Another Set of Malicious Domains
Zlob Trojan Distributing Sites:
Site Name: Tuvcompany.com
IP address: 85.255.120.106
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.tuvcompany.com [85.255.120.106]
ns2.tuvcompany.com [85.255.120.107]
Site Name: Garfirm.com
IP address: 85.255.118.179
Registrar: ESTDOMAINS, INC
Name Servers:
ns1.garfirm.com [85.255.118.179]
ns2.garfirm.com [85.255.118.180]
The installers from these two sites were scanned and here are the results:
Virustotal Scan Result: 6/32 (18.75%)
AVG 7.5.0.516 2008.01.22 Downloader.Zlob.RN
BitDefender 7.2 2008.01.22 DeepScan:Generic.Zlob.7.883E035E
ClamAV 0.91.2 2008.01.22 Trojan.Dropper-2529
DrWeb 4.44.0.09170 2008.01.22 Trojan.Popuper.origin
F-Prot 4.4.2.54 2008.01.22 W32/Zlob.I.gen!Eldorado
Microsoft 1.3109 2008.01.22 TrojanDownloader:Win32/Zlob.gen!AL
The component sites associated with Zlob Trojan:
Scam Internet Security Page:
Site Name: Allsecuritypage.com
IP Address: 85.255.116.210
Registrar: ESTDOMAINS, INC
Name Servers:
ns1.allsecuritypage.com [85.255.116.210]
ns2.allsecuritypage.com [85.255.116.211]
This site promotes well-documented rogue security applications.
404Errorpage Scam:
Site Name: Errorbrowser.com
IP Address: 85.255.118.246
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.errorbrowser.com [85.255.118.246]
ns2.errorbrowser.com [85.255.118.242]
This is a 404 error page scam advertising AntiSpywareSuite, a well-documented rogue security application.
Security Guide Scam Page:
Site Name: Protectionstack.com
IP Address: 85.255.118.212
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.protectionstack.com [85.255.118.212]
ns2.protectionstack.com [85.255.118.213]
AdServer-Gate Pages:
Site Name: Gatehe.com
IP Address: 85.255.118.214
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.gatehe.com [85.255.118.214]
ns2.gatehe.com [85.255.118.34]
Site Name: Gatepo.com
IP address: 85.255.118.34
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.gatepo.com [85.255.118.34]
ns2.gatepo.com [85.255.118.35]
Protection Center Scam Page:
Site Name: Asafetyalways.com
IP address: 85.255.118.213
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.asafetyalways.com [85.255.118.213]
ns2.asafetyalways.com [85.255.118.214]
Other Malicious domain:
Site Name: Websoft-b.com
IP Address: 202.71.102.101
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.websoft-b.com [202.71.102.101]
ns2.websoft-b.com [202.71.102.101]
The installer from the site was scanned and here are the results:
Virustotal Scan Result: 6/32 (18.75%)
Authentium 4.93.8 2008.01.22 is a security risk or a "backdoor" program
Avast 4.7.1098.0 2008.01.22 -
AVG 7.5.0.516 2008.01.22 Downloader.Zlob.TQU
ClamAV 0.91.2 2008.01.22 Trojan.Zlob-961
F-Prot 4.4.2.54 2008.01.22 W32/ZlobN.J.gen
Microsoft 1.3109 2008.01.22 TrojanDropper:Win32/Zlob.gen!A
VBA32 3.12.2.5 2008.01.21 MalwareScope.Worm.Nuwar-Glowa.1
DNS Changer Trojan Distributing Site:
Site Name: Hqcodecvip.com
IP Address: 64.28.184.172
Registrar: ESTDOMAINS, INC.
Name Servers:
ns1.hqcodecvip.com [64.28.184.162]
ns2.hqcodecvip.com [64.28.184.168]
Stay away from these sites.
Bharath M N
Special Thanks to Patrick Jordan