Silkut
December 17th, 2009, 14:50
Not Opera ? \0/
EDIT: Wow, it is quite nasty... It is detected as Trojan.Win32.Cosmu.faz by KAV; it has been on the watch list for two days.
Your file is packed with UPX, it contains 18 imports and numerous functions; analysis made the debugger crap its pants and my VM BSOD..

There is a resident binary called "services" which is also running a child called "jqs", the latter one is dropped in Local Settings\Temp, the first one is detected, not the latter one.
It is dropping some files on system32 and all...
It is querying google.com.br, then happymod.info
On this one it is GETting four files "flexds10.a,house10.a,total10.pmk,view25.a" which are XORed binaries, also packed with UPX. They all seem to contain the same code.
It also queries contabilizando.webcindario.com/acesso.php with information about your infected computer (Windows version, user name, IP address and port). This PHP code is exploitable btw.
Some anon examples from the root dir list:
Quote:
###WinVista # 8 # 10071677 # ANASALES-PC # # 72.218.XXX.222 # 49X90 # 2009-12-14 # 21:09:04
FF ####WinXP # 6 # 32962726 # MAQUINA09 # # 189.104.X.116 # XXX9 # 2009-12-14 # 21:09:28
###WinVista # 8 # 22852820 # JAQUELINEXXX # # 2XX.144.1X.74 # XX644 # 2009-12-14 # 21:11:57
EDIT2: http://www.threatexpert.com/report.aspx?md5=2acca2a8316782af9d0892e679f7594a some additional info for you guys.
This is a courtesy of Brasil =)
Thanks to MAD° guys for the side by side analysis
° http://mad.internetpol.fr/ - [FR]
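An added example, not part of the post above or of the MAD analysis: a small Python script that turns the network behaviour Silkut describes (payload GETs from happymod.info and the victim check-in to acesso.php) into detection logic over web-proxy log lines, and that parses the `#`-separated check-in records shown in the quoted listing. The proxy log lines and their format are constructed for the example; the only indicators used are the hosts and file names named in the post. The meaning of the second, third and fifth record fields is not stated on the page, so they are kept as unnamed fields.

```python
import re

# Indicators taken from the post: C2 hosts, the four XORed/UPX payload names, check-in path.
C2_HOSTS = {"happymod.info", "contabilizando.webcindario.com"}
PAYLOAD_NAMES = {"flexds10.a", "house10.a", "total10.pmk", "view25.a"}
CHECKIN_PATH = "/acesso.php"

# Constructed proxy log (not from the post): "<client ip> <method> <url>" per line.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://www.google.com.br/
10.0.0.5 GET http://happymod.info/house10.a
10.0.0.5 GET http://contabilizando.webcindario.com/acesso.php?so=WinXP&user=MAQUINA09
10.0.0.7 GET http://example.org/index.html
10.0.0.5 GET http://happymod.info/total10.pmk
"""

LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/?]+)(?P<path>/[^?]*)?")


def find_c2_hits(log_text):
    """Return (client, host, filename, reason) for every line touching the C2 infrastructure."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # constructed format only; anything else is skipped
        u = URL_RE.match(m["url"])
        if not u:
            continue
        host = u["host"].lower()
        path = u["path"] or "/"
        name = path.rsplit("/", 1)[-1]
        reason = None
        if host in C2_HOSTS and name in PAYLOAD_NAMES:
            reason = "payload download"
        elif host in C2_HOSTS and path == CHECKIN_PATH:
            reason = "victim check-in"
        elif host in C2_HOSTS:
            reason = "known C2 host"
        if reason:
            hits.append((m["client"], host, name, reason))
    return hits


def infected_clients(log_text):
    """Distinct client addresses that contacted the C2 hosts, sorted."""
    return sorted({client for client, _, _, _ in find_c2_hits(log_text)})


# Field order inferred from the quoted listing: the poster says it carries the Windows
# version, user name, IP address and port; fields 2, 3 and 5 are not explained on the page.
CHECKIN_FIELDS = ("os", "field2", "field3", "hostname", "field5", "ip", "port", "date", "time")


def parse_checkin_record(line):
    """Parse one '#'-separated check-in record such as those in the listing."""
    line = line.strip().rstrip("|").strip()
    parts = [p.strip() for p in line.split("#")]
    if len(parts) < len(CHECKIN_FIELDS):
        raise ValueError("not a check-in record: %r" % line)
    # Leading '#' padding (and any stray prefix) sits before the last nine fields.
    record = dict(zip(CHECKIN_FIELDS, parts[-len(CHECKIN_FIELDS):]))
    # The poster masked parts of the addresses with 'X'; flag rather than parse those.
    record["ip_redacted"] = "X" in record["ip"].upper()
    return record


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_PROXY_LOG):
        print("%s -> %s/%s (%s)" % hit)
    print("infected clients:", infected_clients(SAMPLE_PROXY_LOG))
    print(parse_checkin_record(
        "###WinVista # 8 # 10071677 # ANASALES-PC # # 72.218.XXX.222 # 49X90 # 2009-12-14 # 21:09:04"))
```

The google.com.br lookup the post mentions is deliberately not flagged: on its own it is not an indicator, and the page does not say what the sample does with it. The check-in records keep the poster's `X` masking as-is and only mark the address as redacted.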