ZeuS? - wertupwan.com avalanche-digital.com copiluminune.com gurguroblakc.com

[eoin.miller]

Found a bunch of different domains of what appears to be an infected client checking in once a day.

wertupwan.com
avalanche-digital.com
copiluminune.com
gurguroblakc.com
zdrasticeluka.com

All of these domains are hit with the following url appended:

/sox/exe.php?v=sox2b&sox=<10 digits>



To pull down some chunk of binary data, do this:
http://wertupwan.com/sox/exe.php

To pull down the potential config file or some sort of check in? Do this:
http://wertupwan.com/sox/exe.php?v=sox2b&sox=1359868210

[SysAdMini]

Definitely not Zeus.

Any ideas what it is ?

xor doesn't give any useful result.

[SysAdMini]

I got all those links from followers on Twitter. Thanks!

Unfortunately we still don't know the malware family.

http://www.threatexpert.com/report.aspx?md5=ed3a31b189c633007a7adb0cb1909811

http://74.125.47.132/search?oe=UTF-8&hl=en&q=cache%3Ao20BXcDZ608J%3Aautovin.pandasecurity.my%2F%3Fp%3D3460

https://anubis.iseclab.org/index.php?action=result&task_id=1c4d57c172d8018248d9e7f3141cc737b&format=html


VT report found by MD5 hash : http://www.virustotal.com/analisis/81767081bb42672dae27c800c82a5af04375da6c91e0bae263429c8af51a561f-1267628278

[CkreM]

I got all those links from followers on Twitter. Thanks!

Unfortunately we still don't know the malware family.

http://www.threatexpert.com/report.aspx?md5=ed3a31b189c633007a7adb0cb1909811

http://74.125.47.132/search?oe=UTF-8&hl=en&q=cache%3Ao20BXcDZ608J%3Aautovin.pandasecurity.my%2F%3Fp%3D3460

https://anubis.iseclab.org/index.php?action=result&task_id=1c4d57c172d8018248d9e7f3141cc737b&format=html


VT report found by MD5 hash : http://www.virustotal.com/analisis/81767081bb42672dae27c800c82a5af04375da6c91e0bae263429c8af51a561f-1267628278

This Trojan works like Zeus in any way?