[AusNOG] Anyone seeing a new(ish) Warezov/Straiton seed happening? (AUSCERT#200765c5c)

matthew at auscert.org.au matthew at auscert.org.au
Thu Jul 19 15:51:12 EST 2007



G'day all,

Amongst all the Storm seeding we saw a small run for what seems to be
Warezov/Straiton (apologies if this is old news or has been already
discussed).  Domains of interest:

  pozaseruiasterduin .com
  baseruikintunasterdan .com
  polonyinhdefunastertyun .com
  xasedriwasderios .com

So it would be worth looking for connections to these, as they could
indicate infection.  Initial spam looks like:

--BEGIN SAMPLE--
  Subject: Hi, you.ve just received a postcard.
  From: david <davidrxjva at tjh.com>
  Date: Fri, 13 Jul 2007 16:05:41 +0900
  To: auscert at auscert.org.au
  
  Hi, you.ve just received a postcard.
  
  For: 
  
  auscert at auscert.org.au
  
  From:
  ---
  
  Text:
  
  Let's go to a party!
  
  Postcard:
  
  Click on attachment to view a postcard.
  
  
  ----
  Pre-holidays Postcards.
  http://postcards.wired2000.net/
  
  <Postcard.exe>
--END SAMPLE--

The attached exe seems to go to:

hxxp://pozaseruiasterduin .com/drt32 .exe

which also hosts jde32.exe, msmsgr.exe, skp32.exe and mhl.exe,

and also:

hxxp://baseruikintunasterdan .com/
hxxp://polonyinhdefunastertyun .com/

and seems to register infections at:

hxxp://xasedriwasderios .com/ chr/ 1113/ e/ t0003?...

So we have:

hxxp://pozaseruiasterduin .com/jde32 .exe
hxxp://pozaseruiasterduin .com/msmsgr .exe
hxxp://pozaseruiasterduin .com/drt32 .exe
hxxp://pozaseruiasterduin .com/skp32 .exe
hxxp://pozaseruiasterduin .com/mhl .exe
hxxp://baseruikintunasterdan .com/jde32 .exe
hxxp://baseruikintunasterdan .com/msmsgr .exe
hxxp://baseruikintunasterdan .com/drt32 .exe
hxxp://baseruikintunasterdan .com/skp32 .exe
hxxp://baseruikintunasterdan .com/mhl .exe
hxxp://polonyinhdefunastertyun .com/jde32 .exe
hxxp://polonyinhdefunastertyun .com/msmsgr .exe
hxxp://polonyinhdefunastertyun .com/drt32 .exe
hxxp://polonyinhdefunastertyun .com/skp32 .exe
hxxp://polonyinhdefunastertyun .com/mhl .exe
hxxp://xasedriwasderios .com/ chr/ 1113/ e/ t0003?...

It would be worth looking for connections to these.

Any feedback appreciated of course.

Thanks for your time,

-- Matthew McGlashan --
Coordination Centre Team Leader             | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct:  +61 7 3365 7924
(AusCERT)                                   | Fax:     +61 7 3365 7031
The University of Queensland                | WWW:     www.auscert.org.au
Qld 4072 Australia                          | Email: auscert at auscert.org.au

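As an added illustration (not part of Matthew's post or any AusCERT tooling), a small Python script that re-fangs the indicators listed above and flags proxy-log lines that touch those domains, separating payload downloads from the /chr/ check-in path. The log layout and the sample lines are constructed for the example.

```python
from urllib.parse import urlsplit

# Indicators exactly as listed in the advisory (defanged with a space before the TLD).
DEFANGED_DOMAINS = [
    "pozaseruiasterduin .com",
    "baseruikintunasterdan .com",
    "polonyinhdefunastertyun .com",
    "xasedriwasderios .com",
]
PAYLOAD_NAMES = {"jde32.exe", "msmsgr.exe", "drt32.exe", "skp32.exe", "mhl.exe"}

def refang(indicator):
    """Undo the advisory's defanging ('hxxp://', 'name .com', '/ chr/') so it can be matched."""
    return indicator.replace(" .", ".").replace("/ ", "/").replace("hxxp://", "http://").strip().lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

def domain_matches(host):
    """True for a listed domain or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

def classify(url):
    """'payload-download', 'checkin' or 'contact' for a URL on a listed domain, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not parts.hostname or not domain_matches(parts.hostname):
        return None
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name in PAYLOAD_NAMES:
        return "payload-download"
    if parts.path.startswith("/chr/"):      # the infection-registration path from the advisory
        return "checkin"
    return "contact"

# Constructed sample proxy log (time, client IP, method, URL); not real traffic.
SAMPLE_LOG = """\
1184825412.123 10.0.0.15 GET http://www.example.org/index.html
1184825413.456 10.0.0.15 GET http://pozaseruiasterduin.com/drt32.exe
1184825420.789 10.0.0.15 GET http://xasedriwasderios.com/chr/1113/e/t0003?x=1
1184825421.000 10.0.0.22 GET http://cdn.baseruikintunasterdan.com/mhl.exe
"""

def scan_log(text):
    """Return (client_ip, verdict, url) for every log line that touches a listed domain."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            verdict = classify(fields[3])
            if verdict:
                hits.append((fields[1], verdict, fields[3]))
    return hits
```

A client that shows a payload download followed by a /chr/ check-in is the pattern the advisory describes for a completed infection; a bare "contact" hit is worth a look but is weaker evidence.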