Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..

> Among other things (password stealer), this BHO has backdoor and
> "botnet" capabilities, implementing several remote commands:
> + upload
> + run
> + update
> ...

Yeah, I love the KILLWINANDREBOOT command, which will basically delete
NTLDR and NTDETECT.COM before rebooting Windows ...


> Watch out for unexpected http traffic containing
> commandack.php, mailwab.php..

Embedded URLs are:
http://58.65.234.73/~mjakson
http://58.65.234.73/~mjakson/mail.php
http://58.65.234.73/~mjakson/newuser.php
http://58.65.234.73/~mjakson/commandack.php
http://58.65.234.73/~mjakson/mailwab.php
http://58.65.234.73/~mjakson/command.php
http://58.65.234.73/~mjakson/upload.php

You can also easily guess the following URL:
http://58.65.234.73/~mjakson/admin.php

Best course of action for sysadmins would be to block at least this IP.

The site seems to be hosted in a server farm near Hong Kong.
On March 14th at 20:00 GMT the site was still up and running.

Very nice piece of malware indeed ...

Regards,
- Nicolas RUFF
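A defender-side check for the indicators in this message (the C2 host and the script paths), run over proxy log lines, as an added example that is not part of the original post. The squid-style log layout and the sample lines are constructed for the example; the IP and paths are the ones listed above.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the C2 host and the script paths the BHO contacts.
C2_HOST = "58.65.234.73"
C2_PATHS = {
    "/~mjakson/mail.php", "/~mjakson/newuser.php", "/~mjakson/commandack.php",
    "/~mjakson/mailwab.php", "/~mjakson/command.php", "/~mjakson/upload.php",
}
# Script names alone are a weaker signal: the same bot code may be pointed at a new host.
C2_SCRIPT_NAMES = {"commandack.php", "mailwab.php"}

# Assumed squid-style access.log layout (constructed): <ts> <elapsed> <client> <result> <bytes> <method> <url> ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def classify(url):
    """Return (severity, reason) for one request URL, or (None, '') if it matches nothing."""
    parts = urlsplit(url)
    if parts.hostname == C2_HOST:
        return "high", "known C2 host"
    if parts.path in C2_PATHS:
        return "high", "known C2 path on another host"
    if parts.path.rsplit("/", 1)[-1] in C2_SCRIPT_NAMES:
        return "low", "C2 script name on another host"
    return None, ""

def scan_log(lines):
    """Return one hit dict per matching request; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        severity, reason = classify(m.group("url"))
        if severity:
            hits.append({"client": m.group("client"), "url": m.group("url"),
                         "severity": severity, "reason": reason})
    return hits

# Constructed sample traffic: a direct C2 check-in, a clean request,
# a known path moved to a new host, and a lone script name elsewhere.
SAMPLE_LOG = [
    "1173902400.101 45 10.0.0.5 TCP_MISS/200 512 POST http://58.65.234.73/~mjakson/commandack.php - DIRECT/58.65.234.73 text/html",
    "1173902401.202 30 10.0.0.7 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html",
    "1173902402.303 51 10.0.0.9 TCP_MISS/200 300 POST http://203.0.113.10/~mjakson/upload.php - DIRECT/203.0.113.10 text/html",
    "1173902403.404 29 10.0.0.11 TCP_MISS/404 180 GET http://203.0.113.20/cgi-bin/mailwab.php - DIRECT/203.0.113.20 text/html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['client']} -> {hit['url']} ({hit['reason']})")
```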
