Wednesday, February 20, 2008

New List of Malicious Domains

Site Name: xpdownloadings.com
IP Address: 69.50.183.50

The site xpdownloadings.com is malicious and shares its IP address with xpantiviruspro.com. Both sites distribute the xpantiviruspro rogue security application.

The installer from xpdownloadings.com was scanned and here are the results:

VirusTotal Scan Result: 5/32 (15.63%)
AVG 7.5.0.516 2008.02.19 Downloader.Purityscan.AA
eSafe 7.0.15.0 2008.02.17 suspicious Trojan/Worm
Kaspersky 7.0.0.125 2008.02.19 Heur.Trojan.Generic
McAfee 5232 2008.02.18 New Malware.bl
Sophos 4.26.0 2008.02.19 Troj/FakeAV-D

Site Name: online-nude-videos.com
IP Address: 74.50.97.51

The site online-nude-videos.com shows a fake error message and instructs the user to download a file named “install_player_3xxx3912941.exe” to view the video. The site belongs to the same group that distributes IE-Defender, a well-documented rogue security application.

The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 13/32 (40.62%)

AntiVir - - TR/Dldr.Delf.etj
AVG - - Downloader.Zlob
CAT-QuickHeal - - TrojanDownloader.Agent.ium
eSafe - - Suspicious File
eTrust-Vet - - Win32/Burgspill!generic
F-Prot - - W32/Heuristic-MU3!Eldorado
F-Secure - - Trojan-Downloader.Win32.Delf.etj
Kaspersky - - Trojan-Downloader.Win32.Delf.etj
Microsoft - - Trojan:Win32/Delflob.I
Panda - - Suspicious file
Prevx1 - - Generic.Dropper.xCodec
Sophos - - Mal/DelpDldr-E
Webwasher-Gateway - - Trojan.Dldr.Delf.etj


Site Name: Gt-websoftcodec.com
Site Name: Gt-websoft.com
IP Address: 85.255.117.158

The sites Gt-websoftcodec.com and Gt-websoft.com deliver Trojan files disguised as codecs. When a user tries to view a video on any of Gt-funny.com, Gt-movies.com or Gt-stars.com, the page shows a “Video ActiveX Object error” message and instructs the user to download a codec to view the video.


The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 11/32 (34.38%)

AntiVir 7.6.0.67 2008.02.19 TR/Crypt.XPACK.Gen
CAT-QuickHeal 9.50 2008.02.18 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.02.19 Trojan.Zlob-1501
eSafe 7.0.15.0 2008.02.17 Suspicious File
Fortinet 3.14.0.0 2008.02.19 W32/Stration!tr.dldr
Ikarus T3.1.1.20 2008.02.19 MalwareScope.Worm.Nuwar-Glowa.1
Microsoft 1.3204 2008.02.19 TrojanDropper:Win32/Nuwar.gen!lds
Sophos 4.26.0 2008.02.19 Mal/EncPk-CG
Sunbelt 3.0.884.0 2008.02.19 VIPRE.Suspicious
VBA32 3.12.6.1 2008.02.17 suspected of Downloader.Zlob.8
Webwasher-Gateway 6.6.2 2008.02.19 Trojan.Crypt.XPACK.Gen

Zlob Trojan distributing sites:

Site Name: viewutility.com
IP Address: 85.255.120.107

Site Name: videoadaptation.com
IP Address: 85.255.118.179

The above sites distribute Zlob Trojans. The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 7/32 (21.88%)

AntiVir 7.6.0.67 2008.02.19 TR/Drop.Fakes.71985
BitDefender 7.2 2008.02.19 Trojan.Downloader.Zlob.ABKX
ClamAV 0.92.1 2008.02.19 Trojan.Dropper-2529
Microsoft 1.3204 2008.02.19 TrojanDownloader:Win32/Zlob.gen!AL
Panda 9.0.0.4 2008.02.19 Adware/MultiMedia
VBA32 3.12.6.1 2008.02.17 suspected of Downloader.Zlob.3
Webwasher-Gateway 6.6.2 2008.02.19 Trojan.Drop.Fakes.71985


DNS Changer Distributing Site:

Site Name: codecmoon.com
IP Address: 64.28.184.181

The above site distributes the DNS Changer Trojan. The installer from the site was scanned and here are the results:

VirusTotal Scan Result: 7/30 (23.33%)

AntiVir 7.6.0.67 2008.02.19 DR/Dldr.DNSChanger.Gen
Avast 4.7.1098.0 2008.02.18 Win32:DNSChanger-SF
BitDefender 7.2 2008.02.19 Trojan.Downloader.Zlob.ABLE
eSafe 7.0.15.0 2008.02.17 Suspicious File
F-Secure 6.70.13260.0 2008.02.19 Trojan.Win32.DNSChanger.arn
Sophos 4.26.0 2008.02.19 Troj/Zlobar-Fam
Webwasher-Gateway 6.6.2 2008.02.19 Trojan.Dropper.Dldr.DNSChanger.Gen


Stay away from all the malicious sites listed in the post.
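As an added example (not part of the original post), the Python script below gathers the domains and IP addresses listed above into an indicator set and scans proxy log lines for them. The indicator values are the ones in this post; the log format, the hypothetical client addresses and the sample log lines are constructed for the demonstration. It matches on the destination IP as well as on the hostname, because the post itself notes that xpdownloadings.com and xpantiviruspro.com share an address, and it rejects look-alike hosts that merely contain a listed domain.

```python
"""Match the domains and IPs listed in the post against proxy log lines.

Added example. Indicator values are copied from the post; the log format
and the sample lines are constructed for this demonstration.
"""
import ipaddress
import re

# Domains named in the post (lower-cased; DNS names are case-insensitive).
MALICIOUS_DOMAINS = {
    "xpdownloadings.com", "xpantiviruspro.com", "online-nude-videos.com",
    "gt-websoftcodec.com", "gt-websoft.com", "gt-funny.com", "gt-movies.com",
    "gt-stars.com", "viewutility.com", "videoadaptation.com", "codecmoon.com",
}

# IP addresses named in the post.
MALICIOUS_IPS = {
    "69.50.183.50", "74.50.97.51", "85.255.117.158",
    "85.255.120.107", "85.255.118.179", "64.28.184.181",
}

# Assumed log layout: "<timestamp> <client> <method> <url-or-host:port> <dest-ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)

# Constructed sample log; 10.1.2.x clients and 203.0.113.x destinations are placeholders.
SAMPLE_LOG = """\
1203500001.112 10.1.2.3 GET http://www.codecmoon.com/download/codec.exe 64.28.184.181
1203500002.221 10.1.2.4 GET http://example.org/index.html 203.0.113.5
1203500003.337 10.1.2.5 CONNECT Gt-websoftcodec.com:443 85.255.117.158
1203500004.445 10.1.2.6 GET http://cdn.example.net/install_player.exe 69.50.183.50
1203500005.551 10.1.2.7 GET http://xpdownloadings.com.example.org/ 203.0.113.9
"""


def normalize_host(host):
    """Lower-case, strip a trailing dot and a :port suffix so comparisons are exact."""
    host = host.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def host_from_url(url):
    """Return the authority host of a URL; CONNECT lines carry a bare host:port."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url, re.I)
    authority = m.group(1) if m else url
    return authority.rsplit("@", 1)[-1]  # drop any user:pass@ prefix


def matches_domain(host):
    """Return the listed domain that host equals or is a subdomain of, else None.

    The ".<domain>" suffix test keeps look-alikes such as
    xpdownloadings.com.example.org from matching.
    """
    host = normalize_host(host)
    for bad in sorted(MALICIOUS_DOMAINS):
        if host == bad or host.endswith("." + bad):
            return bad
    return None


def matches_ip(addr):
    """Return the listed IP if addr is one of them, else None (non-IPs give None)."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    return str(ip) if str(ip) in MALICIOUS_IPS else None


def scan_log(lines):
    """Return one record per log line whose host or destination IP is listed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real deployment would count these
        host = host_from_url(m.group("url"))
        bad_domain = matches_domain(host)
        bad_ip = matches_ip(m.group("dst"))
        if bad_domain or bad_ip:
            hits.append({"client": m.group("client"), "host": normalize_host(host),
                         "domain_match": bad_domain, "ip_match": bad_ip})
    return hits


def hosts_blocklist():
    """Hosts-file lines sinkholing each listed domain (no wildcards: add www. etc. as needed)."""
    return ["0.0.0.0 " + d for d in sorted(MALICIOUS_DOMAINS)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print("\n".join(hosts_blocklist()))
```

The fourth sample line is the case the post's IP pivot is meant to catch: the hostname is not on the list, but the connection goes to 69.50.183.50, so it is still flagged as an IP match. The fifth line is a look-alike suffix and produces no hit.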

Bharath M N