Sunday, August 28, 2011

Agent/Clicker/Delf

This multifaceted threat is clearly of Chinese origin; its starting MD5 is 39CDF84761FF16D6532484327FCF4112.
It downloads five components and creates a startup entry in the local Registry at:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International] -> W2KLpk
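A triage check for the persistence entry described above, written here as an added example and not part of the original post: it walks every loaded user hive under HKEY_USERS rather than only HKCU, reports any W2KLpk value under the Internet Explorer\International key, and, if the value data resolves to a file on disk (an assumption; the post does not say what the value holds), hashes that file for comparison with the MD5 given above.

```powershell
# Added example: hunt for the W2KLpk startup value described in the post.
# Assumption: the value data is a path (optionally quoted, with arguments) to the
# dropped component; the post does not state the value's contents, so the
# on-disk hash check is best-effort and a missing file is not by itself a miss.
$KnownMd5  = '39CDF84761FF16D6532484327FCF4112'   # starting MD5 from the post
$SubKey    = 'Software\Microsoft\Internet Explorer\International'
$ValueName = 'W2KLpk'

# HKEY_USERS covers every loaded user hive, so a check run from an
# administrative or IR account also sees other users' profiles.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
    $keyPath = Join-Path $hive.PSPath $SubKey
    if (-not (Test-Path $keyPath)) { continue }

    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $ValueName)) { continue }

    $data = [string]$props.$ValueName
    # Reduce "C:\path\file.exe" /args or C:\path\file.exe /args to the bare path.
    $candidate = ($data -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'

    $md5 = $null; $match = $false
    if ($candidate -and (Test-Path -LiteralPath $candidate -PathType Leaf)) {
        $md5   = (Get-FileHash -LiteralPath $candidate -Algorithm MD5).Hash
        $match = ($md5 -eq $KnownMd5)
    }

    [pscustomobject]@{
        Hive        = $hive.PSChildName   # user SID owning the hive
        ValueData   = $data
        FileOnDisk  = [bool]$md5
        MD5         = $md5
        MatchesPost = $match
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No $ValueName value found under $SubKey in any loaded user hive."
}
```

Any hit is worth preserving (export the key and collect the referenced file) before cleanup, since the value name and data are what ties the host back to this sample.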

This threat is a tracking tool that can be started with a single click from any of the following 22 Internet addresses:
