[nsp-sec] ACK: AS52: Re: Clients infected with trojan dropper trying to download Zbot malware
Michael Van Norman
mvn at ucla.edu
Thu Apr 30 10:19:51 EDT 2009
ACK for AS52
/Mike
On 4/30/09 4:41 AM, "Dirk Stander" <dst+nsp-sec at glaskugel.org> wrote:
> there was a Zbot malware binary at <hXXp://crew.abnc-portal.com/tpmgs.exe>.
> Among other infection vectors, this binary is downloaded by a trojan dropper
> using "ie" as User-Agent.
>
> For an unknown reason, the IP address for crew.abnc-portal.com was changed
> to 88.80.216.114 last week.
> 88.80.216.114 is hosting the Swiss security blog 'abuse.ch'.
> This server is not malicious and has not been compromised!
>
> By analyzing the requests for crew.abnc-portal.com/tpmgs.exe with User-Agent
> "ie" that hit 88.80.216.114, clients infected with the trojan dropper could
> be identified.
>
> Please find attached a list of the logged requests with IP and timestamp
> (UTC).
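The log sifting Dirk describes, as an added example that is not part of the original thread and not abuse.ch's own tooling: it parses Apache combined-format access log lines, keeps only requests for /tpmgs.exe whose User-Agent is the bare string "ie" (no legitimate browser sends that), and emits the client IP with the timestamp converted to UTC. The log lines, the LOG_RE pattern and the function names are constructed for this demo; the combined format carries no virtual-host field, so if the server logs several hostnames you would switch to a format that includes %v and also filter on crew.abnc-portal.com.

```python
"""Added example (not from the nsp-sec thread): pick infected clients out of an
Apache combined-format access log by matching the dropper's fetch pattern,
GET /tpmgs.exe with the exact User-Agent "ie", and report IP + UTC time."""
import re
from datetime import datetime, timezone

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation IP ranges, not data from the thread).
SAMPLE_LOG = """\
198.51.100.23 - - [28/Apr/2009:09:12:01 +0200] "GET /tpmgs.exe HTTP/1.1" 404 213 "-" "ie"
203.0.113.7 - - [28/Apr/2009:09:12:05 +0200] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/20090417 Firefox/3.0.10"
192.0.2.200 - - [28/Apr/2009:10:40:44 +0200] "GET /tpmgs.exe HTTP/1.0" 404 213 "-" "ie"
192.0.2.201 - - [28/Apr/2009:10:41:00 +0200] "GET /tpmgs.exe HTTP/1.1" 404 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
this line is garbage and must not crash the parser
"""

TARGET_PATH = "/tpmgs.exe"   # the Zbot binary the dropper fetches
TARGET_UA = "ie"             # the dropper's exact User-Agent string


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # %t looks like 28/Apr/2009:09:12:01 +0200; %z consumes the numeric offset.
    local = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["utc"] = local.astimezone(timezone.utc)
    parts = d["req"].split(" ")
    d["method"] = parts[0] if parts else ""
    d["path"] = parts[1] if len(parts) > 1 else ""
    return d


def is_dropper_fetch(fields):
    """True when the request is for the malware path with the bare "ie" User-Agent.

    The UA match is exact on purpose: a real MSIE UA string contains "MSIE" and
    must not be flagged, which is why the 192.0.2.201 sample line is not a hit."""
    path = fields["path"].split("?", 1)[0]   # ignore any query string
    return path == TARGET_PATH and fields["ua"] == TARGET_UA


def infected_clients(log_text):
    """Return [(ip, 'YYYY-MM-DD HH:MM:SS UTC'), ...] for every matching request, in log order."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or not is_dropper_fetch(f):
            continue
        hits.append((f["ip"], f["utc"].strftime("%Y-%m-%d %H:%M:%S UTC")))
    return hits


if __name__ == "__main__":
    # Point this at a real access log on the sinkholed host; the sample is only for the demo.
    for ip, ts in infected_clients(SAMPLE_LOG):
        print(ip, ts)
```

One request per line is kept rather than one per IP, matching the attached list described above (IP and UTC timestamp per logged request); an operator who only wants a notification list per network can dedupe on the IP afterwards.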