loveryou.com, forum spammer\Estdomains

This forum is for testing I do with various security settings and tools. Infection infiltration, security lock down among other things. Currently XP Home-w\SP 2 installed



Postby TICTestBox » Thu Sep 25, 2008 11:29 pm

Ran across this site while checking it from a submission of forum spam, lo and behold, it's reg'd w\Estdomains:

File zcodec.0.exe received on 09.26.2008 00:13:48 (CET)
Result: 4/36 (11.11%)

eSafe 7.0.17.0 2008.09.25 Suspicious File
F-Secure 8.0.14332.0 2008.09.25 Suspicious:W32/Puper!Gemini
Prevx1 V2 2008.09.26 Malicious Software
Symantec 10 2008.09.26 Trojan.Zlob

Additional information
File size: 81408 bytes
MD5...: 349b2f9271774c1e7c08c3fa7eb98eb7
SHA1..: 9387f406900678d2abc6eedaaacfd4dec17c20be
SHA256: b6127c0f59506025a49c93485ea0f22a6ac337011208c65515cd0fd42a593215
SHA512: 1c73def9fcfd5b9ea02835778dc68a74164de002da4f63132431c41ee022a5fa244066b16f913345f0f1f67ab93a0ea03e6b215900a2e92a5f7c530ea9cd678a

http://www.virustotal.com/analisis/5968c56251de183e18ce91f64a8098ba

via:
http://loveryou.net
Host: loveryou.net
Current IP*: 91.203.70.49 (8)>>>http://hosts-file.net/?s=91.203.70.49&sDM=1#matches
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com
Creation Date: 24-Jun-2008
Expiration Date: 24-Jun-2009

redirected to:
http://hot-porntube-08.com/viewmovie.php?id=1086

installed from:
http://codecdownload.softportalforfun08.com/zcodec.1086.exe
This site is NOT currently listed in hpHosts
Host: codecdownload.softportalforfun08.com
Current IP*: 66.232.105.232 (17) >>>>>http://hosts-file.net/?s=66.232.105.232&sDM=1#matches
Name servers:
ns1.softportalforfun08.com (66.232.105.231)
ns2.softportalforfun08.com (66.232.105.232)

That file above dropped the following, which MBAM removed:
Malwarebytes' Anti-Malware 1.28
Database version: 1205
Windows 5.1.2600

9/25/2008 4:00:25 AM
mbam-log-2008-09-25 (04-00-25).txt

Scan type: Quick Scan
Objects scanned: 35701
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Somefox (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\SAV\sav.exe (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav.cpl (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav0.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav1.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav.ooo (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Local Settings\temp\video1086.cfg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Desktop\System Antivirus 2008.lnk (Rogue.SystemAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Local Settings\temp\video1086.cfg (Trojan.FakeAlert) -> Delete on reboot.
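As an added example (not part of the post above and not Malwarebytes' own tooling), a small Python parser for the MBAM log format quoted in it: it reconciles the declared per-section counts against the items actually listed, pulls out the Run-key autostart value used for persistence, and flags the file MBAM could only schedule for deletion on reboot. The log excerpt is copied from the post; the regexes and function names are my own.

```python
import re
# Excerpt of the MBAM log in the post above (summary block plus the two non-empty sections).
MBAM_LOG = r"""
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Somefox (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\SAV\sav.exe (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav.cpl (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav0.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav1.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav.ooo (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Local Settings\temp\video1086.cfg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Desktop\System Antivirus 2008.lnk (Rogue.SystemAntivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Local Settings\temp\video1086.cfg (Trojan.FakeAlert) -> Delete on reboot.
"""
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 8"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")    # "<location> (<threat>) -> <action>."

def parse_mbam_log(text):
    """Return (declared count per section, [(section, location, threat, action), ...])."""
    summary, items, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY_RE.match(line):
            summary[m[1]] = int(m[2])
        elif m := SECTION_RE.match(line):
            section = m[1]
        elif section and (m := ITEM_RE.match(line)):
            items.append((section, m[1], m[2], m[3]))
    return summary, items

def count_mismatches(summary, items):
    """Sections whose declared count differs from the items listed under them (truncated log)."""
    seen = {s: sum(1 for sec, *_ in items if sec == s) for s in summary}
    return {s: (n, seen[s]) for s, n in summary.items() if seen[s] != n}

def run_key_entries(items):
    """Autostart values under ...\CurrentVersion\Run, the persistence mechanism seen here."""
    return [loc for _, loc, _, _ in items if "\\CurrentVersion\\Run\\" in loc]

def pending_reboot(items):
    """Items MBAM could not delete live; they remain on disk until the machine is rebooted."""
    return [loc for _, loc, _, action in items if action == "Delete on reboot"]
```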
