====================================================================================================
user@localhost:~$ wget -Sv --keep-session-cookies --save-cookies cookies --user-agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NE CLR 1.1.4322; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)" --referer="http://www.google.ch/search?hl=de&source=hp&q=sandmeier+k%C3%B6lliken&gbv=2&oq=sandmeier&aq=0&aqi=g10&aql=&gs_sm=1&gs_upl=356590l359554l0l361426l9l9l0l2l2l0l125l812l1.6l7l0" http://www.metzgerei-sandmeier.ch/ -O www.metzgerei-sandmeier.ch
--2012-03-07 14:05:42--  http://www.metzgerei-sandmeier.ch/
Resolving www.metzgerei-sandmeier.ch... 80.74.132.218
Connecting to www.metzgerei-sandmeier.ch|80.74.132.218|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Wed, 07 Mar 2012 13:06:05 GMT
  Server: Apache
  Set-Cookie: Coj=67; path=/; domain=www.metzgerei-sandmeier.ch; expires=Thu, 15-Mar-2012 16:53:05 GMT
  Location: http://34107.vicandbarbs.net/url?sa=X&source=web&cd=27&ved=0BjZV2arM&url=http://www.metzgerei-sandmeier.ch/&ei=2ZItfKzI4KaxqI2PzVcx95e1pw==&usg=72JlytMapg6AuIbvPFMMga&sig2=VMW5sSdqITCRwjBXHCwD1m
  Vary: Accept-Encoding
  Content-Length: 482
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://34107.vicandbarbs.net/url?sa=X&source=web&cd=27&ved=0BjZV2arM&url=http://www.metzgerei-sandmeier.ch/&ei=2ZItfKzI4KaxqI2PzVcx95e1pw==&usg=72JlytMapg6AuIbvPFMMga&sig2=VMW5sSdqITCRwjBXHCwD1m [following]
--2012-03-07 14:06:04--  http://34107.vicandbarbs.net/url?sa=X&source=web&cd=27&ved=0BjZV2arM&url=http://www.metzgerei-sandmeier.ch/&ei=2ZItfKzI4KaxqI2PzVcx95e1pw==&usg=72JlytMapg6AuIbvPFMMga&sig2=VMW5sSdqITCRwjBXHCwD1m
Resolving 34107.vicandbarbs.net... 178.211.33.203
Connecting to 34107.vicandbarbs.net|178.211.33.203|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Moved Temporarily
  Server: nginx/1.1.4
  Date: Wed, 07 Mar 2012 13:06:05 GMT
  Content-Type: text/html
  Content-Length: 160
  Connection: close
  Location: http://www.google.ch.redirect.2350283972.bankingonbankers.com/url?sa=X&source=web&cd=365&ved=81ebe&url=http://www.metzgerei-sandmeier.ch/&ei=2ZItfKzI4KaxqI2PzVcx95e1pw==&usg=72JlytMapg6AuIbvPFMMga&sig2=VMW5sSdqITCRwjBXHCwD1m
Location: http://www.google.ch.redirect.2350283972.bankingonbankers.com/url?sa=X&source=web&cd=365&ved=81ebe&url=http://www.metzgerei-sandmeier.ch/&ei=2ZItfKzI4KaxqI2PzVcx95e1pw==&usg=72JlytMapg6AuIbvPFMMga&sig2=VMW5sSdqITCRwjBXHCwD1m [following]
--2012-03-07 14:06:04--  http://www.google.ch.redirect.2350283972.bankingonbankers.com/url?sa=X&source=web&cd=365&ved=81ebe&url=http://www.metzgerei-sandmeier.ch/&ei=2ZItfKzI4KaxqI2PzVcx95e1pw==&usg=72JlytMapg6AuIbvPFMMga&sig2=VMW5sSdqITCRwjBXHCwD1m
Resolving www.google.ch.redirect.2350283972.bankingonbankers.com... 109.236.80.151
Connecting to www.google.ch.redirect.2350283972.bankingonbankers.com|109.236.80.151|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: nginx/1.1.4
  Date: Wed, 07 Mar 2012 13:06:06 GMT
  Content-Type: application/octet-stream
  Content-Length: 339456
  Last-Modified: Wed, 07 Mar 2012 09:01:13 GMT
  Connection: close
  Set-Cookie: PHPSESSID=3nf19esu3as9herfisduk8k0b4; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: post-check=0, pre-check=0
  Accept-Ranges: none
  Content-Disposition: attachment; filename="google_sandmeier_kölliken.exe"
Length: 339456 (332K) [application/octet-stream]
Saving to: "www.metzgerei-sandmeier.ch"

100%[=================================>] 339,456     1.53M/s   in 0.2s

2012-03-07 14:06:04 (1.53 MB/s) - "www.metzgerei-sandmeier.ch" saved [339456/339456]

user@localhost:~$ mv www.metzgerei-sandmeier.ch google_query_words.exe
user@localhost:~$ file google_query_words.exe
google_query_words.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
user@localhost:~$ md5sum google_query_words.exe
ae89045e3448df19de679988e6e6600d  google_query_words.exe
user@localhost:~$ ls -l google_query_words.exe
-rw-r--r-- 1 user group 339456 Mar  7 10:01 google_query_words.exe

Malware domains / IPs:
  34107.vicandbarbs.net                                    178.211.33.203
  www.google.ch.redirect.2350283972.bankingonbankers.com   109.236.80.151

  http://www.robtex.com/ip/178.211.33.203.html#ip
    *.extensionbay.com
    *.vicandbarbs.net
  http://www.robtex.com/ip/109.236.80.151.html#ip (109.236.80.0/20 WORLDSTREAM-BLK-109.236.80.0 AS49981)
    *.bankingonbankers.com
    *.2350283972.bankingonbankers.com

====================================================================================================
https://www.virustotal.com/file/4d5dce9508dbf97d205ca1d0ceb464157be05a4f94d486ae498be317b89b7653/analysis/

SHA256:          4d5dce9508dbf97d205ca1d0ceb464157be05a4f94d486ae498be317b89b7653
SHA1:            68297c3704e8fbbe4d95a837d7746a8100692021
MD5:             ae89045e3448df19de679988e6e6600d
File size:       331.5 KB ( 339456 bytes )
File name:       4d5dce9508dbf97d205ca1d0ceb464157be05a4f94d486ae498be317b89b7653
File type:       Win32 EXE
Detection ratio: 7 / 43
Analysis date:   2012-03-07 12:08:21 UTC ( 1 hour, 54 minutes ago )

Emsisoft            Trojan.Win32.Pirminay!IK          20120307
Ikarus              Trojan.Win32.Pirminay             20120307
Kaspersky           HEUR:Trojan.Win32.Generic         20120307
McAfee              Generic Malware.ms                20120307
McAfee-GW-Edition   Generic Malware.ms                20120307
NOD32               a variant of Win32/Kryptik.AAKJ   20120307
Norman              W32/Kryptik.AIF                   20120304

====================================================================================================
https://www.virustotal.com/file/4d5dce9508dbf97d205ca1d0ceb464157be05a4f94d486ae498be317b89b7653/analysis/1331128973/

SHA256:          4d5dce9508dbf97d205ca1d0ceb464157be05a4f94d486ae498be317b89b7653
SHA1:            68297c3704e8fbbe4d95a837d7746a8100692021
MD5:             ae89045e3448df19de679988e6e6600d
File size:       331.5 KB ( 339456 bytes )
File name:       google_query_words.exe
File type:       Win32 EXE
Detection ratio: 10 / 43
Analysis date:   2012-03-07 14:02:53 UTC ( 0 minutes ago )

AVG                 Generic27.AJZC                    20120307
BitDefender         Trojan.Generic.KDV.557196         20120307
Emsisoft            Trojan.Win32.Pirminay!IK          20120307
F-Secure            Trojan.Generic.KDV.557196         20120307
Ikarus              Trojan.Win32.Pirminay             20120307
Kaspersky           HEUR:Trojan.Win32.Generic         20120307
McAfee              Generic Malware.ms                20120307
McAfee-GW-Edition   Generic Malware.ms                20120307
NOD32               a variant of Win32/Kryptik.AAKJ   20120307
Norman              W32/Kryptik.AIF                   20120304

====================================================================================================
GFI Sandbox Analysis extract:

Analysis Summary
Submitted File:     google_query_words.exe
MD5:                ae89045e3448df19de679988e6e6600d
File Size:          339456
File Type:          PE32 executable for MS Windows (GUI) Intel 80386 3
Analysis Time:      2012-03-07 09:04:39
Start Reason:       AnalysisTarget
Termination Reason: TerminatedBySelf
Start Time:         Wed, 07 Mar 2012 14:05:18 +0000
Termination Time:   Wed, 07 Mar 2012 14:06:18 +0000
Analysis Time:      2012-03-07 09:04:39
Sandbox:            XPSP3 - 00-0C-29-5E-B4-D8
Total Processes:    5

Stored Modified Files
[process 1] C:\WINDOWS\system32\napipsecd.exe
[process 1] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~unins223.bat
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@alpha00001[1].txt
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@alpha00001[2].txt
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@alpha00001[1].txt
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@su600[1].txt
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@advertstream[1].txt
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@advertstream[2].txt
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@advertstream[1].txt

Deleted Files
[process 3] C:\google_query_words.exe
[process 3] C:\GOOGLE~1.EXE
[process 3] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~unins223.bat
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@alpha00001[1].txt
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@alpha00001[2].txt
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@advertstream[1].txt
[process 5] C:\Documents and Settings\Administrator\Cookies\administrator@advertstream[2].txt

[process 1] Key Name: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  Value: QOMCYZAJOE
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\MNWYQKAAQR  Value: Hy
[process 1] Key Name: \REGISTRY\MACHINE\Software\MNWYQKAAQR  Value: Hy
[process 1] Key Name: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  Value: QOMCYZAJOE
[process 1] Key Name: \REGISTRY\USER\S-1-5-21-299502267-926492609-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings  Value: 6
[process 1] Key Name: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings  Value: 6

DNS Requests
Request                      Result
somethingclosely.com         230.2.177.239
ads.alpha00001.com           94.23.12.70 94.23.19.9 94.23.28.195 188.165.209.133 188.165.219.81 188.165.231.87 188.165.236.39 188.165.239.67
su600.com                    188.165.33.5 87.98.135.156 188.165.32.93
l.advertstream.com           87.98.138.127 188.165.32.91 188.165.33.6
www.les-malins-du-jour.com   188.165.46.136

Network Events
            Remote IP       Local IP      HTTP Command
[process 1] 77.79.11.29     10.20.25.247  GET /tg.aspx
[process 1] 77.79.11.29     10.20.25.247  GET /tg.aspx
[process 5] 127.0.0.1       0.0.0.0       none
[process 5] 94.23.12.70     10.20.25.247  GET /cgi-bin/advert/getads?did=1077
[process 5] 127.0.0.1       127.0.0.1     none
[process 5] 94.23.12.70     10.20.25.247  GET /cgi-bin/advert/getads?x_dp_id=43&frame=false&pdid=1077&ppid=8112
[process 5] 188.165.33.5    10.20.25.247  GET /publicite/com/zone.php?zone=25824&rnd=1331129163
[process 5] 188.165.33.5    10.20.25.247  GET /a/adjs2.php?zoneid=25824
[process 5] 87.98.138.127   10.20.25.247  GET /?[long encoded query string omitted]
[process 5] 87.98.138.127   10.20.25.247  GET /a/adclick.php?n_clic=258241819056756096&cpme=_Wcn6ESK9UiIjGsxEEixB0Y&bannerid=55206&zoneid=25824&log=no&dest=http%3A%2F%2Fsu600.com%2Fr.php%3Fdest%3Dhttp%253A%252F%252Fwww.les-malins-du-jour.com%252Flandingpage%252Frotation_say.php
[process 5] 188.165.33.5    10.20.25.247  GET /r.php?dest=http%3A%2F%2Fwww.les-malins-du-jour.com%2Flandingpage%2Frotation_say.php
[process 5] 188.165.46.136  10.20.25.247  none

Virus Total Results
Last Scanned: 2012-03-07 14:02:53
nProtect:              Not Detected
CAT-QuickHeal:         Not Detected
McAfee:                Generic Malware.ms
TheHacker:             Not Detected
K7AntiVirus:           Not Detected
VirusBuster:           Not Detected
NOD32:                 a variant of Win32/Kryptik.AAKJ
F-Prot:                Not Detected
Symantec:              Not Detected
Norman:                W32/Kryptik.AIF
ByteHero:              Not Detected
TrendMicro-HouseCall:  Not Detected
Avast:                 Not Detected
eSafe:                 Not Detected
ClamAV:                Not Detected
Kaspersky:             HEUR:Trojan.Win32.Generic
BitDefender:           Trojan.Generic.KDV.557196
ViRobot:               Not Detected
Emsisoft:              Trojan.Win32.Pirminay!IK
Comodo:                Not Detected
F-Secure:              Trojan.Generic.KDV.557196
DrWeb:                 Not Detected
VIPRE:                 Not Detected
AntiVir:               Not Detected
TrendMicro:            Not Detected
McAfee-GW-Edition:     Generic Malware.ms
Sophos:                Not Detected
eTrust-Vet:            Not Detected
Jiangmin:              Not Detected
Antiy-AVL:             Not Detected
Microsoft:             Not Detected
SUPERAntiSpyware:      Not Detected
Prevx:                 Not Detected
GData:                 Not Detected
Commtouch:             Not Detected
AhnLab-V3:             Not Detected
VBA32:                 Not Detected
PCTools:               Not Detected
Rising:                Not Detected
Ikarus:                Trojan.Win32.Pirminay
Fortinet:              Not Detected
AVG:                   Generic27.AJZC
Panda:                 Not Detected

====================================================================================================
====================================================================================================