Thursday, February 16, 2012

And another one: booking.com

In the same fashion, I got an e-mail today, allegedly from booking.com, giving me some information about a reservation I had made. Or so it is written.

Again, a zip file is attached that contains an executable. Here are the MD5 hash values:

46ea3e441be4ba82fa2d059a5ca45f23  Booking-Com-Reservation.exe
e877998eef741bc7ed688584ed7595b6  Booking-Reservation-Details-NUM930833336.zip

It uses the same host (yerurr.com).

Interestingly enough, there is either a timer or a wait for the next reboot: after a reboot and having waited for a while, there was some activity to a site in Germany (www.floodwave.de) to get /services/images/servicesa.exe (md5sum: 8d39f983e08f68ca4ccb3a92f5e4a7ac). This file is not recognized as malware by any antivirus (VirusTotal report).

When rebooted one more time, the machine followed the same cycle: a request to Google, resolution of yerurr.com, then a POST to /was/tnk.php. I stopped there, but I suspect that the machine would probably do something more after a while, which I will try to confirm this weekend.
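As an added example (not part of the original post), here is a small Python correlation over proxy log lines that flags hosts showing the cycle described above: the POST to /was/tnk.php on yerurr.com, and the later servicesa.exe download from www.floodwave.de. The log format, client addresses and timestamps are constructed for the example; only the hostnames and paths come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the post: the check-in host and path seen after each
# reboot, and the second-stage download observed later.
C2_HOST = "yerurr.com"
C2_PATH = "/was/tnk.php"
STAGE2_HOST = "www.floodwave.de"
STAGE2_PATH = "/services/images/servicesa.exe"

# Constructed proxy log lines; format assumed: "time client method host path".
# The initial request to Google is deliberately not used as an indicator:
# on its own it is far too common to be worth alerting on.
SAMPLE_LOG = """\
2012-02-16T10:00:01 10.0.0.5 GET www.google.com /
2012-02-16T10:00:02 10.0.0.5 POST yerurr.com /was/tnk.php
2012-02-16T10:00:03 10.0.0.7 GET www.google.com /
2012-02-16T10:40:00 10.0.0.5 GET www.floodwave.de /services/images/servicesa.exe
2012-02-16T11:00:00 10.0.0.9 GET www.floodwave.de /services/images/index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")

def parse(log):
    """Yield (timestamp, client, method, host, path) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, path = m.groups()
            yield datetime.fromisoformat(ts), client, method, host, path

def find_infected(log, window=timedelta(hours=2)):
    """Return {client: [reasons]} for clients matching the observed behaviour."""
    hits = defaultdict(list)
    checkins = defaultdict(list)   # client -> timestamps of C2 check-ins
    for ts, client, method, host, path in parse(log):
        if method == "POST" and host == C2_HOST and path == C2_PATH:
            checkins[client].append(ts)
            hits[client].append("c2 check-in")
        if host == STAGE2_HOST and path == STAGE2_PATH:
            reason = "stage-2 download"
            # Stronger signal when the download follows a check-in from the same client.
            if any(timedelta(0) <= (ts - t) <= window for t in checkins[client]):
                reason += " after check-in"
            hits[client].append(reason)
    return dict(hits)

if __name__ == "__main__":
    for client, reasons in find_infected(SAMPLE_LOG).items():
        print(client, "->", ", ".join(reasons))
```

Other hosts fetching unrelated content from www.floodwave.de (as 10.0.0.9 does above) are not flagged, since only the exact second-stage path is treated as an indicator.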