Is this a Dofoil botnet controller?

Found IP as Trojan downloader Dofoil.D / Trojan Ransom Dofoil botnet controller AT 178.18.244.158 (inline dot de)
See: http://urlquery.net/report.php?id=111646
htxp://gamingofthecentury.net/redeem.php
htxp://gamingofthecentury.net/steps.php
htxp://gamingofthecentury.net/beta.htm
htxp://gamingofthecentury.net
malicious link there: http://fileice.net/gateway/mygate.php?id≈ 45755479416869426d51553d
[decodingLevel=0] found JavaScript
error: line:7: TypeError: /^\w+:///?[^/]+/.exec(C) is null from fileice.net/js/LAB.min.js - (contact module handler code)

polonus

Dofoil botnet: this bulletproof server played a central role. Re: http://www.mywot.com/en/scorecard/ecatel.net
Part of the botnet was brought down by authorities. For servers, also see: http://www.malwareurl.com/ns_listing.php?ip=69.25.32.7
IDS rules for this botnet:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Dofoil.L Checkin"; flow:to_server,established; uricontent:"/index.php?cmd="; uricontent:"&login="; uricontent:"&ver="; uricontent:"&bits="; reference:url,www.threatexpert.com/report.aspx?md5=47f2b8fcc2873f4dfd573b0e8a77aaa9; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDofoil.L&ThreatID=-2147317615; classtype:trojan-activity; sid:2013917; rev:4;)

polonus
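
An added example, not part of the original post: the four `uricontent` matches of the rule above applied to stored proxy logs, for checking past traffic for the same check-in pattern. The log format, host names, client addresses and parameter values are constructed for illustration, and percent-decoding stands in for the IDS's URI normalization.

```python
from urllib.parse import unquote, urlsplit

# The four uricontent patterns from the rule (sid:2013917). Without "nocase"
# they are case-sensitive; all must be present, in any order.
CHECKIN_PATTERNS = ("/index.php?cmd=", "&login=", "&ver=", "&bits=")

# Constructed sample log (assumed format: time client method url).
SAMPLE_LOG = """\
2012-07-01T10:00:01 10.0.0.5 GET http://c2.example.test/index.php?cmd=AAA&login=BBB&ver=1&bits=0
2012-07-01T10:00:02 10.0.0.6 GET http://www.example.test/index.php?page=about
2012-07-01T10:00:03 10.0.0.7 GET http://c2.example.test/index.php?cmd=AAA%26login=BBB&ver=2&bits=1
2012-07-01T10:00:04 10.0.0.8 GET http://shop.example.test/index.php?cmd=view&login=me&ver=3
malformed line
"""

def uri_of(url):
    """Return path plus query, percent-decoded (approximates URI normalization)."""
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return unquote(uri)

def matches_checkin(url):
    """True when every rule pattern occurs in the normalized URI."""
    uri = uri_of(url)
    return all(pattern in uri for pattern in CHECKIN_PATTERNS)

def hunt(log_text):
    """Return (timestamp, client, destination host) for each matching request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        timestamp, client, _method, url = fields
        if matches_checkin(url):
            hits.append((timestamp, client, urlsplit(url).hostname))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

The third sample line matches only after decoding `%26`, and the fourth is skipped because `&bits=` is absent.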

Hi Pol,
Can you give me an MD5 of a Ransomware variant they (used) to serve at this site? Can be anything but Ransomware!
Thanks in advance.

Hi Left123,

Provided you with some MD5 in a PM. By the way, avast Web Shield protects us from this malware as JS:ScriptPE-inf[Trj].

polonus