I found this recently and though it was interesting enough to post.
It’s a http controlled botnet used to scan for voip servers.
Tells the C&C server it has installed
Requests an ip segement to scan
Downloads and installs python (Needed for the scanner)
IP range to be scanned is confirmed
Unrar utility is downloaded
Scanner is downloaded
The malware extracts the scanning scripts and starts scanning the ip range.
Discovered voip servers are then reported back to the C&C server.
The scanner is an open source python script https://code.google.com/p/sipvicious/
The malware is unencrypted and some info can be found from strings in it.
H:Program Files (x86)Microsoft Visual StudioVB98Sip Scannersip_scanner.vbp
Hosting infos: http://whois.domaintools.com/220.127.116.11