Stormworm using Geocities.
The Storm authors have updated their spam templates again. The spam links to several dozen Geocities pages.
Within the Geocities pages is some pretty poorly encoded JavaScript. It decodes to:
<script type="text/javascript">
if (top.location != location) {
top.location.href = document.location.href ;
}
window.location = "http:// 58.65.238. 36/ aes/"
</script>
(Spaces added to prevent accidental clicks)
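The decoded script above does two things: it breaks out of any frame it was loaded in (the top.location check) and then forwards the visitor to the attacker's site with window.location. Below is an added example, not code from the original post, of how a defender can flag pages with that shape when sweeping a batch of hosted pages, and pull out the forwarding target in a defanged form for a report. The sample page is constructed for this example and uses a documentation address (198.51.100.7) in place of the real host; the pattern names and the defang helper are this example's own.

```python
import re

# Constructed sample page: the decoded redirector quoted in the post, with the
# real destination replaced by a documentation address for this example.
SAMPLE_PAGE = """<html><body>
<script type="text/javascript">
if (top.location != location) {
top.location.href = document.location.href ;
}
window.location = "http://198.51.100.7/aes/"
</script>
<p>Click here to install the codec.</p>
</body></html>"""

# Inline script bodies, whatever the attributes on the opening tag.
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Frame-busting: the page compares top.location with its own location.
FRAME_BUST = re.compile(r"top\.location\s*!=\s*(?:self\.|document\.)?location", re.I)

# Forwarding: some flavour of location being assigned a quoted literal URL.
REDIRECT = re.compile(
    r"""(?:window|document|self|top)\.location(?:\.href)?\s*=\s*["']([^"']+)["']""",
    re.I,
)


def defang(url):
    """Make a URL safe to paste into a report: hxxp:// scheme, [.] in the host."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


def analyse(html):
    """Inspect the inline scripts of a page.

    Returns a dict with whether a frame-bust was seen and the defanged list of
    literal redirect targets (assignments of non-literal values are ignored).
    """
    scripts = "\n".join(SCRIPT.findall(html))
    return {
        "frame_bust": bool(FRAME_BUST.search(scripts)),
        "redirects": [defang(u) for u in REDIRECT.findall(scripts)],
    }


def is_redirector(html):
    """True when a page both busts frames and forwards the visitor elsewhere."""
    result = analyse(html)
    return result["frame_bust"] and bool(result["redirects"])


if __name__ == "__main__":
    print(analyse(SAMPLE_PAGE))
    print("redirector page:", is_redirector(SAMPLE_PAGE))
```

Only quoted literal targets are extracted on purpose: the frame-bust line assigns document.location.href, which is not a destination, and skipping non-literal assignments keeps that out of the indicator list. Run this over every page linked from the spam and the output is the set of next-hop hosts to block and to watch for in proxy logs.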
The site opened by the JavaScript looks like this:
The links would have you download iPIX-install.exe (md5: d23355080a5c4705300a617c864df35c) which creates and runs the file %system32%\ntos.exe on each reboot.
Anubis is perhaps the best public sandbox system I've seen. Their report on this file can be found here.
Labels: Anubis Sandbox, Fake Codec, javascript, nuwar, peacomm, peed, Storm, targeted malware
