New Zeus server

[jackberri]

IP Location: United Kingdom - VISN Vision Internet Network
IP 193.254.210.167
[amrod.visn.co.uk]
AS31426
Registrant: Patrick Brennan

Code: [Select]

hxxp://a3crg.co.uk/shop/images/attributes/web/config.binmd5sum ===> f43fc79e1bac3b0f866325307e610db7
SHA256 ===> 05bd673470ca985b4e1775f636ddfbb63d988c78a2b835660bbdafec14bf1d97

Code: [Select]

hxxp://a3crg.co.uk/shop/images/attributes/web/gate.php

[jackberri]

IP Location: France - France Telecom - Orange IP Backbone for Enterprise and french consumers
IP 81.252.196.50
[50-196.252-81.static-ip.oleane.fr]
AS3215

Code: [Select]

hxxp://zroot.info.tm/config.binmd5sum ===> b209296b73fecaab1f45ab119138c5b0
SHA256 ===> 6cbe1174aa99eb976f8fd25a169b3795112bcd2bd1068f3a34a3a82b4eae03e6

Code: [Select]

hxxp://zroot.info.tm/gate.php
IP Location: United States - RoadRunner RR-RC-Wholesale Internet, Inc
IP 204.12.250.34
AS32097
Email Registrant: liutoy@gmail.com

Code: [Select]

hxxp://toutube.cn/config.cpmmd5sum ===> d7fb3285cc08384bd949226b2d316b1d
SHA256 ===>  88f0d2ac5b074bedf97713baef082579675fcfaf9892b05911bc1e64d6c87106

Code: [Select]

hxxp://204.12.250.34/config.cpmmd5sum ===> d7fb3285cc08384bd949226b2d316b1d
SHA256 ===>  88f0d2ac5b074bedf97713baef082579675fcfaf9892b05911bc1e64d6c87106

[.b]

Code: [Select]

Domain: ditdum.com
Full Address: ditdum.com/working/gate.php
Full Address: ditdum.com/working/iq/alg.exe (87ebabb14d7aa0e944361d0ad62a0b14)
Full Address: ditdum.com/working/iq/cfg2.bin (0bff590d279bc8918a73387dd5e0feba)


[jackberri]

IP Location: United States - Hosting Solutions International
IP 69.64.62.50
[static-ip-69-64-62-50.inaddr.intergenia.de]
AS30083
Registrant ID:AT_11711862
Registrant/Registrant Email: Kimberly/madonsa77@gmail.com

Code: [Select]

hxxp://boonz.in/vp/config.binmd5sum ===> 5f743c36e5ac8bf43cd478aa811122c9
SHA256 ===>  c5847d162c5cc7cebc15cdad859b96523f904207cb668cb658d23e6dc1161475

Code: [Select]

hxxp://boonz.in/vp/pl.php

Code: [Select]

hxxp://boonz.in/vp/ss.php?m=login

[jackberri]

IP Location: Brazil  - PLUGIN VANET ISP
IP 187.61.16.234
[migreme-web01.dominiotemporarioidc.com]
AS18479
Registrant/Email Registrant: Kingo Labs/Jonny Itaya/kingolabs@kingolabs.com.br

Code: [Select]

hxxp://migre.me/P1r0
redirects to:
IP Location: Ukraine  - AGGREGATE BLOCK FOR UKRTELECOM - UKRTELNET JSC UKRTELECOM
IP 92.112.118.211
[211-118-112-92.pool.ukrtel.net]
AS6849

Code: [Select]

hxxp://declaracion.bde.es.psdrv.ru/atn_www/jsp/descargar/

Code: [Select]

hxxp://declaracion.bde.es.psdrv.ru/atn_www/jsp/descargar/declaracion.exemd5sum ===> 069d2cacf0594f13ab3c575bd3ff4499
SHA256 ===>  ee46f830b11a0b7a30ebc4adfbb9f8a4c70d98d5cb1f00cd61ecdebd1e8f871a
http://www.virustotal.com/es/analisis/ee46f830b11a0b7a30ebc4adfbb9f8a4c70d98d5cb1f00cd61ecdebd1e8f871a-1276597524
VT 2/41 (4.88%)
related (already listed):

Code: [Select]

phaizeipeu.ru/bin/vusogahh.bin

[jackberri]

IP Location: United States - Ann Arbor - Nexcess.net L.l.c
IP 208.69.122.69
[toofast.nexcess.net]
AS36444
Registrant/Registrant Email: RopeofSilicon.com LLC/bradbrevet@ropeofsilicon.com

Code: [Select]

hxxp://www.ropeofsilicon.com/Images/stories/2010/may/cannes513/software/config.binmd5sum ===> ccb45406c0b7b7701aeed1b71819bb26
SHA256 ===>  6aba2245a2311b60ecad7286839e33037ff3453079755c87447fe63a65141546

Code: [Select]

hxxp://www.ropeofsilicon.com/Images/stories/2010/may/cannes513/software/gate.php

Code: [Select]

hxxp://www.ropeofsilicon.com/Images/stories/2010/may/cannes513/software/bot.exemd5sum ===> e5a8a38573413c9052b8586b24928cd9
SHA256 ===>  f530ef0148dbe35fc6cc55f1d027b0feacabd30076a5054ddd7a6bbced92d4c9

[jackberri]

IP Location: United States - QUADRANET
IP 66.63.181.74
AS29761
Registrant ID:CR36973518
Registrant/Registrant Email: Jennifer Obrey/jen@webworksct.com

Code: [Select]

hxxp://militaryseeds.org/kider/appicarchl/pores/flykagageses/cgtvtaloys.php?opludelmd5sum ===> 79ada2ef185941fe1a0dd12baf9eff5d
SHA256 ===>  fba72063371699cf11cede968f4f96a59201c42ca15320d1c27d03477e2239c4

Code: [Select]

hxxp://militaryseeds.org/kider/appicarchl/pores/flykagageses/cgtvtaloys.php

[jackberri]

IP Location: China - Chinanet Hunan Province Network
AS4134

Code: [Select]

hxxp://124.228.136.39/adgjlzcbm/config.binmd5sum ===> e74bd6dc4463de0d4cd12881b5e1bd9f
SHA256 ===> d259ddcac68c1eaa9fc7f48c5fff93b2ef357749613272d2cebb59f1ccab5f2a

Code: [Select]

hxxp://124.228.136.39/adgjlzcbm/bot.exemd5sum ===> 31ee3c91e3648622ec5ee81a9fc1161e
SHA256 ===> 75f0eb813491e5cd7fdfceeb6efd4769304484d14a3cc51b84bc9d4069d5a511
http://www.virustotal.com/es/analisis/75f0eb813491e5cd7fdfceeb6efd4769304484d14a3cc51b84bc9d4069d5a511-1276637010
VT 33/41 (80.5%)

Code: [Select]

hxxp://124.228.136.39/adgjlzcbm/gate.php
related zeusbotnet malware:
IP Location: Russian Federation - MADET-NET - DINET-AS Digital Network JSC
IP 195.2.252.153
[hosted-by.madet.info]
AS12695
Registrant/Email Registrant: Dean Morton/support@ahohonline.com

Code: [Select]

hxxp://afretroactive.com/exe.exemd5sum ===> 0102e0c5db8732d74a2675c05b8dbe04
SHA256 ===> 0dbfef9112191e5e3d7dd651e68f8b1fdb3824f706dfe3ec383f1034eaae7937
http://www.virustotal.com/es/analisis/0dbfef9112191e5e3d7dd651e68f8b1fdb3824f706dfe3ec383f1034eaae7937-1276712805
VT 2/41 (4.88%)
related:

Code: [Select]

hxxp://96.9.182.197/mybackup21.rar
hxxp://96.0.203.114/mybackup21.rar
hxxp://173.208.150.90/mybackup21.rarmd5sum ===> fdc7d559e9db995b22ed3b857dca1b7e
SHA256 ===> 10244db559a020d4a191e790b6ab98576a2e8543b5a827a1fc5fff4e0af53dc9
http://www.virustotal.com/analisis/10244db559a020d4a191e790b6ab98576a2e8543b5a827a1fc5fff4e0af53dc9-1276603299
VT 3/41 (7.32%)

[jackberri]

IP Location: France - France Telecom - Orange IP Backbone for Enterprise and french consumers
IP  81.252.196.50
[50-196.252-81.static-ip.oleane.fr]
AS3215
Registrant/Email Registrant: Ken Foshaug/shubrickqz7en@yahoo.com

Code: [Select]

hxxp://tuxforever.tk/jack/gate.php
other malware:
Trojan Harnig:

Code: [Select]

hxxp://rapidshare.com/files/399415576/ppi1a.exe
hxxp://rs868tl3.rapidshare.com/files/399415576/ppi1a.exe
hxxp://rapidshare.com/files/399415603/ppi1b.exemd5sum ===> 63cf91db63048359f2e0d7fc2db3fca1
SHA256 ===>  25640206d58ec57f437cb91f46fc10548b66956a4cdc8f6347e27e11f6cd039d
http://www.virustotal.com/es/analisis/25640206d58ec57f437cb91f46fc10548b66956a4cdc8f6347e27e11f6cd039d-1276767890
VT 18/41 (43.9%)
TDSS:

Code: [Select]

hxxp://rapidshare.com/files/399798492/ppi21.exemd5sum ===> 88e7bef58e090c7369e44fe9830d2271
SHA256 ===>  81ff39956a45a3da47d3170f9a7495fe8e87f0d26545252dee47c82907279f99
http://www.virustotal.com/es/analisis/81ff39956a45a3da47d3170f9a7495fe8e87f0d26545252dee47c82907279f99-1276767740
VT 7/41 (17.1%)

Code: [Select]

hxxp://rapidshare.com/files/399798632/ppi22.exemd5sum ===> decfa57753b1e7d55984f7bcbe54febd
SHA256 ===>  30f3cab1ec84a97a30596605100960028e1bdb965bf8617c2e8b0b9cfae2b9a9
http://www.virustotal.com/es/analisis/30f3cab1ec84a97a30596605100960028e1bdb965bf8617c2e8b0b9cfae2b9a9-1276767487
VT 7/40 (17.5%)
trojan:

Code: [Select]

hxxp://rapidshare.com/files/399832883/GoldenInstall12.exemd5sum ===> 2fc752f7c64aa55426c70d35be0d4f80
SHA256 ===>  31d39b9d12b82d7bd761b752f934d2884c4a2f2518982988d2900b79919490e9
http://www.virustotal.com/es/analisis/31d39b9d12b82d7bd761b752f934d2884c4a2f2518982988d2900b79919490e9-1276767620
VT 22/41 (53.66%)

[jackberri]

IP Location: China - CHINA-TELECOM
IP  59.53.91.124
AS4134
Email Registrant: contact@privacyprotect.org

Code: [Select]

hxxp://biztoolbar.com/ze/cofag56.binmd5sum ===> 24fbdaaa20b78123ea6c459954ef3476
SHA256 ===>  ef1d167d4c97134e95cd7179737e120df98232b555dccdbd0168e400dae10da1

Code: [Select]

hxxp://biztoolbar.com/ze/botetz.exemd5sum ===> ee5e43ef4386d1e81911bc839c0aa03a
SHA256 ===>  1b327d7a06de60817c89e9a68f9bbe3c456bb4ab08aae55189989edfe8c598ad
http://www.virustotal.com/es/analisis/1b327d7a06de60817c89e9a68f9bbe3c456bb4ab08aae55189989edfe8c598ad-1276795937
VT 20/40 (50%)

Code: [Select]

hxxp://biztoolbar.com/ze/gates5.phpTDSS:

Code: [Select]

hxxp://biztoolbar.com/1272003965.exemd5sum ===> 9df7639728429748939d42671a06c4ab
SHA256 ===>  dba39b8c091becf760d8d68943ba98b308c4d62b2986c135f811445da9229258
http://www.virustotal.com/es/analisis/dba39b8c091becf760d8d68943ba98b308c4d62b2986c135f811445da9229258-1276794565
VT 33/40 (82.50%)
Trojan Dropper:

Code: [Select]

hxxp://biztoolbar.com/agressive.exemd5sum ===> 3315287968320a0dc4d045d3dae935b4
SHA256 ===>  1268d1f0b4fcdeb8953b1d3e7e9b4350660e442ca24f56ee5d2bc1a2e9e3741a
http://www.virustotal.com/es/analisis/1268d1f0b4fcdeb8953b1d3e7e9b4350660e442ca24f56ee5d2bc1a2e9e3741a-1276796369
VT 37/40 (92.5%)

[jackberri]

IP Location: Russian Federation - Volgograd - Pe Bondarenko Dmitriy Vladimirovich
IP  91.213.174.10
AS29106
Registrant/Email Registrant: Dmitriy/bondarenkoip1@gmail.com

Code: [Select]

hxxp://update-windows7.com/go.phpother domains:

Code: [Select]

vvxxn.com
trust-update.com
microsoft-update.name
googie-update.com

[jackberri]

IP Location: United States - THEPLANET-AS2 ThePlanet.com Internet Services, Inc.
IP  174.120.23.124
[7c.17.78ae.static.theplanet.com]
AS21844

Code: [Select]

hxxp://budgetvip.com.vn/apache.jpgmd5sum ===> b5a83846bb7dfb00e27cc977fd42a8fe
SHA256 ===>  40b705a4f3fd2d438be22e40dddd71d0874d4df9980a83fa28b5352225f3e536

Code: [Select]

hxxp://medianservicebz.net/webstate/webstat.phprelated (Rogue-Fake-AV):

Code: [Select]

hxxp://shop.tiredwolfhome.com/main.php?h=budgetvip.com.vn&i=JsWpjdIcr/Oljhj7U8VHy5gXog==&e=4
IP Location: Russian Federation - Volgograd - Pe Bondarenko Dmitriy Vladimirovich
IP  178.208.83.6
[s2.h.mchost.ru]
AS35415
Email Registrant: kitsul71@gmail.com

Code: [Select]

hxxp://sex-gifts.ru/includes/Archive/images/gate.phpTDSS:

Code: [Select]

hxxp://sex-gifts.ru/includes/Archive/1276674934.exemd5sum ===> e43fa8404b4b23e5aeac856858aa98b9
SHA256 ===>  6612c8f4c887e321b016f1b85d8b3498cb20daf835be189f59892fea204b7135
http://www.virustotal.com/es/analisis/6612c8f4c887e321b016f1b85d8b3498cb20daf835be189f59892fea204b7135-1276862623
VT 4/40 (10%)

IP Location: United Kingdom - GOSCOMB-AS Goscomb Technologies Limited Based in the London Docklands
IP  93.89.80.112
[dns1.rx-commission.com]
AS39326
Registrant ID:Edns-r3780905
Registrant/Email Registrant: Tait Chris/pdg@alef.sc

Code: [Select]

hxxp://podgorz.org/zuo/zsweb_cleaned/config.binmd5sum ===> a6714d5eda45a88e611dd41501a93c54
SHA256 ===>  c3db1dccee8f916c54f102647b367a70228d1497f724727b3c34d029acfefabf

Code: [Select]

hxxp://podgorz.org/zuo/zsweb_cleaned/bot.exemd5sum ===> c8105186058fb4e29accdd7d5239994a
SHA256 ===>  3065380250b2b9e55190732068bd883550af42a28decb6df33c381563a73bac9
http://www.virustotal.com/es/analisis/3065380250b2b9e55190732068bd883550af42a28decb6df33c381563a73bac9-1276880758
VT 38/41 (92.69%)

Code: [Select]

hxxp://podgorz.org/zuo/zsweb_cleaned/gate.php

[jackberri]

IP Location: Argentina
IP  186.18.69.201
[cpe-201.69.18.186.in-addr.arpa]
AS27747

Code: [Select]

hxxp://doctornimnul.com/webstat/flash03.binmd5sum ===> acd80ff1a16969811ff29e6731e5f006
SHA256 ===>  fe6e59e2da26754706e05658b3981b626939a2dee68fca7827432f673be95d94

Code: [Select]

hxxp://doctornimnul.com/webstat/getimages.php
IP Location: Ukraine - DATAXATA-AS TOV Data-Xata
AS8870
[hyper-2-pr0tein-1.data-xata.net]

Code: [Select]

hxxp://91.197.131.153/cp/bot.exemd5sum ===> 19362fd0c3527f24379df1fe3ec77794
SHA256 ===>  16b0024a98437d427207c1737245bdf7c45aa41e2af64c193da91d8b42d436c6
http://www.virustotal.com/es/analisis/16b0024a98437d427207c1737245bdf7c45aa41e2af64c193da91d8b42d436c6-1276937190
VT 21/41 (51.22%)

Code: [Select]

hxxp://91.197.131.153/cp/gate.php

[jackberri]

IP Location: Germany - KEYWEB-AS Keyweb AG
IP 87.118.84.17
AS31103
[ns.km13002-05.keymachine.de]
Email Registrant: zond80@gmail.com

Code: [Select]

hxxp://b.chto.su/cfg2.binmd5sum ===> a800bd2edea21d783edfec42ae1dd6d5
SHA256 ===>  b890a8beb9528a741e2f25acda03d72dcad1875792c5bcfb04a53fab88f960f2

Code: [Select]

hxxp://b.chto.su/bot.exemd5sum ===> 985b4dda9cb26ba071609da3caea1833
SHA256 ===>  dd60c9492c32663fbda93e572b4c01f370a552ff82f06d0fa95179c7955b928f
http://www.virustotal.com/analisis/dd60c9492c32663fbda93e572b4c01f370a552ff82f06d0fa95179c7955b928f-1275149278
VT 32/41 (78.05%)

Code: [Select]

hxxp://b.chto.su/gate.php
IP Location: Germany
IP 95.169.184.8
AS31103
Registrant/Email Registrant: Washer, Emilie/emwash37@gmail.com

Code: [Select]

hxxp://sekmoon.net/1.php
IP Location: Netherlands - XL-AS XL Network
IP 194.60.207.200
[cp-005.xl-is.net]
AS35470

Code: [Select]

hxxp://hermes1.nl/apache.jpgmd5sum ===> b5a83846bb7dfb00e27cc977fd42a8fe
SHA256 ===>  40b705a4f3fd2d438be22e40dddd71d0874d4df9980a83fa28b5352225f3e536
dropzone:
IP Location: France - PROXAD Free SAS
IP 88.191.38.208
AS12322
[forumcrea.com]
Registrant/Email Registrant: Antoine Porter/wcqewkxc95@gmail.com

Code: [Select]

hxxp://medianservicebz.net/webstate/webstat.php

Code: [Select]

related (already listed): budgetvip.com.vn/apache.jpg

[jackberri]

IP 91.216.122.6
AS49544
Registrant/Email Registrant: Harry Bishop/Harry.PBishop@yahoo.com

Code: [Select]

hxxp://malbobro.org/qwerty/cfg2.binmd5sum ===> febc2ed8f7117e68bbf01dec3c4c6b2c
SHA256 ===>  815132eea433478b1bcfd43094cc31e941956d8aaafaab7b8064e03b41f89d9e

Code: [Select]

hxxp://malbobro.org/qwerty/bot.exemd5sum ===> 95157978d6b7e6e990c6952c097f9506
SHA256 ===>  ae9a1472546e6490f8bd39de3b37bd1889ce00c1fef1165714570646c68ca0ef
http://www.virustotal.com/analisis/dd60c9492c32663fbda93e572b4c01f370a552ff82f06d0fa95179c7955b928f-1275149278
VT 31/41 (75.61%)

Code: [Select]

hxxp://malbobro.org/qwerty/gate.php

Code: [Select]

dropzone for  am-remorquage.fr/alogo.jpg (already listed):
IP Location:  France  - FR-DEDIBOX
IP 88.191.38.208
[forumcrea.com]
AS12322

Code: [Select]

hxxp://www.blogjo.biz/webstate/webstat.php
related (fake av):
IP Location:  Netherlands  - LeaseWeb AS
IP 95.211.131.185
[hosted-by.leaseweb.com]
AS16265

Code: [Select]

hxxp://ns2.kpi-graphics.com/main.php?h=am-remorquage.fr&i=J8mjj9QYr/miihj7U8RPw50Xog==&e=4related:

Code: [Select]

traff.pohuy.ws/
issintm.pohuy.ws/