Malware Domain List

Malware Related => Malicious Domains => Topic started by: hhhobbit on April 20, 2009, 08:00:23 am

Title: education
Post by: hhhobbit on April 20, 2009, 08:00:23 am
It is okay to post http://... here because we know what we are doing and they aren't hot links.  But something like this:

http://antispamfilterblocker.com/2009/03/page/6/
hxxp://claitors.com/gifs/novo.php

IS HOT (I prepended a "hxxp://" to set a good example).  It will give people a VisualBasic Trojan mini-downloader.  So please educate people to replace the "http://" with "hxxp://" or prepend a "hxxp://" to hosts with just the host name to deaden the link if the links are hot.  I guess it could have been worse in the past but:

http://www.virustotal.com/analisis/7aa53fc0837d918b14f2bddc0d6aa92f

If I had Authentium, ClamAV, eSafe, F-Prot, or Rising I would still be in trouble!  The embedded host is www.agrimat.com.br.  I don't know the rest of the URL.  It responds to an ICMP ping but there seems to be no index.html, at least on port 80.  You will have to dissect the file to see what it does with that partial URL:

www.agrimat.com.br
windir
\system32\1046\lsass.exe
/image/barra5.jpg
\system32\1046\spoolsv.exe
/image/barra3.jpg
\system32\1046\ab.exe
/image/barra4.jpg

It is still downloadable - name NovoDocumento1.exe. Long time for me not writing.  Hope to be back soon with goodies.  But beware of Greeks bearing gifts.  Some girls compared me with the Greek God Apollo when I was younger.  I feel more like Sisyphus now ...
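The deadening convention the post asks for (http -> hxxp, and hxxp:// prepended to a bare host name), as an added example that is not part of the original post: a small Python helper that defangs a single URL, refangs it again for analysis tooling, and scans a draft post for links that are still hot. Host names in the sample draft are constructed, not taken from the thread.

```python
import re

# Live links in free text: http:// or https:// followed by non-space characters,
# not ending on trailing punctuation such as a comma or closing parenthesis.
_HOT_LINK_RE = re.compile(r'https?://[^\s<>"\']*[^\s<>"\'.,;:)]', re.IGNORECASE)
# Loose heuristic for a bare host name such as www.agrimat.com.br, with an optional path.
_BARE_HOST_RE = re.compile(r'^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?].*)?$', re.IGNORECASE)


def defang_url(url: str) -> str:
    """Deaden one URL: http -> hxxp, https -> hxxps, bare host -> hxxp://host.
    Input that is already defanged is returned unchanged (idempotent)."""
    url = url.strip()
    low = url.lower()
    if low.startswith(("hxxp://", "hxxps://")):
        return url
    if low.startswith("http://"):
        return "hxxp://" + url[len("http://"):]
    if low.startswith("https://"):
        return "hxxps://" + url[len("https://"):]
    if _BARE_HOST_RE.match(url):
        return "hxxp://" + url
    return url


def refang_url(url: str) -> str:
    """Inverse of defang_url, for handing a deadened link to an analysis tool."""
    url = url.strip()
    low = url.lower()
    if low.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    if low.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    return url


def find_hot_links(text: str) -> list:
    """Return every still-clickable http(s) URL in a draft post, in order of appearance."""
    return _HOT_LINK_RE.findall(text)


def defang_text(text: str) -> str:
    """Deaden every hot link in a draft post. hxxp links are left alone; bare hosts in
    prose are not touched, because they cannot be told apart from ordinary words reliably."""
    return _HOT_LINK_RE.sub(lambda m: defang_url(m.group(0)), text)


# Constructed sample draft (not from the original post): one live link, one already deadened.
SAMPLE_DRAFT = "Found it at http://sample-host.test/gifs/novo.php, same family as hxxp://other.test/x"

if __name__ == "__main__":
    print(find_hot_links(SAMPLE_DRAFT))
    print(defang_text(SAMPLE_DRAFT))
```

Running find_hot_links over a draft before posting is the check: an empty list means nothing in it is clickable.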