[nsp-sec] CC at 207.218.241.138 (and 70.85.198.194)
Stephen Gill
gillsr at cymru.com
Wed Feb 6 15:15:39 EST 2008
Hi Team,
These feeds are your friends:
https://www.cymru.com/nsp-sec/httpcnc/
https://www.cymru.com/nsp-sec/malwareflow/
> I received a similar report today from an infected customer. (They
> believe it's a variant of Trojan Proxy.AFV -
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=P)
>
>
> My customer also provided IP 70.85.198.194.
>
> AS | IP | AS Name
> 21844 | 70.85.198.194 | THEPLANET-AS - THE PLANET
>
> I get a 403 trying to connect to 70.85.198.194 over port 80, but after
> reading the Trend Micro info, when I attempt to use '/forum.php' I see:
155ede2bf01f9b0a42ef13c60b132f78efab1afd | 609c55a0b1557daf83bdfcad7aa5843d | 9 | 5809418 | 2008-01-18 18:03:22 | http://70.85.198.194/forum.php | 70.85.198.194 | 70.85.198.194 | http_post | Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) | 21844 | US
Voila! :D
Cheers,
Steve, Team Cymru.
>
>
>
>
>
> ----------- nsp-security Confidential --------
>
> Hello
>
> AS | IP | AS Name
> 13749 | 207.218.241.138 | EVERYONES-INTERNET - Everyones Internet
>
>
> POST http://207.218.241.138:80/forum.php
>
> Starts sending Mail claiming to originate from Microsoft.
>
> Cheers
> Serge
--
Stephen Gill, Chief Scientist, Team Cymru
http://www.cymru.com | +1 312 924 4023 | gillsr at cymru.com