Archive for the Mebroot Category

har5launo.com/cgi-bin/index.cgi?dx

Posted in Mebroot on January 8, 2009 by s3cu

The URL serves malicious JavaScript that, after a chain of redirects, leads to the Mebroot trojan.
[VirusTotal detection: 4/38 engines]

cbp7t.cn

Posted in Mebroot, sql injection on October 21, 2008 by s3cu

This domain, planted in victim sites via SQL injection, loads an iframe from http://www.jmlrmg.com/index.htm.

The iframed page attempts exploits for a number of common client-side vulnerabilities.

The VirusTotal analysis of the malicious file http://www.jmlrmg.com/chanm/yahoo.exe is here; the ThreatExpert report is here.

Other domains hosted on the same IP: jsani.cn, woshow11.cn.

cdm1djeni.com/cgi-bin/index.cgi?dx

Posted in Mebroot on September 1, 2008 by s3cu

After several layers of obfuscated JavaScript, the final decoded content is as follows: