Evil Myspace
This isn't anything new, but I ran across this today and thought I'd share.
I got a friend request on Myspace that actually looked semi-legitimate so I viewed the requester's profile.
If you click ANYWHERE on the page, it downloads a file called KB89O831.exe from ftp://microsofpcenter71.cn

202.75.38.139
Registrant Organization: PrivacyProtect.org
netname: TMIDC-MY
descr: TELEKOM MALAYSIA BERHAD,
descr: HOSTING SERVICES, DSD,
descr: MYLOCA, INTERNET DATA CENTRE.
country: MY
person: Azman Ali
address: 20th Floor, Wisma Celcom Semarak
address: Jalan Raja Muda Abdul Aziz
address: 50400 Kuala Lumpur
country: MY
b1cfcf07d3d493f4ff351d9504212b3d
It has a bunch of strings that make it look like an actual Windows binary.
Creates c:\windows\system32\winfrun32.bin, which is a very small file of unknown contents.
Makes a copy of itself in c:\windows\system32\wmsdkns.exe.
Creates c:\windows\temp\cteng_test.tmp.
Creates a service called ctasd at c:\program files\merak\spam\commtouch\ctasd.
Spawns and injects a hidden iexplore.
Hits mycashloads.com/newuser.php?saff=373.0 and sets a cookie.
uje
ok
mycashloads.com/
1536
1659840512
29936853
644774272
29930793
*
are the cookie contents.
Starts talking to yahoo.com.
Could they be IPs in decimal? Dunno.
1659840512 = 98.239.40.0
644774272 = 38.110.121.128
Anyway, go myspace.
V.
And it disables Task Manager.
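An added example, not part of the original post, for checking the hunch above about the numeric cookie fields: it interprets each value as a 32-bit integer and renders it as a dotted-quad IPv4 address in both byte orders (the post's two conversions assume network order), and flags readings that fall in non-routable ranges so they can be discounted. The cookie values are taken from the post; the function and variable names are this example's own.

```python
import ipaddress

# Numeric cookie fields as pasted in the post (the non-numeric fields are omitted).
COOKIE_VALUES = [1536, 1659840512, 29936853, 644774272, 29930793]


def decimal_to_ipv4(value, little_endian=False):
    """Return the dotted-quad form of a 32-bit integer.

    Raises ValueError when the value does not fit in 32 bits, which is a
    quick way to rule out that a field is an address at all.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} is not a 32-bit value")
    raw = value.to_bytes(4, "big")          # network byte order
    if little_endian:
        raw = raw[::-1]                     # host (x86) byte order reading
    return str(ipaddress.IPv4Address(raw))


def candidate_addresses(values):
    """Map each value to its big- and little-endian readings.

    'routable' is True only when the big-endian reading is a globally
    routable address; 'this network' (0.0.0.0/8), private, loopback and
    reserved ranges come back False so an analyst can discount them.
    """
    out = {}
    for v in values:
        try:
            big = decimal_to_ipv4(v)
            little = decimal_to_ipv4(v, little_endian=True)
        except ValueError:
            out[v] = None                   # too wide to be an IPv4 address
            continue
        out[v] = {
            "big_endian": big,
            "little_endian": little,
            "routable": ipaddress.IPv4Address(big).is_global,
        }
    return out


if __name__ == "__main__":
    for value, info in candidate_addresses(COOKIE_VALUES).items():
        if info is None:
            print(f"{value}: not a 32-bit value")
        else:
            print(f"{value}: BE {info['big_endian']}  LE {info['little_endian']}"
                  f"  routable={info['routable']}")
```

Only two of the five values (1659840512 and 644774272) decode to globally routable addresses in network order; 1536 decodes to 0.0.6.0 and the two values near 30 million land in 1.200.x.x, so the "IPs in decimal" reading fits some fields but not all of them.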
funny malware
Thank you for providing that funny piece of malware.
It looks like another scammy AV campaign.
http://grospolina.org/img/ida_deupxd_malware.gif
greets,
kat
############################################
"Vernichte ihn! Er ist nur ein USER!" (MCP)
############################################

Danny
Take down your Myspace page haha