Author Topic: xwarezzz.com - others  (Read 3218 times)


December 15, 2008, 10:12:22 am

hhhobbit

I am looking at the xwarezzz.com host because the MVP Hosts file author is removing it.  I wanted to understand why he was removing it.  So I followed some of your links and found the following.

1.  The download for the Acronis Disk Director is only pointed to by this site.  The actual download comes from:

demomovie.net/download/Keygen.Acronis.Disk.Director.Suite.10.0c3098.exe

It also had one more link in the file:

www.download-provider.com/download-k:Acronis Disk Director Suite 10.0.html?aff.id=1330

I couldn't find anything amiss in the file from download-provider.com.  I scanned the file that I downloaded from demomovie.net (which had no copyright string and used the NullSoft installer) at scanner.virus.org.  Only one scanner, Sophos Sweep, found anything wrong with it (Mal/TDSS-A).

2. The second one (Zlob trojan) also goes to this same host:

demomovie.net/download/serial.XChat.2.8.7c3098.exe

Again, packaged with the NullSoft installer, no copyright string.  I didn't bother to scan it, but it will probably have similar results.

3. The third one (Trojan.Obfuscated.gx / Downloader) also pulled from the same host:

demomovie.net/download/Keygen.Vista.Codec.Package.4.6.1c3098.exe
- says it is keygen only but we also have
rapidshare.com/files/144330416/VistaCodecs_v461.exe
- which isn't an EXE file at all but an HTML file.

What I was trying to understand was why Mike was removing this host.  You may want to take a closer look at the host demomovie.net, since this seems to be the actual host the downloads are coming from.  If I can remember, I will scan these files again in a few days to see if the scan count goes up.  But it leaves me not knowing what to do.  I am putting the whole mess up in your folder on my server.  I did the following renames (the first because it really is an HTML file, the others to quarantine them):

VistaCodecs_v461.exe  ---> VistaCodecs_v461.html
Keygen.Acronis.Disk.Director.Suite.10.0c3098.exe ---> Keygen.Acronis.Disk.Director.Suite.10.0c3098.exe.ck
Keygen.Vista.Codec.Package.4.6.1c3098.exe ---> Keygen.Vista.Codec.Package.4.6.1c3098.exe.ck
serial.XChat.2.8.7c3098.exe ---> serial.XChat.2.8.7c3098.exe.ck

All the stuff is in the following folder / files:

http://www.securemecca.com/MalwareDomainList/xwarezzz.com_OR_demomovie.net.7z
http://www.securemecca.com/MalwareDomainList/xwarezzz.com_OR_demomovie.net.zip

They are encrypted with the password "virus".  What I am searching for is who should be blocked.  It looks like the xwarezzz.com host is just the front end.  If a scan in a few days turns up something better, I will be blocking demomovie.net in my next hosts file upgrade.  I will be removing the xwarezzz.com host, since all of its exploits are contained by my hosts file blocks and the PAC filter stops it anyway (too much negative stuff associated with warez).  I have even driven the block of warez down into the URL.

Regards
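The triage the post describes by hand (checking what a downloaded "EXE" really is, then renaming the mislabelled HTML file to .html and the real executables to .exe.ck so they cannot be run by accident) can be scripted. The following is an added example, not the poster's code or anything from the hosts project: it classifies each file from its header bytes rather than its extension (an MZ/PE header versus HTML markup), records a SHA-256 for later re-submission to a scanner, and applies the same renaming scheme. The sample files it writes into a temporary directory are constructed here, with a minimal fake PE header standing in for the real downloads.

```python
"""Content-based triage and quarantine renaming for downloaded samples.
Added example (not the original poster's code). Sample inputs are
constructed below; none of the real files from the post are included."""
import hashlib
import struct
import tempfile
from pathlib import Path

# Markers that identify an HTML page that was served under an .exe name.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<script", b"<body")


def classify(data: bytes) -> str:
    """Return 'pe', 'mz', 'html' or 'unknown' from the file content only."""
    if data[:2] == b"MZ":
        # A DOS stub alone is 'mz'; a Win32 executable also carries the
        # 'PE\0\0' signature at the offset stored in e_lfanew (0x3c).
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"
    head = data[:1024].lstrip().lower()
    if any(marker in head for marker in HTML_MARKERS):
        return "html"
    return "unknown"


def quarantine_name(path: Path, kind: str) -> Path:
    """Mirror the post's renames: mislabelled HTML gets .html, anything
    else gets a .ck suffix appended so Windows will not treat it as runnable."""
    if kind == "html" and path.suffix.lower() == ".exe":
        return path.with_suffix(".html")
    return path.with_name(path.name + ".ck")


def triage_directory(directory: Path) -> dict:
    """Classify, hash and rename every file in `directory`.
    Returns {original_name: (kind, new_name, sha256_hex)}."""
    results = {}
    for path in sorted(directory.iterdir()):  # list first, then rename
        if not path.is_file():
            continue
        data = path.read_bytes()
        kind = classify(data)
        digest = hashlib.sha256(data).hexdigest()
        new_path = quarantine_name(path, kind)
        path.rename(new_path)
        results[path.name] = (kind, new_path.name, digest)
    return results


def fake_pe() -> bytes:
    """Constructed stand-in for a Win32 executable: MZ header whose
    e_lfanew points at a PE signature at offset 0x40. Not a real binary."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample set using the file names from the post; contents are fake.
SAMPLE_FILES = {
    "Keygen.Acronis.Disk.Director.Suite.10.0c3098.exe": fake_pe(),
    "serial.XChat.2.8.7c3098.exe": fake_pe(),
    "VistaCodecs_v461.exe": b"<!DOCTYPE html><html><body>Download here</body></html>",
}


def run_demo() -> dict:
    """Write the constructed samples to a temp directory and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        for name, content in SAMPLE_FILES.items():
            (workdir / name).write_bytes(content)
        return triage_directory(workdir)


if __name__ == "__main__":
    for original, (kind, renamed, digest) in run_demo().items():
        print(f"{kind:8} {original} -> {renamed}  sha256={digest[:16]}...")
```

The SHA-256 is what you would keep alongside the quarantined file so a later re-scan (the "scan again in a few days" step in the post) can be matched to the same sample even after it has been renamed; the header check is deliberately independent of the extension because, as the VistaCodecs file shows, the name a download site gives a file says nothing about what it contains.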