For general info about the Ponmocup malware / botnet please see:
http://www9.dyndns-server.com:8080/pub/botnet-links.html

user@host:~$ wget -S -v --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.30729; .NET CLR 3.5.30729)" --referer="http://www.google.ch/search?hl=de&q=intranetberater+de+Infopool&aq=f&aqi=g10&aql=&oq=" http://intranetberater.de/index.php/downloadbereich/Infopool/E-Book-Intranet-Checklisten-zur-Optimierung-des-Intranets/ -O intranetberater.de
--10:59:04--  http://intranetberater.de/index.php/downloadbereich/Infopool/E-Book-Intranet-Checklisten-zur-Optimierung-des-Intranets/
           => `intranetberater.de'
Resolving intranetberater.de... 94.249.155.2
Connecting to intranetberater.de|94.249.155.2|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Date: Tue, 19 Jul 2011 08:59:04 GMT
  Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
  Set-Cookie: xccgtswgokoe=1; path=/; domain=intranetberater.de; expires=Tue, 26-Jul-2011 08:59:04 GMT
  Location: http://earlyanswered.com/cgi-bin/r.cgi?p=10003&i=207c0222&j=332&m=27d68cdd46edf4a2a40ebcd09bb94dd9&h=intranetberater.de&u=/index.php/downloadbereich/Infopool/E-Book-Intranet-Checklisten-zur-Optimierung-des-Intranets/&q=&t=20110719105904
  Vary: Accept-Encoding
  Content-Length: 448
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=iso-8859-1
Location: http://earlyanswered.com/cgi-bin/r.cgi?p=10003&i=207c0222&j=332&m=27d68cdd46edf4a2a40ebcd09bb94dd9&h=intranetberater.de&u=/index.php/downloadbereich/Infopool/E-Book-Intranet-Checklisten-zur-Optimierung-des-Intranets/&q=&t=20110719105904 [following]
--10:59:04--  http://earlyanswered.com/cgi-bin/r.cgi?p=10003&i=207c0222&j=332&m=27d68cdd46edf4a2a40ebcd09bb94dd9&h=intranetberater.de&u=/index.php/downloadbereich/Infopool/E-Book-Intranet-Checklisten-zur-Optimierung-des-Intranets/&q=&t=20110719105904
           => `intranetberater.de'
Resolving earlyanswered.com... 95.168.177.141
Connecting to earlyanswered.com|95.168.177.141|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Moved Temporarily
  Server: Apache/1.3.42
  Date: Tue, 19 Jul 2011 08:59:05 GMT
  Connection: close
  Location: http://reasonable6.therealityglove.com/se/3da19bea8f9c06bc3f9b18c08d9ce5a38d7616acf8113f96cfd9659ae07c70722e9ae771dc5ef4ca31ba548b2273ec7f4a193ca6ea7a2717c1c9e0a9d0dba6328110af646c99/6ff6afd0/intranetberater_de_Infopool.com
Location: http://reasonable6.therealityglove.com/se/3da19bea8f9c06bc3f9b18c08d9ce5a38d7616acf8113f96cfd9659ae07c70722e9ae771dc5ef4ca31ba548b2273ec7f4a193ca6ea7a2717c1c9e0a9d0dba6328110af646c99/6ff6afd0/intranetberater_de_Infopool.com [following]
--10:59:05--  http://reasonable6.therealityglove.com/se/3da19bea8f9c06bc3f9b18c08d9ce5a38d7616acf8113f96cfd9659ae07c70722e9ae771dc5ef4ca31ba548b2273ec7f4a193ca6ea7a2717c1c9e0a9d0dba6328110af646c99/6ff6afd0/intranetberater_de_Infopool.com
           => `intranetberater.de'
Resolving reasonable6.therealityglove.com... 95.168.177.142
Connecting to reasonable6.therealityglove.com|95.168.177.142|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: Apache/1.3.42
  Date: Tue, 19 Jul 2011 08:59:06 GMT
  Content-Type: application/x-msdownload
  Connection: close
  Expires: Mon, 26 Jul 1997 05:00:00 GMT
  Cache-Control: must-revalidate, post-check=0, pre-check=0
  Cache-Control: private
  Content-Disposition: attachment; filename="intranetberater_de_Infopool.com"
  Content-Length: 221620
  Content-Transfer-Encoding: binary
  Accept-Ranges: none
Length: 221,620 (216K) [application/x-msdownload]

100%[==================================================================================================================>] 221,620      987.65K/s

10:59:06 (985.12 KB/s) - `intranetberater.de' saved [221620/221620]

user@host:~$ mv intranetberater.de intranetberater_de_Infopool.com
user@host:~$ ls -l intranetberater_de_Infopool.com
-rw-r--r-- 1 user user 221620 2011-07-19 10:59 intranetberater_de_Infopool.com
user@host:~$ file intranetberater_de_Infopool.com
intranetberater_de_Infopool.com: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
user@host:~$ md5sum intranetberater_de_Infopool.com
85a47236712ec8c974656f6510969c37  intranetberater_de_Infopool.com

https://www.virustotal.com/file-scan/report.html?id=258e38148f9cba86e61291b6c25d5b8745e341c7d3362adfeba5118c9821c617-1311066261

File name:       intranetberater_de_Infopool.com
Submission date: 2011-07-19 09:04:21 (UTC)
Result:          9/ 43 (20.9%)

AntiVir            7.11.11.207   2011.07.19  TR/Dropper.Gen
BitDefender        7.2           2011.07.19  Gen:Trojan.Heur.RP.nq1@auvLlZci
Emsisoft           5.1.0.8       2011.07.19  Trojan.Win32.Jorik!IK
F-Secure           9.0.16440.0   2011.07.19  Gen:Trojan.Heur.RP.nq1@auvLlZci
GData              22            2011.07.19  Gen:Trojan.Heur.RP.nq1@auvLlZci
Ikarus             T3.1.1.104.0  2011.07.19  Trojan.Win32.Jorik
Jiangmin           13.0.900      2011.07.18  Trojan/Generic.hxys
McAfee-GW-Edition  2010.1D       2011.07.19  Heuristic.LooksLike.Trojan.Dropper.B
Norman             6.07.10       2011.07.18  W32/Obfuscated.L

MD5   : 85a47236712ec8c974656f6510969c37
SHA1  : db3ab8857f12c9871b5048da33a07218898df193
SHA256: 258e38148f9cba86e61291b6c25d5b8745e341c7d3362adfeba5118c9821c617
ssdeep: 3072:7V4yoHFSNRc5i48J/vpdwPtHOT07ULlrLxvANUudQJN/ehdpeL0TK3lHX:7uJU2Y/DwV8VLlANZQJN2B0Y6
File size : 221620 bytes
First seen: 2011-07-19 09:04:21
Last seen : 2011-07-19 09:04:21

TrID:
Win32 Executable MS Visual C++ (generic) (62.9%)
Win32 Executable Generic (14.2%)
Win32 Dynamic Link Library (generic) (12.6%)
Win16/32 Executable Delphi generic (3.4%)
Generic Win/DOS Executable (3.3%)

sigcheck:
publisher....: Nkyqorles Xkfglskvznl
copyright....: (c) Gfyoinmcy Oopbmbpxsfh. All rights reserved.
product......: Xveuvwsdl_ Shyikot_ Bejacktmg Rgkbkh
description..: Windows IPsec SPD Client DLL
original name: winipsec.dll
internal name: winipsec.dll
file version.: 6.0.6001.18000 (longhorn_rtm.080118-1840)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x137E
timedatestamp....: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x3DB8, 0x3E00, 6.65, b14b5bc14c039a4204f330c862b18c17
.rdata, 0x5000, 0x30DDA, 0x30E00, 7.99, 0358f97ecae7c8700770b9f000c4145b
.data, 0x36000, 0x838, 0xA00, 0.99, 9e807877545137076d400f62e59bc6ab
.rsrc, 0x37000, 0x410, 0x600, 2.54, 1f55962addcc9479cf0c19e74b542c71

[[ 1 import(s) ]]
KERNEL32.dll: GetCommandLineA, VirtualAlloc, ExitProcess, RtlUnwind, GetModuleHandleA, GetStartupInfoA, GetVersionExA, InterlockedExchange, VirtualQuery, GetProcAddress, TerminateProcess, GetCurrentProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapDestroy, HeapCreate, VirtualFree, HeapFree, LoadLibraryA, GetACP, GetOEMCP, GetCPInfo, HeapAlloc, HeapReAlloc, HeapSize, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, VirtualProtect, GetSystemInfo