daily something......

[Malware-Web-Threats]

redirects:

Code: [Select]

hxxp://tvnameshop.cn:8080/ts/in.cgi?pepsi19
exploits:

Code: [Select]

hxxp://litetopseeksite.cn:8080/index.php
Wepawet
pdf:

Code: [Select]

hxxp://litetopseeksite.cn:8080/cache/readme.pdf
VirusTotal - 10/40 (25.00%)
Wepawet
flash:

Code: [Select]

hxxp://litetopseeksite.cn:8080/cache/flash.swf
VirusTotal - 11/39 (28.21%)
exe:

Code: [Select]

hxxp://litetopseeksite.cn:8080/load.php
VirusTotal - 2/39 (5.13%)

Registrant: Scott Bell / ScottKBell@ missiongossip.com
Registrant: Michelle Rea / rea@ cybernauttech.com

[CkreM]

few trojans:

Code: [Select]

contempt.fileave.com/update.exehttp://www.virustotal.com/analisis/a9611719a2debd0ce94827725344b924b59a7dceb3b88a5a7373e63b21ea3a4a-1243232016

Code: [Select]

contempt.fileave.com/install_flash_player.exehttp://www.virustotal.com/analisis/7a0c6497ed0fedc5eb92b63f7c79d9f6fddaf93d6dcc92bb8c869bc9da354aa9-1243232028

Code: [Select]

contempt.fileave.com/update!!.exehttp://www.virustotal.com/analisis/eb6312bd3a633c4dc29bd3c6a8ed818034da1f9b619ef71e0beb549c4560dea8-1243232049

Code: [Select]

ebnetwork.biz/bot.exehttp://www.virustotal.com/analisis/36e867e35665340c782c1d029d4f812e78a2c1b9b06c8f65e11aa4ecf249efc2-1243232229

Koobface:

Code: [Select]

82.120.80.136/setup.exe
72.26.145.118/setup.exe
Exploit/trojan Murlo:

Code: [Select]

usrvzi.ruhttp://wepawet.iseclab.org/view.php?hash=07cb0602a03e0538ce9e630d5881e8d2&t=1243233325&type=js

Fake AV loader:

Code: [Select]

stroika2009.ru/porn-tube.avi.exe
http://www.virustotal.com/analisis/15d4ed789d3872463614ff54804ddebc07ae67ea6ab44efd80937ede4f33191d-1243233171

Fake AV:

Code: [Select]

pornotubeonline10.com/scan/Fake payment site:

Code: [Select]

2payon.com/pp/?id=356

[CkreM]

Trojan Emold:

Code: [Select]

interepass.com/ldr/main.exehttp://www.virustotal.com/analisis/49925c768805484b4fcd2eb62d0d72765b7b40c62cbe6cceaad4d2187eaac444-1243317300
Trojan:

Code: [Select]

89.149.242.25/cc/rf5.exehttp://www.virustotal.com/analisis/6626bc1283eb86b9afdf73ee4a24be67734fb0be1c81dda3e7d3731f77064c30-1243311118
Trojan:

Code: [Select]

us18.ru/d/1.exehttp://www.virustotal.com/analisis/21c89616b4b86dff6e1edf71c301a516b0dd477811bf7398a38743868a24e7db-1243311158
Trojan

Code: [Select]

pizdhelp.com/codec.exe
loyalbox.biz/codec.exehttp://www.virustotal.com/analisis/3f952397ee3a0fab7f828977e96d278be7e60f43de6f495c1fb7e7579cfcf616-1243317473

Fake av scan:

Code: [Select]

porno-online-tube.com/scan/
note4scan.info
greattoolset.com
Fake AV:

Code: [Select]

dwnld.showpromo-offer.com/secure/069d079c64e0350e7ba812895655fbf0/4a1b65bd/srm/srm_free_setup.exehttp://www.virustotal.com/analisis/af072ce2b07e627e27035e85bfd0ab74ac9de16b8166ef40d4b11455ecbe1b7e-1243317795
Redirects to fake AV:

Code: [Select]

trafdriver.com/in.cgi?10
Exploit/trojan:

Code: [Select]

freehostwap.com/in.phphttp://wepawet.iseclab.org/view.php?hash=d89affb2687f08a4310d2e29a79d0b0f&t=1243320248&type=js

[sursmurf]

PDF:

Code: [Select]

http://92.60.176.45/s/getfile.php?f=pdf
[5/39]
http://www.virustotal.com/analisis/c958c661bc404cd8f82ccad7143b82937eeebafd27226e80feef3b5ddd92ec99-1243341305

Trojan/dropper:

Code: [Select]

http://92.60.176.45/s/getexe.php?h=1
[7/39]
http://www.virustotal.com/analisis/e1b5d1b5c13891d274ec6fe17a405ec234a2368b2ee5720c4d53a508ff359465-1243341362

[sparsha]

Rogue Application related domains:

Code: [Select]

Angantivirus09.com
Ang-antivirus09.com
Angantivirus09.info


best-protect-av1.info
download.best-protect-av1.info


securityonlinesite.com/hitin.php?land=20&affid=20100


[CkreM]

Exploit/trojan:

Code: [Select]

leosex.org/nn/index.phphttp://wepawet.cs.ucsb.edu/view.php?hash=eb94cbec20844957ee85c8e95f272dfc&t=1243391424&type=js
Trojan(seemed like virut to me)

Code: [Select]

ileron.cn/dll/abb.txthttp://www.virustotal.com/analisis/452e31c95952af674501a0519e63741568a1a3ba6267abc559b461812d761b70-1243392178
Trojan:

Code: [Select]

ileron.cn/dll/em.txthttp://www.virustotal.com/analisis/9b9871886640affa7fa13ebcb404540b10c862c9bf88372b184060f8eb2d1c37-1243392469

[CkreM]

Fake AV:

Code: [Select]

truesafetyweb.com
securityonlinesite.com

[Malware-Web-Threats]

70.85.142.250 - fa.8e.5546.static.theplanet.com

redirects:

Code: [Select]

thefilmmusic.cn:8080/ts/in.cgi?pepsi16
mynewnameshop.cn:8080/ts/in.cgi?pepsi25
usednamestore.cn:8080/ts/in.cgi?pepsi23
namebuyfilmlife.cn:8080/ts/in.cgi?pepsi23
mediahomenameshoppicture.cn:8080/ts/in.cgi?pepsi17
homenameworld.cn:8080/ts/in.cgi?pepsi17
technologybigtop.cn:8080/ts/in.cgi?pepsi17

exploits / trojan:

Code: [Select]

litetopdiscoversite.cn:8080/index.php
litetopdiscoversite.cn:8080/load.php
litetopfinddirect.cn:8080/index.php
litetopfinddirect.cn:8080/load.php


[CkreM]

PDF exploit:

Code: [Select]

cutlot.cn/cache/readme.pdfhttp://wepawet.iseclab.org/view.php?hash=175471e264f45086cc76d243f2d434da&t=1243755537&type=js
Flash exploit:

Code: [Select]

cutlot.cn/cache/flash.swfhttp://wepawet.iseclab.org/view.php?hash=b3b47f2539fcd19831f1b69463f463aa&type=swf
the downloaded trojan(0 detection on VT)

Code: [Select]

bestlitediscover.cn:8080/landig.php?id=8http://www.virustotal.com/analisis/cbdc2ddd3d050e55863f645efe12a3b55abec042a8d4f638788669e6431683b3-1243839114
communicates with

Code: [Select]

78.109.29.116/new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=606178701&rnd=981633 (on MDL)

Code: [Select]

www.zbbey.com/n/http://wepawet.iseclab.org/view.php?hash=47f6d25611621daf759de1bf372b9633&t=1243757577&type=js
PDF exploit:

Code: [Select]

www.zbbey.com/n/spl/pdf.pdfhttp://wepawet.cs.ucsb.edu/view.php?type=js&hash=15b110fd28204a9b64716abda5cd6db5&t=1243757463
the downloaded trojan:

Code: [Select]

zbbey.com/n/exe.phphttp://www.virustotal.com/analisis/11d539235f368547b20854cbbcfadee90c4c71d4c8a9e78fa6f6011b30f3f423-1243850579


Few trojans:

Code: [Select]

www.mcdonaldsuck.com/e/eg.exehttp://www.virustotal.com/analisis/6471bb8364de0ffc7775daa615631d226030280bcd4b8da40cb6ad8058e7b8b2-1243840368

Code: [Select]

www.mcdonaldsuck.com/e/sb.exehttp://www.virustotal.com/analisis/6ab0ac53f3c91abe493b9423fe71bb6f57ba728a9dd7f888d85ed117c4fe78ca-1243840496

Code: [Select]

www.mcdonaldsuck.com/e/238.exehttp://www.virustotal.com/analisis/097d7a0907216b6395f4e88a3b847cb15a17f4166367a7c2b42518dd3a4c8836-1243840661

Code: [Select]

www.mcdonaldsuck.com/e/ick.exehttp://www.virustotal.com/analisis/51f7ed9fa7f032ab1fd3acf7fc2eef55c62b15128b46d697405d67778093286a-1243840855

Code: [Select]

www.mcdonaldsuck.com/e/lich.exehttp://www.virustotal.com/analisis/ac62cbe52183d6f60f683548dde10dd1ba814fcab8ccc6aa3beadfb646c46bb7-1243841074

Code: [Select]

sotana.su/1.exehttp://www.virustotal.com/analisis/cb70d5e0ba1425ca49142a598528617846834aab9129677060d3568485d69080-1243841368

Code: [Select]

sexiland.ru/1.exehttp://www.virustotal.com/analisis/2a6c671dad587a06a18e751a3f22a0eb1659f73f915ec307dd65e2d59a5ae3c2-1243841184

Code: [Select]

sexiland.ru/bot.exehttp://www.virustotal.com/analisis/dc9913c8a788ce33a063de0f8d73c0e214eef3c6e63fc7a99fb8eff007f0cf06-1243841240

Code: [Select]

claremontfinance.org/voland.exehttp://www.virustotal.com/analisis/fc2c189b3242075ee4944afd6f4b60b7852dd73eea412ee20366cb082b16340d-1243841664

Code: [Select]

business-networks.info/data/images/ftp.exehttp://www.virustotal.com/analisis/eaa2a177b4e1b711b536a965bdf4bb1ba1eead4fca275dce6b124d5b87e9b824-1243841813

Code: [Select]

89.149.242.25/ededed3.exehttp://www.virustotal.com/analisis/76ef1bbe110c8ff041db0c67895d551769e9b85f08780c1242c6a2cc4026cdce-1243839486

Redirects to fake AV:

Code: [Select]

unmarine.info
powerball.3june2009.comFake AV:

Code: [Select]

counteringate.com/scan
loved-online-tube.com/scan/
first-antispyware.com/promo3/
the-best-antispyware.com/promo3/

[CkreM]

Exploits:

Code: [Select]

search-adverts.net/forum/index.phphttp://wepawet.iseclab.org/view.php?hash=f2974b1a652fd3bc3fac456d5175e1ab&t=1243847198&type=js
PDF:

Code: [Select]

search-adverts.net/forum/cache/readme.pdfFlash:

Code: [Select]

search-adverts.net/forum/cache/flash.swfKoobface:

Code: [Select]

search-adverts.net/forum/load.php?id=4http://www.virustotal.com/analisis/199690f5a30c1d9ff7d267cce6f7bab4b98195bdc8963a40c03f5146163a96a9-1243504185

[CkreM]

Rogue:

Code: [Select]

clean-windows-vista.com
registry-cleaner-2009.com/Setup.exe
Internet-explorer-cleaner.com/Setup.exe
registrycleanerpro.org/Setup.exehttp://www.virustotal.com/analisis/fa7bcca65a1c661f93a0a2d1031162e12a4c27d86f49686e65a02d40762f74f8-1243909438 (1/40)
The payment site(site seems legit and just offer it services):

Code: [Select]

plimus.com/jsp/buynow.jsp?contractId=2261798&templateId=678656

[CkreM]

Few Trojans:

Code: [Select]

avhtm.8866.org/files/av.exehttp://www.virustotal.com/analisis/969c0f517f279dd68898eea50bb9ce51092acc3eca79fe963500b82f5c0d222a-1243923005

Code: [Select]

091809.ru/bot.exehttp://www.virustotal.com/analisis/eabf8925b5e73d4a8c1ef091108c2144a506f953c2e392588d2b5c05189dc698-1243924307
Trojan Koobface:

Code: [Select]

videofx4you1.com/software/019d135faa/10180/1/Setup.exehttp://www.virustotal.com/analisis/e585df3a2b91e56951ecd6a03c73fd7b45b02e0ca2278130438b6467e823e202-1243924387

Code: [Select]

ultraphobia.com/ppcfile/godsname.exehttp://www.virustotal.com/analisis/8018cf6b613911e75f0a9f326bb4d18b86f3543cab781b21fa49893483c37804-1243924788

Code: [Select]

ultraphobia.com/ppcfile/freeserfer.exehttp://www.virustotal.com/analisis/da4177f7cec2b60dae6e7d67944b5ff54273c6d70549d63c4c6de584abece4a6-1243924927
Trojan Pinch:

Code: [Select]

treelives.cn/pnc/pexe.exehttp://www.virustotal.com/analisis/c0deb27bd735c3936bd84bd67d60b3c5450bffb6f051eb170370afb965a0dad1-1243925125

Exploits:

Code: [Select]

s76z.cn/data/http://wepawet.iseclab.org/view.php?hash=7bb7e6ca87c21a4310f276e54db9e102&t=1243847990&type=js
PDF:

Code: [Select]

s76z.cn/data/spl/pdf.pdfTrojan Oficla:

Code: [Select]

s76z.cn/data/exe.phphttp://www.virustotal.com/analisis/02c22fc3cd292700557f0a125a544225a51839754f3ad886ba38788f8e5aaa3f-1243815948

Exploits:

Code: [Select]

treelives.cn/ru/index.phphttp://wepawet.iseclab.org/view.php?hash=db13b96a3f07c2433da03c406fa21000&t=1243849201&type=js
PDF:

Code: [Select]

treelives.cn/ru/iepdf.php?f=newTrojan oficla:

Code: [Select]

treelives.cn/ru/load.phphttp://www.virustotal.com/analisis/bcb7eb7c10a161a08a16249e653bfcd0c26ac97941ac5760525c27edadf383d8-1243796149

[SysAdMini]

iframe directs to pfre.php

Code: [Select]

lgmin.com/image/index.php
pdf exploit

Code: [Select]

lgmin.com/image/pfre.php
payload is

Code: [Select]

http://lgmin.com/image/ouet.phphttp://www.virustotal.com/analisis/27b6a8bd0b5ccdd6d621cec888108f6c4f6f809319fad724f5c6f1aa94124a39-1243963662 3/40
CAT-QuickHeal   10.00   2009.06.02   (Suspicious) - DNAScan
Microsoft   1.4701   2009.06.02   VirTool:Win32/Obfuscator.FH
Symantec   1.4.4.12   2009.06.02   Suspicious.MH690.A
http://www.threatexpert.com/report.aspx?md5=995a4928b9d1da62bcda2c1db6dd4898

AdPack cpanel is

Code: [Select]

lgmin.com/image/admin.php
same kind of stuff can be found at fastinate.com/image/...

[sparsha]

Sites related Rogue Security Application

Code: [Select]

http://deluxe-protector.com/setup.exe
http://softwaredownloadcentercom.com/xpdel.exe

http://liveicqnetwork.cn/go.php?id=2018&key=56d5f0bd3&p=1
http://pricelessfinish.cn/go.php?id=2018-04&key=56d5f0bd3&p=1

http://pro-antivirus-scannerv2.com/1/?id=2018&smersh=c144eb244&back==TQ0yzz5McQNMI=M

http://safetywww.com/hitin.php?land=20&affid=20100
http://personal-antivirus-software.com/promo3/?aid=851


[SysAdMini]

directs to "Messenger Infium" (trojan)

Code: [Select]

msnm.3eu.ru

Code: [Select]

albatros.ee/uploades/scr_dn/MInfium2009Final.exehttp://www.virustotal.com/analisis/9075621fd2b778431b576b9fef8ece2af86ff98f2f1516b62078f26b700f17c2-1244062941 2/40
K7AntiVirus   7.10.752   2009.06.02   Trojan.Win32.Malware.1
TheHacker   6.3.4.3.338   2009.06.03   Trojan/Agent.cikm