
SANS ISC: Santa IM Worm (bot) update - SANS Internet Storm Center


Santa IM Worm (bot) update
More details came to us on the Santa IM worm discussed earlier.  We were able to capture and examine the malware and found that 69.56.129.67 is hosting it.  When executed, gift.com resolves smtp.girlsontheblock.com to 38.118.133.241 and attempts to connect to that host on tcp/53.  If we discover more details we will issue further updates.

Further info:  gift.com renames itself to c:\windows\winrpc.exe and installs itself as the service "Windows RPC Services".  There is no rootkit built in; it is totally dependent on download instructions from the command and control site.  Rather than calling it a "worm" as was reported in the press, a more accurate description is that it's a bot with replicating capabilities.  Digging a bit deeper into the code, we found that it was also likely compiled/pushed to the distro point on 2005-12-18 18:09:11.000000000 -0500.
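The network and host indicators in the two paragraphs above (the distribution host, the C2 hostname and address on tcp/53, the dropped file path and the service name) are the sort of thing a responder would turn into a quick sweep. The script below is an added example written for this page, not code from the ISC handlers; it assumes a simple constructed log layout (`DNS` and `CONN` lines) and a constructed service inventory, and the function names `scan_network_logs` and `scan_services` are ours.

```python
import re

# Indicators of compromise quoted from the diary entry above.
C2_HOST = "smtp.girlsontheblock.com"
C2_IP = "38.118.133.241"
C2_PORT = 53
DISTRO_IP = "69.56.129.67"
DROPPED_PATH = r"c:\windows\winrpc.exe"
SERVICE_NAME = "Windows RPC Services"

# Assumed log layout (constructed for this example, not a real sensor format):
#   <ts> DNS  <client> <qname> -> <answer>
#   <ts> CONN <client> -> <dst_ip>:<dst_port>/<proto>
DNS_RE = re.compile(r"^(\S+) DNS (\S+) (\S+) -> (\S+)$")
CONN_RE = re.compile(r"^(\S+) CONN (\S+) -> (\S+):(\d+)/(tcp|udp)$")


def scan_network_logs(lines):
    """Return (client, reason) tuples for log lines matching the bot's network IoCs."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = DNS_RE.match(line)
        if m:
            _ts, client, qname, answer = m.groups()
            # Either the C2 name or its known address is enough to flag the lookup.
            if qname.lower() == C2_HOST or answer == C2_IP:
                hits.append((client, f"DNS lookup of C2 host {qname} -> {answer}"))
            continue
        m = CONN_RE.match(line)
        if m:
            _ts, client, dst, port, proto = m.groups()
            if dst == C2_IP and int(port) == C2_PORT and proto == "tcp":
                # tcp/53 to a non-resolver is the bot's C2 channel, not DNS.
                hits.append((client, f"C2 connection to {dst}:{port}/tcp"))
            elif dst == DISTRO_IP:
                hits.append((client, f"contact with distribution point {dst}"))
    return hits


def scan_services(services):
    """Flag service entries whose display name or binary path matches the dropped bot.

    `services` is a list of {"name": ..., "path": ...} dicts, as one might export
    from a host inventory tool (constructed input for this example)."""
    flagged = []
    for svc in services:
        name = svc.get("name", "")
        path = svc.get("path", "").lower().replace("/", "\\")
        if name == SERVICE_NAME or path == DROPPED_PATH:
            flagged.append(svc)
    return flagged


# Constructed sample data; only the IoC values come from the diary.
SAMPLE_LOGS = """\
2005-12-19T10:00:40 CONN 10.0.0.15 -> 69.56.129.67:80/tcp
2005-12-19T10:01:02 DNS 10.0.0.15 smtp.girlsontheblock.com -> 38.118.133.241
2005-12-19T10:01:03 CONN 10.0.0.15 -> 38.118.133.241:53/tcp
2005-12-19T10:01:03 CONN 10.0.0.15 -> 10.0.0.2:53/udp
2005-12-19T10:05:00 DNS 10.0.0.22 www.example.com -> 192.0.2.10
"""

SAMPLE_SERVICES = [
    {"name": "Remote Procedure Call (RPC)", "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"name": "Windows RPC Services", "path": r"C:\WINDOWS\winrpc.exe"},
]

if __name__ == "__main__":
    for client, reason in scan_network_logs(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {client}: {reason}")
    for svc in scan_services(SAMPLE_SERVICES):
        print(f"ALERT host artifact: service '{svc['name']}' -> {svc['path']}")
```

The udp/53 line to the internal resolver is deliberately left unflagged: the distinguishing feature of this bot's traffic is TCP to a specific non-resolver address on port 53, so matching on port alone would drown the alert in normal DNS.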

Marcus

ISC Handler
