Malware from China; Googkle is gone; IM Worm/Botnet going in circles

Published: 2005-04-30
Last Updated: 2005-05-01 07:29:01 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

Chinese malware for Breakfast

The day started with fellow handler Kevin Hong reporting a malware hosting site in China. We've mirrored the contents and have started analysis. Getting to the core of the mess turns out to be quite difficult, as most AV tools and debuggers simply claim that the files are corrupt and refuse to analyze them. If the files really were corrupt, this would be the end of it -- but a double-click still launches the evil stuff on XP and 2003. Ugh.

Googkle is no more

Remember the diary four days ago when we were reporting a number of malware sites that were conveniently hosted only a typo away from Yesterday, the DNS hoster ( in Switzerland) has finally taken action and has suspended DNS services for all the malware zones (ghoogle, googkle, etc). Good news for a change.

The freeware site has started a commendable initiative to combat spyware and malware embedded in free software and shareware available through the site. How difficult it is to keep software repositories free of crud was proven today when a reader reported a trojan inside the Bittorrent client "ABC" that he had just retrieved from the mirror. Closer analysis revealed that the package contained an Adware identified as "" as well as a keylogger spyware called "Trojan.Win32.Zapchast". The file has been reported to the abuse department of

New SDBot / Kelvir / Opanki combination making the rounds

A reader reported receiving an email containing a link to a picture that, once downloaded, turned out to be an EXE. The file came from a host within the domain and contained a variant of SDBot. The IRC channel used by the botnet initially instructed all bots to download a copy of W32.Kelvir.AJ. After about an hour, the instructions changed, and a copy of W32.Opanki.A (Symantec: W32.Allim.A) was retrieved. Both of these IM worms are retrieved from a box in the domain. W32.Opanki/Allim is a pretty recent (3 days old) AOL IM worm, which in turn again spreads a copy of SDBot by downloading it from a host in the domain. The hosters of the various components have been contacted, and one of the boxes is offline by now, but the botnet itself is virtually unreachable, hidden behind a bunch of obscure hosters and DNS providers in Germany and Italy.
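Two things in this diary lend themselves to a small triage script: the "picture" link that delivered an EXE, and the Chinese samples that strict tools rejected as corrupt yet still ran. The example below is added here and is not code from the diary or from ISC; it sniffs the real content type from leading bytes regardless of the advertised extension, and when it finds an MZ header it reads the DOS and COFF headers, recording anomalies rather than bailing out. The anomaly thresholds (section count, optional header size) are my own heuristics, and the sample buffers are constructed headers, not the files the diary analysed.

```python
import struct

# Magic bytes for the picture formats a "link to a picture" would be expected to deliver.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_TYPES = {"png", "jpeg", "gif"}
EXT_ALIASES = {"jpg": "jpeg"}


def sniff_type(data):
    """Identify content by leading bytes, ignoring whatever the filename claims."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"


def inspect_pe(data):
    """Read the DOS header pointer and COFF header, recording anomalies instead of
    refusing the file. Thresholds here are triage heuristics (my assumptions), not loader rules."""
    info = {"pe_signature": False, "anomalies": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        info["anomalies"].append("dos header truncated or missing MZ")
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    if e_lfanew + 24 > len(data):           # 4-byte signature + 20-byte COFF header
        info["anomalies"].append("e_lfanew points past end of file")
        return info
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["anomalies"].append("PE signature missing at e_lfanew")
        return info
    info["pe_signature"] = True
    machine, nsect, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info.update(machine=machine, number_of_sections=nsect,
                size_of_optional_header=opt_size, characteristics=chars)
    if nsect == 0 or nsect > 96:
        info["anomalies"].append("implausible section count")
    if opt_size == 0:
        info["anomalies"].append("zero-size optional header")
    return info


def classify_download(filename, data):
    """Compare the extension a URL or filename advertises with the bytes actually received."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_ALIASES.get(ext, ext)
    actual = sniff_type(data)
    result = {"filename": filename, "claimed": claimed, "actual": actual,
              "mismatch": claimed in IMAGE_TYPES and actual != claimed}
    if actual == "pe":
        result["pe"] = inspect_pe(data)
    return result


# --- constructed samples: bare headers only, nothing executable ---

def build_fake_pe(sections=3, opt_size=224):
    """Minimal MZ stub + PE signature + COFF header, enough for the checks above."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, sections, 0, 0, 0, opt_size, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def build_corrupt_pe():
    """Same stub, but e_lfanew aimed far outside the file: the kind of field a strict
    parser reports as 'corrupt'."""
    buf = bytearray(build_fake_pe())
    struct.pack_into("<I", buf, 0x3C, 0xFFFFFF00)
    return bytes(buf)


SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16),   # genuine JPEG header
    ("picture.jpg", build_fake_pe()),                   # EXE served as a picture
    ("funny.gif", build_corrupt_pe()),                  # EXE with a mangled header
]


def scan_samples(samples=SAMPLES):
    return [classify_download(name, data) for name, data in samples]


if __name__ == "__main__":
    for r in scan_samples():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['filename']:<12} claimed={r['claimed']:<5} actual={r['actual']:<7} {flag}",
              r.get("pe", {}).get("anomalies", ""))
```

The point of `inspect_pe` returning a partial record with an anomaly list, instead of raising, is that a mangled header is itself the finding: a file that AV and debuggers call corrupt but that a user can still launch deserves a closer look, not a silent skip.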

Daniel Wesemann

EMail: echo "ebojfm/jtdAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'