Author Topic: Weird domain hosting malware...  (Read 9805 times)

September 30, 2007, 06:20:17 am

  • Guest always, take your precaution measures...
rewrite URI from hxxp to http...


Would be nice if someone could upload this stuff to VirusTotal and see the results...
I'm quite out of time these last few days to check on it,
and also, gonna be away on a trip during this week, probably not being able to reply...
I can see quite a few PHP backdoors there... what in the world is this domain...
only to be used with remote file inclusions and XSS or something?
Because I see that the main form one dir above seems to be public,
meaning that anyone can upload files through it...  ???

October 29, 2007, 01:35:42 am
Reply #1

Edgar Bangkok

I am re-posting after my message went missing because of server problems.
This is the VirusTotal report about the site:

Complete scanning result of "xkvsi809.txt", processed in VirusTotal at 10/28/2007 11:21:46 (CET).

[ file data ]
* name: xkvsi809.txt
* size: 5451
* md5.: 2d8d503e2b3eb93bad88b1a6a5aa302b
* sha1: c6d0fb1c34fd6bd3be9c6ca0f91547482373282a

[ scan result ]
AhnLab-V3 2007.10.27.0/20071026 found nothing
AntiVir found [EXP/Psyme.T.1]
Authentium 4.93.8/20071026 found [VBS/Psyme.BT]
Avast 4.7.1074.0/20071027 found nothing
AVG found [Exploit]
BitDefender 7.2/20071028 found [Exploit.ADODB.Stream.BR]
CAT-QuickHeal 9.00/20071026 found [EXP_JS/ADODBStream.E]
ClamAV 0.91.2/20071028 found [trojan.Downloader.JS.ADODBStream]
DrWeb found [VBS.Psyme.239]
eSafe found [VBS.Phel.a]
eTrust-Vet 31.2.5244/20071026 found [VBS/MS06-014!exploit]
Ewido 4.0/20071028 found [Not-A-Virus.Exploit.JS.ADODB.Stream.e]
F-Prot found nothing
F-Secure 6.70.13030.0/20071027 found [Exploit.JS.ADODB.Stream.e]
FileAdvisor 1/20071028 found nothing
Fortinet found [VBS/Psyme.R!tr.dldr]
Ikarus T3.1.1.12/20071027 found [Exploit.JS.ADODB.Stream]
Kaspersky found [Exploit.JS.ADODB.Stream.e]
McAfee 5150/20071026 found [Exploit-MS06-014]
Microsoft 1.2908/20071028 found [Exploit:JS/MS06014]
NOD32v2 2621/20071028 found [JS/Exploit.ADODB.Stream.NAP]
Norman 5.80.02/20071026 found [VBS/Psyme.AE]
Panda found nothing
Prevx1 V2/20071028 found nothing
Rising found [trojan.DL.VBS.Agent.t]
Sophos 4.23.0/20071028 found [Mal/Psyme-B]
Sunbelt 2.2.907.0/20071027 found nothing
Symantec 10/20071028 found [Downloader.Exploit.64]
TheHacker found nothing
VBA32 found nothing
VirusBuster 4.3.26:9/20071027 found [VBS.Psyme.BZ]

xkvsi809. is the source code of the page and also has VBScript with an exploit in it.

Edgar from Bangkok  :)