Mr Clean's dirt

[SysAdMini]

Code: [Select]

somefilesportalnow.com/viewtubesoftware.40019.exe
freeportalsoftwarenow.com/viewtubesoftware.40019.exe
sim-softportal.com/viewtubesoftware.40019.exe
dnk-softwares.com/viewtubesoftware.40019.exe
get-softwares.com/viewtubesoftware.40019.exe
glk-softportal.com/viewtubesoftware.40019.exe
glock-softwares.com/viewtubesoftware.40019.exe

[Mr Clean]

Code: [Select]

contr-softportal.com/viewtubesoftware.40019.exe


[Mr Clean]

Code: [Select]

http://zaq-softwares.com/viewtubesoftware.40016.exe


[Mr Clean]

Code: [Select]

http://files.load-pro-as.com/normal/setup_11038_3_1.exe

http://www.virustotal.com/analisis/d18a9838ad447ca5cdfb2ad761929f6d
http://anubis.iseclab.org/?action=result&task_id=164f1f17545de8e640522289457507627
http://www.threatexpert.com/report.aspx?md5=701353926e8d4c3f0d10843c297680fe

http://www.malwaredomainlist.com/mdl.php?search=78.26.179.232&colsearch=All&quantity=50

[Mr Clean]

Code: [Select]

hxxp://85.17.238.145/1701/1.php

http://www.virustotal.com/analisis/f0162b1c2188c1335ab6bc2adc94cf68
http://anubis.iseclab.org/?action=result&task_id=193ed14a441ac2ad4d19ed742e2386e5e
http://www.threatexpert.com/report.aspx?md5=62f8dcb15321c33fa999cd087bbef1cf

[SysAdMini]

Code: [Select]

http://files.load-pro-as.com/normal/setup_11038_3_1.exe

http://www.virustotal.com/analisis/d18a9838ad447ca5cdfb2ad761929f6d
http://anubis.iseclab.org/?action=result&task_id=164f1f17545de8e640522289457507627
http://www.threatexpert.com/report.aspx?md5=701353926e8d4c3f0d10843c297680fe

Files have already been modified.

http://www.virustotal.com/analisis/44af4959e7409ddc649e63731075ccfd 2/38
http://www.threatexpert.com/report.aspx?md5=2f9a0708edd929fd76019b86fa45f702

[Mr Clean]

Code: [Select]

hxxp://sendspace-usa.net/sur4you.exe

http://www.virustotal.com/analisis/66933d74a2ca3ffca1742cbcd5c1c08c
http://www.threatexpert.com/report.aspx?md5=295e55e662d21f42596972924a74db37

[SysAdMini]

Code: [Select]

hxxp://sendspace-usa.net/sur4you.exe

http://www.virustotal.com/analisis/66933d74a2ca3ffca1742cbcd5c1c08c
http://www.threatexpert.com/report.aspx?md5=295e55e662d21f42596972924a74db37

Doesn't resolve here. Can you give me the ip ? I'm experiencing dns problems at the moment when I try to resolve .net domains.

[MysteryFCM]

IP was 196.2.198.241 - it's not resolving atm

/edit

Others on the same IP;

Code: [Select]

egns.vg
www.egns.vg
ns1.egns.vg
bankofoscotland.co.uk
thelegion74.com
love-true.com
thronofodin.com
throbilskirnir.com
good1soft.com
great2008x.com
ustechservic.com.cn
vse4you.info
wwwfbcdn.net
cd-soft.net
thefreecompany.net
googgle.su
yanndex.su
sendspace.com.bz
yourbestpartners.biz
Though Domain Tools says there's 65 on there (and the guy that owns sendspace-usa.net apparently owns 63 domains - and I'm betting they're likely on the same IP)

/edit

http://hosts-file.net/misc/hpObserver_-_egns.vg.html

There's also 196.2.198.240, 196.2.198.242, 196.2.198.243 and 196.2.198.252

http://hosts-file.net/?s=196.2.198.242

Related to;

http://www.bobbear.co.uk/delivery-solutions-inc.html

[Mr Clean]

Code: [Select]

hxxp://yourguardpro.cn/installer_90001.exe
http://www.virustotal.com/analisis/0ca99080d7252f55aac81c78f032ee5f
http://www.threatexpert.com/report.aspx?md5=23cb553ce604959f3d39575813d8d48b

http://www.malwaredomainlist.com/mdl.php?search=94.247.2.215&colsearch=All&quantity=50

[Mr Clean]

Code: [Select]

hxxp://ads.belointeractive.com/RealMedia/ads/Creatives/OasDefault/NtlRhapsodyYourDirectMedia001A/NtlRhapsodyYourDirectMedia001A728_031309.sw

redirects to

hxxp://67.215.246.138/aff78.php

resulting in Javascript exploit
http://wepawet.iseclab.org/view.php?hash=90716496443a946525b818ba6cb543b4&t=1238794860&type=js

PDF exploit
http://wepawet.iseclab.org/view.php?hash=165d794ac5138a1b586290f99172a98d&type=js

binary download1
http://www.virustotal.com/analisis/673490b4fcaa59507417b1d2a7d98d72
http://www.threatexpert.com/report.aspx?md5=5bd1e08e230abe020b10f220f8448e61

binary download2
http://www.virustotal.com/analisis/d14457c38b639542a68b256b4abad3da
http://www.threatexpert.com/report.aspx?md5=4c5acab9968bca8e88fb9e193d598a7a

you know, train-wreck.

[sowhat-x]

Code: [Select]

hxxp://find-365.com/pages/make-pictures
hxxp://best-tube-home.com/200073/scan/
hxxp://files.ms-loads-av.com/exe/setup_200073_1_1.exe
hxxp://files.ms-loads-av.com/ -> spawns exe...
hxxp://files.ms-loads-av.com/exe/setup_200073_2_1.exe
hxxp://files.ms-loads-av.com/exe/setup_1_2_1.exe
find-365.com is the most interesting (to me at least),as it's hosted in more than one ip addresses...
http://www.bfk.de/bfk_dnslogger.html?query=find-365.com#result

Code: [Select]

hxxp://mycigarworld.info/in.cgi?16
hxxp://greatvirusscan.com/index.php?affid=10700
hxxp://greatvirusscan.com/download.php?affid=10700  -> spawns exe...

Code: [Select]

hxxp://tds.ibestadult.info/in?4
hxxp://mega-antiviral-ms.com/200073/scan/
hxxp://files.ms-loads-av.com/exe/setup_200073_1_1.exe

Code: [Select]

hxxp://webprotectionscan.com/download.php?affid=00000
hxxp://zoosexvideo.net/movie352.exe

[Mr Clean]

find-365.com is the most interesting (to me at least),as it's hosted in more than one ip addresses...
http://www.bfk.de/bfk_dnslogger.html?query=find-365.com#result

I agree, quite interesting.

61.235.117.88   #       SHENZHEN        CHINA
72.167.121.94   #       LOS ANGELES     UNITED STATES
88.214.200.60   #       -       UNITED KINGDOM
92.62.101.47    #       TALLINN ESTONIA

2 of these IP's have already been reported

http://www.malwaredomainlist.com/mdl.php?search=72.167.121.94&colsearch=All&quantity=50
http://www.malwaredomainlist.com/mdl.php?search=88.214.200.60&colsearch=All&quantity=50

[sowhat-x]

hxxp://ourbestsearch.info/in.cgi?4
hxxp://adult-tube-downloads.net/promo3/?aid=330
hxxp://adult-tube-downloads.net/promo3/get.php?aid=330&vname=protect

http://www.virustotal.com/analisis/5a58f3c0fc68a1a71ced42ac568936e8

[sowhat-x]

hxxp://bestguideinc.net/search.php?qq=    ---> the .js redirector...
hxxp://www.spywareisolator2008.com/landing/?wmid=mirex    ---> spawns fake av exe...

hxxp://antivirus-av-ms-checker.com/200073/scan/
hxxp://files.download-av-ms.com/exe/setup_200073_1_1.exe