Malware Domain List


Title: anysandra.com URL serving drive-by
Post by: dobedobedew on March 12, 2010, 08:37:40 pm
Hello,

I found this site by using a Google search for narkyl.com, which turned out to be listed as hosting zeus/wsnpoem v2.  I found the narkyl.com access in my proxy log coming from one PC in the building.  After doing some digging I found the site where the PC actually received the payload.  It is currently not in the full list.

The URL is "hxxp://anysandra.com/suspended/error.php?i=5".  anysandra.com resolves to 172.201.96.128; reverse DNS is p3nlhg48c089.shr.prod.phx3.secureserver.net.

It appears to be currently hosting Virus.Win32.VBInject AKA Trojan.Dropper.Gen, which is different from the payload the PC initially received.

Thanks for this wonderful resource.

(EDIT)

Sorry I forgot the virustotal link.

VT 8/42
http://www.virustotal.com/analisis/2f9ee15aa8c4b240f52392084be5fbd45234e938d8715a05a2c18207b4ea945f-1268423786
Title: Re: anysandra.com URL serving drive-by
Post by: SysAdMini on March 12, 2010, 08:46:59 pm
Thanks for submission and welcome to MDL.

I have checked the URL, but I don't see a redirection.
Title: Re: anysandra.com URL serving drive-by
Post by: dobedobedew on March 12, 2010, 08:58:19 pm
My apologies if I am not using the correct terminology here.
When I used that URL in IE6 on XP it installed the payload.
Also, using wget on Linux with that URL resulted in a download of type application/octet-stream.  This is what was sent to VirusTotal.
I'm sorry if I did not explain properly.
Title: Re: anysandra.com URL serving drive-by
Post by: SysAdMini on March 12, 2010, 09:01:42 pm
The URL
anysandra.com/suspended/error.php?i=5
loops to itself here.
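The two posters saw different things from the same URL: one client got an application/octet-stream download, the other a redirect back to the same page. Drive-by landing pages commonly key their response on the User-Agent or source IP, so the practical check is to fetch the URL once per client profile with redirect following disabled and compare what each profile gets. The script below is an added example written for this thread, not code posted by either participant. It follows redirects hop by hop, flags a self-loop, flags a binary download, and reports per-User-Agent verdicts; the in-memory `FAKE_RESPONSES` table is a constructed stand-in modelled on the two reports above (which User-Agent the real site cloaked on is not stated in the thread and is an assumption here), and `live_fetch` is the equivalent real transport for use from an isolated analysis host.

```python
"""Added example (not from the thread): trace a suspected drive-by URL per
User-Agent with redirects disabled, and classify the result."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

MAX_HOPS = 5
URL = "http://anysandra.com/suspended/error.php?i=5"   # URL from the thread
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
WGET_UA = "Wget/1.12"
CURL_UA = "curl/7.19"

# Constructed responses, (url, user_agent) -> (status, headers, body prefix).
# Hypothetical: modelled on the two observations in the thread, not captured
# traffic. Header names are lower-cased so lookups are case-insensitive.
FAKE_RESPONSES = {
    (URL, IE6_UA): (200, {"content-type": "application/octet-stream"}, b"MZ\x90\x00"),
    (URL, WGET_UA): (200, {"content-type": "application/octet-stream"}, b"MZ\x90\x00"),
    (URL, CURL_UA): (302, {"location": "/suspended/error.php?i=5"}, b""),
}


def fake_fetch(url, user_agent):
    """Offline stand-in for one HTTP GET with redirects disabled."""
    return FAKE_RESPONSES.get(
        (url, user_agent), (404, {"content-type": "text/html"}, b"<html>"))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, user_agent):
    """Real HTTP GET, redirects disabled. Run only from an isolated host."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        resp = opener.open(req, timeout=10)
        headers = {k.lower(): v for k, v in resp.headers.items()}
        return resp.getcode(), headers, resp.read(16)   # body prefix only
    except urllib.error.HTTPError as e:                 # includes 3xx here
        return e.code, {k.lower(): v for k, v in e.headers.items()}, b""


def trace(url, user_agent, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Follow redirects manually. Returns (hops, verdict) where verdict is
    'self-loop', 'binary-payload', 'too-many-hops' or 'other (...)'."""
    hops, seen, current = [], set(), url
    for _ in range(max_hops):
        status, headers, body = fetch(current, user_agent)
        ctype = headers.get("content-type", "").lower()
        hops.append((current, status, ctype))
        if status in (301, 302, 303, 307, 308):
            nxt = urljoin(current, headers.get("location", ""))
            if nxt == current or nxt in seen:   # redirect loop, as SysAdMini saw
                return hops, "self-loop"
            seen.add(current)
            current = nxt
            continue
        # Octet-stream or a PE header ("MZ") is what the first poster got.
        if status == 200 and (ctype.startswith("application/octet-stream")
                              or body[:2] == b"MZ"):
            return hops, "binary-payload"
        return hops, f"other ({status} {ctype})"
    return hops, "too-many-hops"


def compare_user_agents(url, agents, fetch=fake_fetch):
    """Verdict per User-Agent; differing verdicts indicate cloaking."""
    return {ua: trace(url, ua, fetch)[1] for ua in agents}


if __name__ == "__main__":
    for ua, verdict in compare_user_agents(URL, [IE6_UA, WGET_UA, CURL_UA]).items():
        print(f"{ua[:40]:40} -> {verdict}")
```

With the constructed table the IE6 and wget profiles end in `binary-payload` and the curl profile in `self-loop`, which is the kind of split that explains the disagreement above without either poster being wrong. To repeat the check against a live site, pass `fetch=live_fetch` from a throwaway VM, and treat a verdict that differs between profiles as the signal, not any single fetch.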