[nsp-sec] new storm campaign

Par Osterberg Medina par.osterberg at sitic.se
Tue Feb 12 07:49:42 EST 2008


Hello Jose,

I will proxy this information to the following ASNs:

39651   | 83.250.1.46      | 31739           | COMHEM-SWEDEN Com Hem Sweden
1257    | 213.100.19.180   | 3780            | TELE2
3301    | 217.211.224.20   | 11856           | TELIANET-SWEDEN TeliaNet Sweden
3301    | 213.65.201.12    | 10908           | TELIANET-SWEDEN TeliaNet Sweden
3301    | 78.69.119.89     | 10136           | TELIANET-SWEDEN TeliaNet Sweden
6830    | 86.101.64.234    | 7524            | UPC UPC Broadband

All the best
Pär Österberg Medina - Sitic


Jose Nazario wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> ------------------------------------------------------------------------
> 
> new storm campaign, basic website with "valentine.exe" meta-refresh and link.
> 
> sample I analyzed:
> 
> MD5: 69bc930b30ef8f0bd11de13d5a6458af
> SHA1: 5d5955402cafd21fcebe45d510d43e7216652065
> File type: MS Windows PE
> File size: 128000 bytes
> 
> peerlist decoded and ASN resolved (ip, asn, port, netname) attached.
> 
> New Files
> 
> C:\WINDOWS\system32\diperto.ini
> C:\WINDOWS\system32\diperto7701-7a5c.sys
> 
> Open Service Manager - Name: "SCM"
> 
> Create Service - Name: (diperto7701-7a5c) Display Name: (diperto7701-7a5c) File Name: (C:\WINDOWS\system32\diperto7701-7a5c.sys) Control: () Start Type: (SERVICE_AUTO_START)
> 
> Start Service - Name: (diperto7701-7a5c) Display Name: () File Name: () Control: () Start Type: ()
> 
> Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\diperto7701-7a5c) File Name: ()
> 
> heads up ...
> 
> -------------------------------------------------------------
> jose nazario, ph.d.     <jose at arbor.net>
> security researcher, office of the CTO,  arbor networks
> v: (734) 821 1427           http://asert.arbornetworks.com/
> 
> 
> ------------------------------------------------------------------------
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________