TrojanGenericKD downloader (startpage) 播放器_280_3.exe undetected?

These scan results show up as suspicious:
https://www.virustotal.com/nl/url/dc75b08259f966365f5fa2ac8402d9cdefdd01d55733468b102fe5e77236e87b/analysis/1381492671/
https://www.virustotal.com/nl/file/19507c2cf95219119700610bb410ecf084f55d39c1799f9259e6f484e9fa3af0/analysis/1381418607/ (4 flag)
and IDS alerts here: http://urlquery.net/report.php?id=6606855
Detected and blacklisted: http://trafficlight.bitdefender.com/info?url=http://frbb9.kdsortak.net
http://www.quttera.com/#online url malware scanner gives an "unreachable"
The download is not flagged by avast, see: http://anubis.iseclab.org/?action=result&task_id=1af329a45a14711e42d91e2906f90dd55&format=html
Infostealer trojan like TrojanGeneric.KD - see hosts such as
publicdown.b0.upaiyun dot om
urlico.b0.upaiyun dot com
tongji.lssen dot com
aia.wosign dot com (registrar see: http://www.mywot.com/en/scorecard/wosign.com?utm_source=addon&utm_content=popup-donuts 2 yellow flags - also existing risks of abuse)

polonus

I’ll run this through a Virtual Machine… Avast didn’t say anything for me. Latest defs. Avast! may however block it via the shields when being executed.

Let’s do some fighting

I have a pack of malware with 24 files one of them was detected yesterday. And one was blocked by deep screen which was not blocked before. Do you have a 32 or 64 bit vm?

64… I just launched it… The following files are in here

Internet ShortCut
Icon (X3)
Chrome HTML
2 Applications (Kuplay.exe and Unist.exe).

Running through VT

Note: I’ve checked Task Manager. No rogue processes under any Chinese names. Another note: when launched it comes up with 1 page. I got rid of it. It was a porn page though. If I had to guess: malware infected. Most likely bots and ransomware. Didn’t check it.

IE Shortcut site: Down XXX.kuplay.cc

VT scans: https://www.virustotal.com/en/file/1aea1c050dfe6f8be3abc39776d466ce11dc3b86b777b0ffab71aee0d498a16f/analysis/1381496690/

And

https://www.virustotal.com/en/file/8a4ba5b869204082cce6e1cb76c4a7c8d73dce7a01ede38b38c1b4bd598794ac/analysis/1381496697/

I will look at them later. I’m writing this via mobile phone.

hxxp://ailiao.liaoban.c0m/xszd/index.html

Another site. It’s definitely malicious. It’s attempting to launch scripts.

MBAM scan log from the VM

hxxp://frbb9.kdsortak .net/a3033_280_7.exe (sha: 95DE3CF9CBB3F82FDFE4A5FEFA3EEB4FC65D46EA268D929918F5F2FB43D7696C) already detected by Evo-gen
hxxp://ailiao.liaoban .com/xszd/index.html is blacklisted
also connects to hxxp://wwwlfyl.liufen .com/x/lb/yx/xiaomini/r/index.html (also blacklisted by avast).
I will continue to analyze; if I find something, I will share :-).
Edit: hxxp://20131011215341286.xyx08 .com/kan/bind/798_bind_4.exe (sha: 07D54A1D3F4CDE347FA50565D5816F17F957BDCCBE9E5958F45B23317CC0A84A) blocked by Network shield.
Now it added 3 addons for IE.
Also, I did not have such a mess in my VM for a long time:-)

MY VM isn’t in too bad of shape. I closed it down to do some more gaming… I’ll take more looks at it later.

Hi alan1998 and HonzaZ,

Right you two are, "this is an unwanted Interwebs’ bus stop": https://www.virustotal.com/nl/ip-address/123.157.215.221/information/
Also see here: https://www.virustotal.com/nl/domain/web.liaoban.com/information/ (low detection rate)
but nothing flagged here: http://quttera.com/detailed_report/web.liaoban.com & http://www.urlvoid.com/scan/web.liaoban.com/

Well, these are bad scan results: “custom errors fail”, i.e. the requested URL contains the heading “Server Error in”
etc ->: https://asafaweb.com/Scan?Url=web.liaoban.com
also other insecurities there, that could be exploited/abused (excessive header info spread, clickjacking vulnerability).

polonus

I added some detections for the PE files, as well as blocked some more URLs, just to be sure.

:slight_smile:

File is alerted by the cloud protection.

And the downloaded file is running just fine.

And it’s starting to download garbage.

English please.

'Nother site. hXXp://www.kaixin200.com/tid/1/934.html
hxxp://www.kaixin200.com/tid/3/935.html

Add that one too, please note the URL is different.

I only have a German ISO for Windows but I will install the English language in Avast soon.

The last part confirmed. I believe there is a clickjacker on the VMware. Saw it somewhere. Will re-check.

And it’s opening the browser now…

URL: hxxp://1381507490746.v.ttkanba.com/tuiguang/z001_0305.html?id=5&uid=8153&sid=0&tid=3&rd=1381507490746

Weird processes are running, and Popups appear.

And I have something in the system tray now.

And here are other Popups.

The virus is showing signs of being a hybrid. It was attempting to connect to my home network. I’ve wiped its existence off my computer. Little too dangerous for me… I don’t have the knowledge you guys possess. Sorry…

Also, Steven, if you’re married, be careful: there are numerous porn pop-ups that await you…

And the computer accessed the page which alan1998 was talking about.

And this URL opened too: http://www.fuchengyule.com/

And the VM is really slow now.

And here are some interesting Screenshots

I don’t have a home network here.