Last Updated: 2007-08-15 21:07:56 UTC
by donald smith (Version: 2)
If you google for l61.3322.org you will find LOTS of “script” links to:
http://l61DOT3322DOTorg/eDOTjs. That first letter is a lower case L not a 1.
Be careful: that JavaScript attempts to exploit vulnerabilities in some browsers.
Fellow Handler BojanZ stated this about that malicious piece of JavaScript:
“The attached JS file calls other JS files (from various servers). At
least one of them tries to exploit an old vulnerability (MS06-014 -
Microsoft Data Access Components (MDAC)). Other JS files redirect the
browser to different sites:
(these are click through affiliate web sites)”
3322.org is a dynamic DNS provider and has hosted malware several times in the past, including an element of the zero-day Word exploit that was reported in 05-2005. It was also used as the FTP download site for a SAV-based worm in 12-2005.
Thanks Bryan and Evan for bringing this to our attention.
I recommend you monitor your IDS, firewall and other logs for access to l61DOT3322DOTORG. If you see any access, you should check the systems that accessed it for malware. You may decide to block that site within your enterprise. Many enterprise and educational networks did block 3322.org during the Word zero-day exploit in 2005.
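The log check recommended above, as an added example that is not part of the original diary: it matches on the parsed hostname instead of a substring, so the lowercase-L host is kept apart from a digit-one lookalike and from unrelated names that merely contain the string. The four-field proxy log format, the client addresses and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

IOC_HOST = "l61.3322.org"   # from the diary; the first character is a lowercase L
PARENT_ZONE = "3322.org"    # dynamic DNS zone the diary says many networks blocked

# Constructed sample lines; assumed format: timestamp client_ip method url
SAMPLE_LOG = """\
2007-08-15T20:01:11Z 10.1.4.23 GET http://L61.3322.ORG/e.js
2007-08-15T20:01:12Z 10.1.4.23 GET http://l61.3322.org./hxw/wmm.htm
2007-08-15T20:02:40Z 10.1.7.8 GET http://161.3322.org/e.js
2007-08-15T20:03:05Z 10.1.9.50 GET http://other.3322.org/index.htm
2007-08-15T20:04:19Z 10.1.2.2 GET http://l61.3322.org.example.net/e.js
2007-08-15T20:05:00Z 10.1.3.3 GET http://www.not3322.org/
malformed line without enough fields
"""

def normalize_host(url):
    """Lowercased hostname without the trailing root dot, or None."""
    host = urlsplit(url).hostname          # .hostname is already lowercased
    return host.rstrip(".") if host else None

def classify(host):
    """'ioc' for the exact host, 'zone' for anything else under 3322.org."""
    if host == IOC_HOST:
        return "ioc"
    if host == PARENT_ZONE or host.endswith("." + PARENT_ZONE):
        return "zone"
    return None

def scan(log_text):
    """Return (client, verdict, host) for every line that hits a rule."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:               # skip lines not in the assumed format
            continue
        _ts, client, _method, url = fields
        try:
            host = normalize_host(url)
        except ValueError:                 # urlsplit rejects some malformed URLs
            continue
        verdict = classify(host) if host else None
        if verdict:
            hits.append((client, verdict, host))
    return hits

def clients_to_check(hits, verdict="ioc"):
    """Sorted client addresses to examine for malware."""
    return sorted({c for c, v, _ in hits if v == verdict})

if __name__ == "__main__":
    for client, verdict, host in scan(SAMPLE_LOG):
        print(f"{verdict:4} {client:10} {host}")
```

Clients returned for `"ioc"` are the ones to check for malware; the `"zone"` list shows what a block of all of 3322.org would also catch.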
UPDATE: Jose Nazario @ Arbor Networks provided the following analysis:
“e.js fetches http://161dot3322dotorg/hxw/wmm.htm which has iframes pointing to
http://l61dot3322.org/hxw/0614.htm and http://l61dot332dotorg/hxw/IE.htm
0614.HTM exploits ADOB.Stream()
IE.HTM exploits the following:
Exploited Software                            CVE ID (none listed means no CVE match was found)
RDS.Dataspace MS06-014                        CVE-2006-0003
Microsoft WMIScriptUtils.WMIObjectBroker      CVE-2006-4704
Outlook Data Object
Business Object Factory
After exploiting those vulnerabilities they BOTH download and run http://l61dot3322dot/hxw/qq.exe
That downloads two more files.
AV vendors that did not detect these are not listed.
AV engine                      Country  Signature
Avira (antivir)                DE       HEUR/Crypted
F-Secure                       FI       Hupigon.gen130
Ikarus                         AT       Backdoor.VB.EV
Securecomputing (webwasher)    US       Heuristic.Crypted
Aladdin (esafe)                IL       Suspicious Trojan/Worm
Avira (antivir)                DE       TR/Dldr.Delf.ALF.2
BitDefender                    RO       Trojan.Downloader.Delf.ALF
CAT (quickheal)                IN       TrojanDownloader.Delf.bfu
Eset (nod32)                   US       Win32/TrojanDownloader.Delf
Fortinet                       US       W32/Delf.ALF!tr.dldr
F-Secure                       FI       Trojan-Downloader.Win32.Delf.bfu
Ikarus                         AT       Trojan-Downloader.Delf.ALF
Kaspersky                      RU       Trojan-Downloader.Win32.Delf.bfu
Panda                          ES       Trj/Downloader.PAG
Prevx                          GB       Trojan.DownZero
Securecomputing (webwasher)    US       Win32.ModifiedUPX.gen!90 (suspicious)
Sophos                         GB       Mal/Basine-C
VirusBlokAda (vba32)           BY       Trojan-PSW.Game.63 ()