Network Shield: blocked access to malicious site apocalypt2.net

The Avast Network Shield is doing its job. The message shows up intermittently as well as whenever the PC is restarted. I’m running a virus scan now, but I couldn’t find any information on Google about what I’m up against. I also don’t know what information it’s trying to send out, so I’ve clipped the CCRC and MD5 fields. I can see it identifying me as W7 with IE8.

18.06.2010 09:09:02 Network Shield: blocked access to malicious site apocalypt2.net/main/gate.php?guid=Daniel!DANIEL-PC!3A529747&ver=10143&stat=ONLINE&cpu=24&ccrc=XXXXXXXXXXXX&md5=xxxxxxxx [ C:\Windows\Explorer.EXE ( 1344 ) ]
18.06.2010 09:39:28 Network Shield: blocked access to malicious site apocalypt2.net/main/gate.php?guid=Daniel!DANIEL-PC!3A529747&ver=10143&stat=ONLINE&ie=8.0.7600.16385&os=6.1.7600&ut=User&cpu=100&ccrc=XXXX&md5=XXXXX[ C:\Windows\Explorer.EXE ( 3544 ) ]

Any assistance would be appreciated.

Sidebar.exe, the W7 desktop gadgets process, and woot.exe, a sale tracking tool, are consuming as much CPU as they can get. They stay dead when I kill them.
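The two Network Shield lines quoted above carry more than a blocked URL: the query string is a beacon that reports the logged-in user, the machine name, a bot identifier, the OS and IE build, and the process (with its PID) that made the request. The following parser is an added example, not code from the original post or from Avast; it assumes the line layout exactly as pasted above (timestamp, fixed message, URL, then `[ <process path> ( <pid> ) ]`, with or without a space before the bracket) and uses the two lines from the post as constructed sample input. The CCRC/MD5 placeholders stay clipped, as the poster left them.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample input: the two Network Shield lines quoted in the post,
# with the CCRC/MD5 values already replaced by the poster's placeholders.
SAMPLE_LOG = r"""
18.06.2010 09:09:02 Network Shield: blocked access to malicious site apocalypt2.net/main/gate.php?guid=Daniel!DANIEL-PC!3A529747&ver=10143&stat=ONLINE&cpu=24&ccrc=XXXXXXXXXXXX&md5=xxxxxxxx [ C:\Windows\Explorer.EXE ( 1344 ) ]
18.06.2010 09:39:28 Network Shield: blocked access to malicious site apocalypt2.net/main/gate.php?guid=Daniel!DANIEL-PC!3A529747&ver=10143&stat=ONLINE&ie=8.0.7600.16385&os=6.1.7600&ut=User&cpu=100&ccrc=XXXX&md5=XXXXX[ C:\Windows\Explorer.EXE ( 3544 ) ]
"""

# Assumed line layout (taken from the two lines above): the URL runs up to the
# first "[" or whitespace; the second line has no space before the bracket.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) "
    r"Network Shield: blocked access to malicious site "
    r"(?P<url>[^\[\s]+)\s*\[\s*(?P<proc>.+?)\s*\(\s*(?P<pid>\d+)\s*\)\s*\]$"
)

# Fields the poster already clipped; everything else in the query is data the
# beacon reveals about the machine and is worth listing explicitly.
CLIPPED = {"ccrc", "md5"}


def parse_event(line):
    """Split one Network Shield line into host, path, query fields, process and PID."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    host_path, _, query = url.partition("?")
    host = host_path.split("/", 1)[0]
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    # In these lines guid is "<user>!<machine name>!<id>"; only split if it has that shape.
    guid_parts = params.get("guid", "").split("!")
    user, machine = (guid_parts[0], guid_parts[1]) if len(guid_parts) == 3 else (None, None)
    return {
        "ts": m.group("ts"),
        "host": host,
        "path": host_path[len(host):],
        "params": params,
        "user": user,
        "machine": machine,
        "process": m.group("proc"),
        "pid": int(m.group("pid")),
    }


def summarize(log_text):
    """Group events per contacted host: hit count, PIDs seen, processes, leaked fields."""
    events = [e for e in (parse_event(line) for line in log_text.splitlines()) if e]
    by_host = defaultdict(lambda: {"count": 0, "pids": set(), "procs": set(), "leaked": set()})
    for e in events:
        s = by_host[e["host"]]
        s["count"] += 1
        s["pids"].add(e["pid"])          # a new PID each time means the beacon survives restarts
        s["procs"].add(e["process"])     # the hollowed/abused process, here Explorer.EXE
        s["leaked"].update(k for k in e["params"] if k not in CLIPPED)
    return events, dict(by_host)


if __name__ == "__main__":
    events, hosts = summarize(SAMPLE_LOG)
    for e in events:
        print(e["ts"], e["host"] + e["path"], "user=%s machine=%s pid=%d" % (e["user"], e["machine"], e["pid"]))
    for host, s in hosts.items():
        print(host, "hits=%d pids=%s leaked=%s" % (s["count"], sorted(s["pids"]), sorted(s["leaked"])))
```

Run against the two pasted lines, `summarize()` reports one host (`apocalypt2.net`) hit twice from `C:\Windows\Explorer.EXE` under two different PIDs, and the leaked fields include `guid` (user and machine name), `ver`, `stat`, `cpu`, `ie`, `os` and `ut`. Feeding the full Avast log through the same function shows whether any other host or process is beaconing, which is the first thing to check before deciding the cleanup is complete.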

Well, from what I see there is something on your system, hidden/undetected, using explorer.exe to try to connect to the malicious sites. I have explorer.exe blocked from having any internet access in my firewall.

Yes, it is possible to type a URL into the Windows Explorer address window legitimately, but it is highly unusual, and personally, if I needed to do that, I would use my browser directly.

So it may be worth scanning with some other tools and seeing if we can find it:
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Also available is a portable version of SAS, http://www.superantispyware.com/portablescanner.html, no installation required.

The apocalypt2.net site is considered malicious by more than just avast:
http://www.malwareurl.com/submit.php/listing.php?domain=apocalypt2.net
http://www.mywot.com/en/scorecard/apocalypt2.net
http://www.freepcsecurity.co.uk/2010/01/22/malicious-sites-january-22/

Hi suteneko,

The site is classified as dangerous:

Report 2010-06-18 22:24:17 (GMT 1)
Website apocalypt2.net
Domain Hash c707f7fef6905d189469fbc858e88eca
IP Address 67.215.237.19 [SCAN]
IP Hostname 67.215.237.19.static.quadranet.com
IP Country US (United States)
AS Number 29761
AS Name OC3-NETWORKS-AS-NUMBER - OC3 Networks & Web S…
Detections 4 / 19 (21 %)
Status DANGEROUS

But here is the daily dirt clean out at Malware Domains forum:
http://www.malwaredomainlist.com/forums/index.php?action=search2

polonus

I have the same error when I visit this site http://gf.wiretarget.com/ and can’t get in :( and I’ve been using this site for a long time, so I don’t think there are viruses there :)

Hi andhrew,

URLVoid gives it as clean here:
Report 2010-05-24 03:52:42 (GMT 1)
Website gf.wiretarget.com
Domain Hash b9e5a380da17a7aa5d7f2b5f74c9dd54
IP Address 85.17.254.171
IP Hostname -
IP Country NL (Netherlands)
AS Number 16265
AS Name LEASEWEB LEASEWEB AS
Detections 0 / 9 (0 %)
Status CLEAN
Here is the robtex info on it: http://www.robtex.com/dns/gf.wiretarget.com.html
I get a <urlopen error (-2, ‘Name or service not known’)> error there

Blacklists

md5:4d236d9a2d102c5fe6ad1c50da4bec50:com
md5:e5bb23797bfea314a3db43d07dbd6a74:gf
md5:0f9fc940c9560382708edc58daf39ed5:gf.wiretarget
md5:b9e5a380da17a7aa5d7f2b5f74c9dd54:gf.wiretarget.com
md5:b339edd6be6d93c84bf68e0340f6eff7:gfwiretarget
md5:af3f33c6911c2649b500e4a110639625:gfwiretargetcom
md5:4fa3f14318cf3b494b0b1516dc677113:wiretarget
md5:9355b07b90d627253f5438c689cedb7e:wiretarget.com
md5:5e8dd3733ff7fead6b399b5e44d8bae9:wiretargetcom

Network Shield blocks the site because of this malware found there:

Threat Name: Backdoor.Graybird
Location: htxp://gf.wiretarget.com/zt/Zoo_Tycoon_Complete_Collection_No-CD_Patch.rar
Name: Backdoor.Graybird BackDoor.Small.4.A AVG
BackDoor.Generic5.CGE AVG
BackDoor.Generic3.HNM AVG
BackDoor.Generic3.LTC AVG
BackDoor.Generic3.LVU AVG
BackDoor.Delf.141 AVG
BackDoor.Graybird.2.T AVG
BackDoor.Generic3.NPU AVG
BackDoor.Delf.BL AVG
Generic.Graybird.76007C40 BitDefender
Packer.Malware.NSAnti.CI BitDefender
Generic.Graybird.855A14A4 BitDefender
Backdoor.Hupigon.AZU BitDefender
Backdoor.Hupigon.CKB BitDefender
Generic.Graybird.52DBC5E9 BitDefender
Backdoor.Hupigon.MX BitDefender
Backdoor.Graybird.ZI BitDefender
Backdoor.Delf.AXH BitDefender
Generic.Graybird.A7544E5C BitDefender
Win32.GrayBird.py eSafe
Win32.GrayBird.bn eSafe
Win32.GrayBird.ma eSafe
Win32.GrayBird.lz eSafe
Win32.GrayBird.c eSafe
Suspicious File eSafe
Win32.GrayBird.dt eSafe
Win32.Delf.axh eSafe
suspicious Trojan/Worm eSafe
Backdoor.Win32.GrayBird.am Kaspersky
Backdoor.Win32.Hupigon.afyj Kaspersky
Backdoor.Win32.GrayBird.bn Kaspersky
Backdoor.Win32.GrayBird.ahn Kaspersky
Backdoor.Win32.GrayBird.lz Kaspersky
Backdoor.Win32.GrayBird.c Kaspersky
Backdoor.Win32.GrayBird.aq Kaspersky
Backdoor.Win32.GrayBird.ds Kaspersky
Backdoor.Win32.Delf.bku Kaspersky
BackDoor-AWQ.b McAfee
Generic.eo McAfee
BackDoor-AWQ McAfee
BackDoor-AUT McAfee
BackDoor-ARR McAfee
Generic BackDoor McAfee
Backdoor:Win32/Hupigon Microsoft
RemoteAccess:Win32/HGZ Microsoft
Win32/GreyBird.PY NOD32
Win32/GrayBird.AM NOD32v2
probably Win32/Hupigon NOD32v2
Win32/Hupigon NOD32v2
Win32/Delf.EB NOD32v2
Win32/GreyBird NOD32v2
probably Win32/Delf NOD32v2
Backdoor Program.AP Panda
Bck/Hupigon.BCV Panda
Bck/Graybird.IO Panda
Bck/Hupigon.XJ Panda
Bck/Hupigon.AJC Panda
Bck/Iroffer.BG Panda
Bck/Graybird.N Panda
Bck/Graybird.L Panda
Trj/Downloader.MDW Panda
Suspicious file Panda
Backdoor.GrayBird!sd5 PCTools
Backdoor.GrayBird.AB PCTools
Backdoor.Graybird Symantec
Backdoor.Graybird!Gen Symantec
Backdoor.Delf Symantec
Backdoor.Trojan Symantec
Backdoor.GrayBird.D Symantec
Trojan Horse Symantec
Mal_HPGN-1 TrendMicro
Type: Virus
MD5: 03e22be932c60f836a01593146ad8db9
093e35e96a76123bd23496c89bbb5816
0d2cd6dbfa233b1a664ff2fd84468564
10d2edc5685017e20a37a0e012e56bbf
1cf99ee8813686c43aa6ce9c404cc5ee
2758a4e83ed3d4bb46e8530fbbca9ab5
2cdb19d106db37098ec80bb276fe617d
3b14170c4773c99fb29e7ef74c1b7ec0
3d80f73c7f70f24ec219f7dce5d7764d
5f8c56160714698da9ab396e9d5f43d1
6f351e8c155abce0c2c9be22d1279a30
8bb663fd92a8ee3dc3805de73ca734c0
8d935cc1dd1eaa334c97a0f8dd7a1a21
bcd0775ca686c5aea68ce549022b294a
d4d059742ee19f25521df98f94043c84
da692175cdd8907aaf3cf599eebe5da9
db50567c48687a4ffad887a07f95c6c3
dd18809874748a4fe6b7249cd3567c95
deb72838f690833c7faf56c5061ef229
ec06f7c559f44193519720974dd9a8d4
eda252cb2c5a0356eb79853752b695f4
f4d04ca42e826e0ad71bd7cebbb69ad2
Registry Key(s): SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\RAVMOND
Filename(s): brc_Server.dll
brc_Server.exe
explore.exe
Explorer.exe
GrayPigeon.exe
malware.exe
malware.exe
malware.exe
malware.exe
malware.exe
malware.exe
malware.exe
malware.exe, Hacker.com.cn.exe
malware.exe, Server.exe
malware.exe, Server1.2.exe
malware.exe, VPort1.1.exe
NtServer.exe
prsvr.exe
Server.DLL
services.exe
WINDOWS111.exe
Windows32.dll

polonus
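The robtex "Blacklists" section quoted in the post above lists nine `md5:<hash>:<label>` entries for gf.wiretarget.com, and the URLVoid "Domain Hash" for the full hostname is the same value as the robtex entry for `gf.wiretarget.com`. Hashed-hostname lists like that are queried by hashing every label combination of a name and looking each digest up, so that the list itself never has to contain cleartext domains. The block below is an added example, not code from the original post, robtex or URLVoid; it assumes the nine labels are built the way the quoted list shows (every run of adjacent labels, both dotted and with the dots stripped), and it assumes each hash is a plain MD5 of that label string, which it checks against the values pasted in the post rather than taking for granted.

```python
import hashlib

# Copied from the robtex "Blacklists" section quoted in the post above.
PAGE_HASHES = {
    "com": "4d236d9a2d102c5fe6ad1c50da4bec50",
    "gf": "e5bb23797bfea314a3db43d07dbd6a74",
    "gf.wiretarget": "0f9fc940c9560382708edc58daf39ed5",
    "gf.wiretarget.com": "b9e5a380da17a7aa5d7f2b5f74c9dd54",
    "gfwiretarget": "b339edd6be6d93c84bf68e0340f6eff7",
    "gfwiretargetcom": "af3f33c6911c2649b500e4a110639625",
    "wiretarget": "4fa3f14318cf3b494b0b1516dc677113",
    "wiretarget.com": "9355b07b90d627253f5438c689cedb7e",
    "wiretargetcom": "5e8dd3733ff7fead6b399b5e44d8bae9",
}


def label_variants(hostname):
    """Every run of adjacent labels, dotted and (for runs of 2+) with dots removed.

    This reproduces the nine labels the quoted list shows for gf.wiretarget.com;
    that it is the rule robtex uses is an assumption drawn from that list.
    """
    labels = hostname.lower().strip(".").split(".")
    variants = set()
    for i in range(len(labels)):
        for j in range(i + 1, len(labels) + 1):
            run = labels[i:j]
            variants.add(".".join(run))
            if len(run) > 1:
                variants.add("".join(run))
    return sorted(variants)


def hashed_keys(hostname):
    """Map each label variant to the MD5 lookup key a hashed blacklist would be queried with."""
    return {v: hashlib.md5(v.encode("ascii")).hexdigest() for v in label_variants(hostname)}


def compare_to_page(hostname, page_hashes):
    """True per label when our MD5 matches the value pasted in the post, False otherwise."""
    ours = hashed_keys(hostname)
    return {label: ours.get(label) == digest for label, digest in page_hashes.items()}


if __name__ == "__main__":
    for label, digest in hashed_keys("gf.wiretarget.com").items():
        print("md5:%s:%s" % (digest, label))
    print(compare_to_page("gf.wiretarget.com", PAGE_HASHES))
    # The same rule applied to the site from the first post in this thread.
    print(hashed_keys("apocalypt2.net"))
```

The check is deliberately two-sided: `label_variants()` must reproduce exactly the labels the post lists (in the same sorted order), and `compare_to_page()` then tells you whether the digests are plain MD5 of those strings or whether the service salts or normalises them differently. Either answer is useful; only the label set is something the quoted list lets us be certain of.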

Hi malware fighters,

This is the nine-ball massive attack described here: http://www.letsgowings.com/forums/index.php/topic/63455-for-those-experiencing-malwareattack-site-warnings/

polonus

MBAM found cleansweep. Removing it has stopped the warnings.

A full scan of my hard drives with Avast, MBAM, and SAS hasn’t found the source of the trojan. I’m a bit concerned. I wouldn’t be tricked into running a trojan unless it was packaged with some other software, but Avast usually catches those. It’s possible that my girlfriend had been tricked, but she’s usually pretty sharp.

What else can I do to ensure my system is safe?

And what should I do with all this, because I have no idea? ;D

Hi andhrew,

Do not go there; also read our other reports here, for instance: http://safeweb.norton.com/report/show?url=gf.wiretarget.com&x=13&y=8
How can you trust a site with game key-generators?
We posted on that issue before; at least YoKenny reported here: http://forum.avast.com/index.php?topic=49572.msg419328#msg419328
There is a virus there, as threats were found: 1

Threat Name: Backdoor.Graybird
Location: htxp://gf.wiretarget.com/zt/Zoo_Tycoon_Complete_Collection_No-CD_Patch.rar

And malicious sublinks found: ads.clicksor.com Malicious software includes 11 exploits, 5 trojans.

This site was hosted on 21 network(s) including AS174 (COGENT), AS26347 (DREAMHOST), AS24940 (HETZNER).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, ads.clicksor.com appeared to function as an intermediary for the infection of 34 sites including rarbg.com/, somaliweyn.com/, filmeaz.com/.

General advice: do not venture out there. As a bonus, here is a video of how Backdoor.Graybird is made; it took them only three minutes:
http://www.youtube.com/watch?v=s9RL2KcaUTE

polonus