Monday, April 28, 2014

Some fax virus

This morning I've seen some fax viruses come in as a standard "hey you got a fax, open the attachment". The zip file is about 26k and appears to be a zbot downloader.

Two mildly interesting things with this one. One is that after executing the exe, you actually do get an rtf file displayed as a hotel booking for some place in Greece. It uses the hotel's phone numbers and info. So I assume they may be a little confused shortly when people contact them saying they booked no such room.



Secondly, after that rtf file is displayed the virus sleeps for a few minutes and then gets its payload from http://<site>/hot24/banner.png. It is of course not a png, but an executable. Yet another reason to never trust extensions.
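A defender's check for the "not really a png" point above, added here as an example and not part of the original post: it classifies a downloaded file by its magic bytes (PE vs PNG) instead of trusting the extension. The sample bytes are constructed for the example, not taken from the actual banner.png.

```python
import struct

# Well-known file signatures (magic bytes).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every PNG
MZ_MAGIC = b"MZ"                   # DOS header at offset 0 of a Windows executable
PE_SIGNATURE = b"PE\0\0"           # located at the offset stored in e_lfanew (0x3C)


def is_png(data: bytes) -> bool:
    return data.startswith(PNG_MAGIC)


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a valid PE signature."""
    if len(data) < 0x40 or not data.startswith(MZ_MAGIC):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Slicing past the end just yields a short slice, so a bogus e_lfanew fails safely.
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def sniff(data: bytes) -> str:
    """Classify content by its bytes: 'pe', 'png' or 'unknown'."""
    if is_pe(data):
        return "pe"
    if is_png(data):
        return "png"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises a type the bytes do not deliver."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = {"png": "png", "exe": "pe", "dll": "pe"}.get(ext)
    return expected is not None and sniff(data) != expected


# Constructed samples (not real malware): a minimal MZ/PE header and a PNG header stub.
FAKE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"
PNG_STUB = PNG_MAGIC + b"\0\0\0\rIHDR"

if __name__ == "__main__":
    print("banner.png as PE  -> mismatch:", extension_mismatch("banner.png", FAKE_PE))
    print("banner.png as PNG -> mismatch:", extension_mismatch("banner.png", PNG_STUB))
```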



Here are some domains the downloader was reaching out to:

jean-roussel.org
proguardians.net
pensionmagda.cz
pianossimi.fr
furiod.comyr.com


The banner.png (actually an executable) is currently recognized on VirusTotal as a 1/51. Yikes.

https://www.virustotal.com/en/file/148cc3713abba28f4e0aa5c9f3352cabe8f3e257a0325d111ea486661d47aed7/analysis/1398694595/
