downie
PIRT Handler
Joined: May 19, 2006 Posts: 3979
Posted: Wed Apr 09, 2008 10:07 pm Post subject: Not so complex

http://www.complex-programming.biz/st/
_________________
"For evil to triumph utterly, it is only necessary that good men do nothing."

philipp2
Trooper
Joined: Apr 11, 2008 Posts: 22 Location: Germany
Posted: Fri Apr 11, 2008 12:58 pm Post subject:

Hi,
I did a little research on this:
When visiting this website, an exploit is launched depending on the browser config.
After infection an HTTP connection is established to 5pro.biz/report/ind.php with the following parameters (in my case), probably to 'register as a new bot' at the webserver:
$p=35212356
$uid=172817084033
$aid=32
The answer includes the link http://5pro.biz/rally.exe, which in turn is downloaded and executed.
Afterwards the victim host communicates with another host, 208.72.169.148, on port 4099 over HTTP, sending and receiving encrypted data packets.
Well, and then the infected host starts to send mass spam mails: mostly for www.meds75.com.
tetak
MIRT Team Lead, Premium Member
Joined: Jan 19, 2007 Posts: 5870
Posted: Sat Apr 12, 2008 3:27 pm Post subject:

Various exploits on the site.
Tries to download and run
Code: http://www.complex-programming.biz/st/exe/sysvx.exe
There's also
Code: http://www.complex-programming.biz/st/dat/count.jar
which is Trojan:Java/Classloader (Microsoft).
I'll add the new malware samples to the malware listserv.
_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.
Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
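The two analysis posts above (philipp2's infection chain and tetak's payload URLs) together give a defender a small set of network indicators: the exploit-kit host, the check-in URL with its $p/$uid/$aid parameters, the rally.exe download, and the tunnel to 208.72.169.148:4099. The script below is an added example, not code from the thread or from any of the posters. It runs those indicators over a few constructed proxy log lines (a made-up squid-like "client method target status bytes" layout, not a real capture) and groups the hits per client so the full chain for an infected host is visible at a glance.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators of compromise taken from the thread (philipp2's and tetak's posts).
IOC_HOSTS = {"5pro.biz", "www.complex-programming.biz"}
IOC_IPS = {"208.72.169.148"}
IOC_PATHS = {
    "/report/ind.php": "bot registration check-in",
    "/rally.exe": "second-stage download",
    "/st/exe/sysvx.exe": "exploit-kit payload",
    "/st/dat/count.jar": "Trojan:Java/Classloader",
}
CHECKIN_PARAMS = {"$p", "$uid", "$aid"}   # parameter names seen in the check-in
IOC_PORTS = {4099}                        # non-standard port used for the encrypted channel

# Constructed sample log lines (not a real capture): "client method target status bytes".
SAMPLE_LOG = """\
10.0.0.5 GET http://www.complex-programming.biz/st/ 200 4120
10.0.0.5 GET http://www.complex-programming.biz/st/dat/count.jar 200 9833
10.0.0.5 GET http://5pro.biz/report/ind.php?$p=35212356&$uid=172817084033&$aid=32 200 77
10.0.0.5 GET http://5pro.biz/rally.exe 200 151552
10.0.0.5 CONNECT 208.72.169.148:4099 200 0
10.0.0.7 GET http://www.example.com/index.html 200 1200
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<status>\d+)\s+(?P<bytes>\d+)$"
)


def classify_line(line):
    """Return the reasons a single log line matches the thread's indicators ([] if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    target = m.group("target")
    reasons = []

    # CONNECT requests carry "host:port" rather than a full URL.
    if m.group("method") == "CONNECT":
        host, _, port = target.rpartition(":")
        if host in IOC_IPS:
            reasons.append(f"CONNECT to known C2 address {host}")
        if port.isdigit() and int(port) in IOC_PORTS:
            reasons.append(f"tunnel to unusual port {port}")
        return reasons

    parts = urlsplit(target)
    host = parts.hostname or ""
    if host in IOC_HOSTS or host in IOC_IPS:
        reasons.append(f"known bad host {host}")
    if parts.path in IOC_PATHS:
        reasons.append(IOC_PATHS[parts.path])
    # The check-in is recognisable by its parameter names even if the host changes.
    params = set(parse_qs(parts.query, keep_blank_values=True))
    if CHECKIN_PARAMS <= params:
        reasons.append("check-in parameter set $p/$uid/$aid")
    return reasons


def scan_log(log_text):
    """Group flagged (target, reasons) pairs by client so each host's chain is visible."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify_line(line)
        if reasons:
            fields = line.split()
            hits.setdefault(fields[0], []).append((fields[2], reasons))
    return hits


def infected_clients(log_text):
    """Sorted list of client addresses with at least one indicator hit."""
    return sorted(scan_log(log_text))


if __name__ == "__main__":
    for client, events in scan_log(SAMPLE_LOG).items():
        print(f"{client}:")
        for target, reasons in events:
            print(f"  {target}\n    -> " + "; ".join(reasons))
```

The parameter-name check is deliberately independent of the host match: the same `$p`/`$uid`/`$aid` triple reappearing on a different domain is worth a look on its own, while a single hit on the landing page alone (the first sample line) may only mean a user browsed to the site and the exploit did not fire.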