[nsp-sec] Ddos controller - caatadgouk.com

Jose Nazario jose at arbor.net
Fri Jun 27 13:36:47 EDT 2008


On Fri, 27 Jun 2008, Stephen Gill wrote:

> Is there a well known name for this malware family?

pretty non-descript via VT (at least of one sample):

Complete scanning result of "276847", processed in VirusTotal at 06/27/2008 19:31:23 (CET).

[ file data ]
* name..: 276847
* size..: 4096
* md5...: 0d770b9be2e5946b5889718249b4d5c6
* sha1..: c5c97cf0ba3dc9c3afb7a6ab7d0edba20184fb7a
* peid..: -

[ scan result ]
AhnLab-V3	2008.6.27.1/20080627	found [Win-Trojan/Downloader.4096.MC]
AntiVir	7.8.0.59/20080627	found [TR/Crypt.XPACK.Gen]
Authentium	5.1.0.4/20080627	found [W32/Downldr2.CBJR]
Avast	4.8.1195.0/20080627	found [Win32:Trojan-gen {Other}]
AVG	7.5.0.516/20080627	found [Downloader.Small.CRD]
BitDefender	7.2/20080627	found nothing
CAT-QuickHeal	9.50/20080626	found [TrojanDownloader.Small.vzm]
ClamAV	0.93.1/20080627	found [Trojan.Downloader-43209]
DrWeb	4.44.0.09170/20080627	found nothing
eSafe	7.0.17.0/20080626	found nothing
eTrust-Vet	31.6.5911/20080627	found [Win32/VMalum.DGGI]
Ewido	4.0/20080627	found nothing
F-Prot	4.4.4.56/20080627	found [W32/Downldr2.CBJR]
F-Secure	7.60.13501.0/20080626	found [Trojan-Downloader.Win32.Small.vzm]
Fortinet	3.14.0.0/20080627	found [W32/Small.VZM!tr.dldr]
GData	2.0.7306.1023/20080627	found [Trojan-Downloader.Win32.Small.vzm]
Ikarus	T3.1.1.26.0/20080627	found [Trojan.Crypt.XPACK]
Kaspersky	7.0.0.125/20080627	found [Trojan-Downloader.Win32.Small.vzm]
McAfee	5327/20080627	found nothing
Microsoft	1.3704/20080627	found [TrojanDownloader:Win32/Harnig]
NOD32v2	3224/20080627	found [Win32/TrojanDownloader.Small.OBQ]
Norman	5.80.02/20080626	found [W32/DLoader.HIMT]
Panda	9.0.0.4/20080626	found [Trj/Downloader.MDW]
Prevx1	V2/20080627	found [Malware Downloader]
Rising	20.50.42.00/20080627	found [Trojan.DL.Win32.Undef.om]
Sophos	4.30.0/20080627	found [Mal/EncPk-DB]
Sunbelt	3.0.1176.1/20080626	found [Trojan-Downloader.Win32.Small.vzm]
Symantec	10/20080627	found nothing
TheHacker	6.2.96.362/20080627	found [Trojan/Downloader.Small.vzm]
TrendMicro	8.700.0.1004/20080627	found [PAK_Generic.001]
VBA32	3.12.6.8/20080627	found [Trojan-Downloader.Win32.Small.vzm]
VirusBuster	4.5.11.0/20080623	found nothing
Webwasher-Gateway	6.6.2/20080627	found [Trojan.Crypt.XPACK.Gen]



looking at other samples implicated here it looks like it may also have 
some proxying going on.


-------------------------------------------------------------
jose nazario, ph.d.     <jose at arbor.net>
security researcher, office of the CTO,  arbor networks
v: (734) 821 1427 	      http://asert.arbornetworks.com/


