Worm Porphiex

Domains used by the worm :

“tuhocphp.net”
“milomaine.org”
“milwaukeearmedforcesweek.org”
“millplainlibrary.org”
“mimemoria.org”
“militarytrial.org”
“milesbuckinghamlaw.org”
“millcreek-construction.org”
“milpitasvoter.org”
“milkingshadows.org”
“millionairemakers.org”
“millgroup.org”
“mimedrive.org”
“millriverwatershed.org”
“minaple.org”
“millercountyga.org”
“milwaukeelandmarks.org”
“milyonbabies.org”
“military-law.org”
“mindfullife.org”

Servers used by the worm :

“220.181.87.80:5050”
“112.78.4.160:80”
“213.186.33.5:25”
“82.165.73.126:25”
“199.34.228.68:25”
“81.169.145.84:25”
“184.168.221.20:25”
“82.165.100.254:25”
“92.61.157.100:25”
“184.168.221.53:25”
“173.255.220.88:25”
“82.165.100.228:25”
“184.168.221.76:25”
“198.11.204.78:25”
“143.95.43.78:25”
“104.25.88.29:25”
“74.208.60.100:25”
“66.39.35.237:25”
“50.63.202.34:25”
“50.63.202.18:25”

Downloaded files :

“GET /wp-admin/css/2060.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tuhocphp.net
Connection: Keep-Alive”

Shell command :

“cmd /c “”%TEMP%tszhqerhfa.bat”

Sample here : hxxp://cycadia.com/w.exe

Categories: Uncategorized