Friday, February 17, 2012

And another one:

In the same fashion, I got an e-mail today allegedly from to give me some information about a reservation I had made. Or so it was written.

Again, a zip file is attached that contains an executable. Here are the md5 hash values:

46ea3e441be4ba82fa2d059a5ca45f23  Booking-Com-Reservation.exe

It uses the same host (

Interestingly enough, there is either a timer or a wait for the next reboot: after a reboot and having waited for a while, there was some activity to a site in Germany ( to get /services/images/servicesa.exe (md5sum: 8d39f983e08f68ca4ccb3a92f5e4a7ac). This file is not recognized as malware by any antivirus (VirusTotal report).

When rebooted one more time, the machine followed the same cycle: a request to Google, resolution of, POST /was/tnk.php. I stopped there, but I suspect that the machine would probably do something after a while, which I will try this weekend.
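As an added example (not code from the post), here is a small Python checker built from the indicators reported above: the two MD5 values, the executable-inside-a-zip lure, and the two request paths, run over constructed proxy log lines. The hostnames in the log are placeholders, since the post's hosts are not shown.

```python
import hashlib, io, re, zipfile

# Indicators from the post: MD5 of the two samples and the two URI paths seen in the
# traffic. The hosts are not on the page, so the log below uses placeholder hostnames.
KNOWN_MD5 = {
    "46ea3e441be4ba82fa2d059a5ca45f23": "Booking-Com-Reservation.exe",
    "8d39f983e08f68ca4ccb3a92f5e4a7ac": "servicesa.exe",
}
SUSPICIOUS_REQUESTS = {
    ("POST", "/was/tnk.php"): "check-in to the controller",
    ("GET", "/services/images/servicesa.exe"): "second-stage download",
}
# Constructed proxy log: "epoch client method url status" (placeholder hosts).
SAMPLE_LOG = """\
1329494400.101 10.0.0.5 GET http://www.google.com/ 200
1329494401.555 10.0.0.5 POST http://c2-host.example/was/tnk.php 200
1329494530.002 10.0.0.5 GET http://dropsite.example/services/images/servicesa.exe 200
1329494531.777 10.0.0.7 GET http://intranet.example/index.html 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")

def scan_log(text):
    """Return (client, method, path, label) for each line matching a known method+path."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Match on the path only: the hosts may change between campaigns.
        path = re.sub(r"^[a-z]+://[^/]+", "", m.group("url"))
        key = (m.group("method"), path)
        if key in SUSPICIOUS_REQUESTS:
            hits.append((m.group("client"), key[0], path, SUSPICIOUS_REQUESTS[key]))
    return hits

def executable_members(zip_bytes):
    """Member names in a zip attachment that carry an executable extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith((".exe", ".scr", ".com", ".pif"))]

def check_attachment(data):
    """MD5 the extracted file and return the known sample name, or None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())

def make_sample_zip():
    """Constructed zip with the lure's file name; the content is dummy bytes, not the malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Booking-Com-Reservation.exe", b"MZ constructed placeholder")
    return buf.getvalue()
```

Hash matching only catches these exact samples; the path-based rule is what survives a repacked executable, which is why the two checks are kept separate.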
