More IP's serving up the same stuff:
109.232.225.15
109.232.225.18
109.232.225.28
109.232.225.29
109.232.225.31
109.232.225.8
173.212.228.194
188.124.5.150
188.124.5.151
188.124.5.154
188.72.246.99
217.23.10.61
217.23.5.205
94.102.55.10
94.102.55.7
Get is always for randomized php filenames (examples):
1_16a16d.php, 7_780c4b.php, 5_5de2e4.php, 2_252934.php, 3_36ae8d.php, b_bf3f87.php, 0_004a13.php, 2_2a27b8.php, 8_8249dd.php, a_ae50bc.php, e_e2395d.php, e_e43e4d.php, e_ec4f67.php, 1_1af700.php, 8_82255d.php, e_e35625.php, 7_77e376.php, f_f57329.php, 0_04a6ff.php, 2_2503e1.php, 9_95f7f8.php, 3_3ea213.php, a_aa91a9.php, f_ff0c38.php, 2_2e348c.php, 3_321ed0.php, 6_682f42.php, 8_8f118b.php, 9_916d30.php, b_bd2241.php, c_c08284.php, d_dc8120.php, e_efe822.php, f_fe6f6c.php, f_ff6a9f.php, 3_373564.php, 4_4787ec.php, 5_5ceba7.php, c_c9fa27.php, d_d2d46e.php, d_dd1918.php, f_f57a78.php, 0_064307.php, 0_0e3b3f.php, 0_0e3f4b.php, 2_2e2e69.php, 2_2ee665.php, 4_483d69.php, 4_4cd684.php, 5_50ebe9.php, 6_6096a6.php, 6_62f78f.php, 7_72e715.php, 7_78f558.php, 9_985ca2.php, 9_994c5c.php, d_d8d213.php, e_e1813d.php, e_eddb7c.php, f_fcc9cf.php
Always returns back attachment named install.exe:
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/octet-stream
Content-Length: 1045504
Content-Disposition: attachment; filename="install.exe"
Content-Transfer-Encoding: binary
Connection: close
Date: Thu, 18 Feb 2010 21:09:40 GMT
Server: lighttpd/1.4.22
MZP@!L!This program cannot be run in DOS mode.
Topic: FakeAV - 89.248.174.62, 89.248.174.94, 89.248.174.95 (Read 7663 times)