MS06-040 Update

Yesterday I blogged about the recent MS06-040 vulnerability and the malware related to it. As noted by Tom Fischer, the bot-herders also install additional software on the infected machines: they issue a download of http://media.pixpond.com/l9rXXX.jpg (MD5 9bc2f9e15a4802fe5be55a0510f2f0e3 at the time of this writing), which different AV engines classify as follows:

AntiVir:
---------

Signature Update: 2006-08-13 15:40:06
Product Version: 2.1.7-31
Signature Version: 6.35.1.85
Result: Trojan/Dldr.Bary.FL.2

Signature Update: 2006-08-14 09:40:05
Product Version: 2.1.7-31
Signature Version: 6.35.1.87
Result: Trojan/Proxy.FV

BitDefender:
--------------

Signature Update: 2006-08-14 00:40:06
Product Version: 7.0.2492
Signature Version: 444432
Result: Backdoor.Proxy.Piky.B

ClamAV:
---------

Signature Update: 2006-08-13 21:40:05
Product Version: 0.88.2
Signature Version: 1655
Result: Trojan.Proxy.Ranky-29
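
As an added example (not part of the original post), a small Python parser for the report format above: it keeps only each engine's newest verdict and extracts the name tokens all engines agree on, since vendor names differ and AntiVir renamed the sample between two signature updates.

```python
import re
# Constructed sample: the engines, signature-update times and results quoted in the post above.
REPORT = """AntiVir:
---------
Signature Update: 2006-08-13 15:40:06
Result: Trojan/Dldr.Bary.FL.2

Signature Update: 2006-08-14 09:40:05
Result: Trojan/Proxy.FV

BitDefender:
--------------
Signature Update: 2006-08-14 00:40:06
Result: Backdoor.Proxy.Piky.B

ClamAV:
---------
Signature Update: 2006-08-13 21:40:05
Result: Trojan.Proxy.Ranky-29
"""

def parse_report(text):
    """Yield (engine, {field: value}) for every scan result in the report."""
    engine, fields = None, {}
    for line in text.splitlines() + [""]:
        header = re.fullmatch(r"\S+:", line)          # "AntiVir:" opens an engine block
        if (header or not line) and fields:           # a header or blank line closes a result
            yield engine, fields
            fields = {}
        if header:
            engine = line[:-1]
        elif ": " in line:                            # "Key: Value" (dash rulers have no ': ')
            key, _, value = line.partition(": ")
            fields[key] = value

def family_tokens(name):
    """Lowercase name parts; vendors separate them with '/', '.' and '-'."""
    return set(re.split(r"[/.\-]", name.lower()))

def latest_verdicts(records):
    """Newest signature set per engine: AntiVir renamed this sample between two updates."""
    latest = {}
    for engine, f in records:
        if engine not in latest or f["Signature Update"] > latest[engine]["Signature Update"]:
            latest[engine] = f
    return {e: f["Result"] for e, f in latest.items()}

def consensus(verdicts):
    """Name tokens every engine agrees on; matching on these, not full names, is robust."""
    return set.intersection(*(family_tokens(v) for v in verdicts.values()))
```

Track the sample by its MD5 rather than by any single vendor name; the consensus token here is just "proxy", which is the one property all three engines report.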


There is also an analysis of this binary from our sandbox (and in XML).

Update: LURHQ also has an update on Mocbot Spam Analysis.
