Java/Dldr.Treams.CP / Trojan.Win32.Jorik.Nrgbot.agp (aka Win32.Dorkbot.A) | Joachim De Zutter
August 2012

URLs to a malicious HTML page that attempts a drive-by download, carrying the page title "Please wait while the Webcam is loading...", are spread from 118.99.67.155, 62.84.86.118 and 94.187.48.54.

http://www.utrace.de/?query=118.99.67.155
Provider: Biznet ISP, Region: Jakarta (Indonesia)

http://www.utrace.de/?query=62.84.86.118
Provider: FiberLink Networks

http://www.utrace.de/?query=94.187.48.54
Provider: Libantelecom (Midan Az Zir, Lebanon)

Filename: __REG__.jar
Filesize: 2556
MD5: 907b898814b149112df3cd3c2c8c51bc
SHA1: 981bdf8ea4ecbee0d5a45e27490e44a017380956
SHA256: 5589bdf42bb280403930abbc27e2083a2c1c6293ce7f0d102f989dff72d56c21
Contains:
Filename: __AsD__.class
Filesize: 1695
MD5: a11b124c58a1658a8c3ec30df0450f93
SHA1: 4027831243a5a12a2f238ff1861602848f20457f
SHA256: fc657447336f82a1aa784e04d7d73d43cdd6663e673e1568044b819782ba6e1e
Identified by Avira AntiVir as Java/Dldr.Treams.CP and by TrendMicro-HouseCall as TROJ_GEN.F47V0726

https://www.virustotal.com/file/5589bdf42bb280403930abbc27e2083a2c1c6293ce7f0d102f989dff72d56c21/analysis/

The parameter passed to the JAR was a URL pointing to one of the following suspicious executable files:
Filename: rundll.exe
Filesize: 66048
MD5: ce0b0bffa11223ba428e2e2a2905791f
SHA1: 9f49d06012f723fb271404fc899f5c4752a35769
SHA256: 7e4d77e70befba114c0b909cbc39bc7a6d677bf0c8f330e72989ebb9af35e07a
https://www.virustotal.com/file/7e4d77e70befba114c0b909cbc39bc7a6d677bf0c8f330e72989ebb9af35e07a/analysis/
or
Filename: rundll.exe
Filesize: 205824
MD5: 26ee8269381d8e60eed974128f2b1217
SHA1: 66e74d37de10838f435d3a0e765f6660de8ecafd
SHA256: 6461f6b6fb80ceb559b1b80c762c31885c5c19196999c3791c73ab3e1b51eccb
https://www.virustotal.com/file/6461f6b6fb80ceb559b1b80c762c31885c5c19196999c3791c73ab3e1b51eccb/analysis/
or
Filename: rundll.exe
Filesize: 129720
MD5: 86801c1e8a80ec823cb4736d6cdee362
SHA1: d85693180524b4ffa2425dd3c04b82f867dc7dee
SHA256: d2c7560721381d9179809dd4a7a03cead6465daa3d3c61350494833f223eb58d
Contains base64-encoded data.
or
Filename: rundll.exe
Filesize: 210432
MD5: a2978e923d680667f10a8914f701ff25
SHA1: b941cea8931692ad1a8b6ec5d45354234b288a1a
SHA256: 638b9c129040eb68ab9a95b704d00952d49bb4e7cbaa4329c328860756643499
https://www.virustotal.com/file/638b9c129040eb68ab9a95b704d00952d49bb4e7cbaa4329c328860756643499/analysis/
or
Filename: rundll.exe
Filesize: 210432
MD5: 4a1b1649c58f4dee9ae199d052f24e9b
SHA1: 0dd8930c69ce61e517a60bfeed7b179d849c0c26
SHA256: c0e7e3f8e91860e0380ddd621cf15764f260cc10e8f4eaeafb5ec53b77450b27
Identified by AVG as Generic29.AUNN
or
Filename: rundll.exe
Filesize: 218624
MD5: a5f2774483b70e9bd65680a51d60c464
SHA1: 148b454b6c435e841018c1e1da4db7a04bfd7451
SHA256: 7dfc6ba9f0529944b2682762f317eec07414e4299c0d7f538833fcc0fa61e14e
Identified by AVG as Generic29.BWNG

The rundll.exe files could only be downloaded from the HTTP server when the HTTP User-Agent header field matched what the server expected; requests with any other User-Agent value were not served the file.

In September 2012, other variants could be found with a search engine:
Filename: java.jar
Filesize: 2676
MD5: 90e0ec88012a4e1ba0ff58a4533720d3
SHA1: 09e0ace1a91d6551e6ed850a15f1df67e85ff166
SHA256: 53b7566f470199907eb680465a34be2133f11bdb871887bbf67826ea0e907092
https://www.virustotal.com/file/53b7566f470199907eb680465a34be2133f11bdb871887bbf67826ea0e907092/analysis/

Filename: ls4724.jar
Filesize: 2482
MD5: 0fc99434af75e6de11cf722b8a573c6c
SHA1: 5268457648e8b092ef2d76f6de4465bdea6833d2
SHA256: 6eddd3122a8ee148c27b6a576c2c4e51792724bb4c331a9431d5d3de8f2021d3

Filename: "Install (1).exe"
Filesize: 2238464
MD5: 02874c6ed73136766f97a686a7d98daf
SHA1: 65771be9d4af3f7f0ccd9375142563ece6b9d919
SHA256: 59834a7d5903ebc6b8309eb97aa716aef59c9ad42ba77d1aba0312f00c15d32a
Identified by AVG as PSW.Generic9.AAPA

Filename: Install.exe
Filesize: 1724416
MD5: 8bfe8c8729179e9c2b96d003ed9aea32
SHA1: dcd140249d1ad6b227fee1beda8580d655b52d55
SHA256: efb551321011fddcb7b6a413639a91d4cf5380d37223a2c1c3df7fcf7f3e6a30

Filename: Client.jar
Filesize: 3626
MD5: 0521c911e442cd9eec927d8439731a76
SHA1: 93c6dc46956f17ad71380cc9685c7b8bd167cce7
SHA256: 35970e91c4d3364f8b05f5b40d892224084c7fc207af4db8165ebf6ca9bd5357
https://www.virustotal.com/file/35970e91c4d3364f8b05f5b40d892224084c7fc207af4db8165ebf6ca9bd5357/analysis/

Filename: Pictures.exe
Filesize: 1335980
MD5: 97cb02395905bd53f1b6c930a2a4c4bb
SHA1: e494c5add4df34b128c73504cf6d9042c14ca7bc
SHA256: 09001dcb082d86f281a94b77f39fbe333b04a5f4b7073106fea6675263417132
https://www.virustotal.com/file/09001dcb082d86f281a94b77f39fbe333b04a5f4b7073106fea6675263417132/analysis/

Filename: MB08V.jar
Filesize: 3573
MD5: 62ce7b3d39f06660996761797af153d0
SHA1: badeb2374b0d44ff2668d45050832e2f52cd8e6b
SHA256: c42839209dd2cb3a2130bf3655e3fc84ff8ace39a505f4f877fa4ed7ae4a4163