Jsunpack Recent URLs

Jsunpack URL [malicious] input_upload

Mon, 06 Sep 2010 08:46:36 GMT

A url has been found[malicious:10] input_upload
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode NOP len 524282 //warning CVE-NO-MATCH Shellcode Engine Binary Threshold //warning CVE-NO-MATCH Shellcode Engine Length 65536 //warning CVE-NO-MATCH Shellcode NOP len 9999 //warning CVE-NO-MATCH Shellcode NOP len 273933
suspicious: shellcode of length 994/497
malicious: XOR key [shellcode]: 189
malicious: shellcode [xor] URL=yasisi.hankooki.com/inc/ftp.exe
info: [0] no JavaScript
info: file: saved input_upload to (original_f58929518a33c5a16467251beebd31442537e8f3)
file: stream_f58929518a33c5a16467251beebd31442537e8f3: 3491 bytes
file: shellcode_a8d9ddeb282694d6a0e01183d01adec67cf9813b: 994 bytes

Jsunpack URL [suspicious] input_script

Mon, 06 Sep 2010 07:39:07 GMT

A url has been found[suspicious:5] input_script
info: [decodingLevel=0] found JavaScript
error: line:3: SyntaxError: missing ; before statement:
error: line:3: 22p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222p22222222pdowQ.222222p22222222p222222
error: line:3: ^
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Length 66216
info: [1] no JavaScript
info: file: saved input_script to (original_1340a7ded71fde284022441cb5cbdf50ea5ea6f9)
file: stream_1340a7ded71fde284022441cb5cbdf50ea5ea6f9: 9881 bytes
file: decoding_88fb6d25a595bb905834701ebd9cb779a14fb076: 408416 bytes

Jsunpack URL [suspicious] xg.st3h.com/a6.htm

Mon, 06 Sep 2010 06:14:30 GMT

A url has been found[suspicious:5] (ipaddr:58.64.149.17) (iframe) xg.st3h.com/a6.htm
status: (referer=xg.st3h.com/small.gif)saved 848 bytes fetch_436dcc82d16b4f1a9b9ba1d823d2d0e57557dc71
suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
info: [script] xg.st3h.com/ah0.js
info: [script] xg.st3h.com/ah1.js
info: [script] xg.st3h.com/ah2.js
info: [script] xg.st3h.com/ah3.js
info: [decodingLevel=0] found JavaScript
info: file: saved xg.st3h.com/a6.htm to (original_436dcc82d16b4f1a9b9ba1d823d2d0e57557dc71)
file: fetch_436dcc82d16b4f1a9b9ba1d823d2d0e57557dc71: 848 bytes

Jsunpack URL [malicious] voiptelesat.com/pdhcu.htm

Mon, 06 Sep 2010 04:51:36 GMT

A url has been found[malicious:10] (ipaddr:216.117.163.136) (iframe) voiptelesat.com/pdhcu.htm
status: (referer=voiptelesat.com/)saved 14520 bytes fetch_656fedc4af7ee5c12247ac5c2a036a65378f6a64
info: [decodingLevel=0] found JavaScript
malicious: MSOfficeWebComponents CVE-2009-1136 detected msDataSourceObject OWC10.Spreadsheet
info: [decodingLevel=1] found JavaScript
error: undefined function o1.cloneNode
error: undefined variable o1
malicious: Alert detected //alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called 1000 times)
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode NOP len 9999 //warning CVE-NO-MATCH Shellcode NOP len 521906 //warning CVE-NO-MATCH Shellcode Engine Length 65536 //warning CVE-NO-MATCH Shellcode NOP len 524282 //warning CVE-NO-MATCH Shellcode Engine Binary Threshold
suspicious: shellcode of length 486/317
malicious: shellcode URL=voiptelesat.com/zcv.gi
info: [2] no JavaScript
info: file: saved voiptelesat.com/pdhcu.htm to (original_656fedc4af7ee5c12247ac5c2a036a65378f6a64)
file: fetch_656fedc4af7ee5c12247ac5c2a036a65378f6a64: 14520 bytes
file: decoding_f095c70fee213b58ff2cd5e8b29bb4dc27227784: 7123 bytes
file: decoding_81906f75455de2c0e18e81e5e2408c6921c03225: 64140 bytes
file: shellcode_01ed8e296f4d01296e35314ad7bf16d09cabd4a5: 486 bytes

Jsunpack URL [malicious] input_script

Mon, 06 Sep 2010 04:45:33 GMT

A url has been found[malicious:8] input_script
info: [decodingLevel=0] found JavaScript
suspicious: script analysis exceeded 30 seconds (incomplete) 878 bytes
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Binary Threshold //warning CVE-NO-MATCH Shellcode Engine Length 65536
suspicious: shellcode of length 238/120
malicious: shellcode URL=www.xdxny.com/image/s.exe
info: [1] no JavaScript
info: file: saved input_script to (original_6e2371fcbea60f89275cb8cbecd22ddac03c1c0a)
file: stream_6e2371fcbea60f89275cb8cbecd22ddac03c1c0a: 3906 bytes
file: timeout_9f693b352e067add07a90b1fcd32ac7907236002: 4093 bytes
file: decoding_524059108f98bca05a3c89ee87daee904ff0701d: 878 bytes
file: shellcode_dd26e9d62192edfbe1a67d2a006ce2a38ed80439: 238 bytes

Jsunpack URL [malicious] www.xzjiayuan.com/ad/ad.htm

Mon, 06 Sep 2010 04:37:48 GMT

A url has been found[malicious:10] (ipaddr:202.104.151.139) (iframe) www.xzjiayuan.com/ad/ad.htm
status: (referer=www.google.com/trends/hottrends)saved 6609 bytes fetch_0a34f6ab869db5a08fb7283af54358b1235ead11
info: [decodingLevel=0] found JavaScript
suspicious: shellcode of length 977/489
malicious: XOR key [shellcode]: 189
malicious: shellcode [xor] URL=www.exinwl.com/images/s.exe
info: [decodingLevel=1] found JavaScript
info: file: saved www.xzjiayuan.com/ad/ad.htm to (original_0a34f6ab869db5a08fb7283af54358b1235ead11)
file: fetch_0a34f6ab869db5a08fb7283af54358b1235ead11: 6609 bytes
file: decoding_8487e868e1f8c6889811d3135038c1cd90074bbc: 3421 bytes
file: shellcode_7437b1194abb439b8f6ff75202a9b7ca24dfab0b: 977 bytes

Jsunpack URL [malicious] input_upload

Mon, 06 Sep 2010 04:37:48 GMT

A url has been found[nothing detected] input_upload
info: [decodingLevel=0] found JavaScript
info: DecodedIframe detected
info: [iframe] www.xzjiayuan.com/ad/ad.htm
info: [iframe] www.xzjiayuan.com/ad/news.html
info: [iframe] www.xzjiayuan.com/ad/count1.html
info: [decodingLevel=1] found JavaScript
file: stream_36a9e9488c92cbc9dec2624996cb5cf240683e11: 2209 bytes
file: decoding_3dfce4ecdb43c1c487d1e4820f5db35521a5e53a: 2854 bytes

Jsunpack URL [malicious] www.faloge.com/js/news.html

Mon, 06 Sep 2010 04:27:28 GMT

A url has been found[malicious:10] (ipaddr:60.191.134.142) (iframe) www.faloge.com/js/news.html
status: (referer=www.faloge.com/js/yahoo.js)saved 6558 bytes fetch_9f9ca5bde84fb6e7c8030560e87989bc99dd7e0a
info: [img] www.faloge.com/js/XIGUA.GIF
info: [decodingLevel=0] found JavaScript
malicious: Alert detected //alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called 199 times)
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Length 65536 //warning CVE-NO-MATCH Shellcode NOP len 9999
info: [1] no JavaScript
info: file: saved www.faloge.com/js/news.html to (original_9f9ca5bde84fb6e7c8030560e87989bc99dd7e0a)
file: fetch_9f9ca5bde84fb6e7c8030560e87989bc99dd7e0a: 6558 bytes
file: decoding_6a140cedf0215bfb597c704fe1ce4141bee9a75c: 13441 bytes

Jsunpack URL [malicious] www.faloge.com/js/ad.htm

Mon, 06 Sep 2010 04:27:28 GMT

A url has been found[malicious:10] (ipaddr:60.191.134.142) (iframe) www.faloge.com/js/ad.htm
status: (referer=www.faloge.com/js/yahoo.js)saved 6609 bytes fetch_0a34f6ab869db5a08fb7283af54358b1235ead11
info: [decodingLevel=0] found JavaScript
suspicious: shellcode of length 977/489
malicious: XOR key [shellcode]: 189
malicious: shellcode [xor] URL=www.exinwl.com/images/s.exe
info: [decodingLevel=1] found JavaScript
info: file: saved www.faloge.com/js/ad.htm to (original_0a34f6ab869db5a08fb7283af54358b1235ead11)
file: fetch_0a34f6ab869db5a08fb7283af54358b1235ead11: 6609 bytes
file: decoding_8487e868e1f8c6889811d3135038c1cd90074bbc: 3421 bytes
file: shellcode_7437b1194abb439b8f6ff75202a9b7ca24dfab0b: 977 bytes

Jsunpack URL [malicious] www.exinwl.com/images/s.exe

Mon, 06 Sep 2010 04:27:28 GMT

A url has been found[malicious:10] (ipaddr:117.34.89.190) [MZ] (shellcode) www.exinwl.com/images/s.exe
status: (referer=www.faloge.com/js/ad.htm)saved 41472 bytes fetch_a695ea952aa0db3a0605c9453a588041ed69d23a
info: [0] executable file
malicious: client download shellcode URL (executable) saved (incident_a695ea952aa0db3a0605c9453a588041ed69d23a)
info: file: saved www.exinwl.com/images/s.exe to (original_a695ea952aa0db3a0605c9453a588041ed69d23a)
file: fetch_a695ea952aa0db3a0605c9453a588041ed69d23a: 41472 bytes

Jsunpack URL [malicious] input_script

Mon, 06 Sep 2010 04:24:16 GMT

A url has been found[malicious:10] input_script
info: [decodingLevel=0] found JavaScript
error: undefined function window.location.reload
suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
info: [decodingLevel=1] found JavaScript
suspicious: script analysis exceeded 30 seconds (incomplete) 3117 bytes
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Binary Threshold //warning CVE-NO-MATCH Shellcode Engine Length 65536
suspicious: shellcode of length 986/493
malicious: XOR key [shellcode]: 189
malicious: shellcode [xor] URL=diablade.com/order/d.exe
info: [2] no JavaScript
info: file: saved input_script to (original_9485777ec35f2bc60a54f1dbb8fba8481c6be389)
file: stream_9485777ec35f2bc60a54f1dbb8fba8481c6be389: 5870 bytes
file: decoding_02154e24390eac6523b01d91f25a8dd4df5ccd26: 2839 bytes
file: timeout_db7d52779bd6627157878e9c4aad63bfb5f4baca: 3034 bytes
file: decoding_69599dffefa01591caddea7e9e3ffd5e7c20ac88: 3117 bytes
file: shellcode_64e014400b7359f63de89dd22878113edbc5c209: 986 bytes

Jsunpack URL [malicious] input_script

Sun, 05 Sep 2010 21:55:35 GMT

A url has been found[malicious:10] input_script
info: [decodingLevel=0] found JavaScript
error: undefined function window.location.reload
suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
info: [decodingLevel=1] found JavaScript
suspicious: script analysis exceeded 30 seconds (incomplete) 3117 bytes
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Binary Threshold //warning CVE-NO-MATCH Shellcode Engine Length 65536
suspicious: shellcode of length 986/493
malicious: XOR key [shellcode]: 189
malicious: shellcode [xor] URL=diablade.com/order/d.exe
info: [2] no JavaScript
info: file: saved input_script to (original_9485777ec35f2bc60a54f1dbb8fba8481c6be389)
file: stream_9485777ec35f2bc60a54f1dbb8fba8481c6be389: 5870 bytes
file: decoding_02154e24390eac6523b01d91f25a8dd4df5ccd26: 2839 bytes
file: timeout_e8f44cf07d9ed05f76c0d35799ef7a1b7706da5c: 3034 bytes
file: decoding_69599dffefa01591caddea7e9e3ffd5e7c20ac88: 3117 bytes
file: shellcode_64e014400b7359f63de89dd22878113edbc5c209: 986 bytes

Jsunpack URL [malicious] diablade.com/order/d.exe

Sun, 05 Sep 2010 21:55:35 GMT

A url has been found[malicious:10] (ipaddr:72.167.48.76) [MZ] (shellcode) diablade.com/order/d.exe
status: (referer=www.google.com/trends/hottrends)saved 64470 bytes fetch_a238bc31bb5f45b6466a7f845a6965eefe9a53e4
info: [0] executable file
malicious: client download shellcode URL (executable) saved (incident_a238bc31bb5f45b6466a7f845a6965eefe9a53e4)
info: file: saved diablade.com/order/d.exe to (original_a238bc31bb5f45b6466a7f845a6965eefe9a53e4)
file: fetch_a238bc31bb5f45b6466a7f845a6965eefe9a53e4: 64470 bytes

Jsunpack URL [malicious] input_script

Sun, 05 Sep 2010 21:27:15 GMT

A url has been found[malicious:10] input_script
info: [script] s4.cnzz.com/stat.php?id=1647759&web_id=1647759
info: [decodingLevel=0] found JavaScript
error: undefined function window.location.reload
suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
info: [decodingLevel=1] found JavaScript
suspicious: script analysis exceeded 30 seconds (incomplete) 3147 bytes
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Binary Threshold //warning CVE-NO-MATCH Shellcode Engine Length 65536
suspicious: shellcode of length 996/498
malicious: XOR key [shellcode]: 189
malicious: shellcode [xor] URL=www.robot114.com/cafe/help/box.exe
info: [2] no JavaScript
info: file: saved input_script to (original_45ecb7c78a9a29e3af5e7f6e3f246aac814ae2dd)
file: stream_45ecb7c78a9a29e3af5e7f6e3f246aac814ae2dd: 6014 bytes
file: decoding_4abe50821415d1a2f4156323816a7311d45defc0: 2859 bytes
file: timeout_bebc1c105954bd6aa9be5afea642875ffa48792c: 3054 bytes
file: decoding_f063e8365442e9c35f8d8191031afc1b988dbe46: 3147 bytes
file: shellcode_12d01b6e99b25215d82f19a0ee075bb07a50f62c: 996 bytes

Jsunpack URL [suspicious] input_script

Sun, 05 Sep 2010 21:17:25 GMT

A url has been found[suspicious:5] input_script
suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
info: [decodingLevel=0] found JavaScript
error: line:4: SyntaxError: missing ; before statement:
error: line:4: B122746EEA8dbD5C9C9CD879292CACACA93CFD2DFD2C98C8C8993DED2D092DEDCDBD892D5D8D1CD92DFD2C593D8C5D8BDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDBDEAEA") var Carr = new Array(); var it = 0x86000 - lv.length*2; var wflag = "%u0c0c%u0c0c"; var ks = unescape(wflag); whi
error: line:4: ..........................................................................................................................................^
error: line:3: SyntaxError: missing ; before statement:
error: line:3: <button id="mon" onclick="sclick();" STYLE="DISPLAY:NONE"></button> <script language="JavaScript" defer> function cjm(s){ var rstr,n; n=""; for (i=1;i<=s.length ;i++ ) { if ((i % 4)==0) { rstr = "%u"+s.substr(i-2,2)+s.substr(i-4,2); n= n + rstr; } } retur
error: line:3: .....................................................................^
info: file: saved input_script to (original_afba6eb133e07c48f2a0b75ca96a64a8ae227ec0)
file: stream_afba6eb133e07c48f2a0b75ca96a64a8ae227ec0: 2793 bytes

Jsunpack URL [malicious] input_script

Sun, 05 Sep 2010 20:28:32 GMT

A url has been found[malicious:10] input_script
suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
info: [decodingLevel=0] found JavaScript
suspicious: script analysis exceeded 30 seconds (incomplete) 3147 bytes
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Binary Threshold //warning CVE-NO-MATCH Shellcode Engine Length 65536
suspicious: shellcode of length 996/498
malicious: XOR key [shellcode]: 189
malicious: shellcode [xor] URL=www.robot114.com/cafe/help/box.exe
info: [1] no JavaScript
info: file: saved input_script to (original_6096a76b2ee141aadff220c030861c027aa8e150)
file: stream_6096a76b2ee141aadff220c030861c027aa8e150: 2878 bytes
file: timeout_1b49bd67043002320dfaf8a3f62dfaca7b6a0860: 3095 bytes
file: decoding_f063e8365442e9c35f8d8191031afc1b988dbe46: 3147 bytes
file: shellcode_12d01b6e99b25215d82f19a0ee075bb07a50f62c: 996 bytes

Jsunpack URL [suspicious] input_upload

Sun, 05 Sep 2010 14:47:48 GMT

A url has been found[suspicious:2] [PDF] input_upload
info: [decodingLevel=0] JavaScript in PDF 24680 bytes, with 28710 bytes headers
info: [decodingLevel=1] found JavaScript
suspicious: script analysis exceeded 30 seconds (incomplete) 0 bytes
info: file: saved input_upload to (original_e62b2d039e8dcebe2b2efeacb39b6daba83f20db)
file: stream_e62b2d039e8dcebe2b2efeacb39b6daba83f20db: 19009 bytes
file: decoding_4453bcc855080fe145951bfc2ca758646ab431fe: 53390 bytes
file: timeout_459549d447f8d5029cf77a3e510224d20ca438fc: 53420 bytes

Jsunpack URL [suspicious] audo20s.in/retn/h7238sd0_xvbb/crlfisfz3.php?s=b9f44519b9f0ec7e6ff664cf63dd3570

Sun, 05 Sep 2010 09:42:22 GMT

A url has been found[suspicious:5] (ipaddr:109.196.134.31) audo20s.in/retn/h7238sd0_xvbb/crlfisfz3.php?s=b9f44519b9f0ec7e6ff664cf63dd3570
status: (referer=www.google.com/trends/hottrends)saved 10725 bytes fetch_ebd35132f0cbe33cd6eda047e6780dc7a634681d
info: [decodingLevel=0] found JavaScript
info: DecodedGenericCLSID detected 6e32070a-766d-4ee6-879c-dc1fa91d2fc3 BD96C556-65A3-11D0-983A-00C04FC29E36 06723E09-F4C2-43c8-8358-09FCD1DB0766 BD96C556-65A3-11D0-983A-00C04FC29E30 0006F03A-0000-0000-C000-000000000046 D0C07D56-7C69-43F1-B4A0-25F5A11FAB19 8AD9C840-044E-11D1-B3E9-00805F499D93 6414512B-B978-451D-A0D8-FCFDF33E833C AB9BCEDD-EC7E-47E1-9322-D4A210617116 639F725F-1B2D-4831-A9FD-874847682010 CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA 0006F033-0000-0000-C000-000000000046 7F5B7F63-F06F-4331-8A26-339E03C0AE3D BA018599-1DB3-44f9-83B4-461454C84BF8 E8CCCDDF-CA28-496b-B050-6C07C962476B
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP MSXML2.ServerXMLHTTP
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Binary Threshold
info: [javascript variable] URL=audo20s.in/retn/h7238sd0_xvbb/ldw5nxoc1.php?spl=mdac&fh=
info: [javascript variable] URL=audo20s.in/retn/h7238sd0_xvbb/ldw5nxoc1.php?spl=JDT&fh= -J-jar -J\\\\audo20s.in\\smb\\new1.avi none
info: [open] URL=audo20s.in/retn/h7238sd0_xvbb/ldw5nxoc1.php?spl=mdac&fh=
info: [setAttribute src] URL=audo20s.in/retn/h7238sd0_xvbb/u72e8t1nb.php?fh=
info: [var WQJ3TbNyzw9Nc8] URL=audo20s.in/retn/h7238sd0_xvbb/ldw5nxoc1.php?spl=mdac&fh=
info: [var newurl] URL=audo20s.in/retn/h7238sd0_xvbb/ldw5nxoc1.php?spl=mdac&fh=
info: [decodingLevel=1] found JavaScript
error: undefined variable input
info: [decodingLevel=2] found JavaScript
error: undefined variable rc4Decrypt
error: undefined variable Base64_decode
error: undefined variable privet2
info: [decodingLevel=3] found JavaScript
error: undefined variable fd2sd
info: file: saved audo20s.in/retn/h7238sd0_xvbb/crlfisfz3.php?s=b9f44519b9f0ec7e6ff664cf63dd3570 to (original_ebd35132f0cbe33cd6eda047e6780dc7a634681d)
file: fetch_ebd35132f0cbe33cd6eda047e6780dc7a634681d: 10725 bytes
file: decoding_08b0f6208ce60a9789869a7fa6ac06ae824db592: 14450 bytes
file: decoding_c8b99dccec5b6aac216055f6c13f8080b4db7b09: 2440 bytes
file: decoding_ddeae331cb7b6bc4bf453feb8e7dbdc55556204d: 1980 bytes

Jsunpack URL [suspicious] input_upload

Sun, 05 Sep 2010 05:45:32 GMT

A url has been found[suspicious:5] input_upload
info: [decodingLevel=0] found JavaScript
info: DecodedGenericCLSID detected 6BF52A52-394A-11d3-B153-00C04F79FAA6 BD96C556-65A3-11D0-983A-00C04FC29E36 CA8A9780-280D-11CF-A24D-444553540000
info: DecodedIframe detected
suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
info: [javascript variable] URL=http: -J-jar -J\\\\195.5.161.10\\public\\java.jar http://promo-park.ru/grim/exe.php?exp=SMB none
info: [javascript variable] URL=promo-park.ru/grim/builds/exp_files/asx.asx
info: [javascript variable] URL=promo-park.ru/grim/builds/exp_files/hcp.html
info: [var hdf] URL=127.0.0.1/
info: [var code] URL=127.0.0.1/
info: [var antikiss0] URL=127.0.0.1/
info: [var antikiss1] URL=127.0.0.1/
info: [var antikiss2] URL=127.0.0.1/
info: [var antikiss3] URL=127.0.0.1/
info: [var antikiss4] URL=127.0.0.1/
info: [var antikiss5] URL=127.0.0.1/
info: [var antikiss6] URL=127.0.0.1/
info: [var antikiss7] URL=127.0.0.1/
info: [var antikiss8] URL=127.0.0.1/
info: [var antikiss9] URL=127.0.0.1/
info: [var antikiss10] URL=127.0.0.1/
info: [var antikiss11] URL=127.0.0.1/
info: [var antikiss12] URL=127.0.0.1/
info: [var antikiss13] URL=127.0.0.1/
info: [var antikiss14] URL=127.0.0.1/
info: [var antikiss15] URL=127.0.0.1/
info: [var antikiss16] URL=127.0.0.1/
info: [var antikiss17] URL=127.0.0.1/
info: [var antikiss18] URL=127.0.0.1/
info: [var antikiss19] URL=127.0.0.1/
info: [var antikiss20] URL=127.0.0.1/
info: [var antikiss21] URL=127.0.0.1/
info: [var antikiss22] URL=127.0.0.1/
info: [var antikiss23] URL=127.0.0.1/
info: [var antikiss24] URL=127.0.0.1/
info: [var antikiss25] URL=127.0.0.1/
info: [var antikiss26] URL=127.0.0.1/
info: [var antikiss27] URL=127.0.0.1/
info: [var antikiss28] URL=127.0.0.1/
info: [var antikiss29] URL=127.0.0.1/
info: [var antikiss30] URL=127.0.0.1/
info: [var antikiss31] URL=127.0.0.1/
info: [var antikiss32] URL=127.0.0.1/
info: [var antikiss33] URL=127.0.0.1/
info: [var antikiss34] URL=127.0.0.1/
info: [var antikiss35] URL=127.0.0.1/
info: [var antikiss36] URL=127.0.0.1/
info: [var antikiss37] URL=127.0.0.1/
info: [var antikiss38] URL=127.0.0.1/
info: [var antikiss39] URL=127.0.0.1/
info: [var antikiss40] URL=127.0.0.1/
info: [var antikiss41] URL=127.0.0.1/
info: [var antikiss42] URL=127.0.0.1/
info: [var antikiss43] URL=127.0.0.1/
info: [var antikiss44] URL=127.0.0.1/
info: [var antikiss45] URL=127.0.0.1/
info: [var antikiss46] URL=127.0.0.1/
info: [var antikiss47] URL=127.0.0.1/
info: [var antikiss48] URL=127.0.0.1/
info: [var antikiss49] URL=127.0.0.1/
info: [var antikiss50] URL=127.0.0.1/
info: [var antikiss51] URL=127.0.0.1/
info: [var antikiss52] URL=127.0.0.1/
info: [var antikiss53] URL=127.0.0.1/
info: [var antikiss54] URL=127.0.0.1/
info: [var antikiss55] URL=127.0.0.1/
info: [var antikiss56] URL=127.0.0.1/
info: [var antikiss57] URL=127.0.0.1/
info: [var antikiss58] URL=127.0.0.1/
info: [var antikiss59] URL=127.0.0.1/
info: [var antikiss60] URL=127.0.0.1/
info: [var antikiss61] URL=127.0.0.1/
info: [var antikiss62] URL=127.0.0.1/
info: [var antikiss63] URL=127.0.0.1/
info: [var antikiss64] URL=127.0.0.1/
info: [var antikiss65] URL=127.0.0.1/
info: [var antikiss66] URL=127.0.0.1/
info: [var antikiss67] URL=127.0.0.1/
info: [var antikiss68] URL=127.0.0.1/
info: [var antikiss69] URL=127.0.0.1/
info: [var antikiss70] URL=127.0.0.1/
info: [var antikiss71] URL=127.0.0.1/
info: [var antikiss72] URL=127.0.0.1/
info: [var antikiss73] URL=127.0.0.1/
info: [var antikiss74] URL=127.0.0.1/
info: [var antikiss75] URL=127.0.0.1/
info: [var antikiss76] URL=127.0.0.1/
info: [var antikiss77] URL=127.0.0.1/
info: [var antikiss78] URL=127.0.0.1/
info: [var antikiss79] URL=127.0.0.1/
info: [var antikiss80] URL=127.0.0.1/
info: [var antikiss81] URL=127.0.0.1/
info: [var antikiss82] URL=127.0.0.1/
info: [var antikiss83] URL=127.0.0.1/
info: [var antikiss84] URL=127.0.0.1/
info: [var antikiss85] URL=127.0.0.1/
info: [var antikiss86] URL=127.0.0.1/
info: [var antikiss87] URL=127.0.0.1/
info: [var antikiss88] URL=127.0.0.1/
info: [var antikiss89] URL=127.0.0.1/
info: [var antikiss90] URL=127.0.0.1/
info: [var antikiss91] URL=127.0.0.1/
info: [var antikiss92] URL=127.0.0.1/
info: [var antikiss93] URL=127.0.0.1/
info: [var antikiss94] URL=127.0.0.1/
info: [var antikiss95] URL=127.0.0.1/
info: [var antikiss96] URL=127.0.0.1/
info: [var antikiss97] URL=127.0.0.1/
info: [var antikiss98] URL=127.0.0.1/
info: [var antikiss99] URL=127.0.0.1/
info: [var antikiss100] URL=127.0.0.1/
info: [var antikiss101] URL=127.0.0.1/
info: [var antikiss102] URL=127.0.0.1/
info: [var antikiss103] URL=127.0.0.1/
info: [var antikiss104] URL=127.0.0.1/
info: [var antikiss105] URL=127.0.0.1/
info: [var antikiss106] URL=127.0.0.1/
info: [var antikiss107] URL=127.0.0.1/
info: [var antikiss108] URL=127.0.0.1/
info: [var antikiss109] URL=127.0.0.1/
info: [var antikiss110] URL=127.0.0.1/
info: [var antikiss111] URL=127.0.0.1/
info: [var antikiss112] URL=127.0.0.1/
info: [var antikiss113] URL=127.0.0.1/
info: [var antikiss114] URL=127.0.0.1/
info: [var antikiss115] URL=127.0.0.1/
info: [var antikiss116] URL=127.0.0.1/
info: [var antikiss117] URL=127.0.0.1/
info: [var antikiss118] URL=127.0.0.1/
info: [var antikiss119] URL=127.0.0.1/
info: [var antikiss120] URL=127.0.0.1/
info: [var antikiss121] URL=127.0.0.1/
info: [var antikiss122] URL=127.0.0.1/
info: [var antikiss123] URL=127.0.0.1/
info: [var antikiss124] URL=127.0.0.1/
info: [var antikiss125] URL=127.0.0.1/
info: [var antikiss126] URL=127.0.0.1/
info: [var antikiss127] URL=127.0.0.1/
info: [var antikiss128] URL=127.0.0.1/
info: [var antikiss129] URL=127.0.0.1/
info: [var antikiss130] URL=127.0.0.1/
info: [var antikiss131] URL=127.0.0.1/
info: [var antikiss132] URL=127.0.0.1/
info: [var antikiss133] URL=127.0.0.1/
info: [var antikiss134] URL=127.0.0.1/
info: [var antikiss135] URL=127.0.0.1/
info: [var antikiss136] URL=127.0.0.1/
info: [var antikiss137] URL=127.0.0.1/
info: [var antikiss138] URL=127.0.0.1/
info: [var antikiss139] URL=127.0.0.1/
info: [var antikiss140] URL=127.0.0.1/
info: [var antikiss141] URL=127.0.0.1/
info: [var antikiss142] URL=127.0.0.1/
info: [var antikiss143] URL=127.0.0.1/
info: [var antikiss144] URL=127.0.0.1/
info: [var antikiss145] URL=127.0.0.1/
info: [var antikiss146] URL=127.0.0.1/
info: [var antikiss147] URL=127.0.0.1/
info: [var antikiss148] URL=127.0.0.1/
info: [var antikiss149] URL=127.0.0.1/
info: [var antikiss150] URL=127.0.0.1/
info: [var antikiss151] URL=127.0.0.1/
info: [var antikiss152] URL=127.0.0.1/
info: [var antikiss153] URL=127.0.0.1/
info: [var antikiss154] URL=127.0.0.1/
info: [var antikiss155] URL=127.0.0.1/
info: [var antikiss156] URL=127.0.0.1/
info: [var antikiss157] URL=127.0.0.1/
info: [var antikiss158] URL=127.0.0.1/
info: [var antikiss159] URL=127.0.0.1/
info: [var antikiss160] URL=127.0.0.1/
info: [var antikiss161] URL=127.0.0.1/
info: [var antikiss162] URL=127.0.0.1/
info: [var antikiss163] URL=127.0.0.1/
info: [var antikiss164] URL=127.0.0.1/
info: [var antikiss165] URL=127.0.0.1/
info: [var antikiss166] URL=127.0.0.1/
info: [var antikiss167] URL=127.0.0.1/
info: [var antikiss168] URL=127.0.0.1/
info: [var antikiss169] URL=127.0.0.1/
info: [var antikiss170] URL=127.0.0.1/
info: [var antikiss171] URL=127.0.0.1/
info: [var antikiss172] URL=127.0.0.1/
info: [var antikiss173] URL=127.0.0.1/
info: [var antikiss174] URL=127.0.0.1/
info: [var antikiss175] URL=127.0.0.1/
info: [var antikiss176] URL=127.0.0.1/
info: [var antikiss177] URL=127.0.0.1/
info: [var antikiss178] URL=127.0.0.1/
info: [var antikiss179] URL=127.0.0.1/
info: [var antikiss180] URL=127.0.0.1/
info: [var antikiss181] URL=127.0.0.1/
info: [var antikiss182] URL=127.0.0.1/
info: [var antikiss183] URL=127.0.0.1/
info: [var antikiss184] URL=127.0.0.1/
info: [var antikiss185] URL=127.0.0.1/
info: [var antikiss186] URL=127.0.0.1/
info: [var antikiss187] URL=127.0.0.1/
info: [var antikiss188] URL=127.0.0.1/
info: [var antikiss189] URL=127.0.0.1/
info: [var antikiss190] URL=127.0.0.1/
info: [var antikiss191] URL=127.0.0.1/
info: [var antikiss192] URL=127.0.0.1/
info: [var antikiss193] URL=127.0.0.1/
info: [var antikiss194] URL=127.0.0.1/
info: [var antikiss195] URL=127.0.0.1/
info: [var antikiss196] URL=127.0.0.1/
info: [var antikiss197] URL=127.0.0.1/
info: [var antikiss198] URL=127.0.0.1/
info: [var antikiss199] URL=127.0.0.1/
info: [var antikiss200] URL=127.0.0.1/
info: [var antikiss201] URL=127.0.0.1/
info: [var antikiss202] URL=127.0.0.1/
info: [var antikiss203] URL=127.0.0.1/
info: [var antikiss204] URL=127.0.0.1/
info: [var antikiss205] URL=127.0.0.1/
info: [var antikiss206] URL=127.0.0.1/
info: [var antikiss207] URL=127.0.0.1/
info: [var antikiss208] URL=127.0.0.1/
info: [var antikiss209] URL=127.0.0.1/
info: [var antikiss210] URL=127.0.0.1/
info: [var antikiss211] URL=127.0.0.1/
info: [var antikiss212] URL=127.0.0.1/
info: [var antikiss213] URL=127.0.0.1/
info: [var antikiss214] URL=127.0.0.1/
info: [var antikiss215] URL=127.0.0.1/
info: [var antikiss216] URL=127.0.0.1/
info: [var antikiss217] URL=127.0.0.1/
info: [var antikiss218] URL=127.0.0.1/
info: [var antikiss219] URL=127.0.0.1/
info: [var antikiss220] URL=127.0.0.1/
info: [var antikiss221] URL=127.0.0.1/
info: [var antikiss222] URL=127.0.0.1/
info: [var antikiss223] URL=127.0.0.1/
info: [var antikiss224] URL=127.0.0.1/
info: [var antikiss225] URL=127.0.0.1/
info: [var antikiss226] URL=127.0.0.1/
info: [var antikiss227] URL=127.0.0.1/
info: [var antikiss228] URL=127.0.0.1/
info: [var antikiss229] URL=127.0.0.1/
info: [var antikiss230] URL=127.0.0.1/
info: [var antikiss231] URL=127.0.0.1/
info: [var antikiss232] URL=127.0.0.1/
info: [var antikiss233] URL=127.0.0.1/
info: [var antikiss234] URL=127.0.0.1/
info: [var antikiss235] URL=127.0.0.1/
info: [var antikiss236] URL=127.0.0.1/
info: [var antikiss237] URL=127.0.0.1/
info: [var antikiss238] URL=127.0.0.1/
info: [var antikiss239] URL=127.0.0.1/
info: [var antikiss240] URL=127.0.0.1/
info: [var antikiss241] URL=127.0.0.1/
info: [var antikiss242] URL=127.0.0.1/
info: [var antikiss243] URL=127.0.0.1/
info: [var antikiss244] URL=127.0.0.1/
info: [var antikiss245] URL=127.0.0.1/
info: [var antikiss246] URL=127.0.0.1/
info: [var antikiss247] URL=127.0.0.1/
info: [var antikiss248] URL=127.0.0.1/
info: [var antikiss249] URL=127.0.0.1/
info: [var antikiss250] URL=127.0.0.1/
info: [var antikiss251] URL=127.0.0.1/
info: [var antikiss252] URL=127.0.0.1/
info: [var antikiss253] URL=127.0.0.1/
info: [var antikiss254] URL=127.0.0.1/
info: [var antikiss255] URL=127.0.0.1/
info: [var antikiss256] URL=127.0.0.1/
info: [var antikiss257] URL=127.0.0.1/
info: [var antikiss258] URL=127.0.0.1/
info: [var antikiss259] URL=127.0.0.1/
info: [var antikiss260] URL=127.0.0.1/
info: [var antikiss261] URL=127.0.0.1/
info: [var antikiss262] URL=127.0.0.1/
info: [var antikiss263] URL=127.0.0.1/
info: [var antikiss264] URL=127.0.0.1/
info: [var antikiss265] URL=127.0.0.1/
info: [var antikiss266] URL=127.0.0.1/
info: [var antikiss267] URL=127.0.0.1/
info: [var antikiss268] URL=127.0.0.1/
info: [var antikiss269] URL=127.0.0.1/
info: [var antikiss270] URL=127.0.0.1/
info: [var antikiss271] URL=127.0.0.1/
info: [var antikiss272] URL=127.0.0.1/
info: [var antikiss273] URL=127.0.0.1/
info: [var antikiss274] URL=127.0.0.1/
info: [var antikiss275] URL=127.0.0.1/
info: [var antikiss276] URL=127.0.0.1/
info: [var antikiss277] URL=127.0.0.1/
info: [var antikiss278] URL=127.0.0.1/
info: [var antikiss279] URL=127.0.0.1/
info: [var antikiss280] URL=127.0.0.1/
info: [var antikiss281] URL=127.0.0.1/
info: [var antikiss282] URL=127.0.0.1/
info: [var antikiss283] URL=127.0.0.1/
info: [var antikiss284] URL=127.0.0.1/
info: [var antikiss285] URL=127.0.0.1/
info: [var antikiss286] URL=127.0.0.1/
info: [var antikiss287] URL=127.0.0.1/
info: [var antikiss288] URL=127.0.0.1/
info: [var antikiss289] URL=127.0.0.1/
info: [var antikiss290] URL=127.0.0.1/
info: [var antikiss291] URL=127.0.0.1/
info: [var antikiss292] URL=127.0.0.1/
info: [var antikiss293] URL=127.0.0.1/
info: [var antikiss294] URL=127.0.0.1/
info: [var antikiss295] URL=127.0.0.1/
info: [var antikiss296] URL=127.0.0.1/
info: [var antikiss297] URL=127.0.0.1/
info: [var antikiss298] URL=127.0.0.1/
info: [var antikiss299] URL=127.0.0.1/
info: [var antikiss300] URL=127.0.0.1/
info: [var newurl] URL=127.0.0.1/
info: [iframe] 127.0.0.1/
info: [iframe] 127.0.0.1/builds/exp_files/pdf.pdf
info: [decodingLevel=1] found JavaScript
error: line:5486: SyntaxError: missing } after try block:
error: line:5486:
error: line:5486: ^
info: file: saved input_upload to (original_d8dafaab60755e5d636ebd9909f77681ddff164e)
file: stream_d8dafaab60755e5d636ebd9909f77681ddff164e: 25726 bytes
file: decoding_036509b781999efbffdf5a106b5d27581c0d34ed: 1400475 bytes

Jsunpack URL [suspicious] input_upload

Sun, 05 Sep 2010 05:32:53 GMT

Jsunpack URL [suspicious] juju.hani.co.kr/style/2.html

Sun, 05 Sep 2010 05:28:19 GMT

A url has been found[suspicious:5] (ipaddr:218.236.10.10) juju.hani.co.kr/style/2.html
status: (referer=www.google.com/trends/hottrends)saved 1484 bytes fetch_78d8519f5c563149cf6a3be0a35c9a763e27b2f7
suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
info: [script] juju.hani.co.kr/style/top.jpg
info: [script] juju.hani.co.kr/style/cook.jpg
info: [script] juju.hani.co.kr/style/cook1.jpg
info: [script] juju.hani.co.kr/style/root.jpg
info: [decodingLevel=0] found JavaScript
error: undefined variable Hide
error: line:11: SyntaxError: missing ; before statement:
error: line:11: <script src="top.jpg"></script>
error: line:11: .^
info: file: saved juju.hani.co.kr/style/2.html to (original_78d8519f5c563149cf6a3be0a35c9a763e27b2f7)
file: fetch_78d8519f5c563149cf6a3be0a35c9a763e27b2f7: 1484 bytes

Jsunpack URL [malicious] info.casadosconcursos.com/simulado/cvct.htm

Sun, 05 Sep 2010 05:25:42 GMT

A url has been found[malicious:10] (ipaddr:74.55.98.50) info.casadosconcursos.com/simulado/cvct.htm
status: (referer=www.google.com/trends/hottrends)saved 14520 bytes fetch_656fedc4af7ee5c12247ac5c2a036a65378f6a64
info: [decodingLevel=0] found JavaScript
malicious: MSOfficeWebComponents CVE-2009-1136 detected msDataSourceObject OWC10.Spreadsheet
info: [decodingLevel=1] found JavaScript
suspicious: script analysis exceeded 30 seconds (incomplete) 63763 bytes
malicious: Alert detected //alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called 1000 times)
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Binary Threshold //warning CVE-NO-MATCH Shellcode Engine Length 65536
suspicious: shellcode of length 499/320
malicious: shellcode URL=info.casadosconcursos.com/simulado/zcv.gif
info: [2] no JavaScript
info: file: saved info.casadosconcursos.com/simulado/cvct.htm to (original_656fedc4af7ee5c12247ac5c2a036a65378f6a64)
file: fetch_656fedc4af7ee5c12247ac5c2a036a65378f6a64: 14520 bytes
file: decoding_f095c70fee213b58ff2cd5e8b29bb4dc27227784: 7123 bytes
file: timeout_0d9eb796d1d803194060e9f160487ff78273a884: 7326 bytes
file: decoding_5974e69bb32b77f5516abd447ccd186ae1f379f7: 63763 bytes
file: shellcode_27a7a155f9bb0cb7d0dcf37fc99c266793d2ae14: 499 bytes

Jsunpack URL [malicious] info.casadosconcursos.com/simulado/zcv.gif

Sun, 05 Sep 2010 05:25:42 GMT

A url has been found[malicious:10] (ipaddr:74.55.98.50) [MZ] (shellcode) info.casadosconcursos.com/simulado/zcv.gif
status: (referer=info.casadosconcursos.com/simulado/cvct.htm)saved 78336 bytes fetch_b76a94a81aebe736c9023c95ff2a255bcc09bfc3
info: [0] executable file
malicious: client download shellcode URL (executable) saved (incident_b76a94a81aebe736c9023c95ff2a255bcc09bfc3)
info: file: saved info.casadosconcursos.com/simulado/zcv.gif to (original_b76a94a81aebe736c9023c95ff2a255bcc09bfc3)
file: fetch_b76a94a81aebe736c9023c95ff2a255bcc09bfc3: 78336 bytes

Jsunpack URL [suspicious] www.nacta.edu.cn/_layouts/2052/ows.js

Sun, 05 Sep 2010 01:37:20 GMT

A url has been found[suspicious:5] (ipaddr:202.106.151.20) (script) www.nacta.edu.cn/_layouts/2052/ows.js
status: (referer=www.nacta.edu.cn/)saved 482128 bytes fetch_98135d45af3a32890b2fe923146e12436de4a40e
info: [iframe] www.nacta.edu.cn/_layouts/2052/
info: [img] www.nacta.edu.cn/_layouts/2052/
info: [script] www.nacta.edu.cn/_layouts/2052/
info: [decodingLevel=0] found JavaScript
suspicious: shellcode of length 326/170
suspicious: shellcode of length 72/36
suspicious: shellcode of length 132/66
suspicious: shellcode of length 145/119
suspicious: shellcode of length 52/26
suspicious: shellcode of length 51/28
suspicious: shellcode of length 169/114
suspicious: shellcode of length 328/171
suspicious: shellcode of length 202/103
suspicious: shellcode of length 56/28
suspicious: shellcode of length 160/111
suspicious: shellcode of length 81/41
suspicious: shellcode of length 112/87
info: [1] no JavaScript
info: file: saved www.nacta.edu.cn/_layouts/2052/ows.js to (original_98135d45af3a32890b2fe923146e12436de4a40e)
file: fetch_98135d45af3a32890b2fe923146e12436de4a40e: 482128 bytes
file: decoding_6b26ea10fca3ed2a61421ea4189dce98a6653070: 27277 bytes
file: shellcode_48b2f9607977915f3418bbb52daced8d9b9b1fc1: 326 bytes
file: shellcode_f22bc1564d77d7aae28a265ec434fc939a1b32e3: 72 bytes
file: shellcode_9ab6abd3778edb2f6a1cee7f43b5e1fac18ec326: 132 bytes
file: shellcode_55d19f7571fc7a3f7424d8d76764fb62e27681d5: 145 bytes
file: shellcode_f0e6f4f81e34747fd6847c68e12f9d732bde0e60: 52 bytes
file: shellcode_56bce1b447b04491eb0411c2f52abe547f1a63f4: 51 bytes
file: shellcode_99fab05a93adf9f966c51b0dd6773e6d08556bc4: 169 bytes
file: shellcode_078cf28e73774fca71b746c1d19994877040ba6b: 328 bytes
file: shellcode_0523e77f3225f6d7dbf53c358421ac5ba182cbc2: 202 bytes
file: shellcode_6d972b7e121df2ea450fc7b92a5e90c9e5bd7230: 56 bytes
file: shellcode_4e496b94384ddab767b1c187a56f99ded71b4db5: 160 bytes
file: shellcode_f32f24bd1ed19f73ccf2eb5aac2fdc4eaddf5310: 328 bytes
file: shellcode_72faea08b0f8577fe4851b8c4f668762034f2e65: 81 bytes
file: shellcode_045d30708219f0b1afc861a280ea66e2558719c3: 112 bytes

Jsunpack URL [suspicious] 715.st3h.com/715/a6.htm

Sat, 04 Sep 2010 05:41:01 GMT

A url has been found[suspicious:5] (ipaddr:58.64.149.17) (iframe) 715.st3h.com/715/a6.htm
status: (referer=715.st3h.com/715/max.gif)saved 848 bytes fetch_436dcc82d16b4f1a9b9ba1d823d2d0e57557dc71
suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
info: [script] 715.st3h.com/715/ah0.js
info: [script] 715.st3h.com/715/ah1.js
info: [script] 715.st3h.com/715/ah2.js
info: [script] 715.st3h.com/715/ah3.js
info: [decodingLevel=0] found JavaScript
info: file: saved 715.st3h.com/715/a6.htm to (original_436dcc82d16b4f1a9b9ba1d823d2d0e57557dc71)
file: fetch_436dcc82d16b4f1a9b9ba1d823d2d0e57557dc71: 848 bytes

Jsunpack URL [malicious] input_upload

Sat, 04 Sep 2010 04:38:41 GMT

A url has been found[malicious:10] [PDF] input_upload
info: [decodingLevel=0] JavaScript in PDF 4146 bytes, with 947 bytes headers
info: [decodingLevel=1] found JavaScript
suspicious: script analysis exceeded 30 seconds (incomplete) 997 bytes
malicious: mediaNewplayer CVE-2009-4324 detected
malicious: Alert detected //alert CVE-2009-4324 media.newPlayer with NULL parameter
suspicious: Warning detected //warning CVE-2009-4324 printd access //warning CVE-NO-MATCH Shellcode Engine Binary Threshold
malicious: shellcode of length 240/120
info: [decodingLevel=2] found JavaScript
info: file: saved input_upload to (original_2441c7a2594eeb193d25bd0c3d1fbf649fd907f1)
file: stream_2441c7a2594eeb193d25bd0c3d1fbf649fd907f1: 1282132 bytes
file: decoding_7c443fa2f5cc39c5d69bc73bc7828e4a257692c3: 5093 bytes
file: timeout_3beb1056cd92356c51d3ee22f38cd7d7482d8691: 5123 bytes
file: decoding_8e7d7b66148cdb73d6b8f388f518b48ecaf81c37: 997 bytes
file: shellcode_af9664839f4b9a43aa9c4427ed6398fd31753073: 240 bytes

Jsunpack URL [malicious] input_upload

Fri, 03 Sep 2010 10:40:14 GMT

A url has been found[malicious:10] [PDF] input_upload
info: [decodingLevel=0] JavaScript in PDF 3816 bytes, with 87 bytes headers
info: [decodingLevel=1] found JavaScript
suspicious: script analysis exceeded 30 seconds (incomplete) 1463 bytes
info: Decoding option app.viewerVersion=, 1275 bytes
info: Decoding option app.viewerVersion=9.1, 1463 bytes
malicious: mediaNewplayer CVE-2009-4324 detected
malicious: Alert detected //alert CVE-2009-4324 media.newPlayer with NULL parameter
suspicious: Warning detected //warning CVE-2009-4324 printd access //warning CVE-NO-MATCH Shellcode Engine Length 65536
info: [decodingLevel=2] found JavaScript
suspicious: script analysis exceeded 30 seconds (incomplete) 188 bytes
info: Decoding option app.viewerVersion=, 0 bytes
info: Decoding option app.viewerVersion=9.1, 188 bytes
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Length 65536 //warning CVE-2009-4324 printd access
info: [3] no JavaScript
info: file: saved input_upload to (original_a9b4687909d3fd1144f1f76a0e428e87e37baa54)
file: stream_a9b4687909d3fd1144f1f76a0e428e87e37baa54: 3627 bytes
file: decoding_715350024cfdecd51cca182c8cbef604518afaa4: 3903 bytes
file: timeout_15a9e0092ef0321e27bef17189a9d673118e7161: 3936 bytes
file: decoding_a10614975a40ff7146175d4fd9490b4ca1da9a5f: 1463 bytes
file: timeout_ae81ce0c6eed3b572c5abba2136f3a6e66d3cbbd: 1583 bytes
file: decoding_b6b7959c20081d43e0c4b9ee6e8411dc226fd9bd: 188 bytes

Jsunpack URL [malicious] input_upload

Fri, 03 Sep 2010 10:37:50 GMT

A url has been found[malicious:10] [PDF] input_upload
info: [decodingLevel=0] JavaScript in PDF 684 bytes, with 219508 bytes headers
info: [decodingLevel=1] found JavaScript
malicious: Utilprintf CVE-2008-2992 detected
malicious: collectEmailInfo CVE-2007-5659 detected
malicious: CollabgetIcon CVE-2009-0927 detected
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode Engine Binary Threshold //warning CVE-NO-MATCH Shellcode Engine Length 65536
info: [decodingLevel=2] found JavaScript
error: undefined variable caDzyc8wlduDEopQE1zB
info: [3] no JavaScript
info: file: saved input_upload to (original_0ca859da531c860e251071a2b34908a21aeafa9b)
file: stream_0ca859da531c860e251071a2b34908a21aeafa9b: 6147 bytes
file: decoding_aa2b0e93a4365d820c09caddf08e110c71f6bc13: 220192 bytes
file: decoding_361f3455b6c7febda06eab34321c24f8011b7f8c: 5129 bytes
file: decoding_cb5cb1d81953e5c8b45bea653da5c9e21afb4219: 188 bytes

Jsunpack URL [suspicious] www.duebiinformatica.it/ScriptResource.axd?d=6yyIwUpM9iBFyQzFdI3oWLPprsOMmPCHGu8bveYb-06hETiBmqkAqYfDpRmkUfB10gaP-6b2lok66caJLekGzScjtblX4HAB0&t=ffffffffedcab5ac

Fri, 03 Sep 2010 09:53:37 GMT

A url has been found[suspicious:5] (ipaddr:62.149.169.89) (script) www.duebiinformatica.it/ScriptResource.axd?d=6yyIwUpM9iBFyQzFdI3oWLPprsOMmPCHGu8bveYb-06hETiBmqkAqYfDpRmkUfB10gaP-6b2lok66caJLekGzScjtblX4HAB0&t=ffffffffedcab5ac
status: (referer=www.duebiinformatica.it/)saved 99917 bytes fetch_9bc290eef33b6ea12cd01673e9e5650e3cddb523
info: [decodingLevel=0] found JavaScript
suspicious: shellcode of length 2273/2272
info: [1] no JavaScript
info: file: saved www.duebiinformatica.it/ScriptResource.axd?d=6yyIwUpM9iBFyQzFdI3oWLPprsOMmPCHGu8bveYb-06hETiBmqkAqYfDpRmkUfB10gaP-6b2lok66caJLekGzScjtblX4HAB0&t=ffffffffedcab5ac to (original_9bc290eef33b6ea12cd01673e9e5650e3cddb523)
file: fetch_9bc290eef33b6ea12cd01673e9e5650e3cddb523: 99917 bytes
file: decoding_48829004c4eff70d7e05f7eaeed379a56bfb6762: 8201 bytes
file: shellcode_7b81092230c13e888a49d34c6f45d8c47177b91c: 2273 bytes

Jsunpack URL [malicious] input_upload

Fri, 03 Sep 2010 07:13:27 GMT

A url has been found[malicious:10] [PDF] input_upload
info: [decodingLevel=0] JavaScript in PDF 1336 bytes, with 47982 bytes headers
info: [decodingLevel=1] found JavaScript
error: line:15: ReferenceError: reference to undefined XML name @var
malicious: Utilprintf CVE-2008-2992 detected
malicious: mediaNewplayer CVE-2009-4324 detected
malicious: collectEmailInfo CVE-2007-5659 detected
malicious: CollabgetIcon CVE-2009-0927 detected
info: [decodingLevel=2] found JavaScript
error: line:18: ReferenceError: reference to undefined XML name @var
info: file: saved input_upload to (original_30da68bb24607f0ed2da84506734a412934245b0)
file: stream_30da68bb24607f0ed2da84506734a412934245b0: 4778 bytes
file: decoding_ebd603c2c174a443b6b85bcb73155a578bc05f62: 49318 bytes
file: decoding_75016b29927ef22360f1b3515e5c1bde6a0cf223: 3328 bytes

Jsunpack Recent URLs

Jsunpack URL [malicious] input_upload

Jsunpack URL [suspicious] input_script

Jsunpack URL [suspicious] xg.st3h.com/a6.htm

Jsunpack URL [malicious] voiptelesat.com/pdhcu.htm

Jsunpack URL [malicious] input_script

Jsunpack URL [malicious] www.xzjiayuan.com/ad/ad.htm

Jsunpack URL [malicious] input_upload

Jsunpack URL [malicious] www.faloge.com/js/news.html

Jsunpack URL [malicious] www.faloge.com/js/ad.htm

Jsunpack URL [malicious] www.exinwl.com/images/s.exe

Jsunpack URL [malicious] input_script

Jsunpack URL [malicious] input_script

Jsunpack URL [malicious] diablade.com/order/d.exe

Jsunpack URL [malicious] input_script

Jsunpack URL [suspicious] input_script

Jsunpack URL [malicious] input_script

Jsunpack URL [suspicious] input_upload

Jsunpack URL [suspicious] audo20s.in/retn/h7238sd0_xvbb/crlfisfz3.php?s=b9f44519b9f0ec7e6ff664cf63dd3570

Jsunpack URL [suspicious] input_upload

Jsunpack URL [suspicious] input_upload

Jsunpack URL [suspicious] juju.hani.co.kr/style/2.html

Jsunpack URL [malicious] info.casadosconcursos.com/simulado/cvct.htm

Jsunpack URL [malicious] info.casadosconcursos.com/simulado/zcv.gif

Jsunpack URL [suspicious] www.nacta.edu.cn/_layouts/2052/ows.js

Jsunpack URL [suspicious] 715.st3h.com/715/a6.htm

Jsunpack URL [malicious] input_upload

Jsunpack URL [malicious] input_upload

Jsunpack URL [malicious] input_upload

Jsunpack URL [suspicious] www.duebiinformatica.it/ScriptResource.axd?d=6yyIwUpM9iBFyQzFdI3oWLPprsOMmPCHGu8bveYb-06hETiBmqkAqYfDpRmkUfB10gaP-6b2lok66caJLekGzScjtblX4HAB0&amp;t=ffffffffedcab5ac

Jsunpack URL [malicious] input_upload

Jsunpack URL [suspicious] www.duebiinformatica.it/ScriptResource.axd?d=6yyIwUpM9iBFyQzFdI3oWLPprsOMmPCHGu8bveYb-06hETiBmqkAqYfDpRmkUfB10gaP-6b2lok66caJLekGzScjtblX4HAB0&t=ffffffffedcab5ac