This looks like a new version of what was mentioned in "Follow The
Bouncing Malware, Part III"
(http://isc.sans.org/diary.php?date=2004-11-04). The main thing it
installs appears to be the 180solutions spyware.
AnthraX101

On Mon, 15 Nov 2004 13:06:22 -0500, Brandy Simon <[EMAIL PROTECTED]> wrote:
File is an MSVB exe; here are some fun strings from the binary...
(spyware, but not a trojan)
http://www.maxmind.com:8010/a?l=PeAyF1sgrZYw&i=\tempf.txt
\usta32.ini
http://mmm.media-motor.net/bundle.php?aff=\affbun.txt
phases
sewers
outers
c:\asdf.txt
randomdll
mydll
randomocx
\regsvr32 /s
Anyone familiar with this group (media-motor.net/Roings.com)? They
seem to be sending downloader.trojan files to unsuspecting people
using everyone.net webmail accounts.
http://mmm.media-motor.net/soft/default.exe
The webmail I discovered it on was from sunguru.com
tries to download that file ever