203.135.164.79 – Malware Domain

June 6, 2011 by NightWatcher
Filed under: Malware Domain (Solved!)

Fix it immediately:

The site 203.135.164.79 is used to spread malware. Protect your computer against this site: 203.135.164.79.
Delete the lines containing 203.135.164.79 from the %SysDir%\drivers\etc\hosts file.

Removed all rows with "203.135.164.79" from the "%SysDir%\drivers\etc\hosts" file.

Executed Malware: jorge.exe

—————————————————————————————————————————-
How to quickly detect malware presence?

Files modified:
C:\WINDOWS\system32\drivers\etc\hosts

—————————————————————————————————————————-
Classification:

Antivirus   Version        Last Update   Result
F-Secure    9.0.16440.0    2011.06.01    -
Kaspersky   9.0.0.837      2011.06.01    Trojan.Win32.Hosts2.gen
Microsoft   1.6903         2011.06.01    TrojanDownloader:Win32/Delf.MU
NOD32       6171           2011.06.01    a variant of Win32/Qhost.OGZ

—————————————————————————————————————————-

MD5 60fc10743906fb9fab1e40c682bc728b

SHA1 287f4345e0d2fb06c98c81937112a32986b877db

SHA256 887842fa47dac95635e77aea89554ca7ccf697127790394ac986890b9780cd1a

—————————————————————————————————————————-


Installation
When the program is executed, it makes the following changes on the system:

———————————-
Files [attributes?] modified: 1
———————————-
C:\WINDOWS\system32\drivers\etc\hosts

———————————-
Total changes: 1
———————————-

The HOSTS file contains:
—————————————————————————————————————————-
194.168.33.110 atletico
11.11.1.98 america
12.44.11.1 flamengo
110.200.1.4 palmeras
98.12.32.31 corithians
112.168.252.10 botafogo
19.23.11.30 vasco
18.12.34.42 cruzeiro

211.227.233.242 www.banespa.com.br # GbPluguin
211.227.233.242 banespa.com.br # GbPluguin
211.227.233.242 www.santander.com.br # GbPluguin
211.227.233.242 santander.com.br # GbPluguin
216.250.215.158 caixa.com.br # GbPluguin
216.250.215.158 www.cef.gov.br # GbPluguin
216.250.215.158 cef.gov.br # GbPluguin
216.250.215.158 www.cef.com.br # GbPluguin
216.250.215.158 www.caixa.gov.br # GbPluguin
216.250.215.158 caixa.gov.br # GbPluguin
216.250.215.158 www.caixa.com.br # GbPluguin
203.135.164.79 live.com # GbPluguin
203.135.164.79 www.live.com # GbPluguin
203.135.164.79 www.msn.com # GbPluguin
216.250.215.158 cef.com.br # GbPluguin
216.250.215.158 internetbanking.caixa.gov.br # GbPluguin
216.250.215.158 internetbanking.caixa.com.br # GbPluguin
216.250.215.158 internetbanking.cef.gov.br # GbPluguin

216.250.215.158 internetbanking.cef.com.br # GbPluguin
211.227.233.242 www.e-gold.com.br # GbPluguin
211.227.233.242 e-gold.com.br # GbPluguin
211.227.233.242 www.e-gold.com # GbPluguin
211.227.233.242 e-gold.com # GbPluguin
216.250.215.158 www.bradescoprime.com.br # GbPluguin
216.250.215.158 www.cetelem.com.br # GbPluguin
216.250.215.158 cetelem.com.br # GbPluguin
216.250.215.158 www.cartaoaura.com.br # GbPluguin
203.135.164.79 msn.com # GbPluguin
203.135.164.79 www.msn.com.br # GbPluguin
203.135.164.79 login.live.com # GbPluguin
216.250.215.158 cartaoaura.com.br # GbPluguin
216.250.215.158 bradescoprime.com.br # GbPluguin
216.250.215.158 www.itaupersonnalite.com.br # GbPluguin
216.250.215.158 itaupersonnalite.com.br # GbPluguin
211.227.233.242 americanexpress.com.br # GbPluguin
211.227.233.242 www.sicredi.com.br # GbPluguin
216.250.215.158 sicredi.com.br # GbPluguin
216.250.215.158 portal.sicredi.com.br # GbPluguin
211.227.233.242 www.realsecureweb.com.br # GbPluguin
211.227.233.242 realsecureweb.com.br # GbPluguin
203.135.164.79 www.hotmail.com # GbPluguin
203.135.164.79 hotmail.com # GbPluguin
211.227.233.242 www.americanexpress.com.br # GbPluguin
211.227.233.242 www.americanexpress.com # GbPluguin
211.227.233.242 www.real.com.br # GbPluguin
211.227.233.242 www.bancoreal.com.br # GbPluguin
211.227.233.242 real.com.br # GbPluguin
211.227.233.242 bancoreal.com.br # GbPluguin
203.135.164.79 www.hotmail.com.br # GbPluguin
203.135.164.79 hotmail.com.br # GbPluguin
216.250.215.158 itau.com.br # GbPluguin
216.250.215.158 www.itau.com # GbPluguin
216.250.215.158 itau.com # GbPluguin
211.227.233.242 imagem.caixa.gov.br # GbPluguin
211.227.233.242 imagem.caixa.com.br # GbPluguin
211.227.233.242 imagem.cef.gov.br # GbPluguin
211.227.233.242 imagem.cef.com.br # GbPluguin
216.250.215.158 www.bradesco.com.br # GbPluguin
216.250.215.158 bradesco.com.br # GbPluguin
216.250.215.158 www.bradesco.com # GbPluguin
216.250.215.158 bradesco.com # GbPluguin
216.250.215.158 www.itau.com.br # GbPluguin
211.227.233.242 www.realsecureweb.com.br # GbPluguin
211.227.233.242 wws.realsecureweb.com.br # GbPluguin
211.227.233.242 wwws.realsecureweb.com.br # GbPluguin
211.227.233.242 realsecureweb.com.br # GbPluguin
211.227.233.242 realveringsize.com.br # GbPluguin

191.168.33.110 internacional
12.11.1.98 gremio
12.44.11.1 pontepreta
120.200.1.4 sao.paulo

—————————————————————————————————————————-
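The hosts file above is the whole payload of this sample: every banking and webmail name is pinned to an attacker-controlled public address, so the system resolves them without ever asking DNS. The following is an added example, not code from the post or from the tools it recommends, showing how a defender can check a hosts file for this kind of hijack and apply the removal step described at the top of the post (drop every line that maps a name to the malicious address). The sample hosts text is constructed for this example from a few of the lines shown above plus the normal localhost entries; the blocklist is just the address this post is about.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: a few lines in the shape of the hijacked hosts file shown
# above, plus the legitimate loopback entries a clean Windows hosts file carries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
194.168.33.110 atletico
203.135.164.79 login.live.com # GbPluguin
216.250.215.158 internetbanking.caixa.gov.br # GbPluguin
211.227.233.242 www.santander.com.br # GbPluguin
"""

# Address from this post; any real deployment would load its own blocklist.
KNOWN_BAD = frozenset({"203.135.164.79"})


def _is_local(ip) -> bool:
    """A legitimate hosts entry normally points at loopback or a LAN address."""
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def parse_hosts(text: str) -> List[Tuple[int, str, List[str], str]]:
    """Return (line_no, address, [hostnames], comment) for every entry line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line, _, comment = raw.partition("#")
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line: nothing resolves from it
        entries.append((n, parts[0], parts[1:], comment.strip()))
    return entries


def find_hijacks(text: str, blocklist=frozenset()) -> List[Tuple[int, str, List[str], str]]:
    """Flag entries that pin a name to a blocklisted or public (non-local) address."""
    findings = []
    for n, ip_str, names, _comment in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            findings.append((n, ip_str, names, "unparseable address"))
            continue
        if ip_str in blocklist:
            findings.append((n, ip_str, names, "address on blocklist"))
        elif not _is_local(ip):
            findings.append((n, ip_str, names, "public address in hosts file"))
    return findings


def clean_hosts(text: str, remove_ips) -> Tuple[str, int]:
    """Drop every entry line whose address is in remove_ips; keep all other lines.

    This is the post's removal step ("delete the lines containing 203.135.164.79")
    done programmatically. Returns the cleaned text and the number of lines removed.
    """
    kept, removed = [], 0
    for raw in text.splitlines():
        parts = raw.partition("#")[0].split()
        if len(parts) >= 2 and parts[0] in remove_ips:
            removed += 1
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    # On a real Windows host the file is %SystemRoot%\System32\drivers\etc\hosts;
    # here the constructed sample stands in for it.
    for line_no, ip, names, reason in find_hijacks(SAMPLE_HOSTS, KNOWN_BAD):
        print(f"line {line_no}: {ip} -> {', '.join(names)} [{reason}]")
    cleaned, count = clean_hosts(SAMPLE_HOSTS, KNOWN_BAD)
    print(f"\nremoved {count} line(s); remaining hosts file:\n{cleaned}")
```

The public-address rule is the useful generalisation: a Qhost-style sample changes the address it uses from build to build, so matching only the one IP from this post would miss the next variant, while a banking domain pinned to any routable address is abnormal on an end-user machine regardless of which address it is. Review each flagged line before deleting it, since some corporate images do ship intentional public-address entries.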

WHOIS information:
—————————————————————————————————————————-
inetnum: 203.135.160.0 – 203.135.175.255
netname: CNCITYNET
descr: Beijing Kuanjie Net communication technology Ltd
descr: 420, administration Mansion,
descr: No.83 FuXing Road, Beijing
country: CN
admin-c: QB26-AP
tech-c: QB26-AP
mnt-by: MAINT-CNNIC-AP
status: ALLOCATED PORTABLE
changed: 20050519
source: APNIC

person: Qiang Bai
nic-hdl: QB26-AP
e-mail:
address: 420, administration Mansion, No.83 FuXing Road, Beijing
phone: +86-10-66706522
fax-no: +86-10-58858011
country: CN
changed: 20050511
mnt-by: MAINT-NEW
source: APNIC
—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


Written by

Malware Hunter.
