Malware | Joachim De Zutter
3rd of August 2011

The following malware executables all have the same padlock icon (the icon image itself is not reproduced here):
Filename: \Users\%USERNAME%\M-1-85-5754-5625-2875\winsvc.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\9060860.exe
Filesize: 147456
MD5: bb6612643bac35802c5ad3c70e102039
SHA1: f08cf6ec59a9c4408f40ba72833d51eedd3d395d
SHA256: 214e864f7d42c0f227144d5093692ef974d1a1ef02e910a272aa93fc8133ac6d

Filename: \Users\%USERNAME%\M-1-86-8105-7321-7424\winsvc.exe
Filesize: 135168
MD5: 89fabb9586f962189ba466029419492b
SHA1: 3dd6e8ce199dd0e1f2a612d4438d06f40de7dfbb
SHA256: 894c7cc73485409f88ec2cabd8b73f77df267b3a30cbad28a4f160ea729cfee2

Filename: \Users\%USERNAME%\AppData\Local\Temp\0913871.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\1029060.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\1293444.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\1840345.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\2077273.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\2747443.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\5788172.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\7571232.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\8720705.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\9034701.exe
Filesize: 143360
MD5: 5c8760235b3da1dcf561ea87835f2d49
SHA1: cd73a717faca1cf6fe0f38d404d23068b8f249b3
SHA256: 7b7395b1cb79d4f00fee3c5048174f53ce83f88199d744cef98c0d3648667dd1

Filename: \Users\%USERNAME%\AppData\Local\Temp\2637037.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\3965982.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\5468939.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\6664393.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\7808790.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\7862841.exe
Filesize: 131072
MD5: e73c7ca40786d9429caa6c882352f1e2
SHA1: ca9f0fd8ede29b8b56ebaf9ce3e682c8ea69560c
SHA256: 4b05316a50cf52d7816629e31e7112f1adda7564d8e2016a25608a9059913ed3

Filename: \Users\%USERNAME%\AppData\Local\Temp\7371238.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\8918589.exe
Filesize: 122880
MD5: a6d058ca70b8bb398e0ce1503a154f3b
SHA1: 7894c729412208a810353472b31f329903571c9e
SHA256: d4582b9ab6b184aaa2cc92001044b5d1e4ecc4fd755f793d1142b6c0db127cbf

Filename: \Users\%USERNAME%\AppData\Local\Temp\7390592.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\8470598.exe
Filesize: 131072
MD5: 239fb5cc2a1e9b07d55a27c028b28e7a
SHA1: 295a9f0433776aac9544e900497ea8ba5ab98195
SHA256: bcff85c10c29be6bbdaa8e1b5666efc88a6f75d3af077907bc4d7516d6e4128e

Filename: \Users\%USERNAME%\AppData\Local\Temp\7718011.exe
Filesize: 122880
MD5: 687ff600e7194a3a0500f8786fb17df9
SHA1: 5fed700134bef2bc8c9e9274641fcd7a6729b6f6
SHA256: f2fccab09e94129822976896628b4bf74a8c1a911c1a75f90d67f9d6828aa40f

Filename: \Users\%USERNAME%\AppData\Local\Temp\9157890.exe
Filesize: 131072
MD5: 2a1ab012d4bec2ade289dd0994e43faf
SHA1: d28e6ee5e80bfa6bed264dcb54f042ad975d3b0b
SHA256: 1ca20f1ba3c9f2542086f39970b1189acef4ad5fc360b60de24c6d2745f8dc96

Files with similar filenames but without the padlock icon were also found:
Filename: \Users\%USERNAME%\AppData\Local\Temp\0724403.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\5928442.exe
Filename: \Users\%USERNAME%\AppData\Local\Temp\9009811.exe
Filesize: 129024
MD5: bd86754a2910ea1d078da6a509159566
SHA1: b86b1bacfd753eddadca4f6b4d97537c7132ca8f
SHA256: 56899743e9b269daa56c2c76ff15b1f84842191823088ea68411ed547a59262e

Network activity observed for 0724403.exe (MD5: bd86754a2910ea1d078da6a509159566):

A DNS query was performed for duemitar.in, which resolved to 78.46.109.174

http://www.utrace.de/?query=78.46.109.174
Hetzner Online AG (Nürnberg, Germany)

An HTTP POST request was made to 78.46.109.175

A DNS query was performed for aiveoclub.in, which resolved to 64.20.55.244

http://www.utrace.de/?query=64.20.55.244
Interserver, ZarEthernet (Secaucus, United States)

An HTTP POST request was made to 64.20.55.244

A DNS query was performed for realaiveo.in, which resolved to 98.143.147.237

http://www.utrace.de/?query=98.143.147.237
OC3 Networks & Web Solutions, LLC (Los Angeles, United States)

An HTTP POST request was made to 98.143.147.237

A DNS query was performed for stellas.in, which resolved to 69.64.58.224

http://www.utrace.de/?query=69.64.58.224
Hosting Solutions International (Saint Louis, United States)

An HTTP POST request was made to 69.64.58.224

A DNS query was performed for myaitz.com, which resolved to 74.91.28.195

http://www.utrace.de/?query=74.91.28.195
DataShack, LC, Shenmiren Communications (Tanggu, China)

An HTTP POST request was made to 74.91.28.195