Comments on contagio: Nov 2012 - Backdoor.W32.Makadocs Sample
Blog author: Mila (http://www.blogger.com/profile/09472209631979859691)
Comment feed last updated: 2024-02-18T03:42:38.869-05:00

Comment by SteveK, posted 2012-12-21T00:13:31.386-05:00:

Hi Mila

Also connects to www.msupdatecdn.com for proxying.
Not sure if it uses these also... but decodes it in memory.
www.stocksengine.net
cdn.akamaihub.com:443
83.222.226.158, which is the current resolved IP for akamai above.

Also, the command it executes above has a spello:
net.exe group "Admins. do Domfnio" /domain

Interested to know how it is taking control and injecting into IE. I did not note the inject memory; however, I did notice IE being launched to call out. How? I am unsure at this stage.