Bicololo Post-Infection Indicator

@unixfreakjp had a great writeup a few days ago concerning a WordPress compromise that downloaded Bicololo.

The post-infection traffic can be detected on the network with the following signature:

HTTP Request Method = GET
HTTP URI contains /stats/tuk/
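As an added illustration (not part of the original post), the following Python scanner applies that signature to constructed, proxy-style request lines; the log format and the optional percent-decoding step are assumptions of this example, not from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample of HTTP request lines ("METHOD URL"), as a web proxy might log them.
SAMPLE_LOG = """\
GET http://example-cdn.invalid/stats/tuk/img.png
POST http://example-cdn.invalid/stats/tuk/upload
GET http://example.invalid/index.html
GET http://example.invalid/%2Fstats%2Ftuk%2Fcheck
GET http://other.invalid/STATS/TUK/x
"""

# Assumed log layout: request method, whitespace, request URL.
LOG_RE = re.compile(r'^(?P<method>[A-Z]+)\s+(?P<url>\S+)')

def matches_bicololo_indicator(method, url, normalize=True):
    """Apply the post's signature: a GET request whose URI contains /stats/tuk/.

    normalize=True (an assumption of this example) percent-decodes the URL first,
    so an encoded form of the path still matches; the match itself stays literal
    and case-sensitive, exactly as the signature is written.
    """
    if method != "GET":
        return False
    path = unquote(url) if normalize else url
    return "/stats/tuk/" in path

def scan_log(text, normalize=True):
    """Return (line_number, url) for every request line that matches the signature."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if matches_bicololo_indicator(m.group("method"), m.group("url"), normalize):
            hits.append((lineno, m.group("url")))
    return hits

if __name__ == "__main__":
    for lineno, url in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: Bicololo indicator hit: {url}")
```

On the sample above, lines 1 and 4 match (line 4 only because of the decoding step); the POST on line 2 and the upper-case path on line 5 do not, which is the caveat to weigh when deciding how strictly to encode the signature in your own sensor.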

Example samples (VirusTotal analysis pages):

https://www.virustotal.com/file/e4106edcbe7a0284d16bfbf59d140d5f7687173a4dc9dcfac1d82d2e43d00c1b/analysis/
https://www.virustotal.com/file/2b55bcfffd33bd4272369edbf28a603c95dd6a948157996ac83e4bcbaf847617/analysis/

Reference: http://malwaremustdie.blogspot.com/2013/01/double-hit-pc-trojan-w32vbs-bicololo.html
Reference: http://www.nod32.it/threat-center/encyclopedia1.php?id=2834