-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear List,

Here are more details, with credit to Team Cymru: http://www.team-cymru.org/

> C&C nodes for this version:
>
> melaniibaby.no-ip.biz 173.0.10.52
> ghostsx.8866.org 192.168.11.1 (so not likely to connect)
> awrasx10.no-ip.biz 95.170.198.155
>
> Ah, we've seen this one before! It first entered our collection on
> 2011-08-03 06:46:09 UTC.
>
> It's tagged as malware by several AV packages, and some of the
> malware tags include:
>
> Win32/Bifrose.ZG
> VirTool.DelfInject.AF
> Worm.Rebhip.Gen.2
> Trojan:W32/Agent.DQKQ
> [ ... ]
>
> It reaches out to:
>
> 37.236.124.197:9999 TCP
> 173.0.10.52:9999 TCP
> 188.72.21.34:9999 TCP
>
> It looks up:
>
> awrasx10.no-ip.biz
>
> It installs:
>
> C:\WINDOWS\SysWOW64\sys\msns.exe
> C:\Users\Administrator\AppData\Local\Temp\2.exe

All the best,
SiNA

- --
"Be the change you want to see in the world." Gandhi
OTR: i...@jabber.ccc.de a5dae15f45a37e9768f6deae7b54807fc4942ec9

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJRCVLFAAoJEDxieAEiLOmoT9kQALgwOhmhY81wU5ZMYGlQxOyS
FyB8DCKcoUfsuH27UhL7T22TvBB+GsCROuL/16scrEMaX5fkOAUB63w8cq0LOEZM
ioYsPmAjhPgDefM4UcYkyANQdW3Do0zItXXS/qgOfG1xdcrtlTFb+s40tYF4R+et
CpcDfLRrw3Q6l/586X7M3UvLHWaJUwHRx72KkmWfp7mWxc+AJnw/IiphTCdSOUBP
SmAhKjYfkaKFGqGF0YWJS391qYdXjqU9DZRQpYAQjfoMmI0WNwgZtJP7bJYKaNHJ
JqgWMXeWdHf8MHPy/MsB2zVwCR0igFPBHHlqaNCe9oVcALa4jqhfGrkherwS7L8W
9aPsHxdTWYyPfbH/MSqBu61z0X88BtWZ3Hc+h6J7KHcHErkHESrIBjbfS2jYQ0AP
DBbBszB0sQ4d70HodGX/frK5XjwQjeNt5F0jrbroqPtRP6OTZf+sMF5LLEKaoGDT
tYs+y98zQs8U2E7PuKWS5uxBUD7gYDH8JFtvSKvNqeF79UO8OE4bq4NHdQ9Mup8j
9qAwbD8SZSnBQaU0Z+e6vZZuYTY+p0YkqoJppEz8Q22TqPuUNydao5xYIg/mkF2D
aQ22wgM+wZ0jsfDuZQV4m/K2Nfk8sPfm62fpA1p4eQBnB4c8f2keKskz0qYd6NpM
UPYmowN6QOQ7gwrgvCFL
=wWYW
-----END PGP SIGNATURE-----

--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
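The post above is essentially a list of indicators (C&C hostnames, the IPs they resolved to, the TCP 9999 beacon destinations, and the two dropped file paths). As an added example that is not part of SiNA's post or Team Cymru's analysis, the script below turns those indicators into a small watchlist and runs it over constructed DNS, connection and process-creation log lines. The log format (space-separated `key=value` records) and every log line are constructed for illustration; the indicator values themselves are the ones quoted in the post. It also drops the RFC 1918 address (192.168.11.1) from the IP watchlist, since, as the quoted text notes, an infected host will never reach it across the internet and matching it would only flag traffic to a local router.

```python
"""Match the C&C indicators quoted in the post against constructed log lines.

Added example: the log format and sample lines are constructed; the
indicator values come from the post.
"""
import ipaddress
import re

# Indicators quoted in the post: C&C hostnames, their resolutions plus the
# observed TCP 9999 destinations, and the paths the sample installs.
CNC_DOMAINS = {"melaniibaby.no-ip.biz", "ghostsx.8866.org", "awrasx10.no-ip.biz"}
CNC_IPS = {"173.0.10.52", "192.168.11.1", "95.170.198.155",
           "37.236.124.197", "188.72.21.34"}
CNC_PORT = "9999"
DROPPED_PATHS = {p.lower() for p in (
    r"C:\WINDOWS\SysWOW64\sys\msns.exe",
    r"C:\Users\Administrator\AppData\Local\Temp\2.exe",
)}

# Constructed sample log lines (not from the post): "<timestamp> <kind> k=v ...".
# 198.51.100.7 is documentation (TEST-NET-2) space standing in for benign traffic.
SAMPLE_LOGS = [
    "2013-01-30T10:00:01Z dns host=ws01 qname=awrasx10.no-ip.biz",
    "2013-01-30T10:00:02Z conn host=ws01 dst=95.170.198.155 dport=9999 proto=tcp",
    "2013-01-30T10:00:03Z conn host=ws02 dst=192.168.11.1 dport=9999 proto=tcp",
    "2013-01-30T10:00:04Z proc host=ws02 image=C:\\Windows\\SysWOW64\\sys\\msns.exe",
    "2013-01-30T10:00:05Z dns host=ws03 qname=www.example.com",
    "2013-01-30T10:00:06Z conn host=ws03 dst=198.51.100.7 dport=443 proto=tcp",
]

KV = re.compile(r"(\w+)=(\S+)")


def routable_ips(ips):
    """Keep only globally routable addresses.

    192.168.11.1 is RFC 1918 space, so (as the post notes) the sample cannot
    reach it from outside; alerting on it would only produce false positives.
    """
    return {ip for ip in ips if ipaddress.ip_address(ip).is_global}


def parse_line(line):
    """Split a constructed log line into timestamp, record kind and k=v fields."""
    ts, kind, _rest = line.split(" ", 2)
    return ts, kind, dict(KV.findall(line))


def match_indicators(lines, ips=CNC_IPS):
    """Return (timestamp, host, indicator type, value, severity) per matching line.

    A connection to a listed IP on TCP 9999 is rated high because that is the
    only beacon port the post documents; the same IP on another port is medium.
    Hostname and dropped-file matches are rated high.
    """
    hits = []
    for line in lines:
        ts, kind, f = parse_line(line)
        if kind == "dns" and f.get("qname", "").lower().rstrip(".") in CNC_DOMAINS:
            hits.append((ts, f.get("host"), "domain", f["qname"], "high"))
        elif kind == "conn" and f.get("dst") in ips:
            beacon = f.get("dport") == CNC_PORT and f.get("proto") == "tcp"
            hits.append((ts, f.get("host"), "ip", f["dst"], "high" if beacon else "medium"))
        elif kind == "proc" and f.get("image", "").lower() in DROPPED_PATHS:
            hits.append((ts, f.get("host"), "file", f["image"], "high"))
    return hits


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOGS, routable_ips(CNC_IPS)):
        print(*hit)
```

With the routable watchlist the constructed logs yield three hits (the lookup of awrasx10.no-ip.biz, the TCP 9999 connection to 95.170.198.155, and msns.exe starting under SysWOW64\sys); the connection to 192.168.11.1 is ignored. Passing the full `CNC_IPS` set instead would flag that fourth line too, which is exactly the local-network noise the filter is there to avoid.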