CME711 - It's a howl!
Storm/CME711 is back to a 'funny greeting card' page.
(Note the "copyright error" in the image)
- The file postcard.exe is offered by clicking on the image.
- The file ecard.exe is offered when waiting 5 seconds.
- The file e-card.exe is offered when clicking the 'click here' link.
Many people already watch for *card.exe downloads with their IDS. I don't expect this to last long. Perhaps the next will be related to the anticipated U.S. Economic Stimulus Package --- or maybe Easter?
It appears this latest run drops the peer list to c:\windows\system32\diperto.ini.
A few MD5s for the binaries are:
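To show how the two indicators in this post (the *card.exe lure filenames and the diperto.ini peer-list drop) turn into simple detection logic, here is an added example, not code from the post. The proxy log format and the sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicators from the post: the three lure filenames and the peer-list path.
LURE_FILENAMES = {"postcard.exe", "ecard.exe", "e-card.exe"}
PEER_LIST_PATH = r"c:\windows\system32\diperto.ini"

# Wildcard rule many IDS deployments already run: any request for *card.exe.
CARD_EXE_RE = re.compile(r"/([^/\s?]*card\.exe)(?=[?\s]|$)", re.IGNORECASE)

@dataclass(frozen=True)
class Hit:
    source: str     # "proxy" or "host"
    indicator: str  # which rule fired
    detail: str     # the matched filename or path

def scan_proxy_log(lines):
    """Flag HTTP requests that fetch a *card.exe lure.

    A match on one of the exact filenames the post lists is reported as a
    'known lure'; any other *card.exe is reported under the wildcard rule."""
    hits = []
    for line in lines:
        m = CARD_EXE_RE.search(line)
        if m:
            name = m.group(1).lower()
            kind = "known lure" if name in LURE_FILENAMES else "wildcard *card.exe"
            hits.append(Hit("proxy", kind, name))
    return hits

def scan_host_files(paths):
    """Flag the peer-list file the post says this run writes (case-insensitive)."""
    return [Hit("host", "peer list", p) for p in paths if p.lower() == PEER_LIST_PATH]

# Constructed sample data (hypothetical proxy log format: ts client method url status).
SAMPLE_PROXY_LOG = [
    "1201900000.123 10.0.0.5 GET http://example.invalid/postcard.exe 200",
    "1201900001.456 10.0.0.5 GET http://example.invalid/index.html 200",
    "1201900002.789 10.0.0.7 GET http://example.invalid/valentine-card.exe 200",
    "1201900003.000 10.0.0.8 GET http://example.invalid/cards.php 200",
]
SAMPLE_HOST_FILES = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\System32\diperto.ini",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_host_files(SAMPLE_HOST_FILES):
        print(f"[{hit.source}] {hit.indicator}: {hit.detail}")
```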
Labels: CME711, p2p botnet, peacomm, peed, postcard, Stormworm, Zhelatin