# MalwareMustDie! @unixfreaxjp /malware]$ date
# Sat Mar 16 11:42:00 JST 2013

// The update data of the BHEK domains serving PWS under registrar NAUNET.RU
// Case: http://malwaremustdie.blogspot.jp/2013/02/bhek-cridex-combo-with-ransomware.html
// Case: http://malwaremustdie.blogspot.com/2013/03/ru8080columnphp-hey-stealer-what-do-you.html
// Case: http://unixfreaxjp.blogspot.jp/2013/03/ocjp-094-117104150170-oirase.html
// Rgx: http://goo.gl/KvD2q
// Status: The CRIME still goes on...

// CURRENT "Active" infection source (BHEK2/Cridex PWS Stealer)
// under monitoring..
gulivaerinf.ru, 188.165.202.204...

// Previous data (Sat Mar 16 00:18:08 JST 2013)
gilaogbaos.ru, 213.215.240.24, 50.22.0.2, 188.165.202.204
gimiinfinfal.ru, 213.215.240.24, 50.22.0.2, 188.165.202.204
guioahgl.ru, 213.215.240.24, 50.22.0.2, 188.165.202.204

// Previous data (Thu Mar 14 01:46:10 JST 2013)
// same IP == no dismantle effort..
gimiiiank.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
giminaaaao.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
giimiiifo.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48

// Previous data (Wed Mar 13 01:22:54 JST 2013)
// additional IP 213.215.240.24, 93.174.138.48
gimihaloook.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
giminkfjol.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
giliaonso.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48

// OLD "ComeBacks" domains infection source (Wed Mar 13 01:22:54 JST 2013)
forumny.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
forum-ny.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
forumla.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
forum-la.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
foruminanki.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
forumilllionois.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48

// Previous data (Mon Mar 11 10:10:22 JST 2013)
giminkfjol.ru, 66.249.23.64, 94.102.14.239, 5.9.40.136
giminanvok.ru, 66.249.23.64, 94.102.14.239, 5.9.40.136
gimikalno.ru, 66.249.23.64, 94.102.14.239, 5.9.40.136
giliaonso.ru, 5.9.40.136, 66.249.23.64, 94.102.14.239
forum-la.ru, 5.9.40.136, 66.249.23.64, 94.102.14.239
forumla.ru, 94.102.14.239, 5.9.40.136, 66.249.23.64
forumny.ru, 5.9.40.136, 66.249.23.64, 94.102.14.239
forum-ny.ru, 94.102.14.239, 5.9.40.136, 66.249.23.64
forumilllionois.ru, 5.9.40.136, 66.249.23.64, 94.102.14.239
foruminanki.ru, 5.9.40.136, 66.249.23.64, 94.102.14.239

// huge changes in IP (Mon Mar 11 10:10:22 JST 2013)
// 117.104.150.170 (cleaned up), 41.72.150.100 (stopped), 212.180.176.4 (stopped)
// why stopped?

// Previous data (Mon Mar 11 10:10:22 JST 2013)
guuderia.ru, 117.104.150.170, 41.72.150.100, 212.180.176.4 (a comeback IP)
ginagion.ru, 117.104.150.170, 41.72.150.100, 212.180.176.4 (a comeback IP)
gimilako.ru, 117.104.150.170, 41.72.150.100, 212.180.176.4 (a comeback IP)
giminalso.ru, 117.104.150.170, 41.72.150.100, 212.180.176.4 (a comeback IP)

// Previous data (Thu Mar 7 15:10:52 JST 2013)
// 212.180.176.4 disappeared
gimalayad.ru, 117.104.150.170, 41.72.150.100
ginagion.ru, 117.104.150.170, 41.72.150.100
giliaonso.ru, 117.104.150.170, 41.72.150.100
// additional: PoC at 117.104.150.170
// http://unixfreaxjp.blogspot.jp/2013/03/ocjp-094-117104150170-oirase.html

// Previous (Tue Mar 5 23:58:48 2013)
ginagion.ru, 212.180.176.4, 117.104.150.170, 41.72.150.100 (changed IP addresses detected)
gosbfosod.ru, 212.180.176.4, 117.104.150.170, 210.71.250.131
giliaonso.ru, 212.180.176.4, 117.104.150.170, 210.71.250.131 (changed IP addresses detected)

// MalwareMustDie shutdown 46.4.77.145, 198.104.62.49 (Tue Mar 5 05:58:48 2013)

// Previous (Tue Mar 6 00:46:00 JST 2013) monitoring result:
giliaonso.ru, 198.104.62.49, 210.71.250.131, 46.4.77.145
forumkianko.ru, 198.104.62.49, 210.71.250.131, 46.4.77.145

// Previous (Tue Mar 5 15:44:10 JST 2013) monitoring result:
// detected 6 (six) active domains:
forumny.ru, 210.71.250.131, 198.104.62.49
forum-ny.ru, 210.71.250.131, 198.104.62.49
forumla.ru, 210.71.250.131, 198.104.62.49
forum-la.ru, 210.71.250.131, 198.104.62.49
foruminanki.ru, 210.71.250.131, 198.104.62.49
forumilllionois.ru, 210.71.250.131, 198.104.62.49

// Previous (Sat Mar 2 17:09:05 JST 2013) monitoring result:
foruminanki.ru, 210.71.250.131, 50.31.1.104, 66.249.23.64     // previously detected IP...
forumilllionois.ru, 50.31.1.104, 66.249.23.64, 210.71.250.131 // previously detected IP...
// (domains below resolved to no address at the time of the check; the empty fields are kept)
forumnywrk.ru,,
forumligandaz.ru,,
forummersedec.ru,,
forumkinza.ru,,
forummoskowciti.ru,,
forumrogario.ru,,
forumbmwr.ru,,
forumligandaz.ru,,
forumvvz.ru,,
forumusaaa.ru,,
forumny.ru
:
fzukungda.ru,,
famagatra.ru,,
fuigadosi.ru,,
filialkas.ru,,
finalions.ru,,
:
emmmhhh.ru,,
ejjiipprr.ru,,
eiiiioovvv.ru,,
errriiiijjjj.ru,,
:

// Current to Historical Infector IP used...
213.215.240.24
50.22.0.2
188.165.202.204
213.215.240.24 (cleaned-up)
93.174.138.48 (cleaned-up)
94.102.14.239 (cleaned-up)
66.249.23.64 (cleaned-up)
5.9.40.136 (cleaned-up)
41.72.150.100 (cleaned)
212.180.176.4 (cleaned)
117.104.150.170 (killed)
46.4.77.145 (killed)
198.104.62.49 (killed)
210.71.250.131 (killed)
50.31.1.104 (killed)
66.249.23.64 (killed)
31.200.240.153 (killed)
83.169.41.58 (killed)
78.158.28.12 (killed)
84.23.66.74 (killed)
122.160.168.219 (killed)
87.120.40.168 (killed)
:

// Current Status ACTIVE domain registration:
// All registration domains released by NAUNET.RU < Utilized? Affiliated? STOP THIS ACT!!
@unixfreaxjp ~]$ date
Thu Mar 8 02:10:02 JST 2013

guuderia.ru // lookup
primary name server = ns1.guuderia.ru
responsible mail addr = root.guuderia.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
guuderia.ru internet address = 212.180.176.4
guuderia.ru internet address = 41.72.150.100
guuderia.ru internet address = 117.104.150.170
guuderia.ru nameserver = ns2.guuderia.ru
guuderia.ru nameserver = ns5.guuderia.ru
guuderia.ru nameserver = ns9.guuderia.ru
guuderia.ru nameserver = ns1.guuderia.ru
guuderia.ru nameserver = ns6.guuderia.ru
guuderia.ru nameserver = ns8.guuderia.ru
guuderia.ru nameserver = ns4.guuderia.ru
guuderia.ru nameserver = ns3.guuderia.ru
guuderia.ru nameserver = ns10.guuderia.ru
guuderia.ru nameserver = ns7.guuderia.ru

domain: GUUDERIA.RU // whois
nserver: ns1.guuderia.ru. 41.168.5.140
nserver: ns2.guuderia.ru. 110.164.58.250
nserver: ns3.guuderia.ru. 210.71.250.131
nserver: ns4.guuderia.ru. 194.249.217.8
nserver: ns5.guuderia.ru. 72.251.206.90
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.03.03
paid-till: 2014.03.03
free-date: 2014.04.03
source: TCI
Last updated on 2013.03.07 21:56:36 MSK

gimalayad.ru // lookup
primary name server = ns1.gimalayad.ru
responsible mail addr = root.gimalayad.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
gimalayad.ru nameserver = ns1.gimalayad.ru
gimalayad.ru nameserver = ns9.gimalayad.ru
gimalayad.ru nameserver = ns3.gimalayad.ru
gimalayad.ru nameserver = ns5.gimalayad.ru
gimalayad.ru nameserver = ns10.gimalayad.ru
gimalayad.ru nameserver = ns4.gimalayad.ru
gimalayad.ru nameserver = ns8.gimalayad.ru
gimalayad.ru nameserver = ns7.gimalayad.ru
gimalayad.ru nameserver = ns2.gimalayad.ru
gimalayad.ru nameserver = ns6.gimalayad.ru
gimalayad.ru internet address = 41.72.150.100
gimalayad.ru internet address = 117.104.150.170

domain: GIMALAYAD.RU // whois
nserver: ns1.gimalayad.ru. 41.168.5.140
nserver: ns2.gimalayad.ru. 110.164.58.250
nserver: ns3.gimalayad.ru. 210.71.250.131
nserver: ns4.gimalayad.ru. 194.249.217.8
nserver: ns5.gimalayad.ru. 72.251.206.90
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.03.03
paid-till: 2014.03.03
free-date: 2014.04.03
source: TCI
Last updated on 2013.03.07 10:11:35 MSK

ginagion.ru // lookup
primary name server = ns1.ginagion.ru
responsible mail addr = root.ginagion.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
ginagion.ru nameserver = ns1.ginagion.ru
ginagion.ru nameserver = ns7.ginagion.ru
ginagion.ru nameserver = ns6.ginagion.ru
ginagion.ru nameserver = ns4.ginagion.ru
ginagion.ru nameserver = ns5.ginagion.ru
ginagion.ru nameserver = ns2.ginagion.ru
ginagion.ru nameserver = ns9.ginagion.ru
ginagion.ru nameserver = ns10.ginagion.ru
ginagion.ru nameserver = ns8.ginagion.ru
ginagion.ru nameserver = ns3.ginagion.ru

domain: GINAGION.RU // whois
nserver: ns1.ginagion.ru. 41.168.5.140
nserver: ns2.ginagion.ru. 110.164.58.250
nserver: ns3.ginagion.ru. 210.71.250.131
nserver: ns4.ginagion.ru. 194.249.217.8
nserver: ns5.ginagion.ru. 72.251.206.90
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.03.03
paid-till: 2014.03.03
free-date: 2014.04.03
source: TCI
Last updated on 2013.03.06 19:31:39 MSK

gosbfosod.ru // lookup
primary name server = ns1.gosbfosod.ru
responsible mail addr = root.gosbfosod.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
gosbfosod.ru nameserver = ns4.gosbfosod.ru
gosbfosod.ru nameserver = ns10.gosbfosod.ru
gosbfosod.ru nameserver = ns3.gosbfosod.ru
gosbfosod.ru nameserver = ns1.gosbfosod.ru
gosbfosod.ru nameserver = ns2.gosbfosod.ru
gosbfosod.ru nameserver = ns6.gosbfosod.ru
gosbfosod.ru nameserver = ns7.gosbfosod.ru
gosbfosod.ru nameserver = ns8.gosbfosod.ru
gosbfosod.ru nameserver = ns9.gosbfosod.ru
gosbfosod.ru nameserver = ns5.gosbfosod.ru
gosbfosod.ru internet address = 212.180.176.4
gosbfosod.ru internet address = 117.104.150.170
gosbfosod.ru internet address = 210.71.250.131

domain: GOSBFOSOD.RU // whois
nserver: ns1.gosbfosod.ru. 41.168.5.140
nserver: ns2.gosbfosod.ru. 110.164.58.250
nserver: ns3.gosbfosod.ru. 210.71.250.131
nserver: ns4.gosbfosod.ru. 194.249.217.8
nserver: ns5.gosbfosod.ru. 72.251.206.90
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN <============ This registrar keeps on allowing new malware domains!!!
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.03.03
paid-till: 2014.03.03
free-date: 2014.04.03
source: TCI
Last updated on 2013.03.06 10:06:37 MSK

giliaonso.ru // lookup
primary name server = ns1.giliaonso.ru
responsible mail addr = root.giliaonso.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
giliaonso.ru nameserver = ns4.giliaonso.ru
giliaonso.ru nameserver = ns3.giliaonso.ru
giliaonso.ru nameserver = ns8.giliaonso.ru
giliaonso.ru nameserver = ns7.giliaonso.ru
giliaonso.ru nameserver = ns5.giliaonso.ru
giliaonso.ru nameserver = ns2.giliaonso.ru
giliaonso.ru nameserver = ns1.giliaonso.ru
giliaonso.ru nameserver = ns10.giliaonso.ru
giliaonso.ru nameserver = ns6.giliaonso.ru
giliaonso.ru nameserver = ns9.giliaonso.ru
giliaonso.ru internet address = 212.180.176.4
giliaonso.ru internet address = 117.104.150.170
giliaonso.ru internet address = 210.71.250.131

domain: GILIAONSO.RU // whois
nserver: ns1.giliaonso.ru. 41.168.5.140
nserver: ns2.giliaonso.ru. 110.164.58.250
nserver: ns3.giliaonso.ru. 210.71.250.131
nserver: ns4.giliaonso.ru. 194.249.217.8
nserver: ns5.giliaonso.ru. 72.251.206.90
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN <============ This registrar keeps on allowing new malware domains!!!
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.03.03
paid-till: 2014.03.03
free-date: 2014.04.03
source: TCI
Last updated on 2013.03.06 10:06:37 MSK

// previous records....

forumny.ru // lookup
primary name server = ns1.forumny.ru
responsible mail addr = root.forumny.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
forumny.ru nameserver = ns10.forumny.ru
forumny.ru nameserver = ns5.forumny.ru
forumny.ru nameserver = ns6.forumny.ru
forumny.ru nameserver = ns9.forumny.ru
forumny.ru nameserver = ns8.forumny.ru
forumny.ru nameserver = ns1.forumny.ru
forumny.ru nameserver = ns3.forumny.ru
forumny.ru nameserver = ns7.forumny.ru
forumny.ru nameserver = ns4.forumny.ru
forumny.ru nameserver = ns2.forumny.ru
forumny.ru internet address = 198.104.62.49
forumny.ru internet address = 210.71.250.131

domain: FORUMNY.RU // whois
nserver: ns1.forumny.ru. 41.168.5.140
nserver: ns2.forumny.ru. 110.164.58.250
nserver: ns3.forumny.ru. 210.71.250.131
nserver: ns4.forumny.ru. 203.171.234.53
nserver: ns5.forumny.ru. 194.249.217.8
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.02.24
paid-till: 2014.02.24
free-date: 2014.03.27
source: TCI
Last updated on 2013.03.05 11:06:36 MSK

forum-ny.ru // lookup
primary name server = ns1.forum-ny.ru
responsible mail addr = root.forum-ny.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
forum-ny.ru nameserver = ns1.forum-ny.ru
forum-ny.ru nameserver = ns3.forum-ny.ru
forum-ny.ru nameserver = ns6.forum-ny.ru
forum-ny.ru nameserver = ns8.forum-ny.ru
forum-ny.ru nameserver = ns5.forum-ny.ru
forum-ny.ru nameserver = ns7.forum-ny.ru
forum-ny.ru nameserver = ns2.forum-ny.ru
forum-ny.ru nameserver = ns10.forum-ny.ru
forum-ny.ru nameserver = ns9.forum-ny.ru
forum-ny.ru nameserver = ns4.forum-ny.ru
forum-ny.ru internet address = 198.104.62.49
forum-ny.ru internet address = 210.71.250.131

domain: FORUM-NY.RU // whois
nserver: ns1.forum-ny.ru. 41.168.5.140
nserver: ns2.forum-ny.ru. 110.164.58.250
nserver: ns3.forum-ny.ru. 210.71.250.131
nserver: ns4.forum-ny.ru. 203.171.234.53
nserver: ns5.forum-ny.ru. 194.249.217.8
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.02.24
paid-till: 2014.02.24
free-date: 2014.03.27
source: TCI
Last updated on 2013.03.05 11:06:36 MSK

forumla.ru // lookup
primary name server = ns1.forumla.ru
responsible mail addr = root.forumla.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
forumla.ru nameserver = ns9.forumla.ru
forumla.ru nameserver = ns4.forumla.ru
forumla.ru nameserver = ns1.forumla.ru
forumla.ru nameserver = ns5.forumla.ru
forumla.ru nameserver = ns3.forumla.ru
forumla.ru nameserver = ns8.forumla.ru
forumla.ru nameserver = ns2.forumla.ru
forumla.ru nameserver = ns7.forumla.ru
forumla.ru nameserver = ns10.forumla.ru
forumla.ru nameserver = ns6.forumla.ru
forumla.ru internet address = 198.104.62.49
forumla.ru internet address = 210.71.250.131

domain: FORUMLA.RU // whois
nserver: ns1.forumla.ru. 41.168.5.140
nserver: ns2.forumla.ru. 110.164.58.250
nserver: ns3.forumla.ru. 210.71.250.131
nserver: ns4.forumla.ru. 203.171.234.53
nserver: ns5.forumla.ru. 194.249.217.8
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.02.24
paid-till: 2014.02.24
free-date: 2014.03.27
source: TCI
Last updated on 2013.03.05 11:06:36 MSK

forum-la.ru // lookup
primary name server = ns1.forum-la.ru
responsible mail addr = root.forum-la.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
forum-la.ru nameserver = ns4.forum-la.ru
forum-la.ru nameserver = ns3.forum-la.ru
forum-la.ru nameserver = ns1.forum-la.ru
forum-la.ru nameserver = ns9.forum-la.ru
forum-la.ru nameserver = ns10.forum-la.ru
forum-la.ru nameserver = ns2.forum-la.ru
forum-la.ru nameserver = ns6.forum-la.ru
forum-la.ru nameserver = ns5.forum-la.ru
forum-la.ru nameserver = ns8.forum-la.ru
forum-la.ru nameserver = ns7.forum-la.ru
forum-la.ru internet address = 210.71.250.131
forum-la.ru internet address = 198.104.62.49

domain: FORUM-LA.RU // whois
nserver: ns1.forum-la.ru. 41.168.5.140
nserver: ns2.forum-la.ru. 110.164.58.250
nserver: ns3.forum-la.ru. 210.71.250.131
nserver: ns4.forum-la.ru. 203.171.234.53
nserver: ns5.forum-la.ru. 194.249.217.8
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.02.24
paid-till: 2014.02.24
free-date: 2014.03.27
source: TCI
Last updated on 2013.03.05 11:06:36 MSK

foruminanki.ru // lookup
primary name server = ns1.foruminanki.ru
responsible mail addr = root.foruminanki.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
foruminanki.ru nameserver = ns7.foruminanki.ru
foruminanki.ru nameserver = ns5.foruminanki.ru
foruminanki.ru nameserver = ns6.foruminanki.ru
foruminanki.ru nameserver = ns4.foruminanki.ru
foruminanki.ru nameserver = ns3.foruminanki.ru
foruminanki.ru nameserver = ns10.foruminanki.ru
foruminanki.ru nameserver = ns9.foruminanki.ru
foruminanki.ru nameserver = ns8.foruminanki.ru
foruminanki.ru nameserver = ns1.foruminanki.ru
foruminanki.ru nameserver = ns2.foruminanki.ru
foruminanki.ru internet address = 210.71.250.131
foruminanki.ru internet address = 198.104.62.49

domain: FORUMINANKI.RU // whois
nserver: ns1.foruminanki.ru. 41.168.5.140
nserver: ns2.foruminanki.ru. 110.164.58.250
nserver: ns3.foruminanki.ru. 210.71.250.131
nserver: ns4.foruminanki.ru. 203.171.234.53
nserver: ns5.foruminanki.ru. 194.249.217.8
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.02.24
paid-till: 2014.02.24
free-date: 2014.03.27
source: TCI
Last updated on 2013.03.05 11:06:36 MSK

forumilllionois.ru // lookup
primary name server = ns1.forumilllionois.ru
responsible mail addr = root.forumilllionois.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
forumilllionois.ru nameserver = ns5.forumilllionois.ru
forumilllionois.ru nameserver = ns6.forumilllionois.ru
forumilllionois.ru nameserver = ns10.forumilllionois.ru
forumilllionois.ru nameserver = ns1.forumilllionois.ru
forumilllionois.ru nameserver = ns2.forumilllionois.ru
forumilllionois.ru nameserver = ns7.forumilllionois.ru
forumilllionois.ru nameserver = ns4.forumilllionois.ru
forumilllionois.ru nameserver = ns3.forumilllionois.ru
forumilllionois.ru nameserver = ns8.forumilllionois.ru
forumilllionois.ru nameserver = ns9.forumilllionois.ru
forumilllionois.ru internet address = 198.104.62.49
forumilllionois.ru internet address = 210.71.250.131

domain: FORUMILLLIONOIS.RU // whois
nserver: ns1.forumilllionois.ru. 41.168.5.140
nserver: ns2.forumilllionois.ru. 110.164.58.250
nserver: ns3.forumilllionois.ru. 210.71.250.131
nserver: ns4.forumilllionois.ru. 203.171.234.53
nserver: ns5.forumilllionois.ru. 194.249.217.8
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2013.02.24
paid-till: 2014.02.24
free-date: 2014.03.27
source: TCI
Last updated on 2013.03.05 11:06:36 MSK

// ps: rgx: \/[a-z]{4,}\.ru\:[0-9]{4}\/[a-z]{4,}\/[a-z]{4,}

---- #MalwareMustDie!!!
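// editor's note: the three things a defender can pull out of this log are (1) the landing-URL
// regex at the end, (2) the domain/IP snapshots that show the same hosting IPs persisting
// across domain rotations, and (3) the identical SOA values (serial 2012010101, retry and
// expire both 1800, TTL 60) and ten in-zone nsN hostnames shared by every lookup above.
// The script below is an added example, not code from MalwareMustDie or from the page. The
// proxy log lines are constructed (client addresses and timestamps are invented; hostnames
// are taken from the monitoring list, the URL path is modelled on the ru:8080/.../column.php
// case the page links). The two snapshots and the guuderia.ru lookup are copied from the
// page; the "benign" lookup is constructed for contrast.

```python
import re

# --- 1. The landing-URL regex published at the bottom of the page ------------
# Shape: /<host>.ru:<4-digit port>/<word>/<word>, e.g. /forumny.ru:8080/forum/links
BHEK_URL_RE = re.compile(r"\/[a-z]{4,}\.ru\:[0-9]{4}\/[a-z]{4,}\/[a-z]{4,}")

# Constructed proxy log: "<time> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2013-03-16T02:41:00Z 10.0.0.23 GET http://gimiiiank.ru:8080/forum/links/column.php 200
2013-03-16T02:41:05Z 10.0.0.23 GET http://www.example.com/index.html 200
2013-03-16T02:42:10Z 10.0.0.45 GET http://forumny.ru:8080/forum/links/column.php 200
2013-03-16T02:43:00Z 10.0.0.51 GET http://news.example.ru/news/today 200
2013-03-16T02:44:30Z 10.0.0.45 GET http://gilaogbaos.ru:8080/forum/links/column.php 200
"""

def find_bhek_hits(log_text):
    """Return [(client_ip, url)] for every log line whose URL matches the regex."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # malformed line: skip, do not crash the sweep
        client, url = parts[1], parts[3]
        if BHEK_URL_RE.search(url):       # search, not match: host follows the "//"
            hits.append((client, url))
    return hits

# --- 2. Snapshot diffing in the page's own "domain, ip, ip, ip" format ---------
SNAPSHOT_MAR14 = """\
gimiiiank.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
giminaaaao.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
giimiiifo.ru, 94.102.14.239, 213.215.240.24, 93.174.138.48
"""
SNAPSHOT_MAR16 = """\
gilaogbaos.ru, 213.215.240.24, 50.22.0.2, 188.165.202.204
gimiinfinfal.ru, 213.215.240.24, 50.22.0.2, 188.165.202.204
guioahgl.ru, 213.215.240.24, 50.22.0.2, 188.165.202.204
"""

def parse_snapshot(text):
    """Map domain -> set of A-record IPs; lines with no IPs (domain,,) are kept empty."""
    result = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if not fields or not fields[0]:
            continue
        result[fields[0]] = {f for f in fields[1:] if f}
    return result

def diff_infrastructure(old, new):
    """Return (persisting, added, dropped) hosting IPs between two snapshots."""
    old_ips = set().union(*old.values()) if old else set()
    new_ips = set().union(*new.values()) if new else set()
    return old_ips & new_ips, new_ips - old_ips, old_ips - new_ips

# --- 3. SOA/NS fingerprint shared by every lookup on the page ------------------
SOA_FINGERPRINT = {"serial": "2012010101", "refresh": "604800",
                   "retry": "1800", "expire": "1800", "default TTL": "60"}

LOOKUP_GUUDERIA = """\
primary name server = ns1.guuderia.ru
responsible mail addr = root.guuderia.ru
serial = 2012010101
refresh = 604800 (7 days)
retry = 1800 (30 mins)
expire = 1800 (30 mins)
default TTL = 60 (1 min)
guuderia.ru internet address = 212.180.176.4
"""
# Constructed contrast case: ordinary-looking SOA values, not from the page.
LOOKUP_BENIGN = """\
primary name server = ns1.example.ru
responsible mail addr = hostmaster.example.ru
serial = 2013031601
refresh = 3600 (1 hour)
retry = 900 (15 mins)
expire = 1209600 (14 days)
default TTL = 3600 (1 hour)
"""

def soa_fields(lookup_text):
    """Parse 'key = value (comment)' lines into {key: first token of value}."""
    fields = {}
    for line in lookup_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and value.strip():
            fields[key.strip()] = value.split()[0]
    return fields

def matches_soa_fingerprint(lookup_text):
    """True when every fingerprint field is present with the page's exact value."""
    fields = soa_fields(lookup_text)
    return all(fields.get(k) == v for k, v in SOA_FINGERPRINT.items())

if __name__ == "__main__":
    for client, url in find_bhek_hits(SAMPLE_PROXY_LOG):
        print("BHEK landing hit:", client, url)
    persist, added, dropped = diff_infrastructure(parse_snapshot(SNAPSHOT_MAR14),
                                                  parse_snapshot(SNAPSHOT_MAR16))
    print("persisting:", sorted(persist), "added:", sorted(added), "dropped:", sorted(dropped))
    print("guuderia.ru matches SOA fingerprint:", matches_soa_fingerprint(LOOKUP_GUUDERIA))
```

// The regex is deliberately narrow (four-letter-plus labels, a four-digit port, two path
// segments), so it will miss the kit if the operators drop the port or change the path depth;
// the SOA fingerprint and the IP-overlap check are the longer-lived pivots for the same campaign.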