[Jaxryley]

Can't seem to get this one to run here?

Code: Select all

hxxp://root.denirulz.org/~denirulz/xd/m.exe

m.exe - Result: 3/42 (7.15%) - MD5...: a25c9ba77d6a1de04a895bfb340aa3d2
http://www.virustotal.com/analisis/dd6c ... 1278938534

m.rar

Pass:
infected
(55.83 KiB) Downloaded 53 times

[EP_X0FF]

It's requires NET Framework 2.0 installed. Otherwise it won't start ;)

Set itself to autorun through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as

Windows System Guard dependency c:\documents and settings\user\application data\msdn.exe

Adds itself to Windows firewall

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Contains a lot of funny strings.

Code: Select all

olhar para esta foto :D %s
se p
dette bildet :D %s
bekijk deze foto :D %s
schau mal das foto an :D %s
look at this picture :D %s
mira esta fotograf
a :D %s
regardez cette photo :D %s
guardare quest'immagine :D %s
pod
vejte se na mou fotku :D %s
ser p
dette billede :D %s
zd meg a k
pet :D %s
spojrzec na to zdjecie :D %s
bu resmi bakmak :D %s
katso t
kuvaa :D %s
uita-te la aceasta fotografie :D %s
pozrite sa na t
to fotografiu :D %s
titta p
denna bild :D %s
poglej to fotografijo :D %s
pogledaj to slike :D %s
seen this?? :D %s

Keep connection with 93.174.94.86 (http://www.malwareurl.com/listing.php?ip=93.174.94.86)

[markusg]

http://www.virustotal.com/file-scan/rep ... 1293629348

[meeee2]

It cannot be run, since it prompts you for a password. Do you have the password for the file?

[markusg]

you mean the .rar file.
its infected.

[EP_X0FF]

Looks like DDoS bot. For proper work it needs config file stored on disk as .scr file (should be located together with main executable and equally named).

C:\Users\Be\AppData\Local\Temp\DDOS.vbp