I have been monitoring what appears to be a custom IRC-based bot infection for several weeks. The current executable has an MD5 of 5663af5192f2963093b489c1eff171c3. The executable is a VB6 P-Code project that wraps the real payload in the VB virtual machine. Basically they create a packer using VB.
The bot calls itself Plague Bot and its C&C is readily seen by network traffic analysis – though it does have some limited anti-debugging and anti-Wireshark techniques. It grabs files from hxxp://www.hentaimoviez.com/ct/ Pound.exe (formerly it grabbed Weed.exe). The current IP is 174.132.234.74. The IRC C&C is running at: 174.133.63.91.
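As an added example (not code from the original post), the indicators quoted above can be matched against connection logs and against a file hash. The log line format, the port numbers and the sample lines are constructed assumptions; the hash, domain and IPs are the ones reported in the post.

```python
import hashlib
import re

# Indicators quoted in the post above.
IOC_MD5 = "5663af5192f2963093b489c1eff171c3"
IOC_DOMAIN = "www.hentaimoviez.com"
IOC_IPS = {"174.132.234.74", "174.133.63.91"}

# Constructed sample log in an assumed "timestamp src dst:port host" style.
# Line 2 is the download host, line 3 the IRC C&C; the others are benign.
SAMPLE_LOG = """\
2010-01-12T10:01:03 10.0.0.15 93.184.216.34:80 example.org
2010-01-12T10:02:17 10.0.0.15 174.132.234.74:80 www.hentaimoviez.com
2010-01-12T10:02:45 10.0.0.15 174.133.63.91:6667 -
2010-01-12T10:05:00 10.0.0.22 198.51.100.7:443 updates.example.net
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+)$")


def match_log(log_text):
    """Return (line_no, reason) for every line touching a listed IP or the domain.

    The domain is checked as well as the IPs because the post notes that the
    download IP is only the *current* one and may change.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, _src, dst_ip, _port, host = m.groups()
        if dst_ip in IOC_IPS:
            hits.append((n, f"dst ip {dst_ip}"))
        elif host == IOC_DOMAIN:
            hits.append((n, f"host {host}"))
    return hits


def matches_sample_hash(data: bytes) -> bool:
    """True if the MD5 of `data` equals the hash reported in the post."""
    return hashlib.md5(data).hexdigest() == IOC_MD5


if __name__ == "__main__":
    for n, reason in match_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```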
The binary was first submitted to VirusTotal on 1/12/2010 and also submitted to various AV vendors. Here’s today’s result on VirusTotal:
Please visit Adam’s Blog at the Cover of Night for much further analysis.