192.211.54.156 (Page view botnet hosted by incero.com)

Server:  192.211.54.156
Url locations:  /Programs/links/Maki/, /Programs/links/Angelo/

The malware opens all the pages in each folder, and visits any urls that are contained in them.

Current urls:

<meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com/">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://tf2itemsgenerator.blogspot.com/">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.youtube.com/watch?v=UUTZW2AjhFI">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://youtu.be/AhPTX1n_8p8">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://f65a1cad.yyv.co">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://14b3e31e.linkbucks.com">
<META HTTP-EQUIV="Refresh"
      CONTENT="20; URL=http://www.youtube.com/watch?v=MUqfZPBQscs">
<META HTTP-EQUIV="Refresh"
      CONTENT="5; URL=http://3743af0c.linkbucks.com">
<META HTTP-EQUIV="Refresh"
      CONTENT="15; URL=http://youtu.be/bPbzWuJ7Cmk">
<META HTTP-EQUIV="Refresh"
      CONTENT="5; URL=http://www.youtube.com/watch?v=Jqq7YS_K3Bs">
<META HTTP-EQUIV="Refresh"
      CONTENT="5; URL=http://retardgamers100.com">      

Sample: hxxp://192.211.54.156/Programs/Master/wmdc.exe

Hosting infos: http://whois.domaintools.com/192.211.54.156

Categories: Uncategorized