Thursday, November 5, 2015

O Brothers, Where Art Thou?

Word doc w/malicious macro (Websense File Sandbox Report found here) is on the loose this morning: 



Per the above link, the downloader not only pulls another exe from a site in Germany... but also communicates out to a known botnet on a high number port (TCP:6446):



Finally, our Brothers-In-Arms (the AntiVirus guys) are AWOL... not a single engine detects this file currently:


In summary, check your firewall logs for the IPs referenced above. If you see them, remove the PC from the network... your user most likely downloaded the file via email or webmail. Lastly, call us to identify how you can secure those threat vectors better. :-)
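The firewall-log check above, as an added example that is not part of the original post: a small Python triage script that scans outbound connection records for the indicator IPs and for the TCP/6446 port the post calls out, and reports which internal hosts to pull off the network. The indicator addresses from the sandbox report live in the post's screenshots, so the IPs below are TEST-NET placeholders (replace them with the real ones), and the log line format is an assumed generic "ACTION PROTO src:port -> dst:port" layout with constructed sample lines.

```python
import re
from ipaddress import ip_address, ip_network

# Placeholder IoCs: the post's indicator IPs are only in its screenshots, so these
# TEST-NET addresses stand in for them. Replace with the IPs from the sandbox report.
IOC_IPS = {"203.0.113.10", "198.51.100.25"}
# TCP 6446 is the botnet port named in the post.
IOC_PORTS = {6446}

# RFC 1918 ranges: only hosts inside these count as "our PCs" to isolate.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample log in an assumed generic firewall format.
SAMPLE_LOG = """\
2015-11-05 09:12:01 ALLOW TCP 192.168.1.23:51234 -> 203.0.113.10:80
2015-11-05 09:12:03 ALLOW TCP 192.168.1.23:51240 -> 198.51.100.25:6446
2015-11-05 09:13:10 ALLOW TCP 192.168.1.40:51300 -> 192.0.2.9:443
2015-11-05 09:14:22 DENY  TCP 192.168.1.77:52000 -> 198.51.100.90:6446
2015-11-05 09:15:00 ALLOW UDP 192.168.1.23:53010 -> 192.0.2.53:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip: str) -> bool:
    """True if the address falls in one of our internal (RFC 1918) ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one firewall record into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_suspects(log_text: str) -> dict:
    """Return {internal_src_ip: [reasons]} for outbound hits on IoC IPs or the C2 port.

    A DENY still counts: the PC tried to reach the botnet, which is what matters
    for deciding whether to isolate it.
    """
    suspects: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]):
            continue
        reasons = []
        if rec["dst"] in IOC_IPS:
            reasons.append(f"contacted IoC IP {rec['dst']}")
        if rec["proto"] == "TCP" and rec["dport"] in IOC_PORTS:
            reasons.append(f"{rec['action']} TCP/{rec['dport']} to {rec['dst']}")
        for r in reasons:
            suspects.setdefault(rec["src"], []).append(f"{rec['ts']}: {r}")
    return suspects


if __name__ == "__main__":
    hits = find_suspects(SAMPLE_LOG)
    if not hits:
        print("No hosts matched the indicators.")
    for host, reasons in hits.items():
        print(f"ISOLATE {host}")
        for r in reasons:
            print(f"  - {r}")
```

Feed it an export of your firewall's outbound logs in place of `SAMPLE_LOG`; each internal host listed is one to pull off the network and examine for the macro document in its mail or browser cache.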
