After a weekend hiatus, I’m back with the next host of interest – ZlKon.
role:          ZlKon HostMaster
address:       Lilijas iela 4-74
address:       Riga, LV-1055
address:       Latvija
phone:         +371 26330593
e-mail:        hostmaster@zlkon.lv
admin-c:       AD5952-RIPE
tech-c:        AD5952-RIPE
nic-hdl:       ZK508-RIPE
mnt-by:        ZLKON-MNT
changed:       hostmaster@zlkon.lv 20081125
source:        RIPE
abuse-mailbox: abuse@zlkon.lv
Based in Latvia, Zlkon seems to have a high ratio of bad IPs to its small
address space. A customer of the larger DATORU EXPRESS SERVISS, Zlkon
has two /24s, 94.247.2.0 – 94.247.3.255.
% Information related to '94.247.0.0/21AS12553'
route:         94.247.0.0/21
descr:         "DATORU EXPRESS SERVISS" Ltd.
origin:        AS12553
mnt-by:        PCEXPRESS-MNT
changed:       igors@pcexpress.lv 20081121
source:        RIPE
94.247.2.11
  2008-12-02 – not accessible
  pro-scanner-online.com /2009/download/trial/A9installer_880135.exe

94.247.2.183
  2008-12-09
  fire-movie.com /download/Keygen.Image.for.DOS.2.08c3098.exe
  Win32:Fabot
  Trojan:Win32/Alureon.gen!J
  Worm/AutoRun.ER

  2008-12-02
  spacekeys.net /download/windows311megaupload_3019.exe
  Same detections as fire-movie.com above

  2008-12-12
  moonmovie.net /download/moonmovie.v.3.484.exe
  Same detections as fire-movie.com above

94.247.2.215
  2008-11-27 – not accessible
  antivirus-plus.com /installer_00004.exe

94.247.2.222
  2008-12-02 – not accessible
  pro-scanner-online.com/2009/download/trial/A9installer_880147.exe

94.247.3.228
  2008-12-02 – not accessible
  pro-scanner-online.com/2009/download/trial/A9installer_880473.exe

  2008-12-12
  get-frsh-files.com /MCLiteodecVer.6.20467.exe
  Same detection as files-upload-21.com below

  2008-12-13
  files-upload-21.com /MCLiteodecVer.6.20271.exe
  TrojanDownloader:Win32/Renos.FH

94.247.2.231
  2008-12-03 – not accessible
  pro-scanner-online.com /2009/download/trial/A9installer_880147.exe

94.247.3.232
  2008-12-14
  codecdownload.3d-softwareportal.com /exclusivemovie.1518.exe
  TrojanDownloader:Win32/Renos.FU
  Trojan.Win32.Undef.uhx
So we’ve got some fake antivirus, Renos, Zlob, etc. Nothing overly terrible like a banking trojan or a spam bot, but who knows what else is being hosted in Zlkon’s address space.
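The indicators above are the kind of thing a defender wants to run against proxy logs or the HTML a site actually serves. The Python script below is an added example, not code from the original post: it takes the domains listed above and the two /24s assigned to Zlkon, collapses that range into a single CIDR block with the standard library's ipaddress module, and flags any line that references either a listed domain (or a subdomain of one) or an address inside the range. The Squid-style log lines embedded in it are constructed for the example, not taken from any real capture; the client and server addresses that are not from the post come from private and documentation ranges.

```python
import ipaddress
import re
from dataclasses import dataclass

# Domains from the post above that served the installers / droppers.
BAD_DOMAINS = {
    "pro-scanner-online.com",
    "fire-movie.com",
    "spacekeys.net",
    "moonmovie.net",
    "antivirus-plus.com",
    "get-frsh-files.com",
    "files-upload-21.com",
    "codecdownload.3d-softwareportal.com",
}


def aggregate_range(first: str, last: str) -> list[str]:
    """Collapse an inclusive IP range into the fewest CIDR blocks that cover it."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(n) for n in nets]


# The two adjacent /24s from the post (94.247.2.0 - 94.247.3.255) collapse to one /23.
BAD_NETWORKS = [
    ipaddress.ip_network(n) for n in aggregate_range("94.247.2.0", "94.247.3.255")
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname-looking tokens: dotted labels ending in an alphabetic top-level label,
# so bare IPs and dotted file names whose last label is numeric do not match.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    kind: str  # "ip" or "domain"


def ip_in_bad_range(text: str) -> bool:
    """True if text parses as an IP address inside one of the flagged networks."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # regex candidates like 999.1.1.1 are not addresses
        return False
    return any(addr in net for net in BAD_NETWORKS)


def domain_is_bad(host: str) -> bool:
    """Exact match or subdomain of a listed domain, case-insensitive."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def scan_lines(lines) -> list[Hit]:
    """Return one Hit per distinct indicator found on each line, in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in dict.fromkeys(IPV4_RE.findall(line)):  # dedupe, keep order
            if ip_in_bad_range(ip):
                hits.append(Hit(n, ip, "ip"))
        for host in dict.fromkeys(h.lower() for h in HOST_RE.findall(line)):
            if domain_is_bad(host):
                hits.append(Hit(n, host, "domain"))
    return hits


# Constructed Squid access-log lines for the demonstration (not a real capture).
SAMPLE_LOG = """\
1228219200.123 421 10.0.0.12 TCP_MISS/200 112640 GET http://moonmovie.net/download/moonmovie.v.3.484.exe - DIRECT/94.247.2.183 application/octet-stream
1228219260.456 87 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1228219300.789 300 10.0.0.20 TCP_MISS/200 8192 GET http://files-upload-21.com/MCLiteodecVer.6.20271.exe - DIRECT/94.247.3.228 application/octet-stream
1228219400.000 15 10.0.0.22 TCP_MISS/200 2048 GET http://94.247.2.195/ - DIRECT/94.247.2.195 text/html
""".splitlines()


if __name__ == "__main__":
    print("flagged networks:", [str(n) for n in BAD_NETWORKS])
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator}")
```

Matching on the aggregated /23 rather than on the individual IPs in the post catches hosts in the same allocation that have not been written up yet, which is the point of tracking a provider rather than a handful of addresses; the subdomain test on the domain list does the same for hostnames.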
FlashPlayer.v3.181.exe
Do a search for Hunt’s Point within Google video, and then click on the hit entitled "Hunts Point Pimps And Hookers @ kooldvd.com". The page redirects, foisting a fake Flash installer upon the visitor. Reverse traces to Latvia.
IP Address: 94.247.2.34
Location: RIGA (56.944N, 24.117E)
Network: 94-RIPE
domain:   zlkon.lv
admin-c:  86617-LUMII
tech-c:   86617-LUMII
nserver:  ns1.zlkon.lv
nserver:  ns2.zlkon.lv
changed:  dns-reg@nic.lv 20081121
source:   LUMII
person:
address:  none
phone:    +371 26330593
e-mail:   arkadzi.daniyelian@zlkon.lv
nic-hdl:  86617-LUMII
source:   LUMII
File Info Description
Report Generated 25.1.2009 at 0.32.30 (GMT 1)
Time for scan: 31 seconds
Filename: FlashPlayer.v3.181.exe
File size: 110 KB
MD5 Hash: D3EE381464C72DA4671C1B8F15A8281B
SHA1 Hash: B48EA7824B3DFC130FBF200BE7AB5D1D7ED96484
CRC32: 3376619150
Application Type: Executable (EXE) 32bit
Scanner results : 22% Scanner(8/37) found malware!
Time : 2009/01/27 12:26:29 (CST)
Scanner     | Engine Ver      | Sig Ver          | Sig Date   | Scan result                    | Time
a-squared   | 4.0.0.29        | 20090127170226   | 2009-01-27 | –                              | 3.033
AhnLab V3   | 2009.01.27.01   | 2009.01.27       | 2009-01-27 | –                              | 1.106
AntiVir     | 7.9.0.60        | 7.1.1.188        | 2009-01-27 | –                              | 1.883
Antiy       | 2.0.18          | 20090118.2063925 | 2009-01-18 | –                              | 0.018
Authentium  | 5.1.1           | 200901262001     | 2009-01-26 | –                              | 1.172
AVAST!      | 3.0.1           | 090127-0         | 2009-01-27 | –                              | 0.001
AVG         | 7.5.52.442      | 270.10.14/1918   | 2009-01-27 | –                              | 1.896
BitDefender | 7.81008.2614896 | 7.23357          | 2009-01-27 | Gen:Trojan.Heur.TDSS.1         | 2.848
CA (VET)    | 9.0.0.143       | 31.6.6329        | 2009-01-27 | –                              | 10.359
ClamAV      | 0.94.2          | 8912             | 2009-01-28 | –                              | 0.060
Comodo      | 3.0             | 948              | 2009-01-27 | –                              | 0.894
CP Secure   | 1.1.0.715       | 2009.01.28       | 2009-01-28 | –                              | 6.971
Dr.Web      | 4.44.0.9170     | 2009.01.27       | 2009-01-27 | –                              | 4.011
F-Prot      | 4.4.4.56        | 20090126         | 2009-01-26 | –                              | 1.218
F-Secure    | 5.51.6100       | 2009.01.27.05    | 2009-01-27 | Packed.Win32.Tdss.a [AVP]      | 0.600
Fortinet    | 2.81-3.117      | 9.972            | 2009-01-27 | W32/AutoTDSS.BNA!worm          | 0.334
GData       | 19.2614/19.200  | 20090127         | 2009-01-27 | Packed.Win32.Tdss.a [Engine:A] | 8.087
Ikarus      | T3.1.01.45      | 2009.01.27.72218 | 2009-01-27 | –                              | 3.527
JiangMin    | 11.0.706        | 2009.01.27       | 2009-01-27 | –                              | 2.568
Kaspersky   | 5.5.10          | 2009.01.27       | 2009-01-27 | Packed.Win32.Tdss.a            | 0.125
KingSoft    | 2008.9.8.18     | 2009.1.27.20     | 2009-01-27 | –                              | 0.630
McAfee      | 5.3.00          | 5507             | 2009-01-26 | –                              | 2.977
Microsoft   | 1.4205          | 2009.01.27       | 2009-01-27 | Trojan:Win32/Alureon.gen!J     | 13.541
mks_vir     | 2.01            | 2009.01.27       | 2009-01-27 | –                              | 4.350
Norman      | 5.93.01         | 5.93.00          | 2009-01-20 | –                              | 6.921
nProtect    | 20090127.02     | 3071863          | 2009-01-27 | –                              | 12.179
Panda       | 9.05.01         | 2009.01.26       | 2009-01-26 | –                              | 10.230
Quick Heal  | 10.00           | 2009.01.27       | 2009-01-27 | –                              | 1.201
Rising      | 20.0            | 21.13.50.00      | 2009-01-24 | Trojan.Win32.Nodef.aia         | 2.259
Sophos      | 2.82.1          | 4.37             | 2009-01-28 | Mal/FakeVirPk-A                | 2.530
Sunbelt     | 4756            | 4756             | 2009-01-08 | –                              | 0.595
Symantec    | 1.3.0.24        | 20090127.004     | 2009-01-27 | –                              | 0.053
The Hacker  | 6.3.1.5         | v00229           | 2009-01-26 | –                              | 0.770
Trend Micro | 8.700-1004      | 5.798.05         | 2009-01-27 | –                              | 0.064
VBA32       | 3.12.8.11       | 20090127.0856    | 2009-01-27 | –                              | 2.673
ViRobot     | 20090123        | 2009.01.23       | 2009-01-23 | –                              | 0.758
VirusBuster | 4.5.11.10       | 10.100.40/784661 | 2009-01-27 | –                              | 1.153
http://virscan.org/report/601f5b7e549c57fb60063d8a592a84f4.html
By: carey on January 29, 2009 at 2:10 am
Here’s one for you… when I attempt to get on the backend of my WordPress site, hosted on GoDaddy, the status bar shows 94.247.2.195, which belongs to these jackasses, according to a whois lookup.
I can’t even add content to my site now, this locks Firefox down, then my whole system.
Any suggestions to get rid of this junk?
By: bcarroll on March 24, 2009 at 12:41 am
I am also getting the same issue for my websites. It points to 94.247.2.195 in the status bar. Upon whois and searches it is listed on malware websites.
2009/04/03_00:00 - 193.200.255.19/~timchenko/cms/index.php s9.x-host.net.ua exploits/trojan -
Any help, and quick help, would be appreciated.
By: Ather Khan on April 6, 2009 at 11:40 am