Malware Database » djpnuemo

New rogue domain: personalonlinescanv3.com

djpnuemo — Mon, 13 Jul 2009 15:52:29 +0000

Whois entry for personalonlinescanv3.com 83.133.126.155
Name: Yuvaraj K Jothi
Address: 88, Periyar EVR High Road
City: Chennai
Province/state: Chennai
Country: IN
Postal Code: 600007

Setup-fdbd6_02012.exe
Result: 2/41 (4.88%)
MD5: eb0111f5fd11420d70988bc21dcda65a
VirusTotal
ThreatExpert Analysis
hxxp://personalonlinescanv3.com/download/

New malware domain: hotexefiles.com

djpnuemo — Mon, 13 Jul 2009 15:38:52 +0000

hxxp://besttubetech.com/xplays.php?id=40014&name=sahel+kazemi+dui+video&hostingtype=vox&theme=trends&category=hottrends&from=videoplayer

Whois entry for hotexefiles.com 64.20.38.172
Susan Field (susfie16@gmail.com)
1059 Rubaiyat Road
Grand Rapids
Michigan,49503
US
Tel. +001.56578987654

onlinemovies.40014.exe
Result: 8/41 (19.52%)
MD5: 2e02ea10960799a78792e39f5498adb6
VirusTotal
ThreatExpert Analysis
hxxp://hotexefiles.com/

onlinemovies.40069.exe
Result: 2/40 (5%)
MD5: 35b979934376577e4429db4317e5184f
VirusTotal
ThreatExpert Analysis
hxxp://hotexefiles.com/

SIDE NOTE: There may be a misconception as to the purpose of these posts. It is not posting a NEW malware variant or NEW malware altogether. These posts are simply to show the new domain it has switched to. I include the the binary downloaded as additional information because we add it to our database. Because the person(s) involved will not respond to my emails, I posted here.

Let’s not make assumptions people.

New malware domain: exe-cosmos.com

djpnuemo — Fri, 10 Jul 2009 15:07:11 +0000

hxxp://tubessite.com/xplays.php?id=40069

Whois entry for exe-cosmos.com 64.20.38.172
Jennifer Ket (jennifket@gmail.com)
1120 Broadway Avenue
Johnson City
Tennessee,37601
US
Tel. +001.43459898760

onlinemovies.40014.exe
Result: 3/41 (7.32%)
MD5: 64a411cce0da8680576a5314eb6ce8e0
VirusTotal
ThreatExpert Analysis
hxxp://exe-cosmos.com/

onlinemovies.40069.exe
Result: 3/41 (7.32%)
MD5: a8148ab3190ae2d5b2765b10ded7228b
VirusTotal
ThreatExpert Analysis
hxxp://exe-cosmos.com/

Database Update: 29 files (Low/Moderate Detection)

djpnuemo — Thu, 09 Jul 2009 16:04:43 +0000

Files added to our database recently.

WARNING: URL’s may still be active. Proceed at your own risk.

Setup-73cb3_02009-1938.exe
Result: 12/41 (29.27%)
MD5: 082c4b1a7b77db893364c3fd3a77b647
VirusTotal
ThreatExpert Analysis
hxxp://secured-virus-scanner.com/download/

id_0122.exe or setup.exe
Result: 13/40 (32.5%)
MD5: 5e6ea7e4f4fbe148e3a06afa58daf581
VirusTotal
ThreatExpert Analysis
hxxp://youtube-adult.name/

pdrv.exe or vcru_1246903147.exe
Result: 12/40 (30%)
MD5: 97207099a118be4091785119b1d9937d
VirusTotal
ThreatExpert Analysis
hxxp://upload.octopus-multimedia.be/1/pdrv.exe

pp.10.exe or pp10.exe
Result: 24/40 (60%)
MD5: 133f989d913fea3e8802282bd37c5927
VirusTotal
ThreatExpert Analysis
hxxp://upload.octopus-multimedia.be/1/pp.10.exe

ld12.exe
Result: 22/41 (53.66%)
MD5: 5c8c37b5ce36b12aaa670b30bd84887a
VirusTotal
ThreatExpert Analysis

install.48322.exe
Result: 17/41 (41.47%)
MD5: 6b8828c90810b4c46eb93bab5976be89
VirusTotal
ThreatExpert Analysis

codec.exe
Result: 19/41 (46.35%)
MD5: 50f81d56bc7e620032d6e87c917aa663
VirusTotal
ThreatExpert Analysis

lol.exe
Result: 5/41 (12.2%)
MD5: ee8171ed76ae49a9c68dd5d33ce74931
VirusTotal
ThreatExpert Analysis

service.exe
Result: 7/41 (17.08%)
MD5: 6e42355db044533bea5f06552065efa3
VirusTotal
ThreatExpert Analysis

391.exe
Result: 8/41 (19.52%)
MD5: 39ef491b937577930f7057f2a7d2e3f4
VirusTotal
ThreatExpert Analysis

setup.exe
Result: 21/41 (51.22%)
MD5: 513ffc855daed8d0889188431add9d34
VirusTotal
ThreatExpert Analysis

FlashPlayer.exe
Result: 18/41 (43.91%)
MD5: 88d88eb7a3941e89c1c9dac8797e7301
VirusTotal
ThreatExpert Analysis
hxxp://healsearcher.com/download/2b58736731513d3d150878b420090701/

.exe
Result: 11/41 (26.83%)
MD5: 174aa8777d77426485747d6de4d0039b
VirusTotal
ThreatExpert Analysis

setup.exe
Result: 20/41 (48.79%)
MD5: e28ecac172dd0b6a178e4abbd6e92af7
VirusTotal
ThreatExpert Analysis

a.exe
Result: 26/41 (63.42%)
MD5: eb4209ac9062804a8c83831ffb0dc6c7
VirusTotal
ThreatExpert Analysis
hxxp://arplgm.cn/

VideoCodec.exe
Result: 14/41 (34.15%)
MD5: 8254d797dc12adaa7e50f30128199b17
VirusTotal
ThreatExpert Analysis
hxxp://healsearcher.com/download/4672366463673d3d0c36c19720090701/

Mediacodec.exe
Result: 16/41 (39.03%)
MD5: 72ede7e934e0777120ec95fa229f0a2a
VirusTotal
ThreatExpert Analysis

win.exe
Result: 23/41 (56.1%)
MD5: b6ebdb9c3e24ef845af65a8ea5d09540
VirusTotal
ThreatExpert Analysis
hxxp://ads.v8dc.com/win/

evilItTheir.pdf
Result: 12/41 (29.27%)
MD5: 3e43e2393e03b76af5f7ff1b30ed83a1
VirusTotal
Wepawet Analysis
hxxp://imagehut3.cn/images/

load.exe
Result: 5/41 (12.2%)
MD5: 55126b500a9cbecb6e3df1a61592fcc7
VirusTotal
ThreatExpert Analysis
hxxp://imagehut3.cn/images/update.php

install_flash_player.exe
Result: 0/41 (0%)
MD5: a51b5d3fee2215f0068fc36174a53513
VirusTotal
ThreatExpert Analysis
hxxp://missing-codecs.net/download/download.php

load.exe or sysguard.exe
Result: 2/40 (5%)
MD5: 507aedd5e26a6bf81635b067b8053ceb
VirusTotal
ThreatExpert Analysis
hxxp://91.212.198.116/lib/update.php

fotos_Album.exe
Result: 21/41 (51.22%)
MD5: af50713e6ff1cfc0e190261a48dc8ee2
VirusTotal
ThreatExpert Analysis

principal.txt or process.exe
Result: 12/40 (30%)
MD5: 097fcf4368c94d83563f205ce335f89b
VirusTotal
ThreatExpert Analysis
hxxp://www.hoje-noticias.pagebr.com/downloads/

TS45.SYS
Result: 2/41 (4.88%)
MD5: aba452fd10f74aabcac36b579046ede8
VirusTotal
ThreatExpert Analysis

plug2.txt or wiskyx.exe
Result: 20/41 (48.79%)
MD5: 6b88ad201100fe58920842be576f5482
VirusTotal
ThreatExpert Analysis
hxxp://www.hoje-noticias.pagebr.com/downloads/

winsex2.txt or winsex2.exe
Result: 11/40 (27.5%)
MD5: 3abb2f2eda63e9ed447aad1e502b5e25
VirusTotal
ThreatExpert Analysis
hxxp://www.hoje-noticias.pagebr.com/downloads/

Setup-27a_02022.exe
Result: 6/41 (14.64%)
MD5: a778ceee0fa0161bf77fa318fa3f1a51
VirusTotal
ThreatExpert Analysis

update.exe
Result: 14/40 (35%)
MD5: 4e37097b45d8885a55ef8bd0a0669446
VirusTotal
ThreatExpert Analysis
hxxp://vikd3jj-2.com/2/index.php

New malware domain: red-exe.com

djpnuemo — Thu, 09 Jul 2009 14:15:56 +0000

hxxp://go-go-tube.com/xplays.php?id=40069

Whois entry for red-exe.com 64.20.38.172
Tasha Chambers (tashcham@gmail.com)
2520 North Street
Kearns
Utah,84118
US
Tel. +001.98985647689

onlinemovies.40069.exe
Result: 0/40 (0%)
MD5: 39c1a48433c6de8c08d75926cb468d20
VirusTotal
ThreatExpert Analysis
hxxp://red-exe.com/

onlinemovies.40014.exe
Result: 0/40 (0%)
MD5: a24bcd49eb5d266d11fb2883a203ef76
VirusTotal
ThreatExpert Analysis
hxxp://red-exe.com/

Rogue domain: securedvirusscan.com

djpnuemo — Thu, 09 Jul 2009 14:10:54 +0000

Whois entry for securedvirusscan.com 69.4.230.205
Privat person
Aleksandr Rozanov adsff@freebbmail.com
+74952783441 fax: +74952783441
ul. Peshkova 29-52
Moskva Moskovskay oblast 126106
ru

Setup-4e45_02022.exe
Result: 0/40 (0%)
MD5: abc17998e1b33fe99f60497010028523
VirusTotal
ThreatExpert Analysis
hxxp://securedvirusscan.com/download/

Multiple domains targeting pornographic videos distributing malware codec

djpnuemo — Thu, 09 Jul 2009 02:01:02 +0000

Found these sites today while browsing on Google Video. This redirection is triggered from having a video.google.com referrer and pushes the user through a few domains to redirect and download content. It may be triggered by other video sites as well. This is offering an HD codec for flash player and features a cute installation process when you visit the site.

hxxp://best.viralprn.net
Redirects to
hxxp://only.hdpornr.net
Loads files from
hxxp://tvcodec.net

Whois entry for viralprn.net 88.80.19.191

Whois entry for hdpornr.net 195.95.151.178

Whois entry for tvcodec.net 91.194.10.60
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Whois entry for hdenabled.com 213.163.66.241

Flash.Player.HD.v10.0.exe
Result: 12/41 (29.27%)
MD5: 947828203c38f7cc2e98277076b747a0
VirusTotal
ThreatExpert Analysis
hxxp://hdenabled.com/download/5a6a576343673d3d050cf77920090701/

New malware domain: exe-site.com

djpnuemo — Wed, 08 Jul 2009 14:34:22 +0000

hxxp://go-go-tube.com/xplays.php?id=40069

Whois entry for exe-site.com exe-site.com
Queenie Ziegler (queeziegl@gmail.com)
4806 Green Avenue
Fremont
California,94536
US
Tel. +001.34980976583

streamviewer.40069.exe
Result: 0/40 (0%)
MD5: 7f14d9626761ac467f85b542028259e3
VirusTotal
ThreatExpert Analysis
hxxp://exe-site.com/

Website selling multiple rogue programs as legitimate-Pt. 2

djpnuemo — Wed, 08 Jul 2009 14:21:57 +0000

hxxp://browsersecurityinfo.com

Redirects to
hxxp://ieprotectionlist.com/2/

Redirects to
hxxp://bennysaintscathedral.com/buy.php?nh=1&id=

Redirects to
hxxp://secure.buysecuritysoftwareonline.com/buy.php?nh=1&id=

Whois entry for browsersecurityinfo.com 83.133.123.113
Name: Gupta C Deepak
Address: 580 Booth
City: Edmonton
Province/state: AB
Country: CA
Postal Code: 787843

Whois entry for ieprotectionlist.com 83.133.123.109
Name: Van M Jane
Address: Rod. 5C 41 – Km. 4,8
City: Santa Catarina
Province/state: Santa Catarina
Country: BR
Postal Code: 88122

Whois entry for bennysaintscathedral.com 83.133.123.113
Name: Gayao M Mel
Address: 16-18 Kingsley Close
City: Melbourne
Province/state: Melbourne
Country: RU
Postal Code: 31781

Whois entry for buysecuritysoftwareonline.com 83.133.123.109
Name: Rauf K Abdur
Address: 79-E, Al-Rehman Chamber
City: Islamabad
Province/state: Islamabad
Country: PK
Postal Code: 53241

New rogue domains associated with known malware distributors-Pt. 2

djpnuemo — Wed, 08 Jul 2009 14:02:29 +0000

Here is a fresh round of domains sent in to MDB linked to known malware distributors. You can click on each domain name to view the whois info. You can see more domains that were sent in in my previous post.

securebrowsingmode.com
internetbrowsersecurity.com
securing-your-browser.com
safe-browsing-network.com
bestringostarr.com
paul-mccartney-site.com
londonweekendtv.com
hawaiian-monarchy.com
countrymusicsrtists.com
2009-wimbledon.com
yorkshire-offroad-club.com
offroaddrivingcentres.com
fastvirusscan3.com
spywarefastscannerv6.com
antivirussecurescannerv3.com
antivirusbestscannerv5.com
manualspywareremoval.com
antivirusfolderscanv5.com
antivirusfolderscannerv5.com
antiviruspcscannerv7.com
antivirusscannerv9.com
antivirusforcomputrerv5.com
antimalwarecheckv6.com
antimalwareproscannerv9.com
antimalwareproscannerv8.com
antimalwarescanv4.com 78.47.172.69
antimalwarescanv7.com 83.133.126.155
dallastopnews.com
gulfbreakingnews.com
dailynatureandscience.com
australiandemocratsorg.com
you-will-be-fine.com
battle-for-europe.com
biofeedbackfoundation.com
bbcnewsstyleguide.com 78.47.91.155
whitelistbrowserpages.com
browserprivacytips.com
webbrowsersecuritysummary.com
securingyourwebbrowser.com 78.47.91.155
web-browser-security.com
securitybugfixserverv9.com
securitybugfixupdatev4.com
securitybugfixserverv1.com
securitybugfixupdate.com
update-my-software.com
latestupdateserver.com
recentupdatesserver.com