[nsp-sec] Mayday bot

Lawrence Baldwin baldwinl at mynetwatchman.com
Mon Feb 18 19:35:27 EST 2008


 
For those that were asking about Mayday...here's what I posted on it
elsewhere last November when I first discovered it...as you can see it is
quite old.

Lawrence.
-----Original Message-----
From: Behalf Of Lawrence Baldwin
Sent: Friday, November 02, 2007 09:03
To:
Subject: [] Another Spam botnet with P2P C&C? (maydaynet2008.co.uk)

We obtained this malware from a CBL listed host 75.61.210.26.  The malware
was NOT sending spam at the time we acquired it, however, we had a second
Seccheck user a few days prior where it WAS generating tcp/25 flows.

Unfortunately, it appears the current malware is partially crippled (some of
the web sites return 404 and 500 errors); however, the main "checkin" is
functioning (see attached)...it returns what appears to be some kind of
"peers" list (ala Storm P2P)...interestingly, it tracks not only the peers'
public IP, but also their internal private IP.  The malware then proceeds to
generate ICMP traffic with the payload "TOBE" (as in "To be" or "Not to
be"?) to all the peers once every 42 seconds.

Anybody else seen this?

Regards,

Lawrence

Antivirus           Version         Last Update  Result
AhnLab-V3           2007.11.1.0     2007.10.31   -
AntiVir             7.6.0.30        2007.10.31   Worm/Agent.AX.1
Authentium          4.93.8          2007.10.31   -
Avast               4.7.1074.0      2007.10.31   -
AVG                 7.5.0.503       2007.10.31   I-Worm/Generic.CCO
BitDefender         7.2             2007.10.31   Win32.Worm.Agent.PYN
CAT-QuickHeal       9.00            2007.10.31   I-Worm.Agent.ax
ClamAV              0.91.2          2007.10.31   -
DrWeb               4.44.0.09170    2007.10.31   -
eSafe               7.0.15.0        2007.10.28   -
eTrust-Vet          31.2.5256       2007.10.31   -
Ewido               4.0             2007.10.31   -
FileAdvisor         1               2007.10.31   -
Fortinet            3.11.0.0        2007.10.19   -
F-Prot              4.3.2.48        2007.10.31   -
F-Secure            6.70.13030.0    2007.10.31   Email-Worm.Win32.Agent.ax
Ikarus              T3.1.1.12       2007.10.31   Email-Worm.Win32.Agent.ax
Kaspersky           7.0.0.125       2007.10.31   Email-Worm.Win32.Agent.ax
McAfee              5152            2007.10.30   -
Microsoft           1.2908          2007.10.31   -
NOD32v2             2630            2007.10.31   -
Norman              5.80.02         2007.10.31   -
Panda               9.0.0.4         2007.10.31   -
Prevx1              V2              2007.10.31   Heuristic: Suspicious File With Mass Email Capabilities
Rising              19.47.21.00     2007.10.31   -
Sophos              4.23.0          2007.10.31   -
Sunbelt             2.2.907.0       2007.10.31   -
Symantec            10              2007.10.31   -
TheHacker           6.2.9.110       2007.10.27   -
VBA32               3.12.2.4        2007.10.31   -
VirusBuster         4.3.26:9        2007.10.31   -
Webwasher-Gateway   6.6.1           2007.10.31   Worm.Agent.AX.1

Additional information
File size: 393216 bytes
MD5: cb4aac8156ad051741a66ff286f63d95
SHA1: 93a2f46ea6790766ba04138ebf66267910dcefe9
Attachment: www.maydaynet2008.co.uk.txt
<https://puck.nether.net/mailman/private/nsp-security/attachments/20080218/929a81d2/attachment-0001.txt>
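Added example (not part of the original post or its attachment): a small detection heuristic for the ICMP beaconing described above, run over constructed flow records (every IP address and timestamp is made up) and flagging a source that sends the "TOBE" payload to several distinct peers at roughly a 42-second cadence.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records, not captured traffic: (t_seconds, src, dst, proto, payload).
# 10.0.0.5 beacons "TOBE" to three peers every ~42 s (the behaviour described in the post),
# 10.0.0.7 sends ordinary echo payloads, 10.0.0.9 sends "TOBE" to a single peer only.
SAMPLE = (
    [(t, "10.0.0.5", peer, "icmp", b"TOBE")
     for t in (0, 42, 85, 126)
     for peer in ("198.51.100.10", "203.0.113.7", "192.0.2.33")]
    + [(t, "10.0.0.7", "198.51.100.10", "icmp", b"abcdefghijklmnop") for t in (0, 1, 2)]
    + [(t, "10.0.0.9", "203.0.113.7", "icmp", b"TOBE") for t in (0, 40, 80)]
)


def find_tobe_beacons(records, period=42.0, tolerance=3.0, min_peers=3, min_intervals=2):
    """Return {src: {"peers": n, "median_interval": s}} for every source whose ICMP
    packets carrying the literal payload b"TOBE" go to at least `min_peers` distinct
    destinations with a median inter-packet gap within `tolerance` of `period`.
    Thresholds are assumptions chosen for this example, not values from the post."""
    per_src = defaultdict(lambda: defaultdict(list))  # src -> dst -> [timestamps]
    for t, src, dst, proto, payload in records:
        if proto == "icmp" and payload == b"TOBE":
            per_src[src][dst].append(t)

    hits = {}
    for src, peers in per_src.items():
        if len(peers) < min_peers:          # a single "TOBE" peer is not a peer list
            continue
        intervals = []
        for times in peers.values():        # gaps between consecutive pulses, per peer
            times.sort()
            intervals.extend(b - a for a, b in zip(times, times[1:]))
        if len(intervals) < min_intervals:
            continue
        gap = median(intervals)
        if abs(gap - period) <= tolerance:  # cadence matches the ~42 s heartbeat
            hits[src] = {"peers": len(peers), "median_interval": gap}
    return hits


if __name__ == "__main__":
    for src, info in find_tobe_beacons(SAMPLE).items():
        print(f"{src}: TOBE beacon to {info['peers']} peers, "
              f"median interval {info['median_interval']} s")
```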