30 Jul 08

investigated #winxp-antivirus.com #mortgage-e.biz

Took a look at the mortgage-e.biz redirection URL that I blogged about earlier today. I found a few of the domains hosting malicious binaries and have included the information below. All of the files I collected have been uploaded to the Malware Database under /Malware/lithium-malware.

URL: hxxp://www.winxp-antivirus.com (redirected)

In charge of redirection: hxxp://mortgage-e.biz/in.cgi

GET /in.cgi?19 HTTP/1.1
Host: mortgage-e.biz

<html>
<head>
<meta http-equiv="REFRESH" content="1; URL='hxxp://mortgage-e.biz/in.cgi?2'">
</head>
<body>
document moved <a href="hxxp://mortgage-e.biz/in.cgi?2">here</a>
</body>
</html>

Some of the destinations that mortgage-e.biz currently redirects to: **Proceed at your own risk**

hxxp://online-xpcleaner.com/1/_freescan.php?aid=880153
hxxp://mustseethatvid.com/str/?id=3913517
hxxp://cruisesex.net/babbe/295742566/1/player.php?m=MS5tcGc=&id=3000&tpl=a
hxxp://www.adultarchivez.info/movie/black/27500/21/FREE%20VIDEO%20SERVICE
hxxp://www.handmadeclips.com/m5/index.php?id=1608&n=mainstream&a=usagi&v=309466.88888889
hxxp://www.releasedvideo.com/download.php?id=1608
hxxp://www.rockingmovs.com/m5/index.php?id=1608&l=np&n=mainstream&a=budda9&v=362897.25&preview=www.watchnenjoy.com%2Fst%2Fthumbs%2F036%2F3509064689.jpg
hxxp://neverseenclips.com/movie1.php?id=1608
hxxp://porntubj.com/?id=3331
hxxp://brakecodec.net/download/brakecodec.v3.331.exe
hxxp://bestporntgp.org/tube/?id=0&uid=343
hxxp://codecsystem.com/Packages/Setup_v.2.343.exe
hxxp://www.avxp-08.com/sysscan/642b2d7e977c8f3d2d68a28d54481432/1/
hxxp://teens.rashagirls.com/index.php <-- access code generator
hxxp://thebigstars-08.com/index.php?aff=1607&saff=0
hxxp://ruspornportal.com/join.php?sid=16&pid=93?=0&ref=Noref

Files found (MD5 sums):

f5fe27c2e234a61b3b01155a05c843cf *brakecodec.v.3.000.exe
a7bea8bbabf240db6b43dd8130491aaa *brakecodec.v3.331.exe
4c459eb43a291cb4c8baf8eec40dc209 *PrivateContent.exe
153015b1bd0a90bac345bad4bab66649 *scan.exe
520bab360ec2fe533d08bf8c0e3a008a *setup.exe
d8f545756cb8062cfda65684a1712155 *Setup_v.2.343.exe
1b04a21330012967bbd760b1dbe27906 *wmcodec_update.exe
42790510f42333a263dd618b63da6116 *XPcleaner_v880153.exe
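The chain above is a 302 into in.cgi, a meta-refresh hop inside in.cgi, and then whatever "codec" or "scanner" the TDS is serving that rotation. The following is an added example, not code from the original post: it follows Location headers and HTML meta refreshes from canned responses without executing anything it reaches, stops on loops and hop limits, and checks a reached binary against the MD5 list from this post. The hostnames in the fixture (landing.example, tds.example) are constructed placeholders standing in for the real ones, and the payload bytes are a constructed stand-in, not a real sample.

```python
# Added example, not from the original post. Offline redirect-chain tracer
# over constructed fixtures; hostnames and payload bytes are placeholders.
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# meta refresh content looks like "1; URL='http://host/in.cgi?2'"; quoting
# and case vary between sites, so parse it leniently.
_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"]+)['\"]?\s*$", re.I)

# MD5 sums of the samples listed in the post.
KNOWN_MD5 = {
    "f5fe27c2e234a61b3b01155a05c843cf": "brakecodec.v.3.000.exe",
    "a7bea8bbabf240db6b43dd8130491aaa": "brakecodec.v3.331.exe",
    "4c459eb43a291cb4c8baf8eec40dc209": "PrivateContent.exe",
    "153015b1bd0a90bac345bad4bab66649": "scan.exe",
    "520bab360ec2fe533d08bf8c0e3a008a": "setup.exe",
    "d8f545756cb8062cfda65684a1712155": "Setup_v.2.343.exe",
    "1b04a21330012967bbd760b1dbe27906": "wmcodec_update.exe",
    "42790510f42333a263dd618b63da6116": "XPcleaner_v880153.exe",
}


class _RefreshFinder(HTMLParser):
    """Pick the meta-refresh target (if any) out of an HTML body."""

    def __init__(self):
        super().__init__()
        self.refresh = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _REFRESH_RE.match(a.get("content") or "")
            if m:
                self.refresh = m.group(1).strip()


def extract_refresh_target(base_url, body):
    """Return the absolute meta-refresh destination of body, or None."""
    p = _RefreshFinder()
    p.feed(body)
    return urljoin(base_url, p.refresh) if p.refresh else None


def trace_chain(start_url, fetch, max_hops=10):
    """Follow Location headers and meta refreshes starting at start_url.

    fetch(url) -> (status, headers, body_bytes). Returns (hops, final_body);
    final_body is None when the chain loops or exceeds max_hops, so a page
    that refreshes to itself cannot spin the tracer forever.
    """
    hops, url, seen = [], start_url, set()
    while len(hops) <= max_hops:
        if url in seen:
            hops.append((url, "loop"))
            return hops, None
        seen.add(url)
        status, headers, body = fetch(url)
        if 300 <= status < 400 and headers.get("Location"):
            nxt = urljoin(url, headers["Location"])
            hops.append((url, f"{status} -> {nxt}"))
            url = nxt
            continue
        target = extract_refresh_target(url, body.decode("latin-1")) if body else None
        if target:
            hops.append((url, f"meta refresh -> {target}"))
            url = target
            continue
        hops.append((url, "final"))
        return hops, body
    hops.append((url, "hop limit"))
    return hops, None


def match_known_sample(data):
    """Name of the listed sample whose MD5 matches data, or None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


# Constructed fixture: 302 into the TDS, the meta-refresh hop inside in.cgi
# (same shape as the response shown in the post), then a "codec" download.
TDS_PAGE = (
    '<html><head><meta http-equiv="REFRESH" content="1; URL=\'http://tds.example/in.cgi?2\'">'
    '</head><body>document moved <a href="http://tds.example/in.cgi?2">here</a></body></html>'
).encode()
PAYLOAD = b"MZ-constructed-stand-in, not a real binary"
FIXTURE = {
    "http://landing.example/": (302, {"Location": "http://tds.example/in.cgi?19"}, b""),
    "http://tds.example/in.cgi?19": (200, {}, TDS_PAGE),
    "http://tds.example/in.cgi?2": (302, {"Location": "/download/brakecodec.v3.331.exe"}, b""),
    "http://tds.example/download/brakecodec.v3.331.exe": (200, {}, PAYLOAD),
}


def demo():
    """Trace the fixture chain and look the reached file up in KNOWN_MD5."""
    hops, body = trace_chain("http://landing.example/", lambda u: FIXTURE[u])
    return hops, match_known_sample(body)


if __name__ == "__main__":
    hops, name = demo()
    for url, what in hops:
        print(url, " ", what)
    print("matches listed sample:", name)
```

Because the tracer only reads responses and hashes bytes, it can be pointed at a capture or a sandboxed fetcher; the in.cgi?N parameter is what the TDS rotates, so recording each hop's URL rather than just the final one is what lets you see the rotation.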

Some of the screen shots (images not reproduced here):

This site had us download an "Access Code Generator" to view the content (MD5 4c459eb43a291cb4c8baf8eec40dc209).
Access Code
Video Access Codec
Antivirus XP 2008 Rogue

