60.190.203.154 and 888.jopenqc.com

[sowhat-x]

Most of them Upacked in this first domain...

hxxp://60.190.203.154/100.exe
hxxp://60.190.203.154/101.exe
hxxp://60.190.203.154/102.exe
hxxp://60.190.203.154/103.exe
hxxp://60.190.203.154/104.exe
hxxp://60.190.203.154/105.exe
hxxp://60.190.203.154/106.exe
hxxp://60.190.203.154/107.exe
hxxp://60.190.203.154/108.exe
hxxp://60.190.203.154/109.exe
hxxp://60.190.203.154/110.exe
hxxp://60.190.203.154/112.exe
hxxp://60.190.203.154/114.exe
hxxp://60.190.203.154/115.exe
hxxp://60.190.203.154/117.exe
hxxp://60.190.203.154/118.exe

========================

hxxp://888.jopenqc.com/881.exe
hxxp://888.jopenqc.com/882.exe
hxxp://888.jopenqc.com/883.exe
hxxp://888.jopenqc.com/884.exe
hxxp://888.jopenqc.com/885.exe
hxxp://888.jopenqc.com/886.exe
hxxp://888.jopenqc.com/887.exe
hxxp://888.jopenqc.com/888.exe
hxxp://888.jopenqc.com/889.exe
hxxp://888.jopenqc.com/8810.exe
hxxp://888.jopenqc.com/8811.exe
hxxp://888.jopenqc.com/8812.exe
hxxp://888.jopenqc.com/8813.exe
hxxp://888.jopenqc.com/8814.exe
hxxp://888.jopenqc.com/8815.exe
hxxp://888.jopenqc.com/8816.exe
hxxp://888.jopenqc.com/8817.exe
hxxp://888.jopenqc.com/8818.exe
hxxp://888.jopenqc.com/8819.exe
hxxp://888.jopenqc.com/8820.exe
hxxp://888.jopenqc.com/8821.exe
hxxp://888.jopenqc.com/8822.exe

==========================
...this third domain is already in the list from what I saw,just a few samples more...

hxxp://just.yule2007.com/dh.exe
hxxp://just.yule2007.com/fy.exe
hxxp://just.yule2007.com/jh.exe
hxxp://just.yule2007.com/tl.exe
hxxp://just.yule2007.com/wd.exe
hxxp://just.yule2007.com/wow.exe
hxxp://just.yule2007.com/zt.exe
hxxp://just.yule2007.com/zx.exe

[JohnC]

Thanks, these will be added soon.

[sowhat-x]

...and a few more IFrame friends of the "888.jopenqc.com" guy above...

hxxp://xx.9365.org/ip/1.htm
hxxp://web.2008yi.com/
hxxp://web.2008yi.com/dyy.htm
hxxp://aa.llsging.com/ww/new82.htm
hxxp://nn.mm5208.com/nn.htm
hxxp://a.2008yi.com/zu.htm
hxxp://acc.jqxx.org/live/index.htm
hxxp://boc.sbb22.com/home/index.htm
hxxp://888.jopenqc.com/ms33.htm?8818
hxxp://888.jopenqc.com/88/881.htm
hxxp://888.jopenqc.com/88/882.htm
hxxp://888.jopenqc.com/88/883.htm
hxxp://888.jopenqc.com/88/bf.htm
hxxp://888.jopenqc.com/888down.cab

hxxp://aa.llsging.com/aa/pps.htm

-> RealPlayer exploit...

...too many crap in here,so I just continue in the same thread...

hxxp://www.ip530.com/newbala.htm
hxxp://www.ip530.com/wm/g14.htm
hxxp://www.ip530.com/wm/du66.htm
hxxp://www.ip530.com/Baidu1.cab
hxxp://www.ip530.com/Baidu.exe

And this extra sample also,following domain is already in list...

hxxp://268ip.com/ad.exe

[sowhat-x]

...moving around in circles...

hxxp://www.91zc.com/rm001/
hxxp://123.91zc.com/rm001/
hxxp://www.youkum.cn/css.htm
hxxp://www.cp16688.cn/wmpu/yukuma.htm
hxxp://www.cp16688.cn/root/1.gif -> ...malformed/exploit...
hxxp://webye163.cn/root/vip.exe
hxxp://www.bedr.cn/css.htm
hxxp://aa.llsging.com/ww/new09.htm?057
hxxp://aa.llsging.com/aa/haha.htm
hxxp://www.motoog.cn/css2.htm
hxxp://5.xqhgm.com/mian1.htm?5
hxxp://5.xqhgm.com/new/1.htm
hxxp://1.xqhgm.com/x.exe
hxxp://5.xqhgm.com/new/2.htm
hxxp://1.xqhgm.com/calc.cab
hxxp://5.xqhgm.com/new/3.htm
hxxp://1.xqhgm.com/1.exe
hxxp://1.xqhgm.com/2.exe
hxxp://1.xqhgm.com/3.exe
hxxp://1.xqhgm.com/4.exe
hxxp://1.xqhgm.com/5.exe
hxxp://1.xqhgm.com/6.exe
hxxp://1.xqhgm.com/7.exe
hxxp://1.xqhgm.com/8.exe
hxxp://1.xqhgm.com/9.exe
hxxp://1.xqhgm.com/10.exe
hxxp://1.xqhgm.com/11.exe
hxxp://1.xqhgm.com/12.exe
hxxp://1.xqhgm.com/13.exe
hxxp://1.xqhgm.com/14.exe
hxxp://1.xqhgm.com/15.exe
hxxp://1.xqhgm.com/16.exe
hxxp://1.xqhgm.com/17.exe
hxxp://1.xqhgm.com/18.exe
hxxp://1.xqhgm.com/19.exe
hxxp://1.xqhgm.com/20.exe
hxxp://1.xqhgm.com/21.exe
hxxp://1.xqhgm.com/22.exe
hxxp://1.xqhgm.com/23.exe
hxxp://1.xqhgm.com/24.exe

[JohnC]

Thanks these will be in the list soon.