Server: 192.211.54.156
Url locations: /Programs/links/Maki/, /Programs/links/Angelo/
The malware opens all the pages in each folder, and visits any urls that are contained in them.
Current urls:
<meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com/">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://tf2itemsgenerator.blogspot.com/">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.youtube.com/watch?v=UUTZW2AjhFI">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://minecraftadminhack.blogspot.com">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://youtu.be/AhPTX1n_8p8">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://f65a1cad.yyv.co">
<meta HTTP-EQUIV="REFRESH" content="0; url=http://14b3e31e.linkbucks.com">
<META HTTP-EQUIV="Refresh"
CONTENT="20; URL=http://www.youtube.com/watch?v=MUqfZPBQscs">
<META HTTP-EQUIV="Refresh"
CONTENT="5; URL=http://3743af0c.linkbucks.com">
<META HTTP-EQUIV="Refresh"
CONTENT="15; URL=http://youtu.be/bPbzWuJ7Cmk">
<META HTTP-EQUIV="Refresh"
CONTENT="5; URL=http://www.youtube.com/watch?v=Jqq7YS_K3Bs">
<META HTTP-EQUIV="Refresh"
CONTENT="5; URL=http://retardgamers100.com">
Sample: hxxp://192.211.54.156/Programs/Master/wmdc.exe
Hosting infos: http://whois.domaintools.com/192.211.54.156