A criminal infrastructure running a SpyEye Trojan control panel has been identified, set up to steal confidential data from users in the Balkan republics.
This server is hosted on IP 18.104.22.168, which belongs to the Romanian provider ZAMANHOST-NET. The fraudulent domains prontomentos.com, soledantos.com, patentpendingnotetaker.net and rontomentos.com also resolve to this IP.
The connection string that infected computers use to communicate with the Trojan control panel is:
The Trojan control panel is accessed via the URL:
The word “kurcina” means “A really big di*k” in Serbian.
This control panel incorporates 2 new modules in its functionality.
The "E-Mail Grabber" plugin:
This module has been active since 11/05/2012 and has collected more than 159.288 e-mail addresses, most of them from computer users in Slovenia, Bosnia and Herzegovina and other Balkan republics.
The other new plugin is the "FTP Grabber":
The panel's statistics module shows that the criminals are primarily interested in collecting private data from users' email accounts and social networks, which means that this panel has been created mainly for the purpose of espionage and intelligence gathering on the profiles and behavior patterns of users of the Balkan republics.