Server: apocsvr.info
Gate file: /andro/image.php
This is just the standard cracked andro, but I noticed something interesting about it.
The domain is WhoisGuard-protected, which is often used by skids who don't want to spend 30 seconds making up fake info for the WHOIS. However, I noticed something in the assembly (version) info of the sample:

InternalName.............: MickNoses.exe
ProductVersion...........: 4.120.0.0
FileDescription..........: Mick Noses Utility
OSVersion................: 4.0
OriginalFilename.........: MickNoses.exe
LegalCopyright...........: Copyright 2012 Mick Noses, LLC. All rights reserved.
MachineType..............: Intel 386 or later, and compatibles
CompanyName..............: Mick Noses, LLC
Hmm, where have I seen a name like that before? Switch the M and N around and it becomes Nick Moses.
What a clever guy, implanting a mildly disguised version of his name into the malware he spreads. I’m sure he’ll go far.
Hosting info: http://whois.domaintools.com/37.221.163.131
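The fields quoted above (InternalName, OriginalFilename, LegalCopyright, CompanyName and friends) live in the PE's VS_VERSIONINFO block, stored in the RT_VERSION resource; in a .NET build the AssemblyInfo attributes are compiled into that same resource. The following is an added example, not code from the original post: a stdlib-only parser for the VS_VERSIONINFO layout (nested wLength/wValueLength/wType/szKey blocks, 32-bit aligned, UTF-16LE keys), run over a constructed blob that carries the same strings as the dump, plus the product version decoded from VS_FIXEDFILEINFO. The `_node`/`_string` builders and `SAMPLE_BLOB` are constructed test data, not bytes from the real sample. Pulling the blob out of an actual PE means walking the resource directory first, which tools such as pefile (`pe.FileInfo`) or exiftool do for you; the point here is what those tools are decoding. Caveat a practitioner should keep in mind: every one of these strings is attacker-chosen and trivially editable with a resource editor, so a name in the version info is a pivot for further searching, not proof of who built the binary.

```python
import struct

# VS_FIXEDFILEINFO is 13 little-endian DWORDs (52 bytes); its first DWORD is a fixed signature.
VS_FFI_SIGNATURE = 0xFEEF04BD
VS_FFI_FORMAT = '<13I'


def _align4(n):
    return (n + 3) & ~3


def _read_utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, position after the NUL)."""
    end = pos
    while buf[end:end + 2] != b'\x00\x00':
        end += 2
        if end >= len(buf):
            raise ValueError('unterminated UTF-16 key')
    return buf[pos:end].decode('utf-16-le'), end + 2


def _parse_node(buf, off):
    """Parse one version-resource block: wLength, wValueLength, wType, szKey, padding, value, children.
    wValueLength counts WORDs when wType == 1 (text) and bytes when wType == 0 (binary)."""
    length, value_len, vtype = struct.unpack_from('<HHH', buf, off)
    end = off + length
    key, pos = _read_utf16z(buf, off + 6)
    pos = _align4(pos)
    value = None
    if value_len:
        nbytes = value_len * 2 if vtype == 1 else value_len
        raw = buf[pos:pos + nbytes]
        value = raw.decode('utf-16-le').rstrip('\x00') if vtype == 1 else raw
        pos = _align4(pos + nbytes)
    children = []
    while pos + 6 <= end:              # child blocks follow, each 32-bit aligned
        child, pos = _parse_node(buf, pos)
        children.append(child)
        pos = _align4(pos)
    return {'key': key, 'value': value, 'children': children}, end


def parse_version_info(blob):
    """Return (VS_FIXEDFILEINFO tuple, {lang_charset: {field: value}}) for a VS_VERSIONINFO blob."""
    root, _ = _parse_node(blob, 0)
    if root['key'] != 'VS_VERSION_INFO':
        raise ValueError('not a VS_VERSIONINFO block')
    fixed = struct.unpack(VS_FFI_FORMAT, root['value'])
    if fixed[0] != VS_FFI_SIGNATURE:
        raise ValueError('bad VS_FIXEDFILEINFO signature')
    strings = {}
    for child in root['children']:
        if child['key'] == 'StringFileInfo':
            for table in child['children']:
                strings[table['key']] = {s['key']: s['value'] for s in table['children']}
    return fixed, strings


def product_version(fixed):
    """Format dwProductVersionMS/dwProductVersionLS (tuple fields 4 and 5) as a.b.c.d."""
    ms, ls = fixed[4], fixed[5]
    return f'{ms >> 16}.{ms & 0xFFFF}.{ls >> 16}.{ls & 0xFFFF}'


# --- constructed test data below: builds the on-disk layout so the parser can be run offline ---

def _node(key, value=b'', vtype=1, children=()):
    key_bytes = key.encode('utf-16-le') + b'\x00\x00'
    head = 6 + len(key_bytes)
    pad1 = (-head) % 4
    body = b''.join(c + b'\x00' * ((-len(c)) % 4) for c in children)
    pad2 = (-(head + pad1 + len(value))) % 4 if body else 0
    value_len = len(value) // 2 if vtype == 1 else len(value)
    total = head + pad1 + len(value) + pad2 + len(body)
    return (struct.pack('<HHH', total, value_len, vtype) + key_bytes
            + b'\x00' * pad1 + value + b'\x00' * pad2 + body)


def _string(key, text):
    return _node(key, text.encode('utf-16-le') + b'\x00\x00')


# Mirrors the strings quoted in the post; these are constructed bytes, not the real binary.
SAMPLE_FIELDS = {
    'CompanyName': 'Mick Noses, LLC',
    'FileDescription': 'Mick Noses Utility',
    'InternalName': 'MickNoses.exe',
    'LegalCopyright': 'Copyright 2012 Mick Noses, LLC. All rights reserved.',
    'OriginalFilename': 'MickNoses.exe',
    'ProductVersion': '4.120.0.0',
}
_fixed = struct.pack(VS_FFI_FORMAT, VS_FFI_SIGNATURE, 0x00010000,
                     0, 0,                         # dwFileVersionMS/LS (not shown in the dump)
                     (4 << 16) | 120, 0,           # dwProductVersionMS/LS -> 4.120.0.0
                     0x3F, 0, 0x40004, 1, 0, 0, 0)  # flags mask, flags, VOS_NT_WINDOWS32, VFT_APP, ...
SAMPLE_BLOB = _node('VS_VERSION_INFO', _fixed, vtype=0, children=[
    _node('StringFileInfo', children=[
        _node('040904B0', children=[_string(k, v) for k, v in SAMPLE_FIELDS.items()]),
    ]),
])

if __name__ == '__main__':
    fixed, strings = parse_version_info(SAMPLE_BLOB)
    print('ProductVersion (fixed info):', product_version(fixed))
    for key, val in strings['040904B0'].items():
        print(f'{key:<20} {val}')
```

The table key `040904B0` is the language/charset pair (0x0409 = en-US, 0x04B0 = Unicode); a binary can carry several tables, which is why the parser returns a dict keyed on it rather than a flat list.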
Anonymous - November 24, 2012 at 1:51 am
Here is a thread of him talking about Blackhole exploit pack and saying it's getting bad rates: http://www.hackforums.net/showthread.php?tid=3026238
Maybe if you search a bit harder you might end up finding where it's hosted. Also it seems he said goodbye to spreading on 4chan.
What a shame.
Nick Moses - November 29, 2012 at 10:36 am
Sup guys. Why you no leave me alone?
-Nick
Anonymous - January 8, 2013 at 5:37 am
This has been removed. In the future, please report this to abuse@vhostlayer.com