Security Incidents mailing list archives

Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3


From: Axel Pettinger <api () epost de>
Date: Mon, 12 Jul 2004 13:02:53 +0200

"Humes, David G." wrote:

> Starting around July 8th we noticed workstations trying to access
> 67.109.249.3 on port 80 and do a
>
> GET /download/IEService215.chm HTTP/1.1
>
> Analysis of the users' browsing activity did not reveal any pattern
> that would suggest that the activity was user-initiated.  We suspect
> that this is something trying to "phone home", but not sure quite
> what.  A reverse lookup of the IP just returns
> 67.109.249.3.ptr.us.xo.net, and whois just tells me that it belongs to
> XO.  Has anyone else seen this and know what it is?

The CHM file is according to Kaspersky a trojan downloader called
"TrojanDownloader.VBS.Psyme.ak". It makes use of IE's ADODB problem to
download and execute a trojan called "Trojan.Win32.StartPage.kf".
Detection added last Saturday.

The funny thing is that NAI's virus research lab (APAC) decided to call
the "StartPage trojan" (only) a "potentially unwanted application" named
"FindFast" ... Detection via "extra.dat" at the moment, probably later
today in their DailyDAT files.

BTW, is the patch for MS04-013 installed on the workstations you
mentioned?

Regards,
Axel Pettinger
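Detection logic for the indicator discussed in this thread, as an added example that is not part of either poster's message: it flags proxy log lines requesting the path from 67.109.249.3 named above, any other request to that host, and any other CHM fetched from a web server (the delivery vehicle MS04-013 addresses). The log format it parses and the sample lines are constructed assumptions.

```python
# Added example (not from the thread's authors): flag proxy log lines for the
# IEService215.chm activity. Log format is an assumption; sample lines constructed.
import re
from collections import Counter

SUSPECT_HOST = "67.109.249.3"                 # from the thread
SUSPECT_PATH = "/download/IEService215.chm"   # from the thread

# Assumed format: "<timestamp> <client_ip> <METHOD> <url> <status>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/[^?#]*)?")

def classify(line):
    """Return the reasons a log line is suspicious (empty list if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    u = URL_RE.match(m.group(4))
    if not u:
        return []
    host, path = u.group(1), u.group(2) or "/"
    if host == SUSPECT_HOST and path == SUSPECT_PATH:
        return ["known IEService215.chm phone-home request"]
    if host == SUSPECT_HOST:
        return ["other request to 67.109.249.3"]
    if path.lower().endswith(".chm"):
        # CHM pulled from a web server: the delivery vehicle MS04-013 addresses
        return ["CHM download from external host"]
    return []

def scan(lines):
    """Return (hits, per_client): flagged (client, url, reasons) and hit counts."""
    hits, per_client = [], Counter()
    for line in lines:
        reasons = classify(line)
        if reasons:
            client, url = LINE_RE.match(line.strip()).group(2, 4)
            hits.append((client, url, reasons))
            per_client[client] += 1
    return hits, per_client

# Constructed sample log lines, not real traffic
SAMPLE_LOG = [
    "2004-07-08T09:14:02 10.1.2.15 GET http://67.109.249.3/download/IEService215.chm 200",
    "2004-07-08T09:14:09 10.1.2.15 GET http://www.example.com/index.html 200",
    "2004-07-08T09:20:41 10.1.2.77 GET http://67.109.249.3/download/IEService215.chm 200",
    "2004-07-08T09:21:00 10.1.2.77 GET http://67.109.249.3/ 404",
    "2004-07-08T10:02:13 10.1.2.90 GET http://cdn.example.net/help/readme.chm 200",
]
```

Calling `scan(SAMPLE_LOG)` returns the four flagged lines and a per-workstation count, which is the pivot needed to list affected hosts for patch verification.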

