The victims of RPC Trojan Gimmiv were XP boxes in Asia

The RPC Worm Victim List has a list [.txt] of hundreds machines and they are mainly Windows XP machines (MSIE 6.0 or MSIE7.0; Windows NT 5.1 in browser’s user agent).

I made a script to generate WHOIS queries and the results say that the victim machines are located mainly in Australia, China, Philippines, India, Japan, Korea, Malta, Malaysia, Taiwan, and Vietnam. There are only some machines in France, UK, and USA.

It’s very interesting that there is an IP from Microsoft too – a Wget machine with IP address 64.147.0.80. The Wget version is 1.10.2.

Whois Record

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 131.107.0.0 – 131.107.255.255
CIDR: 131.107.0.0/16
NetName: MICROSOFT

There are several Wget UA’s included, one with the version number Wget/1.8.2 too.

I recommend that Redmon guys patch that machine ASAP ;-)

Share
  • Just Guess

    This could be very well a box used to catch (honeynet) new forms of malware.

    I seen this before being done by other AV companies, and Google also does this as far as I recall (I think I saw a PPT they did).

  • No problem here.. move along…

    Ok, so a researcher at MS used WGET to **safely** grab copies of the compromise site… surely you didn’t think that it was evidence that a computer had been compromised…