daily something......

[CkreM]

Koobface:

Code: [Select]

70.105.181.119/setup.exe
98.228.135.203/setup.exe
129.119.193.233/setup.exehttp://www.virustotal.com/analisis/89e1b7e8bf4f2be5773a1000a8dd3817

[CkreM]

Koobface:

Code: [Select]

86.121.7.57/setup.exe
69.247.67.92/setup.exeTrojan:

Code: [Select]

greatjobdealuk.info/isp/upload/socksbot.exe http://www.virustotal.com/analisis/ef89795fe5c6a42f855e37216328e0cb

[Malware-Web-Threats]

216.240.143.7
Fake codec page:

Code: [Select]

hxxp://better-tube-show.com/xxplay.php?id=40009
Registrant: Bobby Macleod (bobbym806@ gmail.com)

216.240.148.9
Returns malware urls:

Code: [Select]

hxxp://hjtktyjyhhn.com/fff9999.php?aid=0&uid=00cd1a40d41d8cd98f00b204e9800998ecf8427e&os=512
Registrant: Jameson Jack (cyber38462@ hotmail.com)

hxxp://imageempires.com/perce/8020ac6db14a14e0ed94c17da86c8d0938cff0c02ba29014aee9a81000a9b998de6c0f98a422879eb/400/perce.jpg hxxp://picturesoffline.com/item/60b08c6de14a64b07d04519db83c3dc948ef80e0bbf2e054ae09d830c0194928cecc8fb814f2678e0/b01/item.gif
hxxp://pictureswall.com/werber/b0f/216.jpg
hxxp://sdfv-programs.com/file.exe

ThreatExpert

70.86.3.198 [c6.3.5646.static.theplanet.com]
Trojan Clicker:

Code: [Select]

hxxp://jump1.info/xxx.exe
hxxp://xxx.host800.com/xxx.exe
VirusTotal - 24/40 (60.00%)
Registrant: yong wang (edizhu@ hotmail.com)
Registrant: youguang wang (edisoho@ hotmail.com)

Trojan GameThief OnLineGames:
61.174.68.24

Code: [Select]

hxxp://www.361safae.cn/img/sri1.gif
hxxp://www.361safae.cn/img/sri2.gif
hxxp://www.361safae.cn/img/sri3.gif
hxxp://www.361safae.cn/img/sri4.gif
hxxp://www.361safae.cn/img/sri5.gif
hxxp://www.361safae.cn/img/sri6.gif
hxxp://www.361safae.cn/img/sri7.gif
hxxp://www.361safae.cn/img/sri8.gif
hxxp://www.361safae.cn/img/sri9.gif
Registrant: Xie Yang (ylaoda88@ 163.com)
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal
VirusTotal

60.173.10.53

Code: [Select]

hxxp://ipshougou.com/down/qqma.exe
Registrant: phyto, phyto  (support@ tongyong.net)
VirusTotal

[CM_MWR]

Drivebys

Code: [Select]

http://sdfv-programs.com/file.exe
http://wtopcompany.ru/cms/load.php
http://bdsm-movies.info/33/load.php
http://p0rn-movies.com/77/load.php
http://clicks100.ru/cms/index.php
http://clicks100.ru/cms/load.php?id=0
http://clicks100.ru/tmp/in.php?i=20661JNE1C4793&o=2
http://clicks100.ru/top100/iframe.php
http://beelposttraning.ru/s/default.cgi
http://beelposttraning.ru/s/in.cgi?3
http://dastrealworld.ru/dance.html
http://dastrealworld.ru/denunreal.html
http://dastrealworld.ru/maufeorl.html
http://dastrealworld.ru/ne/in.php
http://dwnld.offer-provider.com/secure/bec4d39b22049ff339f0b9e576c5299f/4a054ac1/vsm/vsm_free_setup.exe
http://dwnld.offer-provider.com/secure/ef6ca9ceb9b5bd94db5fa8bdd7889251/4a054035/vsm/vsm_free_setup.exe
http://internetnamestore.cn/cache/flash.swf
http://internetnamestore.cn/cache/readme.pdf
http://internetnamestore.cn/in.cgi?income23
http://internetnamestore.cn/in.cgi?income27
http://internetnamestore.cn/index.php
http://internetnamestore.cn/load.php?id=0
http://internetnamestore.cn/load.php?id=8
http://operative.cc/liveinternet/index.php
http://operative.cc/liveinternet/load.php?id=4679
http://operative.cc/liveinternet/pdf.php?id=4679
http://teyrebuf.cn/nuc/%E0%AC%8B%E0%AC%8BAAAAAAAAAAAAAAAAAAAAAAAAA
http://teyrebuf.cn/nuc/exe.php
http://teyrebuf.cn/nuc/index.php
http://teyrebuf.cn/nuc/spl/pdf.pdf
http://teyrebuf.cn/s/in.cgi?10
http://updateserver.info/cmp/controller.php?&ver=8&uid=dc2335ef&aid=astakiller&adm=adm&inst=1&br=IEXPLORE.EXE&os=XPSP2
http://updateserver.info/loads/astakiller.dll
http://zone2tech.info/skp66.exe
Mebroot

Code: [Select]

http://ijpabevvif.com/ld/gnh_2/gnh2.exe
http://ijpabevvif.com/ld/gnh_3/gnh3.exe
http://ijpabevvif.com/ld/gnh_4/gnh4.exe
http://ijpabevvif.com/ld/gnh_5/gnh5.exe
http://ijpabevvif.com/ld/gnh_7/gnh7.exe
http://ijpabevvif.com/ld/gnh_8/gnh8.exe
http://ijpabevvif.com/ld/gnh_9/gnh9.exe
http://ijpabevvif.com/ld/grg/grg.exe
Misc

Code: [Select]

http://www.dofulfill.info/Packer.dll
http://www.dofulfill.info/TRSOCR.dat
http://www.dofulfill.info/TRSOCR.ini
http://www.dofulfill.info/TRSOCR.dll
http://www.dofulfill.info/AdvOcr.dll
http://www.casadosrelojoeiros.com.br/Imagens/lo.jpg
http://www.onlyfreegames.net/screen41.jpg
http://www.onlyfreegames.net/screen42.jpg
http://61.19.252.95/apaches.gif
http://61.19.252.95/apachew.gif
http://866muma.3322.org/csru.exe
http://866muma.3322.org/csrb.exe
http://866muma.3322.org/csrx.exe
http://866muma.3322.org/csrp.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/kill.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/1.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/2.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/3.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/4.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/5.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/6.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/7.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/8.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/9.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/10.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/11.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/12.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/13.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/14.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/15.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/16.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/17.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/18.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/19.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/20.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/21.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/22.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/23.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/24.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/25.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/26.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/27.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/28.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/29.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/30.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/31.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/32.exe
http://61.147.120.58/fuckq1q1q1q1q1q1q1q1/33.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/a.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/b.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/c.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/d.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/e.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/f.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/g.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/h.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/45.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/46.dll
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/47.dll
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/a.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/48.dll
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/a.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/49.dll
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/a.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/51.dll
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/i.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/j.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/k.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/cap.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/m.exe
http://122.224.48.228/fuckq1q1q1q1q1q1q1q1/hun.dll
http://down.aqbo.cn/soft/tool/%E5%AE%A2%E6%88%B7%E7%AB%AF%E4%B8%8B%E8%BD%BD13354.exe
http://f1.hf3y5.com/1/AcX.exe
http://f1.hf3y5.com/9/AcX.exe
http://d1.hf3y5.com/1/AcX.exe
http://h1.dgfg4.com/01/AeX.exe
http://h1.dgfg4.com/02/AeX.exe
http://h1.dgfg4.com/03/AeX.exe
http://h1.dgfg4.com/04/AeX.exe
http://h1.dgfg4.com/06/AeX.exe
http://h1.dgfg4.com/07/AeX.exe
http://h1.dgfg4.com/08/AeX.exe
http://h1.dgfg4.com/09/AeX.exe
http://h1.dgfg4.com/10/AeX.exe
http://h1.dgfg4.com/11/AeX.exe
http://h1.dgfg4.com/12/AeX.exe
http://h1.dgfg4.com/13/AeX.exe
http://h1.dgfg4.com/14/AeX.exe
http://h1.dgfg4.com/15/AeX.exe
http://h1.dgfg4.com/16/AeX.exe
http://h1.dgfg4.com/17/AeX.exe
http://h1.dgfg4.com/18/AeX.exe
http://h1.dgfg4.com/20/AeX.exe
http://h1.dgfg4.com/21/AeX.exe
http://www.ppggg.com.cn/www.exe
http://www.ppppg.com.cn/www.exe
http://www.pppph.com.cn/www.exe
http://www.ppppj.com.cn/www.exe
http://exe316.com/xiao/111.exe
http://exe316.com/xiao/aa14.exe
http://exe316.com/xiao/aa18.exe
http://exe316.com/xiao/aa28.exe
http://exe316.com/xiao/aa33.exe
http://gm.adsl8899.cn/nl34.exe
http://gm.adsl8899.cn/nl37.exe
http://gm.adsl8899.cn/nl38.exe
http://gm.adsl8899.cn/nl40.exe
http://up.cj-vv.cn:889/up1/up.exe
http://u2.ovfr6.com/lmm/S15.exe
http://u2.ovfr6.com/lmm/S16.exe
http://u2.ovfr6.com/lmm/S21.exe
http://u2.ovfr6.com/lmm/S01.exe
http://u3.ovfr6.com/lmm/M33.exe
http://u3.ovfr6.com/lmm/M37.exe
http://u3.ovfr6.com/lmm/M15.exe
http://u3.ovfr6.com/lmm/M24.exe
http://u3.ovfr6.com/lmm/M02.exe
http://u2.ovfr6.com/lmm/S13.exe
http://u2.ovfr6.com/lmm/S17.exe
http://u2.ovfr6.com/lmm/S20.exe
http://u2.ovfr6.com/lmm/S11.exe
http://u2.ovfr6.com/lmm/S02.exe
http://u9.ovfr6.com/cjj/a1.exe
http://u9.ovfr6.com/cjj/a2.exe
http://u9.ovfr6.com/cjj/a8.exe
http://u9.ovfr6.com/cjj/a6.exe
http://u9.ovfr6.com/cjj/a9.exe
http://u9.ovfr6.com/cjj/a10.exe
http://u9.ovfr6.com/cjj/sb.exe
http://u9.ovfr6.com/ttt/01/01.exe
http://adimsceibh.com/progs/royyl/lvreefo.php
http://bddanhdnfl.net/progs/royyl/lvreefo.php
http://adimsceibh.com/progs/royyl/yhrrrrsfob
http://bddanhdnfl.net/progs/royyl/yhrrrrsfob
http://aaqkweoslz.com/progs/royyl/clmvviwj.php
http://aaqkweoslz.com/progs/royyl/cyiivvvjjw.php
http://aaqkweoslz.com/progs/royyl/ggcqqdde.php
http://aaqkweoslz.com/progs/royyl/kqddj.php
http://aaqkweoslz.com/progs/royyl/lvreefo.php
http://aaqkweoslz.com/progs/royyl/wspcpq.php
http://aaqkweoslz.com/progs/royyl/yhrrrrsfob
http://adimsceibh.com/progs/royyl/clmvviwj.php
http://adimsceibh.com/progs/royyl/cyiivvvjjw.php
http://adimsceibh.com/progs/royyl/ggcqqdde.php
http://adimsceibh.com/progs/royyl/kqddj.php
http://adimsceibh.com/progs/royyl/lvreefo.php
http://adimsceibh.com/progs/royyl/wspcpq.php
http://adimsceibh.com/progs/royyl/yhrrrrsfob
http://bazrvxedfe.net/aasuper0.php
http://bazrvxedfe.net/aasuper1.php
http://bazrvxedfe.net/aasuper2.php
http://bazrvxedfe.net/aasuper3.php
http://bddanhdnfl.net/aasuper0.php
http://bddanhdnfl.net/aasuper1.php
http://bddanhdnfl.net/aasuper2.php
http://bddanhdnfl.net/aasuper3.php
http://bhlmxnopqc.net/loaderadv563.exe
http://beelposttraning.ru/s/default.cgi
http://beelposttraning.ru/s/in.cgi?3
http://aksajans.com/1/6244.exe
http://aksajans.com/1/nfr.exe
http://aksajans.com/1/pp.06.exe
http://www.361safae.cn/img/sri1.gif
http://www.361safae.cn/img/sri2.gif
http://www.361safae.cn/img/sri3.gif
http://www.361safae.cn/img/sri4.gif
http://www.361safae.cn/img/sri5.gif
http://www.361safae.cn/img/sri6.gif
http://www.361safae.cn/img/sri7.gif
http://www.361safae.cn/img/sri8.gif
http://www.361safae.cn/img/sri9.gif
http://jump1.info/xxx.exe
http://xxx.host800.com/xxx.exe
http://imageempires.com/perce/8020ac6db14a14e0ed94c17da86c8d0938cff0c02ba29014aee9a81000a9b998de6c0f98a422879eb/400/perce.jpg http://picturesoffline.com/item/60b08c6de14a64b07d04519db83c3dc948ef80e0bbf2e054ae09d830c0194928cecc8fb814f2678e0/b01/item.gif
http://pictureswall.com/werber/b0f/216.jpg
http://89.149.227.200/item/1090.exe
http://89.149.227.200/item/1091.exe
http://89.149.227.200/item/1092.exe
http://89.149.227.200/item/1093.exe
http://89.149.227.200/item/1094.exe
http://89.149.227.200/item/1095.exe
http://89.149.227.200/item/1096.exe
http://89.149.227.200/item/1097.exe
http://89.149.227.200/item/1098.exe
http://89.149.227.200/item/1099.exe


[CkreM]

Mebroot

Code: [Select]

http://ijpabevvif.com/ld/gnh_2/gnh2.exe
http://ijpabevvif.com/ld/gnh_3/gnh3.exe
http://ijpabevvif.com/ld/gnh_4/gnh4.exe
http://ijpabevvif.com/ld/gnh_5/gnh5.exe
http://ijpabevvif.com/ld/gnh_7/gnh7.exe
http://ijpabevvif.com/ld/gnh_8/gnh8.exe
http://ijpabevvif.com/ld/gnh_9/gnh9.exe
http://ijpabevvif.com/ld/grg/grg.exe

hamm,they changed thier way of infection again?

[sursmurf]

Code: [Select]

hXXp://hugetopnano.cn:8080/index.php
downloads

flash.swf
http://www.virustotal.com/analisis/6a7c462458c96cc099cfb7e340e15562

readme.pdf
http://www.virustotal.com/analisis/cfc979bd7744a91c5f444c8f4c0375e2



 

[CkreM]

KoobFace:

Code: [Select]

71.202.219.18/setup.exe
208.97.2.97/setup.exeTrojan:

Code: [Select]

yourelitehosting.ru/taskmgr.exehttp://www.virustotal.com/analisis/4b38b6888024000227a834d65b612365
Trojan:

Code: [Select]

5file.ru/vkphoto.exe http://www.virustotal.com/analisis/b4c968b1eb1f4fa95fa9eca46b09adeb
Trojan:

Code: [Select]

bureau.co.il/web/system.exehttp://www.virustotal.com/analisis/31e365b7f7c555b50d752a9eb118ce1a

Fake AV:

Code: [Select]

adware-help.com/promo/anti-virus-1.php?uid=70e191e0aaeac213213a62e4c05c9977the downloaded file:

Code: [Select]

installz.cn/stubfiles/70e19.exehttp://www.virustotal.com/analisis/b18edcbad2b207e305d789afb32cd4e6

[CM_MWR]

hamm,they changed thier way of infection again?

Is strange yes, not sure what to make of it , see the iframes launch but nothing happens, then I can fetch binary locally using a direct link.

Maybe they know who i am by now. 

[CkreM]

redirects to rogue:

Code: [Select]

gorankscan.com
Fake AV:

Code: [Select]

scanlux4.info
pornproductions09.com/scan/?id=268
and the d/l file:
pornproductions09.net/codec.exehttp://www.virustotal.com/analisis/51f9f528c0444f84faa229177660ed09

Mebroot:

Code: [Select]

hiyuxngvif.com/cgi-bin/index.cgi?dxhttp://wepawet.cs.ucsb.edu/view.php?hash=8cadb9cae57538f219069c6cb2d44555&t=1242183318&type=js

[michajp]

While checking some old LuckySploit URL, the following popped up instead:

Code: [Select]

hxxp://addobeflashplayer.net/update/?promoid=FbU9dTs
hxxp://addobeflashplayer.net/update/?promoid=Ve8Tnv4

With installer at:

Code: [Select]

hxxp://addobeflashplayer.net/get/flashplayer/current/install_flash_player.exe
http://www.virustotal.com/analisis/3185d068ff2871765328dcdc86d7affc

[CkreM]

Koobface:

Code: [Select]

75.137.70.87/setup.exe
174.0.8.174/setup.exehttp://www.virustotal.com/analisis/06202d4e1ceb674f95435d05bcc6149f

Exploit/trojan:

Code: [Select]

luks5.cn/index.phphttp://wepawet.iseclab.org/view.php?hash=c7a0e50c37e35c290324455c17b4b27e&t=1241763932&type=js

Exploit/trojan( wepawet gives invalid hostname)

Code: [Select]

usacaaugb.cn/life/index.phpPDF anlysis: http://wepawet.iseclab.org/view.php?hash=711a0cc4d481aa078c161179779310f1&type=js

[SysAdMini]

exploits

Code: [Select]

rogkadej.cn/nuc/index.phphttp://wepawet.cs.ucsb.edu/view.php?hash=76a617d6921697f36d5d08f5fe163908&t=1242296838&type=js

trojan

Code: [Select]

rogkadej.cn/nuc/exe.phphttp://www.virustotal.com/analisis/be735f15770e8e06ebac50ec1bfafd40 7/40

[SysAdMini]

redirect to exploits

Code: [Select]

bigbestfind.cn:8080/ts/in.cgi?pepsi4
hugepremium.cn:8080/ts/in.cgi?pepsi5
thebestyoucanfind.cn:8080/ts/in.cgi?pepsi3http://wepawet.cs.ucsb.edu/view.php?hash=e95003549c9b2d9c5cc9388f2056d9bc&t=1242302241&type=js
http://wepawet.cs.ucsb.edu/view.php?type=js&hash=53ddc7d15d0b2c2083c09c15aff3593a&t=1242284850
http://wepawet.iseclab.org/view.php?hash=8e897a5695627f956885238acabfff04&t=1242296961&type=js

exploit

Code: [Select]

bigtopcabaret.cn:8080/index.phphttp://wepawet.cs.ucsb.edu/view.php?type=js&hash=53ddc7d15d0b2c2083c09c15aff3593a&t=1242284850

redirects to the already known autobestwestern.cn
formerly hosted at Zlkon and Eurohost LLC

Code: [Select]

autobestwestern.cn:8080/load.php?id=8http://www.virustotal.com/analisis/77e676047adcaeeb5b32187f346de431 9/41

[sparsha]

Code: [Select]

http://internetsecuritymetrics.com/hitin.php?land=30&affid=01986
http://videoporntrue.net/pcdef.exe


[SysAdMini]

Code: [Select]

www.loshaqe.com/sb.exehttp://www.virustotal.com/analisis/75e4162cf4b32e95418e9c9cb087f647 5/40
http://www.threatexpert.com/report.aspx?md5=3f451779cfd0dc44f54b8b10b658749f

Code: [Select]

www.loshaqe.com/ret.exehttp://www.virustotal.com/analisis/bea1ceb55fc01d3abc1c206f7aae4a31 14/39

downloader for DarkGT/IframeDollar

Code: [Select]

www.loshaqe.com/ins.exe
http://www.virustotal.com/analisis/26120869a3d862b46bf64e769f0fc32b 25/40

Code: [Select]

www.loshaqe.com/eg.exe
http://www.virustotal.com/analisis/a05691e95c2b074300ca8e075a69853b 11/40