]
AS51765
ns1.nameself.com
ns2.nameself.com
Registrant/Email Registrant: Vishnjakov Viktor Stepanovich/actionreklama@yandex.ru
Code: [Select]
hxxp://vimizont.com/cfg554/logo.gif
md5sum ===> d988e1575dba8aa1089b37c38e3e3367
Code: [Select]
hxxp://vimizont.com/vavilo/iktrkdjslppld.php
Title: Re: New Zeus server
Post by: CkreM on February 09, 2011, 10:45:04 am
Zeus version 2.0.8.9:

Code: [Select]
http://micr0supdates.com/_crfsz/crzp11.exe
http://micr0supdates.com/_crfsz/crzp11
http://micr0supdates.com/_r0sx/_zen0r.php
Title: Re: New Zeus server
Post by: jackberri on February 09, 2011, 04:21:47 pm
IP Location: Ukraine -FIN-ACTIVE-NET - FINACTIVE-AS
IP  193.186.9.94
AS44209
YNS1.YAHOO.COM
YNS2.YAHOO.COM
Registrant ID: E129705761092690
Registrant/Email Registrant: Donna Snyder/dadasd1231dadsadasda@yahoo.com
Code: [Select]
hxxp://iesnare.us/z2/config.bin
md5sum ===> b5b89a3934582709e11bc7182e4a1b3e
Code: [Select]
hxxp://iesnare.us/z2/bot.exe
md5sum ===> d33cdd00214d481127dfb3ecbb02d2bb
http://www.virustotal.com/file-scan/report.html?id=791d76089084e81cf82805615087c3b695dc478c758950abd515ec73e9020153-1297267840
VT 5/43 (11.6%)
Code: [Select]
hxxp://iesnare.us/z2/gate.php
IP Location: Ukraine - S.Point - SPOINT-AS
AS24965
Code: [Select]
hxxp://91.204.48.128/news/?s=36868
md5sum ===> 511e164e5f9ab8a9f1d938298656e0d1
Code: [Select]
hxxp://91.204.48.128/news/?s=6225
md5sum ===> 96217704be097f9c5adfeefe9d2dfa4c
Title: Re: New Zeus server
Post by: jackberri on February 10, 2011, 11:16:33 am
IP Location: Ukraine - S.Point - SPOINT-AS
AS24965
see: http://sitevet.com/db/asn/AS24965
Code: [Select]
hxxp://91.204.48.147/news/?s=169150
md5sum ===> 5c6cf680ba39411165f6126333e9383f
Code: [Select]
hxxp://91.204.48.128/news/?s=6225
md5sum ===> 7860bf837edb928d8f2b74bab354cba5


Title: Re: New Zeus server
Post by: jackberri on February 11, 2011, 01:26:25 pm
IP  Location: Bosnia and Herzegovina - BA-GLOBALNET-AS
IP  77.77.193.21
AS42560
ns.xinnet.cn
ns.xinnetdns.com
Registrant/Email Registrant: zhang hai/gfhfghfg@126.com
Code: [Select]
hxxp://officeupdates0.com/_upd/updzc
md5sum ===> fd13735e8c627fdbe91b84cbc6958533
Code: [Select]
hxxp://officeupdates0.com/_upd/updzc.exe
md5sum ===> f0d40ba4fe0a42f3b87e4352ed47fdf2
http://www.virustotal.com/file-scan/report.html?id=8f40f04ddb4c5e54b64b6f862bcf2b5d0511d1fbe1e28537b9f4629dc8e6afdb-1297430059
VT 26/43 (60.5%)

IP  Location: Ukraine - AGGREGATE BLOCK FOR UKRTELECOM DATA CENTER - UKRTELNET JSC UKRTELECOM
IP  195.64.185.123
[vps-618.ukraine.com.ua]
AS6849
ns3.co.cc
ns.co.cc
Code: [Select]
hxxp://entandy.co.cc/yappaskdkasd.bin
md5sum ===> 3f0e81f8e5030673e5228681ca80ac9e
Code: [Select]
hxxp://entandy.co.cc/trA212alalalsjqIiqjaks.php
IP  Location: Germany - netdirect Frankfurt, DE - NETDIRECT AS
IP  89.149.223.250
[89-149-223-250.local]
AS28753
ns1.googletrackgeo.com
ns2.googletrackgeo.com
Registrant/Email Registrant: Linda Sanlin/lindasanlin@hotmailbox.com
Code: [Select]
hxxp://googletrackgeo.com/src/img1/stats.bin
md5sum ===> a049b2f7321340a98b7c65e10d377298
Code: [Select]
hxxp://googletrackgeo.com/src/img1/legom.php
Title: Re: New Zeus server
Post by: jackberri on February 11, 2011, 08:04:54 pm
IP  Location: Russian Federation - Wahome - WEBALTA-AS
IP  77.91.227.245
AS41947
auth02.ns.uu.net
a.nic.ir
Registrant/Email Registrant: Amir Ahmadi/jamcnutt111@hotmail.com
Code: [Select]
hxxp://e-exchanger.ir/nem/de.bin
md5sum ===> 9061da1b5dda89a54afd72e4752b0095
Code: [Select]
hxxp://e-exchanger.ir/nem/game.php
IP  Location: Taiwan -Taiwan Fixed Network - TFN-NET
IP  60.199.114.85
AS9924
ns1.dns-diy.net
ns2.dns-diy.net
Registrant/Email Registrant: Vlad Kissmet/admin@seololo.com
Code: [Select]
hxxp://vizanie3d.com/c.bin
md5sum ===> 33eb6af93abcba8dc4abcb94371577d5
Code: [Select]
hxxp://seololo.com/alt/frami.php
IP  Location: United States - THEPLANET-AS2
IP  174.120.104.251
[fb.68.78ae.static.theplanet.com]
AS21844
NS1940.HOSTGATOR.COM
NS1939.HOSTGATOR.COM
Registrant/Email Registrant: Rick Black Photography/rick@rickblackphoto.com
Code: [Select]
hxxp://rickblackphoto.com/images/bg1.jpg
md5sum ===> 3f13221ef9cfcdf8332ee315258d1300
Title: Re: New Zeus server
Post by: jackberri on February 12, 2011, 09:22:11 am
IP  Location: Panama - COLUMBUS NETWORKS TRANSIT CUSTOMERS - NEWWORLDNETWORK
IP  190.123.46.149
AS23520
NAME1.ICIQ.BIZ
NAME2.ICIQ.BIZ
Registrant/Email Registrant: nilesh kalathia/nilesh@ersafunds.com
Code: [Select]
hxxp://oiewjpos.com/dnasssd.bin
md5sum ===> 4eba80646814c12ca418d3f7f924037c
Code: [Select]
hxxp://oiewjpos.com/intravaca.php
IP  Location: Russian Federation - Info-Media route - COMCORNET-AS
AS51247
Code: [Select]
hxxp://91.213.29.42/~samui/jhgth/fgdsfdty/hhaas/gadea.so
md5sum ===> c789ab1d1d3e4a56a70272e50c80d4d9
Title: Re: New Zeus server
Post by: jackberri on February 13, 2011, 07:42:48 pm
IP  Location: Ukraine - FIN-ACTIVE-NET route - FINACTIVE-AS
IP  193.186.9.76
AS44209
ns1.dns-diy.net
ns2.dns-diy.net
Registrant/Email Registrant: Inos Vitos/admin@grb1501.com
Code: [Select]
hxxp://grb1501.com/grb.swf
md5sum ===> e2adec1f5c39f6c8a06953aa1649553d

IP  Location: Russian Federation - Wahome IP's - WEBALTA-AS
IP  92.241.162.220
AS41947
ns1.3hosting4u.ir
ns4.3hosting4u.ir
Registrant/Email Registrant: Amir Ahmadi/jamcnutt111@hotmail.com
Code: [Select]
hxxp://www.3hosting4u.ir/kont/call.bin
md5sum ===> bb713abe97b0d8134a21ad6f97eb2a52
Title: Re: New Zeus server
Post by: jackberri on February 14, 2011, 06:54:38 pm
IP  Location: Romania - GLOBAL-ONLINE-DATA
IP  94.63.243.15
AS49469
ns1.adventureiz.com
ns2.adventureiz.com
Registrant/Email Registrant: Vitalij Filipov/og@ppmail.ru
Code: [Select]
hxxp://adventureiz.com/auk/sid.ne
md5sum ===> 46b1d981a4f3678d5ca2f662ef1cf7e6
Code: [Select]
hxxp://adventureiz.com/auk/aug.exe
md5sum ===> 92ab0a095f74051ca17e649c60afb296
http://www.virustotal.com/file-scan/report.html?id=e4e81fbdca5955a4ff849a2afb63606543fcc1b7bc05beeac05cd05ae28a85ba-1297708937
VT 25/42 (59.5%)

IP  Location: Panama - COLUMBUS NETWORKS TRANSIT CUSTOMERS - Private Layer Inc
IP  190.211.252.135
AS52288
ns3.cnmsn.com
ns4.cnmsn.com
Registrant/Email Registrant: Whois Privacy Protection Service/fnzjiwjkgm@whoisservices.cn
Code: [Select]
hxxp://freephoenixbirdspace.com/vip/vip.bin
md5sum ===> 87aa32dfd2c8a5a751482b2bb858ef2b
Code: [Select]
hxxp://freephoenixbirdspace.com/vip/vip.exe
md5sum ===> cca73cd60c27fe5684895b629b0d66a3
https://www.virustotal.com/file-scan/report.html?id=824b5fcc7a9fa25353d90d8d9c3ef316c36b60fabe45a59470c3935e73d0071f-1297709021
VT 2/43 (4.7%)
Code: [Select]
hxxp://freephoenixbirdspace.com/vip/vip.php
Title: Re: New Zeus server
Post by: jackberri on February 15, 2011, 11:47:43 am
IP  Location: United States - RoadRunner RR-RC-Wholesale Internet
IP  208.89.210.118
AS32097
ns1.carterhammer.net
ns2.carterhammer.net
Registrant/Email Registrant: Roman Blats/waved@ca4.ru
Code: [Select]
hxxp://schastlivieiveselierebyta0003.com/xed/config.bin
md5sum ===> be93300e2ff1d891f79e94d76f96482b
Code: [Select]
hxxp://schastlivieiveselierebyta0003.com/xed/yourbot.exe
md5sum ===> 89f60c3956c75223a55f3630356f73b7
http://www.virustotal.com/file-scan/report.html?id=e4e81fbdca5955a4ff849a2afb63606543fcc1b7bc05beeac05cd05ae28a85ba-1297708937
VT 1/43 (2.3%)
Code: [Select]
hxxp://schastlivieiveselierebyta0003.com/xed/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 16, 2011, 09:44:36 am
IP  Location: China - CHINATELECOM-HLJ-AS-AP
IP  219.147.255.39
AS17897
ns1.jobrecruitingstrategy.com
ns2.jobrecruitingstrategy.com
Registrant/Email Registrant: Waneta Herman/stemcell@email.com
Code: [Select]
hxxp://baciq.net/biggone.bin  md5sum ===> 697435a6e8f1428f21b5ed3d2d52eeb9

IP  Location: Brazil - Brasil Telecom Network
IP  189.75.118.154
[189-75-118-154.bsace1010.ipd.brasiltelecom.net.br]
AS8167
ns1.linmaxs.com  207.126.167.57
ns1.amassari.net 207.126.167.57
Registrant/Email Registrant: Andrei Vozhlak/info@gname.net
Code: [Select]
hxxp://vdir.kz/zlu/kow.gr  md5sum ===> 99511c06bc418abd89d5af14517eb98a
IP  Location: Korea - CNU-AS-KR
IP  168.131.30.97
AS10197
ns1.linmaxs.com  207.126.167.57
ns1.amassari.net 207.126.167.57
Registrant/Email Registrant: Vladislav Grenich/info@gname.net
Code: [Select]
hxxp://dsrv.kz/zsu/dehid.php
Title: Re: New Zeus server
Post by: jackberri on February 16, 2011, 01:46:08 pm
IP Location: Ukraine  - S.Point - SPOINT-AS
IP  91.204.48.120
[24965]
NS3.GKG.NET
NS4.GKG.NET
Registrant/Email Registrant: Louise Braff/vycepetamyxeve@yahoo.com
Code: [Select]
hxxp://tbkyorrxohtqqc.com/news/?s=169150  md5sum ===> 3bc702d98119de136cb4c0795f42b45f
Code: [Select]
hxxp://tbkyorrxohtqqc.com/news/?s=6225  md5sum ===> a5a1b674f65d566e332b6378cd26b438
Title: Re: New Zeus server
Post by: jackberri on February 17, 2011, 11:45:09 am
IP  Hong Kong - REACH Network Border AS
IP  202.40.142.93
[unknown.net.reach.com]
AS4637
NS1.JOBRECRUITINGSTRATEGY.COM 184.154.140.36 NS2.JOBRECRUITINGSTRATEGY.COM  92.84.23.131
Registrant/Email Registrant: flores, fausto/condorbirt@aol.com
Code: [Select]
http://www.hiringdivisionjob.com/froster4321.php
related (already uploaded):
Code: [Select]
http://baciq.net/biggone.bin
Title: Re: New Zeus server
Post by: jackberri on February 18, 2011, 06:05:20 am
IP Location: Ukraine  - S.Point - SPOINT-AS
IP  91.204.48.134
AS24965
dns1.registrar-servers.com dns2.registrar-servers.com dns3.registrar-servers.com dns4.registrar-servers.com dns5.registrar-servers.com
Code: [Select]
http://tzknqnskplusgkv.info/news/?s=57206           Registrant/Email Registrant: WhoisGuard  Protected/3cd554c6cff84c1ea986029c2b257273.protect@whoisguard.com
http://zptwqlwiwfrliomw.org/news/?s=57206                 Registrant/Email Registrant: Stephanie  Byers/posyjizavogalori@yahoo.com
http://vonotphkopnkkp.info/news/?s=57206                Registrant/Email Registrant: Robert  Burns/avuxahegefyxaruj@yahoo.com
http://ttpfsomintklncl.com/news/?s=57206                 Registrant/Email Registrant: Robert Scribner/iducaxuxysyva@yahoo.com
http://rrqqrvtgcemfpo.com/news/?s=57206               Registrant/Email Registrant: David Weller/imemomaqexur@yahoo.com
http://pgkxokzipelhx.biz/news/?s=57206                   Registrant/Email Registrant: tim  moon/moduxovuwexiju@yahoo.com
http://duqwcgkylsuetuev.com/news/?s=57206         Registrant/Email Registrant: Cameron Bruce/kuzegucojokepop@yahoo.com
md5sum ===> ee754bb75903dc0bb78d7a76ecaf7d23
Code: [Select]
http://tzknqnskplusgkv.info/news/?s=6225
http://zptwqlwiwfrliomw.org/news/?s=6225
http://vonotphkopnkkp.info/news/?s=6225
http://ttpfsomintklncl.com/news/?s=6225
http://rrqqrvtgcemfpo.com/news/?s=6225
http://pgkxokzipelhx.biz/news/?s=6225
http://duqwcgkylsuetuev.com/news/?s=6225
md5sum ===> 46e8fec3376302da609fef2b1f49218b
Title: Re: New Zeus server
Post by: jackberri on February 18, 2011, 01:44:28 pm
trojan Carberp:
IP  Location: Ukraine - net-0x2a-as Private Entrepreneur Zharkov Mukola Mukolayovuch
IP  91.211.117.38
AS48587
1ST.REGISTERDOMAIN.NAME 2ND.REGISTERDOMAIN.NAME 3RD.REGISTERDOMAIN.NAME 4TH.REGISTERDOMAIN.NAME
Registrant/Email Registrant: Tikitaka/shakeyourstickie@88-56.com
Code: [Select]
http://kaisserz-awe.net.in/l/ldr-godlike.exe  md5sum ===> 6e1fcfd0235386cb0c5e1a54fb68228a
http://www.virustotal.com/file-scan/report.html?id=333433430bd4ebefb390ead2cc7f0f1bf8adb255eeefa6590f1d11e82ed4fc1f-1298036070
VT 5/42 (11.9%)
related:
IP  Location: Lithuania - SPLIUS-AS
IP  77.79.11.117
[hst-11-117.duomenucentras.lt]
AS25406
ns2.dns.com.cn ns1.dns.com.cn
Registrant/Email Registrant: chang chen/ftgy23fge@126.com
Code: [Select]
http://onlybusinessdomainee.com/sector/config.bin  md5sum ===> a16213049a619ad968876257d8a577f7
Code: [Select]
http://onlybusinessdomainee.com/sector/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 19, 2011, 08:24:25 pm
IP  France - OVH ISP - OVH Paris
IP  91.121.154.162
[ks358914.kimsufi.com]
AS16276
ns2.everydns.net ns1.everydns.net ns4.everydns.net ns3.everydns.net
Code: [Select]
hxxp://bbcreation.pl/~biuroart/images/img/config.bin  md5sum ===> 0caebd0b570026e6fae07ca52c32be66

IP  France - IKOULA Net SAS
IP  213.246.38.30
[game30.ikoula.com]
AS21409
ns1.cz.cc ns2.cz.cc
Code: [Select]
http://gmotors.cz.cc/asd/icon.tif  md5sum ===> 2da39727829255ed2a0358b2eec89324
Code: [Select]
http://gmotors.cz.cc/gfyHGuytguyg546545445/aion.exe  md5sum ===> 274d95cec04dd16acf871ae89be945ed
http://www.virustotal.com/file-scan/report.html?id=75bb11a92aa96157591b74d4c733a49d588c37fc95a97acfc57e987f03bd3e14-1298067437
VT 27/42 (64.3%)
Code: [Select]
http://gmotors.cz.cc/asf/staticd.php
IP  France - IKOULA Net SAS
IP  213.246.42.243
AS21409
Code: [Select]
http://ik42243.ikexpress.com/komand/erergerg/has/graa.so  md5sum ===> 87c9f1f3b9c780dea9b2bcb6a9cbb596

IP  Czech Republic - HAKVA-AS
IP  95.64.13.12
AS51786
Name Servers: ns1.tor4ok.com ns2.tor4ok.com
Registrant/Email Registrant: Oksana Boiko/vault@bz3.ru
Code: [Select]
http://tor4ok.com/heltorr/cfgw.bin  md5sum ===> b43fede98539caba35c21b3307475fda

IP  Romania - Sa Nova Telecom Grup SRL
IP  94.63.243.14
AS49469
Name Servers: ns1.coralmothodosa.com ns2.coralmothodosa.com
Registrant/Email Registrant: Andrej Chalkov/rick@ppmail.ru
Code: [Select]
http://coralmothodosa.com/itt/rom.en  md5sum ===> 91e44dae19ac6339bc57b21a30df2e61

IP  Croatia - LURA-AS
IP  193.22.81.103
AS28920
Name Servers: free01.editdns.net free02.editdns.net
Registrant/Email Registrant: Georgij Kiosov/oi@ppmail.ru
Code: [Select]
http://90fd78b9078bd0g.com/79fd9/80gf9nn.bin  md5sum ===> ff815b4ababe6fd589fe8f27acea5e27
Title: Re: New Zeus server
Post by: jackberri on February 20, 2011, 11:53:55 am
IP Location:  China - CHINATELECOM-HA-AS-AP
IP 222.88.205.209
[209.205.88.222.broad.jz.ha.dynamic.163data.com.cn]
AS17785
Name Server: ns3.cnmsn.com ns4.cnmsn.com
Registrant/Email Registrant: Hilary Kneber/hilarykneber@yahoo.com
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Created: 2010-12-14
Expires: 2011-12-14
Code: [Select]
http://security-force.net/asd/cgi.bin  md5sum ===> edf599bb17f1169c56d18d5d5d81b26a
Code: [Select]
http://security-group.cc/samples/mp3/bethoven/single/2000/01/gate9854.php
Title: Re: New Zeus server
Post by: jackberri on February 20, 2011, 07:30:29 pm
IP Location:  Ukraine - FIN-ACTIVE-NET route - FINACTIVE-AS
IP 193.186.9.164
AS44209
Name Server: ns1.nameself.com ns2.nameself.com
Registrant/Email Registrant: Private Person/admin@nvffr.ru                             
Code: [Select]
http://uuquhc.ru/g.bin  md5sum ===> c522626fd005f7ddde51cbe22e3971da

IP Location:  Ukraine - Fortune Science and Production Company - FORTUNE-AS
IP 195.242.161.39
AS47434
Name Server: ns1.karma2you.net ns2.karma2you.net
Registrant/Email Registrant: Evgeniy Simonov/simonich@inbox.ru                             
Code: [Select]
http://karma2you.net/kar/dsa.jpg  md5sum ===> 1885d067d5541cebe3f8ec94926b399e
Code: [Select]
http://karma2you.net/kar/s14.php
Title: Re: New Zeus server
Post by: jackberri on February 21, 2011, 09:39:41 am
IP Location:  Italy - ARUBA-ASN
IP 62.149.128.166
[mxd3.aruba.it]
AS31034
Name Server: dns.technorail.com  dns2.technorail.com
Registrant: ERALDO MORETTO                           
Code: [Select]
http://www.lacesira.it/bannerbottom.gif           md5sum ===> 8e0c45d8c3df1b08b4b54d124e54cc22
IP Location:  Ukraine - FINACTIVE-AS
IP 193.186.9.94
AS44209
Name Server: yns1.yahoo.com  yns2.yahoo.com
Registrant/Email Registrant: Shaoming Zhou/zhoushaoming@yahoo.com                         
Code: [Select]
http://anysnare.us/z2/config.bin                 md5sum ===> 72e4dfe689d0bc6d63bb3a5c888e1c84
Code: [Select]
http://anysnare.us/z2/bot.exe                    md5sum ===> 607ab19d66a472e160e7f344a27846be
http://www.virustotal.com/file-scan/report.html?id=698758f8928f1bbaaf06c6dd148fb6c9af9b58043ca32a998f2cbb2eeaadfac6-1298280148
VT 6/42 (14.3%)
Code: [Select]
http://anysnare.us/z2/gate.php
IP Location:  China - CHINATELECOM-HLJ-AS-AP
IP 219.147.255.39
AS17897
Name Server: ns1.jobrecruitingstrategy.com   184.154.140.36/ns2.jobrecruitingstrategy.com   92.84.23.131
Registrant/Email Registrant: T Frisbee, William/corvusion@yahoo.com                             
Code: [Select]
http://zemondocooler.com/kutimabiz.bin
http://bebookfunk.com/kutimabiz.bin
md5sum ===> e8500fda6c180df46b26b305055b2a1a
Code: [Select]
http://bebookfunk.com/dutarobilok.php
Title: Re: New Zeus server
Post by: jackberri on February 22, 2011, 12:15:12 pm
IP Location:  France - France Telecom - Orange IP Backbone for Enterprise and french consumers
IP 92.131.44.226
[ALille-156-1-117-226.w92-131.abo.wanadoo.fr]
AS3215
Name Server: nf1.no-ip.com  nf2.no-ip.com                       
Code: [Select]
http://beautybiz.no-ip.org/config.bin                 md5sum ===> 72e4dfe689d0bc6d63bb3a5c888e1c84
Code: [Select]
http://beautybiz.no-ip.org/gate.php
IP Location:  United Kingdom - INSTANTEXCHANGER-AS
IP 195.80.151.195
AS50877
Name Server: ns1.ihc.ru  ns2.ihc.ru
Registrant/Email Registrant: Vitalij Tiaskevic/stormpayclicker@gmail.com                       
Code: [Select]
http://radiosci.info/1/bin/config.bin                 md5sum ===> 3d0c3e792c7b1772f6d6407c746aff9d
Code: [Select]
http://radiosci.info/1/bin/upload/113.exe             md5sum ===> c36d3e682b6cd921900207a72a8eae64
http://www.virustotal.com/file-scan/report.html?id=36ab8d1806e987e2612b6625c85ac602332402972e57ea6faf55788884b024aa-1298369046
VT 31/43 (72.1%)
Code: [Select]
http://radiosci.info/1/gate.php
Title: Re: New Zeus server
Post by: jackberri on February 22, 2011, 08:48:34 pm
Code: [Select]
IP Location:  United Kingdom - INSTANTEXCHANGER-AS
IP 195.80.151.195
AS50877
Name Server: ns1.ihc.ru  ns2.ihc.ru
Registrant/Email Registrant: Vitalij Tiaskevic/stormpayclicker@gmail.com                       
Code: [Select]
http://140.116.60.29/images/ufo/.thumbs/flashtest.gif                 md5sum ===> cac042a68c7d34e4c55d42b1dbc87cbb
Code: [Select]
http://www.lrtaxfin.co.za/test.php
Code: [Select]
http://uuquhc.ru/g.bin                 md5sum ===> 50778c80829fb99d087432c2a20461c9
http://uuquhc.ru/4.php
Title: Re: New Zeus server
Post by: jackberri on February 25, 2011, 06:26:15 am
IP Location:  United States - SERVERCENTRAL
IP 75.102.22.9
[unknown.hostforweb.net]
AS23352
Name Server: ns1.scenovia.com.au  ns2.scenovia.com.au
Registrant/Email Registrant: Garry Henshall/info@scenovia.com                       
Code: [Select]
http://parks-leisure.com.au/HEC/index.pdf                 md5sum ===> 6c06dc710cf800832927864ce2c30ae7
Code: [Select]
http://parks-leisure.com.au/HEC/i.1.exe                   md5sum ===> 76eea5afc4e85cf3f341f75677d1246f
http://www.virustotal.com/file-scan/report.html?id=e791752b01d1e9ba29698179b0fe791c30ec92a9d3bd3f94f2b28edd14ec9ba1-1298568240
VT 25/43 (58.1%)
Code: [Select]
http://parks-leisure.com.au/HEC/index.jpg
IP Location:  Ukraine - ANSUA-AS PE Sergey Demin
IP 91.206.201.100
AS47781
Name Server: ns1.inf0z.com.ua  91.206.200.75 ns2.inf0z.com.ua 91.206.201.70
Email Registrant: pi222-uanic@priv.uanic.ua                       
Code: [Select]
http://inf0z.com.ua/forum/fig.bin                 md5sum ===> 8b329d7ba20645b4dab830268a70cbaf
Code: [Select]
http://inf0z.com.ua/forum/load.exe                   md5sum ===> f1d9d8bd77962f321524bcf2cafc34a3
http://www.virustotal.com/file-scan/report.html?id=72bab23bd5be2b050519765420b1c069a64f12fff558f40d3d1d22fab8c0d9c2-1298611213
VT 16/43 (37.2%)
Code: [Select]
http://inf0z.com.ua/forum/login.php
IP Location:  China - Proxy-registered route object - CHINA-TELECOM
IP 122.224.6.36
AS4134
Name Server: ns3.cnmsn.com  ns4.cnmsn.com
Registrant/Email Registrant: Vyacheslav Vozovikov/admin@famontare80.net                       
Code: [Select]
http://famontare3.net:81/s2/cfgmix.bin                 md5sum ===> 7220c6ef8f72dd20d8df5482ea11e78a
Code: [Select]
http://famontare80.net:81/s/statistics.php
IP Location: Russian Federation -TPIC-AS
IP 194.60.205.202
AS49017
Code: [Select]
hxxp://194.60.205.202/news/?s=9400                 md5sum ===> 75c170baffd28087c1ced7f92aaa9a60
Code: [Select]
hxxp://194.60.205.202/news/?s=6225                 md5sum ===> dd77b3893116325519262ed2a0ec5dfd

IP Location:  United States - THEPLANET-AS2
IP 174.120.204.178
[b2.cc.78ae.static.theplanet.com]
AS21844
Name Server: ns1.digibizsites.com  ns2.digibizsites.com
Registrant/Email Registrant: Tom Gruich/tgruich@twmi.rr.com
Code: [Select]
http://tipsmakingmoneyonline.com/q4.drv                 md5sum ===> 8474011629899f2b345d0da11b11a19c
IP Location:  Russian Federation - Wahome IP's - WEBALTA-AS
IP 92.241.162.214
AS41947
Name Server: ns1.pochemuchka.ir  ns2.pochemuchka.ir
Registrant/Email Registrant: Amir Ahmadi/jamcnutt111@hotmail.com
Code: [Select]
http://pochemuchka.ir/obl/call.bin                 md5sum ===> 9828c60d0ff2c33893fb959f5faa713d
Title: Re: New Zeus server
Post by: jackberri on February 25, 2011, 05:25:00 pm
IP Location: Ukraine  - FINACTIVE-AS
IP 193.186.9.96
AS44209
Name Server: ns1.reg.ru  ns2.reg.ru
Registrant/Email Registrant: Aleksandr B Hvalovskii/hvalovsky@yandex.ru   
Code: [Select]
http://cnnus.ru/auc/n.exe      zeus trojan v2.1             md5sum ===> ae3ad3abc8dbabcc579283b73bf8f926
http://www.virustotal.com/file-scan/report.html?id=06d5daae7db754367bac9434c454c5596ecd600b98f9cfe3c49916f845d7c4d9-1298654343
VT 14/43 (32.6%)
Code: [Select]
http://cnewsus.ru/naol/news/index.php
Title: Re: New Zeus server
Post by: jackberri on February 27, 2011, 10:05:17 am
IP Location: Hong Kong  - SUNNYVISION-AS-AP
IP 117.18.64.132
[117-18-64-132.sunnyvisiondatacenter.com]
AS38478
Name Server: ns.xinnet.cn  ns.xinnetdns.com
Registrant/Email Registrant: chang chen/ftgy23fge@126.com 
Code: [Select]
http://onlinesspacesz.com/vip/online                               md5sum ===> 8db74b8be34e497ae46491b0898efae8
Code: [Select]
http://onlinesspacesz.com/vip/onlinesrv.exe                        md5sum ===> 11eaf781d42fec99d2402107600eefa2
http://www.virustotal.com/file-scan/report.html?id=318edf6657cff9a70fd7a46bf9de3dbd170af79cd8968a9c32649aa29b6c6ba7-1298664407
VT 3/43 (7.0%)

IP Location: Croatia  - LURA-AS
IP 193.22.81.103
AS28920
Name Server: free01.editdns.net  free02.editdns.net
Registrant/Email Registrant: Tomas Lokinston/admin@jghrt9frgtr9.com
Code: [Select]
http://jghrt9frgtr9.com/9dg9j/khjf7.bin                               md5sum ===> ac1308d8a8af7bf94036adea59dab865
IP Location:  United States -PAH-INC Go Daddy Software
IP 97.74.215.158
[p3nw8sh134.shr.prod.phx3.secureserver.net]
AS26496
Name Server: NS17.DOMAINCONTROL.COM  NS18.DOMAINCONTROL.COM
Registrant/Email Registrant: Walza Starr/wstarr1@kc.rr.com                       
Code: [Select]
http://faithcitychristiancenter.org/IMAGES/barrett_08.jpg                 md5sum ===> cac042a68c7d34e4c55d42b1dbc87cbb
IP Location: Azerbaijan  - ADaNet-AS Azerbaijan Data Network Autonomous System
IP 109.127.8.242
[host-242-8-127-109.azdata.net]
AS15621
Name Server: ns7.01isp.com  ns8.01isp.net
Registrant/Email Registrant: Resano Jasa/admin@testonlyforfhj3355591.com.tw 
Code: [Select]
http://testonlyforfhj3355591.com.tw/2x/b2/cfg_tes2.bin             md5sum ===> ec221241aabd28d7832d29df48706579
Title: Re: New Zeus server
Post by: jackberri on February 27, 2011, 07:08:29 pm
IP Location: Ukraine  - FINACTIVE-AS
AS44209
Name Server: ns.xinnet.cn  ns.xinnetdns.com
Code: [Select]
http://193.186.9.76/q4.drv                               md5sum ===> f5faef7e06d421062a9af12e22bc883e

IP Location: Israel  - NV-ASN
IP 212.150.164.76
[164.76.loads.co.il]
AS1680
Name Server: DNS1.NAME-SERVICES.COM  DNS2.NAME-SERVICES.COM  DNS3.NAME-SERVICES.COM  DNS4.NAME-SERVICES.COM  DNS5.NAME-SERVICES.COM
Registrant/Email Registrant: Greg  Mitchell/Tendervisits@yahoo.com  
Code: [Select]
http://stounkram653.in/rang/dast.bin                               md5sum ===> 4b513412ca9ead8b47719dac37413e7c
Code: [Select]
http://stounkram653.in/forum/support.php
IP Location: China  - CHINATELECOM-HLJ-AS-AP
IP 219.147.255.39
AS17897
Name Server: ns1.worldfamoucomposer.net 173.231.26.102  ns1.ginndom.net 173.231.26.102
Registrant/Email Registrant: Joseph G. Wargo/solarstorm@dr.com  
Code: [Select]
http://ebebguere.com/quatoorezo.bin                               md5sum ===> 48922f062ea1ae55e42a08f13cb9e2bc
Code: [Select]
http://ebebguere.com/finkazibuk.exe                               md5sum ===> cb55b8ae105a5b166fdc4343d091c58e
http://www.virustotal.com/file-scan/report.html?id=d07e954d177ef5da7e7922263bb056ed31c14ef86503e8958219cad2ce7c81d3-1298832783
VT 26/43 (61.9%)
Code: [Select]
http://dubanubicom.com/windows7xp.php
Title: Re: New Zeus server
Post by: jackberri on March 01, 2011, 08:53:54 am
IP Location: France  - IKOULA Net SAS
IP 213.246.38.36
AS21409
Code: [Select]
http://interraoo.cz.cc/saimwebs/seFgg66/canon.tif                               md5sum ===> cf975e21e3486ca52b0d8a14fbfc7e57                           
http://interraoo.cz.cc/saimwebs/hhhasann/gaoowebs.php
http://interraoo.cz.cc/saimwebs/GHjhuguygftuftf656546554654445/aion.exe

IP Location: Germany  - ASGHOSTNET
IP 94.249.139.4
[box7.host1free.com]
AS12586
Name Server: ns1.host1free.com  ns2.host1free.com
Code: [Select]
http://token.128pro.net/UPCHK.bin                               md5sum ===> cd800d2933ee3e03bfaf9e77c615f428                           
http://oskoloblyadntia.ru/update.php

IP Location:  United States - NETRIPLEX01 NETRIPLEX LLC
IP 46.29.252.2
[box-2e1dfc2.brtarget.net]
AS36167
Name Server: ns20.netriplex.com  ns21.netriplex.com
Registrant/Email Registrant: Lom Lom/lom01@live.com                       
Code: [Select]
http://halifexonline.com/coolirc/hola/config.bin                 md5sum ===> 367ba5fdefc64ab32038d754ee9b9dbf
http://halifexonline.com/coolirc/hola/gate.php
Title: Re: New Zeus server
Post by: jackberri on March 01, 2011, 03:51:17 pm
IP Location:  Canada - SOFTCOMCA
IP 168.144.38.41
[vps-1030962-2238.manage.myhosting.com]
AS14166
Name Server: ns1.casino-game-report.com  ns1.firespiner.com
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org                       
Code: [Select]
http://nastorone.com/xed/config.bin                       md5sum ===> eb788b302d831b40e960bf1eb5496428
http://nastorone.com/xed/yourbot.exe                      md5sum ===> d6a41a7ea79cc146f0f6be99e755c81a
http://nastorone.com/xed/gate.php
http://www.virustotal.com/file-scan/report.html?id=ebeb69b9fb89aaa5ec3adcdd66eeba19fd2a2419d741208808c71b3768a16dd8-1298994257
VT 39/43 (90.7%)

IP Location:  Romania - iTelecom Pixel View SRL
IP 95.64.9.58
[customer-58.wehostshits.com]
AS50244
Name Server: ns1.yrganosserx122108.net  ns2.yrganosserx122108.net
Registrant/Email Registrant: Bingven Way/bingven2000@yahoo.com                       
Code: [Select]
http://yrganosserx122108.net/vbsa/cc2.bin                 md5sum ===> 7f250a52fef9ad072a1940720385f3c3
Title: Re: New Zeus server
Post by: jackberri on March 02, 2011, 07:22:48 pm
IP Location:  Korea - KT-NET KORnet Powered BY Korea Telecom
IP 119.195.196.168
AS4766
Name Server: ns1.ramfors.net  ns2.ramfors.net
Registrant/Email Registrant: Cicelia J Patterson/admin@ramfors.net                       
Code: [Select]
http://ramfors.net/new3/gif.png                 md5sum ===> 51e6f96b27b24f5b41986a215e1c2e0a
IP Location:  China - CHINATELECOM-HLJ-AS-AP
IP 219.147.255.39
AS17897
Name Server: ns1.ginndom.net  ns1.worldfamoucomposer.net
Registrant/Email Registrant: Gano, Leatrice/soldwia@usa.com
Registrant/Email Registrant: Private Person/zc@bz3.ru                 
Code: [Select]
http://strategiesrecruiting.com/qundarilez.bin                  md5sum ===> cffcdd0c7d44f8a3f67f1ac5d0f6aad9
http://solidbin.ru/qundarilez.bin                               md5sum ===> 72b82eda05caa6d3d5de482262664251
http://oneant.ru/stopelko.exe                                   md5sum ===> ff07394036050ce7b1a987dc5e77c570
http://www.virustotal.com/file-scan/report.html?id=a61ed539115fa63f8fe4ccb7aea68d06d4d4bbd32cb30d778acdca0dfda0ecd1-1299092837
VT 19/43 (44.2%)
Code: [Select]
http://strategiesrecruiting.com/stopelko.exe                    md5sum ===> 91aa0f07c6d96fca088c57305e993cae
http://www.virustotal.com/file-scan/report.html?id=ebeb69b9fb89aaa5ec3adcdd66eeba19fd2a2419d741208808c71b3768a16dd8-1298994257
VT 22/43 (51.2%)
Code: [Select]
http://strategiesrecruiting.com/founderzilla.php
http://oneant.ru/founderzilla.php

IP Location:  Ukraine - FINACTIVE-AS
IP 193.186.9.102
AS44209
Name Server: ns1.dns-diy.net  ns2.dns-diy.net
Registrant/Email Registrant: Binnie Fullz/admin@furerr.com                       
Code: [Select]
http://gistapo.net/favicon.ico                 md5sum ===> 9e3d5dc71f8474037e7e0f389b75b9b6
http://gistapo.net/vb9.php
Title: Re: New Zeus server
Post by: jackberri on March 05, 2011, 09:41:01 pm
IP Location:  Russian Federation - HOSTING-COMPANY-AS
IP 79.174.78.244
AS47385
Name Server: ns1.hc.ru  ns2.hc.ru
Registrant/Email Registrant: R01 Personal Data Operator protected/fashion-report.ru@r01-service.ru                       
Code: [Select]
http://fashion-report.ru/afisha/etc/etc/cfg.bin                 md5sum ===> b0288a0b1ebb60f8c53911948bdf0437
http://fashion-report.ru/afisha/etc/etc/gate.php

IP Location:  Ukraine - FINACTIVE-AS
IP 193.186.9.165
AS44209
Name Server: ns1.nameself.com  ns2.nameself.com
Registrant/Email Registrant: Private Person/admin@nvffr.ru                 
Code: [Select]
http://kudwda.ru/h.bin                 md5sum ===> 5efb1ca08dc4d4450a6908f9cc746361
http://kudwda.ru//5.php

IP Location:  Ukraine - ANSUA-AS PE Sergey Demin
IP 91.206.201.236
AS47781
Name Server: ns1.ecommersik.com  ns2.ecommersik.com               
Code: [Select]
http://highcliks.co.cc/wll/cnf/nes.dll                 md5sum ===> 1add2d7582fdc8ba2511eff9aefd8947
IP Location:  Russian Federation - YABA-AS
AS50877                 
Code: [Select]
http://91.206.200.132/3/config.bin                 md5sum ===> 99c7c163d487704e59c88de164576dde
http://91.206.200.132/3/bot.exe                      md5sum ===> 34005608d496de3566e97a8beaf48dda
http://xenicalquestions.com/ld.exe                      md5sum ===> 11fd7f65f091d7d2c1d624295477dcaa
http://91.206.200.132/3/gate.php
http://www.virustotal.com/file-scan/report.html?id=0e671d8ad2599571fe646c7232973128df4688621e1c152c195946168a2cc690-1299359585
VT 29/43 (67.4%)
http://www.virustotal.com/file-scan/report.html?id=1af9d3ed3b714f17154f2195284cc41e82690388cfd8b1a4aa70951ee79e089d-1299359585
VT 33/42 (78.6%)

IP Location:  Malaysia - GIGABIT-MY
IP 223.25.242.107
AS55720
Name Server: ns3.mynshosting.net  ns4.mynshosting.net
Registrant/Email Registrant: John Evans/jhnvns92@gmail.com                 
Code: [Select]
http://adcust.com/kofff111/config.bin               md5sum ===> de0432f88d176804ee29b71451142e3b
related zeusbotnet malware:
IP Location:  Panama - COLUMBUS NETWORKS TRANSIT CUSTOMERS - NEWWORLDNETWORK
IP 190.123.46.146
AS23520
Name Server: ns1.reg.ru  ns2.reg.ru
Registrant/Email Registrant: Aleksandr B Hvalovskii/hvalovsky@yandex.ru                 
Code: [Select]
http://hotcnn.ru/point/forum/index.php
IP Location:  United Kingdom - Instantexchanger Ltd
AS50877       
Code: [Select]
http://195.80.151.194/jjnb.exe                      md5sum ===> d659cadd857d3c8d3e2e82baf50c7ea4
http://www.virustotal.com/file-scan/report.html?id=732e594af3b491edadaa5e16693cc1b2488a16f764bc8373b2f8539f6dd9b964-1299360615
VT 34/42 (79.1%)
Title: Re: New Zeus server
Post by: jackberri on March 07, 2011, 09:02:58 am
IP Location:  Romania - SA-NOVA-TELECOM-GRUP-SRL
IP 94.63.243.21
AS49469
Name Server: ns1.blackmemoso.com 94.63.243.21  ns2.blackmemoso.com 94.63.243.21
Registrant/Email Registrant: Evgenia Kostikova/grasp@yourisp.ru               
Code: [Select]
http://blackmemoso.com/ger/ber.ln                 md5sum ===> 3e6f57846bcaec167398323f3944eeab
http://blackmemoso.com/ger/dea.exe                      md5sum ===> d606f2403a51d19248b72b6cf052ae47
http://www.virustotal.com/file-scan/report.html?id=a89d7c607f28077b951fdf622537cc04e0920fb6131fd0a816901d32bdce0416-1299487591
VT 22/43 (51.2%)

IP Location:  Denmark - ONECOM A/S
IP 193.202.110.127
[srv127.one.com]
AS51468
Name Server: ns01.one.com  ns02.one.com
Registrant/Email Registrant: One.com Hostmaster/one@andypoulton.com               
Code: [Select]
http://159.be/images/twiter.jpg                 md5sum ===> 929f838fa4e559519d8e896d645beb4c
http://needmoneytohelp.com/images/list.php

IP Location:  Romania - HAKVA LLC 2H
IP 95.64.13.12
AS51786
Name Server: ns1.tor4ok.com  ns2.tor4ok.com
Registrant/Email Registrant: Oksana Boiko/vault@bz3.ru               
Code: [Select]
http://tor4ok.com/heltorr/cfgw.bin                 md5sum ===> b43fede98539caba35c21b3307475fda
IP Location:  China - GIGABIT-MY
IP 223.25.242.107
AS55720
Name Server: ns3.mynshosting.net  ns4.mynshosting.net         
Code: [Select]
http://linksofhouse.co.cc/wass.bin                 md5sum ===> e35c95cfd1cabb407051f3340f58eb2a
IP Location:  Croatia - LURA-AS
IP 193.22.81.72
AS28920
Name Server: NS1.NAME.COM  NS2.NAME.COM  NS3.NAME.COM  NS4.NAME.COM
Registrant/Email Registrant: Brian Gamble/gamble.brian@yahoo.com               
Code: [Select]
http://furzest.info/usa.bin                 md5sum ===> ef46856bd377664a97b00fd6a0edda3c
http://furzest.info/redir.php

IP Location:  China - CHINATELECOM-HLJ-AS-AP
IP 219.147.255.39
[srv127.one.com]
AS51468
Name Server: ns1.ginndom.net  ns1.worldfamoucomposer.net
Registrant/Email Registrant: Private Person/zc@bz3.ru               
Code: [Select]
http://ironsum.ru/dongiklim.bin                       md5sum ===> 457061cb39dbc85055c7ebf5214fda7e
http://mildtune.ru/blazers66.exe                      md5sum ===> e5cfae9bdec97fecf1bc527a18098f17
http://mildtune.ru/viewforum3.php
http://www.virustotal.com/file-scan/report.html?id=1128102503794fa0255ed2031636a2e2f977e37ec4f5ca21c6b071b6cf759d95-1299487587
VT 30/43 (69.8%)

related zeusbotnet malware:
Code: [Select]
hxxp://195.80.151.194/jjnb2.exe                           md5sum ===> 4b0b6bd747c9b1faf360a8030e7db711
http://www.virustotal.com/file-scan/report.html?id=5ba023508c47986ec27edb241b12b5fb528761b202800b3e7c77e4519c9a27c9-1299488017
VT 24/43 (55.8%)
Title: Re: New Zeus server
Post by: jackberri on March 07, 2011, 08:25:38 pm
IP Location:  United Kingdom - OH Telecom - OPENHOSTING M247 Ltd
IP 89.238.131.66
[november.ourwindowsnetwork.com]
AS33970
Name Server: ns2.keynect.co.uk  ns3.keynect.co.uk  ns1.keynect.co.uk
Registrant/Email Registrant: Vanishing Point/admin@keynect.co.uk       
Code: [Select]
http://vanishingpoint-art.com/securimage/audio/gbold.exe                      md5sum ===> 368f05d4f2ae5d6c934e80ca90a10e29
http://www.virustotal.com/file-scan/report.html?id=27362bcbe507dcd175cc23ca5c6abd5bc4a21fc41e8403135fe89e99a8180cde-1299529202
VT 24/42 (57.1%)
related:
Code: