testusa.helohmar.com(malware hosted with United States Woodstock Fdcservers.net)

DNS Lookup
Host Name               IP Address
testusa.helohmar.com    76.73.36.42
api.ipinfodb.com        67.212.74.82
www.craigslist.org      208.82.236.208
geo.craigslist.org      208.82.236.208
Download URLs
http://67.212.74.82/v2/ip_query.php?key=4f7c7d0d524a3e9445217575619159f874a734aa16e97b87fc505f49de8e31a1&output=xml (api.ipinfodb.com)
http://208.82.236.208/ (www.craigslist.org)
http://208.82.236.208/ (www.craigslist.org)

Outgoing connection to remote server: testusa.helohmar.com port 8800
Outgoing connection to remote server: testusa.helohmar.com port 8800
Outgoing connection to remote server: testusa.helohmar.com TCP port 8800
Outgoing connection to remote server: api.ipinfodb.com TCP port 80
Outgoing connection to remote server: www.craigslist.org TCP port 80
Outgoing connection to remote server: www.craigslist.org TCP port 80

Registry Changes by all processes
Create or Open
Changes
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Tji771" = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
Reads
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"

File Changes by all processes
New Files
  C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
  C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\Desktop.ini
  \Device\RasAcd
Opened Files
Deleted Files
  C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
Chronological Order
  Set File Attributes: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
  Delete File: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
  Set File Attributes: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Copy File: c:\uk.exe to C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
  Create File: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\Desktop.ini
  Set File Attributes: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Info about the hosters:
http://whois.domaintools.com/76.73.36.42 United States Woodstock Fdcservers.net
http://whois.domaintools.com/208.82.236.208 United States San Francisco Craigslist Inc
http://whois.domaintools.com/67.212.74.82 Canada Laval Netelligent Hosting Services Inc

1 Comment

  • IPInfoDB says:

    The IP addresses 67.212.74.82 and 67.212.74.83 belong to our website IPInfoDB.com which provides a free service for IP GeoLocation. Unfortunately, being a free service, anyone can sign up for an account. So this particular account was used by the malware to get GeoLocation info about the infected PC. Upon detecting this abuse, we have blocked his account from accessing our services.

    If you need further assistance, please feel free to contact us at support(at)ipinfodb.com