Author Topic: kisswow.com.cn  (Read 4739 times)


May 10, 2008, 09:44:33 am

cconniejean

hxxp://www.kisswow.com.cn/

The above is the most I can get. I got an iframe alert and my computer was totally attacked.

I did look at this at vURL, so I kind of see what it is doing.

May 10, 2008, 02:49:30 pm
Reply #1

Evilcry

Hello,

From a fast analysis, the other extracted interesting websites are:

Code:
hxxp://www.ririwow.cn/14.htm
hxxp://www.ririwow.cn/real.htm
hxxp://www.ririwow.cn/real11.htm
hxxp://www.ririwow.cn/07004.htm
hxxp://js.users.51.la/1866439.js

kisswow.com.cn implements an exploit (MDAC - MS06-14); you can see it by strcat()ting the clsid, that is clsid:BD96C556-65A3-11D0-983A-00C04FC29E36

ririwow.cn/07004.htm
implements another exploit Microsoft Windows VML Element Integer Overflow Vulnerability clsid:10072CEC-8CC1-11D1-986E-00A0C955B42E

and from it comes out another interesting link hxxp://www.ririwow.cn/14.htm

Code:
hxxp://dj.jueduizuan.com/ri.exe
that I'm going to reverse :)

Regards,
Evilcry


Deep Root Never Freezes - Tolkien
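As an added example (not code from the thread or from Evilcry), here is a defender-side check that does what the reply describes by hand: fold JavaScript string concatenation back together so a split CLSID becomes contiguous, then match the result against the two CLSIDs named in the reply. The HTML sample is constructed, and the exploit names in the table are the descriptions given in the reply.

```python
import re

# CLSIDs named in the reply: MDAC (MS06-14 in the reply) and the VML integer overflow.
KNOWN_EXPLOIT_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "MDAC (MS06-14)",
    "10072CEC-8CC1-11D1-986E-00A0C955B42E": "Windows VML Element Integer Overflow",
}

# Constructed sample, not the real kisswow page: the first CLSID is split across
# concatenated string literals so a plain substring scan of the raw source misses it.
SAMPLE_HTML = '''<script>
var a = "clsid:BD96C5" + "56-65A3-11D0-" + '983A-00C04FC29E36';
var o = document.createElement("object");
o.setAttribute("classid", a);
</script>
<object classid="clsid:10072CEC-8CC1-11D1-986E-00A0C955B42E"></object>'''

# Two adjacent string literals joined by '+', each with its own quote style.
_CONCAT = re.compile(
    r'''(["'])((?:\\.|(?!\1).)*)\1\s*\+\s*(["'])((?:\\.|(?!\3).)*)\3''')

_GUID = re.compile(r'([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})')


def join_concatenated_literals(src: str) -> str:
    """Fold "a" + 'b' into "ab" until nothing changes (the strcat() step)."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), src)
    return src


def find_exploit_clsids(src: str) -> list:
    """Return known exploit CLSIDs in src, noting whether folding was needed to see them."""
    folded = join_concatenated_literals(src)
    hits = []
    for m in _GUID.finditer(folded):
        guid = m.group(1).upper()
        if guid in KNOWN_EXPLOIT_CLSIDS:
            hits.append({"clsid": guid,
                         "name": KNOWN_EXPLOIT_CLSIDS[guid],
                         "obfuscated": guid not in src.upper()})
    return hits


if __name__ == "__main__":
    for hit in find_exploit_clsids(SAMPLE_HTML):
        print(hit)
```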

May 10, 2008, 02:55:27 pm
Reply #2

sowhat-x

...welcome on board, Evilcry - nice to have you around here ;)

May 10, 2008, 05:53:33 pm
Reply #3

Evilcry

Thank you sowhat :)

ri.exe is Trojan.Win32.Agent.lpv, better known as TR/Dropper.Gen

Regards,
Evilcry
Deep Root Never Freezes - Tolkien

May 10, 2008, 06:24:20 pm
Reply #4

JohnC

Thank you.

May 11, 2008, 01:02:38 am
Reply #5

cconniejean

Thank you for the answers. I started out trying to check a link to a credit card portal and got an exploit alert from my software. So I tried to google the link instead and got hit with alerts again for exploits being blocked to my computer. Thanks again.