I checked inbox today and found an interesting email:
From: bwukft zywcboq@163.com
Subject: 中国房市崩盘即将到来
中国房市崩盘即将到来!!!
The message was received from:
Received: from lenovo-2395031b (unknown [218.8.24.24])
218.8.24.24
inetnum: 218.7.0.0 – 218.10.255.255
netname: UNICOM-HL
country: CN
The attachment was a .rar:
VT: 2/41 (4.88%)
MD5: 62d8715bb97a561b2ca11808e549128a
It contained a .scr:
VT: 3/41 (7.32%)
MD5: ce919337d48d89deeee8867b2a0deb62
This dropped an executable:
VT: 2/39 (5.13%)
MD5: 6c327eff51ed352dcd80c55d6b8f7a81
Anubis Analysis Report.
Connections were made to on zaodaowo.gicp.net (125.211.13.70) port 8080.
125.211.13.70
inetnum: 125.211.0.0 – 125.211.255.255
netname: UNICOM-HL
descr: China Unicom Heilongjiang Province Network
descr: China Unicom
country: CN
If you leave it running for a while it starts to send back the list of files contained within directories such as:
C:\
C:\Documents and Settings\
C:\Documents and Settings\*\
C:\Documents and Settings\*\Favorites\
C:\Documents and Settings\*\Documents\
C:\Documents and Settings\*\Cookies
If cookies are present, they get sent to the C&C.
Connections to zaodaowo.gicp.net (125.211.13.70) port 80 show that it is a Windows box running AppServ Open Project – 2.5.9.
The PHP config page contains:
Server Administrator xlkinghan@163.com
That’s all the time I have right now, but thanks for the malware.