New Zeus server

[jackberri]

IP Location:    Kazakhstan - JSC Kazakhtelecom
IP 95.57.120.162
[ip162.gohost.kz]
AS9198
Name Server: ns1.freedns.ws | ns2.freedns.ws

Code: [Select]

hxxp://turbozalupa.ce.ms/job2/cfg.bin            md5sum ===> edf00b7243a7fc1133e93980ee2cb07e
hxxp://turbozalupa.ce.ms/job2/shit.exe                 md5sum ===> 237420d7cb8ab954e7a6279f30382113
hxxp://turbozalupa.ce.ms/job2/exit.phphttp://www.virustotal.com/file-scan/report.html?id=f9915b14b4db52c5ab151f8aa4928f109d0a324d897abbf278dfce9be609a4e1-1320426548
VT 22/43 (51.2%)

IP Location: Hungary - NET23-AS
IP 94.199.51.10
[ded-srv-pool-51-10.23net.hu]
AS30836
Name Server: ns1.example.com | ns2.example.com
Registrant/Email Registrant: Luong Dinh Nhan/chris.deakle82@ymail.com

Code: [Select]

hxxp://artisot.com/zs/woody.bin                 md5sum ===> 6e5d5dea6b52f4a7a2aabdaf3c645c7a
hxxp://artisot.com/zs/woody.exe                 md5sum ===> 99b1e043752b075eb632bd6978cb1448
hxxp://artisot.com/zs/woody.exehttp://www.virustotal.com/file-scan/report.html?id=f40c7103a3aa2dc205aff9ce86c64f09e93cbb30f822901de20f9b580b697f08-1320427220
VT 23/43 (53.5%)

IP Location: Sweden - GleSYS-AS
IP 109.74.6.15
[109-74-6-15-static.serverhotell.net]
AS43948
Name Server: ns.co.cc | ns1.co.cc

Code: [Select]

hxxp://redirstregentedhosplings.co.cc/redir.php
hxxp://redirstregentedhosplings.co.cc/2/up.phprelated

Code: [Select]

hxxp://artechellirat.com/config.php

[jackberri]

Your website is up and running!
IP Location: United States - HOSTING-MEDIA
IP 31.170.161.16
[31-170-161-16.main-hosting.com]
AS47583
Name Server: ns1.000webhost.com | ns2.000webhost.com
Registrant/Email Registrant: II Hosting Media/

Code: [Select]

hxxp://redusaxu.hostoi.com/sf/prof.bin         md5sum ===> 01e8195ac3c0fdee7a89ddce0d847f78
hxxp://redusaxu.hostoi.com/sf/s.php
IP Location: United States - BurstNet Technologies, Inc.
IP 184.82.87.211
[server.wehostitbest.com]
AS21788
Name Server: NS1.NOCSU.COM | NS2.NOCSU.COM
Registrant/Email Registrant: Oleg Gudiev/aeronitro@ymail.com

Code: [Select]

hxxp://aeronitrex.com/special/status/aero.bin           md5sum ===> 836204b1e311e53f7e2cb8444c906e85
hxxp://aeronitrex.com/upgrade/aero.bin                  md5sum ===> 44b12962f7919518116ff4a98e740ddc
hxxp://178.18.249.66/progressive/order/info/encrypted/zsearch.php
IP Location: Sweden - SERVERCONNECT-AS
IP 95.143.198.136
AS49770
Name Server: ns3.cnmsn.com | ns4.cnmsn.com
Registrant/Email Registrant: Tan Goodween/admin@duglascagemike.com

Code: [Select]

hxxp://duglascagemike.com/uk1/bot/bot.exe           md5sum ===> 59883751cbeebc5a789003e39cf767f6
hxxp://duglascagemike.com/uk1/config/config.phphttp://www.virustotal.com/file-scan/report.html?id=c6750e0b77037ad63b2d1440483ba70fce0eb515f2d5846c96c3f55f5b4b8907-1320515419
VT 28/43 (65.1%)

IP Location: Germany - LEASEWEB-DE
IP 89.149.226.195
AS28753
Name Server: NS41.DOMAINCONTROL.COM | NS42.DOMAINCONTROL.COM
Registrant/Email Registrant: Mark Oldwin/kenithsnowppq@yahoo.com

Code: [Select]

hxxp://jds923fdsfjsd.info/cache/srv/cf3           md5sum ===> fb797af0d5bfa3c7a3d2c9184c2383d4
hxxp://jds923fdsfjsd.info/cache/srv/cf4           md5sum ===> 7144a8eeb8d917ac5d2f22b5ff24bfca
hxxp://jds923fdsfjsd.info/cache/srv/ex3           md5sum ===> 039ce25d495fa555ae1c210592b564d0
hxxp://jds923fdsfjsd.info/cache/srv/ex4           md5sum ===> bbbe9f1c8118c905a384015849cf110b
hxxp://jds923fdsfjsd.info/cache/srv/join.phphttp://www.virustotal.com/file-scan/report.html?id=94fff127753ed1d704c781b5c391f5e62f4a907b67f7e1d51c3c84addd5851ab-1320515256
VT 20/43 (46.5%)
http://www.virustotal.com/file-scan/report.html?id=72b75551d07c61fb6c006086161c83eedeb2f12debeff822eab00b8e967cb79c-1320515293
VT 26/43 (60.5%)

[jackberri]

IP Location:  Serbia - SERBIA-BROADBAND-AS
IP 94.189.138.5
[cable-94-189-138-5.dynamic.sbb.rs]
AS31042
Name Server: ns2.retunger.com  | ns6.retunger.com  | ns1.dveduneyq.ce.ms  | ns2.dveduneyq.ce.ms
Registrant/Email Registrant: Zonemaster STRATO AG Webhosting/zonemaster@strato.de

Code: [Select]

hxxp://dveduneyq.ce.ms/isuspm.exe        md5sum ===> 51bc1787ac3429a717498bb4ac8fab38http://www.virustotal.com/file-scan/report.html?id=b8a7ef3ca807660c2cb2784049792f6c318e1b0e29e63c779eb826074cffdd65-1320592489
VT 12/42 (28.6%)


IP Location: Russian Federation - ALTURA-AS
IP 95.141.193.54
AS44158
Name Server: ns1.nameself.com | ns2.nameself.com
Registrant/Email Registrant: Andrei Ivanov/jeksobelgir@mail.ru

Code: [Select]

hxxp://getupsend.com/mssend.php
hxxp://getupsend.com/cfg/config.php

[jackberri]

IP Location: Russian Federation - ISPSYSTEM-AS
IP 82.146.44.107
[bitrixvl.ru]
AS29182
Name Server: ns1.firstvds.ru | ns2.firstvds.ru
Registrant/Email Registrant: Private Person/archerserver@mail.ru

Code: [Select]

hxxp://bonus-sms.ru/salvador1conf/settings.bin                  md5sum ===> 6c8b645a1ef7440f7d0de508e2431e71
hxxp://junesommerlivez.com/salvador1conf/settings.bin           md5sum ===> 6c8b645a1ef7440f7d0de508e2431e71
hxxp://lobsterlivever.com/salvador1conf/settings.bin            md5sum ===> 6c8b645a1ef7440f7d0de508e2431e71
hxxp://torscandpower.com/salvador1conf/settings.bin             md5sum ===> 6c8b645a1ef7440f7d0de508e2431e71
hxxp://82.146.44.107/salvador1conf/settings.bin                 md5sum ===> 6c8b645a1ef7440f7d0de508e2431e71
hxxp://bonus-sms.ru/salvador1conf/AJs.exe                       md5sum ===> 8699a5d7ead32f4c917faf074ad75d90
hxxp://junesommerlivez.com/salvador1conf/AJs.exe                md5sum ===> 8699a5d7ead32f4c917faf074ad75d90
hxxp://lobsterlivever.com/salvador1conf/AJs.exe                 md5sum ===> 8699a5d7ead32f4c917faf074ad75d90
hxxp://torscandpower.com/salvador1conf/AJs.exe                  md5sum ===> 8699a5d7ead32f4c917faf074ad75d90
hxxp://82.146.44.107/salvador1conf/AJs.exe                      md5sum ===> 8699a5d7ead32f4c917faf074ad75d90
hxxp://bonus-sms.ru/salvador1conf/redir.php
hxxp://junesommerlivez.com/salvador1conf/redir.php
hxxp://lobsterlivever.com/salvador1conf/redir.php
hxxp://torscandpower.com/salvador1conf/redir.php
hxxp://82.146.44.107/salvador1conf/redir.php
hxxp://bonus-sms.ru/salvador1conf/config.php
hxxp://junesommerlivez.com/salvador1conf/config.php
hxxp://lobsterlivever.com/salvador1conf/config.php
hxxp://torscandpower.com/salvador1conf/config.php
hxxp://82.146.44.107/salvador1conf/config.phphttp://www.virustotal.com/file-scan/report.html?id=4e305efd772d89a941268a172023f3886cbd4bb0345cfe9657bc1d3f87d9f68b-1320683106
VT 1/43 (2.3%)

[jackberri]

IP Location: Canada - ASN-CIPHERKEY Exchange Corp Routing
IP 204.239.157.2
[flame.blaze.ca]
AS25668
Name Server: flame.blaze.ca | spark.blaze.ca
Registrant/Email Registrant: Gordon Russell Limited/gr@gordonrussell.com

Code: [Select]

hxxp://www.gordonrussell.com/Images/sp.exe           md5sum ===> b5d19c17858339a3d49eb6d41bce00e0http://www.virustotal.com/file-scan/report.html?id=8ec5998a682d062469f1c03099f63a34b4298841d0691e9787b566c8ab79f200-1320949007
VT 25/43 (58.1%)
related
IP Location: United States - DREAMHOST-AS
IP 69.163.176.89
[apache2-kip.vikings.dreamhost.com]
AS26347
Name Server: NS1.DREAMHOST.COM | NS2.DREAMHOST.COM | NS3.DREAMHOST.COM
Registrant/Email Registrant: Kim Johnstone/StarbuckQAF@netscape.net

Code: [Select]

hxxp://idina-here.com/fans/gallery/themes/fruity/themes.phprelated
IP Location: United States - GODADDY
IP 184.168.230.128
[p3nlhg180c1180.shr.prod.phx3.secureserver.net]
AS26496
Name Server: ns07.domaincontrol.com | ns08.domaincontrol.com
Registrant/Email Registrant: Myrtle Beach Screen Printing/beachscreenprint@aol.com

Code: [Select]

hxxp://myrtlebeachscreenprinting.com/images/config.php
IP Location: Kazakhstan - Kazakhtelecom
[ip214.gohost.kz]
AS9198

Code: [Select]

hxxp://95.57.120.214/~zxc/de/2/gate.php
IP Location: Poland - ASTER-CITY-CABLE-AS
IP 82.210.157.9
[poczta.orgmasz.pl]
AS12476
Name Server: NS1.STOSPORTS.COM | NS2.STOSPORTS.COM
Registrant/Email Registrant: Emerenciana Abrego/baron@fxmail.net

Code: [Select]

hxxp://sweetplex.com/wonderful.php

[jackberri]

Code: [Select]

[color=blue]IP Location: Russian Federation[/color] - DINET-AS
IP 92.38.209.194
AS12695
Name Server: ns-canada.topdns.com | ns-uk.topdns.com | ns-usa.topdns.com
Registrant/Email Registrant: Private Whois Service/a5m8ux54eab13d99a015@oqjij874d9300d54bd95.privatewhois.net
[code]hxxp://adslayer.net/up/upt.png                    md5sum ===> 8a814c0f79c46d382e5b6ad4d0334b74
hxxp://adslayer.net/downloads/uratr.exe                 md5sum ===> d4774f39ad032485074a256a26be033f
hxxp://adslayer.net/adv/login.phphttp://www.virustotal.com/file-scan/report.html?id=2b3bb9802d99fcb118dc6823c1d38368475f1588d6f86132b98779c695618259-1321265998
VT 21/41 (51.2%)

Code: [Select]

hxxp://adslayer.net/options/update.jpg           md5sum ===> 71dc00f6a1e3d3a427c8e976f15cb8bd
hxxp://adslayer.net/downloads/frukla.exe         md5sum ===> 5fb26a4e7b56bb5b752caa609192c8dchttp://www.virustotal.com/file-scan/report.html?id=9046b668663a9a03845e16bb130d95219707789729bf48c08f8ee1470c6c2d6f-1321283994
VT 28/42 (66.7%)[/code]

[jackberri]

IP Location: Russian Federation - GARANT-PARK-TELECOM
AS5537

Code: [Select]

hxxp://195.128.121.50/zeus/config.bin         md5sum ===> 505822008fa156cf255afed43b287a74
hxxp://195.128.121.50/zeus/bot.exe            md5sum ===> 6bca25d9f05bd8daf3b698bd2dd44e69
hxxp://195.128.121.50/zeus/gate.phphttp://www.virustotal.com/file-scan/report.html?id=31c4177e1c712cb637c6a684c3cd569cb2c28e02a8c914d8da28eabaf1bb22ca-1321291355
VT 31/42 (73.8%)


IP Location: United States - Qwest Communications
IP 71.217.16.11
[71-217-16-11.tukw.qwest.net]
AS209
Name Server: ns1.footwalmoth.ru | ns1.linkuniv.net.
Registrant/Email Registrant: Private Person/

Code: [Select]

hxxp://tixuanabridge.ru/fur/chi.ps         md5sum ===> b2a69280de500a7a3e6a3f2edafd3355
hxxp://tixuanabridge.ru/fur/chi.exe        md5sum ===> a69e4db3f4b71307d1a5dbc9a214a87fhttp://www.virustotal.com/file-scan/report.html?id=2bf91aa04410b3a9e727ed174be6e90dbdbbbd917ee27b1142940791ff8d6c45-1321342538
VT 31/42 (73.8%)
related
IP Location: United States - Qwest Communications
IP 71.217.3.223
[71-217-3-223.tukw.qwest.net]
AS209
Name Server: ns1.booksforbool.com | ns1.tablebridgeh.com
Registrant/Email Registrant: Private Person/

Code: [Select]

hxxp://uklopandaberk.ru/cll/perfp.php

[jackberri]

IP Location: Ukraine - INFIUM
[ip-188-190-98-111.hosted-in.infiumhost.com]
AS197145

Code: [Select]

hxxp://188.190.98.111/1515/a/cf         md5sum ===> 948266832294fe0aea82aa596efceca5
hxxp://188.190.98.111/1515/a/tick.php

related zeusbotnet malware:

IP Location:  Russian Federation - HIXU-AS
IP 91.228.160.85
AS56815
Name Server: NS1.DAODOMAINS.COM | NS2.DAODOMAINS.COM
Registrant/Email Registrant: Maksim Karpenko/karpenko.karpenko@gmail.com

Code: [Select]

hxxp://helpforyou.in/status.php
hxxp://helpforyou.in/c/index.php

[jackberri]

IP Location: Lithuania - DC-AS
[hst-11-45.duomenucentras.lt]
IP 77.79.11.45
AS16125
Name Server: NS3.01ISP.COM | NS4.01ISP.NET
Registrant/Email Registrant: Vault Miner/admin@vassalitetsmanst.com

Code: [Select]

hxxp://vassalitetsmanst.com/weber/sando.php
IP Location: Russian Federation - ELTEL-AS
[mailgermes.beget.ru]
IP 81.222.215.236
AS20597
Name Server: ns1.beget.ru | ns2.beget.ru

Code: [Select]

hxxp://eeesad.bget.ru/pol/game.exe         md5sum ===> 8848fb36b5adb77e99769ecead598947[urlhttp://www.virustotal.com/file-scan/report.html?id=cd70f9a656391a8334bbb68c2e774900267025330fd7b66d94e2902a061715c6-1321699624[/url]
VT 34/42 (81.0%)

[jackberri]

IP Location: Ukraine - Energomontazh Ltd
IP 91.223.89.100
AS197569
Name Server: NS1.NAMESELF.COM | NS2.NAMESELF.COM
Registrant/Email Registrant: Clara Cipperman/clarene420@yahoo.com

Code: [Select]

hxxp://kamerer.info/maxim.bin       md5sum ===> be6a2bbf085b68ef6f7fc4784416bd8f

[jackberri]

IP Location: China - China-Network-Communications-Group
IP 60.19.30.135
AS4837
Name Server: ns1.stosports.com | ns2.stosports.com

Code: [Select]

hxxp://witlion.ru/inbox876.php
IP Location: United States - ASRELINK
IP 31.41.45.42
AS56577
Name Server: NS-CANADA.TOPDNS.COM | NS-UK.TOPDNS.COM | NS-USA.TOPDNS.COM
Registrant/Email Registrant: Private Whois Service/m69swo74ec7928bb20c0@oqjij874d9300d54bd95.privatewhois.net

Code: [Select]

hxxp://berlinonlinestar.net/date/time.php

[jackberri]

IP Location: Korea - KT-NET
IP 61.74.61.46
AS4766
Name Server: ns2.dns.com.cn | ns1.dns.com.cn
Registrant/Email Registrant: liu wei/liuwei1000@gmail.com

Code: [Select]

hxxp://abc.googlezuju.com/logo.jpg       md5sum ===> 3caa0d4c0f893e68570083c757930647

[jackberri]

IP Location: United States  - ONEANDONE-AS
IP 50.21.181.124
[s15447727.onlinehome-server.com]
AS8560
Name Server: NS51.1AND1.COM | NS52.1AND1.COM
Registrant/Email Registrant: Jan Lambert/j.lamber@aol.com

Code: [Select]

hxxp://trustbilling.net/config.php
IP Location: Germany  - HETZNER-AS
IP 178.63.38.187
[static.187.38.63.178.clients.your-server.de]
AS24940
Name Server: ns1.dns-diy.net | ns2.dns-diy.net
Registrant/Email Registrant: Sasha Matveeva/admin@howareudoing56.com

Code: [Select]

hxxp://howareudoing56.com/c.bin       md5sum ===> 528ecc8c827be62545406442f31d2f1f
hxxp://howareudoing56.com/in.php
IP Location: Russian Federation  - ANDERS-AS
IP 87.251.154.44
[t42.e61.su]
AS39792
Name Server: dns01.gpn.register.com | dns02.gpn.register.com | dns03.gpn.register.com | dns04.gpn.register.com | dns05.gpn.register.com
Registrant/Email Registrant: ENZO DE FEO/enzodefeo61@yahoo.com

Code: [Select]

hxxp://lobsterliveverromez.com/rome2ceasar/redir.php

[jackberri]

IP Location:  United States - NTTC-GIN-AS
IP 209.238.142.176
AS2914
Name Server: NS55.WORLDNIC.COM  | NS56.WORLDNIC.COM
Registrant/Email Registrant: Max Coupling and Hose Corp./rr2gm2et62b@networksolutionsprivateregistration.com

Code: [Select]

hxxp://maxcoupling.com/wp-content/plugins/js/inv.exe        md5sum ===> aaae17c8fe31009163825e76355ac9d9http://www.virustotal.com/file-scan/report.html?id=69cb6bc8fc8fce89cf4311f2609fd64f31f473fb10f7295df0cec014b974184d-1322241181
VT 24/43 (55.8%)
related:
IP Location:  Russian Federation - Anders Telecom Ltd
AS39792

Code: [Select]

hxxp://87.251.154.158/phpbb/logo.jpg       md5sum ===> 8518871d2ac3a64e0a8734f2eaf2e469
hxxp://87.251.154.158/phpbb/login.php

[jackberri]

IP Location:  Australia  - Connect Infobahn Australia
IP 116.0.23.220
[morrigan.instanthosting.com.au]
AS9280
Name Server: ns1.webcity.com.au  | ns2.webcity.com.au  | ns3.webcity.com.au
Registrant/Email Registrant: Russell Dwyer/russelld@trafficsafety.com.au

Code: [Select]

hxxp://barriersales.com.au/i28.png      md5sum ===> 31a7d5124c289701c30a42a2d335674a
IP Location:  China  - China-Network-Communications-Group
IP 60.19.30.135
AS4837
Name Server: ns1.grapecomputers.com.  | ns2.grapecomputers.com.

Code: [Select]

hxxp://cakerecipes.ru/xx.bin      md5sum ===> c32aac1354c078004c82026a29c647ed
IP Location:  Romania  - ATOM-HOSTING
AS13209

Code: [Select]

hxxp://91.217.82.156/config.bin      md5sum ===> e2582b56f697fe49343b8e52d3799b5c
hxxp://91.217.82.156/bot.exe         md5sum ===> 85a1551e6a6dec3b5e707c3de40678b6
hxxp://91.217.82.156/gate.phphttp://www.virustotal.com/file-scan/report.html?id=6f03fd3252573589d70ab701aa39bf27d2e2dfe8cedac200e529360c69c3641a-1322336134
VT 37/43 (86.0%)

IP Location:  United States  - HURRICANE Electric
IP 64.62.236.148
[intel-proto46.fox-den.com]
AS6939
Name Server: ns1.acbmemphis.net | ns1.cuba-maxtel.com
Registrant/Email Registrant: PrivacyProtect.org/contact@privacyprotect.org

Code: [Select]

hxxp://audiocdfz.com/document.doc         md5sum ===> 2ba30771c6571a938677ec039da4fe29