Shiz and Rohimafo: Malware Cousins

Posted by Steven Burn (Administrator), September 12, 2010, 02:51:25 am

Over the course of the last few weeks, our malware sandboxes have analyzed several interesting specimens with malicious activities that include the making of significant modifications to the routing table on the victim host; the effect of these changes is to essentially null-route a large number of /24 IP blocks, one of which is assigned to the U.S. Department of Justice.

As usual, the malicious activity begins with the running of an initial dropper executable. This dropper immediately copies itself verbatim into the Windows system directory with an (apparently) randomly generated new file name; examples include 5b8388e0.exe, 593a1edf.exe, and d4f11d84.exe.

The malware then adds an entry to the following Registry key to ensure that the installed version of itself is launched each time the machine restarts:

Read more

Steven Burn
I.T. Mate / hpHosts
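The two host-side indicators in the excerpt above (a routing table padded with null-routed /24 blocks, and a randomly named copy of the dropper registered to start with Windows) can both be checked offline from an incident-response perspective. The following is an added example, not code from the post or from the analysis it quotes. It assumes a Windows `route print` layout for the sample table, substitutes RFC 5737 documentation ranges for the real /24 blocks (the post does not list them), assumes the usual `HKLM\...\CurrentVersion\Run` location for the autorun entry (the post does not name the key), and uses a heuristic of its own for "null-routed": a /24 route whose gateway is the loopback address or lies outside every on-link subnet.

```python
"""Checks for two behaviours described in the post: /24 routes with an
unreachable next hop, and autorun entries launching an 8-hex-character .exe
from the system directory. All inputs are constructed samples."""
import ipaddress
import ntpath
import re
from dataclasses import dataclass

# Constructed excerpt laid out like the IPv4 section of Windows "route print".
# The three /24 rows at the bottom use RFC 5737 documentation ranges in place
# of the real blocks, which the post does not list.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.50     25
        127.0.0.0        255.0.0.0          On-link      127.0.0.1    306
      192.168.1.0    255.255.255.0          On-link   192.168.1.50    281
    192.168.1.255  255.255.255.255          On-link   192.168.1.50    281
     198.51.100.0    255.255.255.0        127.0.0.1   192.168.1.50      1
      203.0.113.0    255.255.255.0        127.0.0.1   192.168.1.50      1
        192.0.2.0    255.255.255.0   10.255.255.254   192.168.1.50      1
===========================================================================
"""

ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str  # dotted quad, or the literal "On-link"
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> list[Route]:
    """Extract the data rows from route print output; headers and rules are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append(Route(
            ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            gateway, ipaddress.IPv4Address(iface), int(metric)))
    return routes


def suspicious_null_routes(routes: list[Route], prefixlen: int = 24) -> list[Route]:
    """Flag /24 routes whose next hop cannot forward traffic: the gateway is the
    loopback address or is outside every on-link subnet (heuristic assumed here)."""
    local_subnets = [r.network for r in routes
                     if r.gateway == "On-link" and r.network.prefixlen < 32
                     and not r.network.is_loopback]
    flagged = []
    for r in routes:
        if r.network.prefixlen != prefixlen or r.gateway == "On-link":
            continue
        gw = ipaddress.IPv4Address(r.gateway)
        if gw.is_loopback or not any(gw in net for net in local_subnets):
            flagged.append(r)
    return flagged


# Constructed Run-key style entries (value name -> command line). The post does
# not name the key it refers to; HKLM\...\CurrentVersion\Run is assumed here.
SAMPLE_AUTORUNS = {
    "VendorUpdater": r'"C:\Program Files\Vendor\updater.exe" /silent',
    "5b8388e0": r"C:\Windows\System32\5b8388e0.exe",
    "SoundTray": r"C:\Windows\System32\soundtray.exe",
    "d4f11d84": r"C:\Windows\System32\d4f11d84.exe",
}

# Eight hex characters plus .exe: the shape of the file names quoted in the post.
RANDOM_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _command_path(command: str) -> str:
    """Return the executable path from a Run value, handling quoted and bare forms."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_autoruns(entries: dict[str, str]) -> list[str]:
    """Return value names whose target is an 8-hex-character .exe in the system directory."""
    hits = []
    for name, command in entries.items():
        path = _command_path(command)
        if path.lower().startswith(SYSTEM_DIRS) and RANDOM_NAME.match(ntpath.basename(path)):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for r in suspicious_null_routes(parse_route_print(SAMPLE_ROUTE_PRINT)):
        print(f"null-routed: {r.network} via {r.gateway}")
    for name in suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"autorun: {name} -> {SAMPLE_AUTORUNS[name]}")
```

On a live host the same functions can be fed the output of `route print` and an export of the Run key; a single flagged route is weak evidence on its own, so the count of flagged /24 entries, compared against a known-good baseline of the machine, is the more useful signal.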