Hi,
We're starting to make some progress on this virus. We've monitored it in a sandbox and redirect DNS for the already mentioned domains to a honeypot webserver running a PHP script that dumps the POST variables. This will allow us to see what clients are infected.
It seems to be uploading a base64 string, of which we don't know the contents. McAfee's Threat Advisroy on BackDoor-FHI also notes this behaviour.
The latest DATs (6811) seem to be picking up the thumbs and lnk files etc but this is not the point of entry for the virus. On the infected client machines we are starting to see a pattern of Java class files and tmp.exe files being detected:
/appdata/locallow/sun/java/deployment/cache/6.0/32/4e7ceca0-21a6fae3/Photo.class
(McAfee DAT - Generic Exploit!ksf & Generic Exploit!kql, Stinger - no detection, Kaspersky - Exploit.Java.CVE-2011-3544.ht & Exploit.Java.CVE-2011-3544.io)
E9E3.tmp.exe
(McAfee DAT - BackDoor-FHI, Stinger - FakeAlert-SecurityTool.fg, Kaspersky - Trojan-Dropper.Win32.Dycler.dl)
E36D.tmp.exe
(Looks suspicious but not being flagged up yet - sample sent to McAfee Labs)
We have already updated Java/Flash/Adobe Reader as soon as the virus hit, but this seems to be pointing at initial entry via Java.
I advise everyone to deploy the latest Java updates, and please post here if you are seeing anything similar.
