Hey, when they add even your blog to their lists of restricted sites on infected machines, you know that you’re doing something right.
Our talented colleague Sergei Shevchenko noticed a recent ThreatExpert report in which a not-so-well-detected IRCBot variant is adding the ThreatFire blog url to the hosts files of infected machines, mapping it to the localhost ip. You can see the url in a long list of sites by scrolling down beneath “The HOSTS file was updated with the following URL-to-IP mappings”:
This addition to the HOSTS file means that infected users trying to research symptoms of their infected system online won’t be able to browse this blog’s web pages and find out that the current “msnmessage7.7.exe” file in their c:windowssystem32 directory is causing them a headache.
We suspect that this one is spreading as a part of another IM worm as a message attachment named image_10.zip. When this file is unzipped, its extracted contents have names like “Cle-p.exe”.
If you didn’t pick up on it, the title of this post is meant to be sarcastic.