kangozip.com
The executable has a name made up of seven random letters. All of them bring along iaxcfg.dll -- I get the impression that this one is not randomly made up. The thing runs from the System32 directory.
It listens on ports 9849 TCP and 11075 UDP.
And it does very strange DNS requests. Here is a small selection with duplicates pruned.
121 10:55:00.601908 Standard query A gmesxwrxpa.kangozip.com
129 10:55:02.966353 Standard query A gmesxwrxpa.ikcharhrzksikbchlqef.com
130 10:55:02.966386 Standard query A azskifnhom.kangozip.com
224 11:15:00.453596 Standard query A azskifnhom.ikcharhrzksikbchlqef.com
308 11:35:01.022981 Standard query A mcnpznnijd.kangozip.com
314 11:35:01.424633 Standard query A mcnpznnijd.ikcharhrzksikbchlqef.com
403 11:55:01.743224 Standard query A csipqcvwam.kangozip.com
409 11:55:02.280471 Standard query A csipqcvwam.ikcharhrzksikbchlqef.com
493 12:15:02.740396 Standard query A atbioosgnd.kangozip.com
501 12:15:04.444407 Standard query A atbioosgnd.ikcharhrzksikbchlqef.com
597 12:35:05.700195 Standard query A kujzbknbfk.kangozip.com
603 12:35:06.348892 Standard query A kujzbknbfk.ikcharhrzksikbchlqef.com
703 12:55:06.642058 Standard query A eidmryojkn.kangozip.com
735 12:55:23.615874 Standard query A eidmryojkn.ikcharhrzksikbchlqef.com
799 13:15:24.884872 Standard query A clisnadmyo.kangozip.com
810 13:15:28.315194 Standard query A clisnadmyo.ikcharhrzksikbchlqef.com
893 13:35:28.768889 Standard query A kzbolkyele.kangozip.com
897 13:35:29.357181 Standard query A kzbolkyele.ikcharhrzksikbchlqef.com
1019 13:55:29.736036 Standard query A trabejvjbs.kangozip.com
1029 13:55:46.788346 Standard query A trabejvjbs.ikcharhrzksikbchlqef.com
1096 14:15:48.110853 Standard query A srizesgoih.kangozip.com
1104 14:15:50.618757 Standard query A srizesgoih.ikcharhrzksikbchlqef.com
1203 14:35:51.900275 Standard query A fajwxocyxk.kangozip.com
1208 14:35:52.574607 Standard query A fajwxocyxk.ikcharhrzksikbchlqef.com
1318 14:55:52.978277 Standard query A qrnmyxabqh.kangozip.com
1331 14:56:09.979102 Standard query A qrnmyxabqh.ikcharhrzksikbchlqef.com
1426 15:16:11.227272 Standard query A qmkmqfuqjl.kangozip.com
1434 15:16:12.846151 Standard query A qmkmqfuqjl.ikcharhrzksikbchlqef.com
The ones that end in kangozip.com actually resolve to an IP address (68.213.254.139); the others don't.
As soon as this IP is returned, a 50-byte UDP packet goes out to it from local port 11075 to remote port 48742. The address always reverse-resolves to gmesxwrxpa.kangozip.com.
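The query pattern above (a fresh random leftmost label every 20 minutes, the same label tried under two parent domains, only one of which resolves) is the kind of thing a resolver log can be screened for automatically. The following Python script is an added example and not part of the original post: it parses lines in the quoted format, groups queries by parent domain, and flags parents that see many never-repeated labels at a steady interval. The sample log is constructed from the queries above plus two benign lines; the thresholds (at least four labels, 90-second tolerance, 60% of gaps regular) are assumptions, not values from the post.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the query lines quoted in the post
# (frame number, time, "Standard query A", name); two benign lines added.
SAMPLE_LOG = """\
121 10:55:00.601908 Standard query A gmesxwrxpa.kangozip.com
129 10:55:02.966353 Standard query A gmesxwrxpa.ikcharhrzksikbchlqef.com
130 10:55:02.966386 Standard query A azskifnhom.kangozip.com
200 11:00:00.000000 Standard query A www.example.com
224 11:15:00.453596 Standard query A azskifnhom.ikcharhrzksikbchlqef.com
308 11:35:01.022981 Standard query A mcnpznnijd.kangozip.com
314 11:35:01.424633 Standard query A mcnpznnijd.ikcharhrzksikbchlqef.com
403 11:55:01.743224 Standard query A csipqcvwam.kangozip.com
409 11:55:02.280471 Standard query A csipqcvwam.ikcharhrzksikbchlqef.com
493 12:15:02.740396 Standard query A atbioosgnd.kangozip.com
501 12:15:04.444407 Standard query A atbioosgnd.ikcharhrzksikbchlqef.com
550 12:20:00.000000 Standard query A mail.example.com
597 12:35:05.700195 Standard query A kujzbknbfk.kangozip.com
603 12:35:06.348892 Standard query A kujzbknbfk.ikcharhrzksikbchlqef.com
703 12:55:06.642058 Standard query A eidmryojkn.kangozip.com
735 12:55:23.615874 Standard query A eidmryojkn.ikcharhrzksikbchlqef.com
799 13:15:24.884872 Standard query A clisnadmyo.kangozip.com
810 13:15:28.315194 Standard query A clisnadmyo.ikcharhrzksikbchlqef.com
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+Standard query A\s+(\S+)\s*$")


def parse_queries(text):
    """Return [(time, fqdn)] for every line matching the quoted log format.
    Only the time of day is parsed, so a capture must not span midnight."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            queries.append((t, m.group(2).lower().rstrip(".")))
    return queries


def label_entropy(label):
    """Shannon entropy in bits per character; generated labels score high."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n)
                for c in set(label))


def analyze(queries, min_labels=4, tolerance_s=90.0, min_regular=0.6):
    """Per parent domain, record when each leftmost label was first queried.
    Parents with many distinct labels whose first sightings are spaced at a
    near-constant interval are reported with the estimated beacon period."""
    by_parent = defaultdict(dict)  # parent domain -> {label: first_seen}
    for t, fqdn in sorted(queries):
        parts = fqdn.split(".")
        if len(parts) < 3:
            continue
        by_parent[".".join(parts[1:])].setdefault(parts[0], t)

    findings = {}
    for parent, labels in by_parent.items():
        if len(labels) < min_labels:
            continue  # ordinary hosts reuse a handful of names
        times = sorted(labels.values())
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not gaps:
            continue
        median = sorted(gaps)[len(gaps) // 2]
        regular = sum(abs(g - median) <= tolerance_s for g in gaps) / len(gaps)
        findings[parent] = {
            "labels": len(labels),
            "mean_entropy": round(sum(map(label_entropy, labels)) / len(labels), 2),
            "period_s": round(median) if regular >= min_regular else None,
            "regular_fraction": round(regular, 2),
        }
    return findings


if __name__ == "__main__":
    for parent, info in analyze(parse_queries(SAMPLE_LOG)).items():
        print(parent, info)
```

On the constructed sample both parent domains are reported with a period of about 1200 seconds; kangozip.com gets a lower regular fraction because the 10:55 double query (azskifnhom queried two seconds after gmesxwrxpa) breaks one interval, while example.com is skipped for having only two labels. The label churn and the interval are the useful signals here; the entropy value is reported as supporting evidence only, since short dictionary words can score as high as generated strings.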
Whois on kangozip:
Domain Name.......... kangozip.com
Creation Date........ 2006-08-29 01:13:51
Registration Date.... 2006-08-29 01:13:51
Expiry Date.......... 2007-08-29 01:13:51
Organisation Name.... cheng li
Organisation Address. shang xi
Organisation Address.
Organisation Address. shang xi
Organisation Address. 345678
Organisation Address. LN
Organisation Address. CN
Admin Name........... cheng li
Admin Address........ shang xi
Admin Address........
Admin Address........ shang xi
Admin Address........ 345678
Admin Address........ LN
Admin Address........ CN
Admin Email..........
Admin Phone.......... +86.2123456789
Admin Fax............ +86.2112345678
Tech Name............ cheng li
Tech Address......... shang xi
Tech Address.........
Tech Address......... shang xi
Tech Address......... 345678
Tech Address......... LN
Tech Address......... CN
Tech Email...........
Tech Phone........... +86.2123456789
Tech Fax............. +86.2112345678
Bill Name............ cheng li
Bill Address......... shang xi
Bill Address.........
Bill Address......... shang xi
Bill Address......... 345678
Bill Address......... LN
Bill Address......... CN
Bill Email...........
Bill Phone........... +86.2123456789
Bill Fax............. +86.2112345678
Name Server.......... ns1.dns.com.cn
Name Server.......... ns2.dns.com.cn
and the IP address:
[bored@Fedora httpd]# whois 68.213.254.139
[Querying whois.arin.net]
[Redirected to rwhois.eng.bellsouth.net]
[Querying rwhois.eng.bellsouth.net]
[Unable to connect to remote host]
Temporary glitch no doubt.
kangozip.com (24.122.0.161)
[bored@thor 13aprilvirus]# whois 24.122.0.161
[Querying whois.arin.net]
[whois.arin.net]
COGECO Cable Canada Inc. RAPIDUS-02 (NET-24-122-0-0-1)
24.122.0.0 - 24.122.255.255
COGECO Cable Canada Inc. COQB-TR04 (NET-24-122-0-0-2)
24.122.0.0 - 24.122.63.255
# ARIN WHOIS database, last updated 2007-04-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Win-Trojan/Agent.19476 (antivirus vendor entry, machine-translated)
Aliases.............. Trojan-Downloader.Win32.Agent.bft, Generic.Malware.SWYdld.87D41066
Risk................. High
Spread risk.......... Low
Current spread....... Low
Type................. Trojan
Infection form....... Executable file
Infected OS.......... Windows
Infection route...... File execution, other malicious code
Domestic discovery... 2007-02-02
Detection............ Y
Repair............... Y
Repair engine........ 2007.02.03.00
Specific activity.... None