Monday, August 20, 2007

Security: Sohanad and win32.VB worms still alive

Sometimes Godaddy and their affiliates, i.e. Servage, make me wonder just how effective their actions are against their own clients that abuse godaddy's ToS (Terms of Service).
One of the things that made me consider this as a blog topic is their apparent inaccessibility to shut down the main domain names. For those who don't know what's going on, the story goes like this:
- thecoolpics.net was ended, after some 6+ months of running the Sohanad.* and win32.VB.* worms
- thecoolpics.com and quicknews.info redirect to a new target as of yesterday, as far as I can tell: http://72.232.123.170/~windy/ auct_photo/temp/ (deliberately put a space between, do NOT visit the website)
- The exploit used here is a VB script exploit, which is actually encoded using Javascript
- The exploit downloads YMworm.exe and worm2007.exe, which can be found in the same folder as the above-mentioned link
- YMworm.exe is actually an AutoIt script and gives a bad name to the good folks of that project. worm2007.exe is just a "backup" program as far as I can tell. It connects to thecoolpics.com and tries to download these two programs from there, probably used when the websites that this lamer (langnghe.net owner) hacked and redirects to go down.

Final comment: They might be cheap & good in sales, but their abuse team doesn't handle reports very well.

Removal tool: Cwean antimalware package

Update: If you try a Google search for the old hacked website, http://horse.he.net/~dynasty/albums/style/, you'll notice a nice warning message ;) I sure hope they applied that in the Web Forgery system implemented in Firefox

When I did a Google search on the IP of the new one, I found another exploit: http://72.232.123.170/~hotcam /AutoVoLam.html (deliberate space added between) - it downloads spider.exe from the same directory.
