
SANS ISC: Christmas . exe is making the rounds SANS ISC InfoSec Forums

Christmas . exe is making the rounds
Obviously at any holiday-ish time of the year the malware writers out there are going to package their warez in an appropriately named file.  This time it's Christmas.e x e...

A reader wrote in and pointed us to an article over on F-Secure.  Check it out.

A nice quote from the article.

"We've just received a sample of something that's called CHRISTMAS.EXE. When run, this IRCBot variant will try to download various malicious executables from web servers at and As a decoy, it shows this Christmas-themed image... Obviously, a gift that keeps on giving. To be avoided."

It would be pretty easy to write a Snort rule to catch these.  You could do it one of many ways: look for the DNS request, look for the GET, and so on.  Have fun with those.  If you'd like to write in with a couple of examples, feel free.
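A sketch of the two approaches named above (DNS request and HTTP GET), added here as an example and not taken from the diary or from the F-Secure article. The hostname `malware-host.example` is a placeholder, since the server names are not reproduced on this page, and the SIDs are arbitrary values in the local-rule range.

```snort
# Added example. "malware-host.example" is a placeholder hostname, not a
# real indicator; substitute the download servers named in the advisory.
# SIDs at or above 1000000 are reserved for locally written rules.

# Approach 1: the DNS request.
# Bytes 2-11 of the DNS header match a standard query with recursion
# desired and exactly one question. The name is matched in wire format:
# each label is preceded by its length (0x0c = 12, 0x07 = 7) and the
# name ends with a zero byte.
alert udp $HOME_NET any -> any 53 ( \
    msg:"LOCAL DNS query for placeholder malware download host"; \
    content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; \
    content:"|0c|malware-host|07|example|00|"; nocase; distance:0; \
    classtype:trojan-activity; sid:1000001; rev:1;)

# Approach 2: the GET.
# Match an outbound HTTP GET on an established session whose Host header
# names the download server. This still fires when the client uses a
# cached DNS answer, which approach 1 would miss.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL HTTP GET to placeholder malware download host"; \
    flow:to_server,established; \
    content:"GET "; depth:4; \
    content:"Host|3a| malware-host.example"; nocase; \
    classtype:trojan-activity; sid:1000002; rev:1;)
```

Either rule also identifies the internal host that made the request, which is the machine to pull for cleanup.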

Happy Holidays all!

/** Joel Esler **/

Dec 23rd 2006
