Author Topic: ZeuS? -  (Read 4832 times)

March 24, 2010, 04:35:39 pm
Found a bunch of different domains of what appears to be an infected client checking in once a day.

All of these domains are hit with the following URL appended:

/sox/exe.php?v=sox2b&sox=<10 digits>

To pull down some chunk of binary data, do this:

To pull down the potential config file or some sort of check in? Do this:

March 24, 2010, 07:41:33 pm
Reply #1


Definitely not Zeus.

Any ideas what it is?

xor doesn't give any useful result.
Ruining the bad guy's day
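
Added example, not part of the original thread: one way to hunt proxy logs for the check-in URL reported in the first post and flag clients that repeat it on several days. The log format, IP addresses and domains are constructed for illustration; only the URI pattern comes from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URI pattern exactly as reported in the post: v=sox2b and a 10-digit sox value.
CHECKIN_RE = re.compile(r"^/sox/exe\.php\?v=sox2b&sox=\d{10}$")

# Constructed sample proxy log (assumed format: ISO timestamp, client IP, method, URL).
SAMPLE_LOG = """\
2010-03-22T09:14:02 10.0.0.23 GET http://one.example/sox/exe.php?v=sox2b&sox=1234567890
2010-03-22T09:15:40 10.0.0.23 GET http://intranet.example/index.html
2010-03-23T09:13:55 10.0.0.23 GET http://two.example/sox/exe.php?v=sox2b&sox=1234567890
2010-03-23T11:02:10 10.0.0.41 GET http://shop.example/sox/exe.php?v=sox2b&sox=12345
2010-03-24T09:14:31 10.0.0.23 GET http://three.example/sox/exe.php?v=sox2b&sox=1234567890
2010-03-24T10:00:00 10.0.0.57 GET http://one.example/sox/exe.php?v=sox2b&sox=0987654321
"""

def find_checkins(log_text):
    """Return {client_ip: [(date, host), ...]} for requests matching the pattern."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        timestamp, client, _method, url = parts
        u = urlsplit(url)
        target = u.path + ("?" + u.query if u.query else "")
        if CHECKIN_RE.match(target):
            hits[client].append((timestamp[:10], u.hostname))
    return dict(hits)

def recurring_clients(hits, min_days=2):
    """Clients seen checking in on at least min_days distinct days."""
    return sorted(c for c, seen in hits.items()
                  if len({day for day, _ in seen}) >= min_days)

if __name__ == "__main__":
    hits = find_checkins(SAMPLE_LOG)
    for client in recurring_clients(hits):
        days = sorted({d for d, _ in hits[client]})
        hosts = sorted({h for _, h in hits[client]})
        print(client, "days:", days, "hosts:", hosts)
```

Grouping by client rather than by domain matters here because the post describes the same request being sent to many different domains.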