 Post subject: Re: Please submit sites to be added to hpHOSTS to this thread
PostPosted: Sat Aug 02, 2008 12:42 am 
Cheers Tom :)

_________________
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!



 
 Post subject: Re: Please submit sites to be added to hpHOSTS to this thread
PostPosted: Sat Aug 02, 2008 6:56 am 
1 to add, one to watch, or maybe add anyway:
  • This site is NOT currently listed in hpHosts
    Host: fastpyroscan.com
    Current IP*: 207.226.174.20
    IP PTR: 207-226-174-20.pccwglobal.net
    Registrar: ESTDOMAINS, INC.
    Whois Server: whois.estdomains.com
    Referral URL: http://www.estdomains.com
    Name Server: NS1.PYROANTISPY.COM
    Name Server: NS2.PYROANTISPY.COM
    Name Server: NS3.PYROANTISPY.COM
    Status: clientTransferProhibited
    Updated Date: 03-jun-2008
    Creation Date: 03-jun-2008
    Expiration Date: 03-jun-2009

    associated with proantyspy.com
    http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-080112-4201-99&tabid=2
  • This site is NOT currently listed in hpHosts
    Host: proantispy.com
    Rogue association, suspicious & Webhelper listed
    Registration Service Provided By: VIVIDS MEDIA GMBH
    Contact: +49.3094413291
    Registrant:
    PrivacyProtect.org
    Domain Admin (contact@privacyprotect.org)
    P.O. Box 97
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Moergestel
    null,5066 ZH
    NL
    Tel. +45.36946676

    Creation Date: 02-Jun-2007
    Expiration Date: 02-Jun-2009

    Analysis
    http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-080112-4201-99&tabid=2

    Suspicious rating @ Trusted Source:
    http://www.trustedsource.org/TS?do=feedback&subdo=query&q=proantispy.com

    Listed @ Webhelper
    http://webhelper4u.net/whmembers/siteslists/cwsalphaA.txt



  
 
 Post subject: Re: Please submit sites to be added to hpHOSTS to this thread
PostPosted: Sat Aug 02, 2008 8:22 am 
This site is NOT currently listed in hpHosts
Host: theworldnews5.com
Current IP*: 84.16.252.138
IP PTR: 84-16-252-138.internetserviceteam.com
Registrant Contact:
DomainsReg, Inc.
Sergey Astakhov abuse@domainsreg.cn
1-800-716-0023 fax: 1-800-716-0023
Lenin str. 38, 77
Saratov Saratovskaya oblast 150040
cn
DNS:
ns1.mynick.name
ns2.mynick.name
ns3.mynick.name
ns4.mynick.name
Created: 2008-07-30
Expires: 2009-07-30

malicious
http://www.trustedsource.org/TS?do=feedback&subdo=query&q=theworldnews5.com

hxxp://internetprotection2009.com/2009/1/_freescan.php?aid=880253

installs xpantivirus 2009



  
 
 Post subject: Re: Please submit sites to be added to hpHOSTS to this thread
PostPosted: Sat Aug 02, 2008 8:51 am 
Below find vURL Online links for details. All sites below wind up installing Power Antivirus 2009.

This site is NOT currently listed in hpHosts
Host: antiware.orgfree.com
Current IP*: 72.232.26.155
IP PTR: ns2.orgfree.com
Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/
Name Servers:
ns1.orgfree.com
ns2.orgfree.com
Creation date: 28 Jan 2005 15:25:42
Expiration date: 28 Jan 2010 15:25:42
=======
Page Title: Power Antivirus 2009
http://vurl.mysteryfcm.co.uk/?url=http://imir.info/go.php?sid=6&selUAStr=0
This site is NOT currently listed in hpHosts
Host: imir.info
Current IP*: 209.59.142.226
IP PTR: host.gudzonserver.com
Domain ID:D15787080-LRMS
Domain Name:IMIR.INFO
Created On:20-Dec-2006 16:25:16 UTC
Last Updated On:16-Nov-2007 12:13:21 UTC
Expiration Date:20-Dec-2008 16:25:16 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Name Server:NS1.GUDZONSERVER.COM
Name Server:NS2.GUDZONSERVER.COM
=======
Page Title: Power Antivirus 2009
http://vurl.mysteryfcm.co.uk/?url=http://mytraff.com/in.cgi?17&selUAStr=0 <<<<listed @ MDL
This site is NOT currently listed in hpHosts
Host: mytraff.com
Current IP*: 88.208.30.158
MX records for: mytraff.com
PRI Server IP Hostname
20 69.31.128.188 mail2.mytraff.com
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS5.PUBLIC-NS.COM
Name Server: NS6.PUBLIC-NS.COM
Status: ok
Updated Date: 15-nov-2007
Creation Date: 13-sep-2007
Expiration Date: 13-sep-2008

http://www.trustedsource.org/TS?do=feedback&subdo=query&q=mytraff.com

hxxp://scanner.power-antivirus-2009.com/?aff=1424

hxxp://scanner.power-antivirus-2009.com/setup/Install.exe



  
 
 Post subject: Re: Please submit sites to be added to hpHOSTS to this thread
PostPosted: Sat Aug 02, 2008 12:35 pm 
Cheers Tom :)

_________________
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!



 
 Post subject: Re: Please submit sites to be added to hpHOSTS to this thread
PostPosted: Sat Aug 02, 2008 9:48 pm 
Just spammed our forum.

Code:
Query: http://www.pornsamateur.com/o51810.html
Page Title:      No HTML title tags found
Server Response:    200 [ OK ]
Server Type:    Apache/2.2.8 (EL)
Server IP:    84.19.185.121
IP PTR:    ns2.km20935-18.keymachine.de
hpHosts Status:    Not Listed ( Report it? )
MDL Status:    Not Listed ( Report it? )
PhishTank Status:    Not Listed ( Report it? )
Links found?:    13
Scripts found?:    8
iFrames found?:    0
Last Dissected:    02/08/2008 21:21:39
Link to this query:    http://vurl.mysteryfcm.co.uk/?url=http://www.pornsamateur.com/o51810.html&selUAStr=0


I see the following and get a "probably infected with DLOADER.Trojan" from my AV.

Code:
document.location.http://codechost.com/codecpack.v.1.0.98.exe;
http://codechost.com/codecpack.v.1.0.98.exe
http://codechost.com/codecpack.v.1.0.98.exe
http://codechost.com/codecpack.v.1.0.98.exe



  
 
 Post subject: Re: Please submit sites to be added to hpHOSTS to this thread
PostPosted: Sun Aug 03, 2008 9:20 am 
Code:
grajava.za.pl


EMD

One of the fake "avi" files that is going around. I got the link in an email.

http://www.virustotal.com/analisis/a5116e1d4b262e7481f0ddc17a57fe04



  
 
 Post subject: Re: Please submit sites to be added to hpHOSTS to this thread
PostPosted: Sun Aug 03, 2008 1:03 pm 
Cheers guys :)

_________________
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!



 
 Post subject: Re: Please submit sites to be added to hpHOSTS to this thread
PostPosted: Mon Aug 04, 2008 10:28 pm 
EMD Candidate:
This site is NOT currently listed in hpHosts
Host: adultsexkey.com
Current IP*: 66.45.226.218
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291
Registrant:
N/A
Kitaesa Kitaesa (pimpmarkets@gmail.com)
Glavnaya ulica, 01
Glavniy Gorod
0,151623
CN
Tel. +235.2352643
Creation Date: 15-Nov-2006
Expiration Date: 15-Nov-2008
Domain servers in listed order:
ns4.xxx-server.biz
ns3.xxx-server.biz
ns.xxx-server.biz

malicious
http://www.trustedsource.org/TS?do=feedback&subdo=query&q=adultsexkey.com

File red-codec.v.1.211.exe

Result: 9/36 (25%)
AntiVir 7.8.1.15 2008.08.04 PCK/NSIS.M
Avast 4.8.1195.0 2008.08.04 Win32:KdCrypt
AVG 8.0.0.156 2008.08.04 Downloader.Tiny.D
Ikarus T3.1.1.34.0 2008.08.04 Win32.Fosforo
Microsoft 1.3807 2008.08.04 Trojan:Win32/Zlob.AS
Norman 5.80.02 2008.08.04 Vundo.gen201.dropper
Rising 20.56.02.00 2008.08.04 Trojan.Win32.DNSChanger.drb
TrendMicro 8.700.0.1004 2008.08.04 TROJ_ZLOB.EIL
Webwasher-Gateway 6.6.2 2008.08.04 Packer.NSIS.M


http://www.virustotal.com/analisis/046da088ce1ce237d6997f0c043c2ed0



  
 
 Post subject: Re: Please submit sites to be added to hpHOSTS to this thread
PostPosted: Mon Aug 04, 2008 10:59 pm 
Cheers Tom :)

@Kenny,
That URL has been cleaned up and no longer exists ;) (was likely a hacked server)

_________________
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!



 
hpHosts and hpHosts Online are copyright © Ur I.T. Mate Group - All Rights Reserved

Powered by phpBB © 2000-2009 phpBB Group