See: http://zulu.zscaler.com/submission/show/a352d544bd81e7fb43abe2e3bf05fee0-1346356118
See where we found the IDS alerts: http://urlquery.net/report.php?id=151978
Known BBot saved evidence of malcode GIF89aÿÿÿ!ù, Q now no longer responding…
Issues

1. Flows belonging to different hosts:

Date flow start          Duration  Proto  Src IP Addr:Port         Dst IP Addr:Port        Packets  Bytes  Flows
2012-04-30 11:58:43.566  0.064     TCP    88.68.128.202:52333  ->  195.177.255.135:80      6        932    1
2012-04-30 11:58:43.694  0.704     TCP    208.115.111.73:41379 ->  195.177.254.134:80      13       909    1
2012-04-30 11:58:43.566  0.320     TCP    193.169.4.3:45853    ->  85.199.168.207:80       22       2058   1
2012-04-30 11:58:43.694  0.000     TCP    62.216.176.91:80     ->  217.7.17.165:54204      5        1328   1
2012-04-30 11:58:30.126  16.576    TCP    92.226.74.114:49961  ->  62.216.176.7:80         5        236    1
2012-04-30 11:58:43.566  3.264     TCP    62.216.176.8:80      ->  89.166.146.69:50138     31       39882  1

Data from a lecture by Sebastian Abt on "Selected Research in Network-based Malware and Botnet Detection"

2. I get a WebKnight Application Firewall Alert for a lookup on http://hosts-file.net/?s=62.216.176.7; the IP does not resolve there...

3. See: http://www.scanurls.com/report/12588 (nothing out of the ordinary given there)

4. Site puts Salfeld's Child Control into the registry as [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ksupmgr], benign as far as I am aware; heuristic finds for this, see: http://r.virscan.org/1a2786a5a4c3c4119c683eb220afdbde
That’s all for what it’s worth,
greets,
polonus
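The flow table in the post shows six records that touch six different server-side hosts, with only three of them involving the 62.216.176.0/24 range the post is looking at. The following added example (written for this page, not code from the post or from the lecture it quotes) parses nfdump-style flow lines of that shape, groups them by the endpoint on the well-known port, and filters them to a network of interest. The sample records are the six lines from the post; the function names, the `Flow` class, the "port below 1024 is the server side" heuristic and the `/24` filter are this example's own assumptions.

```python
"""Parse nfdump-style flow records and group them by server-side host.

Added example, not code from the original post. SAMPLE_FLOWS is the table
quoted in the post; parsing and grouping logic below are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The six records quoted in the post (header line included, as nfdump prints it).
SAMPLE_FLOWS = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2012-04-30 11:58:43.566 0.064 TCP 88.68.128.202:52333 -> 195.177.255.135:80 6 932 1
2012-04-30 11:58:43.694 0.704 TCP 208.115.111.73:41379 -> 195.177.254.134:80 13 909 1
2012-04-30 11:58:43.566 0.320 TCP 193.169.4.3:45853 -> 85.199.168.207:80 22 2058 1
2012-04-30 11:58:43.694 0.000 TCP 62.216.176.91:80 -> 217.7.17.165:54204 5 1328 1
2012-04-30 11:58:30.126 16.576 TCP 92.226.74.114:49961 -> 62.216.176.7:80 5 236 1
2012-04-30 11:58:43.566 3.264 TCP 62.216.176.8:80 -> 89.166.146.69:50138 31 39882 1
"""

# One record: start time, duration, proto, src:port -> dst:port, packets, bytes, flows.
FLOW_RE = re.compile(
    r"^(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<duration>\d+\.\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    start: str
    duration: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int

    def server_ip(self) -> str:
        """Assumption: the endpoint on a well-known port (< 1024) is the server side."""
        return self.src if self.sport < 1024 else self.dst


def parse_flows(text: str) -> list:
    """Parse every line that matches the nfdump record layout; skip headers and noise."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        flows.append(Flow(g["start"], float(g["duration"]), g["proto"],
                          g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                          int(g["packets"]), int(g["bytes"])))
    return flows


def flows_by_server(flows) -> dict:
    """Group flows by server-side IP; the key count shows how many hosts are mixed in."""
    groups = defaultdict(list)
    for f in flows:
        groups[f.server_ip()].append(f)
    return dict(groups)


def flows_involving(flows, network: str) -> list:
    """Keep only flows with either endpoint inside the given network (CIDR)."""
    net = ip_network(network)
    return [f for f in flows if ip_address(f.src) in net or ip_address(f.dst) in net]


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for server, group in sorted(flows_by_server(parsed).items()):
        print(f"{server:16} {len(group)} flow(s), {sum(f.bytes for f in group)} bytes")
    print("flows touching 62.216.176.0/24:", len(flows_involving(parsed, "62.216.176.0/24")))
```

Run as a script it lists one line per server-side host (six of them for the quoted table) and then the count of flows that involve the 62.216.176.0/24 range; the same two functions can be pointed at any nfdump text dump with the same column layout.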