Autorun Post-Infection Indicators

Network indicators for various autorun malware families such as Virut, Sality, etc., observed after infection.

HTTP Request Method = GET
HTTP URI Strings

/spm/s_task.php?id=
/spm/s_alive.php?id=
/spm/s_get_host.php?ver=

Example: https://www.virustotal.com/file/deb834ac55eae1cb224983370ce85792119fb186f4e1a6b916abf5041267614c/analysis/

HTTP Request Method = GET
HTTP URI matching the regex "\?[a-f0-9]{5,}=[0-9]{6,}$" (an image-like path followed by a query string of 5+ hex characters = 6+ digits, with nothing after it)

Examples:

asps.co.in/logo.gif?1b8e8=677232
allahabadyellowpages.net/logo.gif?17cd2=389960
earnestbiz.com/img/logof.gif?1b595=784147
4-educationtech.com/s.jpg?154c3=697880
noray.com.mx/images/xs.jpg?15744=439380

See more examples on UrlQuery.net.
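As an added example (not part of the original post), the Python below applies both indicator sets above to constructed proxy log lines: the fixed /spm/ check-in paths and the hex-key beacon regex, restricted to GET requests as the post specifies. The log line format, client addresses and the 198.51.100.7 host are assumptions made for the sample.

```python
import re
from urllib.parse import urlsplit

# First indicator set: fixed URI prefixes of the /spm/ check-in scripts
SPM_PREFIXES = (
    "/spm/s_task.php?id=",
    "/spm/s_alive.php?id=",
    "/spm/s_get_host.php?ver=",
)

# Second indicator set: query string of 5+ hex chars = 6+ digits at end of URI
BEACON_RE = re.compile(r"\?[a-f0-9]{5,}=[0-9]{6,}$")


def classify_request(method, url):
    """Return the indicator name a GET request matches, or None."""
    if method.upper() != "GET":          # both indicators are GET-only
        return None
    parts = urlsplit(url if "://" in url else "http://" + url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    for prefix in SPM_PREFIXES:
        if uri.startswith(prefix):
            return "autorun-spm-checkin"
    if BEACON_RE.search(uri):
        return "autorun-hex-beacon"
    return None


# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2013-04-02T10:01:05Z 10.0.0.21 GET http://asps.co.in/logo.gif?1b8e8=677232 200
2013-04-02T10:01:09Z 10.0.0.21 GET http://198.51.100.7/spm/s_task.php?id=12345 200
2013-04-02T10:02:11Z 10.0.0.33 GET http://www.example.com/index.html 200
2013-04-02T10:02:40Z 10.0.0.33 POST http://noray.com.mx/images/xs.jpg?15744=439380 200
2013-04-02T10:03:12Z 10.0.0.45 GET http://www.example.com/img/logo.gif?v=123456 200
"""


def scan_log(text):
    """Return (client, indicator, url) for every matching line in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, method, url = fields[:4]
        tag = classify_request(method, url)
        if tag:
            hits.append((client, tag, url))
    return hits


if __name__ == "__main__":
    for client, tag, url in scan_log(SAMPLE_LOG):
        print(f"{client} {tag} {url}")
```

The `?v=123456` line is left alone because the key is shorter than five hex characters, and the POST line is skipped even though its URI matches the regex, mirroring the method constraint in the indicators.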