Author Topic: Mr Clean's dirt (Read 173746 times)

Mr Clean · August 02, 2009, 07:53:07 pm

hxxp://online-pro-scan.com/download/Install-27ab1_2001-30.exe

$ dig online-pro-scan.com +short
78.47.172.66
209.44.126.52
88.198.41.170

http://www.virustotal.com/analisis/76e5ed76b5a573cc8fb8f18d8c3b2717916f0d7133cf09154d6299e2da8e0d4b-1249173034 2/41
http://anubis.iseclab.org/?action=result&task_id=1e0beaf59d1b4ba243de3752a514e7168
http://research.sunbelt-software.com/ViewMalware.aspx?id=9821621&cs=4B4540B9C4A6BEC5B4C92BBF50DE63A7

online-pro-scan.com
challenges-cup.com

Mr Clean · August 03, 2009, 12:31:12 am

Code: [Select]

hxxp://212.117.174.14/racing.exe

http://www.virustotal.com/analisis/415c1520662f4bc3291816d6af4469f89df6f0966ac9bdb6f8a1999b27db9953-1249259122 14/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9825512&cs=C597128F2D8896770F01E456644D74E6
http://anubis.iseclab.org/?action=result&task_id=1b38d6578a8c104a4752500ec64c31d2a

Code: [Select]

hxxp://core2623.racingmoney-0110.com/d_program_all.cgi?host=host&id=0

$ dig core2623.racingmoney-0110.com +short
95.169.190.147

http://www.virustotal.com/analisis/828835fb4b8ecc5064a0f6496ba160d37a32022dee7f82a0c8b275d312620b15-1249258832 11/40
http://anubis.iseclab.org/?action=result&task_id=122149ecee9f30814cda563c8e90a21ec
http://research.sunbelt-software.com/ViewMalware.aspx?id=9825487&cs=4F7A583CE43B3220C9E7C292612F9A0B

racingmoney-0110.com

Mr Clean · August 04, 2009, 01:51:21 pm

Code: [Select]

192.168.1.10 - - [ 4/Aug/2009:13:29:39 +0000] "GET http://synthetic-electric.cn/go.php?id=2003-03&key=e20dfa513&p=1 HTTP/1.1" - - "http://whitepg-images.adbureau.net/whitepg/2009-07%20hotel_728x90.swf?clickTag=http://atl.whitepages.com/accipiter/adclick/CID=0000533400000" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
192.168.1.10 - - [ 4/Aug/2009:13:29:39 +0000] "GET http://onlinesecurityscanv11.com/1/?sess==W219jDwOS0zJmlwPTY1LjEyMy4xOS42MiZ0aW1lPTEyNDMzMkIMNQkO HTTP/1.1" - - "http://whitepg-images.adbureau.net/whitepg/2009-07%20hotel_728x90.swf?clickTag=http://atl.whitepages.com/accipiter/adclick/CID=0000533400000" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"
192.168.1.10 - - [ 4/Aug/2009:13:29:40 +0000] "GET http://onlinesecurityscanv11.com/1/img/jquery.js HTTP/1.1" - - "http://onlinesecurityscanv11.com/1/?sess==W219jDwOS0zJmlwPTY1LjEyMy4xOS42MiZ0aW1lPTEyNDMzMkIMNQkO" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"

Code: [Select]

hxxp://onlinesecurityscanv11.com/download/Install-0c6_2003-3.exe

$ dig onlinesecurityscanv11.com +short
88.198.41.170
209.44.126.52
78.47.172.66

http://www.virustotal.com/analisis/bd424b5f474ae9ef45daae7cb9064403497c187fc5b168b2fe859b27ac979379-1249393866 7/41

http://research.sunbelt-software.com/ViewMalware.aspx?id=9872536&cs=57BD3287F84998C9C7604E984A6956BF

http://anubis.iseclab.org/?action=result&task_id=11526942bdf3251a4597dd8e67e0cebd9

onlinesecurityscanv11.com
challenges-cup.com
systemupdatesv6.com

Mr Clean · August 05, 2009, 07:33:00 pm

Code: [Select]

hxxp://nucleargaming.net/errorlogs/aleluia.gif

$ file aleluia.gif
aleluia.gif: MS-DOS executable, MZ for MS-DOS

$ dig nucleargaming.net +short
209.25.133.225

http://www.virustotal.com/analisis/7fdadabb4922f008671d7a156acb8f8812814f156b7bffb22a82ef4c7a766ef3-1249424356 16/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9916879&cs=30A50ABCF454C2FE158BBE92ABE6350E

nucleargaming.net
ekeye.com

Mr Clean · August 06, 2009, 03:07:40 pm

Code: [Select]

hxxp://exeeasy.com/flash-plugin.45054.exe

$ dig exeeasy.com +short
95.211.8.20

http://www.virustotal.com/analisis/56c77236208755639cff2d30e2923cace9b578dcb55a9281b2365c79696a5e1e-1249571269 3/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9938576&cs=AC880A64B083A963D87B0F3A8F56DF8B
http://anubis.iseclab.org/?action=result&task_id=1cd8e3c8dc84f3b449912c607698e7cf4

exeeasy.com

Mr Clean · August 06, 2009, 05:24:52 pm

Code: [Select]

hxxp://gofastscanner.com/download/Install-420d_2003-3.exe

$ dig gofastscanner.com +short
88.198.41.170
209.44.126.52
78.47.172.66

http://www.virustotal.com/analisis/27517370ea2e189c619bea5bd11afdacef7f4781b3a00989e598e5e3de39c113-1249577337 2/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=9941812&cs=CA6C79071187BA84AB4E181F5E372678

bitmap files?

Code: [Select]

hxxp://baseprogrammupdatesv5.com/logo.bmp

$ file logo.bmp
logo.bmp: data

Code: [Select]

hxxp://windefenderbaseupdate.com/template.bmp

$ file template.bmp 
template.bmp: data

gofastscanner.com
keyboard-mouse-fun.com
baseprogrammupdatesv5.com
windefenderbaseupdate.com

Mr Clean · August 06, 2009, 06:00:25 pm

Code: [Select]

hxxp://govirusscanner.com/download/Install-1408e_2031.exe

$ dig govirusscanner.com +short
91.212.107.5
94.102.48.29
188.40.61.236
83.133.126.155
94.102.51.26

http://www.virustotal.com/analisis/8cdb3d69147640c82c8b1657ba90c5da3ecb1ee0eec5d6fc6ec23c07953f6f6c-1249581622 0/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9942677&cs=7DCBC5364B93941949240365756C7FFB

govirusscanner.com
june-crossover.com

Mr Clean · August 07, 2009, 02:31:59 pm

I can be just as relentless

Code: [Select]

hxxp://gomalwarescanner.com/download/Install-fa6bb14_2003-3.exe

$ dig gomalwarescanner.com +short
88.198.41.170
78.47.172.66
209.44.126.52

http://www.virustotal.com/analisis/c007ad216705e73b58c260ab049ba00a91745f0b092b1b29db1c8b360874df31-1249652331 2/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=9987227&cs=B9EBAC0B6ECE5BFB9A45F608B027555B

gomalwarescanner.com
keyboard-mouse-fun.com

Mr Clean · August 11, 2009, 02:16:48 pm

Code: [Select]

hxxp://top1959.cn/PC_protect.exe

$ dig top1959.cn +short
211.95.78.98

http://www.virustotal.com/analisis/f9c3f064210f83bc8d240208e12b87ce624d40bc29f7d1e6b9d1de3392c40322-1249994080 27/41
http://www.threatexpert.com/report.aspx?md5=4cabecc7fc8b024b4be8239721a4baec
http://anubis.iseclab.org/?action=result&task_id=1e49cbc6207b52b64859636457ce0f47b&format=html

top1959.cn
rubimbablo.com

Mr Clean · August 11, 2009, 02:52:54 pm

Code: [Select]

hxxp://wfoto.front.ru/fotos.com

$ dig wfoto.front.ru +short
ftp.front.ru.
82.204.219.224

http://www.virustotal.com/analisis/2044851a8ec36f76359fc31233071be8f9d348d91a73a47fddde6a575c4f7246-1250001993 18/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10081211&cs=384D6631678577C784F7B7ABCD8BF452
http://anubis.iseclab.org/?action=result&task_id=154ac9b98fc08fa54bddb70df6868e0d8&format=html

Code: [Select]

hxxp://kede.hpg.ig.com.br/ree1.html

$ file ree1.html 
ree1.html: data

hxxp://kede.hpg.ig.com.br/ree2.html

$ file ree2.html 
ree2.html: data

hxxp://kedex02.hpg.ig.com.br/nl2.html

$ file nl2.html 
nl2.html: data

hxxp://kedex02.hpg.ig.com.br/nl3.html

$ file nl3.html 
nl3.html: data

hxxp://kedex02.hpg.ig.com.br/nl5.html

$ file nl5.html 
nl5.html: data

hxxp://kedex02.hpg.ig.com.br/nl6.html

$ file nl6.html 
nl6.html: data

front.ru
kedex02.hpg.ig.com.br
kede.hpg.ig.com.br

Mr Clean · August 11, 2009, 03:33:15 pm

Code: [Select]

hxxp://antispywarelivescanv5.com/download/Install-b85ed90_2015.exe

$ dig antispywarelivescanv5.com +short
83.133.123.174
188.40.61.236
91.212.107.5
94.102.51.26
94.102.48.29
83.133.126.155

http://www.virustotal.com/analisis/75774261b858b5963c8896b7613334ac98a6b2539c72de5babb8be969f7598da-1249982407 7/41

http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10081212&cs=7C257D272767FA948E0A9186A93BE6EA

Code: [Select]

hxxp://recentbaseupdatesv6.com/logo.bmp

$ file logo.bmp 
logo.bmp: data

$ dig recentbaseupdatesv6.com +short
84.16.255.108

antispywarelivescanv5.com
recentbaseupdatesv6.com

Mr Clean · August 11, 2009, 05:08:38 pm

Code: [Select]

hxxp://softwareaddonsuploadv3.com/Driver.exe

$ dig softwareaddonsuploadv3.com +short
89.47.237.52

http://www.virustotal.com/analisis/be484ee278ba86af840bbefb4d7d3c76a0091ab06d0f350153c7861732352535-1249979821 4/41
http://anubis.iseclab.org/?action=result&task_id=1f0223f3cacc009d469ff33e4924cea58&format=html

softwareaddonsuploadv3.com

Mr Clean · August 11, 2009, 06:36:04 pm

Code: [Select]

hxxp://antimalwaresecurescanv2.com/download/Install-4a8_2006-39.exe

$ dig antimalwaresecurescanv2.com +short
91.212.107.5
83.133.126.155
83.133.123.174
94.102.48.29
188.40.61.236
94.102.51.26

http://www.virustotal.com/analisis/681a877090b8e2275d781fadd7b9e1fb7700446365cc528db224d67b94cd548a-1250011543 3/41
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=10081224&cs=6545E33A0C238A3850068D1E8B8B5A44

consensualart.cn <- originating domain
antimalwaresecurescanv2.com
june-crossover.com
recentbaseupdatesv6.com

Mr Clean · August 12, 2009, 09:39:01 pm

Code: [Select]

http://spywarescannerv4.com/download/Antivirus-b4ba_2015.exe

$ dig spywarescannerv4.com +short
83.133.123.174
94.102.51.26
94.102.48.29
188.40.61.236
91.212.107.5

http://www.virustotal.com/analisis/2b79674aab8e8faae071e057b9f65f3faac1c75a6453bf9db872d6802ea09f1b-1250110200 0/41
http://research.sunbelt-software.com/ViewMalware.aspx?id=10084941&cs=0604BAB0703FA5D36C0943BD14FA3471

spywarescannerv4.com

MysteryFCM · August 13, 2009, 12:33:34 pm

Just out of interest, have you been continuously monitoring these to see how quickly they're going down again? (last checks I did showed they only stayed online for 12-24 hours)

Author Topic: Mr Clean's dirt (Read 173746 times)

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

Mr Clean

Re: Mr Clean's dirt

MysteryFCM

Re: Mr Clean's dirt