December 19, 2011

Antihosts.exe trojan

Ended up having to fix a client computer over the weekend, a Windows 7 machine with a failed Messenger and Windows Live problems. The trojan had replaced the "hosts" file with this version:

191.164.12.1 zuleica
191.162.91.2 tarantula
19.251.32.13 ariranha
112.158.12.22 leandrino
132.168.7.42 zecurlano
121.91.41.151 cotidiano

121.15.12.137 www.banespa.com.br # GbPluguin
121.15.12.137 banespa.com.br # GbPluguin
121.15.12.137 www.santander.com.br # GbPluguin
121.15.12.137 santander.com.br # GbPluguin
121.15.12.137 caixa.com.br # GbPluguin
121.15.12.137 www.cef.gov.br # GbPluguin
121.15.12.137 cef.gov.br # GbPluguin
121.15.12.137 www.cef.com.br # GbPluguin
121.15.12.137 www.caixa.gov.br # GbPluguin
121.15.12.137 caixa.gov.br # GbPluguin
121.15.12.137 www.caixa.com.br # GbPluguin
209.94.172.28 live.com # GbPluguin
209.94.172.28 www.live.com # GbPluguin
209.94.172.28 www.msn.com # GbPluguin
121.15.12.137 cef.com.br # GbPluguin
121.15.12.137 internetbanking.caixa.gov.br # GbPluguin
121.15.12.137 internetbanking.caixa.com.br # GbPluguin
121.15.12.137 internetbanking.cef.gov.br # GbPluguin
121.15.12.137 internetbanking.cef.com.br # GbPluguin
121.15.12.137 www.e-gold.com.br # GbPluguin
121.15.12.137 e-gold.com.br # GbPluguin
121.15.12.137 www.e-gold.com # GbPluguin
121.15.12.137 e-gold.com # GbPluguin
121.15.12.137 www.bradescoprime.com.br # GbPluguin
121.15.12.137 www.cetelem.com.br # GbPluguin
121.15.12.137 cetelem.com.br # GbPluguin
121.15.12.137 www.cartaoaura.com.br # GbPluguin
209.94.172.28 msn.com # GbPluguin
209.94.172.28 www.msn.com.br # GbPluguin
209.94.172.28 login.live.com # GbPluguin
121.15.12.137 cartaoaura.com.br # GbPluguin
121.15.12.137 bradescoprime.com.br # GbPluguin
121.15.12.137 www.itaupersonnalite.com.br # GbPluguin
121.15.12.137 itaupersonnalite.com.br # GbPluguin
121.15.12.137 americanexpress.com.br # GbPluguin
121.15.12.137 www.sicredi.com.br # GbPluguin
121.15.12.137 sicredi.com.br # GbPluguin
121.15.12.137 portal.sicredi.com.br # GbPluguin
121.15.12.137 www.realsecureweb.com.br # GbPluguin
121.15.12.137 realsecureweb.com.br # GbPluguin
209.94.172.28 www.hotmail.com # GbPluguin
209.94.172.28 hotmail.com # GbPluguin
121.15.12.137 www.americanexpress.com.br # GbPluguin
121.15.12.137 www.americanexpress.com # GbPluguin
121.15.12.137 www.real.com.br # GbPluguin
121.15.12.137 www.bancoreal.com.br # GbPluguin
121.15.12.137 real.com.br # GbPluguin
121.15.12.137 bancoreal.com.br # GbPluguin
209.94.172.28 www.hotmail.com.br # GbPluguin
209.94.172.28 hotmail.com.br # GbPluguin
121.15.12.137 itau.com.br # GbPluguin
121.15.12.137 www.itau.com # GbPluguin
121.15.12.137 itau.com # GbPluguin
121.15.12.137 imagem.caixa.gov.br # GbPluguin
121.15.12.137 imagem.caixa.com.br # GbPluguin
121.15.12.137 imagem.cef.gov.br # GbPluguin
121.15.12.137 imagem.cef.com.br # GbPluguin
121.15.12.137 www.bradesco.com.br # GbPluguin
121.15.12.137 bradesco.com.br # GbPluguin
121.15.12.137 www.bradesco.com # GbPluguin
121.15.12.137 bradesco.com # GbPluguin
121.15.12.137 www.itau.com.br # GbPluguin
121.15.12.137 www.realsecureweb.com.br # GbPluguin
121.15.12.137 santanderempresarial.com.br # GbPluguin
121.15.12.137 www.santanderempresarial.com.br # GbPluguin
121.15.12.137 santanderempresarial.com # GbPluguin
121.15.12.137 www.santanderempresarial.com # GbPluguin
121.15.12.137 www.citibank.com.br # GbPluguin
121.15.12.137 citibank.com.br # GbPluguin
121.15.12.137 www.citibank.com # GbPluguin
121.15.12.137 citibank.com # GbPluguin

32.19.12.1 ezekien.lorena
22.93.11.98 marcos.gladiador
11.12.44.1 zumbi.palmares
81.55.12.4 arthur.erculando

Interesting that some of the IP addresses referenced belong to the USA Department of Defense, and one to the Ford Motor Company. The others are in South Korea, France, Australia and China. The trojan captures user names and passwords for the banks and other sites listed above.
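A hijacked hosts file like the one above is easy to spot once you look for it: real bank and mail domains pointing at routable addresses instead of loopback, and many unrelated names funnelled to the same address. The script below is an added example, not part of the original post or the trojan's own code. It parses hosts-file text, ignores comments, flags any hostname other than the usual localhost entries that maps to a non-loopback address, and groups flagged names by target address. The sample input is constructed here from two normal lines plus a few entries copied from the hosts file above; the Windows path constant is the standard location of the file and is only there for reference.

```python
"""Flag suspicious entries in a hosts file (added example, not from the post)."""
import ipaddress
from collections import defaultdict

# Standard location on Windows; the parser works on text so this runs offline.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Names a clean hosts file is expected to map to loopback addresses.
BENIGN_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text):
    """Return a list of (ip, hostname, comment) tuples, one per hostname.

    A hosts line is '<ip> <name> [<name> ...] [# comment]'; a line with
    several aliases yields several tuples. Comment-only, blank and
    malformed lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if len(fields) < 2:
            continue
        ip = fields[0]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address, so not a hosts entry
        for name in fields[1:]:
            entries.append((ip, name.lower(), comment.strip()))
    return entries


def is_suspicious(ip, name):
    """True if a non-local hostname is pointed at a routable address.

    Loopback, unspecified (0.0.0.0) and link-local targets are treated as
    benign: they cover self-references and ad-blocking style sinkholes,
    not redirection of a site to a third party.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
        return False
    return name not in BENIGN_NAMES


def find_hijacks(text, min_names_per_ip=3):
    """Return (suspicious_entries, shared_ips).

    suspicious_entries: flagged (ip, hostname, comment) tuples in file order.
    shared_ips: {ip: sorted hostnames} for any address that at least
    min_names_per_ip distinct flagged names map to, the pharming signature
    seen in the file above.
    """
    suspicious = [e for e in parse_hosts(text) if is_suspicious(e[0], e[1])]
    by_ip = defaultdict(set)
    for ip, name, _ in suspicious:
        by_ip[ip].add(name)
    shared = {ip: sorted(names) for ip, names in by_ip.items()
              if len(names) >= min_names_per_ip}
    return suspicious, shared


# Constructed sample: normal lines plus entries copied from the post's hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.invalid
191.164.12.1 zuleica
121.15.12.137 www.santander.com.br # GbPluguin
121.15.12.137 santander.com.br # GbPluguin
121.15.12.137 www.caixa.gov.br # GbPluguin
209.94.172.28 login.live.com # GbPluguin
209.94.172.28 www.hotmail.com # GbPluguin
"""

if __name__ == "__main__":
    flagged, shared = find_hijacks(SAMPLE_HOSTS)
    for ip, name, comment in flagged:
        print(f"SUSPICIOUS {ip:<16} {name}  {comment}")
    for ip, names in shared.items():
        print(f"{ip} is the target of {len(names)} hostnames: {', '.join(names)}")
```

On the sample this flags all six non-loopback entries, including the odd single-word names such as zuleica, and reports 121.15.12.137 as a shared target because three distinct names map to it. To check a live machine, read WINDOWS_HOSTS_PATH (or /etc/hosts) and pass its contents to find_hijacks; the same file is also a sensible thing to watch with file-integrity monitoring, since a legitimate Windows 7 hosts file normally contains only comments and the localhost lines.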

The infection arrived in a spam email from a Hotmail address known to the user, probably a compromised account, with a link to a video about pedophilia. Clicking the link caused the trojan to install and make various changes, including the hosts file replacement above.

1 comment:

  1. I can tell you by looking into it that they are targeting Brazilian banks. Almost all of them are included.
