Author Topic: More Trojan/Bancos  (Read 3289 times)

April 01, 2011, 09:58:30 am
rawdata

Site is hosted at:
Code: [Select]
http://mail.rqys.com.au/pagi.asp?4959322000000
   
This redirects to:
Code: [Select]
https://eoficina.e.telefonica.net/sites/1204/Org300690/pwe/pwe/images/comprovativo2910002938104.exe
This is a trojan/downloader which, after being run, downloads files from:
Code: [Select]
https://eoficina.e.telefonica.net/sites/1204/Org300690/pwe/pwe/images/01.exe
https://eoficina.e.telefonica.net/sites/1204/Org300690/pwe/pwe/images/02.exe
https://eoficina.e.telefonica.net/sites/1204/Org300690/pwe/pwe/images/03.exe

www.szkolabg.org/cutenews/.../wab.php

And downloads itself again from the same address:
Code: [Select]
https://eoficina.e.telefonica.net/sites/1204/Org300690/pwe/pwe/images/comprovativo2910002938104.exe
There is a counter of the number of infections at:
Code: [Select]
200.13.244.245/cw-assenda/bin/ru/contador.asp

Virustotal report:
Code: [Select]
http://www.virustotal.com/file-scan/report.html?id=657e03e2668f4bba9c117b4e244d90d2756053ea0b707aaabfcd670b59a1c641-1301648128

April 01, 2011, 11:01:24 am
Reply #1

rawdata

And another one:


The site is hosted at:
Code: [Select]
http://gemma.unisabana.edu.co/scredito/Ver.asp?BaixarComprovante6528.php-Cliente?MostraComprovanteCliente=6528
This redirects to:
Code: [Select]
http://204.16.197.216/aspnet_client/system_web/Comprovante5428.pdf.exe
This is a trojan/downloader which, after being run, downloads files from:
Code: [Select]
www.barceltecnica.com//media/system/images/mootre_k.gif
121.15.139.169/WebAccess/editor/ng/new/in.asp?tipo=2
www.derany.com/2010/media/system/images/mootree_ki.gif