CastleCops, Internet Crime Fighters

Rogue Anti-Malware in iframe for 89.149.243.202/t

scholar01
Cadet
Joined: Nov 27, 2007
Posts: 2
Location: USA

Posted: Wed Mar 05, 2008 7:06 pm    Post subject: Rogue Anti-Malware in iframe for 89.149.243.202/t

limany . org/article_2006_01_7_5139.html points to

89.149.243.202/t which javascripts to

hxxp://bestsexworld . info/soft.php?aid=0064&d=3&product=XPA

which forwards to

xpantivirus2008 . com/2008/3/freescan.php\?aid\=880064

which javascripts a "you are infected" warning and links to

xpdownloadings . com/2008/download/ XPantivirus2008_v880064.exe

scholar01
Cadet
Joined: Nov 27, 2007
Posts: 2
Location: USA

Posted: Wed Mar 05, 2008 7:08 pm    Post subject:

AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
28753 | 89.149.243.202 | 89.149.192.0/18 | DE | ripencc | 2006-02-23 | NETDIRECT AS NETDIRECT Frankfurt, DE

No BL history for the last 8 months, but was flagged as open recursive as of Aug. 2007.

maliciousbrains
Sergeant
Premium Member
Joined: Feb 23, 2008
Posts: 103

Posted: Wed Mar 05, 2008 7:35 pm    Post subject:

Rogue spyware application @ hxxp://xpantivirus2008.com
It has a link saying

"Find out right now with our
FREE SPYWARE SCAN
The whole process takes less than
5 minutes and is FREE of all charge"

Links url: hxxp://xpantivirus2008.com/download.php?id=

downloads: XPantivirus2008_v880011.exe

Also has Google Analytics tracker Script to monitor users:
http://www.google-analytics.com/urchin.js <-- Non Malicious Tracking Script

Additional file information:
File size: 41472 bytes
MD5: 4edf998086a9a3327256bc9ca1581228
SHA1: ffe4489828e7bce26f7125f73c2c99b5ccc48959
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=CDB50E2B002DEBA0A22300F15DBBFB00EA9EFD40

File XPantivirus2008_v880011.exe

Result: 12/32 (37.5%)
Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.05 -
AntiVir 7.6.0.73 2008.03.05 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2008.03.04 -
Avast 4.7.1098.0 2008.03.05 -
AVG 7.5.0.516 2008.03.05 Win32/PolyCrypt
BitDefender 7.2 2008.03.05 -
CAT-QuickHeal 9.50 2008.03.05 -
ClamAV 0.92.1 2008.03.05 -
DrWeb 4.44.0.09170 2008.03.05 Trojan.Fakealert.446
eSafe 7.0.15.0 2008.02.28 suspicious Trojan/Worm
eTrust-Vet 31.3.5590 2008.03.05 -
Ewido 4.0 2008.03.05 -
FileAdvisor 1 2008.03.05 -
Fortinet 3.14.0.0 2008.03.05 -
F-Prot 4.4.2.54 2008.03.04 -
F-Secure 6.70.13260.0 2008.03.05 W32/Smalltroj.CYTS
Ikarus T3.1.1.20 2008.03.05 Trojan.Crypt.ULPM
Kaspersky 7.0.0.125 2008.03.05 -
McAfee 5245 2008.03.05 -
Microsoft 1.3301 2008.03.05 Trojan:Win32/Vxidl.gen!B
NOD32v2 2924 2008.03.05 -
Norman 5.80.02 2008.03.05 W32/Smalltroj.CYTS
Panda 9.0.0.4 2008.03.05 Suspicious file
Prevx1 V2 2008.03.05 Heuristic: Suspicious Self Modifying EXE
Rising 20.34.22.00 2008.03.05 -
Sophos 4.27.0 2008.03.05 Mal/HckPk-A
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.05 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.05 -
Webwasher-Gateway 6.6.2 2008.03.05 Trojan.Crypt.ULPM.Gen

File added to ListServ:
CastleCops Link/p1062573-MD5_4edf998086a9a3327256bc9ca1581228.html#1062573

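Added example (not code from the thread or from CastleCops): a small Python triage helper that parses a pasted multi-engine scan table like the one in the post above, recomputes the "12/32 (37.5%)" detection ratio, lists which engines flagged the file and under what name, and checks the reported MD5/SHA1 against a hash blocklist. The scan table and the two hashes are copied from the post; the blocklist set `KNOWN_BAD_HASHES` is constructed for the demo and stands in for a real hash feed.

```python
import re
from dataclasses import dataclass

# One engine row of the pasted table: "<engine> <version> <YYYY.MM.DD> <verdict>".
# The verdict may contain spaces ("Suspicious file", "Heuristic: ..."), so everything
# after the date is kept; the header line has no date in column three and never matches.
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$"
)

@dataclass(frozen=True)
class ScanRow:
    engine: str
    version: str
    updated: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result.strip() != "-"  # the table uses a bare "-" for "nothing found"

def parse_scan_results(text: str) -> list[ScanRow]:
    """Turn the pasted table into ScanRow objects; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(ScanRow(**m.groupdict()))
    return rows

def detection_summary(rows: list[ScanRow]) -> tuple[int, int, float]:
    """(detected, total, percent), the same figures as the post's 'Result: 12/32 (37.5%)' line."""
    total = len(rows)
    detected = sum(1 for r in rows if r.detected)
    percent = round(100.0 * detected / total, 1) if total else 0.0
    return detected, total, percent

def verdicts(rows: list[ScanRow]) -> dict[str, str]:
    """Engine -> verdict string, for only the engines that flagged the file."""
    return {r.engine: r.result for r in rows if r.detected}

def hash_in_blocklist(md5: str, sha1: str, blocklist: set[str]) -> bool:
    """Case-insensitive check of either hash against a set of known-bad hashes."""
    wanted = {h.lower() for h in blocklist}
    return md5.lower() in wanted or sha1.lower() in wanted

# Scanner table exactly as posted in the thread for XPantivirus2008_v880011.exe.
SCAN_TABLE = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.05 -
AntiVir 7.6.0.73 2008.03.05 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2008.03.04 -
Avast 4.7.1098.0 2008.03.05 -
AVG 7.5.0.516 2008.03.05 Win32/PolyCrypt
BitDefender 7.2 2008.03.05 -
CAT-QuickHeal 9.50 2008.03.05 -
ClamAV 0.92.1 2008.03.05 -
DrWeb 4.44.0.09170 2008.03.05 Trojan.Fakealert.446
eSafe 7.0.15.0 2008.02.28 suspicious Trojan/Worm
eTrust-Vet 31.3.5590 2008.03.05 -
Ewido 4.0 2008.03.05 -
FileAdvisor 1 2008.03.05 -
Fortinet 3.14.0.0 2008.03.05 -
F-Prot 4.4.2.54 2008.03.04 -
F-Secure 6.70.13260.0 2008.03.05 W32/Smalltroj.CYTS
Ikarus T3.1.1.20 2008.03.05 Trojan.Crypt.ULPM
Kaspersky 7.0.0.125 2008.03.05 -
McAfee 5245 2008.03.05 -
Microsoft 1.3301 2008.03.05 Trojan:Win32/Vxidl.gen!B
NOD32v2 2924 2008.03.05 -
Norman 5.80.02 2008.03.05 W32/Smalltroj.CYTS
Panda 9.0.0.4 2008.03.05 Suspicious file
Prevx1 V2 2008.03.05 Heuristic: Suspicious Self Modifying EXE
Rising 20.34.22.00 2008.03.05 -
Sophos 4.27.0 2008.03.05 Mal/HckPk-A
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.05 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.05 -
Webwasher-Gateway 6.6.2 2008.03.05 Trojan.Crypt.ULPM.Gen
"""

# Hashes reported in the thread for the same file.
SAMPLE_MD5 = "4edf998086a9a3327256bc9ca1581228"
SAMPLE_SHA1 = "ffe4489828e7bce26f7125f73c2c99b5ccc48959"

# Constructed blocklist for this demo (upper case on purpose, to exercise the case folding).
KNOWN_BAD_HASHES = {"4EDF998086A9A3327256BC9CA1581228"}

if __name__ == "__main__":
    rows = parse_scan_results(SCAN_TABLE)
    detected, total, percent = detection_summary(rows)
    print(f"{detected}/{total} engines ({percent}%) flagged the file")
    for engine, verdict in sorted(verdicts(rows).items()):
        print(f"  {engine:<20} {verdict}")
    print("hash on blocklist:", hash_in_blocklist(SAMPLE_MD5, SAMPLE_SHA1, KNOWN_BAD_HASHES))
```

Run as-is it reproduces the post's 12/32 figure and prints the twelve verdicts; the mix of generic names (Crypt.ULPM, PolyCrypt, HckPk) and one Fakealert name is the usual signature of a freshly packed rogue anti-malware installer, which is why a low multi-engine ratio on the day of discovery should not be read as "clean". Feeding a different pasted table or a live hash feed into `parse_scan_results` and `KNOWN_BAD_HASHES` needs no other changes.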