[Emerging-Sigs] Signature for Trojan:Win32/Comotor.A!dll

Martin Holste mcholste at gmail.com
Wed Oct 20 14:42:15 EDT 2010


This is an interesting one--visual exam suite appears to be possibly
legit.  It was registered by a Russian back in '03, and the front page
looks reasonably well put together.  I would chalk the hosts file
editing up to unethical anti-piracy efforts if it weren't for the
malware domain check-ins.  The software itself seems to have remote
management capabilities, so maybe it's a trojaned version of what is
otherwise legit software.  Can you disclose how you got a sample?  Was
it a drive-by download?

On Wed, Oct 20, 2010 at 8:02 AM, evilghost at packetmail.net
<evilghost at packetmail.net> wrote:
> Strange trojan, looks like some anti-piracy deal?
>
> 127.0.0.1       thepiratebay.org
> 127.0.0.1       www.thepiratebay.org
> 127.0.0.1       mininova.org
> 127.0.0.1       www.mininova.org
> 127.0.0.1       forum.mininova.org
> 127.0.0.1       blog.mininova.org
> 127.0.0.1       suprbay.org
> 127.0.0.1       www.suprbay.org
>
> -evilghost
>
> On 10/20/2010 07:55 AM, dave richards wrote:
>> Hi Matt,
>>
>> Please find the signatures for Trojan:Win32/Comotor.A!dll,
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS
>> Trojan:Win32/Comotor.A!dll Reporting(1)"; flow:to_server,established;
>> content:"GET "; depth:4; uricontent:"/upd/check.php?"; nocase;
>> uricontent:"ver="; nocase; uricontent:"cver="; nocase; uricontent:"id=";
>> nocase;
>> reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b;
>> reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593;
>> sid:20101085; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS
>> Trojan:Win32/Comotor.A!dll Reporting(2)"; flow:to_server,established;
>> content:"GET "; depth:4; uricontent:"/cy/dl.php"; nocase;
>> uricontent:"id="; nocase;
>> reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b;
>> reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593;
>> sid:20101086; rev:1;)
>>
>> Looking forward to your comments, if any,
>> --
>> Regards,
>> Dave
>>
>>
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

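As an added illustration (not code from this thread or from Emerging Threats), a small host-side check for the hosts-file tampering evilghost quoted: it parses a Windows/Unix hosts file and reports every public hostname that has been redirected to a loopback or unspecified address. The sample hosts content and the benign-name list are constructed assumptions for the example.

```python
import ipaddress

# Constructed sample hosts file (not the one from the sample): the normal
# localhost lines, one legitimate internal override, and the kind of
# anti-piracy sinkhole entries the trojan wrote.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # legitimate internal override
127.0.0.1       thepiratebay.org
127.0.0.1       www.thepiratebay.org
0.0.0.0         mininova.org www.mininova.org
127.0.0.1       suprbay.org    # trailing comment
"""

# Names that legitimately resolve to loopback and must not be reported (assumed list).
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments and blank lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop inline and whole-line comments
        if not line:
            continue
        fields = line.split()                     # hosts files allow several names per line
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address field, ignore
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def find_sinkholed_hosts(text):
    """Return (line_no, ip, hostname) for names redirected to loopback or 0.0.0.0/::."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if (ip.is_loopback or ip.is_unspecified) and name not in BENIGN_LOOPBACK_NAMES:
            hits.append((line_no, str(ip), name))
    return hits


if __name__ == "__main__":
    for line_no, ip, name in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a real machine, read the file from `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) instead of `SAMPLE_HOSTS`; any hit for a domain the organisation did not deliberately block is worth a closer look at the host.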
