Server: 192.211.54.156
URL locations: /Programs/links/Maki/, /Programs/links/Angelo/
The malware opens every page in each folder and visits any URLs contained in them.
Current URLs:
<meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com/">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://tf2itemsgenerator.blogspot.com/">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.youtube.com/watch?v=UUTZW2AjhFI">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://youtu.be/AhPTX1n_8p8">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://f65a1cad.yyv.co">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://14b3e31e.linkbucks.com">
<META HTTP-EQUIV="Refresh" CONTENT="20; URL=http://www.youtube.com/watch?v=MUqfZPBQscs">
<META HTTP-EQUIV="Refresh" CONTENT="5; URL=http://3743af0c.linkbucks.com">
<META HTTP-EQUIV="Refresh" CONTENT="15; URL=http://youtu.be/bPbzWuJ7Cmk">
<META HTTP-EQUIV="Refresh" CONTENT="5; URL=http://www.youtube.com/watch?v=Jqq7YS_K3Bs">
<META HTTP-EQUIV="Refresh" CONTENT="5; URL=http://retardgamers100.com">
Sample: hxxp://192.211.54.156/Programs/Master/wmdc.exe
Hosting info: http://whois.domaintools.com/192.211.54.156