Author Topic: virut variant  (Read 3623 times)

December 15, 2009, 03:50:30 pm
crunchtime

Sample:
hxxp://giopnon.cn/10.exe

Decent detection according to this website:
http://mtc.sri.com/live_data/cc_servers/


December 15, 2009, 04:01:32 pm
Reply #1

crunchtime

Upon a closer look this infection also pulled down this executable code:
hxxp://wws.mobiec.net/zzxx.exe
hxxp://204.27.57.210/p1023/2.0/d.bin?
hxxp://colopin.cn/oc/box.txt
hxxp://maxdomzhit.com/file.exe
hxxp://q.kfgrtjer.cn:88/read.txt
hxxp://www.liagand.cn/img/la.gif

December 15, 2009, 04:33:55 pm
Reply #2

SysAdMini

I'm interested in more details. Do you have a log file, or can I reproduce the download myself?

Is hxxp://giopnon.cn/10.exe the downloader for those files?
Ruining the bad guy's day