Hi gonzornung,
If I recall correctly, computershello.cn was one of the hosts mainly targeting World of Warcraft players, as described here:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080513
I found this host in a JavaScript on 9i5t.cn (on May 13th, the same day it was mentioned in the Shadowserver article):
hxxp://9i5t.cn/a.js
- hxxp://computershello.cn/g.js
- hxxp://computershello.cn/6.gif
- le.htm (MDAC exploit)
-> downloads hxxp://computershello.cn/test.exe
- tt1.htm (animated cursor)
-> downloads hxxp://61.188.38.158/images/test.exe
- vv.js (MDAC exploit)
-> downloads hxxp://computershello.cn/test.exe
- old.htm (RealPlayer exploit)
- xin.htm (RealPlayer exploit)
The binary test.exe has the following md5sum:
5c9322a95aaafbfabfaf225277867f5b
I still have the JavaScripts and the binary.
Also, check
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514 to get a rough idea of the extent of the injection.
Regards,
Philipp
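As an added example (my own code, not part of Philipp's post or the Shadowserver write-ups): a small triage script that takes an indicator list in exactly the defanged format used above, rebuilds the chain (entry script, exploit pages, which page drops which payload), pulls out the hosts and bare IPs for blocking, and checks a sample's MD5 against the hash Philipp posted. The INDICATOR_TEXT block is transcribed from the post; the function names and the "(exploit)" annotation format are my assumptions about how such a list is written, not anything from the original.

```python
import hashlib
import re
from typing import Dict, Optional, Set

# Constructed input: the chain transcribed from the post above, kept defanged (hxxp://) as posted.
INDICATOR_TEXT = """\
hxxp://9i5t.cn/a.js
- hxxp://computershello.cn/g.js
- hxxp://computershello.cn/6.gif
- le.htm (MDAC exploit)
-> downloads hxxp://computershello.cn/test.exe
- tt1.htm (animated cursor)
-> downloads hxxp://61.188.38.158/images/test.exe
- vv.js (MDAC exploit)
-> downloads hxxp://computershello.cn/test.exe
- old.htm (RealPlayer exploit)
- xin.htm (RealPlayer exploit)
"""

# The one hash the post gives. MD5 only because that is what was posted; record SHA-256 for your own samples.
KNOWN_BAD_MD5: Dict[str, str] = {
    "5c9322a95aaafbfabfaf225277867f5b": "test.exe dropped by the computershello.cn chain",
}

URL_RE = re.compile(r"h(?:xx|tt)ps?://([^/\s]+)(/\S*)?", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXPLOIT_NOTE_RE = re.compile(r"\(([^)]*)\)\s*$")   # trailing "(MDAC exploit)"

def refang(url: str) -> str:
    # hxxp:// -> http:// so the URL parses; never hand the result to a browser
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def defang(url: str) -> str:
    # the inverse, for anything pasted into a report
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)

def parse_chain(text: str) -> Dict:
    """First bare URL is the entry script, '- item (exploit)' lines are stages,
    '-> downloads URL' attaches a payload to the stage directly above it."""
    chain: Dict = {"entry": None, "stages": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("->"):              # test before the plain "-" case
            m = URL_RE.search(line)
            if m and chain["stages"]:
                chain["stages"][-1]["payload"] = refang(m.group(0))
            continue
        if line.startswith("-"):
            item = line[1:].strip()
            exploit = None
            note = EXPLOIT_NOTE_RE.search(item)
            if note:
                exploit, item = note.group(1), item[: note.start()].strip()
            url = URL_RE.search(item)
            chain["stages"].append({"name": refang(url.group(0)) if url else item,
                                    "exploit": exploit, "payload": None})
            continue
        m = URL_RE.search(line)
        if m and chain["entry"] is None:
            chain["entry"] = refang(m.group(0))
    return chain

def hosts(chain: Dict) -> Set[str]:
    # every host named anywhere: loader, stages and payloads
    urls = [chain["entry"]] + [s["name"] for s in chain["stages"]] \
                            + [s["payload"] for s in chain["stages"]]
    found: Set[str] = set()
    for u in urls:
        m = URL_RE.match(u) if u else None
        if m:
            found.add(m.group(1).lower())
    return found

def ip_hosts(chain: Dict) -> Set[str]:
    # bare-IP hosts are worth listing separately: they survive a domain takedown
    return {h for h in hosts(chain) if IPV4_RE.match(h)}

def payload_urls(chain: Dict) -> Set[str]:
    # distinct download URLs: the post's three droppers fetch only two
    return {s["payload"] for s in chain["stages"] if s["payload"]}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def match_known_bad(data: bytes, table: Dict[str, str] = KNOWN_BAD_MD5) -> Optional[str]:
    # label for a sample whose MD5 is in the table, else None
    return table.get(md5_hex(data))

if __name__ == "__main__":
    c = parse_chain(INDICATOR_TEXT)
    print("entry:", defang(c["entry"]), "| hosts:", sorted(hosts(c)), "| ips:", sorted(ip_hosts(c)))
    for s in c["stages"]:
        print(" ", defang(s["name"]), "|", s["exploit"] or "-", "|", defang(s["payload"]) if s["payload"] else "-")
```

Two things worth noting when reusing this: the parser only ever refangs for its own matching and defangs again before printing, so nothing it emits is clickable; and 61.188.38.158 comes out separately from the domains on purpose, since a bare-IP drop site keeps working after the .cn domains are suspended. Hashing a sample with the posted MD5 is fine for matching this particular test.exe, but MD5 is not collision resistant, so any hashes you record yourself should be SHA-256.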