W32/Sality.AO information:
| Field | Value |
| --- | --- |
| MD5 | fda71acbd508de0285433d14d376cc6a |
| SHA-1 | 15a2478a9f524427c6a983f358f9c00935309c7b |
| First Received | 2011-07-22 14:36:00 |
| Last Received | 2011-07-22 14:36:00 |
| Size (bytes) | 67072 |
| Weightage | 1074 |
| virustotal.com | 0 vendors detected, out of 43 |
As of 1 August, the VirusTotal result is 35/45. Common name: W32/Sality.AO.
Files dropped during execution, as captured by xandora:
- "/WINDOWS/Temp/dyfr0sqmy.exe"
- "/WINDOWS/Temp/omaj11kq.exe"
- "/WINDOWS/Temp/qtfcyyp.exe"
- "/WINDOWS/Temp/svchost.exe"
- "/WINDOWS/Temp/y5547xsx.exe"
- "/WINDOWS/Temp/~DFB2BE.tmp"
- "/WINDOWS/Temp/~DFE385.tmp"
- "/WINDOWS/system32/31rvuk6.log"
- "/WINDOWS/system32/drivers/359.exe"
- "/WINDOWS/system32/drivers/734.exe"
Statistics from network connections:
Total TCP port 80 connections: 671
Total TCP port 25 connections: 1018
Total TCP port 25 connections: 1209
The SMTP traffic dump contains an ICQ number and an e-mail address. Taken together, these suggest the file's creator is very likely from Russia.
Most of the e-mail targets .ru domains, such as odin.ru.
Let's check the content of the e-mail.
0x02a0: 4943 513a 2034 3938 3530 2d38 3131 380d ICQ:.49850-8118.
0x02b0: 0a45 6d61 696c 3a20 7661 7a65 7061 6d6f .Email:.vazepamo
0x02c0: 6879 7a65 6740 6d61 696c 2e72 750d 0af3 hyzeg@mail.ru...
0x02d0: c1ca d43a 2068 7474 703a 2f2f 7777 772e ...:.http://www.
0x02e0: 7469 6e79 392e 636f 6d2f 752f 3575 6a76 tiny9.com/u/5ujv
0x02f0: 640d 0a0d 0a2e 0d0a d.......
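To recover the whole message from a tcpdump-style hex dump like the one above, including the bytes that the ASCII column shows only as dots, here is an added Python example (not part of the original report). It assumes the non-ASCII bytes are KOI8-R Cyrillic, which is an assumption, not something the report states; under that assumption the fourth field label decodes to "Сайт" (Russian for "site"), which supports the Russian-origin observation.

```python
import re
from typing import Dict

# tcpdump -X style dump lines, copied from the capture quoted above.
HEXDUMP = """\
0x02a0: 4943 513a 2034 3938 3530 2d38 3131 380d ICQ:.49850-8118.
0x02b0: 0a45 6d61 696c 3a20 7661 7a65 7061 6d6f .Email:.vazepamo
0x02c0: 6879 7a65 6740 6d61 696c 2e72 750d 0af3 hyzeg@mail.ru...
0x02d0: c1ca d43a 2068 7474 703a 2f2f 7777 772e ...:.http://www.
0x02e0: 7469 6e79 392e 636f 6d2f 752f 3575 6a76 tiny9.com/u/5ujv
0x02f0: 640d 0a0d 0a2e 0d0a d.......
"""

# One dump line: hex offset, then 1..8 groups of four hex digits, then the ASCII column.
_LINE = re.compile(r"^0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4}\s+){1,8})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw payload from the hex groups, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # tolerate blank or non-dump lines
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def ends_smtp_data(raw: bytes) -> bool:
    """True if the payload ends with the SMTP end-of-DATA marker, i.e. it is a message tail."""
    return raw.endswith(b"\r\n.\r\n")


def decode_message(raw: bytes, encoding: str = "koi8-r") -> str:
    # Assumption: bytes outside ASCII are Russian text in KOI8-R (not stated by the report).
    return raw.decode(encoding, errors="replace")


def extract_indicators(text: str) -> Dict[str, str]:
    """Pull the 'Label: value' lines (ICQ, Email, URL) out of the decoded body."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    payload = hexdump_to_bytes(HEXDUMP)
    print("SMTP DATA terminator present:", ends_smtp_data(payload))
    for k, v in extract_indicators(decode_message(payload)).items():
        print(f"{k}: {v}")
```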
Besides this information, the e-mail also carries attachments.
Most of the malware updates come from 7293163855.com. As of now, this is the result from WOT (Web of Trust).
During sandboxing, xandora recorded an access to an external IP on TCP 3128. TCP 3128 is widely used by Squid proxies.
Connected to host-static-XXX-116-XXX-250.XXXXXXXcom.md.
Escape character is '^]'.
GET http://www.google.com/ HTTP/1.1
HTTP/1.0 200 OK
YES
Connection closed by foreign host.
W32/Sality.AO very likely carries a list of proxies (a proxy database) through which it routes its HTTP traffic.
For the full analysis report, please go to xandora.