Malware hosted on AGAIN!

Published: 2007-08-15
Last Updated: 2007-08-15 21:07:56 UTC
by donald smith (Version: 2)
0 comment(s)

If you google for you will find LOTS of “script” links to:

http://l61DOT3322DOTorg/eDOTjs. That first character is a lower-case L, not the digit 1.

Be careful: that JavaScript attempts to exploit vulnerabilities in some browsers.

Fellow Handler BojanZ stated this about that malicious piece of JavaScript:

“The attached JS file calls other JS files (from various servers). At
least one of them tries to exploit an old vulnerability (MS06-014 -
Microsoft Data Access Components (MDAC)). Other JS files redirect the
browser to different sites:


(these are click-through affiliate web sites)” is a dynamic DNS provider and has hosted malware several times in the past, including an element of the zero-day Word exploit that was reported in 05-2005.

It was also used as the FTP download site for a SAV-based worm in 12-2005.

Thanks Bryan and Evan for bringing this to our attention.
I recommend you monitor your IDS, firewall and other logs for access to l61DOT3322DOTORG. If you see any access, check the systems that accessed it for malware. You may decide to block that site within your enterprise; many enterprise and educational networks did block it during the Word zero-day exploit in 2005.

UPDATE: Jose Nazario of Arbor Networks provided the following analysis:
“e.js fetches http://l61dot3322dotorg/hxw/wmm.htm which has iframes pointing to and http://l61dot3322dotorg/hxw/IE.htm

0614.HTM exploits ADODB.Stream()

IE.HTM exploits the following:
Exploited software                          CVE ID (blank means no CVE match was found)
RDS.Dataspace (MS06-014)                    CVE-2006-0003
Microsoft WMIScriptUtils.WMIObjectBroker    CVE-2006-4704
Outlook Data Object
Business Object Factory

After exploiting those vulnerabilities they BOTH download and run http://l61dot3322dotorg/hxw/qq.exe
That in turn downloads two more files.
AV vendors that did not detect these are not listed.
AV engine                  Country      Signature
Avira (antivir)                 DE     HEUR/Crypted
ClamAV                                 Trojan.Crypted-4
F-Secure                        FI     Hupigon.gen130
Ikarus                          AT     Backdoor.VB.EV

Norman                          NO     Hupigon.gen130
Securecomputing (webwasher)     US     Heuristic.Crypted
Sunbelt                         US     VIPRE.Suspicious

Aladdin (esafe)                 IL     Suspicious Trojan/Worm
Avira (antivir)                 DE     TR/Dldr.Delf.ALF.2
BitDefender                     RO     Trojan.Downloader.Delf.ALF
CAT (quickheal)                 IN     TrojanDownloader.Delf.bfu
Eset (nod32)                    US     Win32/TrojanDownloader.Delf
Fortinet                        US     W32/Delf.ALF!tr.dldr
F-Secure                        FI     Trojan-Downloader.Win32.Delf.bfu
Ikarus                          AT     Trojan-Downloader.Delf.ALF
Kaspersky                       RU     Trojan-Downloader.Win32.Delf.bfu
Panda                           ES     Trj/Downloader.PAG
Prevx                           GB     Trojan.DownZero
Securecomputing (webwasher)     US     Win32.ModifiedUPX.gen!90 (suspicious)
Sophos                          GB     Mal/Basine-C
VirusBlokAda (vba32)            BY     Trojan-PSW.Game.63 ()
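The staged structure described in the analysis above (a loader script pulling a page, that page framing further pages, those pages naming an executable) is the kind of chain an analyst wants mapped without letting a browser execute any of it. The following is an added example, not code from the diary or from Arbor Networks: a purely static, offline walker that pulls script src, iframe src and quoted http URLs out of already-captured content and records the parent-to-child edges. The page contents below are constructed stand-ins that follow the diary's file names but contain no exploit code; the 0614.htm iframe target, the ie2.js script and the fetch callback are assumptions of this example. Because it only reads literal strings, it will miss URLs that obfuscated JavaScript builds at run time; that is the expected limitation of static extraction.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

# Constructed stand-in for captured pages. Keys are the URLs the diary names
# (plus the assumed 0614.htm and ie2.js); the bodies are invented for this
# example and carry only the references between stages, nothing executable.
FAKE_FETCH: Dict[str, str] = {
    "http://l61.3322.org/e.js":
        "document.write('<iframe src=\"http://l61.3322.org/hxw/wmm.htm\" "
        "width=0 height=0></iframe>');",
    "http://l61.3322.org/hxw/wmm.htm":
        '<html><iframe src="0614.htm"></iframe>'
        '<iframe src="http://l61.3322.org/hxw/IE.htm"></iframe></html>',
    "http://l61.3322.org/hxw/0614.htm":
        '<script>var u="http://l61.3322.org/hxw/qq.exe";</script>',
    "http://l61.3322.org/hxw/IE.htm":
        '<script src="http://l61.3322.org/hxw/ie2.js"></script>'
        '<script>var u="http://l61.3322.org/hxw/qq.exe";</script>',
}

# What to pull out of a page: script sources, iframe sources and any quoted
# absolute http(s) URL sitting in script text. Order matters only for the
# label a URL gets when more than one pattern finds it.
REF_PATTERNS = [
    ("script",  re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)),
    ("iframe",  re.compile(r"<iframe[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)),
    ("literal", re.compile(r"[\"'](https?://[^\"'\s<>]+)[\"']", re.I)),
]


def extract_refs(base_url: str, content: str) -> List[Tuple[str, str]]:
    """Return (kind, absolute_url) pairs referenced by one page, relative
    paths resolved against the page's own URL, each URL reported once."""
    refs: List[Tuple[str, str]] = []
    seen = set()
    for kind, pat in REF_PATTERNS:
        for m in pat.finditer(content):
            url = urljoin(base_url, m.group(1))
            if url not in seen:
                seen.add(url)
                refs.append((kind, url))
    return refs


def map_chain(start_url: str,
              fetch: Callable[[str], Optional[str]],
              max_depth: int = 5) -> List[Tuple[str, str, str]]:
    """Breadth-first walk from the loader, recording (parent, kind, child)
    edges. `fetch(url)` returns captured content or None when the analyst
    has no copy; with FAKE_FETCH.get nothing ever touches the network.
    max_depth bounds the walk so a self-referencing page cannot loop."""
    edges: List[Tuple[str, str, str]] = []
    visited = {start_url}
    queue = [(start_url, 0)]
    while queue:
        url, depth = queue.pop(0)
        content = fetch(url)
        if content is None or depth >= max_depth:
            continue
        for kind, child in extract_refs(url, content):
            edges.append((url, kind, child))
            if child not in visited:
                visited.add(child)
                queue.append((child, depth + 1))
    return edges


def unfetched_urls(edges: List[Tuple[str, str, str]],
                   fetch: Callable[[str], Optional[str]]) -> List[str]:
    """URLs the chain refers to but for which no capture exists: the
    analyst's to-do list (here the dropped executable and a script)."""
    return sorted({child for _, _, child in edges if fetch(child) is None})


if __name__ == "__main__":
    chain = map_chain("http://l61.3322.org/e.js", FAKE_FETCH.get)
    for parent, kind, child in chain:
        print(f"{parent} --{kind}--> {child}")
    print("not captured:", unfetched_urls(chain, FAKE_FETCH.get))
```

Run against the constructed captures it prints six edges, e.js framing wmm.htm, wmm.htm framing both 0614.htm and IE.htm, and each of those naming qq.exe, with qq.exe and ie2.js left over as the pieces still to be obtained. To use it on real captures, replace FAKE_FETCH.get with a function that reads files saved by a non-executing fetch (wget or curl from an isolated host), never a browser.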


