Spam “Your updated information is necessary” leads to Blackhole Exploit Kit

Leave a reply

We have received various spam emails that simulate messages from Better Business Bureau (BBB), but in real are used to spread malicious links that leads to Blackhole Exploit Kit. The subject of the emails looks like this:

Your updated information is necessary

A screenshot of the email:

Other details of the emails:

Date: Thu, 26 Jan 2012 22:49:15 +1000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.7) Gecko/20100713 Lightning/1.0b2 Thunderbird/3.1.1
Subject: Your updated information is necessary

The link present in the email:

hxxp://app.alaskaoregonwe sternwashington.bbb.org/sbq

Redirects users to the malicious link:

hxxp://circutor .com/4ethe8ep/index.html

The dumped content of the malicious link is:

<html>
<h1>WAIT PLEASE</h1>
 <h3>Loading...</h3>
 <script type="text/javascript" src="hxxp://diamondservice.com .au/B0bifDVW/js.js"></script>
<script type="text/javascript" src="hxxp://therefugees.altervista .org/wqWcKZ8w/js.js"></script>
<script type="text/javascript" src="hxxp://www.rentacandle.com .au/4SvXUuz4/js.js"></script>
 
</html>

Extracted malicious links (active as of now) that lead to Blackhole Exploit Kit are:

hxxp://diamondservice.com .au/B0bifDVW/js.js
hxxp://www.rentacandle.com .au/4SvXUuz4/js.js

We have analyzed the malicious link with our sandbox, and this is the report:

Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 213.229.188.210 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - circutor .com - /4ethe8ep/index.html
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 203.210.112.33 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - diamondservice .com.au - /B0bifDVW/js.js
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\8YPELNXD\js[1].js - 7A6BC5BCB465D4C54CA3D185FD5D45F0 - 75 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 50.116.33.235 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron .com - /search.php?page=ac2393a35636dfa1
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\VBPHH91D\search[1].htm - D2EE09D5DBE3B22B66CFF67B81999E55 - 2048 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 65.55.13.243 - 80
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - activex.microsoft .com - /objects/ocget.dll
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player\AssetCache
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Adobe\Flash Player\AssetCache\N6MCDZF7
File Modified - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\LOCALS~1\Temp\java_install_reg.log
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %Temp%\hsperfdata_%UserName%\856 - NOTHING TO HASH - 0 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Sun\Java\Deployment\deployment.properties - 2EDE01E8DF28D3DC2BF961089BC9A241 - 635 bytes - attr: [] - -
Connection Established - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - TCP - 64.4.52.169 - 80
Process Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %ProgramFiles%\Java\jre6\bin\java.exe - Sun Microsystems, Inc. - D600A0D8FACA5158CA8B221006997808 - 144792 bytes
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - POST - codecs.microsoft .com - /isapi/ocget.dll
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %Temp%\hsperfdata_%UserName%\2016 - NOTHING TO HASH - 0 bytes - attr: [] - -
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\LOCALS~1\Temp\java_install_reg.log
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\Q96OL02U\CAWNUS4D.HTM - CE9C2ED4F9D2B2AABE2F39FFBBB4D585 - 1176 bytes - attr: [] - -
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\Q96OL02U\CAWNUS4D.HTM - CE9C2ED4F9D2B2AABE2F39FFBBB4D585 - 1176 bytes - attr: [-normal] - -
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun\Java
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\Sun\Java\Deployment
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\log
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\security
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\ext
Directory Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\cache\6.0\tmp
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - %AppData%\Sun\Java\Deployment\deployment.properties - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - C:\WINDOWS\explorer.exe - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - Microsoft Corporation - 55794B97A7FAABD2910873C85274F409 - 93184 bytes
File Modified - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\d3d9caps.dat
File Created - %ProgramFiles%\Java\jre6\bin\java.exe - C:\WINDOWS\system32\d3d9caps.dat - C9508CA14563A81666441FF191D9BB24 - 664 bytes - attr: [] - -
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012010920120116\
File Deleted - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012011420120115\index.dat - 32768 bytes
Directory Removed - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012011420120115\
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %History%\History.IE5\MSHist012012012820120129\
Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php
Process Created - C:\WINDOWS\explorer.exe - C:\WINDOWS\system32\verclsid.exe - Microsoft Corporation - 91790D6749EBED90E2C40479C0A91879 - 28672 bytes
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\#SharedObjects
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\#SharedObjects\FMGLCCCK
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer
Directory Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx - NOTHING TO HASH - 0 bytes - attr: [] - -
Web Request - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - GET - matorbaron.com - /content/field.swf
File Created - %ProgramFiles%\Internet Explorer\IEXPLORE.EXE - %InternetCache%\Content.IE5\G55SBTS1\field[1].swf - 2435793EE73EFDAF79541977B3C08EEB - 1490 bytes - attr: [] - -
Connection Established - C:\WINDOWS\explorer.exe - TCP - 127.0.0.1 - 5152
Connection Established - C:\WINDOWS\explorer.exe - TCP - 127.0.0.1 - 1079
Connection Established - C:\WINDOWS\explorer.exe - TCP - 65.55.12.249 - 80
Web Request - C:\WINDOWS\explorer.exe - GET - www.microsoft .com - /isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Connection Established - C:\WINDOWS\explorer.exe - TCP - 65.55.206.209 - 80
Web Request - C:\WINDOWS\explorer.exe - GET - home.microsoft .com - /
Connection Established - C:\WINDOWS\explorer.exe - TCP - 94.245.115.205 - 80
Connection Established - %ProgramFiles%\Java\jre6\bin\java.exe - TCP - 50.116.33.235 - 80

Malicious urls extracted:

diamondservice .com.au - /B0bifDVW/js.js
matorbaron .com - /search.php?page=ac2393a35636dfa1
kosmovodki .ru - /statnl/image.php
matorbaron .com - /content/field.swf

As we can see, malicious code is injected in the system process wuauclt.exe:

Connection Established - C:\WINDOWS\system32\wuauclt.exe - UDP - 8.8.4.4 - 53
Connection Established - C:\WINDOWS\system32\wuauclt.exe - TCP - 118.212.168.131 - 80
Web Request - C:\WINDOWS\system32\wuauclt.exe - POST - kosmovodki .ru - /statnl/image.php

Blackhole exploit kit requests:

matorbaron .com - /search.php?page=ac2393a35636dfa1
matorbaron .com - /content/field.swf

Download dumped network traffic (password is urlvoid.com):

sniffed.zip / 17 KB

Sandbox: Malicious URLs

Leave a reply

Below there is a list of malicious URLs grabbed from our sandbox that analyzed few recent malware samples, we highly recommend to block these domains with a firewall and with the hosts file (C:\WINDOWS\system32\drivers\etc\hosts).

hxxp://195.189.226.104/ftp/g.php
hxxp://outkxmkcxkxqqmy. org/news/?s=36052
hxxp://poohfsngrxnlnkr. net/news/?s=167574
hxxp://poohfsngrxnlnkr. biz/news/?s=122180
hxxp://oyjqvypmksfasmet. info/news/?s=196250
hxxp://kastakasta. info/job2/fig.bin
hxxp://flowersinamew. com/pof/deq.nk
hxxp://zz.cdbeta. com/
hxxp://vip.cdbeta. com/yzm.asp
hxxp://vip.cdbeta. com/jiancewangluo.asp
hxxp://vip.cdbeta. com/sjy6553-user/dufuwuqipeizhi.asp?yanzheng=73eb6acbc1b8c97bc580c32368731770
hxxp://zz.cdbeta. com/wp-content/themes/g-white/style.css
hxxp://zz.cdbeta. com/wp-content/themes/g-white/js/all.js
hxxp://zz.cdbeta. com/wp-content/themes/g-white/images/bg_footer.png
hxxp://zz.cdbeta. com/wp-content/themes/g-white/images/bg_top.png
hxxp://zz.cdbeta. com/wp-content/themes/g-white/images/sprite.gif
hxxp://zz.cdbeta. com/wp-content/themes/g-white/images/bg_footer_mid.png
hxxp://zz.cdbeta. com/wp-content/themes/g-white/images/bg_middle.png
hxxp://www.cdbeta. com/gonggao.html
hxxp://www.cdbeta. com/cms.css
hxxp://psfk. com/img/icons/facebook.png?v10=89&tq=gHZutDyMv5rJejXia9nrmsl6giWz%2BJZbVyA%3D
hxxp://resetmymemory. com/blog/images/3521.jpg?v54=14&tq=gKZEtzyMv5rJqxG1J42pzMffBfQo1%2BjbwvgS917W65rJqlLfgPiWW1cg
hxxp://worldmotoblo. com/blog/images/3521.jpg?v56=94&tq=gKZEtzyMv5rJqxG1J42pzMffBfQo1%2BjbwvgS917X65rJqlLfgPiWW1cg
hxxp://zonedg. com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrc%2FR5SOeikL50gGpKl%2F223gX3Hjzh%2B7KtA%2FYYO%2BaO0alxtygbpb6HvnSAOQij%2B8OoYvEaSPT%2BsqlSr%2Fe%2BV5ZuRg%3D%3D
hxxp://zonedg. com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsS%2FT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrc%2FR5SOeikL50gGpKl%2F223gX3Hjzh%2B7KtA%2FYYO%2BaO0alxtygbpb6HvnSAOQij%2B8yjYvEaSPT%2BsqtSr%2Fe%2BV5ZuRg%3D%3D
hxxp://focotricot.zapto. org/
hxxp://rinaldo.vallecchi.sites.uol. com.br/maria.jpg
hxxp://pathla.notlong. com/
hxxp://dl.dropbox. com/u/44598175/pahtlar.txt
hxxp://greenherbalteaonline. com/images/greenherbalteagirlholdingcup250.gif?v13=47&tq=gHZutDyMv5rJeTfia9nrmsl6giWz%2BJZbVyA%3D
hxxp://wwwmediaportal. com/blog/images/3521.jpg?v83=60&tq=gKZEtzyMv5rJqxG1J42pzMffBvIv3ejbwvgS917W65rJqlLfgPiWW1cg
hxxp://wwwmediaportal. com/blog/images/3521.jpg?v16=40&tq=gKZEtzyMv5rJqxG1J42pzMffBvIv3ejbwvgS917X65rJqlLfgPiWW1cg
hxxp://the.veee.googlepages. com/U4z.exe
hxxp://3512456308488421436-a-1802744773732722657-s-sites.googlegroups. com/site/theveee/U4z.exe?attachauth=ANoY7cr7llA_aDedPKvsz2ah8igzqhC_uJrtkJvhS1_bxnUGZgG4vg-wM2FabhS4vnsolOEQ3zFHO23w-bHCqGHgvpznme7oy3DG13WO-F_h0TIggifpkT8TlZmS4qKW4yJOEV72RZo33DbjvD8hgJW2gutMTyesNfYpjWsITlO8c39ufLJIOCTccYUllH1iQjYLcdIndo9s&attredirects=0
hxxp://data.fuskbugg.se/skalman02/4e28ae2064f07_av.txt
hxxp://e3bea872ae.in/index.html?nhSzgFtkRb5wnotgO6UKDmHodcn2lOv1rpXwyxV8PzQkTBFxwx93nCNG0zFc8zKN6cZOwpeeEw==
hxxp://150d064880. com/index.html?nhSzgFtkRb5wnotgO6UKDmHodcn2lOv1rpXwyxV8PzQkTBFxwx93nCNG0zFc8zKN6cZOwpeeEw==
hxxp://150d064880. com/index.html?nhSzgFtkRb5wnotgO6UKDmHodcn2lf6x4pry2kovOzB2HgE10hN2gyhH1yJZ+Gra5ZBCj4eOTw==
hxxp://184.171.168.194/click.php?c=f10ca497e80b31c8a19f50625807c1853dd96c7f433afe8ec5d67846ac0985c27346f5786464d3bfe6403e7495c883118fef67336d9f4ce547f87ff76c1e32fbeb93b3e3168edabebfd1fd24989911cae4bcc14cad75fafe32acaa264a71df6cea5da8c9fc5a6f95c118d919e1ea30d4
hxxp://feed.bizzclick. com/click.php?id=qEUD2kYbC0pzF8QVMao-QLDJPn1yKssCozS-Fxxd37iU05DmcESX2b7hYqYgah_j7cGTjDBCdCg3aKaLgPNCMHc%2C
hxxp://74.117.177.149/go.php?uid=56436&suid=3156&data=z0kfwAHNKgOxDneiErCY%2BFnIBubj1MAJCjZnUVtRREjZcpnjQL2NhG9UzUvtI95LGMogaw34AKuTSt1jURkg%2FkRAMdJpHnUlb1RsR4E9yJuk%2BWpyqggq%2FH6lZtc1o%2FqLwQ%2BQKZ7Sh5%2B73AVRLHJ9ecChAGoK7RDENOs3OR%2BIkx1LhEm90r4%2Bfsnao2H8xIF7qjgW4eu3QiUr1cOvNiz3SKSlSsh5M6MK0RYsuIxqY9XFJZn77q2Gt9GtnyZGZxVdRz%2BBjA83RtJcWEAXbuU2s6%2FiAYqGNS4w8Mio3PVxe3N2Z4ddOe3lINFH1%2BYzW3j0aedzY6gnroGgYRvbd4oIIz%2F4fqR%2BrRkIY2JsAZTsffHKcD6epIesh0T9dvWAKvWpCR1YV6yUwRgyDEhOtuWLnX%2B5gemRuQNLqoC9p5EbT7xgj%2F80MJQKaUcjItiTF4bzWYVLSN6xC1uKoH4MJRIJ%2F%2F0O4xCRfEz69KSeKoU4PJhTlaRufQL4u2TF%2BBIV1B%2FkDXXGO%2FendwOGjrQ6Lnn46pZE1kdx9%2BeLAwVDb%2BmXBJOwNC0A84Yp7BssgDU2IDUjm0hlBcm%2FzVLQ0yXxOcBYce%2BgrvL8PElGx8G%2BK%2FXhpuIL%2BqqBM%2FczR9%2FLbFz8XjLP20HUvxiU%2F0y5vhyNJ6aq87XMaRceu5qGVLXbRxfug1M0t8daj8E8LwSfpBSmQRzCajkxdflDQed%2Fi%2BiMffU1M7Zwo9otFHUQdFL%2BtjfNVpYl93eEyoGWAIfUNSFpGUPW0IOiZ8cjPBESUsBy%2B5hIVkU8m8qYTiZc8ZMT1QD8MlPhaABeYg%2BR37TYgSQ96ZoWgyXfWuvdhRY066frqXpSub9Opi6CyeuH4sEKjZTWBy4lxvDynQQYDPEd87jtx6W%2F0Hjyq15TM1Q2%2FV9LYA
hxxp://grupolarepublica.dyndns-pics. com/New.exe
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=13
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=1
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=21
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=4
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=5
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=6
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=7
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=8
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=23
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=24
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=25
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=26
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=27
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d9edc46028415f463&a=11
hxxp://wnejjzzh. cn/bad.php?w=192&fail=0&i=a7157a4db6097a4d9edc46028415f463
hxxp://bentseather.be.funpic. de/azenv.php
hxxp://chillly.ch.ohost. de/aze/azenv.php
hxxp://www.pr0. net/deny2/azenv.php
hxxp://outkxmkcxkxqqmy. org/news/?s=60740
hxxp://nqjmyrrrmvxrunr. info/news/?s=130138
hxxp://nqjmyrrrmvxrunr. com/news/?s=175288
hxxp://tjybqpmnodvvjekq. biz/news/?s=88786
hxxp://freshmediaportal. com/blog/images/3521.jpg?v67=41&tq=gL5HtzyMv5rJsxG1J4Xo2rCxB%2FYpwr7UxUrEgPiWW1cg
hxxp://monochrom. at/polytheism/pictures/TanzenderShiva.jpg?v26=13&tq=gKZEtzyyXciFpAniMqv4Dju6%2FkJI3aOL6nigEp66Q%2BOBuIL%2FVtJ96i8piqu70ZtZSeA3pAgCHol%2Ftg%2Fvmam3X0U9W6xVAtPdFDXlHuDUkhOGPRp6m4ws%2Fgc%2BFe6cCccg8cOzF6L2Oyxg8hzo%2BQOldu%2B0Udxajx8qf0NpMthxth3TbbEAVpoqXnhmuA%2BVKxXDVQ8PDNrMq5GoVEDLULmCVSsd5NKWgmVzG6DtTlSRt%2FHnRmaSi%2Bw3A3JhdO7kMXfBb5KKj6%2FGd9iX4IwaoLuPAef6DL6J3Mb28W5vcWY1j6ACxztuN5IT8QWwTLwL
hxxp://fastblogportal. com/blog/images/3521.jpg?v97=82&tq=gKZEtzyMv5rJqxG1J42pzMffBfQo1%2BjbwvgS917W65rJqlLfgPiWW1cg
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=13
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=1
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=21
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=4
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=5
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=6
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=8
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=23
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=24
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=25
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=26
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=27
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=7
hxxp://wnejjzzh. cn/stat2.php?w=192&i=a7157a4db6097a4d34f79f16e6fa1107&a=11
hxxp://wnejjzzh. cn/bad.php?w=192&fail=0&i=a7157a4db6097a4d34f79f16e6fa1107
hxxp://cns-soares.sites.uol. com.br/maria.jpg
hxxp://coolmediaportal. com/blog/images/3521.jpg?v67=41&tq=gL5HtzyMv5rJsxG1J4Xo2rCyAfEjwr7UxUrEgPiWW1cg
hxxp://nationsautoelectric. com/images/50-217-1_F_1_.jpg?v89=30&tq=gKZEtzyj5KKfVGqGJstjEFFr4GpNm%2F0KcWHH802g%2B%2BiA5HiueDoqF%2Fh5sQc98KvIPyWyw1ephZCJj1TtxddEOhHnA37qd1HwFDDEwR0mqFxjb4EpMhTYnRAc%2BhN7PpEqHzWlEwC%2Bfp42q4%2FK23UPZ5UBu4bZcPudcpW816OaKtfpXdK54HmRrAK%2BWjtrMOMyMONyKXhiy4ukrPueZ5SFlNs6AKLalNoRfIBuMvD9g0tRs2zgh2gUQKAezV9Ox2IgeA6ZBq8TbIkWk6gnYkYlyePR4sKu3w1KQeCbzxTNrcabbE%2FdHsCh
hxxp://coolmediaportal. com/blog/images/3521.jpg?v6=32&tq=gKZEtzyMv5rJqxG1J42pzMffBvIv3ejbwvgS917W65rJqlLfgPiWW1cg
hxxp://zonedg. com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSvd%2BFuTLiv0agD8mw854mx2XSGGkrhjcLfdYAdTZTuxq00sD0OpLjRqAOhLgjh%2FMe%2BcoJuX%2BSNxVKv975Xlm5G
hxxp://zonedg. com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSvd%2BFuTLiv0agD8mw854mx2XSGGkrhjcLfdYAdTZTuxq00sD0OpLjRqAOhLgjh88y%2BcoJtX%2BSNxFKv975Xlm5G
hxxp://3512456308488421436-a-1802744773732722657-s-sites.googlegroups. com/site/theveee/U4z.exe?attachauth=ANoY7crdWvXZF3BRtL76dYyOLwTfyxpIBw3htUrU8RKiNlHNcYF0ApuWgnvav57XY9SvpTgIpgAzpMaijCxELH4QIOHZoRhVT0bwVwzu0Cy9qthcxEIjsGfxmrwjVkKgUiYlELYo1l-zkI1w-AGJPj7uMCzim9KqMfoYBhbxNfIJFYZyYeCESBfNvi1vomhZTQzP0iTtNUhW&attredirects=0
hxxp://e3bea872ae.in/index.html?nhSzgFtkRb5wnohgO6UKDmHodcn2lOv1rpXwyxV8PzQkTBFxwx93nCNG0zFc8zKN6cZOwpeeEw==
hxxp://150d064880. com/index.html?nhSzgFtkRb5wnohgO6UKDmHodcn2lOv1rpXwyxV8PzQkTBFxwx93nCNG0zFc8zKN6cZOwpeeEw==
hxxp://150d064880. com/index.html?nhSzgFtkRb5wnohgO6UKDmHodcn2lf6x4pv53kwuNDJ1GQE10hN2gyhH1yJZ+Gra5ZBCj4eOTw==
hxxp://onlineinstitute. com/g7/images/logo3.jpg?v5=60&tq=gJ4WK%2FSUh5TBhRMw9YLJmMSTUivqg4aUzZtEfqHXarVJ%2BQhhYGg%3D
hxxp://calaculat. com/blog/images/3521.jpg?v99=85&tq=gKZEtzyMv5rJqxG1J42pzMffBvIv3ejbwvgS917W65rJqlLfgPiWW1cg
hxxp://zonedg. com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSvd%2BFuTLiv0agD8mw854mx2XSGGkrhjcLfdYAdTZTuxq00sD0OpLjRqAOhLgjh88BSr%2Fe%2BV5ZuRg%3D%3D
hxxp://zonedg. com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMf1kX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSvd%2BFuTLiv0agD8mw854mx2XSGGkrhjcLfdYAdTZTuxq00sD0OpLjRqAOhLgjh8sG%2BcoJtX%2BSNx1Kv975Xlm5G
hxxp://file4exchange. com/blog/images/3521.jpg?v32=65&tq=gKZEtzyMv5rJqxG1J42pzMffBvIv3ejbwvgS917X65rJqlLfgPiWW1cg
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=13
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=1
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=21
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=4
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=5
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=6
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=7
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=8
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=23
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=24
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=25
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=26
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=27
hxxp://wnejjzzh. cn/stat2.php?w=143&i=a7157a4db6097a4da3022328093e0123&a=11
hxxp://wnejjzzh. cn/bad.php?w=143&fail=0&i=a7157a4db6097a4da3022328093e0123
hxxp://78.189.218.14/zeus/config.bin
hxxp://28chejil. com/startpage
hxxp://28chejil. com/startpage/
hxxp://28chejil. com/startpage/make_result2.asp
hxxp://28chejil. com/startpage/down/spoolsvc.exe
hxxp://28chejil. com/startpage/getwork1.txt
hxxp://28chejil. com/startpage/getwork2.txt
hxxp://28chejil. com/startpage/getwork3.txt
hxxp://28chejil. com/startpage/make_result.aspPopupType=1&UserData=

Hosts friendly data to insert in the file C:\WINDOWS\system32\drivers\etc\hosts to block the domains:

Insert URL:
 
127.0.0.1 195.189.226.104
127.0.0.1 outkxmkcxkxqqmy.org
127.0.0.1 poohfsngrxnlnkr.net
127.0.0.1 poohfsngrxnlnkr.biz
127.0.0.1 oyjqvypmksfasmet.info
127.0.0.1 kastakasta.info
127.0.0.1 flowersinamew.com
127.0.0.1 zz.cdbeta.com
127.0.0.1 vip.cdbeta.com
127.0.0.1 ajax.googleapis.com
127.0.0.1 www.cdbeta.com
127.0.0.1 psfk.com
127.0.0.1 resetmymemory.com
127.0.0.1 worldmotoblo.com
127.0.0.1 zonedg.com
127.0.0.1 focotricot.zapto.org
127.0.0.1 rinaldo.vallecchi.sites.uol.com.br
127.0.0.1 pathla.notlong.com
127.0.0.1 dl.dropbox.com
127.0.0.1 greenherbalteaonline.com
127.0.0.1 wwwmediaportal.com
127.0.0.1 the.veee.googlepages.com
127.0.0.1 3512456308488421436-a-1802744773732722657-s-sites.googlegroups.com
127.0.0.1 data.fuskbugg.se
127.0.0.1 e3bea872ae.in
127.0.0.1 150d064880.com
127.0.0.1 184.171.168.194
127.0.0.1 feed.bizzclick.com
127.0.0.1 74.117.177.149
127.0.0.1 grupolarepublica.dyndns-pics.com
127.0.0.1 wnejjzzh.cn
127.0.0.1 bentseather.be.funpic.de
127.0.0.1 chillly.ch.ohost.de
127.0.0.1 www.pr0.net
127.0.0.1 nqjmyrrrmvxrunr.info
127.0.0.1 nqjmyrrrmvxrunr.com
127.0.0.1 tjybqpmnodvvjekq.biz
127.0.0.1 freshmediaportal.com
127.0.0.1 monochrom.at
127.0.0.1 fastblogportal.com
127.0.0.1 ns-soares.sites.uol.com.br
127.0.0.1 coolmediaportal.com
127.0.0.1 nationsautoelectric.com
127.0.0.1 onlineinstitute.com
127.0.0.1 calaculat.com
127.0.0.1 file4exchange.com
127.0.0.1 78.189.218.14
127.0.0.1 28chejil.com

URLVoid Reports:

Phishing: Votre carte bancaire est suspendue

Leave a reply

Another email containing malicious URL used for phishing attack against MasterCard and Visa users:

Return-Path: <services@security.com>
Received: from mailrtr1.deltacom.net (mailvip.deltacom.net [72.243.252.244])
Received: from User ([66.0.110.18]) by mailrtr1.deltacom.net (MOS 4.1.10-GA)
From: "visaeurope"<services@security.com>
Subject: Votre carte bancaire est suspendue
Date: Sun, 7 Aug 2011 00:12:08 -0500
To: undisclosed-recipients:;

Email message:

Bonjour clients de visa carte,
 
Votre carte bancaire est suspendue, parce que nous avons rencontre un probleme sur votre diagramme.
Nous avons determine qu'une personne doit peut-etre utiliser votre diagramme sans votre autorisation.
Pour votre protection, nous avons suspendu votre compte bancaire a travers votre carte de credit. Pour soulever cette suspension,
 
Cliquer ici
et suivre le procede indique pour mettre a jour votre compte par la carte de credit.

Malicious URL:

hxxp:// jinwonyc.startlogic. com/vbv/visaeurope.fr/europ-pay/visaeurope/securite/login.aspx/

URLVoid Analysis:

http://www.urlvoid.com/scan/jinwonyc.startlogic.com

Phishing: New Unpaid Item Message from jxavier14: #14027471062

Leave a reply

Phishing attack against eBay users:

Return-Path: <aw-confirm@mail.aby.fr>
Received: from mail.ktmtalk.com (mail.ktmtalk.com [173.74.246.25])
Received: from User [98.175.62.124] by mail.ktmtalk.com with ESMTP
Reply-To: <aw-confirm@mail.aby.fr>
From: "eBay Member jxavier14"<aw-confirm@mail.aby.fr>
Subject: New Unpaid Item Message from jxavier14: #14027471062 -- response required
Date: Sat, 6 Aug 2011 06:34:47 -0500
To: undisclosed-recipients:;

Email message:

Dear member,
 
eBay member charly1 has left you a message regarding item #14020078062
 
View the dispute thread to respond.

The malicious URL points to:

hxxp:// newcastlelimo .net/ebay-fr/eBayISAPI.dll.htm

Image of the phishing page:

Note that the connection is NOT secure and does not use SSL (HTTPS)…

URLVoid Analysis:

http://www.urlvoid.com/scan/newcastlelimo.net
This entry was posted in Phishing and tagged ebay phishing, phishing, scam, spam on August 6, 2011 by admin.

Phishing: Centre de securite PayPal

Leave a reply

Another email that is used to spread a fake PayPal message containing a malicious link used for phishing attack against PayPal users:

Return-Path: <services@security.com>
Received: from mailrtr4.deltacom.net (mailvip.deltacom.net [72.243.252.244])
Received: from User ([66.0.110.18]) by mailrtr4.deltacom.net (MOS 4.1.10-GA)
From: "PayPal"<services@security.com>
Subject: Centre de securite PayPal
Date: Sat, 6 Aug 2011 00:11:18 -0500
To: undisclosed-recipients:;

Malicious URL:

hxxp://www. mulforddance. com/login/paypal.fr/online-security/submit-loging/paypal.fr/frfr/

URLVoid Analysis:

http://www.urlvoid.com/scan/mulforddance.com

Hidden Iframe in MineCraftForum.Net

Leave a reply

Users have reported us another website infected by an hidden iframe:

hxxp://www.minecraftforum.net/

All web pages are affected!

Here is an image of the hidden iframe at the bottom of the HTML pages:

When I visted the infected website, NoVirusThanks EXE Radar Pro has displayed an alert of an unknown executable that tried to run in the system:

C:\Documents and Settings\User\Local Settings\Temp\scvhost.exe

Report date: 2011-06-22 11:34:41 (GMT 1)
File name: scvhost-exe
File size: 18944 bytes
MD5 hash: 5e71723d34d10648ed880af8e564f63b
SHA1 hash: 1af3dcb235e0a16eb58cebdbc0b9fb6316dc2f3b
Detection rate: 0 on 5 (0%)
Status: CLEAN

Thanks to NoVirusThanks EXE Radar Pro, I was able to block and delete the unknown and malicious executable file, preventing the system from being infected.

Some ASCII strings extracted from the PE file:

Type: ASCII
RVA: 00006CE2
Offset: 000040E2
Size: 0000000D
Value: GuardCore.dll
 
Type: ASCII
RVA: 00006EBC
Offset: 000042BC
Size: 00000024
Value: hxxp://www.dashangu.com/new/getw.asp
 
Type: ASCII
RVA: 00006EFF
Offset: 000042FF
Size: 00000006
Value: server
 
Type: ASCII
RVA: 00006F14
Offset: 00004314
Size: 0000000E
Value: WTF\Config.wtf
 
Type: ASCII
RVA: 00006F24
Offset: 00004324
Size: 0000000A
Value: realmName 
 
Type: ASCII
RVA: 00006F35
Offset: 00004335
Size: 00000005
Value: Right
 
Type: ASCII
RVA: 00006F4C
Offset: 0000434C
Size: 00000024
Value: hxxp://www.dashangu.com/new/getr.asp
 
Type: ASCII
RVA: 00006F74
Offset: 00004374
Size: 00000011
Value: JAGEXLAUNCHER.EXE
 
Type: ASCII
RVA: 00006F88
Offset: 00004388
Size: 00000007
Value: WOW.EXn
 
Type: ASCII
RVA: 00006F90
Offset: 00004390
Size: 00000007
Value: WinInet

URLVoid domain analysis:

http://www.urlvoid.com/scan/minecraftforum.net

16:38PM UPDATE:

The website looks like to be in maintenance now, so probably it will be fixed soon.

Recent Malware URLs captured by NoVirusThanks Sandbox

Leave a reply

These URLs are malicious or related to malware:

hxxp://caperiod.com/pxxko/ndrei.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/wjwjwaobfs.php?adv=adv401&id=1626783411&c=203332757
hxxp://getpersgd09.com/persgd09/setup.php?track_id=30046
hxxp://gopersgd09.com/install/?track_id=30046
hxxp://carefinder.com.au/inf.php
hxxp://scr4zy.webcindario.com/2/infects.php
hxxp://elmejorbonche.com/dns
hxxp://photopath.in/8797hkj9jk9j778kj9h78k9jh.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eH
hxxp://www.easyenco.co.kr/module/program/media_codec.exe
hxxp://www.easyenco.co.kr/module/count.asp?exec=media_codec.exe
hxxp://www.easyenco.co.kr/module/count_live.asp?exec=media_codec.exe
hxxp://c0re.su/panel/config.bin
hxxp://ck4.nucleardiscover.com:88/p6.asp?MAC=%MAC%&Publicer=100
hxxp://201.25.28.9/mail/images/info.php
hxxp://startfaredata.in/o54p6ipo546ipo6.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eH
hxxp://tecnp.h19.ru/in.php
hxxp://www.cplnn.com/bbcount.php?action=knock&build=sp1
hxxp://www.cplnn.com/wad/init3.php?build=
hxxp://mmm-2011.co.uk/setup2683.exe
hxxp://mmm-2011.co.uk/ka.exe
hxxp://cekcuc.ru/z/kilka.bin
hxxp://up1.free-sms.co.kr/main/free07/smsupsetting.dat
hxxp://up1.free-sms.co.kr/main/free07/smsins.exe
hxxp://up1.free-sms.co.kr/main/free07/smsdat.dat
hxxp://up1.free-sms.co.kr/upapp/free07/eventex.exe
hxxp://free-sms.co.kr/app_count/install_count.php?&pid=free07&mac=%MAC%
hxxp://up1.free-sms.co.kr/main/free07/free-sms.exe
hxxp://up1.free-sms.co.kr/main/free07/uninst.exe
hxxp://up1.free-sms.co.kr/main/free07/free-sms.ico
hxxp://up1.free-sms.co.kr/main/free07/smsupv.exe
hxxp://ppppnipponp.r7m.us/cgi-bin/p.cgi
hxxp://flashpile.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eHy
hxxp://neframeofwork.com/gud/hig.op
hxxp://ad.ring3.info/Config.asp
hxxp://ad.ring3.info/Count/Count.asp
hxxp://www.bbsv.nl/files/cache/.../contador.php
hxxp://firstresour.web135.discountasp.net/.sys.php?action=fbgen&v=1
hxxp://shellybeachskiboatclub.co.za/.sys.php?action=fbgen&v=1
hxxp://shellybeachskiboatclub.co.za/.sys.php?action=aolsbm&v=1&hardid=%HDID%&id=0
hxxp://blognote.by/f/fn.txt
hxxp://www.caesar.sk/downloads/getc/getc.php
hxxp://114.200.199.251/apsuy.php
hxxp://iring4u.co.kr/bcklist.php
hxxp://ad79.co.kr/prex/newb/apsuo.exe
hxxp://114.200.199.251/b5ains.php?mac=%MAC%&ip=%LANIP%&pid=&setup=1
hxxp://114.200.199.251/b5aliveins.php?mac=%MAC%&ip=%LANIP%&pid=&app=
hxxp://caperiod.com/pxxko/iwwnnrvi.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/klppp.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/sftkxkb.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/cpptuxlpc.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/oyppct.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/obcptx.php?adv=adv401&id=1626783411&c=203332757
hxxp://gamafotolembranca.com.br/masters/byte.gif
hxxp://gamafotolembranca.com.br/masters/mega.gif
hxxp://gamafotolembranca.com.br/masters/tera.gif
hxxp://www.basedeclientes.com.br/versao_px.txt
hxxp://myck.nucleardiscover.com:88/p6.asp?MAC=%MAC%&Publicer=100
hxxp://celinhaz.sites.uol.com.br/autor2.jpg
hxxp://www.avisosbaladabelemhh.com.br/files/j1/inf/arq.php
hxxp://caperiod.com/pxxko/xxobo.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/pcppgk.php?adv=adv401&id=1626783411&c=203332757
hxxp://webmail.imicro.com.br/SQL/cashkey.gif
hxxp://searcham.org/404.php?type=stats&affid=527&subid=02&iruns
hxxp://w.nucleardiscover.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B&v=2&t=0,5870172
hxxp://ru.coolnuff.com:2011/myck.jpg?t=0,1209528
hxxp://w.nucleardiscover.com:888/sn.php?c=C1DF13F78111F6528E63540E077DCF0C0&t=0,8235895
hxxp://w.nucleardiscover.com:888/sn.php?c=4D535BBF44D4BC186F82F8A2A1DB468528B&t=0,2664606
hxxp://58.150.174.222/baz001.jpg?t=0,4474756
hxxp://w.nucleardiscover.com:888/sn.php?c=B9A76E8AC252E133E3FEAAF11C54E417E770B&t=0,1963922
hxxp://w.nucleardiscover.com:888/sn.php?c=9D83997D1A8A28FA809D6239A9E1FF0CAB3C0&t=0,1260797
hxxp://searchattention.org/404.php?type=stats&affid=531&subid=01&iruns
hxxp://www.easyenco.co.kr/module/program/nvsvc32.exe
hxxp://www.easyenco.co.kr/module/count.asp?exec=nvsvc32.exe
hxxp://www.easyenco.co.kr/module/count_live.asp?exec=nvsvc32.exe
hxxp://caperiod.com/pxxko/jjnaeei.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/gqquulypp.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JNN0&code2=5103
hxxp://www.ilonexs.de/envio/gds32.dll
hxxp://www.familiennavigator.de/components/com_kunena/template/igt.php
hxxp://qd6170.91mt.com/asp/xg.asp
hxxp://qd6170.91mt.com/exe/key2/key_0605.exe
hxxp://key.91mt.com/newkey.php
hxxp://rh508.91mt.com/tj.asp?id=1
hxxp://ups.1gb.ru/services6.exe
hxxp://ekobit.com.pl/cls/Output.exe
hxxp://xn.bisque110.com/yt.php
hxxp://xn.bisque110.com/lf
hxxp://122.770304123.cn/1.gif
hxxp://122.770304123.cn/ue000/38sw.e?uid=162678341112952317322438
hxxp://110.770304123.cn/1.gif
hxxp://110.770304123.cn/player/blog.updata?v=1.1.8.1&r1=0009a83babc21d46591d009e616da91a&tm=2011-06-12%2003:55:28&os=Windows%20XP.2600%20with%20Service%20Pack%202&uid=002678341112952317328300&cht=0
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=GO00&code2=0200&id=102678
hxxp://coursu.com/admin22/server[php]/config.bin
hxxp://ad79.co.kr/fie/sningal.exe
hxxp://114.200.199.251/fie/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=&install=1
hxxp://114.200.199.251/fie/liveins.php?mac=%MAC%&ip=%LANIP%&pid=
hxxp://iring4u.co.kr/favorbutton.php
hxxp://face-herault.org/images/ads/info.php
hxxp://lkrgn.ivepointedya.com/webyx/settings.cfg?build=501&os=XP
hxxp://network.emloud.com/webyx/iLog.php?dl=5.0&log=Loader%205.0%20~%20Ran
hxxp://consolewaspogad.com/czl/zlo.cl
hxxp://icvaircl.cn/dll/44.dll
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=2
hxxp://icvaircl.cn/update.db
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=4
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=9
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=11
hxxp://xylahavowi.com/1023000112
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JOM0&code2=4203
hxxp://jennifermusic.nl/logo2.jpg
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JOP0&code2=7203
hxxp://fastsearchportal.org/cfg/miniav.psd
hxxp://fastsearchportal.org/cfg/stopav.psd
hxxp://fastsearchportal.org/cfg/passw.psd
hxxp://fastsearchportal.org/pyvcu.php3
hxxp://fastsearchportal.org/ungtsmsuopstfsjjxaqhpksdi.phtml
hxxp://fastsearchportal.org/mccmkbawzojuijhsyttn.inc
hxxp://fastsearchportal.org/onqyofrbc.phtm
hxxp://myavava.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eHyF2e
hxxp://clashjamwallop.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrO
hxxp://adordota.com/bandwidth.bin
hxxp://einemenge.info/webpanel/alive.php?key=grills22&pcuser=%PCUSER%&pcname=%PCNAME%&hwid=%HWID%&country=Italy
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=KOR0&code2=9204
hxxp://JOSEMORAISTA.net/Machine.jpg
hxxp://JOSEMORAISTA.net/andeikyu.jpg
hxxp://mariadacoceicaopraxedes.net/GetString.aspx
hxxp://mariadacoceicaopraxedes.net/Query.aspx
hxxp://98.158.182.229/~milhomem/ver.txt?20110612045029
hxxp://mariadacoceicaopraxedes.net/COMCTL32.OCA.zip
hxxp://s350098374.onlinehome.us/mys.ini
hxxp://rmhpzusmfhtpnt.biz/news/?s=167674
hxxp://axvkxnuutylqdtu.com/news/?s=90742
hxxp://outoszjfvqtyonk.net/news/?s=24872
hxxp://114.200.199.251/vanir.php
hxxp://114.200.199.251/b7ins.php?mac=%MAC%&ip=%LANIP%&pid=vanir&setup=1
hxxp://114.200.199.251/b7liveins.php?mac=%MAC%&ip=%LANIP%&pid=vanir&app=
hxxp://privatesystem-softshieldprotect.com/favicon.ico?0=78&1=4&2=2&3=80&4=i-s
hxxp://212.150.164.204/flash/flashplayer.jpg
hxxp://www.increasingly.kr/Module/gomserv.exe
hxxp://www.increasingly.kr/Module/count.html?exec=gomserv.exe&instFile=gomserv.exe
hxxp://www.increasingly.kr/Module/count_live.html?exec=gomserv.exe
hxxp://windoslive.hotmail.ru/090043043543034877799.exe
hxxp://searchbehind.org/404.php?type=stats&affid=531&subid=03&iruns
hxxp://mygateforex.co.za/.sys.php?action=fbgen&v=1
hxxp://richardwiggers.com/.sys.php?action=fbgen&v=1
hxxp://www.obi-labs.com/.sys.php?action=fbgen&v=1
hxxp://www.obi-labs.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=0
hxxp://rvl.it/.sys.php?action=fbgen&v=1
hxxp://www.irishpub.fo/.sys.php?action=fbgen&v=1
hxxp://lets-exoticpets.co.za/.sys.php?action=fbgen&v=1
hxxp://lets-exoticpets.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=1
hxxp://slcsc.co.uk/.sys.php?action=fbgen&v=1
hxxp://voodoobarbcue.com/.sys.php?action=fbgen&v=1
hxxp://voodoobarbcue.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=2
hxxp://robertjakobsen.com/.sys.php?action=fbgen&v=1
hxxp://crosslinkhk.com/.sys.php?action=fbgen&v=1
hxxp://skybluephoto.com/.sys.php?action=fbgen&v=1
hxxp://3mates.com/.sys.php?action=fbgen&v=1
hxxp://3mates.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=3
hxxp://www.crabapplesound.com/.sys.php?action=fbgen&v=1
hxxp://www.crabapplesound.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=4
hxxp://kidnet.co.il/.sys.php?action=fbgen&v=1
hxxp://gulko.co.za/.sys.php?action=fbgen&v=1
hxxp://shieldteens.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=5
hxxp://pflco.com/.sys.php?action=fbgen&v=1
hxxp://pflco.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=6
hxxp://my-mobility.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=7
hxxp://emergencyshelter.us/.sys.php?action=fbgen&v=1
hxxp://emergencyshelter.us/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=8
hxxp://www.aandedoorns.co.za/.sys.php?action=fbgen&v=1
hxxp://ad79.co.kr/prex/taurus/taurus.exe
hxxp://ad79.co.kr/dico/sDico.exe
hxxp://ad79.co.kr/prex/taurus/staurus.exe
hxxp://114.200.199.251/version2.php
hxxp://114.200.199.251/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=taurus&install=1
hxxp://iring4u.co.kr/dico/dico.php
hxxp://iring4u.co.kr/dico/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=&install=1
hxxp://114.200.199.251/liveins.php?mac=%MAC%&ip=%LANIP%&pid=taurus
hxxp://iring4u.co.kr/dico/liveins.php?mac=%MAC%&ip=%LANIP%&pid=
hxxp://pc-guarrantor-utility.com/favicon.ico?0=80&1660=0&2=1&3000=82&4000=i-s
hxxp://key.91mt.com/diykey.php
hxxp://limpidoscomercio.com.br/GetString.aspx
hxxp://limpidoscomercio.com.br/Query.aspx
hxxp://98.158.182.229/~milhomem/ver.txt?20110612141104
hxxp://limpidoscomercio.com.br/COMCTL32.OCA.zip
hxxp://limpidoscomercio.com.br/COMCTL32.OCX.zip
hxxp://petchaburi.kr/kwd/hkwd.php
hxxp://petchaburi.kr/kwd/dkwd.php
hxxp://petchaburi.kr/check/check.php?m=b
hxxp://64.31.58.237/brn.txt
hxxp://64.31.58.237/brn.php
hxxp://key.91mt.com/list/getpmnum.asp?id=f9435d25636a746f
hxxp://key.91mt.com/list/getpmnum2.asp?id=f9435d25636a746f
hxxp://114.200.199.251/ngliveins.php?pmac=0&lmac=%MAC%&ip=%LANIP%&pid=taurus
hxxp://www.hyap98.com/123/mh.txt
hxxp://www.hyap98.com/123/rx.txt
hxxp://www.hyap98.com/123/wc.txt
hxxp://www.hyap98.com/123/wm.txt
hxxp://www.hyap98.com/123/wow.txt
hxxp://w.nucleardiscover.com:888/sn.php?c=DCC228CCD04021858368C8936B1023D74A8&t=9,005374E-02
hxxp://w.nucleardiscover.com:888/sn.php?c=18064AAE3FAF34908C67CC976A11E317&t=0,3627588
hxxp://searcham.org/404.php?type=stats&affid=531&subid=03&iruns
hxxp://s350098374.onlinehome.us/update.php
hxxp://key.91mt.com/list/getpmnum.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/getpmnum2.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/clickpm.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/getpmnum.asp?id=fa67a8111002230d
hxxp://key.91mt.com/list/getpmnum2.asp?id=fa67a8111002230d
hxxp://98.158.182.229/~milhomem/ver.txt?20110612154053
hxxp://ck3.nucleardiscover.com:88/p6.asp?MAC=%MAC%&Publicer=100
hxxp://w.nucleardiscover.com:888/sn.php?c=948A7D999D0D9733C5285903F882FB388219AB9DA&t=0,894787
hxxp://w.nucleardiscover.com:888/sn.php?c=E1FF76924BDB00A47B96A8F2F18B995A4AD1A593F&t=0,5531122
hxxp://58.150.174.222/baz001.jpg?t=0,8852045
hxxp://131207db062d.dynazzy.net/get2.php?c=TCBIJIJK&d=26606B67393437333F2F676268307D3F22202323
hxxp://w.nucleardiscover.com:888/sn.php?c=4E5018FC71E12DFFD2CFCA91DB93&t=0,2665522
hxxp://w.nucleardiscover.com:888/sn.php?c=1F01DE3AC95905D70C11B&t=0,5650751
hxxp://ru.coolnuff.com:2011/ck3.jpg?t=0,4463007
hxxp://w.nucleardiscover.com:888/sn.php?c=3B25E90DC1513CEEB45CC6EB96EEC230&t=0,7814447
hxxp://w.nucleardiscover.com:888/sn.php?c=918FA94D78E873A13CD4E5C8502&t=0,8195307
hxxp://ru.coolnuff.com:2011/ck4.jpg?t=0,3862421
hxxp://w.nucleardiscover.com:888/sn.php?c=F8E65FBB45D53793A54EFCA7C5BEEB&t=0,3606684
hxxp://xylahavowi.com/1023000112
hxxp://tekefihamib.com/10230001124255461742
hxxp://tekefihamib.com/buy.html

URLVoid domain analysis:

Malware: United Parcel Service notification #46034

Leave a reply

Suspicious email spreading malware:

Return-Path: <info52943@ups.com>
Received: from [39.203.6.87] (account 1361@ms21.hinet.net HELO ybydypsmsb.cehflcrileuz.ru)
From: "United Parcel Service" <info52943@ups.com>
Subject: United Parcel Service notification #46034

Message:

May 2011United Parcel Servicetracking number #18203 Good morningParcel
notificationThe parcel was sent your home adress.And it will arrive within 3 
buisness days. More information and the parcel tracking number are attached in
document below.Thank you United Parcel Service of America (c)153 James Street,
Suite100, Long Beach CA, 90000

Attached there is a file with ZIP extension:

Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-zip
File size: 9032 bytes
MD5 hash: 4e8bbc81f8a1ed3fcde3899546fef0c9
SHA1 hash: 56e4f46e75cbccf27dde19289250471ebb90c5ba
Detection rate: 4 on 5 (80%)
Status: INFECTED

AVG 14/06/2011 10.0.0.1190 FakeAlert
Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
ClamAV 14/06/2011 0.97 Suspect.Bredozip-zippwd-10
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The extracted file is an executable file:

Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-exe
File size: 24576 bytes
MD5 hash: fed91182ed9d29e36bbabac211ac7d3a
SHA1 hash: 17f308da31c8d61dd0b33691bf474e6f6fb5afbe
Detection rate: 2 on 5 (40%)
Status: INFECTED

Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

Report created by NoVirusThanks Automated Sandbox:

Process Created - %SAMPLE% - C:\WINDOWS\system32\svchost.exe - Microsoft Corporation - 73955B04F209D8A1C633867841267A96 - 14336 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %SAMPLE% - 24576 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /pusk3.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe - 9A4DB26B24C1FA9F59D7005B18BF1B6E - 17408 bytes - attr: [] - -
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\pusk3.exe - Microsoft Corporation - AFFF69E592B133B34B0FD2AB6AC67691 - 429056 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol.exe
Connection Established - %AppData%\IMPOST~1\Temp\pusk3.exe - TCP - 194.50.7.14 - 80
Web Request - %AppData%\IMPOST~1\Temp\pusk3.exe - GET - searcham.org - /404.php?type=stats&affid=531&subid=03&iruns
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe - 2984C3FF08E69000E841BF48436C55C9 - 66560 bytes - attr: [] - -
File Created - %AppData%\IMPOST~1\Temp\pusk3.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\404[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - 14/06/2011 11.46.01 - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol.exe - Unknown Publisher - F6C7505CC989D824EE2B6961F5EE1C2C - 79360 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol2.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol2.exe - Unknown Publisher - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 95.64.36.67 - 80
File Created - %AppData%\IMPOST~1\Temp\trol2.exe - %Temp%\2.tmp - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.33 - 80
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.34 - 80

URLVoid domain analysis:

http://www.urlvoid.com/scan/miliardov.com
http://www.urlvoid.com/scan/searcham.org

IPVoid ipaddress analysis:

http://www.ipvoid.com/scan/85.202.146.77
http://www.ipvoid.com/scan/194.50.7.14
http://www.ipvoid.com/scan/95.64.36.67
http://www.ipvoid.com/scan/94.60.123.33
http://www.ipvoid.com/scan/94.60.123.34

Phishing: Your Paypal Account Will Be Limited

Leave a reply

New phishing email related to PayPal accounts:

Return-Path: <servviice@paybal.com>
Received: from WIN-ATAF5I4OOP1 (unknown [96.44.188.43])
Received: from User ([127.0.0.1]) by WIN-ATAF5I4OOP1
From: "Paypal"<servviice@paybal.com>
Subject: Your Paypal Account Will Be Limited
Date: Tue, 17 May 2011 18:38:40 -0700
To: undisclosed-recipients:;

Message:

Note that the email come from:

From: "Paypal"<servviice@paybal.com>

The domain paybal.com is parked!

Malicious URL that redirects to the phishing PayPal login page:

hxxp://www.doncastersc.vic.edu .au/calendar/paypal.secure.update.service/paypal.secure.login/safe.login.process/language&id=en/80a13c0db1f1ff80d546411d7f8a8350c132bc41e0934c/us/webscr.php?cmd=_login-run&dispatch=3885d80a13c0db1f1ff80d546411d7f8a8350c132bc0

URLVoid domain analysis:

http://www.urlvoid.com/scan/paybal.com
http://www.urlvoid.com/scan/doncastersc.vic.edu.au

Malware: Your Order No 218538 – Puremobile Inc.

Leave a reply

Suspicious email spreading malware:

Received: from 18714128077.user.veloxzone.com.br (unknown [187.14.128.77]) 
Received: from [132.75.231.74] (helo=qnmekzdssguat.bacphgvlbnez.ua)
From: "Puremobile Inc." <h5923a@ms2.hinet.net>
Subject: Your Order No 218538 - Puremobile Inc.

Message:

Thank you for ordering from Puremobile Inc.
 
This message is to inform you that your order has been received and is currently
being processed.
 
Your order reference is 372662.
 
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.
 
You have chosen to pay by credit card.
Your card will be charged for the amount of 045.00 USD and "Puremobile Inc." will
appear next to the charge on your statement.
Your purchase information appears below in the file.

Attached there is a file with ZIP extension:

Report date: 2011-05-01 23:21:48 (GMT 1)
File name: payment-document-zip
File size: 7627 bytes
MD5 hash: d85180f7a74e04c9b9ef6f9bd437194d
SHA1 hash: 79763a8766773bc08f7dd309db2488f46d3f5438
Detection rate: 3 on 6 (50%)
Status: INFECTED

AVG 01/05/2011 10.0.0.1190 FakeAlert
Avira AntiVir 01/05/2011 7.11.7.12 TR/Dldr.FraudLoad.zemh
Emsisoft 01/05/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The extracted file is an executable file:

Report date: 2011-05-01 23:21:48 (GMT 1)
File name: payment-document-exe
File size: 18432 bytes
MD5 hash: 694a38aa76e06cebe4048260b8f0e4fa
SHA1 hash: 0e698c044e77e11e2c494ad0b2dc002f6d73dabe
Detection rate: 2 on 6 (50%)
Status: INFECTED

Avira AntiVir 01/05/2011 7.11.7.12 TR/Dldr.FraudLoad.zemh
Emsisoft 01/05/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The malware creates following files:

%AppData%\kdv.exe (BE39D725BDA9A76EAB2E0F1B3FAD8FA3)

Registry entries added:

HKCU\Software\Classes\.exe\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"
 
HKCU\Software\Classes\exefile\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"

Network traffic:

GET /0014000126 HTTP/1.1
Host: hahecekis. com
 
GET /pusk.exe HTTP/1.1
Host: variantov. com
 
GET /f/g.php HTTP/1.1
Host: kkojjors. net

URLVoid domain analysis:

http://www.urlvoid.com/scan/hahecekis.net
http://www.urlvoid.com/scan/variantov.com
http://www.urlvoid.com/scan/kkojjors.net

URLVoid Blog

Latest news about Internet threats

Spam “Your updated information is necessary” leads to Blackhole Exploit Kit

Sandbox: Malicious URLs

Phishing: Votre carte bancaire est suspendue

Phishing: New Unpaid Item Message from jxavier14: #14027471062

Phishing: Centre de securite PayPal

Hidden Iframe in MineCraftForum.Net

Recent Malware URLs captured by NoVirusThanks Sandbox

Malware: United Parcel Service notification #46034

Phishing: Your Paypal Account Will Be Limited

Malware: Your Order No 218538 – Puremobile Inc.