report malicious domain

0 (0%)
0 (0%)

Total Members Voted: 0

Author Topic: new Malicious Domains of the malware p2p  (Read 6104 times)

0 Members and 1 Guest are viewing this topic.

December 07, 2011, 09:38:02 pm
Read 6104 times


  • Newbie

  • Offline
  • *

  • 2
my English is bad

itīs han malicious domains that download trojan


these pages every day is different Trojans not to be identified by anti-virus firms

these pages are open to run a malicious video (exploit video) downloaded from ares or emule p2p

This is a report of a malware of this page
report of threatexpert.com

Technical Details:

   File System Modifications

    The following files were created in the system:

#   Filename(s)   File Size   File Hash
1    %AppData%\f6dcfecc\@    2.048 bytes    MD5: 0x8B2AE2A4BB599B933E2CFC0FA6D9D1F3
SHA-1: 0x9970FE276FE56BA3BC2DA5CBEFA8F2928AF4CBE0
2    %AppData%\f6dcfecc\U\80000000.$
%AppData%\f6dcfecc\U\800000cf.$    0 bytes    MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
3    %AppData%\f6dcfecc\X    60.416 bytes    MD5: 0x9F15EC503A6FB22210A45323936B63D2
SHA-1: 0xC0B47D70872A8362A7DB71A8541AC6E112D4B926
4    [file and pathname of the sample #1]    363.008 bytes    MD5: 0x3E6963E23A65A38C5D565073816E6BDC
SHA-1: 0xE158E81424F57D0C07A526F30F4A444EB4738EB5

        %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

    The following directories were created:

        %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

   Registry Modifications

    The following Registry Keys were created:

    The newly created Registry Values are:
            u = 0x0000001C
            cid = 36 EE 98 3D 97 E0 50 0E
        [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
            Shell = "%AppData%\f6dcfecc\X"

        so that X runs every time Windows starts
            qid = 0x5AB41B83
            u = 0x0000001C
            id = 36 EE 98 3D 97 E0 50 0E

   Other details

    There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host   Port Number   21810   21810   21810   21810   21810   21810   80   22292   22292   22292   22292   22292   22292   22292   22292   22292

    The data identified by the following URLs was then requested from the remote web server:

   Outbound traffic (potentially malicious)

    There was an outbound traffic produced on port 21810:

00000000 | E5AA C031 9B0F 1041 315B 7408 4D9B 39C1 | ...1...A1[t.M.9. 00000010 | A532 2743 | .2'C

    There was an outbound traffic produced on port 22292:

00000000 | E5AA C031 7D97 452F 315B 7408 4D9B 39C1 | ...1}.E/1[t.M.9. 00000010 | AC06 3C40 | ..<@


name of malware is by
kaspersky:  Trojan.Win32.Jorik.ZAccess.azz
avira:         TR/Kazy.KG.The term "TR/
nod32:       Win32/Kryptik.WUU trojan
sophos:      Troj/Agent-UGF. An

December 07, 2011, 10:01:37 pm
Reply #1


  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Thanks for submission and welcome to MDL.

Sample is rootkit ZeroAccess.

I have found some additional domains at same host.


Please click "New Topic" instead of "Post new Poll" next time. Thank you.
Ruining the bad guy's day