Infected Site (dropper)

hxxp://onekong.osa.pl/showthread.php?t=12510010

GET /showthread.php?t=3 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_27
Host: onekong.osa.pl
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Dec 2011 13:20:24 GMT
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=n3thcapetc4fgnp9mqkqaq90l1; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Accept-Ranges: bytes
Content-Transfer-Encoding: binary
Content-Length: 19968
Content-Disposition: inline; filename=setup.exe

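As an added example (not code posted in this thread), the following Python function triages a captured request/response pair of the same shape as the one above and lists the header combinations a defender would flag: a script URL returning application/octet-stream, a Content-Disposition naming an executable, a Java runtime user-agent fetching a binary, and the MIME-only Content-Transfer-Encoding header that PHP download snippets commonly emit. The sample messages are constructed here and modelled on the quoted headers; the host name and session id are placeholders, not the ones from the capture.

```python
"""Triage a captured HTTP request/response pair for dropper-style indicators.

Added example, not taken from the forum thread. Sample messages below are
constructed (placeholder host, placeholder cookie) and only mirror the header
layout of the quoted capture.
"""
from typing import Dict, List, Tuple

Headers = Dict[str, str]

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".com", ".pif")
SCRIPT_SUFFIXES = (".php", ".asp", ".aspx", ".jsp", ".cgi")

# Constructed request, modelled on the capture (host and cookie are placeholders).
SAMPLE_REQUEST = """GET /showthread.php?t=3 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_27
Host: example.invalid
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
"""

# Constructed response, modelled on the capture.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Connection: keep-alive
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=placeholdersessionid; path=/
Cache-Control: no-cache
Pragma: no-cache
Accept-Ranges: bytes
Content-Transfer-Encoding: binary
Content-Length: 19968
Content-Disposition: inline; filename=setup.exe
"""

# Constructed benign response to the same URL, for comparison.
BENIGN_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Content-Length: 512
"""


def parse_http_message(raw: str) -> Tuple[str, Headers]:
    """Split one HTTP message into its start line and a lowercase-keyed header map."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    start_line = lines[0]
    headers: Headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers


def disposition_filename(disposition: str) -> str:
    """Pull the filename parameter out of a Content-Disposition value ('' if absent)."""
    if "filename=" not in disposition:
        return ""
    return disposition.split("filename=", 1)[1].split(";")[0].strip().strip('"')


def triage_exchange(request_raw: str, response_raw: str) -> List[str]:
    """Return the list of dropper-style indicators found in the request/response pair."""
    req_line, req_hdrs = parse_http_message(request_raw)
    _, resp_hdrs = parse_http_message(response_raw)
    indicators: List[str] = []

    # Request line: METHOD SP request-target SP version; drop the query string.
    target = req_line.split(" ")[1] if " " in req_line else ""
    path = target.split("?")[0].lower()
    ctype = resp_hdrs.get("content-type", "").lower()
    is_binary = ctype.startswith("application/octet-stream")
    user_agent = req_hdrs.get("user-agent", "").lower()
    filename = disposition_filename(resp_hdrs.get("content-disposition", "").lower())

    if path.endswith(SCRIPT_SUFFIXES) and is_binary:
        indicators.append("script URL serving application/octet-stream")
    if filename.endswith(EXECUTABLE_SUFFIXES):
        indicators.append("Content-Disposition names an executable: " + filename)
    if is_binary and "java/" in user_agent:
        indicators.append("Java runtime user-agent downloading a binary")
    if "content-transfer-encoding" in resp_hdrs:
        # A MIME (e-mail) header, not an HTTP one; typical of PHP file-serving snippets.
        indicators.append("MIME-only Content-Transfer-Encoding header present")
    return indicators


if __name__ == "__main__":
    for hit in triage_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print("INDICATOR:", hit)
    print("benign response indicators:", triage_exchange(SAMPLE_REQUEST, BENIGN_RESPONSE))
```

None of these indicators is conclusive on its own (legitimate download scripts produce some of them), so the function returns the full list rather than a verdict; in a proxy log review, two or more hits on one exchange is the pattern worth pulling the payload hash for.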
Hi razoreqx,

Apparently your find, well done!: http://www.virustotal.com/file-scan/report.html?id=38adefa9bdccd96a1170ba1088f4e0812e7f8ddd67ac6c5830a06ab464e787b2-1323178591
and
http://www.virustotal.com/url-scan/report.html?id=89022a9d502268987b6949c0e4f62ee0-1323177722
Avast detects as Win32:Downloader-LRM [Trj]

But apparently the malware was taken down or migrated (at 91.208.142.55 mdl_Blackhole exploit = dead); at 184.107.53.150 various unknown_html_RFI_php found, some live, most dead (according to a domain search at clean-mx).

polonus