Blog for hpHosts, and whatever else I feel like writing about ....

Thursday 25 February 2010

Alert: tracox.pwnz.org, r30686.ovh.net

I was notified earlier about tracox.pwnz.org, which has been reported as a botnet C&C for the Spybot.AVEO infection (Trend Micro has it pegged as WORM_IRCBOT.ABJ). After reading up on this, I'd strongly urge everyone to blackhole it ASAP.

Trend Micro's writeup also has a reference to its contacting r30686.ovh.net (yep, OVH again), which resides at 87.98.173.190, so I'd suggest blackholing that one too. This IP houses:

irc.camelug.it
poker-974.com
r30686.ovh.net
tracox.pwnz.org

Not only does this worm steal gaming-related details from the infected computer, it also monitors for specific sites such as banks, PayPal, RapidShare etc., and attempts to spread across network shares.
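As an added example (not from the original post), here is a small defender-side check that scans log lines for the four hostnames and the OVH IP listed above, matching subdomains too, and emits hosts-file blackhole entries. The log lines are constructed samples, and the 127.0.0.1 loopback form for hosts entries is an assumption (0.0.0.0 works as well).

```python
import re

# Indicators quoted in the post (Trend Micro writeup; OVH host 87.98.173.190).
C2_HOSTS = {"tracox.pwnz.org", "r30686.ovh.net", "irc.camelug.it", "poker-974.com"}
C2_IPS = {"87.98.173.190"}

# Constructed sample log lines (not real captures): a DNS query log and a firewall log.
SAMPLE_LOGS = [
    "2010-02-25T10:01:03 dns query 10.0.0.12 A tracox.pwnz.org",
    "2010-02-25T10:01:04 fw conn 10.0.0.12:51322 -> 87.98.173.190:6667 tcp",
    "2010-02-25T10:02:11 dns query 10.0.0.31 A www.example.com",
    "2010-02-25T10:03:47 dns query 10.0.0.44 A irc.camelug.it",
    "2010-02-25T10:04:00 fw conn 10.0.0.31:44010 -> 93.184.216.34:443 tcp",
]

# Dotted hostname (letters-only TLD) and dotted-quad IPv4 address.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_c2_host(name):
    """True if name is one of the indicators or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in C2_HOSTS)


def match_line(line):
    """Return the indicators hit by one log line (empty list = clean)."""
    hits = [h for h in HOST_RE.findall(line) if is_c2_host(h)]
    hits += [ip for ip in IP_RE.findall(line) if ip in C2_IPS]
    return hits


def scan(lines):
    """Return (line, hits) pairs for every line that touches an indicator."""
    return [(line, match_line(line)) for line in lines if match_line(line)]


def hosts_file_entries():
    """Blackhole entries in hosts-file form (loopback target assumed)."""
    return ["127.0.0.1\t" + h for h in sorted(C2_HOSTS)]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS):
        print("HIT", hits, "<-", line)
    print("\n".join(hosts_file_entries()))
```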

You can read the full details on this one at:

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=WORM_IRCBOT.ABJ
http://en.securitylab.ru/viruses/391068.php

Finland's CERT also has a writeup (translated) referencing the OVH IP as being part of the "Chuck Norris" infection:

http://www.cert.fi/tietoturvanyt/2010/02/ttn201002231554.html

Incidentally, if anyone has a sample of this, please drop me an e-mail.
