About three weeks ago Avelino Rico Jr over at the McAfee Labs blog reported on a new rogue security program called Malware Doctor.
This morning my honeypot caught Malware Doctor and some additional malware installing by exploiting a security. I've pasted the FreeFixer log and marked the malware item in red:
FreeFixer v0.41 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-06-23 23:14

System policies
HKCU\..\policies\system, DisableTaskMgr = 1
HKCU\..\policies\system, DisableRegistryTools = 1

Browser Helper Objects
{AFF01325-0FC2-4749-8914-FBF0565AD9CC}, Chrome copyright, jbnmck.dll (file is missing)

Registry Startups
HKLM\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe

Processes (17 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program\FreeFixer\freefixer.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe

Services (34 whitelisted)
avast!Antivirus, , c:\windows\system32\avast!antivirus.exe

Recently modified files (1 whitelisted)
16 minutes, c:\Documents and Settings\LocalService\Application Data\1361538659.exe
16 minutes, c:\WINDOWS\system32\jbnmck.dll
16 minutes, c:\WINDOWS\system32\avast!Antivirus.exe
16 minutes, c:\WINDOWS\Temp\wpv521245837260.exe
7 days, c:\Program\FreeFixer\freefixer.exe
36 days, c:\Program\FreeFixer\Uninstall.exe
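The log above contains several generic signs of a rogue install besides the Malware Doctor entry itself: policies that disable Task Manager and the registry editor, a Browser Helper Object whose DLL is already gone, Run keys that point into a service account's Application Data folder, and a cluster of files written to system32 and Temp within the last few minutes, two of which are also running. The script below is an added example, not FreeFixer's own code; it splits a FreeFixer log into its sections and applies those heuristics. The section names are taken from the log above, the rule names and the choice of "suspicious" directories are my own assumptions, and the sample input is the log from this post.

```python
"""Parse a FreeFixer log and flag generic rogue-install indicators (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Section headers as they appear in the FreeFixer log above; "(N whitelisted)" suffixes are ignored.
SECTION_HEADERS = ("System policies", "Browser Helper Objects", "Registry Startups",
                   "Processes", "Services", "Recently modified files")

# Policies rogues set to lock the user out of recovery tools (both are 1 in the log above).
LOCKOUT_POLICIES = ("DisableTaskMgr", "DisableRegistryTools")

# Assumption: a legitimate autostart rarely lives in profile data or temp directories.
SUSPICIOUS_DIRS = re.compile(r"\\(application data|local settings|temp)\\", re.IGNORECASE)

# Sample input: the FreeFixer log from this post (raw string because of the backslashes).
SAMPLE_LOG = r"""FreeFixer v0.41 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-06-23 23:14
System policies
HKCU\..\policies\system, DisableTaskMgr = 1
HKCU\..\policies\system, DisableRegistryTools = 1
Browser Helper Objects
{AFF01325-0FC2-4749-8914-FBF0565AD9CC}, Chrome copyright, jbnmck.dll (file is missing)
Registry Startups
HKLM\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe
Processes (17 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program\FreeFixer\freefixer.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
Services (34 whitelisted)
avast!Antivirus, , c:\windows\system32\avast!antivirus.exe
Recently modified files (1 whitelisted)
16 minutes, c:\Documents and Settings\LocalService\Application Data\1361538659.exe
16 minutes, c:\WINDOWS\system32\jbnmck.dll
16 minutes, c:\WINDOWS\system32\avast!Antivirus.exe
16 minutes, c:\WINDOWS\Temp\wpv521245837260.exe
7 days, c:\Program\FreeFixer\freefixer.exe
36 days, c:\Program\FreeFixer\Uninstall.exe
"""


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Split a FreeFixer log into {section name: [entry lines]}; header preamble is skipped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = next((h for h in SECTION_HEADERS if line.startswith(h)), None)
        if header is not None:
            current = header
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def flag_indicators(log: str) -> List[Tuple[str, str]]:
    """Return (rule, log entry) pairs for every heuristic hit in the log."""
    s = parse_sections(log)
    findings: List[Tuple[str, str]] = []
    for entry in s.get("System policies", []):
        if any(f"{p} = 1" in entry for p in LOCKOUT_POLICIES):
            findings.append(("lockout-policy", entry))
    for entry in s.get("Browser Helper Objects", []):
        if "(file is missing)" in entry:
            findings.append(("bho-missing-file", entry))
    for entry in s.get("Registry Startups", []):
        target = entry.split(" = ", 1)[-1]          # value data after "Name = "
        if SUSPICIOUS_DIRS.search(target):
            findings.append(("autostart-in-profile-dir", entry))
    recent_paths: List[str] = []
    for entry in s.get("Recently modified files", []):
        age, _, path = entry.partition(", ")        # e.g. "16 minutes", "c:\..."
        if age.endswith("minutes") or age.endswith("hours"):
            findings.append(("recently-modified", entry))
            recent_paths.append(path.lower())
    # A running process whose image was written minutes ago deserves a closer look.
    for proc in s.get("Processes", []):
        if proc.lower() in recent_paths:
            findings.append(("running-recent-binary", proc))
    return findings


def count_by_rule(log: str) -> Dict[str, int]:
    """Summarise findings as {rule: hits}, convenient for a quick triage glance."""
    return dict(Counter(rule for rule, _ in flag_indicators(log)))


if __name__ == "__main__":
    for rule, entry in flag_indicators(SAMPLE_LOG):
        print(f"{rule:26} {entry}")
```

Run against the log above, the script reports the two lockout policies, the missing-file BHO, both Malware Doctor Run entries, the four files modified sixteen minutes earlier, and two running processes (1361538659.exe and the system32 avast!Antivirus.exe) whose images are among those fresh files; the MSMSGS entry and the older FreeFixer files produce no hits. The path comparison is case-insensitive because FreeFixer prints the same directories with differing case in different sections.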