< NDSS'08 Presentation | SSAC Advisory on Fast Flux Hosting and DNS >

loads.cc vs. CWSandbox

Sunbelt covered the 3D screensaver spam and the background of this scam in some detail. Dancho Danchev also blogged about some details of this incident. And here are my 2 cent of info:

The file load.exe (MD5: b20e4e725cc86b489ec441b97b728285) drops two files called 0.EXE and 1.EXE which are subsequently executed. 0.EXE creates the two files C:\Documents and Settings\USER\Local Settings\Application Data\cftmon.exe and C:\WINDOWS\system32\drivers\spools.exe, which are also automatically started via a registry key. Furthermore, the following HTTP requests are sent:

http://195.93.218.25/ld/?&v=driver&d=0
http://195.93.218.25/ld/manda.php?id=-396739409&v=driver&d=0
http://195.93.218.25/m.exe

This IP address belongs to Buildhouse Ltd., located in Russia - a grey hosting provider?

More complete info: cwsandbox.org.
This entry was posted by Thorsten Holz on Wednesday, March 12. 2008 at 18:00. and is filed under malware. You can leave a response, or trackback from your own blog. All new comments are subject to moderation before being displayed.

Trackbacks

Trackback specific URI for this entry

    No Trackbacks

Comments

Display comments as (Linear | Threaded)

    No comments


Add Comment


Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
Submitted comments will be subject to moderation before being displayed.