RE: New Trojan

["James C. Slora, Jr." <james.slora () phra com>]

I wrote:
> Downloads:
> http://vvv.goling2003.com:53/stop.bat
> http://vvv.goling2003.com:53/inf.ooo
> ftp.goling2003.com/ap216.exe (different type of log - URL may 
> be incomplete)

After examining source code, the ftp link above is correct.
ftp.goling.com no longer resolves on a lot of networks, which helps
mitigate the risk.

The latest exploit from the Coreflood author delivered two previously
undetected files. New names for these detections are listed below.

filename: inf[1].hta (downloaded as Inf.ooo, name changed in IE cache
due to HTA MIME type declaration from the hostile server)
result: This file is infected with Backdoor.Coreflood.d 
This file is a new version of the Backdoor.Coreflood.dr downloader. It
is a VB Script that downloads stop.bat via HTTP and ap216.exe via FTP. 

filename: ap216.exe (detected as Backdoor.Coreflood)
This file is the installer for Autoproxy and the botnet client. It's
packed with UPX.

filename: stop.bat
result: This file is infected with Trojan.KillAV 
This file attempts to kill a short list of AV and PF product services.

> I DO think that the "goling" and "chinesenaming" strings are 
> persistently relevant, and are not mere one-time distractions. 
>
> Block
> *.goling.com
> *.goling2003.com
> *.chinesenaming.com


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------