2010/04/30, 2:28 pm
The bot sends the check-in request (basic bot info):
1~!KY-DEBUG~!Windows XP Service Pack 3~!194844166~!0~!1~!0
The server responds with the bot's external IP address and an SMTP server list:
[bot ip]~![bot ip addr]~!0~!195.242.208.40~!209.85.218.15
The server then sends the email template and keywords:
Continue reading ‘Storm 2.0, New or Old?’ »
2010/04/08, 9:56 pm
By accident, I found another botnet-like malware spreading FakeAV.
—————————————–
Quick Analysis.
There are 5 main threads.
1. “GET /httpss/ldr12.php?….” It tries 8 times/steps; the server responds with a “401” error.
2. “GET /httpss/setup.php?…..” It performs different actions; there is no response from the server.
3. “GET /getfile.php?….” Downloads other malware, FakeAV in this case. This process is controlled by “CMultiLoader”.
4. “POST /log3/log.php?…” Reports FakeAV info back to the server.
5. “POST /log2/log.php?…” Reports CMultiLoader info back to the server.
FakeAV download commands:
Continue reading ‘New Botnet Is Activated I’ »