
Stration Virus Update

September 25th, 2006

So I've done a little playing with this guy... primarily to watch his network behavior... I'll run a second round with it either tonight or tomorrow and watch the file system and registry changes a little more closely...

After you run the infected file you are greeted with a pop-up box that says "update applied". A process (t2serv.exe; this will be confirmed on my next round of work), which is hidden from taskman and tasklist, seems to carry out the remainder of the process.

From a network point of view, the following occurs.

  1. DNS Query - MX Record - yahoo.com
  2. DNS Query - A Record - mx1.mail.yahoo.com
  3. 4 TCP Packets (SYN) to mx1.mail.yahoo.com (each IP address associated with it)
  4. DNS Query - A Record - www4.vertionkdaseliplim.com
  5. TCP Request to www4.vertionkdaseliplim.com:80
  6. HTTP/1.1 GET Request - /chr/grv/lt.exe
  7. DNS Query - MX Record - gmail.com
  8. 4 TCP Packets (SYN) to gmail.com MX (each IP)
  9. DNS Query - MX Record - hotmail.com
  10. 4 TCP Packets (SYN) to hotmail.com MX (each IP)
  11. DNS Query - A Record - www3.vertionkdaseliplim.com
  12. TCP Request to www3.vertionkdaseliplim.com:80
  13. HTTP/1.1 POST - /cgi-bin/pr.cgi - POST Data == Ver=3.01&lid=5A6391F158F84B309FCA&type=s&p=0&r=1&m=2&
  14. DNS Query - A Record - www6.vertionkdaseliplim.com
  15. TCP Request to www6.vertionkdaseliplim.com:80
  16. HTTP/1.1 GET Request - /chr/grv/nt.exe (404 Not Found)
  17. DNS Query - A Record - www2.vertionkdaseliplim.com
  18. TCP Request to www2.vertionkdaseliplim.com:80
  19. HTTP/1.1 POST - /cgi-bin/pr.cgi - POST Data == Ver=3.01&lid=5A6391F158F84B309FCA&type=a&n=0&
  20. DNS Query - A Record - www2.vertionkdaseliplim.com
  21. TCP Request to www2.vertionkdaseliplim.com:80
  22. HTTP/1.1 POST - /dsl2 - POST Data == List of harvested addresses (addresses must have been pulled from IE/Firefox cache based on what they were)

Since nt.exe already seems to be gone, I've obtained and stored a copy of lt.exe in case anyone would like a copy. I'll keep everyone in the loop as I dig further into this.
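As an added example (not part of the original post), here is a small Python checker that flags the traffic pattern listed above in a hypothetical proxy log: the stage downloads under /chr/grv/, the form-encoded check-in to /cgi-bin/pr.cgi (grouped on the lid value, which stayed the same across both check-ins), and the address upload to /dsl2. The log layout and the sample lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Indicators taken from the traffic list above.
C2_HOST_RE = re.compile(r"^www\d+\.vertionkdaseliplim\.com$", re.IGNORECASE)
STAGE_PATH_RE = re.compile(r"^/chr/grv/[a-z0-9_]+\.exe$", re.IGNORECASE)
CHECKIN_PATH = "/cgi-bin/pr.cgi"
HARVEST_PATH = "/dsl2"

# Hypothetical proxy log layout: client method host path status [body]
LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>GET|POST) (?P<host>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3})(?: (?P<body>.*))?$"
)


def classify(line):
    """Return an event dict for a Stration-like request, or None."""
    m = LOG_RE.match(line)
    if not m or not C2_HOST_RE.match(m["host"]):
        return None
    client, method, path = m["client"], m["method"], m["path"]
    if method == "GET" and STAGE_PATH_RE.match(path):
        # Second-stage fetch (lt.exe / nt.exe); a 404 still records the attempt.
        return {"client": client, "event": "stage_download", "path": path, "status": m["status"]}
    if method == "POST" and path == CHECKIN_PATH:
        # Check-in body is form-encoded; 'lid' acts as a per-infection id and
        # 'type' (s or a) distinguishes the two check-ins seen in the capture.
        params = {k: v[0] for k, v in parse_qs(m["body"] or "").items()}
        return {"client": client, "event": "checkin", "ver": params.get("Ver"),
                "lid": params.get("lid"), "kind": params.get("type")}
    if method == "POST" and path == HARVEST_PATH:
        return {"client": client, "event": "address_upload"}
    return {"client": client, "event": "c2_contact", "path": path}


def scan(lines):
    """Run every line through classify() and keep only the hits."""
    return [e for e in map(classify, lines) if e]


# Constructed sample log; the middle lines mirror the observed traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET www.example.com /index.html 200",
    "10.0.0.5 GET www4.vertionkdaseliplim.com /chr/grv/lt.exe 200",
    "10.0.0.5 POST www3.vertionkdaseliplim.com /cgi-bin/pr.cgi 200 Ver=3.01&lid=5A6391F158F84B309FCA&type=s&p=0&r=1&m=2&",
    "10.0.0.5 GET www6.vertionkdaseliplim.com /chr/grv/nt.exe 404",
    "10.0.0.5 POST www2.vertionkdaseliplim.com /dsl2 200 user1@example.com;user2@example.com",
]

if __name__ == "__main__":
    for event in scan(SAMPLE_LOG):
        print(event)
```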

Peace,
HT

