Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..
> Among other things (password stealer), this BHO has backdoor and
> "botnet" capabilities, implementing several remote commands:
> + upload
> + run
> + update
> ...
Yeah, I love the KILLWINANDREBOOT command, which will basically delete
NTLDR and NTDETECT.COM before rebooting Windows ...
> Watch out for unexpected http traffic containing
> commandack.php,mailwab.php..
Embedded URLs are :
http://58.65.234.73/~mjakson
http://58.65.234.73/~mjakson/mail.php
http://58.65.234.73/~mjakson/newuser.php
http://58.65.234.73/~mjakson/commandack.php
http://58.65.234.73/~mjakson/mailwab.php
http://58.65.234.73/~mjakson/command.php
http://58.65.234.73/~mjakson/upload.php
You can also easily guess the following URL :
http://58.65.234.73/~mjakson/admin.php
Best course of action for sysadmins would be to block at least this IP.
The site seems to be hosted in a server farm near Hong Kong.
On March, 14th at 20:00 GMT the site was still up and running.
Very nice piece of malware indeed ...
Regards,
- Nicolas RUFF