The trojan guys also submit trojan galleries to your TGP.
Example, the hairy section on Pichunter..
http://www.pichunter.com/movs/hairy.shtml Check out the 1st gallery in row 4... (http://www.eliteasianzone.com/newgp/38/pichunter.html) This gallery loads a trojan page the 1st time you click it and the real gallery the 2nd time you click it... The last gallery in the 2nd row (http://www.orientalpornvideos.com/as...pichunter.html) gives me a fake TGP with trojan videos the 1st time and a real gallery the second time... So, these guys are actual gallery submitters who spend time building these real galleries...
One of the domains I end up at is party-adult.com which is a fake TGP installing the codec trojan...
Here's a little "report" about it:

64.28.183.0/24 is listed on the Spamhaus Block List (SBL) 11-Apr-2007 09:13 GMT | SR04 MovieCommander DNS hijacking malware rootkit

The McAfee/Avert Labs blog talks about MovieCommander, a bit of DNS hijacking malware with rootkit functionality. See: "MovieCommander! No, it's DNS Changer" http://www.avertlabs.com/research/blog/?p=236 Monday, April 2nd, 2006

That blog entry in turn refers to: DNSChanger.f http://vil.mcafeesecurity.com/vil/content/v_141841.htm discovered 03/27/2007, description modified 03/29/2007 12:15PM (PT)

If you go to the characteristics tab on the DNSChanger.f page, it mentions: "Upon installation this trojan changes the DNS server address to point to its preferred DNS. For example the recent variants are observed to point it to 85.255.115.46. A quick "whois" on this IP shows this is in Ukraine."

Of course, if you actually check that dotted quad, it is being advertised by AS27595 - Intercage. If you do a traceroute:

10 sfc-b1-00-ve24-ctr-atrivo.wvfiber.net (63.223.30.130) 111.749 ms 111.662 ms 111.662 ms
11 85.255.115.46-xbox.dedi.inhoster.com (85.255.115.46) 111.614 ms 111.628 ms 111.753 ms

Also note that the "Method of Infection" page refers to www.codecaddon.com and that site is at 64.28.181.243, a Cernel dotted quad also advertised by AS27595. See: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL36453

[whois.estdomains.com]
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com
Domain Name: CODECADDON.COM
Registrant:
CodecAddon inc
Asteria Villamar (webmaster@codecaddon.com)
349 Swinnerton St
Staten Island
New York,10307-1644
US
Tel. +1.718967098 <-- one digit shy of a phone number, how embarrassing...
Creation Date: 19-Feb-2007
Expiration Date: 19-Feb-2008
Domain servers in listed order:
ns1.codecaddon.com <-- 64.28.183.35
ns2.codecaddon.com <-- 64.28.183.36
[etc]

http://www.siteadvisor.com/sites/COD...N.COM/summary/ has a comment that mentions:
Other sites that are clones of this site:
216.255.182.171 tvscodec.com
216.255.182.172 tvs-codec.com
216.255.182.173 tscodec.com

What a surprise, more AS27595 IP's. Following 64.28.183.35, we see:
.35 has: ns1.codecaddon.com ns1.video-access.net ns2.player-codec.net ns2.videos-access.com
.34 has: ns1.player-codec.net ns1.videos-access.com ns2.page-tickets.com ns2.page-tickets.net
.36 has: ns1.accessclips.com ns1.codecfeature.com ns2.codecaddon.com ns2.video-access.net
.37 has: ns1.dvd-access.net ns1.site-pass.net ns2.accessclips.com ns2.codecfeature.com
.38 has: ns1.codecdvd.net ns1.sitespass.net ns2.dvd-access.net ns2.site-pass.net
.39 has: ns1.dvdsvideos.net ns1.sites-pass.com ns2.codecdvd.net ns2.sitespass.net
.40 has: ns1.sites-pass.net ns2.dvdsvideos.net ns2.sites-pass.com
.41 has: ns1.dvdsmovies.net ns1.moviesdvds.net ns1.passtosite.com ns2.sites-pass.net
.42 has: ns1.dvds-movies.net ns1.passtosite.net ns2.dvdsmovies.net ns2.passtosite.com
.43 has: ns1.passtosites.com ns1.tvcodecs.com ns2.dvds-movies.net ns2.passtosite.net
I'm not getting anything nasty nor redirected. I'm using Firefox on Linux though - maybe they only play games w/ IE.
Estdomains, Inhosters, Atrivo, Intercage, who would have thought.
Blacklist the entire IP range of these hosts (do a google/board search) and check every domain that wants to do business with you to make sure it's not registered at Estdomains, then you've covered 99% of these cheaters (for now).
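As an added example (not from this thread or any of its posters), a small Python check that applies the advice above: refuse a gallery trade when the domain resolves into one of the ranges named in the thread or its whois shows Estdomains as the registration provider. The IP indicators come from the posts above; the sample domains, addresses and whois text are constructed.

```python
import ipaddress

# Indicators quoted in the thread: the SBL-listed /24, the DNS server the trojan
# points victims at, and the three "clone" hosts from the SiteAdvisor comment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "64.28.183.0/24",
    "85.255.115.46/32",
    "216.255.182.171/32",
    "216.255.182.172/32",
    "216.255.182.173/32",
)]
BLOCKED_REGISTRARS = ("ESTDOMAINS",)

def registrar_of(whois_text):
    """Pull the registrar name out of raw whois text (either common label form)."""
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("registration service provided by", "registrar"):
            return value.strip()
    return ""

def check_trade(domain, ips, whois_text):
    """Return the reasons to refuse this trade; an empty list means no indicator hit."""
    reasons = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        net = next((n for n in BLOCKED_NETWORKS if addr in n), None)
        if net is not None:
            reasons.append(f"{domain} resolves to {ip} in blocked range {net}")
    registrar = registrar_of(whois_text)
    if any(bad in registrar.upper() for bad in BLOCKED_REGISTRARS):
        reasons.append(f"{domain} registered via {registrar}")
    return reasons

# Constructed sample input (no live DNS or whois lookups are made here).
SAMPLE_TRADES = {
    "example-codec.test": (
        ["216.255.182.172"],
        "Registration Service Provided By: ESTDOMAINS INC\nDomain Name: EXAMPLE-CODEC.TEST\n",
    ),
    "clean-gallery.test": (
        ["203.0.113.10"],
        "Registrar: Example Registrar LLC\nDomain Name: CLEAN-GALLERY.TEST\n",
    ),
}

if __name__ == "__main__":
    for dom, (ips, whois) in SAMPLE_TRADES.items():
        hits = check_trade(dom, ips, whois)
        print(dom, "REFUSE" if hits else "ok", *hits, sep="\n  ")
```

In practice the resolved addresses and whois text would come from your own lookups; the block only shows the decision logic over them.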
Yup, this DNS changer has been around for a while, mad PPC fraud going on with this thing. Who has a contact over at pichunter?
Quote:
once again for tgp people
DO NOT EVER ALLOW TRADES FROM Registration Service Provided By: ESTDOMAINS INC AT ALL
oh shit and my mac has no problems