Author Topic: daily something......  (Read 856695 times)

November 25, 2011, 04:25:12 pm
Reply #1215

jackberri

IP Location: Brazil - ZIPNET BR AS
IP  200.147.33.21
[200-147-33-21.static.uol.com.br]
AS7162
Registrant/Email Registrant: Contato Administrativo - UOL/l-registrobr-uol@corp.uol.com.br/
Code: [Select]
hxxp://joalcom.sites.uol.com.br/1andro.gif      md5sum ===> 71af93d0da34fc259aa5fc73e8b9903b
http://www.virustotal.com/file-scan/report.html?id=488a4157d73a6418da7daee59aeff228dd1b540246b2ffdb8ac71ac70e570457-1321870989
VT 23/42 (54.8%)

IP Location:  Romania - PADICOM SOLUTIONS SRL
IP 89.46.251.160
[89-46-251-160.unassigned.class-it.ro]
AS34201
Name Server: NS5.DYNDNS.ORG  | NS3.DYNDNS.ORG  | NS1.DYNDNS.ORG  | NS2.DYNDNS.ORG  | NS4.DYNDNS.ORG
Code: [Select]
hxxp://cximqjqq.dyndns-ip.com/isuspm.exe        md5sum ===> b11c28a4752b5ed1d500489a272d2a0c
http://www.virustotal.com/file-scan/report.html?id=6c006b8c1b28677765c5947047700fe8c1c60aacd8360882dc8568f481a7fe9a-1322236062
VT 9/40 (22.5%)

IP Location:  Turkey - Radore Hosting Telekomunikasyon
[server-46.45.164.164.as42926.net]
AS42926
Code: [Select]
hxxp://46.45.164.164/bb.exe        md5sum ===> 8639abc370f8ad58845083672679deb3
http://www.virustotal.com/file-scan/report.html?id=77900796878747b9d2b8bc94df1bb3c3e00324c79756297758087c85d510ec7d-1322104306
VT 35/43 (81.4%)

Code: [Select]
hxxp://hotfile.com/dl/135879883/fa2041b/hl.exe        md5sum ===> 0adf754e1458feb7c23ee26c2c0b0c0c
http://www.virustotal.com/file-scan/report.html?id=cf3eec96e6087c06b52f1d2ec12faf6a863a2ab72fe8c20dc8d56be74755e4da-1322238134
VT 13/43 (30.2%)

November 26, 2011, 08:23:09 am
Reply #1216

jackberri

IP Location:  United States - SOFTLAYER
IP 50.22.91.2
[taro.websitewelcome.com]
AS36351
Name Server: NS1351.WEBSITEWELCOME.COM  | NS1352.WEBSITEWELCOME.COM
Registrant/Email Registrant: Neiv Bar/dbar@abestenergy.com
Code: [Select]
hxxp://solarelectricinstaller.com/Gallery-Images/1.exe         md5sum ===> 047e727e60decb6bdc043d2a3d2339b8
hxxp://solarelectricinstaller.com/Gallery-Images/dd.exe        md5sum ===> 2dce98d0497b2e05bdeed5835a42af43
hxxp://solarelectricinstaller.com/Gallery-Images/sp.exe        md5sum ===> 3ad45683537cb6373e1ca32f94a8f46a
hxxp://solarelectricinstaller.com/Gallery-Images/x.exe         md5sum ===> 2bd4273fc6979219eb8ed822519193cf
http://www.virustotal.com/file-scan/report.html?id=34a9ec931a64174025d96b1c89a55d8c0b50bd56f292e9ea4f3c0988aa7152d9-1322242736
VT 7/43 (16.3%)
http://www.virustotal.com/file-scan/report.html?id=bbd8b4194361f8b6d0366240f8138db7e8c5cea8f26340666c40efd8ef35c085-1322243714
VT 24/43 (55.8%)
http://www.virustotal.com/file-scan/report.html?id=6e342aa4750078ee4510b67271486ed8a674d48e1e1899aabe11e8be4c33562b-1322243695
VT 23/43 (53.5%)
http://www.virustotal.com/file-scan/report.html?id=9902e63c20ba4e25cbe063ad0a503bc4c6e7a27af14c59f1ea635eb66a77343a-1322243986
VT 8/43 (18.6%)

December 05, 2011, 04:29:43 pm
Reply #1217

handball10

xttp://www.mediabarrage.com/forum/images/cms/images.php

--> leads with iframes to Blackhole
xttp://facebook-images.net/main.php

and

xttp://www.mediabarrage.com/forum/images/cms/img.php

--> http://www.virustotal.com/file-scan/report.html?id=47250cf9776fd898e566a21ce9c258899e3a789fcb8c6d47e3962b55b7f5e8f6-1323101862
VT 2/43 (4.7%)

December 06, 2011, 10:43:34 pm
Reply #1218

boston


December 07, 2011, 07:26:44 pm
Reply #1219

jackberri

IP Location:  United States - Comcast Cable Communications Inc
[c-76-97-34-25.hsd1.ga.comcast.net]
AS7725
Code: [Select]
hxxp://76.97.34.25/qkosta1.exe        md5sum ===> 0b3a8c03ec6e5f0e0a6eb19764339911
http://www.virustotal.com/file-scan/report.html?id=3d53e7732f830f7edc9c687a5a5eca13fed4543208d22e5f4b81e1a34555504f-1323285555
VT 4/43 (9.3%)

December 08, 2011, 06:02:19 pm
Reply #1220

jackberri

IP Location: Brazil - ZIPNET BR AS
IP  200.147.33.17
[200-147-33-17.static.uol.com.br]
AS7162
Registrant/Email Registrant: Contato Administrativo - UOL/l-registrobr-uol@corp.uol.com.br/
Code: [Select]
hxxp://bonoso.sites.uol.com.br/yrieryriueyriewyrieyr.tmp         md5sum ===> d49410fbbe6916f07932e1288899834c
hxxp://bonoso.sites.uol.com.br/notepad_protected.tmp             md5sum ===> 30260845295de1147902e3497ce1a105
hxxp://sinhorelliamaral.sites.uol.com.br/7protecao.tmp           md5sum ===> 0c64bc2a1c9496181e79c3aa75445b41
hxxp://antonioaaalmeida.sites.uol.com.br/carly/moduloa.htm       md5sum ===> 33d25b016095377841097e162e11bc5ab
http://www.virustotal.com/file-scan/report.html?id=9c6c158f237d107e392d9f602e315f48ef35b1405a60b004eec473e4d8599852-1323365958
VT 28/43 (65.1%)
http://www.virustotal.com/file-scan/report.html?id=e17c878a779a582de83277aaf212058ccf03c5d2de065ddc75f27f7a2fc0fb5b-1323366248
VT 25/43 (58.1%)
http://www.virustotal.com/file-scan/report.html?id=5b210b801613f51262f0d2fcefdb5bfa57515b4b30cdced418eaf54a49c781d9-1323366224
VT 26/43 (60.5%)
http://www.virustotal.com/file-scan/report.html?id=15bc9efd4712fbdd2175c9af54f616b0663f92a69ff75382d0d6260a6424837c-1323366556
VT 37/41 (90.2%)

December 08, 2011, 09:30:09 pm
Reply #1221

handball10

Amazon-Phishing page - well designed, very good German.

Phishing page spreads via Email:

Subject: "Ihr Amazon Kundenkonto wurde eingeschränkt!" (in English: "Your Amazon customer account has been restricted!");

Code: [Select]
Dear Ms. *************,

Our security system has detected third-party access or an address change in your account.
Because our system is always mindful of customer security, your account has been temporarily restricted.
These are security measures to prevent orders placed by third parties.
You can reactivate your account; this requires a brief verification of your data.
All that is needed is a login at:

Click here

to reactivate your Amazon account.
Please understand that restrictions may currently occur due to increased security measures.

If you have any further questions, contact our support.
We ask for your understanding and thank you for your trust.

Kind regards,
Heike Landwehr
Amazon Support Team

The "Click here" ("Hier klicken") button leads to hxxp://218.94.61.109/amazon/

December 19, 2011, 12:33:13 am
Reply #1222

Xylitol

Code: [Select]
http://ritzcamera.in/in.cgi?2tds lead to bh landing
SELECT * FROM `users` WHERE `login` = 'admin '#--' and `password`='d6d36367ad2384f71489707e6fff0879921b50f9';

December 19, 2011, 01:53:00 pm
Reply #1223

Xylitol


December 20, 2011, 07:59:16 pm
Reply #1224

.b

Various "Key.bin" requests:


December 24, 2011, 02:20:47 am
Reply #1225

Arkonen

Code: [Select]
hxxp://thatsmytopper.com/upd[.]exe
md5: 3e0700ca1a0d95cd09b95638f033c7ed
IP Address:   207.32.186.68
IP Country: United States
AS Number: 36444
AS Name:   NEXCESS-NET - NEXCESS.NET L.L.C.

Zbot found in logs.

Virustotal:
http://www.virustotal.com/file-scan/report.html?id=3514fbaca5e6cc0c2f2e7c2838857adc0cc2c9b104600625c57ca0f2f887090a-1324692327
34/ 43 (79.1%)

December 24, 2011, 12:22:50 pm
Reply #1226

Xylitol

FakeAV

January 17, 2012, 03:57:28 pm
Reply #1227

boston


January 19, 2012, 12:37:55 pm
Reply #1228

boston


January 19, 2012, 07:06:17 pm
Reply #1229

boston
