
[liberationtech] Syrian-martyrs.com website probably compromised by virus - UPDATE

SiNA Rabbani sina at redteam.io
Wed Jan 30 09:05:13 PST 2013


Dear List,

Here are more details, with credit to Team Cymru:
http://www.team-cymru.org/

> C&C nodes for this version:
> 
> melaniibaby.no-ip.biz
> 173.0.10.52
> ghostsx.8866.org
> 192.168.11.1 (so not likely to connect)
> awrasx10.no-ip.biz
> 95.170.198.155


> Ah, we've seen this one before!  It first entered our collection on
> 2011-08-03 06:46:09 UTC.
> 
> It's tagged as malware by several AV packages, and some of the 
> malware tags include:
> 
> Win32/Bifrose.ZG
> VirTool.DelfInject.AF
> Worm.Rebhip.Gen.2
> Trojan:W32/Agent.DQKQ
> [ ... ]
> 
> It reaches out to:
> 
> 37.236.124.197:9999 TCP
> 173.0.10.52:9999 TCP
> 188.72.21.34:9999 TCP
> 
> It looks up:
> 
> awrasx10.no-ip.biz
> 
> It installs:
> 
> C:\WINDOWS\SysWOW64\sys\msns.exe 
> C:\Users\Administrator\AppData\Local\Temp\2.exe


All the best,
SiNA



-- 
“Be the change you want to see in the world.” Gandhi

OTR: inf0 at jabber.ccc.de
a5dae15f45a37e9768f6deae7b54807fc4942ec9
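The indicators quoted above are only useful once they are checked against something. The following is an added example, not part of SiNA's message or of Team Cymru's data: it loads the domains, addresses, port and file paths from the quoted notes into a small matcher and runs it over a handful of constructed DNS, firewall and process log lines (the log format, the 10.0.0.x client addresses and the timestamps are made up for the example). It also encodes the caveat the message itself makes: 192.168.11.1 is an RFC 1918 address, so matching on it would fire on ordinary LAN traffic and it is dropped from the address set by default.

```python
"""Match the Team Cymru indicators quoted in the message against sample logs."""
import ipaddress
import re

# Indicators transcribed from the quoted Team Cymru notes.
IOC_DOMAINS = {"melaniibaby.no-ip.biz", "ghostsx.8866.org", "awrasx10.no-ip.biz"}
IOC_ADDRESSES = {"173.0.10.52", "192.168.11.1", "95.170.198.155",
                 "37.236.124.197", "188.72.21.34"}
IOC_PORTS = {9999}
IOC_PATHS = {p.lower() for p in (
    r"C:\WINDOWS\SysWOW64\sys\msns.exe",
    r"C:\Users\Administrator\AppData\Local\Temp\2.exe",
)}


def usable_addresses(addresses):
    """Drop private / non-global addresses. The message notes 192.168.11.1
    is 'not likely to connect'; on a LAN it would only generate noise."""
    return {a for a in addresses if ipaddress.ip_address(a).is_global}


# Constructed log format (not from the page): "<ts> <kind> key=value ...".
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    ts, kind, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"], fields["kind"] = ts, kind
    return fields


def match_fields(fields, addresses):
    """Return (indicator_type, value) pairs that fire for one parsed line."""
    hits = []
    kind = fields["kind"]
    if kind == "dns":
        query = fields.get("query", "").rstrip(".").lower()
        if query in IOC_DOMAINS:
            hits.append(("c2_domain_lookup", query))
    elif kind == "fw":
        dst = fields.get("dst")
        if dst in addresses:
            hits.append(("c2_address", dst))
            # Port 9999/TCP is listed beside three of the addresses.
            if fields.get("proto") == "tcp" and int(fields.get("dport", 0)) in IOC_PORTS:
                hits.append(("c2_port", f"{dst}:{fields['dport']}"))
    elif kind == "proc":
        path = fields.get("path", "").lower()
        if path in IOC_PATHS:
            hits.append(("dropped_file", path))
    return hits


def scan(lines, addresses=None):
    """Scan log lines; returns (ts, source, indicator_type, value) tuples."""
    if addresses is None:
        addresses = usable_addresses(IOC_ADDRESSES)
    findings = []
    for line in lines:
        f = parse_line(line)
        source = f.get("client") or f.get("src") or f.get("host")
        for name, value in match_fields(f, addresses):
            findings.append((f["ts"], source, name, value))
    return findings


# Constructed sample logs for the example.
SAMPLE_LOGS = [
    "2013-01-30T09:00:01Z dns client=10.0.0.7 query=awrasx10.no-ip.biz type=A",
    "2013-01-30T09:00:02Z fw src=10.0.0.7 dst=173.0.10.52 dport=9999 proto=tcp action=allow",
    "2013-01-30T09:00:03Z fw src=10.0.0.9 dst=192.168.11.1 dport=80 proto=tcp action=allow",
    "2013-01-30T09:00:04Z dns client=10.0.0.9 query=www.example.com type=A",
    "2013-01-30T09:00:05Z fw src=10.0.0.7 dst=188.72.21.34 dport=443 proto=tcp action=allow",
    r"2013-01-30T09:00:06Z proc host=ws7 path=C:\Users\Administrator\AppData\Local\Temp\2.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

With the default address set, the 192.168.11.1 line on dport 80 is silent; pass `addresses=IOC_ADDRESSES` to see how much noise the private address would add on a real network. The DNS match on awrasx10.no-ip.biz is the strongest signal here, since the dynamic-DNS names will keep resolving to new addresses long after the listed IPs go stale.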