[nsp-sec] Zbot | Zeus activity on 10-14-2009
Tom Fischer
tfischer at bfk.de
Fri Oct 16 06:11:55 EDT 2009
Hi,
On Thu, Oct 15, 2009 at 08:27:25AM -0400, Shelton, Steve wrote:
> Payload: /service_directory/settings-file.exe
> Ref: http://wepawet.iseclab.org/view.php?hash=73d8ed3dad6668d712b5c44049e7f934&t=1255528127&type=js
This Zeus/Zbot/wsnpoem variant downloads the following config file:
hxxp://195.93.208.106/lcc/ip1.gif
--config excerpt--
url_loader (binary download)
http://195.93.208.106/lcc/ip1.exe
end
url_server (dropzone)
http://195.93.208.106/livs/rec.php
end
entry "AdvancedConfigs" (backup config files)
http://dubensk.com/ip/ip1.ord
http://makotoro.com/ip/ip1.ord
http://smotri123.com/ip/ip1.ord
--end of excerpt--
--
Tom Fischer
BFK edv-consulting GmbH tel: +49 721 962 01-1
Kriegsstr. 100, D-76133 Karlsruhe fax: +49 721 962 01-99
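
Added example, not part of the original message and not the sender's tooling: it parses the excerpt layout shown above into host/path indicators labelled by config section, then checks web-proxy log lines against them. The log line format, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Config excerpt as posted in the message above (decoder output, not raw config).
EXCERPT = """\
url_loader (binary download)
http://195.93.208.106/lcc/ip1.exe
end
url_server (dropzone)
http://195.93.208.106/livs/rec.php
end
entry "AdvancedConfigs" (backup config files)
http://dubensk.com/ip/ip1.ord
http://makotoro.com/ip/ip1.ord
http://smotri123.com/ip/ip1.ord
"""
# Section header: a bare name or entry "Name", followed by a role in parentheses.
HEADER = re.compile(r'^(?:entry\s+"([^"]+)"|(\w+))\s+\(([^)]+)\)$')

def parse_excerpt(text):
    """Return {(host, path): section_name} for every URL listed in the excerpt."""
    iocs, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEADER.match(line):
            section = m.group(1) or m.group(2)
        elif line == "end":
            section = None
        elif section and line.startswith(("http://", "hxxp://")):
            u = urlsplit(line.replace("hxxp://", "http://", 1))
            iocs[(u.hostname, u.path)] = section
    return iocs

def match_log(lines, iocs):
    """Return (client, label, defanged URL) per hit; 'host-only' = known host, unlisted path."""
    hosts, hits = {host for host, _ in iocs}, []
    for line in lines:
        _ts, client, _method, url = line.split()[:4]
        u = urlsplit(url)  # .hostname is lower-cased, .path excludes the query
        label = iocs.get((u.hostname, u.path)) or ("host-only" if u.hostname in hosts else None)
        if label:
            hits.append((client, label, "hxxp://" + u.hostname.replace(".", "[.]") + u.path))
    return hits

# Constructed proxy log lines (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = [
    "2009-10-14T09:01:02 10.0.0.5 GET http://195.93.208.106/lcc/ip1.gif",
    "2009-10-14T09:01:09 10.0.0.5 POST http://195.93.208.106/livs/rec.php?id=1",
    "2009-10-14T09:02:00 10.0.0.7 GET http://example.org/index.html",
]
print(match_log(SAMPLE_LOG, parse_excerpt(EXCERPT)))
```

A POST that matches the `url_server` entry suggests data already left the client, so those hits are the ones to triage first; `host-only` hits cover paths on the same server that the excerpt does not list.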