Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on August 26, 2009, 06:53:23 pm

Title: Windows Protection Suite
Post by: eoin.miller on August 26, 2009, 06:53:23 pm
Once installed, malware calls home to prestotunerst.cn:

Code:
GET http://prestotunerst.cn/reports/get_product_domains.php?abbr=WINPS&pid=3 HTTP/1.0
User-Agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient)
Accept: text/html, */*
Host: prestotunerst.cn
Proxy-Connection: Keep-Alive

Response back includes the domains to talk to:
Code:
[td_site]
http://windowsprotectionsuite.com
http://winprotection-suite.com

[td_update]
http://update1.windowsprotectionsuite.com
http://update2.windowsprotectionsuite.com
http://update1.winprotectionsuite.com
http://update2.winprotectionsuite.com

[td_presale]
http://pay1.winprotectionsuite.com
http://pay2.winprotectionsuite.com

Also contacts paymentvirusmelt.cn to produce HTML/image content for the fraud payment site:

http://paymentvirusmelt.cn/index.php?uid=7&mid=15edf56585c7bc5a46d843def95b7c48&wv=wvXP&bid=b_Unknown&sid=11011&ls=1&verint=601&errors=0&nid=MainWindow_16&abbr=WINPS&pid=3

Fraudulent payment processing is handled by ridebullet.com:
https://ridebullet.com/payment/?sku_name=WIPS_EN,WIPS_EN_00,WIPS_EN_01,ACTF_EN,EDS_EN_S&sku_checked=1&nid=15edf56585c7bc5a46d843def95b7c48&affid=7&lid=wvXP;b_Unknown;1;11011;0;0;-1;10

Some of the domains are in the MDL, but the following domains are not and should be considered for being added to MDL:
prestotunerst.cn
winprotection-suite.com
winprotectionsuite.com
paymentvirusmelt.cn
ridebullet.com
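Added example, not code from the post or from MDL: a small Python script that recognises the check-in request shown above (the TALWinInetHTTPClient User-Agent plus the /reports/get_product_domains.php path), parses the [td_*] response into sections, and lists the registrable domains that are not yet on a known blocklist. The sample request and response are constructed from the captures in the post; the set of domains assumed to be already listed (KNOWN_IN_MDL) and the two-label "registrable domain" heuristic are assumptions of this example, not facts from the page.

```python
"""
Parse the rogue-AV "get_product_domains" check-in described in the post and
emit the domains worth adding to a blocklist. Added example, not MDL code.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the request shown in the post.
CALLBACK_UA = "TALWinInetHTTPClient"
CALLBACK_PATH = "/reports/get_product_domains.php"

# Constructed sample request, copied from the shape shown in the post.
SAMPLE_REQUEST = (
    "GET http://prestotunerst.cn/reports/get_product_domains.php?abbr=WINPS&pid=3 HTTP/1.0\r\n"
    "User-Agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient)\r\n"
    "Accept: text/html, */*\r\n"
    "Host: prestotunerst.cn\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "\r\n"
)

# Constructed sample response, copied from the post.
SAMPLE_RESPONSE = """[td_site]
http://windowsprotectionsuite.com
http://winprotection-suite.com

[td_update]
http://update1.windowsprotectionsuite.com
http://update2.windowsprotectionsuite.com
http://update1.winprotectionsuite.com
http://update2.winprotectionsuite.com

[td_presale]
http://pay1.winprotectionsuite.com
http://pay2.winprotectionsuite.com
"""

# Assumption for this example: the one domain we pretend is already listed.
KNOWN_IN_MDL = {"windowsprotectionsuite.com"}

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]$")


def parse_http_request(raw):
    """Split a raw HTTP request into (method, request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def match_callback(raw):
    """Return the check-in parameters if the request matches the indicators, else None."""
    _method, target, headers = parse_http_request(raw)
    parts = urlsplit(target)  # absolute URI, since the capture went through a proxy
    if CALLBACK_UA not in headers.get("user-agent", "") or parts.path != CALLBACK_PATH:
        return None
    query = parse_qs(parts.query)
    return {
        "host": parts.hostname or headers.get("host", ""),
        "abbr": query.get("abbr", [""])[0],
        "pid": query.get("pid", [""])[0],
    }


def parse_domain_config(text):
    """Parse the INI-style [td_*] response into {section: [url, ...]}.

    configparser is avoided on purpose: its default delimiters include ':',
    so bare 'http://...' lines would be split into key/value pairs.
    """
    config, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            config.setdefault(section, [])
        elif section is not None:
            config[section].append(line)
    return config


def registrable_domain(host):
    """Crude heuristic: last two labels. Fine for the .cn/.com names here; a
    real tool would consult the Public Suffix List (assumption of this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domains_from_config(config):
    """Collapse every URL in every section to its registrable domain."""
    hosts = set()
    for urls in config.values():
        for url in urls:
            host = urlsplit(url).hostname
            if host:
                hosts.add(registrable_domain(host))
    return hosts


def candidates_for_blocklist(config, callback_host, known):
    """Registrable domains seen in the check-in that are not already listed."""
    seen = domains_from_config(config) | {registrable_domain(callback_host)}
    return sorted(d for d in seen if d not in known)


if __name__ == "__main__":
    hit = match_callback(SAMPLE_REQUEST)
    print("check-in:", hit)
    cfg = parse_domain_config(SAMPLE_RESPONSE)
    for name in candidates_for_blocklist(cfg, hit["host"], KNOWN_IN_MDL):
        print("candidate:", name)
```

The request matcher keys on the User-Agent string and the script path rather than on the .cn host, so it still fires when the operators rotate the callback domain; the response parser is what turns one capture into the full set of site, update and payment domains to submit.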