From: "Mike Easter" <MikeE@ster.invalid>

> ~BD~ wrote:
>
>> hxxp://radiolunaser.com/order2/Order.zip?to_client:boab_doc@hotmail.co.uk

>
> The payload is Order.zip.
>
> This is the result of testing that file at VirusTotal
>
> http://www.virustotal.com/file-scan/...f4b-1305032477
>
> The contents are an Order.Doc file which has 5/43 positives
>
> ClamAV Suspect.DoubleExtension-zippwd-12
> Kaspersky Trojan-Spy.Win32.SpyEyes.hdy
> NOD32 a variant of Win32/Kryptik.NON
> Sophos Mal/BredoZp-B
> VIPRE FraudTool.Win32.AVSoft (v)
>
> If you were so inclined, you could carefully examine the .doc.
>


Please stop feeding the BD troll.

You are also wrong. The file is NOT a DOC file, it is an EXE file:
Order.Doc_________________________________________ ______________________________.exe

Also, in the future, please obfuscate malicious URLs and don't use shortened URLs via Libya.

This malware copies itself to:
C:\Recycle.Bin\Recycle.Bin.exe
and creates:
C:\Recycle.Bin\config.bin

It hooks into many running processes.

It communicates with csgametome2.com via TCP port 444,
as well as uploading encrypted data via /~a?brvalg/g?ate.php

It creates a Mutex of: 2HiH8UlWBE0Me8DueMgM0VQKflf280p



--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp
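The point Dave makes above (an .exe padded with underscores so that only "Order.Doc" shows in a file dialog, the same trick ClamAV's "Suspect.DoubleExtension-zippwd" signature keys on) is easy to check for before anyone opens such an archive. The following is an added example and not code from the thread or any of its posters; it builds a sample zip in memory with a constructed lure name of the same shape (not the real Order.zip), then flags entries whose last extension is executable, whose "visible" extension is a document type, whose name is padded, or whose bytes start with an MZ header. Function names, the extension lists and the padding threshold are the example's own assumptions.

```python
import io
import zipfile

# Extensions a lure pretends to be, and extensions Windows will actually run.
# Both lists are assumptions for this example, not a complete set.
DOC_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
PAD_THRESHOLD = 8  # assumed: this many padding chars before the real extension is suspicious


def classify_name(name):
    """Return the reasons an archive entry name looks like a masqueraded executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    stem, dot, real = base.rpartition(".")
    if not dot or real.lower() not in EXEC_EXTS:
        return reasons
    real = real.lower()
    # Strip the filler (underscores, spaces, dashes, dots) used to push ".exe" out of view.
    stripped = stem.rstrip(" _-\t.")
    pad_len = len(stem) - len(stripped)
    _, dot2, fake = stripped.rpartition(".")
    if dot2 and fake.lower() in DOC_EXTS:
        reasons.append(f"double extension .{fake}.{real}")
    if pad_len >= PAD_THRESHOLD:
        reasons.append(f"{pad_len} padding characters before .{real}")
    return reasons


def looks_like_pe(head):
    """True if the first bytes carry the DOS 'MZ' stub every PE file starts with."""
    return head[:2] == b"MZ"


def scan_zip(blob):
    """Map each suspicious entry name in the archive bytes to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if info.flag_bits & 0x1:
                # Password-protected entry: the content cannot be inspected, which is
                # itself a signal when paired with a suspicious name.
                reasons.append("encrypted entry, content not inspectable")
            else:
                with zf.open(info) as fh:
                    if looks_like_pe(fh.read(2)):
                        reasons.append("MZ header (PE executable)")
            if reasons:
                findings[info.filename] = reasons
    return findings


# Constructed lure name with the same shape as the one in the thread (not the real file).
LURE_NAME = "Order.Doc" + "_" * 40 + " " + "_" * 30 + ".exe"


def build_sample_zip():
    """Construct a sample archive in memory: one lure, two benign entries (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # A minimal fake PE body: MZ stub followed by filler, enough for the header check.
        zf.writestr(LURE_NAME, b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100)
        zf.writestr("readme.txt", b"Nothing to see here.")
        zf.writestr("quarterly.final.docx", b"PK\x03\x04 not a real docx, just bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(repr(entry))
        for reason in why:
            print("   -", reason)
```

The name check and the content check are deliberately independent: a renamed lure with no padding still trips the double-extension rule, and a lure whose name slips past the extension lists still trips the MZ check. For a password-protected zip (the "zippwd" case in the ClamAV name) the content cannot be read, so the code records that instead of silently passing the entry.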