Author Topic: download-all4free.com  (Read 2941 times)


December 15, 2008, 05:16:52 am

hhhobbit


A new one for you.  Got it from the fact that the MVPHosts author removed uniqueadult.com and I didn't like it because it was still alive.  I have learned from hard experience that if the host has not been parked or is dead it is usually still dangerous if it was before.  So I pulled that one, then looked at the index.php file and then pulled:

tube-sixnine.com/get.php\?id\=21199\&p\=21
download-all4free.com/FullBSCodecz.21199.exe

The file is partially encrypted, no copyright strings, and only NOD32 and VirusBuster detect it.  I have the results of the scan and the file itself encrypted with password "virus" here:

http://www.securemecca.com/MalwareDomainList/FullBSCodecz.21199.exe.BAD.7z
http://www.securemecca.com/MalwareDomainList/download-all4free.com.pdf

I do what I normally do when I am reasonably sure what I am looking at is bad - tack on a ".BAD" extension, since then Windows doesn't know what to do with it.  Until then the extension I tack on is ".ck".  I just bypassed that on this one.  The only reason I am putting this one up there is for a time-stamp comparison in case the EXE changes.  This time I don't think they will do it, but you never know.  It is 05:12 15 Dec UTC and I pulled the file down less than 15 minutes ago.


Oh yes - the block of uniqueadult.com continues by me and download-all4free.com has joined it.  I can't remember if I pulled this host from your hosts file I gave you yesterday (I don't think so since I removed only dead and parked hosts and it is neither).  If I did, you may want to put it back in but the infector file really comes from this host and the other hosts that uniqueadult.com points to.

Ciao
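The handling routine hhhobbit describes above (rename a pulled sample to .ck while it is merely suspect and to .BAD once it is judged malicious so Windows no longer has an executable handler for it, and keep a time-stamped record so a later pull of the same URL can be compared in case the EXE changes) as an added example. This is not code from the original post or from securemecca.com; the ledger format, the function names, and the sample bytes are all my own assumptions. The bytes stand in for the real FullBSCodecz.21199.exe, which is not reproduced here.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Extension conventions from the post: ".ck" while a file is only suspect,
# ".BAD" once it is judged malicious.  Neither has a handler on Windows.
SUSPECT_EXT = ".ck"
BAD_EXT = ".BAD"

# Constructed stand-ins for two versions of a pulled EXE.  A real PE starts
# with the "MZ" magic; the rest of these bytes are placeholder, not the sample.
SAMPLE_V1 = b"MZ" + b"\x00" * 62 + b"constructed placeholder v1"
SAMPLE_V2 = b"MZ" + b"\x00" * 62 + b"constructed placeholder v2"

SAMPLE_URL = "download-all4free.com/FullBSCodecz.21199.exe"  # from the post


def defang_name(filename: str, confirmed_bad: bool) -> str:
    """Append .ck (suspect) or .BAD (confirmed) to the original file name."""
    return filename + (BAD_EXT if confirmed_bad else SUSPECT_EXT)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_pull(ledger: dict, url: str, data: bytes, pulled_at=None) -> dict:
    """Append one pull of `url` to the in-memory ledger (dict: url -> list of
    entries) and report whether the content differs from the previous pull.

    Returns {"changed": bool, "previous": entry-or-None, "current": entry}.
    """
    if pulled_at is None:
        pulled_at = datetime.now(timezone.utc)
    entry = {
        "sha256": sha256_hex(data),
        "size": len(data),
        "pulled_at": pulled_at.astimezone(timezone.utc).isoformat(),
    }
    history = ledger.setdefault(url, [])
    previous = history[-1] if history else None
    changed = previous is not None and previous["sha256"] != entry["sha256"]
    history.append(entry)
    return {"changed": changed, "previous": previous, "current": entry}


def quarantine(sample_dir: Path, filename: str, data: bytes, confirmed_bad: bool) -> Path:
    """Write the sample under its defanged name and return the path written."""
    sample_dir.mkdir(parents=True, exist_ok=True)
    out = sample_dir / defang_name(filename, confirmed_bad)
    out.write_bytes(data)
    return out


if __name__ == "__main__":
    # Hypothetical walkthrough: first pull, identical re-pull, then a changed EXE.
    ledger = {}
    for blob in (SAMPLE_V1, SAMPLE_V1, SAMPLE_V2):
        r = record_pull(ledger, SAMPLE_URL, blob)
        print(r["current"]["pulled_at"], r["current"]["sha256"][:16], "changed" if r["changed"] else "same")
    path = quarantine(Path("samples"), SAMPLE_URL.rsplit("/", 1)[1], SAMPLE_V2, confirmed_bad=True)
    print("stored as", path)
```

The ledger is keyed by the pulled URL rather than by file name because, as the thread shows, the same host can serve different binaries under near-identical names; comparing the SHA-256 of each pull against the last recorded one is what makes the time stamp useful. The post additionally ships the sample in a password-protected 7z, which this example leaves to the archiver.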

December 15, 2008, 11:16:11 am
Reply #1

ocean

    • ocean's Inseclab
Strangely enough, FullSBZCodecz.0.exe (look at the fake porntubes topic) and FullSBZCodecz.21199.exe, hosted on the same domain, are different mw.

Maybe it could be interesting to brute force possible URL combinations to see if there are some more samples.

regards
ocean