Malware Report: 06d828730fbd992bf88cf22f348eee0b66ba82a5
File SHA1: 06d828730fbd992bf88cf22f348eee0b66ba82a5
File MD5 : 731fab5b5e04afbe3fec996dbb7b1e8f
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Date: Mon Nov 9 18:16:25 MYT 2009
Possible Malware: YES (observed behaviour is consistent with a spam-sending bot: bulk DNS lookups of mail-exchanger hosts, outbound connections almost exclusively to TCP/25, and an HTTP check-in that reports SMTP results back to a single host)
#– Files Created: – (caveat: tmp.edb under system32\CatRoot2 is also written by the Windows Cryptographic Services catalog database, so this entry may be sandbox noise rather than a confirmed malware drop; confirm before using it as an indicator)
/WINDOWS/system32/CatRoot2/tmp.edb
#– Registry Created: – (note: the Policies\Explorer\Run keys listed below, under both the machine SOFTWARE hive and the user NTUSER hive, are autostart locations; entries written there are a persistence mechanism and should be checked for the sample's path)
[SOFTWARE]
+ [software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
[SYSTEM]
[SECURITIES]
[DEFAULT]
[NTUSER]
+ [NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
#– Malware Traffic – DNS: – (the list below is dominated by mail-exchanger and mail-filtering hostnames for many unrelated domains, which is the lookup pattern expected when a sample resolves MX records to deliver mail directly)
01.mx.mail-scanner.eu
163.com
ASPMX.L.GOOGLE.COM
MX-HOST.DOT.tk
abhh.dk
acgnet.com
adelphia.net
agnshipleys.com
airwaves.org
aksiuchenka.com
aladvisors.com
angelamaxwell.com
antispam.kfupm.edu.sa
arcom.com
aries.shipleys.co.uk
aspmx.l.google.com
audiomix.tv
automobile.com
av.com
av1-mrin.yahoo.com
awwwsome.com
axo.it
axs.com
ayto-almansa.es
bartbaggett.com
bbfv.com
bct-technology.com
bctastaro.bct-technology.com
beaney.net
beanfeast.com
beaniebestbuy.com
beankinney.com
beansboats.com
beanteam.com
beantown.org
beantownmaine.com
bearchive.com
bearclan.com
bearclaws.net
bearcom.se
bearcountryuk.com
bearcreek.com
bearcreekinc.com
bearcreekmfg.com
beard.ch
beardavies.com
beardies.net
bearding.com
beardmarine.com
beardmorechevy.com
beardowadams.com
beardsalls.com
beardsley.org
beardstown.com
beardstownfsb.com
beardstownfsb.com.s6a1.psmtp.com
beares.com
beareware.com
bearfilms.com
bearimages.com
bedo-clan.de
bfr.com
bhsjymca.org
block.nl
bodaciousbabette.com
bostonproper.com
bradyplc.com
buryatzoloto.ru
businessnet.de
caddmicro.com
caddmicro.com.s8a1.psmtp.com
cairnsolutions.co.uk
caller.com
catchamail.com
ccvlp.com
cdptpa-smtpin01.mail.rr.com
cgs4u.com
cgs4u.com.s8a1.psmtp.com
chemisol.com
chickswhofish.com
chol.com
chsd.org
cimbria.com
cinead.com
clas.net
cls.org.uk
cluster9.us.messagelabs.com
cn.ibm.com
cofradex.com
colocationfrance.fr
colourstone.co.uk
cosmomail.cosmotronic.com
cosmotronic.com
crgevents.com.s8a1.psmtp.com
crgnet.com
cronborg.yandex.ru
crosslaw.com
cust5831-1.in.mailcontrol.com
cuttingtoolsinc.net
cuttingtoolsinc.net.mail1.psmtp.com
dauber.sonic.net
deanstatham.co.uk
deloitte.com
deloitte.com.s5a1.psmtp.com
deviz.com
diaperedparis.com
dns1.kdpine.com
dubaitourism.co.ae
e28-mx1.in.ibm.com
eforwardct.name-services.com
eforwardct2.name-services.com
eforwardct3.name-services.com
eisenring-lyss.ch
emailchoice.com
eoleres.com
evh.tk
exchangetrade.com
eyedeasolutions.com
farmerstel.com
femail.com.au
filmjerk.com
freescale.com
frontend01a.mailsafe.dk
fwcardio.com
g.mx.mail.yahoo.com
giftvouchers.com
giganews.com
giganews.com.s5a1.psmtp.com
gmail-smtp-in.l.google.com
gmail.com
goldsearching.com
gwp.com
herza.net
hinet.net
hixson-inc.com
home.nl
hongkong-com.mr.outblaze.com
hongkong.com
hospsc.org
hospsc.org.mail9.psmtp.com
hotmail.com
hq.bfr.com
hrvatskamail.com
iberescudo.herza.net
imsmx1.netvigator.com
ironmail01.omdx.uprr.com
iwon.net
jager.cc
jdconsulting.net
kao.com
kec-m.com
keithlywilliams.com
kfupm.edu.sa
lawyer.com
lineone.net
lio.com
louismichael.com
m1.dnsix.com
mail.activemailserver.com
mail.automobile.com
mail.barnsley-chronicle.co.uk
mail.beansboats.com
mail.bearcreekmfg.com
mail.beardmarine.com
mail.beardowadams.com
mail.beardstown.com
mail.bedo-clan.de
mail.bhsjymca.org
mail.block.nl
mail.bytenet.net
mail.cinead.com
mail.cls.org.uk
mail.cofradex.com
mail.com
mail.diaperedparis.com
mail.filmjerk.com
mail.giftvouchers.com
mail.global.frontbridge.com
mail.global.sprint.com
mail.keithlywilliams.com
mail.med-web.com
mail.netian.com
mail.rrmortgages.com
mail.uilcem.it
mail.uk2.net
mail.unisoluser.com
mail.yandex.ru
mail01.fabrictechnologies.com
mail1.bearclan.com
mail2.nicholsmedia.com
mail2composer.com
mail2world.com
mailcity.com
mailfrontier.chsd.org
mailhub.chollian.net
mailin.sonic.net
mailwash11.pair.com
mailx.tcommerce.de
message.bearnet.nu
money.net
mountainmax.net
mountainmax.net.inbound10.mxlogic.net
ms11.hinet.net
ms11a.hinet.net
msa-mx13.hinet.net
msa.hinet.net
mtain-mmc.gmtain-mmc.mx.aol.com
mx-ha01.web.de
mx.beaney.net.cust.a.hostedemail.com
mx.beankinney.com
mx.gmde.net
mx.kao.co.jp
mx.louismichael.com
mx.noos.fr
mx.pochta.ru
mx.svc.telus.net
mx.ziggo.nl
mx0.qq.com
mx01.mep.pandasecurity.com
mx01.windstream.net
mx1.mail.eu.yahoo.com
mx1.mindspring.com
mx1.popmail.com
mx1.spray.mail2world.com
mx1.wachovia.com.gslb.pphosted.com
mx10.idnet.net
mx2.daemonmail.net
mx2.lodhosting.com
mx2.vtx.ch
mx3.hotmail.com
mx4.uk.tiscali.com
mx42.die.net
mxin.mxes.net
mxmta.sympatico.ca
mxnew-a.163.com
mxpool01.netaddress.usa.net
netian.com
netnews.hinet.net
netpipe.com
netpipe.com.s6a1.psmtp.com
netvigator.com
nicholsmedia.com
nm.ru
no-email-here.tnl-online.com
noos.fr
normantang.com
northstate.net
nospam.wpia.net
ns.buryatzoloto.ru
nullmx.catchamail.com
nullmx.umailme.com
nullmx.usmail.com
obninsk.net
oscarfaber.com
p.nsm.ctmail.com
plastixvision.com
pop2.itt24.com
popmail.com
power.net
proof-3.suremessage.co.uk
publicms1.mail2world.com
publicms2.mail2world.com
qq.com
qzp.com
rayfix.com
relay.star.co.uk
revlon.com
revlon.com.1.arsmtp.com
rmail.lycosmail.lycos.com
rrmortgages.com
sbinfra.com
scanner1.virus112.com
sed.unisoluser.com
server43.appriver.com
server534.appriver.com
server71.appriver.com
shentel.net
sitemail.everyone.net
ski-allenheads.co.uk
smtp-sl.vtext.com
smtp.femail.com.au
smtp.secureserver.net
smtp02.nexanet.ch
smtp1.cairnleck.co.uk
smtp10.intermedia.net
smtp10.redprotect.co.uk
smtp2.trueband.net
smtp4.hrvatskamail.com
spam.kec-m.com
spray.se
state.pa.us
state.pa.us.s7a1.psmtp.com
stylefine.co.uk
sunhospital.com
svp1.bigrivertel.net
sympatico.ca
tbltyto.die.net
telusplanet.net
tetrafish.shentel.net
thebuzz.airwaves.org
theonramp.net
tmg-mail.bostonproper.com
tnl-online.com
ttlc.net
ttlc.net.s5a1.psmtp.com
txk.net
uilcem.it
umailme.com
unisys.com
up.com
usa.net
usbb-lacimss1.unisys.com
usefulinc.com
usmail.com
vmx.northstate.net.redcondor.net
vpopmx.shasta.com
vsb.com
vtext.com
wachovia.com
wawasan2020.com
web.de
whmagazines.co.uk
wpia.net
yahoo.co.uk
yahoo.com
zoomnet.net
#– Malware Traffic – Connections: – (format: IPv4 address followed by destination port; every entry except 91.207.7.234.80 targets port 25/SMTP, and 91.207.7.234 on port 80 is the host contacted in the www section below)
12.29.140.66.25
121.125.79.61.25
122.248.162.1.25
130.94.187.6.25
165.212.8.32.25
166.102.165.121.25
166.102.210.169.25
167.132.251.193.25
168.95.195.16.25
168.95.5.11.25
168.95.6.204.25
192.63.108.51.25
193.128.89.178.25
193.158.123.94.25
193.164.120.120.25
193.173.24.140.25
193.192.58.2.25
195.157.49.58.25
195.188.225.220.25
199.185.220.200.25
202.86.119.120.25
203.252.3.229.25
203.86.167.206.25
204.111.1.229.25
204.200.196.164.25
204.212.170.66.25
205.188.157.18.25
205.231.92.9.25
205.234.236.82.25
206.221.191.248.25
207.182.147.199.25
207.234.135.242.25
207.69.189.217.25
208.116.51.234.25
208.21.39.3.25
208.53.201.124.25
208.65.144.2.25
208.67.207.15.25
208.67.228.194.25
208.69.121.33.25
208.70.131.50.25
208.84.65.92.25
209.181.247.105.25
209.202.254.41.25
209.85.210.63.25
209.85.210.68.25
209.85.211.85.25
209.85.223.16.25
210.254.138.163.25
211.51.64.121.25
212.125.75.19.25
212.147.0.41.25
212.26.1.124.25
212.54.42.8.25
212.69.36.17.25
212.74.100.150.25
213.195.75.166.25
213.233.20.142.25
216.104.161.5.25
216.145.48.106.25
216.163.120.178.25
216.163.188.54.25
216.163.188.58.25
216.17.105.107.25
216.199.153.74.25
216.200.145.235.25
216.237.221.34.25
216.240.187.128.25
216.241.36.26.25
216.32.180.22.25
216.40.42.4.25
216.69.186.201.25
216.75.44.103.25
216.82.254.51.25
216.86.168.64.25
216.9.160.11.25
217.12.11.35.25
217.72.192.149.25
218.102.23.148.25
220.181.12.72.25
24.176.93.104.25
61.250.81.20.25
62.253.252.252.25
63.117.139.131.25
63.240.145.34.25
64.12.139.249.25
64.142.100.48.25
64.169.251.194.25
64.18.4.10.25
64.18.5.10.25
64.18.6.14.25
64.18.7.10.25
64.182.7.44.25
64.186.39.12.25
64.191.223.39.25
64.191.223.42.25
64.244.143.34.25
64.71.138.53.25
64.78.17.119.25
64.82.228.13.25
65.18.170.205.25
65.38.168.164.25
65.54.188.126.25
65.55.88.22.25
65.74.168.215.25
65.74.168.218.25
65.99.213.94.25
66.11.225.136.25
66.180.193.210.25
66.39.2.11.25
66.96.142.50.25
67.15.56.46.25
67.210.123.115.25
67.69.240.17.25
69.10.137.218.25
69.20.116.115.25
69.20.116.85.25
69.78.67.53.25
70.164.96.150.25
70.85.138.18.25
72.32.252.25.25
72.32.252.82.25
72.84.250.19.25
74.52.75.2.25
74.53.81.185.25
74.81.89.30.25
75.180.132.243.25
76.12.82.156.25
80.252.223.213.25
82.108.50.180.25
82.204.219.220.25
82.216.111.1.25
83.170.81.167.25
85.115.16.13.25
85.115.62.190.25
85.234.157.142.25
85.92.73.149.25
87.127.31.213.25
87.226.228.198.25
87.236.241.195.25
87.237.59.121.25
89.104.217.10.25
89.96.209.3.25
90.184.217.253.25
91.102.95.30.25
91.207.7.234.80
93.158.156.15.25
93.174.186.66.25
93.186.178.81.25
96.56.114.26.25
98.137.54.238.25
#– Malware Traffic – www: – (the requests below to /spm/get_id.php and /spm/page.php appear to be a registration call followed by status reports; the parameters id, tick, ver, smtp=ok, task and the errors[...] counters suggest the sample reports its SMTP delivery outcomes to this host, which makes 91.207.7.234 the most useful network indicator in this report)
91.207.7.234/spm/get_id.php
91.207.7.234/spm/page.php?id=625753&tick=55218&ver=400&smtp=ok&task=0
91.207.7.234/spm/page.php?id=625753&tick=184875&ver=400&smtp=ok&task=35&errors[0]=12&errors[702]=6&errors[703]=1&errors[710]=22&errors[715]=1&errors[716]=5&errors[719]=47&errors[724]=6
#– Screenshots: –
Screen After 90 Seconds

