[nsp-sec] fyi: ogard irc c&c
Beasley, Cam
cam at infosec.utexas.edu
Sun Feb 22 15:48:38 EST 2009
Jose --
i don't have the latest copy of the ogard.exe file itself, but this malcode
is added after the initial compromise:
hxxp://zxvsneverdies.is-the-boss.com/red.exe
http://www.virustotal.com/analisis/c13b1b34737db68c52220b54a9339343
hxxp://zxvsneverdies.is-the-boss.com/yarab.exe
http://www.virustotal.com/analisis/55058657feca733c0dc18a4ffaf0b51c
re: ogard.exe
looks like it drops something into
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
pointing to c:\system\<some sid>\ogard.exe
some of our desktop support folks are cleaning with the following:
---------------------------------------------
REM stop explorer so the dropped files and Run entry are not re-created or locked
taskkill /FI "imagename eq explorer.exe"
REM clear system/hidden/read-only/archive bits on the drop directory, then remove it
attrib -S -H -R -A /S /D c:\system
rmdir c:\system /S /Q
REM remove the persistence value from the per-user Run key
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Windows Security Service" /f
REM log off so the cleaned profile is reloaded
shutdown /l
---------------------------------------------
~cam.
On 2/22/09 2:19 PM, "Jose Nazario" <jose at arbor.net> wrote:
> cm
>
> got malcode? how's vtotal/av coverage look?
>
> --
> -------------------------------------------------------------
> jose nazario, ph.d. <jose at arbor.net>
> manager of security research arbor networks
> v: (734) 821 1427 http://asert.arbor.net/
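An added audit script (not from the post or from either author) for the persistence described above: it lists HKCU Run values that match either the "Windows Security Service" name or the c:\system\<sid>\ogard.exe path from the post, records whether the target binary still exists and its SHA-256, and deletes only the matching value when -Remove is given. It assumes PowerShell 4 or later (for Get-FileHash); the value-name and path patterns are the only indicators taken from the post, no file hashes are assumed.

```powershell
# Added example, not part of the original post: audit (and optionally remove)
# the ogard Run-key persistence. Indicators come from the post above; the
# exact <sid> directory name is unknown, so it is matched with a wildcard.
param(
    [switch]$Remove   # report only unless -Remove is given
)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Windows Security Service'                # value name from the post
$pathRegex = '^"?c:\\system\\[^\\]+\\ogard\.exe'      # c:\system\<sid>\ogard.exe

$key      = Get-Item -Path $runKey -ErrorAction Stop
$findings = @()

foreach ($name in $key.GetValueNames()) {
    $data   = [string]$key.GetValue($name)
    $byName = ($name -eq $valueName)
    $byPath = ($data -match $pathRegex)
    if (-not ($byName -or $byPath)) { continue }

    # Strip surrounding quotes so the path can be tested; a bare path is kept as-is.
    $target = $data -replace '^"([^"]+)".*$', '$1'
    $exists = Test-Path -LiteralPath $target

    $findings += [pscustomobject]@{
        ValueName  = $name
        Data       = $data
        MatchedBy  = if ($byName -and $byPath) { 'name+path' } elseif ($byName) { 'name' } else { 'path' }
        FileExists = $exists
        SHA256     = if ($exists) { (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash } else { $null }
    }
}

if (-not $findings) {
    Write-Output "No ogard-style Run entry found under $runKey"
    return
}

$findings | Format-List

if ($Remove) {
    foreach ($f in $findings) {
        # Remove only the matching value; leave the rest of the Run key untouched.
        Remove-ItemProperty -Path $runKey -Name $f.ValueName -Force
        Write-Output "Removed Run value '$($f.ValueName)'"
    }
}
```

Run it without -Remove first and keep the printed hash with the incident notes; a value matching by path but under a different name is reported too, since the name is the part an attacker can change freely.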