SANS ISC: Malware hosted on AGAIN! - SANS Internet Storm Center SANS ISC InfoSec Forums

Malware hosted on AGAIN!

If you google for you will find LOTS of “script” links to:

http://l61DOT3322DOTorg/eDOTjs. That first letter is an L not a 1.

Be careful: that JavaScript attempts to exploit vulnerabilities in some browsers.

Fellow Handler BojanZ stated this about that malicious piece of JavaScript:

“The attached JS file calls other JS files (from various servers). At
least one of them tries to exploit an old vulnerability (MS06-014 -
Microsoft Data Access Components (MDAC)). Other JS files redirect the
browser to different sites:
(these are click through affiliate web sites)”

has hosted malware several times in the past, including an element of the zero-day Word exploit that was reported in 05-2005.

It was also used as the FTP download site for a SAV-based worm in 12-2005.

Thanks Bryan and Evan for bringing this to our attention.

I recommend you monitor your IDS, firewall and other logs for access to l61DOT3322DOTORG. If you see any access, you should check the systems that accessed it for malware. You may decide to block that site within your enterprise. Many enterprise and educational networks did block during the Word zero-day exploit in 2005.
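One way to run the log check recommended above, as an added example that is not part of the original diary: it scans proxy- and DNS-style log lines for the indicator and lists the clients that contacted it. The log layout (client IP as the first field), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Indicator exactly as the diary writes it (defanged); refanged only in memory.
DEFANGED_IOC = "l61DOT3322DOTorg"

def refang(indicator):
    """Turn the diary's DOT notation back into a lowercase hostname."""
    return indicator.replace("DOT", ".").lower()

def host_matches(host, ioc_host):
    """True if host is the indicator or a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)

# Hostname part of an http(s) URL, or of a "query: name" DNS log field.
HOST_RE = re.compile(r"(?:https?://|query:\s*)([A-Za-z0-9.-]+)", re.I)

def find_clients(log_lines, ioc_host):
    """Map each client IP to the log lines in which it touched the indicator.
    Assumption: the client IP is the first whitespace-separated field."""
    hits = defaultdict(list)
    for line in log_lines:
        if any(host_matches(h, ioc_host) for h in HOST_RE.findall(line)):
            hits[line.split()[0]].append(line)
    return dict(hits)

# Constructed sample lines (not real logs). Hostnames are assembled from the
# defanged indicator so no live URL is stored in this file.
IOC = refang(DEFANGED_IOC)
SAMPLE_LOG = [
    f"10.0.0.12 GET http://{IOC}/e.js 200",
    f"10.0.0.12 GET http://{IOC.upper()}/e.js 200",   # case variant still matches
    f"10.0.0.40 GET http://1{IOC[1:]}/e.js 404",      # digit 1, not letter L: no match
    f"10.0.0.77 query: {IOC}",                        # DNS lookup without HTTP
    "10.0.0.90 GET http://intranet.example/index.html 200",
]

if __name__ == "__main__":
    for client, lines in sorted(find_clients(SAMPLE_LOG, IOC).items()):
        print(f"{client}: {len(lines)} hit(s) for {DEFANGED_IOC}; check this host for malware")
```

Matching on the parsed hostname rather than a raw substring keeps the letter-L versus digit-1 lookalike from producing false hits.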


Aug 15th 2007
