For general info about the Ponmocup malware / botnet please see:
http://www9.dyndns-server.com:8080/pub/botnet-links.html

tom@tom-laptop:~$ wget -S -v --user-agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; YPC 3.2.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" --referer="http://www.google.com/url?sa=t&source=web&cd=1&sqi=2&ved=0CBgQFjAA&url=http%3A%2F%2Fwww.gnu.org%2Fsoftware%2Fwget%2Fmanual%2Fhtml_node%2FHTTP-Options.html&rct=j&q=wget%20user-agent&ei=hRfMTaroDMrXsgbVqe2YAQ&usg=AFQjCNG89vX0Q_ciWYl2N5AJmn7-q4yixA&sig2=vsZtB11yZ7FC946rhJxoSQ&cad=rja" http://www.creditagricolesuisseopengstaad.ch/
--2011-05-12 19:27:32--  http://www.creditagricolesuisseopengstaad.ch/
Resolving www.creditagricolesuisseopengstaad.ch... 213.193.104.126
Connecting to www.creditagricolesuisseopengstaad.ch|213.193.104.126|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.0 302 Found
  Date: Thu, 12 May 2011 17:27:37 GMT
  Server: Apache/2.2.17 (EL)
  Set-Cookie: xccgtswgokoe=1; path=/; domain=www.creditagricolesuisseopengstaad.ch; expires=Thu, 19-May-2011 17:27:37 GMT
  Location: http://virtualmapping.org/cgi-bin/r.cgi?p=15003&i=0e991045&j=320&m=ce481f47a3a3064fb0b031bc2c81b7f2&h=www.creditagricolesuisseopengstaad.ch&u=/&q=&t=20110512192737
  Content-Length: 375
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
Location: http://virtualmapping.org/cgi-bin/r.cgi?p=15003&i=0e991045&j=320&m=ce481f47a3a3064fb0b031bc2c81b7f2&h=www.creditagricolesuisseopengstaad.ch&u=/&q=&t=20110512192737 [following]
--2011-05-12 19:27:38--  http://virtualmapping.org/cgi-bin/r.cgi?p=15003&i=0e991045&j=320&m=ce481f47a3a3064fb0b031bc2c81b7f2&h=www.creditagricolesuisseopengstaad.ch&u=/&q=&t=20110512192737
Resolving virtualmapping.org... 85.17.136.121
Connecting to virtualmapping.org|85.17.136.121|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Moved Temporarily
  Server: nginx
  Date: Thu, 12 May 2011 17:27:46 GMT
  Connection: close
  Location: http://opinion0.vicrtorytrip.net/se/3da49bea8f9c04e931c119c28b9be5f2df2618a5fd416cc3cadd32cce22924712ac8b2208e58a7c130e05cdd7171e77f4a183ea6f463244bc3d5e0b9dbcab534871cbe256499d1bc54f625a740c7520204c192da9119da51c2/e5dc6eab/wgetuser.com
Location: http://opinion0.vicrtorytrip.net/se/3da49bea8f9c04e931c119c28b9be5f2df2618a5fd416cc3cadd32cce22924712ac8b2208e58a7c130e05cdd7171e77f4a183ea6f463244bc3d5e0b9dbcab534871cbe256499d1bc54f625a740c7520204c192da9119da51c2/e5dc6eab/wgetuser.com [following]
--2011-05-12 19:27:47--  http://opinion0.vicrtorytrip.net/se/3da49bea8f9c04e931c119c28b9be5f2df2618a5fd416cc3cadd32cce22924712ac8b2208e58a7c130e05cdd7171e77f4a183ea6f463244bc3d5e0b9dbcab534871cbe256499d1bc54f625a740c7520204c192da9119da51c2/e5dc6eab/wgetuser.com
Resolving opinion0.vicrtorytrip.net... 85.17.139.67
Connecting to opinion0.vicrtorytrip.net|85.17.139.67|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: Apache/1.3.42
  Date: Thu, 12 May 2011 17:27:51 GMT
  Content-Type: application/x-msdownload
  Connection: close
  Expires: Mon, 26 Jul 1997 05:00:00 GMT
  Cache-Control: must-revalidate, post-check=0, pre-check=0
  Cache-Control: private
  Content-Disposition: attachment; filename="wgetuser.com"
  Content-Length: 418999
  Content-Transfer-Encoding: binary
  Accept-Ranges: none
Length: 418999 (409K) [application/x-msdownload]
Saving to: `index.html'

100%[==============================================================>] 418,999     206K/s   in 2.0s

2011-05-12 19:27:53 (206 KB/s) - `index.html' saved [418999/418999]

tom@tom-laptop:~$ mv index.html r-cgi-download.com
tom@tom-laptop:~$ file r-cgi-download.com
r-cgi-download.com: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
tom@tom-laptop:~$ md5sum r-cgi-download.com
2b44bcd9718ad03d6985ce4187479cae  r-cgi-download.com

https://www.virustotal.com/file-scan/report.html?id=22e3d32b0407497cb8737bf44bc70a69195ece89cfd98780a6029e6c6831a02a-1305220991
File name:       r-cgi-download.com
Submission date: 2011-05-12 17:23:11 (UTC)
Result:          3/ 42 (7.1%)

AntiVir   7.11.7.254     2011.05.12   TR/Pirminay.gvm
Ikarus    T3.1.1.103.0   2011.05.12   Trojan.Win32.Pirminay
NOD32     6116           2011.05.12   a variant of Win32/Kryptik.NDZ

MD5   : 2b44bcd9718ad03d6985ce4187479cae
SHA1  : 0e6d222e71f334ca7c54e2808a984ca017ad7776
SHA256: 22e3d32b0407497cb8737bf44bc70a69195ece89cfd98780a6029e6c6831a02a

tom@tom-laptop:~$ wget -S -v --user-agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; YPC 3.2.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" --referer="http://www.google.com/url?sa=t&source=web&cd=1&sqi=2&ved=0CBgQFjAA&url=http%3A%2F%2Fwww.gnu.org%2Fsoftware%2Fwget%2Fmanual%2Fhtml_node%2FHTTP-Options.html&rct=j&q=wget%20user-agent&ei=hRfMTaroDMrXsgbVqe2YAQ&usg=AFQjCNG89vX0Q_ciWYl2N5AJmn7-q4yixA&sig2=vsZtB11yZ7FC946rhJxoSQ&cad=rja" http://www.vietnamopentour.com/images/maps/Vietnam_Spectacular/dalat.jpg
--2011-05-12 19:54:01--  http://www.vietnamopentour.com/images/maps/Vietnam_Spectacular/dalat.jpg
Resolving www.vietnamopentour.com... 173.236.93.242
Connecting to www.vietnamopentour.com|173.236.93.242|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Thu, 12 May 2011 17:54:03 GMT
  Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
  Set-Cookie: xccgtswgokoe=1; path=/; domain=www.vietnamopentour.com; expires=Thu, 19-May-2011 17:54:03 GMT
  Location: http://twowayserf.com/cgi-bin/r.cgi?p=10003&i=6dcc0641&j=321&m=2737f27c3827ef8b27abb837aa22f2b0&h=www.vietnamopentour.com&u=/images/maps/Vietnam_Spectacular/dalat.jpg&q=&t=20110512125403
  Cache-Control: max-age=315360000
  Expires: Sun, 09 May 2021 17:54:03 GMT
  Content-Length: 590
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://twowayserf.com/cgi-bin/r.cgi?p=10003&i=6dcc0641&j=321&m=2737f27c3827ef8b27abb837aa22f2b0&h=www.vietnamopentour.com&u=/images/maps/Vietnam_Spectacular/dalat.jpg&q=&t=20110512125403 [following]
--2011-05-12 19:54:03--  http://twowayserf.com/cgi-bin/r.cgi?p=10003&i=6dcc0641&j=321&m=2737f27c3827ef8b27abb837aa22f2b0&h=www.vietnamopentour.com&u=/images/maps/Vietnam_Spectacular/dalat.jpg&q=&t=20110512125403
Resolving twowayserf.com... 85.17.136.122
Connecting to twowayserf.com|85.17.136.122|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Moved Temporarily
  Server: nginx
  Date: Thu, 12 May 2011 17:54:05 GMT
  Connection: close
  Location: http://www.vietnamopentour.com/images/maps/Vietnam_Spectacular/dalat.jpg
Location: http://www.vietnamopentour.com/images/maps/Vietnam_Spectacular/dalat.jpg [following]
--2011-05-12 19:54:05--  http://www.vietnamopentour.com/images/maps/Vietnam_Spectacular/dalat.jpg
Reusing existing connection to www.vietnamopentour.com:80.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Thu, 12 May 2011 17:54:05 GMT
  Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
  Last-Modified: Thu, 18 Nov 2010 08:12:53 GMT
  Accept-Ranges: bytes
  Content-Length: 54205
  Cache-Control: max-age=315360000
  Expires: Sun, 09 May 2021 17:54:05 GMT
  Keep-Alive: timeout=5, max=99
  Connection: Keep-Alive
  Content-Type: image/jpeg
Length: 54205 (53K) [image/jpeg]
Saving to: `dalat.jpg'

100%[==============================================================>] 54,205      44.2K/s   in 1.2s

2011-05-12 19:54:06 (44.2 KB/s) - `dalat.jpg' saved [54205/54205]
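The two captures above show the same handoff pattern from two different compromised sites: the site sets a cookie named xccgtswgokoe, 302s to a /cgi-bin/r.cgi script on another host and passes along the requested host (h=) and path (u=); the redirector then either sends the client on to a host that serves a PE executable (first capture) or bounces it straight back to the original URL (second capture, where a .jpg was requested). The script below is an added example written for this page in Python, not code from the original post: it re-types the response heads above as constructed, trimmed sample data, parses them the way wget -S prints them, and triages each chain. Treating the cookie name, the r.cgi path and its parameter set as indicators is the example's own assumption drawn from these two captures only.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the two captures above; using them as signatures is
# this example's assumption, not a claim made by the original post.
MARKER_COOKIE = "xccgtswgokoe"       # Set-Cookie the compromised site emits on handoff
REDIRECTOR_PATH = "/cgi-bin/r.cgi"   # traffic-direction script on the second hop
REDIRECTOR_PARAMS = {"p", "i", "j", "m", "h", "u", "q", "t"}


@dataclass
class Hop:
    url: str        # URL requested for this hop
    status: int
    headers: list   # [(lower-cased name, value), ...]


def parse_head(url, raw):
    """Turn a status line plus headers (as wget -S prints them) into a Hop."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = []
    for ln in lines[1:]:
        name, _, value = ln.partition(":")   # first colon only; values may contain "http:"
        headers.append((name.strip().lower(), value.strip()))
    return Hop(url, status, headers)


def header(hop, name):
    return [v for n, v in hop.headers if n == name]


def redirector_params(location):
    """Query parameters of an r.cgi Location, or None if it is not an r.cgi URL."""
    parts = urlsplit(location)
    if parts.path != REDIRECTOR_PATH:
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return q if REDIRECTOR_PARAMS <= set(q) else None


def classify_hop(hop):
    """Return the set of findings for one hop of the chain."""
    findings = set()
    req = urlsplit(hop.url)
    for cookie in header(hop, "set-cookie"):
        if cookie.partition("=")[0].strip() == MARKER_COOKIE:
            findings.add("marker_cookie")
    if 300 <= hop.status < 400:
        for loc in header(hop, "location"):
            q = redirector_params(loc)
            if q is None:
                continue
            findings.add("rcgi_handoff")
            # r.cgi is told which host (h) and path (u) the victim asked for;
            # confirm they echo the request, i.e. the site relays rather than links.
            if q["h"] == req.hostname and q["u"] == (req.path or "/"):
                findings.add("rcgi_echoes_request")
    ctypes = [c.split(";")[0].strip() for c in header(hop, "content-type")]
    if hop.status == 200 and "application/x-msdownload" in ctypes:
        findings.add("executable_payload")
    return findings


def triage_chain(hops):
    """Summarise a chain whose first hop is the URL the victim originally asked for."""
    per_hop = [classify_hop(h) for h in hops]
    first, last = urlsplit(hops[0].url), urlsplit(hops[-1].url)
    served = "executable_payload" in per_hop[-1]
    return {
        "handoff": {"marker_cookie", "rcgi_handoff"} <= per_hop[0],
        "payload": served,
        "payload_host": last.hostname if served else None,
        "bounced_back": not served and last.netloc == first.netloc,
        "hops": len(hops),
    }


# Constructed sample data: the two captures above, trimmed to the headers that matter.
RCGI_A = ("http://virtualmapping.org/cgi-bin/r.cgi?p=15003&i=0e991045&j=320"
          "&m=ce481f47a3a3064fb0b031bc2c81b7f2&h=www.creditagricolesuisseopengstaad.ch"
          "&u=/&q=&t=20110512192737")
PAYLOAD_A = ("http://opinion0.vicrtorytrip.net/se/"
             "3da49bea8f9c04e931c119c28b9be5f2df2618a5fd416cc3cadd32cce2292471"
             "2ac8b2208e58a7c130e05cdd7171e77f4a183ea6f463244bc3d5e0b9dbcab534"
             "871cbe256499d1bc54f625a740c7520204c192da9119da51c2/e5dc6eab/wgetuser.com")
CHAIN_A = [
    parse_head("http://www.creditagricolesuisseopengstaad.ch/", f"""
        HTTP/1.0 302 Found
        Server: Apache/2.2.17 (EL)
        Set-Cookie: xccgtswgokoe=1; path=/; domain=www.creditagricolesuisseopengstaad.ch
        Location: {RCGI_A}
        Content-Type: text/html; charset=iso-8859-1"""),
    parse_head(RCGI_A, f"""
        HTTP/1.1 302 Moved Temporarily
        Server: nginx
        Location: {PAYLOAD_A}"""),
    parse_head(PAYLOAD_A, """
        HTTP/1.1 200 OK
        Server: Apache/1.3.42
        Content-Type: application/x-msdownload
        Content-Disposition: attachment; filename="wgetuser.com"
        Content-Length: 418999"""),
]
IMG_B = "http://www.vietnamopentour.com/images/maps/Vietnam_Spectacular/dalat.jpg"
RCGI_B = ("http://twowayserf.com/cgi-bin/r.cgi?p=10003&i=6dcc0641&j=321"
          "&m=2737f27c3827ef8b27abb837aa22f2b0&h=www.vietnamopentour.com"
          "&u=/images/maps/Vietnam_Spectacular/dalat.jpg&q=&t=20110512125403")
CHAIN_B = [
    parse_head(IMG_B, f"""
        HTTP/1.1 302 Found
        Set-Cookie: xccgtswgokoe=1; path=/; domain=www.vietnamopentour.com
        Location: {RCGI_B}
        Content-Type: text/html; charset=iso-8859-1"""),
    parse_head(RCGI_B, f"""
        HTTP/1.1 302 Moved Temporarily
        Server: nginx
        Location: {IMG_B}"""),
    parse_head(IMG_B, """
        HTTP/1.1 200 OK
        Content-Type: image/jpeg
        Content-Length: 54205"""),
]

if __name__ == "__main__":
    for name, chain in (("creditagricolesuisseopengstaad.ch", CHAIN_A),
                        ("vietnamopentour.com", CHAIN_B)):
        print(name, triage_chain(chain))
```

Both chains report handoff=True because the first hop carries the marker cookie and an r.cgi Location whose h= and u= echo the request exactly, which is what separates a compromised site relaying its visitors from a site that merely links somewhere. Only the first chain reports payload=True with payload_host opinion0.vicrtorytrip.net; the second reports bounced_back=True, matching the capture where twowayserf.com sent the client back to dalat.jpg instead of to a download. The same functions can be fed the head of any other wget -S capture, one Hop per request, to triage a chain without running the final download.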