ANI last entry for Monday
We now have some more details about the payload of this exploit spam run. It downloads a 36k progam called 200.exe. When run, 200.exe writes itself back out as Winlogon.exe, and adds itself to HKCU... CurrentVersion\Run to ensure it gets into the execution cycle on reboot.
When it runs, it emails out to a hotmail account, presumably to announce that the victim has been 0wned, and then calls out to a different server on port 80 every five minutes, presumably looking for commands. In other words, it's a bot / backdoor. Oh, and it's a rootkit.