New Zeus server?

[jackberri]

Appears to be another Zeus server...

Code: [Select]

http://trafm.cn/forum/bin.bin
202.142.20.143

Domain Name: trafm.cn
ROID: 20090210s10001s51088812-cn
Domain Status: ok
Registrant Organization: Cehhost, icn.
Registrant Name: LucasSteven
Administrative Email: steven_lucas_2000@yahoo.com
Sponsoring Registrar: 厦门东南融通在线科技有限公司
Name Server:ns1.trafm.cn
Registration Date: 2009-02-10 05:42
Expiration Date: 2010-02-10 05:42

[SysAdMini]

Yes, it's Zeus.

binary url (returns 404 now)

Code: [Select]

trafm.cn/forum/gg.exe
drop zone:

Code: [Select]

trafm.cn/forum/antivirus.php

[jackberri]

Code: [Select]

hxxp://96.0.203.114/update.bin

[SysAdMini]

Code: [Select]

hxxp://96.0.203.114/update.bin

No, it's not a Zeus config file.

[jackberri]

Code: [Select]

hxxp:qbxq16.com/~admin/cp/gate.php
IP 200.106.149.171
AS27990

Created:2009-12-21

Registrant Contact: hilarykneber@yahoo.com

[SysAdMini]

Code: [Select]

hxxp:qbxq16.com/~admin/cp/gate.php
IP 200.106.149.171
AS27990

Created:2009-12-21

Registrant Contact: hilarykneber@yahoo.com

Probably Zeus. Registrant name is a good indicator for malware and url looks like Zeus drop zone.

[jackberri]

Code: [Select]

hxxp://www.ghostsection.com/dds/stt.php
IP 122.115.63.6
AS9803
Registrant:
Aleksandr Ermalaev bypas@mail.ru

[SysAdMini]

Code: [Select]

hxxp://www.ghostsection.com/dds/stt.php
IP 122.115.63.6
AS9803
Registrant:
Aleksandr Ermalaev bypas@mail.ru

No zeus.

http://www.threatexpert.com/report.aspx?md5=d2d9b3e0770468e4c7b184f779f2be22

[jackberri]

Code: [Select]

hxxp://93.174.93.137/admin/crypted.exe
AS29073

md5sum ===> 89853a2c8e7a48a82c762669c9278ed8
http://www.virustotal.com/analisis/a445655503d769e6ab823fe7705f7aebfa0e74f383d3b634a54910f46bc52a53-1264478891
VT 6/40 (15.00%)

[SysAdMini]

Code: [Select]

hxxp://93.174.93.137/admin/crypted.exe
AS29073

md5sum ===> 89853a2c8e7a48a82c762669c9278ed8
http://www.virustotal.com/analisis/a445655503d769e6ab823fe7705f7aebfa0e74f383d3b634a54910f46bc52a53-1264478891
VT 6/40 (15.00%)

No Zeus

http://camas.comodo.com/cgi-bin/submit?file=a445655503d769e6ab823fe7705f7aebfa0e74f383d3b634a54910f46bc52a53

[jackberri]

Code: [Select]

hxxp://adspacepoint.com85.17.136.139
Reverse: hosted-by.leaseweb.com
AS16265

Registrant: Seso Verr
Email: moldavimo@safe-mail.net

Code: [Select]

hxxp://adspacepoint.com/xl3.exemd5sum ===> 81eaae0fa6b7017691c63c2cf55b2cc6
http://www.virustotal.com/analisis/d50433719b4f62a26bb5d3ecbd4f118f196dbb3fca91cea15fac35a34dec049e-1265504482
VT 11/40 (27.5%)

Created files:
%SYSDIR%\crt4.dll
%SYSDIR%\kbupdate.dll
%SYSDIR%\kbdatat4.dll
%SYSDIR%\kboem32.dat

Code: [Select]

hxxp://adspacepoint.com/lx4.php

[jackberri]

Code: [Select]

hxxp://91.201.28.6
AS44107

Viktor Danilov
e-mail: vd@prombd.net

Code: [Select]

hxxp://91.201.28.6/ldr2.exemd5sum ===> 076e367f2911212bd7b211da57e26b3c
http://www.virustotal.com/analisis/d3fb1e2db89f97195330b51848b7e64a25f8f2fa794f8ca59100203bbeba642c-1265503271
VT 14/40 (35%)

Created files:

\Device\RasAcd
%SYSDIR%\crt4.dll
%SYSDIR%\kbupdate.dll
%SYSDIR%\kbdatat4.dll
%SYSDIR%\kboem32.dat

[SysAdMini]

hxxp://91.201.28.6/ldr2.exe
hxxp://adspacepoint.com/xl3.exe

Both aren't Zeus.

[jackberri]

Code: [Select]

hxxp://195.88.209.23:5412/guard/chk.php

[jackberri]

Code: [Select]

hxxp://vsezaebok.biz/httpd/httpd.swemd5sum ===> 2362cdf26c321bbbf51b7888ee258622

Code: [Select]

hxxp://92.60.177.242/sv_.exe    related zeusbotnet malware?md5sum ===> fd6ca18bce71efa9c41f471f1be21308
http://www.virustotal.com/analisis/c158305ad450031c69f0e999820e10562fbdbec4b425c0cf239f22561d26b3e0-1267182087
VT 11/42 (26.2%)

Code: [Select]

hxxp://vsezaebok.biz/plesk/erorr.php