
NCSU Libraries - lib.ncsu.edu - 372,000 pages
FullDownloads.us - fulldownloads.us - 13,000 pages
Central Statistics Office Ireland - cso.ie - 10,300 pages
DBLife Frontpage - dblife.cs.wisc.edu - 1,130 pages
School of Mathematics and Statistics - www-history.mcs.st-andrews.ac.uk - 1040 pages
eHawaii Portal - ehawaii.gov - 992 pages
The World Clock - timeanddate.com - 944 pages
Boise State University - boisestate.edu - 471 pages
The U.S. Administration on Aging (AoA) - aoa.gov - 425 pages
Gustavus Adolphus College - gustavus.edu - 312 pages
Internet Archive - archive.org - 261 pages
Stanford Business School Alumni Association - gsbapps.stanford.edu - 157 pages
BushTorrent - bushtorrent.com - 147 pages
ChildCareExchange - ccie.com - 131 pages
The University of Vermont - uvm.edu - 120 pages
Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages
Minnesota State University Mankato - mnsu.edu - 94 pages
The California Majority Report - camajorityreport.com - 16 pages
Medicare.gov - medicare.gov - 12 pages
USAMRIID - usamriid.army.mil - 3 pages

Each of these is loading a secondary domain, which then takes us to two more before finally reaching the Zlob variant. In this case it's radt.info (75.125.208.243), with several campaigns currently up and running, all pointing to the same fake codec. Sample redirects seen upon visiting these are as follows:
seivomerutam.info/Free-Paris-Hilton-Nude-Pics/
seivomerutam.info/spam/
all of which ultimately redirect to:
porn-popular.com (64.28.185.78), where the Zlob variant, in the form of a fake codec, is downloaded from democodec.com/download/democodec1292.exe (64.28.184.168) via an ActiveX object.

File Name : democodec1292.exe
File Size : 74823 bytes
MD5 : 30965fdbd893990dd24abda2285d9edc
SHA1 : 53eacbb9cdf42394bd455d9bd2275f05730332f7
Downloader.Zlob.ZV; Trojan-Downloader.Win32.Zlob.eie; TrojanDownloader.Zlob.epx
"This fake codec is actually a hijacker that will change your DNS settings whether you acquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121. If you use a static IP address, CA AntiSpyware will set your DNS server to 198.6.1.1 to prevent your DNS queries from continuing to go through the rogue DNS servers. Please change your DNS server to the DNS server provided by your IP or Network Administrator."
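
A check for the DNS change described in the quoted advisory, as an added example that is not part of the original post: it parses `ipconfig /all` text and flags adapters whose resolvers match 85.255.x.29 or 85.255.x.121, reporting whether each adapter uses DHCP. It assumes English-language output and that "x" stands for any third octet; the function names and the sample output are constructed for illustration.

```python
import ipaddress
import re

# Field lines look like "   DNS Servers . . . : 1.2.3.4"; extra resolvers follow on bare lines.
FIELD = re.compile(r"^\s+(.+?)[ .]*\. : ?(.*)$")

def is_rogue_resolver(addr):
    """True for 85.255.x.29 / 85.255.x.121 (assumption: x = any third octet)."""
    try:
        o = ipaddress.IPv4Address(addr.strip()).packed
    except ValueError:
        return False
    return o[0] == 85 and o[1] == 255 and o[3] in (29, 121)

def audit_ipconfig(text):
    """Return one finding per adapter with a resolver matching the pattern."""
    adapters, in_dns = [], False
    current = {"adapter": None, "dhcp": None, "dns": []}   # placeholder before first header
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a new section
            current = {"adapter": line.strip().rstrip(":"), "dhcp": None, "dns": []}
            adapters.append(current)
            in_dns = False
            continue
        m = FIELD.match(line)
        if m:
            key, val = m.group(1).lower(), m.group(2).strip()
            in_dns = key == "dns servers"
            if key == "dhcp enabled":
                current["dhcp"] = val.lower() == "yes"
            elif in_dns and val:
                current["dns"].append(val)
        elif in_dns:                         # continuation line of "DNS Servers"
            current["dns"].append(line.strip())
    hits = [(a, [s for s in a["dns"] if is_rogue_resolver(s)]) for a in adapters]
    return [{"adapter": a["adapter"], "dhcp": a["dhcp"], "rogue": r} for a, r in hits if r]

# Constructed sample output; the third octet (10) is made up for the example.
SAMPLE = """\
Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : Yes
        DNS Servers . . . . . . . . . . . : 85.255.10.29
                                            85.255.10.121
Ethernet adapter Wireless Network Connection:
        Dhcp Enabled. . . . . . . . . . . : No
        DNS Servers . . . . . . . . . . . : 198.6.1.1
"""
```

A match on an adapter with DHCP enabled means the resolver was set on the host rather than handed out by the lease, or that the DHCP server itself is serving the rogue addresses, so both should be checked.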
