Skip navigation.

Downloader payload still on the internet.

I was just looking at some older viruses and came across and had a look through it and found a url encoded in it I just put it in wget to see if it was still there and to my surprise it was. Although its not a new virus it wasn't in the database yet.

-------- update --------
Still looking at one of the sister site (the url is the payload executable) I was getting offered a nice file to download cyber.wmf I never revues such a freebie according to Clam this is Exploit.WMF.A. Unfortunately I'm not able to submit it because its not a PE or dll.

Whois and other records concerning the sites point back to the infamous "James Wuster" apperanlty he is in need off extra zombies to do his spamming.

James Wuster

Since you are apparently interested in this guy, you may like to learn a bit more of him:
I'm the author of the article you linked to and did some thorough research on him.

"James Wuster" alias "Vasiliy Pupklindtovich" alias "Evgeniy Lipic" alias "John Smith" alias "DMV" alias "goldfinger" alias "sweater" is in reality a spammer from Saint Petersburg called Vladislav, who's in the malware biz since 2003. His main niche is adult content where he keeps trying to establish himself but eventually fails due to cheating traffic trades with hitbots and repetitive messing with exploits on his sites.

You may have heard of his latest success story in June: Remember the infamous Browsezilla? That was his creation (perhaps with some help from fellow exploiters), also all browsezilla domains were registered by him. I exposed him in an article which he apparently didn't like as after having read it he chose to take down the server from which the software and his pr0n galleries were pulled ;-)