Malware Database » Codec

Multiple domains targeting pornographic videos distributing malware codec

djpnuemo — Thu, 09 Jul 2009 02:01:02 +0000

Found these sites today while browsing on Google Video. This redirection is triggered from having a video.google.com referrer and pushes the user through a few domains to redirect and download content. It may be triggered by other video sites as well. This is offering an HD codec for flash player and features a cute installation process when you visit the site.

hxxp://best.viralprn.net
Redirects to
hxxp://only.hdpornr.net
Loads files from
hxxp://tvcodec.net

Whois entry for viralprn.net 88.80.19.191

Whois entry for hdpornr.net 195.95.151.178

Whois entry for tvcodec.net 91.194.10.60
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Whois entry for hdenabled.com 213.163.66.241

Flash.Player.HD.v10.0.exe
Result: 12/41 (29.27%)
MD5: 947828203c38f7cc2e98277076b747a0
VirusTotal
ThreatExpert Analysis
hxxp://hdenabled.com/download/5a6a576343673d3d050cf77920090701/

New malware domain: exe-site.com

djpnuemo — Wed, 08 Jul 2009 14:34:22 +0000

hxxp://go-go-tube.com/xplays.php?id=40069

Whois entry for exe-site.com exe-site.com
Queenie Ziegler (queeziegl@gmail.com)
4806 Green Avenue
Fremont
California,94536
US
Tel. +001.34980976583

streamviewer.40069.exe
Result: 0/40 (0%)
MD5: 7f14d9626761ac467f85b542028259e3
VirusTotal
ThreatExpert Analysis
hxxp://exe-site.com/

Fake codec website: update-adobe.fdns.net

djpnuemo — Tue, 23 Jun 2009 15:27:02 +0000

hxxp://nevvsvine.com/go.php?sid=6
Redirects to
hxxp://q5.awardspace.com/

awardspace.com and fdns.net are legimate hosts with accounts that are being used to host and redirect to malware.

codec.exe
Result: 30/41 (73.17%)
MD5: d44b9453d4aca0a4e309fb5708b107d0
VirusTotal
ThreatExpert Analysis
hxxp://update-adobe.fdns.net/codec/

New malware domain: exe-center.com

djpnuemo — Thu, 18 Jun 2009 15:16:09 +0000

http://tubes-portal.com/xplays.php?id=40014&name=The+Ultimate+Fighter+S09E12+HDTV+-aAF

Whois entry for exe-center.com 64.20.38.171
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

streamviewer.40014.exe
Result: 2/41 (4.88%)
MD5: 717d8bd4b640554b83735c41f32178cd
VirusTotal
ThreatExpert Analysis
hxxp://exe-center.com/

Database Update: 11 files (Low/Moderate Detection)

djpnuemo — Mon, 15 Jun 2009 02:08:34 +0000

Files added to our database today.

WARNING: URL’s still may be active. Proceed at your own risk.

load.exe
Result: 16/40 (35%)
MD5: 9b8b5fe782fa05bcfc5e4a181935b776
VirusTotal
ThreatExpert Analysis
hxxp://playslotbet.cn:8080/load.php

remtool_conf.exe
Result: 14/40 (35%)
MD5: 4cf579669a74db8eee1b83568ec10132
VirusTotal
ThreatExpert Analysis
hxxp://windowsupdate.microsoft.com.ssl.newmail.ru/updates=removalid928hduwuHDDIEop/cookiesession0-conflicker-downad/

webexplorer.exe
Result: 4/40 (10.00%)
MD5: ba3355a73d69027d6fff6472a2a59ff3
VirusTotal
ThreatExpert Analysis

streamviewer.40014.exe
Result: 17/40 (42.5%)
MD5: 1660088c2b0e7e024404c6638c2b357a
VirusTotal
ThreatExpert Analysis

load.exe
Result: 1/39 (2.57%)
MD5: 21bc40db23465c8bb8655b3074514562
VirusTotal
ThreatExpert Analysis
hxxp://filmoflife.cn:8080/load.php

update.exe or svchost.exe
Result: 3/40 (7.5%)
MD5: 6d4349e2c1379d05369e5b50e1d5a74e
VirusTotal
ThreatExpert Analysis
hxxp://naf77.biz/myy/load.php?id=0

update_901.pdf
Result: 7/40 (17.5%)
MD5: 62a0403b9acddd38ab47a003fa47288c
VirusTotal
Wepawet Analysis
hxxp://naf77.biz/myy/pdf.php

installer_70141.exe
Result: 13/40 (32.5%)
MD5: 543538619b77c28791e8092a737b2237
VirusTotal
ThreatExpert Analysis
hxxp://gojaxty.cn/

svchost.exe or dop.exe
Result: 15/40 (37.5%)
MD5: 6cf16e07d49dd0a8bff0c847d640dba5
VirusTotal
ThreatExpert Analysis
hxxp://antivirusplusnow.com/

antivirus.exe or rundll32.exe
Result: 10/39 (25.65%)
MD5: d2d54a283f593c7a2d25be9de58592a3
VirusTotal
ThreatExpert Analysis
hxxp://antivirusplusnow.com/install/

InternetExplorer.dll
Result: 12/40 (30%)
MD5: 669a64b42a4d9d90b4eadc35000f8656
VirusTotal
ThreatExpert Analysis
hxxp://antivirusplusnow.com/install/

New malware domain: last-exe-portal.com

djpnuemo — Sat, 13 Jun 2009 16:21:59 +0000

Whois entry for last-exe-portal.com 64.20.38.171
Leota Allison (leotallison@gmail.com)
340 Wood Street
Saginaw
Michigan,48607
US
Tel. +001.97094875848

go-exe-go.com
gruzzilla.com
super-exe-home.com

streamviewer.40014.exe
Result: 12/40 (30%)
MD5: 1660088c2b0e7e024404c6638c2b357a
VirusTotal
ThreatExpert Analysis
hxxp://last-exe-portal.com/

New malware domain: my-exe-work.com

djpnuemo — Thu, 11 Jun 2009 21:27:24 +0000

This was found from a known malware codec website.

http://hi-my-tube.com/xplays.php?id=40014&name=david+carradine

Whois entry for my-exe-work.com 66.197.171.6
Scott Bradford (scttbrdfrd08@gmail.com)
4921 Oakridge Lane
Macon
Guam,31206
US
Tel. +001.97094875848

streamviewer.40014.exe
Result: 5/40 (22.5%)
MD5: 7dafe64e443f60b9f512cd9d1526a595
VirusTotal
ThreatExpert Analysis
hxxp://my-exe-work.com/streamviewer.40014.exe

New codec domains: exe-file-boom.com & hi-my-tube.com

djpnuemo — Wed, 10 Jun 2009 20:28:03 +0000

Found these domains spreading a fake codec today. Bother were registered today.

Whois entry for exe-file-boom.com 66.197.171.6
Isaac Donnelly (isaacdonn@gmail.com)
3711 Eastland Avenue
Hattiesburg
Mississippi,39402
US
Tel. +001.88795890983

exe-file-boom.com
my-exe-profile.com
web-exe-depositary.com
mp3downloadablesongs.com

Whois entry for hi-my-tube.com 216.240.143.7
Stephine Smith (stsmisss@gmail.com)
2810 Kovar Road
Westboro
Maine,01581
US
Tel. +001.76778989543

*.best-crystal-tube.com
*.big-tube-list.com
*.champtube2009.com
*.chipeztube2009.com
*.get-mega-tube.com
*.happy-tube-video.com
*.my-flare-tube.com
*.my-tube-zone.com
*.powerful-tube.com
*.tubecollection2009.com
*.video-tube-dot.com
*.wondertubes2009.com
better-tube-show.com
big-tube-list.com
fllcorp.com
get-mega-tube.com
megacooltubes2009.com
ns2.best-crystal-tube.com
ns2.big-tube-list.com
ns2.champtube2009.com
ns2.chipeztube2009.com
ns2.get-mega-tube.com
ns2.happy-tube-video.com
ns2.megaporntubes09.com
ns2.my-flare-tube.com
ns2.my-tube-zone.com
ns2.powerful-tube.com
ns2.tall-tubex.com
ns2.tube-xxx-tv2009.com
ns2.tubecollection2009.com
ns2.video-tube-dot.com
ns2.wondertubes2009.com
premier-tube-site.com
sunny-tube-house.com
www.best-crystal-tube.com
www.big-tube-list.com
www.champtube2009.com
www.chipeztube2009.com
www.get-mega-tube.com
www.my-tube-zone.com

streamviewer.40014.exe
Result: 9/40 (22.5%)
MD5: 78a3631fbc7d93ce07c33233416a2176
VirusTotal
ThreatExpert Analysis
hxxp://exe-file-boom.com/streamviewer.40014.exe

a.exe
Result: 11/39 (28.21%)
MD5: 2e326fd4048bdf28308a9bb5ced08ed7
VirusTotal
ThreatExpert Analysis
hxxp://thenewpic.com/item/a5acc232141aba8b24603e1b24eb084d0e020a6c16c76e38e6582142a6c4df427ca48b89cc4e0cf0a/4400d031142/titem.gif

b.exe or msa.exe
Result: 5/39 (12.83%)
MD5: c665052347ce07a9626c6cdcdb0e56d8
VirusTotal
ThreatExpert Analysis
hxxp://theimagesphoto.com/werber/04d04071f42/217.gif

New rogue domain: mybest-xxx.com

djpnuemo — Sun, 07 Jun 2009 20:59:53 +0000

This is another domain spreading malware in codecs and rogue installers. This is on a known malware IP address.

/promo1/ Fake Adult-archive.net website
/promo2/ Fake porntube.com website
/promo3/ Fake scanning page
/promo4/ Fake sextube website

Whois entry for mybest-xxx.com 78.129.166.166
Contact: info@rustelekom.biz
Domain name: mybest-xxx.com
Registrant Contact:
Vasilij Lanus ()
Fax:
Prospekt Mira 2.3.4
Moscow, 112111
RU

Malware codec website: tvtube.myphotos.cc

djpnuemo — Thu, 04 Jun 2009 17:44:06 +0000

Found this website distributing a malware codec that will install a rogue security program. The myphotos.cc domain is a dymanic DNS service.

The referrer that brought us to tvtube.myphotos.cc was olimpians.ru. This domain contained a php file that had the following line to direct us to the codec website.

window.location=”http://”+”tvtube”+”.myphotos.cc”+”/”;

Whois entry for olimpians.ru 77.221.130.29

codec.exe (PC Defender)
Result: 19/39 (48.72%)
MD5: 675777f309675e1fa7455c5ca4303ff6
VirusTotal
ThreatExpert Analysis