Archive for January, 2010

Zief.pl And Friends Distribute Trojan Virut

Zief[dot]pl and a handful of other domains hosted on the same IP address (61.235.117.71) are currently attempting to distribute Trojan W32/Virut by using various client-side exploits. The Trojan W32/Virut family is particularly nasty and consists of file-infecting viruses that target and infect .EXE and .SCR files accessed on infected systems. Win32/Virut also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and run files on the infected computer.

Upon execution Win32/Virut opens a connection to one of its IRC servers over a non-standard IRC port. This channel is used for command and control, allowing the attacker to control the machine or download additional malicious components onto the system.

One example:

Server: proxima.ircgalaxy.pl
Port: 65520
Channel: &virtu
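Because the bot speaks ordinary IRC on a port nobody expects IRC on, the useful network detection is to fingerprint the protocol from the payload rather than from the port. The script below is an added example, not code from the post or from any vendor: it runs over a constructed set of connection records (the first client-to-server bytes of each stream, a hypothetical format), flags any stream that performs an IRC NICK/USER registration, records the channel it joins, and raises the severity when the destination port is outside the usual IRC range. Only the server, port and channel values come from the post.

```python
import re

# Constructed sample of connection records with the first client-to-server
# payload bytes of each TCP stream. Not a capture from the infection in the
# post; only the server, port and channel values are taken from it.
SAMPLE_STREAMS = [
    {"src": "10.0.0.12", "dst": "proxima.ircgalaxy.pl", "dport": 65520,
     "payload": "NICK vxz-4417\r\nUSER vxz 0 0 :vxz\r\nJOIN &virtu\r\n"},
    {"src": "10.0.0.15", "dst": "irc.example.net", "dport": 6667,
     "payload": "NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #python\r\n"},
    {"src": "10.0.0.20", "dst": "www.example.com", "dport": 80,
     "payload": "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "10.0.0.33", "dst": "203.0.113.9", "dport": 443,
     "payload": "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

# Ports on which IRC is normally expected; anything else is "non-standard".
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# An IRC client always registers with NICK and USER at the start of the
# stream, whatever port it uses, so the protocol is recognised from content.
IRC_COMMAND = re.compile(r"^(NICK|USER|PASS)\s", re.MULTILINE)
IRC_JOIN = re.compile(r"^JOIN\s+([#&][^\s,]+)", re.MULTILINE)


def classify_stream(stream):
    """Return a finding for an IRC-looking stream, or None for non-IRC traffic."""
    commands = set(IRC_COMMAND.findall(stream["payload"]))
    if not {"NICK", "USER"} <= commands:
        return None
    channels = IRC_JOIN.findall(stream["payload"])
    nonstandard_port = stream["dport"] not in STANDARD_IRC_PORTS
    return {
        "src": stream["src"],
        "dst": stream["dst"],
        "dport": stream["dport"],
        "channels": channels,
        "nonstandard_port": nonstandard_port,
        # IRC on an unexpected port is the signal the post describes; IRC on
        # a standard port is still worth logging but is not itself suspicious.
        "severity": "high" if nonstandard_port else "info",
    }


def scan_streams(streams):
    """Classify every stream and return only the IRC findings."""
    findings = []
    for stream in streams:
        finding = classify_stream(stream)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_streams(SAMPLE_STREAMS):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']}:{f['dport']} "
              f"channels={f['channels']} nonstandard_port={f['nonstandard_port']}")
```

The join target is kept in the finding because it is the cheapest pivot for correlating infected hosts: every bot in the same campaign joins the same channel. Note that the `&` prefix denotes a server-local channel in IRC, which is one reason a channel name alone does not tell you which network it lives on; the server and port from the stream do.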

What happened when Google visited this site?

Of the 42 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-01-30, and the last time suspicious content was found on this site was on 2010-01-30. Malicious software includes 738 exploit(s), 416 virus, 320 scripting exploit(s).

This site was hosted on 3 network(s) including AS4134 (China Telecom backbone), AS9394 (CRNET) and AS38356 (TIMENET).

This campaign has been going on for more than 30 days from the same IP address hosted in China (big surprise).

inetnum: 61.235.117.0 – 61.235.117.255
netname: CRGdSzS
country: CN
descr: China Railcom Guangdong Shenzhen Subbranch
descr: Telecommunication Company
descr: Shenzhen City,Guangdong Province

All activity including timeframe, domains, MD5s and IPs can be found here.

**Update 02/27/2010**
A more detailed analysis of Trojan Virut can be found here. Thanks Nicolas Brulez for bringing this to my attention.

Fake UPS spam distributes Trojan Bredolab

In early December I wrote about a fake DHL spam campaign which was found to be distributing Trojan Bredolab. The new spam campaign is very similar to the last one, but this time it purports to come from UPS.

Example

Subject: UPS Tracking Number 5845190

“Hello!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service of America.

[attachment UPS_invoice_NR12944.zip]”

VirusTotal results for the attachment can be found here. Domains known to be contacted by Trojan Bredolab are listed below (first-seen date, URL, resolved IP).

| First seen | URL | IP |
|---|---|---|
| 20091217 | http://mmsfoundsystem.ru | 193.104.12.20 |
| 20091227 | http://preflopp.com | 95.211.8.170 |
| 20100105 | http://greatmoder.cn | 122.115.63.19 |
| 20100108 | http://213.108.56.125 | 213.108.56.125 |
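A list like the one above is only useful once it is in a form that can be checked against proxy or DNS logs. The script below is an added example (not from the post) that parses the indicator lines exactly as the post formats them, builds host and IP lookup sets, and runs them over a few constructed proxy log lines in a hypothetical space-separated format (timestamp, client, method, URL, server IP). The last indicator has no domain at all, only an IP, so the parser keeps the bare IP as the host and the matcher checks the server IP as well as the URL host.

```python
import re
from urllib.parse import urlparse

# The indicator lines as listed in the post: first-seen date, URL, resolved IP.
BREDOLAB_IOCS = """\
20091217:http://mmsfoundsystem.ru, 193.104.12.20
20091227:http://preflopp.com, 95.211.8.170
20100105:http://greatmoder.cn, 122.115.63.19
20100108:http://213.108.56.125, 213.108.56.125
"""

IOC_LINE = re.compile(r"^(\d{8}):(\S+?),\s*(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_iocs(text):
    """Parse 'YYYYMMDD:url, ip' lines into records; reject lines that don't fit."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IOC_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised indicator line: {line!r}")
        first_seen, url, ip = m.groups()
        records.append({
            "first_seen": first_seen,
            # Domain for the first three entries, the bare IP for the last one.
            "host": urlparse(url).hostname,
            "ip": ip,
        })
    return records


def build_lookup(records):
    """Flatten records into host and IP sets so log matching is a set lookup."""
    hosts = {r["host"] for r in records}
    ips = {r["ip"] for r in records}
    return hosts, ips


# Constructed proxy log lines in a hypothetical format
# (timestamp client method url server_ip); not from any real environment.
SAMPLE_PROXY_LOG = [
    "2010-01-09T10:01:13 10.1.1.7 GET http://www.example.com/index.html 93.184.216.34",
    "2010-01-09T10:02:45 10.1.1.9 POST http://preflopp.com/update 95.211.8.170",
    "2010-01-09T10:03:02 10.1.1.9 GET http://update.example.net/check 198.51.100.4",
    "2010-01-09T10:05:11 10.1.1.12 GET http://213.108.56.125/ 213.108.56.125",
]


def match_log(lines, hosts, ips):
    """Return (client, url, reason) for every line whose host or server IP is listed."""
    hits = []
    for line in lines:
        ts, client, method, url, server_ip = line.split(" ", 4)
        host = urlparse(url).hostname
        if host in hosts:
            hits.append((client, url, f"host {host} on Bredolab list"))
        elif server_ip in ips:
            # Catches a listed IP reached through an unlisted or new domain.
            hits.append((client, url, f"server ip {server_ip} on Bredolab list"))
    return hits


if __name__ == "__main__":
    hosts, ips = build_lookup(parse_iocs(BREDOLAB_IOCS))
    for client, url, reason in match_log(SAMPLE_PROXY_LOG, hosts, ips):
        print(f"{client} {url} <- {reason}")
```

Matching on the server IP as a fallback matters for a family like this, whose domains rotate faster than the hosting behind them; the first-seen date is carried through so a hit can be judged against how old the indicator is.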

BETA3 multi-format shellcode encoding tool

BETA3 can convert raw binary shellcode into text that can be used in exploit source code. It can convert raw binary data to a large number of encodings. It can also do the reverse: decode encoded data from the same types of encodings back into binary. The official page where you can download it can be found here.
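The two directions the tool offers are simple byte-to-text transforms, and seeing them written out makes it clear what an analyst is undoing when a blob of `\x90\x90...` or `%u9090...` turns up in a captured page or exploit file. The block below is an added example, not BETA3's own code and not a description of its exact formats: it implements three common encodings (C/Perl `\xNN` string literals, plain hex, and JavaScript-style `%uXXXX` escapes) in both directions over a constructed byte string, and checks that each one round-trips. The `%u` format packs two bytes per unit, so an odd-length input is rejected rather than silently padded.

```python
import re

# Constructed sample bytes standing in for any binary blob (not shellcode
# from the tool's site): every low byte plus a few printable and high ones.
SAMPLE_BLOB = bytes(range(0x20)) + b"AB\x7f\xff"


def encode_c(data, width=16):
    """Render bytes as adjacent C/Perl string literals of \\xNN escapes."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        lines.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "\n".join(lines)


def encode_hex(data):
    """Plain hex digits, no separators."""
    return data.hex()


def encode_unicode(data):
    """JavaScript-style %uXXXX escapes: each pair of bytes becomes one
    little-endian 16-bit unit, so the input must have an even length."""
    if len(data) % 2:
        raise ValueError("%u encoding needs an even number of bytes")
    return "".join(f"%u{data[i + 1]:02x}{data[i]:02x}"
                   for i in range(0, len(data), 2))


def decode_c(text):
    """Recover bytes from \\xNN escapes, ignoring quotes, whitespace and newlines."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def decode_hex(text):
    """Recover bytes from hex digits, tolerating whitespace between them."""
    return bytes.fromhex(re.sub(r"\s+", "", text))


def decode_unicode(text):
    """Undo encode_unicode: %uHHLL -> bytes LL, HH."""
    out = bytearray()
    for hi, lo in re.findall(r"%u([0-9a-fA-F]{2})([0-9a-fA-F]{2})", text):
        out += bytes([int(lo, 16), int(hi, 16)])
    return bytes(out)


ENCODERS = {"c": encode_c, "hex": encode_hex, "unicode": encode_unicode}
DECODERS = {"c": decode_c, "hex": decode_hex, "unicode": decode_unicode}


def convert(data, fmt):
    """Binary -> text in the named format."""
    return ENCODERS[fmt](data)


def revert(text, fmt):
    """Text in the named format -> binary."""
    return DECODERS[fmt](text)


def roundtrip_ok(data, fmt):
    """True when decoding the encoded form gives the original bytes back."""
    return revert(convert(data, fmt), fmt) == data


if __name__ == "__main__":
    for fmt in ENCODERS:
        print(f"--- {fmt} (roundtrip={roundtrip_ok(SAMPLE_BLOB, fmt)})")
        print(convert(SAMPLE_BLOB, fmt))
```

The decoders deliberately ignore everything that is not an escape, so they accept the text as it appears in source (quotes, line breaks, concatenated literals) rather than requiring it to be cleaned up first; that is the direction an analyst most often needs when pulling a payload out of a sample for hashing or disassembly.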
