
VIRUS!

Name: Anonymous 2008-01-11 22:29

Ok, /prog/, let's see if anyone here is any good at all.
Here is a virus (or some sort of other windows exploit, probably to pwn your machine and add it to some asian botnet): http://59.39.66.84/test.exe

My advice would be to not run this, except maybe under vmware or something.
It's recent enough (the PE header says Monday the 7th of January 2008, so only a few days old). That's as far as I could get... all symbols are stripped, .text section contains only the usual references to kernel32, GetProcAddress and so on. Only kernel32.dll and shell32.dll are imported. That's about all I could find out ('cause I'm a n00b at such stuff).

So, anyone in /prog/ 1337 hax0r or something and able to reverse engineer this thing? I'd love to know what it does :-P
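A defender's triage of the two things the post read off the sample (the COFF TimeDateStamp and the imported DLL names), as an added example that is not from this thread; it parses a constructed minimal PE32 built inline rather than the file linked above, and the builder's layout values (section RVA 0x1000, file offset 0x200) are assumptions.

```python
import struct
from datetime import datetime, timezone

def pe_triage(data: bytes) -> dict:
    """Return the COFF TimeDateStamp and the imported DLL names of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: skip Machine; read NumberOfSections, TimeDateStamp, SizeOfOptionalHeader
    nsect, stamp, opt_size = struct.unpack_from("<2xHI8xH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B PE32, 0x20B PE32+
    imp_rva = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96) + 8)[0]
    sections = [struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
                for i in range(nsect)]
    def rva2off(rva):  # map an RVA to a file offset through the section table
        for _, vsize, va, rawsize, rawptr, *_ in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} not mapped by any section")

    dlls = []
    if imp_rva:                                                 # data directory[1] = imports
        off = rva2off(imp_rva)
        while any((desc := struct.unpack_from("<IIIII", data, off))):  # all-zero entry ends list
            name_off = rva2off(desc[3])                         # IMAGE_IMPORT_DESCRIPTOR.Name
            dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
            off += 20
    return {"timestamp": datetime.fromtimestamp(stamp, timezone.utc), "dlls": dlls}

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real binary): 2008-01-07 stamp, imports kernel32 and
    shell32, section RVA 0x1000 backed by file offset 0x200 so the RVA mapping is exercised."""
    stamp = int(datetime(2008, 1, 7, tzinfo=timezone.utc).timestamp())
    names = b"kernel32.dll\0shell32.dll\0"
    descs = struct.pack("<IIIII", 0, 0, 0, 0x1000 + 60, 0)      # Name RVA -> "kernel32.dll"
    descs += struct.pack("<IIIII", 0, 0, 0, 0x1000 + 73, 0)     # Name RVA -> "shell32.dll"
    descs += bytes(20)                                          # terminator
    idata = (descs + names).ljust(0x200, b"\0")
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, 0x1000, len(descs))    # import directory entry
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), 0x1000, len(idata), 0x200,
                       0, 0, 0, 0, 0x40000040)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + idata
```

Run `pe_triage` over the bytes of a real sample to get the same two facts the post reports; a timestamp that is days old or does not match the file's apparent origin is a useful triage signal on its own.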

Name: Anonymous 2008-01-11 23:07

It attempts to register itself with my botnet via the three IP addresses embedded within itself; it does this by injecting a driver into the kernel space (with functions from ntdll, which is inherited from kernel32), and then uses the raw kernel-mode functionality to connect over the network.

It then scans the list of running processes (ZwQuerySystemInfo, if you're curious) for IIS or Apache. If it finds either running, it hijacks the pages served by embedding a JavaScript script which takes advantage of this exploit: http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx. It's old, but it works. With this, it tricks the clients connecting to it into downloading a modified version of the virus from itself.

This is where the trick comes in. Remember how I said it had 3 IP addresses? One of these is the address of the parent it spawned from, two of them are other nodes in the net. As the zombie host sends out more copies of the virus, it not only keeps track of its children, but it arbitrarily changes the two extra IP addresses embedded within the distributed virus, essentially passing out random "known" infected IP addresses.

This has the effect of convoluting the infection graph, adding cycles and destroying the damningly fragile tree structure, giving an extra sense of redundancy.

Don't worry, once I'm done with it I'll trigger the "extra payload." Wouldn't want to do that until I need to though, there's no point in breaking a perfectly good botnet :)
