195.88.191.46

[Malware-Web-Threats]

directs to exploits:

Code: [Select]

kvumurij.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
Wepawet

The site below doesn't seems to work so I will check later if this domain redirects to a new one.

The urls was:

Code: [Select]

ssesodoq.cn/uin/
ssesodoq.cn/uin/whichGoodS.pdf
ssesodoq.cn/uin/searchMakeChunk.swf
ssesodoq.cn/uin/update.php?id=5
ssesodoq.cn/uin/update.php?id=6
Wepawet

also work:

Code: [Select]

ssesodoq.cn/uin/update.exe

VirusTotal - 8/41 (19.51%)
Threat Expert

It connect to 91.207.4.250 (see threatexpert) and start spamming

GET spm/get_id.php
GET spm/page.php

Other on this IP:

http://www.malwareurl.com/listing.php?ip=195.88.191.46
http://www.malwaredomainlist.com/mdl.php?search=195.88.191.46&colsearch=All&quantity=50

Anything else?

http://www.bfk.de/bfk_dnslogger.html?query=195.88.191.46

[Malware-Web-Threats]

same as below:

Code: [Select]

ns1.vvukufan.com/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
ns1.jagbibiv.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
ns2.jagbibiv.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot

http://wepawet.iseclab.org/view.php?hash=94f15cbfb2fffd42daa369ad1c85eda7&t=1252247278&type=js
http://wepawet.iseclab.org/view.php?hash=e08d6e782c77ed81f7aa041a0aeadbc0&t=1252247286&type=js
http://wepawet.iseclab.org/view.php?hash=879f28c20c7cef91aaade18e0777f45e&t=1252247298&type=js

[cleanmx]

payload is not in sub-dir /uin but in root....

hxxp://ssesodoq.cn/update.exe

-- gerhard

[Malware-Web-Threats]

Interesting - another MD5

Code: [Select]

kvumurij.cn/update.exe
Wepawet
MD5: 455575b550ae3c6c3d39b44ac5e501c8

Code: [Select]

kvumurij.cn/2cv/update.exe
Wepawet
MD5: 230eb4adb27b2697e2076f34a73cab13

the exploit kit with urls:

Code: [Select]

kvumurij.cn/2cv/
kvumurij.cn/2cv/dontLayoutDont.pdf
kvumurij.cn/2cv/wordA.swf
kvumurij.cn/2cv/update.php
kvumurij.cn/2cv/update.exe
kvumurij.cn/2cv/admin.php
Wepawet
VirusTotal - 4/41 (9.76%)

AVG: Packed.Monder
Kaspersky: Packed.Win32.Krap.x
Microsoft: Spammer:Win32/Tedroo.AA
Rising: Unknown Win32 Virus

[Malware-Web-Threats]

the ThreatExpert report also show a connection to 91.207.6.242

The following GET requests were made:

spm/get_id.php
spm/page.php?id=231828&tick=231828&ver=112&smtp=ok&task=0

Threat Expert

[Serg]

Under Packed.Win32.Krap.x kaspersky means Email-Worm.Win32.Joleee

[SysAdMini]

Under Packed.Win32.Krap.x kaspersky means Email-Worm.Win32.Joleee

I always use the identifier "Tedroo" for this spamming trojan. Many av vendors like Microsoft, Sophos, Bitdefender or Ikarus use this identifier.

[Malware-Web-Threats]

trojan:

Code: [Select]

mcanavib.cn/update.exe
pbigupaz.cn/update.exe
tbegicoz.cn/update.exe
wpupadop.cn/update.exe

redirects to exploits:

Code: [Select]

mcanavib.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
pbigupaz.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
tbegicoz.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot
wpupadop.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot


[Malware-Web-Threats]

Redirects to exploits:

Code: [Select]

sexygallets.com/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&antibot_hash=2990857606&ur=1&HTTP_REFERER=


[Malware-Web-Threats]

Exploits:

Code: [Select]

nfovidab.cn/a1/
nfovidab.cn/a1/index_files/x1079.js
nfovidab.cn/stat1/index.php
nfovidab.cn/stat1/overEverIsnt.pdf
nfovidab.cn/stat1/anComes.swf
Wepawet

Trojan Tedroo / Packed Krap:

Code: [Select]

nfovidab.cn/update.exe
VirusTotal - 31/41 (75.61%)
ThreatExpert

Trojan Dropper:

Code: [Select]

nfovidab.cn/stat1/update.php
nfovidab.cn/stat1/update.exe
VirusTotal - 5/41 (12.2%)

[Malware-Web-Threats]

Redirects to exploits:

Code: [Select]

xguxerob.cn/s/in.cgi?3&ab_iframe=0&ab_badtraffic=0&ab_trash=1&antibot_hash=bot

http://wepawet.iseclab.org/view.php?hash=f17c505f84eaebe97f3a5bc1a9fd3359&t=1252877484&type=js

[Malware-Web-Threats]

Exploits:

Code: [Select]

http://kzayopoq.cn/dj/
http://kzayopoq.cn/stat1/
http://kzayopoq.cn/stat2
http://kzayopoq.cn/2cv/
http://kzayopoq.cn/de/
http://kzayopoq.cn/rur/

http://kpizuyuw.cn/dj/
http://kpizuyuw.cn/stat1/
http://kpizuyuw.cn/stat2/
http://kpizuyuw.cn/2cv/
http://kpizuyuw.cn/de/
http://kpizuyuw.cn/rur/

Trojan:

Code: [Select]

http://kzayopoq.cn/update.exe
http://kzayopoq.cn/dj/update.exe
http://kzayopoq.cn/stat1/update.exe
http://kzayopoq.cn/stat2/update.exe
http://kzayopoq.cn/2cv/update.exe
http://kzayopoq.cn/de/update.exe
http://kzayopoq.cn/s/update.exe
http://kzayopoq.cn/rur/update.exe

http://kpizuyuw.cn/update.exe
http://kpizuyuw.cn/dj/update.exe
http://kpizuyuw.cn/stat1/update.exe
http://kpizuyuw.cn/stat2/update.exe
http://kpizuyuw.cn/2cv/update.exe
http://kpizuyuw.cn/de/update.exe
http://kpizuyuw.cn/s/update.exe
http://kpizuyuw.cn/rur/update.exe


[Malware-Web-Threats]

optional control panel (Liberty Exploit Toolkit)

Code: [Select]

http://kpizuyuw.cn/dj/admin.php
http://kzayopoq.cn/dj/admin.php


[SysAdMini]

optional control panel (Liberty Exploit Toolkit)

Code: [Select]

http://kpizuyuw.cn/dj/admin.php
http://kzayopoq.cn/dj/admin.php


user,pass works as well and there are alot of referers to check.

[Malware-Web-Threats]

Seems to be always the same pwd.

For the URLs below the update.exe at the root doesn't seems to work.