[nsp-sec] new storm campaign
Gabriel Iovino
giovino at ren-isac.net
Tue Feb 12 08:36:01 EST 2008
Jose,
I will notify the following:
7377 | 132.239.1.114 | 52371 | UCSD - University of California at San Diego
11995 | 137.53.25.29 | 7018 | OHSU - Oregon Health & Science University
6380 | 150.176.238.1 | 16968 | BELLSOUTH-NET-BLK - BellSouth.net Inc.
Thank you
Gabe
--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
Jose Nazario wrote:
| ----------- nsp-security Confidential --------
|
| ------------------------------------------------------------------------
|
| new storm campaign, basic website with "valentine.exe" meta-refresh and
| link.
|
| sample I analyzed:
|
| MD5: 69bc930b30ef8f0bd11de13d5a6458af
| SHA1: 5d5955402cafd21fcebe45d510d43e7216652065
| File type: MS Windows PE
| File size: 128000 bytes
|
| peerlist decoded and ASN resolved (ip, asn, port, netname) attached.
|
| New Files
|
| C:\WINDOWS\system32\diperto.ini
| C:\WINDOWS\system32\diperto7701-7a5c.sys
|
| Open Service Manager - Name: "SCM"
|
| Create Service - Name: (diperto7701-7a5c) Display Name: (diperto7701-7a5c) File Name: (C:\WINDOWS\system32\diperto7701-7a5c.sys) Control: () Start Type: (SERVICE_AUTO_START)
|
| Start Service - Name: (diperto7701-7a5c) Display Name: () File Name: () Control: () Start Type: ()
|
| Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\diperto7701-7a5c) File Name: ()
|
| heads up ...
|
| -------------------------------------------------------------
| jose nazario, ph.d. <jose at arbor.net>
| security researcher, office of the CTO, arbor networks
| v: (734) 821 1427 http://asert.arbornetworks.com/
|
| ------------------------------------------------------------------------
|
| _______________________________________________
| nsp-security mailing list
| nsp-security at puck.nether.net
| https://puck.nether.net/mailman/listinfo/nsp-security
|
| Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
| community. Confidentiality is essential for effective Internet
| security counter-measures.
| _______________________________________________
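As an added example (not code from this thread, from REN-ISAC or from Arbor), a small Python parser for the asn | ip | port | netname rows quoted above, grouping peers by ASN so each network owner gets a single notification. It assumes the column order shown in Gabe's rows and treats any line that is not a row as the wrapped tail of the previous netname, which is how the mail client broke the lines above.

```python
import ipaddress
import re
from collections import defaultdict

# One row per peer: asn | ip | port | netname (column order as quoted above)
ROW_RE = re.compile(r"^\s*(\d+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*\|\s*(.*)$")

# Constructed sample: the three rows from the message, including the line
# wrap the mail client put inside each netname.
SAMPLE = """\
7377 | 132.239.1.114 | 52371 | UCSD - University of
California at San Diego
11995 | 137.53.25.29 | 7018 | OHSU - Oregon Health &
Science University
6380 | 150.176.238.1 | 16968 | BELLSOUTH-NET-BLK -
BellSouth.net Inc.
"""

def parse_peerlist(text):
    """Return (asn, ip, port, netname) tuples. Non-row lines are the wrapped
    tail of the previous netname; bad IP/port or non-global IP rows are dropped."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            if rows:  # continuation line: glue it onto the previous netname
                asn, ip, port, name = rows[-1]
                rows[-1] = (asn, ip, port, f"{name} {line}")
            continue
        asn, ip_s, port_s, name = m.groups()
        try:
            ip, port = ipaddress.ip_address(ip_s), int(port_s)
        except ValueError:
            continue  # unparsable address or port: nothing to notify
        if not 0 < port < 65536 or not ip.is_global:
            continue  # bogus port or non-routable address (bogon/private)
        rows.append((int(asn), str(ip), port, name.strip()))
    return rows

def group_by_asn(rows):
    """Map ASN -> {'netname': str, 'peers': [(ip, port), ...]} so each
    network owner receives one notification listing all of its peers."""
    out = defaultdict(lambda: {"netname": "", "peers": []})
    for asn, ip, port, name in rows:
        out[asn]["netname"] = name
        out[asn]["peers"].append((ip, port))
    return dict(out)
```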