UPDATE:

The file is compressed with professional software (Armadillo), making the unpacking process almost impossible. Once executed, the file uses some in-memory protection by running these two processes. (screenshot)

--------

Fresh from our HoneyPot we discovered a malware site using a typo in its domain name. The site youtorube.com will push a fake video codec, on what appears to be a YouTube page (in Italian). (screenshot)

The domain is registered to: (screenshot)

Pretty soon after running the fake codec, I observed IRC traffic with the same IP address: (screenshot)

This lets me know that I am part of an IRC channel: (screenshot)

The IRC server's IP (87.98.184.231) has some interesting connections, including a "p0nwed.de" domain. Hmm... ;-) (screenshot)

I attempted to connect to that IRC channel manually; however, the channel requires a key... In other words, I am not welcome. (screenshot)

Further analysis of the malware binary may reveal the channel's key hard-coded. The file itself is detected as: (screenshot)

Our Heuristic engine already detected it as: (screenshot)

However, at that point I have aggregated enough data to determine that this 'codec' actually turns your machine into a Bot, which is not a good thing.

Jerome Segura

Malware ID: f028c315649b7319e8ef2cc22dc67690.zip
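The typo-squatted domain in the post is the kind of lure a DNS log check can surface. The following is an added example, not the author's code: a Levenshtein-distance detector run over constructed DNS query lines, with a hypothetical brand watch list and a crude last-two-labels domain reduction as its assumptions.

```python
"""Flag DNS queries for domains that are a few edits away from a watched brand."""
from __future__ import annotations

# Hypothetical watch list of brand domains to protect (assumption).
WATCHLIST = ["youtube.com", "google.com", "paypal.com"]

# Constructed sample DNS query log: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2008-02-01T10:00:01 10.0.0.5 www.youtube.com
2008-02-01T10:00:07 10.0.0.5 youtorube.com
2008-02-01T10:00:09 10.0.0.5 p0nwed.de
2008-02-01T10:01:12 10.0.0.8 paypa1.com
2008-02-01T10:02:30 10.0.0.8 mail.google.com
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) via a rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(name: str) -> str:
    """Reduce a name to its last two labels (crude stand-in for a public suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_typosquats(log: str, watchlist=WATCHLIST, max_distance: int = 2) -> list[tuple[str, str, int]]:
    """Return (queried_name, brand, distance) for names close to, but not equal to, a brand."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        name = parts[2]
        reg = registered_domain(name)
        if reg in watchlist:
            continue  # the brand itself or one of its subdomains
        for brand in watchlist:
            d = levenshtein(reg, brand)
            if d <= max_distance:
                hits.append((name, brand, d))
    return hits


if __name__ == "__main__":
    for name, brand, d in find_typosquats(SAMPLE_LOG):
        print(f"ALERT {name} resembles {brand} (edit distance {d})")
```

A real deployment would swap the two-label reduction for a public suffix list and tune the distance threshold per brand length to keep false positives down.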