Msnmsgrs.exe Malware #2 | Joachim De Zutter
A URL sent from 194.146.155.19 pointed to http://doiop.com/... (June 3rd, 2011)

http://www.utrace.de/?query=194.146.155.19
Provider: GlobalProof s.a.r.l
Region: Beirut (LB)


http://www.utrace.de/?query=88.191.63.4
Provider: Free SAS
Organisation: Dedibox SAS
Region: Besançon (FR)


The server sent an HTTP 301 Moved Permanently reply redirecting to an *.exe on 50.16.209.191.

http://www.utrace.de/?query=50.16.209.191
Provider: AMAZON.COM
Region: Seattle (US)

Filesize: 68096 bytes
MD5: f52fb29e9087e362ad310971a51518e1
SHA1: e181de1d804b2c8807f831916b1af111162b402e
SHA256: 78ade464d5c66764a206d664cd1d2b861a89b4da1455851820b4b889b09cb93d
Copies itself to %APPDATA%\msnmsgrs.exe
Creates a startup key in the registry
Establishes an IRC connection to 208.98.26.140 (stolen.wshells.ws) on TCP port 3211
A reverse DNS lookup of 208.98.26.140 gives The.General.Minister.G0v.Me

http://www.utrace.de/?query=208.98.26.140
Provider: SHARKTECH INTERNET SERVICES
Region: Owings Mills (US)
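As an added example (not part of Joachim De Zutter's original note), the Python script below turns the indicators listed above into a small log matcher for a defender: it parses constructed key=value event lines and flags the three file hashes, the %APPDATA%\msnmsgrs.exe drop path, a registry write that references that binary, the stolen.wshells.ws / 208.98.26.140 resolution, and the TCP/3211 IRC connection. The log format, the field names and the Run-key path used in the sample lines are assumptions made for illustration; the note only says that a startup key is created.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up above
HASHES = {
    "md5": "f52fb29e9087e362ad310971a51518e1",
    "sha1": "e181de1d804b2c8807f831916b1af111162b402e",
    "sha256": "78ade464d5c66764a206d664cd1d2b861a89b4da1455851820b4b889b09cb93d",
}
C2_IP = "208.98.26.140"        # stolen.wshells.ws
C2_PORT = 3211                 # TCP port of the IRC connection
C2_HOST = "stolen.wshells.ws"
PAYLOAD_IP = "50.16.209.191"   # host the HTTP 301 redirect pointed to
# Drop location %APPDATA%\msnmsgrs.exe: match any path ending in that file name
DROP_PATH_RE = re.compile(r"\\msnmsgrs\.exe$", re.IGNORECASE)

# Constructed sample log (assumed key=value format; the Run-key path is an assumption)
SAMPLE_LOG = r"""
2011-06-03T10:12:01 event=process_create image=C:\Users\bob\AppData\Roaming\msnmsgrs.exe md5=f52fb29e9087e362ad310971a51518e1
2011-06-03T10:12:02 event=registry_set key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=msnmsgrs data=C:\Users\bob\AppData\Roaming\msnmsgrs.exe
2011-06-03T10:12:05 event=dns query=stolen.wshells.ws answer=208.98.26.140
2011-06-03T10:12:06 event=net_connect proto=tcp dst=208.98.26.140 dport=3211
2011-06-03T10:15:00 event=net_connect proto=tcp dst=93.184.216.34 dport=443
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    detail: str


def parse_kv(line):
    """Split one log line into a dict of key=value fields (tokens without '=' are skipped)."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def scan_line(line_no, line):
    """Return every indicator hit found in a single log line."""
    fields = parse_kv(line)
    hits = []
    lowered = line.lower()
    # 1. Known file hashes anywhere in the line
    for alg, digest in HASHES.items():
        if digest in lowered:
            hits.append(Hit(line_no, f"hash_{alg}", digest))
    # 2. Drop location: any field whose value is a path ending in msnmsgrs.exe
    path_hit = False
    for value in fields.values():
        if DROP_PATH_RE.search(value):
            hits.append(Hit(line_no, "drop_path", value))
            path_hit = True
    # 3. Persistence: a registry write that references the dropped binary
    if fields.get("event") == "registry_set" and path_hit:
        hits.append(Hit(line_no, "startup_key", fields.get("key", "")))
    # 4. C2 name resolution
    if fields.get("query", "").lower() == C2_HOST:
        hits.append(Hit(line_no, "c2_domain", C2_HOST))
    if fields.get("answer") == C2_IP:
        hits.append(Hit(line_no, "c2_ip", C2_IP))
    # 5. Network connections to the C2 or to the payload host
    if fields.get("event") == "net_connect":
        dst = fields.get("dst")
        dport = fields.get("dport")
        if dst == C2_IP:
            kind = "irc_c2" if dport == str(C2_PORT) else "c2_ip"
            hits.append(Hit(line_no, kind, f"{dst}:{dport}"))
        elif dst == PAYLOAD_IP:
            hits.append(Hit(line_no, "payload_host", dst))
    return hits


def scan_log(text):
    """Scan a whole log; line numbers are 1-based and blank lines are ignored."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        if line.strip():
            hits.extend(scan_line(n, line))
    return hits


def summarize(hits):
    """Count hits per indicator type."""
    counts = {}
    for h in hits:
        counts[h.indicator] = counts.get(h.indicator, 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.indicator} ({h.detail})")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Matching on the drop path and on the registry write together, rather than on the hash alone, is what keeps the rule useful if the binary is repacked: the file name, the persistence mechanism and the C2 endpoint are the parts of this sample an operator has to keep stable.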