Full Version: Advertising & Drive-by infections
Kimberly
<h4>
The "rotator.adjuggler.com" case
</h4>
Drive-by infections, fake online scanners, automated clicking ... just name it ... rotator.adjuggler.com has it all.

While I understand that some web owners need to pay their hosting, I'm starting to really get pissed off when it comes to advertising. I was simply travelling a little bit on the net when suddenly my browser had some trouble loading a page. In the status bar I did notice several URLs flying by. Curiosity piqued, I leaned back on my chair and let it roll.

Final score: 3739 URLs visited and the requested page still not loaded.
The initial culprit of my wild ride: rotator.adjuggler.com.

Aside from the usual advertising (zedo, ad.doubleclick) and counters present on all pages visited, some interesting things do show up as seen below.
[screenshot]
Affiliate clicking?
[screenshot]
Search engine.
[screenshot]
speedclick.biz
[screenshot]
Google news.
[screenshot]
And of course we bump into rotator.adjuggler.com again which keeps our browser turning in circles.
[screenshot]
So what, nothing really interesting, ya gonna tell me? Sure ... but wait, because the best is yet to come. Among those 3739 URLs visited, 2 did catch my lynx eye.
[screenshot]
sargatyan.info/[removed]

This page has a "random redirect" (more about that later). At the time of my surf I got redirected to a fake online scanner.

www.avxp08.com/sysscan/61d937f1d48e38ccac27c0478f4c649c/1
[screenshot]
Nothing else happened this time. Still it made me wonder if "other bad stuff" could end up on your computer and unfortunately the answer is YES, as we will see later on.

<h4>
sargatyan.info
</h4>
As promised, first some info about the redirect at sargatyan.info/[removed]. As said earlier, redirects are random and different at this site. At the time of this write-up we are redirected to iphone3gline.com instead of to www.avxp08.com. iphone3gline.com isn't a fake online scanner but something way more dangerous.
CODE
GET http://sargatyan.info/[removed]/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: sargatyan.info
Proxy-Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Fri, 25 Jul 2008 22:58:42 GMT
Server: Apache/2.2.9 (FreeBSD) PHP/5.2.6 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.7e-p1
Location: http://iphone3gline.com
Content-Length: 207
Content-Type: text/html; charset=iso-8859-1
Proxy-connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://iphone3gline.com">here</a>.</p>
</body></html>
We encounter a nice little obfuscated JavaScript at iphone3gline.com
CODE
HTTP/1.1 200 OK
Date: Fri, 25 Jul 2008 22:58:42 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-Host: p2w1.geo.sp1.yahoo.com
X-INKT-URI: http://www.iphone3gline.com//index.html
X-INKT-SITE: http://www.iphone3gline.com
Last-Modified: Fri, 25 Jul 2008 11:36:24 GMT
Accept-Ranges: bytes
Content-Type: text/html
Content-length: 5352
Proxy-connection: keep-alive

<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>iPhone 3G</title>
<script language="javascript">eval("\x66\x75\x6e\x63\x74\x69\x6f\x6e\................");</script>
</head>
Which leads to another obfuscated script & page with another script etc ... and we end up with an executable file on our computer.
[screenshot]
File details.

Filename: UxJAs.exe

File size: 52224 bytes
MD5...: c90ff869c71c1c3c970cabda760b52df
SHA1..: 1e5d830680fd031a607d3fc28b4cd88bc4fb4bf4
SHA256: 4b46faf1e8523264a3cdc5a6f9930d22eecc722526316d17ef512480f4766870
PEiD..: Microsoft Visual C++ 6.0
QUOTE
File UxJAs.exe received on 07.26.2008 01:15:12 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 TR/Dropper.Gen
Authentium 5.1.0.4 2008.07.25 -
Avast 4.8.1195.0 2008.07.25 -
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.25 -
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.25 -
DrWeb 4.44.0.09170 2008.07.25 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5981 2008.07.25 -
Ewido 4.0 2008.07.25 -
F-Prot 4.4.4.56 2008.07.25 -
F-Secure 7.60.13501.0 2008.07.25 -
Fortinet 3.14.0.0 2008.07.25 -
GData 2.0.7306.1023 2008.07.25 -
Ikarus T3.1.1.34.0 2008.07.25 Trojan-Downloader.Win32.BHO.kn
Kaspersky 7.0.0.125 2008.07.25 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.26 Trojan:Win32/BHO.F
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.25 -
PCTools 4.4.2.0 2008.07.25 -
Prevx1 V2 2008.07.26 -
Rising 20.54.42.00 2008.07.25 -
Sophos 4.31.0 2008.07.25 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.26 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.25 -
VBA32 3.12.8.1 2008.07.25 -
ViRobot 2008.7.25.1310 2008.07.25 -
VirusBuster 4.5.11.0 2008.07.25 -
Webwasher-Gateway 6.6.2 2008.07.25 Trojan.Dropper.Gen
Notes.
O2 - BHO: Rmn plugin - {7FED228E-A6F7-49aa-A0BC-76E0A67C53BB} - nod32.dll (file missing)
What did we get in our jackpot this time? A trojan which will attempt to steal banking information on the infected computer. For those interested, additional details can be found here.
______________________________

sargatyan.info - 82.146.61.11

Website Title: Сайт на модернизации!!! (Russian: "Site under modernisation!!!")
Links: 1 (Internal: 0, Outbound: 1)

Created: 2008-02-02
Expires: 2009-02-02
Updated: 2008-04-04
Whois Server: whois.afilias.info

Server Type: Apache/2.2.9 (FreeBSD) PHP/5.2.6 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.7e-p1
IP Location - Russian Federation - Ispsystem At Corbina

Domain ID:D23664023-LRMS
Domain Name:SARGATYAN.INFO
Created On:02-Feb-2008 22:16:33 UTC
Last Updated On:04-Apr-2008 05:29:13 UTC
Expiration Date:02-Feb-2009 22:16:33 UTC
Sponsoring Registrar:Blog.com Digital Communications Inc. (R315-LRMS)
Status:OK
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:P.O. Box 97
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Moergestel
Registrant State/Province:
Registrant Postal Code:5066 ZH
Registrant Country:NL
Registrant Phone:+45.36946676
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:
Admin ID:PP-SP-001
Admin Name:Domain Admin
Admin Organization:PrivacyProtect.org
Admin Street1:P.O. Box 97
Admin Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Admin Street3:
Admin City:Moergestel
Admin State/Province:
Admin Postal Code:5066 ZH
Admin Country:NL
Admin Phone:+45.36946676
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:
Billing ID:PP-SP-001
Billing Name:Domain Admin
Billing Organization:PrivacyProtect.org
Billing Street1:P.O. Box 97
Billing Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Billing Street3:
Billing City:Moergestel
Billing State/Province:
Billing Postal Code:5066 ZH
Billing Country:NL
Billing Phone:+45.36946676
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:
Tech ID:PP-SP-001
Tech Name:Domain Admin
Tech Organization:PrivacyProtect.org
Tech Street1:P.O. Box 97
Tech Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Tech Street3:
Tech City:Moergestel
Tech State/Province:
Tech Postal Code:5066 ZH
Tech Country:NL
Tech Phone:+45.36946676
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:
Name Server:NS1.FIRSTVDS.RU
Name Server:NS2.FIRSTVDS.RU

Websites.
  1. Anticarding.info
  2. Geerdale.com
  3. Prosoftsite.info
  4. Sargatyan.info
  5. Slevon.com
  6. Useasymail.info
  7. Uslogistic.us
______________________________

iphone3gline.com - 68.180.151.16

Website Title: iPhone 3G
ICANN Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Created: 2008-07-21
Expires: 2009-07-21
Updated: 2008-07-21
Name Server: YNS1.YAHOO.COM (has 2,612,142 domains)
Name Server: YNS2.YAHOO.COM
Whois Server: whois.melbourneit.com

IP Location - California - Sunnyvale - Yahoo
Reverse IP: 46,367 other sites hosted on this server.

Whois Record
Domain Name.......... iphone3gline.com
Creation Date........ 2008-07-22
Registration Date.... 2008-07-22
Expiry Date.......... 2009-07-22
Organisation Name.... Shelly Ferree
Organisation Address. P O Box 99800
Organisation Address.
Organisation Address. EmeryVille
Organisation Address. 94662
Organisation Address. CA
Organisation Address. US

Admin Name........... PrivateRegContact Admin
Admin Address........ P O Box 99800
Admin Address........
Admin Address........ EmeryVille
Admin Address........ 94662
Admin Address........ CA
Admin Address........ US
Admin Email..........
Admin Phone.......... +1.5105952002
Admin Fax............

Tech Name............ PrivateRegContact TECH
Tech Address......... P O Box 99800
Tech Address.........
Tech Address......... EmeryVille
Tech Address......... 94662
Tech Address......... CA
Tech Address......... US
Tech Email...........
Tech Phone........... +1.5105952002
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
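The two captures above (the 302 from sargatyan.info and the eval() page at iphone3gline.com) can be worked through mechanically rather than by eye. The Python below is an added example, not code from this thread or from B.I.S.S.: it parses a proxy transcript laid out like the captures, reconstructs the hop chain from Location headers and Referer values, and statically decodes the leading \xNN escapes of the eval() argument without executing anything. SAMPLE_TRANSCRIPT is constructed to mirror the capture with most headers trimmed; it is not the original dump.

```python
"""Reconstruct the hop chain from a proxy transcript laid out like the captures
in this thread, and statically decode the \\xNN-escaped literal passed to eval().
Added example, not code from the thread.  SAMPLE_TRANSCRIPT is constructed to
mirror the sargatyan.info -> iphone3gline.com capture with most headers trimmed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

SAMPLE_TRANSCRIPT = r"""GET http://sargatyan.info/[removed]/ HTTP/1.1
Referer: http://count1.exitexchange.com/exit/1159049
Host: sargatyan.info

HTTP/1.1 302 Found
Server: Apache/2.2.9 (FreeBSD)
Location: http://iphone3gline.com
Content-Type: text/html; charset=iso-8859-1

<html><body><p>The document has moved <a href="http://iphone3gline.com">here</a>.</p></body></html>

GET http://iphone3gline.com/ HTTP/1.1
Host: iphone3gline.com

HTTP/1.1 200 OK
Content-Type: text/html

<html><head><title>iPhone 3G</title>
<script language="javascript">eval("\x66\x75\x6e\x63\x74\x69\x6f\x6e");</script>
</head></html>
"""

REQ_RE = re.compile(r"^(GET|POST) (\S+) HTTP/\d\.\d$")
RESP_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")
# Leading run of \xNN escapes inside eval("..."); whatever follows the run is ignored.
EVAL_RE = re.compile(r'eval\("((?:\\x[0-9a-fA-F]{2})+)[^"]*"\)')


@dataclass
class Exchange:
    url: str
    referer: Optional[str] = None
    status: Optional[int] = None
    location: Optional[str] = None
    body: str = ""


def parse_transcript(text: str) -> List[Exchange]:
    """Pair each request line with the response that follows it."""
    exchanges: List[Exchange] = []
    cur: Optional[Exchange] = None
    mode: Optional[str] = None  # "req_hdr", "resp_hdr", "resp_body" or None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            cur = Exchange(url=m.group(2))
            exchanges.append(cur)
            mode = "req_hdr"
            continue
        m = RESP_RE.match(line)
        if m and cur is not None and cur.status is None:
            cur.status = int(m.group(1))
            mode = "resp_hdr"
            continue
        if cur is None or mode is None:
            continue
        if mode == "resp_body":
            cur.body += line + "\n"
            continue
        if not line.strip():  # a blank line ends a header block
            mode = "resp_body" if mode == "resp_hdr" else None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if mode == "req_hdr" and name == "referer":
            cur.referer = value
        elif mode == "resp_hdr" and name == "location":
            cur.location = value
    return exchanges


def redirect_chain(exchanges: List[Exchange]) -> List[Tuple[str, str, str]]:
    """Hops as (from_url, how, to_url): "location" when a 3xx Location header sent
    the browser on, "referer" when the next request merely names the previous URL
    as its Referer (an iframe, script or image load)."""
    hops = []
    for prev, nxt in zip(exchanges, exchanges[1:]):
        if prev.status and 300 <= prev.status < 400 and prev.location \
                and nxt.url.rstrip("/") == prev.location.rstrip("/"):
            hops.append((prev.url, "location", nxt.url))
        elif nxt.referer and nxt.referer.rstrip("/") == prev.url.rstrip("/"):
            hops.append((prev.url, "referer", nxt.url))
    return hops


def hosts_visited(exchanges: List[Exchange]) -> List[str]:
    """Distinct hosts in order of first appearance."""
    seen: List[str] = []
    for ex in exchanges:
        host = urlsplit(ex.url).netloc.lower()
        if host and host not in seen:
            seen.append(host)
    return seen


def decode_eval_prefix(body: str) -> Optional[str]:
    """Decode the \\xNN run without running it, to see what the script starts with."""
    m = EVAL_RE.search(body)
    if not m:
        return None
    return m.group(1).encode("ascii").decode("unicode_escape")


if __name__ == "__main__":
    ex = parse_transcript(SAMPLE_TRANSCRIPT)
    for src, how, dst in redirect_chain(ex):
        print(f"{src} --{how}--> {dst}")
    print("hosts:", hosts_visited(ex))
    print("eval() argument begins with:", decode_eval_prefix(ex[-1].body))
```

On the constructed transcript the chain is one "location" hop from sargatyan.info to iphone3gline.com, and the eval() literal decodes to "function", which is exactly what the \x66\x75\x6e... prefix on the real page spells. Feeding a longer dump (the Tier two captures later in this thread, for instance) yields the full rotator, exitexchange, sargatyan.info, laconicsoftware.org sequence as alternating "referer" and "location" hops.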
Kimberly
<h4>
Tier two
</h4>
How does rotator.adjuggler.com make you visit so many sites? The answer is simple: once you hit a URL at their site, it contains a lot of iframes. Some lead to advertising sites which might point back to a rotator.adjuggler.com link, while others point to websites with exploits and/or rotator.adjuggler.com links again.
CODE
GET http://rotator.adjuggler.com/servlet/ajrotator/302608/0/vh?z=terp517&dim=300764 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=740;c=42;s=17;d=14;w=728;h=90
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: rotator.adjuggler.com
Proxy-Connection: Keep-Alive
Below are the iframes on that page.
[screenshot]
An example of advertising code on www.mostamazingoffers.com:
CODE
<div id="skyscraper" style="margin-right: 10px; position: relative;" class="adSkyscraper">
<span class="adText">A D V E R T I S E M E N T</span>
<br />
<iframe width="120" height="600" noresize scrolling=No frameborder=0 marginheight=0 marginwidth=0
src="http://rotator.adjuggler.com/servlet/ajrotator/308867/0/vh?z=terp517&dim=300750&pos=1">
<script language=JavaScript src="http://rotator.adjuggler.com/servlet/ajrotator/308867/0/vj?z=terp517&dim=300750&pos=1&abr=$scriptiniframe"></script>
<noscript><a href="http://rotator.adjuggler.com/servlet/ajrotator/308867/0/cc?z=terp517&pos=1">
<img src="http://rotator.adjuggler.com/servlet/ajrotator/308867/0/vc?z=terp517&dim=300750&pos=1&abr=$imginiframe" width="120" height="600" border="0"></a></noscript></iframe>
</div>
Below are a couple of the files collected during that trip. Do not visit any of those URLs unless you know what you are doing. Most of the sites the files originate from have obfuscated scripts on their pages; I will not detail that code here either, just demonstrate how they arrive on your computer.

<h4>
picksday.com - XFE.exe
</h4>
CODE
GET http://rotator.adjuggler.com/servlet/ajrotator/308867/0/vh?z=terp517&dim=300750&pos=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.mostamazingoffers.com/free.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: rotator.adjuggler.com
Proxy-Connection: Keep-Alive

CODE
GET http://count.exitexchange.com/exit/1222876 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://rotator.adjuggler.com/servlet/ajrotator/308867/0/vh?z=terp517&dim=300750&pos=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: count.exitexchange.com
Proxy-Connection: Keep-Alive

CODE
GET http://picksday.com/1/search.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://count.exitexchange.com/exit/1222876
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: picksday.com
Proxy-Connection: Keep-Alive

Filename: XFE.exe

File size: 39424 bytes
MD5...: e31eb45d1ed4def7cf29a650f16717a6
SHA1..: 142e3f195d14d7ec66dd1ed2a4ede58d33cce508
SHA256: 3a906406f01f927b1fbb07e6c73f3f962cbb7d591965a3276a7d3af2ba5c7390
PEiD..: -
QUOTE
File Xfe.exe received on 07.25.2008 20:55:57 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 -
Authentium 5.1.0.4 2008.07.25 -
Avast 4.8.1195.0 2008.07.25 Win32:Renos-KE
AVG 8.0.0.130 2008.07.25 Downloader.FraudLoad.C
BitDefender 7.2 2008.07.25 -
CAT-QuickHeal 9.50 2008.07.25 Hoax.Renos.vapy (Not a Virus)
ClamAV 0.93.1 2008.07.25 -
DrWeb 4.44.0.09170 2008.07.25 Trojan.Fakealert.1071
eSafe 7.0.17.0 2008.07.24 Suspicious File
eTrust-Vet 31.6.5981 2008.07.25 -
Ewido 4.0 2008.07.25 -
F-Prot 4.4.4.56 2008.07.25 -
F-Secure 7.60.13501.0 2008.07.25 Hoax.Win32.Renos.vapy
Fortinet 3.14.0.0 2008.07.25 PossibleThreat
GData 2.0.7306.1023 2008.07.25 Hoax.Win32.Renos.vapy
Ikarus T3.1.1.34.0 2008.07.25 Virus.Win32.Renos.KE
Kaspersky 7.0.0.125 2008.07.25 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.25 -
NOD32v2 3300 2008.07.25 Win32/Adware.UltimateDefender
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.25 -
PCTools 4.4.2.0 2008.07.25 -
Prevx1 V2 2008.07.25 -
Rising 20.54.42.00 2008.07.25 -
Sophos 4.31.0 2008.07.25 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.25 Trojan.Virantix.C
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.25 -
VBA32 3.12.8.1 2008.07.25 Rootkit.Win32.Ogorod
ViRobot 2008.7.25.1310 2008.07.25 -
VirusBuster 4.5.11.0 2008.07.25 -
Webwasher-Gateway 6.6.2 2008.07.25 Win32.Malware.gen (suspicious)
Kaspersky: Hoax.Win32.Renos.vapy

For those interested, additional details can be found here.

<h4>
dciman32.com - msn_0807_upd191536.exe
</h4>
CODE
GET http://count1.exitexchange.com/exit/1222876 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://rotator.adjuggler.com/servlet/ajrotator/308867/0/vh?z=terp517&dim=300750&pos=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: count1.exitexchange.com

CODE
GET http://count1.exitexchange.com/exit/1159049?3387908 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://count1.exitexchange.com/exit/1222876
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: count1.exitexchange.com
Proxy-Connection: Keep-Alive

Look who's here again ...

CODE
GET http://sargatyan.info/[removed]/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://count1.exitexchange.com/exit/1159049?3387908
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: sargatyan.info
Proxy-Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Thu, 24 Jul 2008 06:10:25 GMT
Server: Apache/2.2.9 (FreeBSD) PHP/5.2.6 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.7e-p1
Location: http://laconicsoftware.org/s/in.cgi?7
Content-Length: 221
Content-Type: text/html; charset=iso-8859-1
Proxy-connection: keep-alive

CODE
GET http://laconicsoftware.org/s/in.cgi?7 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://count1.exitexchange.com/exit/1159049?3387908
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: laconicsoftware.org

HTTP/1.1 302 Found
Server: nginx/0.5.35
Date: Thu, 24 Jul 2008 06:08:04 GMT
Content-Type: text/html
Set-Cookie: SL_7_0000=_1_; domain=laconicsoftware.org; path=/; expires=Fri, 25-Jul-2008 06:08:04 GMT
Location: http://dciman32.com/3044.htm
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 154
Proxy-connection: keep-alive

CODE
GET http://dciman32.com/_neahfsry/3044uxvrgpll.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: dciman32.com
Proxy-Connection: Keep-Alive

3044uxvrgpll.exe arrived as msn_0807_upd191536.exe

Filename: msn_0807_upd191536.exe

File size: 115200 bytes
MD5...: 8bf4f904f4faf8e72b583930cbc61c38
SHA1..: 1a7c40b975e2122de0c6a7cd457ae5dc0cb5f35d
SHA256: 54a1c916f20e7ddd5694f31770444ef4e18ee3f02fe0428091da3a522d7f2aa5
PEiD..: -
QUOTE
File msn_0807_upd191536.exe received on 07.24.2008 08:19:43 (CET)
AhnLab-V3 2008.7.24.0 2008.07.23 -
AntiVir 7.8.1.11 2008.07.23 TR/Dropper.Gen
Authentium 5.1.0.4 2008.07.24 -
Avast 4.8.1195.0 2008.07.23 -
AVG 8.0.0.130 2008.07.23 -
BitDefender 7.2 2008.07.24 -
CAT-QuickHeal 9.50 2008.07.22 -
ClamAV 0.93.1 2008.07.24 -
DrWeb 4.44.0.09170 2008.07.23 -
eSafe 7.0.17.0 2008.07.23 Suspicious File
eTrust-Vet 31.6.5978 2008.07.24 -
Ewido 4.0 2008.07.23 -
F-Prot 4.4.4.56 2008.07.22 -
F-Secure 7.60.13501.0 2008.07.24 Trojan.Win32.Pakes.jvm
Fortinet 3.14.0.0 2008.07.24 -
GData 2.0.7306.1023 2008.07.24 Trojan.Win32.Pakes.jvm
Ikarus T3.1.1.34.0 2008.07.24 Trojan-Dropper
Kaspersky 7.0.0.125 2008.07.24 -
McAfee 5345 2008.07.23 -
Microsoft 1.3704 2008.07.24 TrojanDropper:Win32/Boaxxe.D
NOD32v2 3293 2008.07.23 -
Norman 5.80.02 2008.07.23 -
Panda 9.0.0.4 2008.07.24 -
PCTools 4.4.2.0 2008.07.23 -
Prevx1 V2 2008.07.24 -
Rising 20.54.30.00 2008.07.24 -
Sophos 4.31.0 2008.07.24 Mal/Dropper-AC
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.24 -
TheHacker 6.2.96.387 2008.07.23 -
TrendMicro 8.700.0.1004 2008.07.24 PAK_Generic.001
VBA32 3.12.8.1 2008.07.23 -
ViRobot 2008.7.23.1307 2008.07.23 -
VirusBuster 4.5.11.0 2008.07.23 -
Webwasher-Gateway 6.6.2 2008.07.23 Trojan.Dropper.Gen
Kaspersky: Trojan.Win32.Pakes.jvm

For those interested, additional details can be found here.

<h4>
db33g54d77j.cn - adof1e.exe
</h4>
CODE
GET http://db33g54d77j.cn/cgi-bin/index.cgi?user3 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://count.exitexchange.com/exit/1159049?3387772
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: db33g54d77j.cn

Filename: adof1e.exe

File size: 8192 bytes
MD5...: 1c66f43413ebb430c1f7fd41aaa32aa1
SHA1..: 9a634e13260cb6083c46aebaf733add04c4b220f
SHA256: 2d3581b2f5307741e41d5fa5f1b5e6e38fca3289bfb997bff1ccb3641dd7aac3
PEiD..: -
QUOTE
File adof1e.exe received on 07.26.2008 06:18:13 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 -
Authentium 5.1.0.4 2008.07.26 -
Avast 4.8.1195.0 2008.07.25 -
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.26 -
CAT-QuickHeal 9.50 2008.07.25 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.26 -
DrWeb 4.44.0.09170 2008.07.25 -
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.25 -
F-Prot 4.4.4.56 2008.07.25 W32/Zbot.I.gen!Eldorado
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.26 -
Ikarus T3.1.1.34.0 2008.07.26 -
Kaspersky 7.0.0.125 2008.07.26 Trojan.Win32.Inject.efy
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.26 -
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.25 Suspicious file
PCTools 4.4.2.0 2008.07.25 -
Prevx1 V2 2008.07.26 Suspicious
Rising 20.54.50.00 2008.07.26 -
Sophos 4.31.0 2008.07.26 -
Sunbelt 3.1.1536.1 2008.07.25 Trojan.Win32.Inject.ab
Symantec 10 2008.07.26 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 PAK_Generic.001
VBA32 3.12.8.1 2008.07.25 suspected of Win32 Shadow Socket Open
ViRobot 2008.7.25.1310 2008.07.25 -
VirusBuster 4.5.11.0 2008.07.25 -
Webwasher-Gateway 6.6.2 2008.07.25 Win32.Malware.gen (suspicious)
<h4>
Tier three
</h4>
Filename: zoc.exe

File size: 41472 bytes
MD5...: 543e7b720f888da0d9ce4184a798f42b
SHA1..: 84c3148359b3b9a1984f23c44614e0373aae4e45
SHA256: 7c33f52cb885148b07b789675f0d0cbee594abaa4db80e236eac29d5cb438540
PEiD..: -
QUOTE
File zoc.exe received on 07.25.2008 20:47:57 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 -
Authentium 5.1.0.4 2008.07.25 -
Avast 4.8.1195.0 2008.07.25 Win32:Renos-KE
AVG 8.0.0.130 2008.07.25 Downloader.FraudLoad.C
BitDefender 7.2 2008.07.25 -
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.25 -
DrWeb 4.44.0.09170 2008.07.25 Trojan.Packed.580
eSafe 7.0.17.0 2008.07.24 Suspicious File
eTrust-Vet 31.6.5981 2008.07.25 -
Ewido 4.0 2008.07.25 -
F-Prot 4.4.4.56 2008.07.25 -
F-Secure 7.60.13501.0 2008.07.25 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.07.25 -
GData 2.0.7306.1023 2008.07.25 Win32:Renos-KE
Ikarus T3.1.1.34.0 2008.07.25 Virus.Win32.Renos.KE
Kaspersky 7.0.0.125 2008.07.25 Hoax.Win32.Renos.varb
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.25 -
NOD32v2 3300 2008.07.25 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.25 -
PCTools 4.4.2.0 2008.07.25 -
Prevx1 V2 2008.07.25 -
Rising 20.54.42.00 2008.07.25 -
Sophos 4.31.0 2008.07.25 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.25 Trojan.Virantix.C
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.25 -
VBA32 3.12.8.1 2008.07.25 Rootkit.Win32.Ogorod
ViRobot 2008.7.25.1310 2008.07.25 -
VirusBuster 4.5.11.0 2008.07.25 -
Webwasher-Gateway 6.6.2 2008.07.25 Win32.Malware.gen (suspicious)
For those interested, additional details can be found here.
______________________________

Filename: xav60u.exe

File size: 7680 bytes
MD5...: cc47cff879452f0b09f5693b55945bc1
SHA1..: 8936a93c20d016c1df63730a762f6de20949d3ff
SHA256: e901b791252820dd45462da65579ed3d6de6cf1c8b735c81bce976f09012ec34
PEiD..: -
QUOTE
File xav60u.exe received on 07.25.2008 20:49:56 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 -
Authentium 5.1.0.4 2008.07.25 -
Avast 4.8.1195.0 2008.07.25 Win32:Trojan-gen {Other}
AVG 8.0.0.130 2008.07.25 -
BitDefender 7.2 2008.07.25 -
CAT-QuickHeal 9.50 2008.07.25 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.25 -
DrWeb 4.44.0.09170 2008.07.25 Trojan.MulDrop.18133
eSafe 7.0.17.0 2008.07.24 -
eTrust-Vet 31.6.5981 2008.07.25 -
Ewido 4.0 2008.07.25 -
F-Prot 4.4.4.56 2008.07.25 W32/Zbot.I.gen!Eldorado
F-Secure 7.60.13501.0 2008.07.25 Trojan.Win32.Inject.ecg
Fortinet 3.14.0.0 2008.07.25 PossibleThreat
GData 2.0.7306.1023 2008.07.25 Trojan.Win32.Inject.ecg
Ikarus T3.1.1.34.0 2008.07.25 Trojan.Win32.Agent.uzl
Kaspersky 7.0.0.125 2008.07.25 Trojan.Win32.Inject.ecg
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.25 -
NOD32v2 3300 2008.07.25 Win32/TrojanDownloader.Small.ODV
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.25 Suspicious file
PCTools 4.4.2.0 2008.07.25 -
Prevx1 V2 2008.07.25 Suspicious
Rising 20.54.42.00 2008.07.25 -
Sophos 4.31.0 2008.07.25 -
Sunbelt 3.1.1536.1 2008.07.18 Trojan.Win32.Inject.ab
Symantec 10 2008.07.25 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.25 PAK_Generic.001
VBA32 3.12.8.1 2008.07.25 suspected of Win32 Shadow Socket Open
ViRobot 2008.7.25.1310 2008.07.25 -
VirusBuster 4.5.11.0 2008.07.25 -
Webwasher-Gateway 6.6.2 2008.07.25 Win32.Malware.gen (suspicious)
For those interested, additional details can be found here.

Note: After the reboot, chances are very high that it will invite some friends onto your computer.
______________________________

Filename: by8.exe

File size: 7890 bytes
MD5...: 80be946c2be1170ab08f84a63df59064
SHA1..: 289ad05fdb82655eb2b75d38ccd46beb94a3f6fb
PEiD..: -
QUOTE
File by8.exe received on 07.25.2008 20:51:16 (CET)
AhnLab-V3 2008.7.26.0 2008.07.25 -
AntiVir 7.8.1.12 2008.07.25 -
Authentium 5.1.0.4 2008.07.25 -
Avast 4.8.1195.0 2008.07.25 -
AVG 8.0.0.130 2008.07.25 Win32/Heur
BitDefender 7.2 2008.07.25 -
CAT-QuickHeal 9.50 2008.07.25 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.25 -
DrWeb 4.44.0.09170 2008.07.25 Trojan.Packed.155
eSafe 7.0.17.0 2008.07.24 Suspicious File
eTrust-Vet 31.6.5981 2008.07.25 -
Ewido 4.0 2008.07.25 -
F-Prot 4.4.4.56 2008.07.25 -
F-Secure 7.60.13501.0 2008.07.25 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.07.25 W32/TibsPak
GData 2.0.7306.1023 2008.07.25 -
Ikarus T3.1.1.34.0 2008.07.25 -
Kaspersky 7.0.0.125 2008.07.25 Heur.Downloader
McAfee 5347 2008.07.25 New Malware.cn
Microsoft 1.3704 2008.07.25 -
NOD32v2 3300 2008.07.25 probably a variant of Win32/TrojanDownloader.Agent.NSP
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.25 Suspicious file
PCTools 4.4.2.0 2008.07.25 -
Prevx1 V2 2008.07.25 -
Rising 20.54.42.00 2008.07.25 -
Sophos 4.31.0 2008.07.25 Mal/TibsPak
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.25 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.25 PAK_Generic.001
VBA32 3.12.8.1 2008.07.25 -
ViRobot 2008.7.25.1310 2008.07.25 -
VirusBuster 4.5.11.0 2008.07.25 -
Webwasher-Gateway 6.6.2 2008.07.25 Win32.Malware.gen (suspicious)
This one is a cutie ... it downloads a nasty rootkit as seen in the TE report.
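The iframe fan-out described in this post (one ad slot on www.mostamazingoffers.com pulling several rotator.adjuggler.com resources, which in turn serve further iframes) is easiest to appreciate by inventorying what a single slot loads. The Python below is an added example, not code from this thread or from B.I.S.S.: it walks the ad markup with the standard-library HTML parser, collects every iframe/script/img/a/embed/object URL, and tallies third-party hosts relative to the page host. SAMPLE_AD_HTML is constructed from the snippet quoted above with one first-party image appended for contrast, and the page host is assumed to be www.mostamazingoffers.com.

```python
"""Inventory the resources an advertising slot pulls in, grouped by host.
Added example, not code from the thread.  SAMPLE_AD_HTML is constructed from the
www.mostamazingoffers.com snippet quoted in this thread, with a first-party
image appended for contrast."""
from collections import Counter
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

SAMPLE_AD_HTML = """<div id="skyscraper" style="margin-right: 10px; position: relative;" class="adSkyscraper">
<span class="adText">A D V E R T I S E M E N T</span>
<br />
<iframe width="120" height="600" noresize scrolling=No frameborder=0 marginheight=0 marginwidth=0
src="http://rotator.adjuggler.com/servlet/ajrotator/308867/0/vh?z=terp517&dim=300750&pos=1">
<script language=JavaScript src="http://rotator.adjuggler.com/servlet/ajrotator/308867/0/vj?z=terp517&dim=300750&pos=1&abr=$scriptiniframe"></script>
<noscript><a href="http://rotator.adjuggler.com/servlet/ajrotator/308867/0/cc?z=terp517&pos=1">
<img src="http://rotator.adjuggler.com/servlet/ajrotator/308867/0/vc?z=terp517&dim=300750&pos=1&abr=$imginiframe" width="120" height="600" border="0"></a></noscript></iframe>
<img src="/images/logo.gif" alt="constructed first-party image">
</div>
"""


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every element that makes the browser fetch or follow something."""
    URL_ATTR = {"iframe": "src", "frame": "src", "script": "src", "img": "src",
                "a": "href", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.resources: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTR.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append((tag, value))
                break


def collect_resources(markup: str) -> List[Tuple[str, str]]:
    parser = ResourceCollector()
    parser.feed(markup)
    parser.close()
    return parser.resources


def host_of(url: str, page_host: str) -> str:
    """Absolute URLs carry their own host; relative ones belong to the page."""
    netloc = urlsplit(url).netloc.lower()
    return netloc or page_host.lower()


def third_party_hosts(resources: List[Tuple[str, str]], page_host: str) -> Counter:
    """How many fetches each foreign host gets from this one slot."""
    counts: Counter = Counter()
    for _tag, url in resources:
        host = host_of(url, page_host)
        if host != page_host.lower():
            counts[host] += 1
    return counts


def iframe_sources(resources: List[Tuple[str, str]]) -> List[str]:
    """The nested documents: each one is a fresh page that can embed more iframes."""
    return [url for tag, url in resources if tag in ("iframe", "frame")]


if __name__ == "__main__":
    found = collect_resources(SAMPLE_AD_HTML)
    for host, n in third_party_hosts(found, "www.mostamazingoffers.com").most_common():
        print(f"{host}: {n} resource(s) from one ad slot")
    for src in iframe_sources(found):
        print("iframe ->", src)
```

The Counter is the part to look at: four fetches from one rotator host out of a single 120x600 slot, one of them an iframe that serves a whole document of its own. Run the same collector over that iframe's response and over each iframe it yields, and the "3739 URLs for one page" figure from the first post stops being surprising.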
Kimberly
A small update regarding this issue / case ...
I had a very positive contact with folks from the adjuggler.com support today in order to resolve these issues. As usual I'll keep you all informed.
Kimberly
The client has been informed and, according to the adjuggler.com support team, they made changes to their account. Time for another advertising journey I suppose? What do you think ...

If anyone at any time has similar issues or sees that nothing has been fixed, PM me please. Your contributions in tracking down Internet issues are always welcome and highly appreciated. It's about my and YOUR security, guys & gals.