Author Topic: unknown malware  (Read 3453 times)


July 30, 2009, 05:52:28 pm

crunchtime

  • Special Access
  • Full Member

Not sure what this one accomplishes, but it's something nasty:
hxxp://cbbugltjud.com/progs/xfcgtyylqd/iejwn

The domain's IP points to some additional domains that just scream sketchy:
cbbugltjud.com    A    195.2.253.240
www.cbbugltjud.com    A    195.2.253.240
cabkyykbbg.com    A    195.2.253.240
ccmguyldmn.com    A    195.2.253.240
cddcrjuwwz.com    A    195.2.253.240

MysteryFCM: Defanged www. domain ....

July 30, 2009, 09:37:28 pm
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

URL leads to an executable. Looks like a rootkit infection according to the VT results:

http://www.virustotal.com/analisis/1803bca1ce2f4480746eeb6f6fca22623c226d14e92185f5caf529189656f2e4-1248990199
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

July 30, 2009, 09:44:57 pm
Reply #2

MysteryFCM

  • Administrator
  • Hero Member


August 01, 2009, 12:29:53 am
Reply #3

ocean

  • Special Access
  • Full Member

From a quick analysis: it decrypts (TEA) a downloader in memory, uses an "internal PE loader" (that's why it uses kernel32.dll, I think) and calls the downloader. That downloads other executables from some online location (there are two possible locations; I haven't checked how it chooses one of these).

cbbugltjud.com
dbicrgzykf.net

which are known malware domains.

It generates id and p as POST parameters to the uniq.php page, but I haven't got an executable so far.

regards
ocean
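An added illustration of the first step ocean describes (a TEA-encrypted stage decrypted in memory and then handed to an internal PE loader). This is example code written for this page, not ocean's tooling and not the sample's own routine: it is standard 32-round TEA, and the key, the little-endian ECB layout, and the 16-byte fake DOS header are constructed for the demo. The "MZ" check stands in for what the loader would see after decryption.

```c
/*
 * Added example (not code from the thread or from the sample): a reference
 * TEA decryptor of the kind an analyst writes to unpack a stage that a
 * dropper decrypts in memory before passing it to an internal PE loader.
 * The key, the little-endian ECB layout and the demo payload are CONSTRUCTED
 * assumptions for this demo; the thread gives none of them.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TEA_DELTA  0x9E3779B9u   /* the constant that gives TEA away in a disassembly */
#define TEA_ROUNDS 32

/* Constructed demo key; in a real unpack it is lifted from the decryption loop. */
const uint32_t demo_key[4] = { 0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u };

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t x) {
    p[0] = (uint8_t)x;         p[1] = (uint8_t)(x >> 8);
    p[2] = (uint8_t)(x >> 16); p[3] = (uint8_t)(x >> 24);
}

/* Standard TEA (Wheeler/Needham): one 64-bit block, 32 rounds. */
static void tea_encrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Inverse: run the rounds backwards, starting from sum = 32 * delta (0xC6EF3720). */
static void tea_decrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = TEA_DELTA * TEA_ROUNDS;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* ECB over a whole buffer, in place. Returns 0, or -1 if len is not a
 * multiple of the 8-byte block (a real unpacker would pad or refuse). */
int tea_ecb_encrypt(uint8_t *buf, size_t len, const uint32_t k[4]) {
    if (len % 8 != 0) return -1;
    for (size_t off = 0; off < len; off += 8) {
        uint32_t v[2] = { load_le32(buf + off), load_le32(buf + off + 4) };
        tea_encrypt_block(v, k);
        store_le32(buf + off, v[0]);
        store_le32(buf + off + 4, v[1]);
    }
    return 0;
}

int tea_ecb_decrypt(uint8_t *buf, size_t len, const uint32_t k[4]) {
    if (len % 8 != 0) return -1;
    for (size_t off = 0; off < len; off += 8) {
        uint32_t v[2] = { load_le32(buf + off), load_le32(buf + off + 4) };
        tea_decrypt_block(v, k);
        store_le32(buf + off, v[0]);
        store_le32(buf + off + 4, v[1]);
    }
    return 0;
}

/* Decrypt blob into out and report whether the result starts with the "MZ"
 * DOS signature, i.e. whether an internal PE loader would have a PE to map.
 * Returns 1 (PE-like), 0 (not PE-like), -1 (bad length). */
int tea_unpack_and_check_mz(const uint8_t *blob, size_t len,
                            const uint32_t k[4], uint8_t *out) {
    memcpy(out, blob, len);
    if (tea_ecb_decrypt(out, len, k) != 0) return -1;
    return (len >= 2 && out[0] == 'M' && out[1] == 'Z') ? 1 : 0;
}

int main(void) {
    /* Constructed stand-in for an embedded stage: a fake 16-byte DOS header. */
    uint8_t stage[16] = { 'M','Z',0x90,0x00,0x03,0x00,0x00,0x00,
                          0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00 };
    uint8_t blob[16], out[16];

    memcpy(blob, stage, sizeof blob);
    tea_ecb_encrypt(blob, sizeof blob, demo_key);   /* play the dropper's packer */

    int pe_like = tea_unpack_and_check_mz(blob, sizeof blob, demo_key, out);
    printf("decrypted stage %s like a PE:", pe_like == 1 ? "looks" : "does not look");
    for (size_t i = 0; i < sizeof out; i++) printf(" %02x", out[i]);
    printf("\n");
    return pe_like == 1 ? 0 : 1;
}
```

When doing this against a real sample, the key and the word/byte order come from the decryption loop itself; the delta 0x9E3779B9 (or its negation) is the usual way to spot TEA or XTEA in a disassembly, and an "MZ" at the start of the decrypted buffer is the quick confirmation that the stage is a PE for the internal loader rather than shellcode or further config.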