Do not go here: Trojan-Downloader.Win32.Mutant.idj - zeus bot install

Hi malware fighters,

Do not go here, also because adult content sites form an added malware risk:
Trojan-Downloader.Win32.Mutant.idj - 1 result(s): zeus bot install: https://zeustracker.abuse.ch/monitor.php?host=sexypypsik*ru

URL status: Active Malware

It is also a zeus bot domain:
2010/05/02_10:41 sexypypsik.ru/exe/1.exe 173.212.221.160 173-212-221-160.hostnoc.net. zeus v2 trojan support at sexypypsik.ru 21788
2010/05/02_10:41 sexypypsik.ru/exe/gopstop.exe 173.212.221.160 173-212-221-160.hostnoc.net. zeus v2 trojan support at sexypypsik.ru 21788
2010/05/02_10:41 sexypypsik.ru/zzz/up.php 173.212.221.160 173-212-221-160.hostnoc.net. zeus v2 drop zone support at sexypypsik.ru 21788
2010/05/02_07:29 sexypypsik.ru/zzz/ava.jpg 173.212.221.160 173-212-221-160.hostnoc.net. zeus v2 config file support at sexypypsik.ru 21788
2010/05/02_07:29 sexypypsik.ru/zzz/ya_ebal.exe 173.212.221.160 173-212-221-160.hostnoc.net. zeus v2 trojan support at sexypypsik.ru 21788

MBL#: 144566
Malware found: Trojan-Downloader.Win32.Mutant.idj
Insertion date: 08:11:07 02/05/2010 UTC
URL: hxtp://sexypypsik.ru/zzz/
Host/Domain: sexypypsik*ru
Protocol: http
Extension: exe
Malware MD5: d6a08c3ac55979085a84c172b6a46837
Malware SHA1: 73403f0ee761ce05bc74200a4ea577604be1832d

General Info
Web Site Location: United States of America

Norton Safe Web has analyzed sexypypsik*ru for safety and security problems. Below is a sample of the threats that were found.

sexypypsik*ru Threat Report

Total threats found: 2

Virus

Threats found: 2
Here is a complete list:
Threat Name: Bloodhound.PDF.9
Location: hxtp://sexypypsik.ru/yes2.0/include/spl.php?do=foxit&stat=Windows%20XP%7cInternet%20Explorer%207.0%7cES%7cInternet%20Explorer

Threat Name: Bloodhound.Exploit.196
Location: hxtp://sexypypsik.ru/yes2.0/include/spl.php?stat=Windows%20XP%7cInternet%20Explorer%207.0%7cES%7cInternet%20Explorer
Also see here: hxtp://support.clean-mx.de/clean-mx/viruses.php?sub=sub8&sort=first%20desc
(do not click anything inside the above link given because live links may lead to malcode)

Unmask Parasites gives it clean… How is that possible? For missed items, see:
http://forum.avast.com/index.php?topic=57773.msg499189#msg499189

polonus

VirusTotal - 1.exe - 18/41
http://www.virustotal.com/analisis/3df9f9e4ed90e81a0e06dc3bc45948b87c5ab83fe05596c9aa511230bd65fa40-1272834709

VirusTotal - gopstop.exe - 27/41
http://www.virustotal.com/analisis/ed22894f75f9bfe7da29410f6df60d1d3c7e1fde8b6a0e3dd43dfcc8ef835ab5-1272834769

VirusTotal - ya_ebal.exe - 17/41
http://www.virustotal.com/analisis/cb29f9593184dc0f2b0f4dc9bdbb355950af7a6948c8e0091e9ef7b709cc46af-1272834778

VirusTotal - c14m_2.pdf - 25/41
http://www.virustotal.com/analisis/b81081f5c4aba134e651840afa12724053020a1858a02938b4303d36434a86e0-1272834817

VirusTotal - n81d.pdf - 24/41
http://www.virustotal.com/analisis/c306f3e68ec5637a8951c8f465cee6533d60c16d2bb6498359220272ac9478f1-1272835792

Hi Pondus,

1.exe was not detected by avast,

pol

I will send it… :wink:

Hi malware fighters,

Another zeus bot site; to locate it, see: http://www.geobytes.com/IpLocator.htm?
http://www.urlvoid.com/scan/iesahnaepi.ru
Zeus drop zone see: http://www.malwaredomainlist.com/mdl.php?search=iesahnaepi.ru
iesahnaepi.ru is on SURBL lists: PH WS
In the latest added list here: http://www.malwaredomains.com/wordpress/?p=1044
and here: iesahnaepi.ru fastflux atlas.arbor.net/summary/fastflux 20100615
in this list: http://dns-bh.sagadc.org/updates/20100615.txt (couple of days ago)
Additionally read this on the zeus bot threat:
http://securitywatch.eweek.com/exploits_and_attacks/understanding_man-in-the-browser_attacks.html

polonus

Hi malware fighters,

A Dutch zeusbot site found: http://www.robtex.com/ip/95.211.128.13.html

2010-06-21 22:38:03 (GMT 1)
Website: smokyegg.ru
Domain Hash: dba63d31663c8919d48b82e7583669a5
IP Address: 95.211.128.13
IP Hostname: -
IP Country: NL (Netherlands)
AS Number: 16265
AS Name: LEASEWEB LEASEWEB AS
Detections: 4 / 19 (21 %)
Status: DANGEROUS

See: http://support.clean-mx.de/clean-mx/viruses.php?review=95.211.128.13&sort=first%20desc
In combined blacklists:
http://rbls.org/95.211.128.13
On the same domain:
2010-06-12 04:12:31 (GMT 1)
Website: guygun.ru
Domain Hash: 7a6f064f46b700b1835732ea7e45d5d7
IP Address: 95.211.128.13
IP Hostname: -
IP Country: NL (Netherlands)
AS Number: 16265
AS Name: LEASEWEB LEASEWEB AS
Detections: 4 / 20 (20 %)
Status: DANGEROUS

Scanning site with: BrowserDefender CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MalwareDomainList CLEAN
Scanning site with: McAfee SiteAdvisor CLEAN
Scanning site with: McAfee Trusted Source DETECTED
Scanning site with: MyWOT DETECTED
Scanning site with: Norton SafeWeb CLEAN
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: Project Honey Pot CLEAN
Scanning site with: SpamCop CLEAN
Scanning site with: Spamhaus CLEAN
Scanning site with: SURBL DETECTED
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation DETECTED
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard CLEAN
Scanning site with: ZeuS Tracker CLEAN

On the reputation of Leaseweb Amsterdam: http://www.martinsecurity.net/2008/12/11/sources-of-badness-leaseweb/

So you had better block access to it; some block the whole IP range…
Another one of these is SINGLEHOP, see: http://google.com/safebrowsing/diagnostic?site=AS:32475&hl=en

polonus