Author Topic: Trojan Ransom  (Read 406070 times)


August 02, 2011, 06:51:07 am
Reply #90

EP_X0FF

  • Guest
Pornoroliks


Redirector to pornoroliks
Quote
hxxp://sko-vna.ru/dfdasae.cgi?11

LockEmAll ransom

Quote
hxxp://mirijikaporno.ru/300/xxx_video.exe

Redirector to lockemall
Quote
hxxp://lopojadinja.ru/in.cgi?2

August 04, 2011, 03:26:54 pm
Reply #91

EP_X0FF

  • Guest
Pornoroliks


Redirector for pornoroliks
Quote
hxxp://zirn-ba.ru/sdgerwgerh.cgi?11

August 05, 2011, 12:23:42 pm
Reply #92

EP_X0FF

  • Guest
Pornoroliks + redirector


August 08, 2011, 01:06:10 pm
Reply #93

EP_X0FF

  • Guest
LockEmAll ransom
Quote
hxxp://dqn6drj.ru/22/xxx_video.exe

Blackhole exploit kit
Quote
hxxp://demwful.ru/indexx.php?tp=1f2965b33ed2cc11

Redirector to LockEmAll ransom
Quote
hxxp://bliadipoo.ru/in.cgi?2


Pornoroliks

Redirector to pornorolik
Quote
hxxp://giri-ji.ru/fdbrehe.cgi?11

August 10, 2011, 12:06:55 pm
Reply #94

EP_X0FF

  • Guest
Pornoroliks; only updated binaries are listed, all others (13, 16, 18, 20) have not been updated for a long time.

Quote
hxxp://pornovirtualxxx.ru/11/video/porno-rolik11.avi.exe
hxxp://pornovirtualxxx.ru/12/video/porno-rolik12.avi.exe
hxxp://pornovirtualxxx.ru/14/video/porno-rolik14.avi.exe
hxxp://pornovirtualxxx.ru/17/video/porno-rolik17.avi.exe

Redirector for pornoroliks

Quote
hxxp://arudir-z.ru/vbnmgfhm.cgi?11
hxxp://arudir-z.ru/vbnmgfhm.cgi?12
hxxp://arudir-z.ru/vbnmgfhm.cgi?14
hxxp://arudir-z.ru/vbnmgfhm.cgi?17

LockEmAll ransom
Quote
hxxp://hiokporno.ru/porn_video.exe
hxxp://wwvejwd.ru/12/xxx_video.exe

Redirector to LockEmAll ransom
Quote
hxxp://eriosporkas.ru/in.cgi?2

August 11, 2011, 04:32:55 pm
Reply #95

EP_X0FF

  • Guest
Pornoroliks (they seem to have started a scheduler for auto re-crypt every few hours).

Quote
hxxp://ilikerusporevo.ru/11/video/porno-rolik11.avi.exe
hxxp://ilikerusporevo.ru/12/video/porno-rolik12.avi.exe
hxxp://ilikerusporevo.ru/14/video/porno-rolik14.avi.exe
hxxp://ilikerusporevo.ru/17/video/porno-rolik17.avi.exe

Redirectors to pornoroliks
Quote
hxxp://britol-x.ru/rehehdfbere.cgi?11
hxxp://britol-x.ru/rehehdfbere.cgi?12
hxxp://britol-x.ru/rehehdfbere.cgi?14
hxxp://britol-x.ru/rehehdfbere.cgi?17

LockEmAll ransom
Quote
hxxp://xp58iod.ru/77/xxx_video.exe

Redirector path
Quote
hxxp://bybybgydas.ru/ -> hxxp://bybybgydas.ru/video.htm ->
hxxp://nunutufaka.ru/in.cgi?2
hxxp://nunutufaka.ru/in.cgi?3

August 12, 2011, 01:35:17 pm
Reply #96

EP_X0FF

  • Guest
Pornoroliks (direct links, because domain names heavily mutate every hour or two)


August 13, 2011, 03:48:01 pm
Reply #97

EP_X0FF

  • Guest
Ransom "System Antivirus Microsoft 2011"

Quote
hxxp://virobala.in/porn_video.exe

Another creature distributed by the LockEmAll gang



August 15, 2011, 06:40:45 am
Reply #98

EP_X0FF

  • Guest
Ransom LockEmAll

Quote
hxxp://mirkapopas.ru/ -> hxxp://mirkapopas.ru/video.htm -> hxxp://milinixas.ru/in.cgi?2 -> hxxp://dwzporn4.ru/ -> hxxp://dwzporn4.ru/11/xxx_video.exe
Quote
hxxp://xpl0ics.ru/d.php?f=338&e=2

August 15, 2011, 09:31:47 am
Reply #99

EP_X0FF

  • Guest
Ransom

Quote
hxxp://togetgirl.net/porn_video.exe

hxxp://togetgirl.net/ contains an embedded link to Blackhole

Quote
hxxp://officara.in/index.php?tp=792a34dfd2fe3709
(deobfuscated here: http://pastebin.com/bKZD2n29)

Ransom
Quote
hxxp://officara.in/d.php?f=251&e=2

Exploits
Quote
hxxp://officara.in/games/pch.php?f=251
hxxp://officara.in/games/2fdp.php?f=251
hxxp://officara.in/games/worms.jar
hxxp://officara.in/games/java_trust.php?f=251

August 16, 2011, 01:50:59 am
Reply #100

EP_X0FF

  • Guest
Pornorolik moved because of server shutdown.

New location

Redirector
Quote
hxxp://bon-mak-r.ru/trhtrhtrd.cgi?12

August 16, 2011, 07:52:48 am
Reply #101

EP_X0FF

  • Guest
Hoster webxhost (not sure if it's not malware support :D) blocked access by IP due to abuse, but files are still available through domain names.
Samples are constantly repacked (once every 15-20 minutes).


August 16, 2011, 11:37:08 am
Reply #102

EP_X0FF

  • Guest
New pornoroliks (previous locations give 404)


August 16, 2011, 10:04:53 pm
Reply #103

EP_X0FF

  • Guest
Moved to new host (95.57.120.140).

Pornorolik renamed to videos


Redirector
Quote
hxxp://1triret.ru/dehehdsv.cgi?11
hxxp://1triret.ru/dehehdsv.cgi?12
hxxp://1triret.ru/dehehdsv.cgi?17

August 17, 2011, 04:48:58 am
Reply #104

mc0blck

  • Jr. Member

Abuses have been sent to GOHost.kz and ADVANCEDHOSTERS