loads.cc vs. CWSandbox
Wednesday, March 12. 2008
Sunbelt covered the 3D screensaver spam and the background of this scam in some detail. Dancho Danchev also blogged about some details of this incident. And here are my 2 cent of info:
The file load.exe (MD5: b20e4e725cc86b489ec441b97b728285) drops two files called 0.EXE and 1.EXE which are subsequently executed. 0.EXE creates the two files C:\Documents and Settings\USER\Local Settings\Application Data\cftmon.exe and C:\WINDOWS\system32\drivers\spools.exe, which are also automatically started via a registry key. Furthermore, the following HTTP requests are sent:
http://195.93.218.25/ld/?&v=driver&d=0
http://195.93.218.25/ld/manda.php?id=-396739409&v=driver&d=0
http://195.93.218.25/m.exe
This IP address belongs to Buildhouse Ltd., located in Russia - a grey hosting provider?
More complete info: cwsandbox.org.
The file load.exe (MD5: b20e4e725cc86b489ec441b97b728285) drops two files called 0.EXE and 1.EXE which are subsequently executed. 0.EXE creates the two files C:\Documents and Settings\USER\Local Settings\Application Data\cftmon.exe and C:\WINDOWS\system32\drivers\spools.exe, which are also automatically started via a registry key. Furthermore, the following HTTP requests are sent:
http://195.93.218.25/ld/?&v=driver&d=0
http://195.93.218.25/ld/manda.php?id=-396739409&v=driver&d=0
http://195.93.218.25/m.exe
This IP address belongs to Buildhouse Ltd., located in Russia - a grey hosting provider?
More complete info: cwsandbox.org.
".
