Author Topic: Trojan Ransom  (Read 407477 times)


August 17, 2011, 02:07:26 pm
Reply #105

mc0blck

  • Jr. Member
Redirector
Quote
hxxp://1triret.ru/dehehdsv.cgi?11
hxxp://1triret.ru/dehehdsv.cgi?12
hxxp://1triret.ru/dehehdsv.cgi?17

Redirectors were taken down.

August 17, 2011, 02:32:54 pm
Reply #106

EP_X0FF

  • Guest
they already spawned new redirectors
Quote
hxxp://2domnat.ru/ddfwefwg.cgi?11
hxxp://2domnat.ru/ddfwefwg.cgi?12
hxxp://2domnat.ru/ddfwefwg.cgi?17

pornorolik ransom (aka Trojan:Win32/Ransom.DN)

Update: 95.57.120.140 (where all randomized domains are hosted) is off. Redirectors are pointing to nowhere (at the moment of posting).

Quote
hxxp://m0repornoxxx.ru/s11l/video/videos11.avi.exe
hxxp://m0repornoxxx.ru/s12o/video/videos12.avi.exe
hxxp://m0repornoxxx.ru/s17v/video/videos17.avi.exe

all repacked and new

LockEmAll (aka Trojan:Win32/Ransom.DF)

Quote
hxxp://91.228.133.72/d.php?f=155&e=2
hxxp://91.228.133.72/d.php?f=348&e=2
hxxp://91.228.133.72/d.php?f=349&e=2
hxxp://91.228.133.72/d.php?f=350&e=2

August 19, 2011, 03:04:54 am
Reply #107

EP_X0FF

  • Guest
Pornorolik (moved to new host 91.220.90.30)

Quote
hxxp://tolkonewpornru.ru/s11l/video/videos11.avi.exe
hxxp://tolkonewpornru.ru/s12o/video/videos12.avi.exe
hxxp://tolkonewpornru.ru/s17v/video/videos17.avi.exe

Redirector path
Quote
hxxp://3nimnas.ru/dfgherh.cgi?12 (88.208.33.154) -> hxxp://newxxxsexru.ru/s12o/vu-index.html (91.220.90.30) -> hxxp://newxxxsexru.ru/s12o/video/videos12.avi.exe (91.220.90.30)

LockEmAll path
Quote
hxxp://ookokdporn.ru/in.cgi?2 (91.221.99.241) -> hxxp://ololosadasas.ru/in.cgi?15 (91.221.99.241) -> hxxp://zw5porn3.ru/74/ (91.220.0.66) -> hxxp://zw5porn3.ru/74/xxx_video.exe (91.220.0.66)

list is partially courtesy of mc0blck :)

LockEmAll more


August 19, 2011, 01:35:40 pm
Reply #108

EP_X0FF

  • Guest
Pornorolik moved again (109.127.8.249)

Quote
hxxp://svejeepornoru.ru/s11l/video/videos11.avi.exe
hxxp://svejeepornoru.ru/s12o/video/videos12.avi.exe
hxxp://svejeepornoru.ru/s17v/video/videos17.avi.exe

August 20, 2011, 11:32:12 am
Reply #109

EP_X0FF

  • Guest
Pornorolik

Quote
hxxp://sexvkontaktru.ru/s11l/video/videos11.avi.exe
hxxp://sexvkontaktru.ru/s12o/video/videos12.avi.exe
hxxp://sexvkontaktru.ru/s17v/video/videos17.avi.exe

LockEmAll
Quote
hxxp://91.228.133.72/d.php?f=361&e=2
hxxp://91.228.133.72/d.php?f=362&e=2
hxxp://91.228.133.72/d.php?f=363&e=2
hxxp://91.228.133.72/d.php?f=364&e=2

August 21, 2011, 01:59:08 pm
Reply #110

EP_X0FF

  • Guest
Pornorolik ransom

Quote
hxxp://pornocityru.ru/s11l/video/videos11.avi.exe
hxxp://pornocityru.ru/s17v/video/videos17.avi.exe

LockEmAll ransom

Quote
hxxp://91.228.133.72/d.php?f=365&e=2
hxxp://91.228.133.72/d.php?f=367&e=2

August 21, 2011, 05:22:51 pm
Reply #111

EP_X0FF

  • Guest
Pornorolik redirectors

Quote
hxxp://xxx-pornomovs.ru/nnnclick/in.cgi?26
hxxp://vertol-j.ru/rththtrr.cgi?11
hxxp://vertol-j.ru/rththtrr.cgi?17

Pornorolik ransom
Quote
hxxp://speedporevonow.ru/s11l/video/videos11.avi.exe
hxxp://speedporevonow.ru/s17v/video/videos17.avi.exe

August 22, 2011, 10:06:26 am
Reply #112

EP_X0FF

  • Guest
Pornorolik

Quote
hxxp://gopornogosexxx.ru/s11l/video/videos11.avi.exe
hxxp://gopornogosexxx.ru/s17v/video/videos17.avi.exe
hxxp://sexsexvoolhard.ru/s11l/video/videos11.avi.exe
hxxp://sexsexvoolhard.ru/s17v/video/videos17.avi.exe

LockEmAll (comes without any kind of unblock code, even in case of payment).

Quote
hxxp://91.228.133.72/d.php?f=368&e=2
hxxp://91.228.133.72/d.php?f=369&e=2
hxxp://91.228.133.72/d.php?f=371&e=2
hxxp://91.228.133.72/d.php?f=372&e=2

August 22, 2011, 11:15:49 am
Reply #113

EP_X0FF

  • Guest
Domains used by Pornorolik 22 August


August 23, 2011, 03:29:21 am
Reply #114

EP_X0FF

  • Guest
Domains used by Pornorolik 23 August
All already operational.


LockEmAll

Quote
hxxp://91.228.133.72/d.php?f=375&e=2
hxxp://91.228.133.72/d.php?f=376&e=2
hxxp://91.228.133.72/d.php?f=377&e=2
hxxp://91.228.133.72/d.php?f=378&e=2

August 24, 2011, 05:23:48 am
Reply #115

EP_X0FF

  • Guest
LockEmAll

Quote
hxxp://91.228.133.72/f.php?f=380&e=2
hxxp://91.228.133.72/f.php?f=381&e=2
hxxp://91.228.133.72/f.php?f=382&e=2
hxxp://91.228.133.72/f.php?f=383&e=2

August 24, 2011, 06:32:43 am
Reply #116

EP_X0FF

  • Guest
Domain names preallocated 23 August to use as LockEmAll/Blackhole dropzones.

Starting from the beginning of July LockEmAll allocated 474 domain names + 75 used for redirectors, Pornorolik allocated 515 domain names + 38 used for redirectors.

The following names will be used by LockEmAll during the next week (24 Aug - 01 Sept).


LockEmAll redirectors allocated 6 days ago (only one is active per day; the next day it is deactivated)

Quote
PARANOYAPORNO.RU (Currently active)
NBYPORNO.RU
MUOPORKKA.RU
LIASHPORNO.RU
BZXPORNO.RU
VINPORJAD.RU
PORNOZPORKKAS.RU
POIUNIKIA.RU (Currently used as second stage redirector)

The second-stage redirector is always used to point to a valid and operational LockEmAll domain.
For example, today it looks like this:

Quote
hxxp://paranoyaporno.ru/ -> hxxp://paranoyaporno.ru/video.htm -> hxxp://poiunikia.ru/in.cgi?2 -> hxxp://poiunikia.ru/in.cgi?14 -> hxxp://vynvid5.ru/14/ -> hxxp://vynvid5.ru/14/xxx_video.exe

vynvid5.ru was allocated 6 days ago, so it's not in the list. Also, you may notice that the redirector param hxxp://poiunikia.ru/in.cgi?14 (highlighted) is used to generate part of the address -> hxxp://vynvid5.ru/14/.
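
The parameter-to-path relationship described in the post above (in.cgi?14 leading to /14/ on the dropzone) can be used to pick such chains out of an ordered per-client URL log. The following Python sketch is an added example, not part of the original post; the function names and the `.example` hosts are constructed, and the optional single-letter wrap around the number (/s12o/) is taken from the Pornorolik chain quoted earlier in the thread.

```python
import re
from urllib.parse import urlsplit

CGI = re.compile(r"/[\w-]+\.cgi$")            # e.g. /in.cgi, /dfgherh.cgi
EXE = re.compile(r"\.exe$", re.IGNORECASE)

def refang(url):
    """Turn the thread's defanged hxxp:// notation into a parseable URL."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)

def find_param_chains(urls):
    """Return (redirector, payload) pairs where a numeric .cgi parameter
    reappears in the first path segment of a later .exe download."""
    seen = []   # (param, url) for each redirector hit, in request order
    hits = []
    for raw in urls:
        parts = urlsplit(refang(raw))
        if CGI.search(parts.path) and parts.query.isdigit():
            seen.append((parts.query, raw))
            continue
        if not EXE.search(parts.path):
            continue
        first_seg = parts.path.lstrip("/").split("/", 1)[0]
        # Check the most recent redirector first.
        for param, redir in reversed(seen):
            # LockEmAll form: /14/...   Pornorolik form: /s12o/...
            if re.fullmatch(r"[a-z]?%s[a-z]?" % re.escape(param), first_seg):
                hits.append((redir, raw))
                break
    return hits

# Constructed session log (hosts are placeholders, not indicators).
SESSION = [
    "hxxp://landing.example/video.htm",
    "hxxp://redir.example/in.cgi?2",
    "hxxp://redir.example/in.cgi?14",
    "hxxp://drop.example/14/",
    "hxxp://drop.example/14/xxx_video.exe",
    "hxxp://cdn.example/tools/setup.exe",     # no matching parameter
]

if __name__ == "__main__":
    for redirector, payload in find_param_chains(SESSION):
        print(redirector, "->", payload)
```

Because the match keys on the URL structure rather than on hostnames, it keeps working when the domains rotate daily as described in this thread.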

August 24, 2011, 11:40:21 am
Reply #117

EP_X0FF

  • Guest
Pornorolik, new domains


Redirector

Quote
hxxp://9sarkov.ru/in.cgi?11
hxxp://9sarkov.ru/in.cgi?12
hxxp://9sarkov.ru/in.cgi?17

August 25, 2011, 03:34:02 am
Reply #118

EP_X0FF

  • Guest
Pornorolik domains allocated today


Pornorolik redirector

Quote
hxxp://8piloti.ru/in.cgi?11
hxxp://8piloti.ru/in.cgi?12
hxxp://8piloti.ru/in.cgi?17

LockEmAll from Blackhole

Quote
hxxp://91.228.133.72/z.php?f=384&e=2
hxxp://91.228.133.72/z.php?f=385&e=2

August 25, 2011, 09:11:47 am
Reply #119

mc0blck

  • Jr. Member
Please send an abuse report to block the malware (trojan ransom) hosted on IP (46.165.192.161)
hxxp://ujixuwrubvf.com/d.php?f=26&e=2