Trojan VBS/Bicololo at infected WordPress

#MalwareMustDie! Trojan VBS/Bicololo at infected WordPress..
====================================================
SHA256: 3ee1ee6a1a725769f066d4ccd272663558dd8786525cc7a0aedeb33a95b6f1d9
SHA1: f05b0a6734391f19838bdcb41d29d173a1d45b02
MD5: f54715875c3327953965072927e86bd0
File size: 179.9 KB ( 184243 bytes )
File name: GOLAYA-BABE・exe
File type: Win32 EXE
Tags: peexe bobsoft
Detection ratio: 11 / 44
Analysis date: 2013-01-11 12:51:39 UTC ( 5 minutes ago )
URL --->>[VirusTotal] https://www.virustotal.com/latest-scan/3ee1ee6a1a725769f066d4ccd272663558dd8786525cc7a0aedeb33a95b6f1d9

GData                    : VBS:Bicololo-BG
TrendMicro-HouseCall     : TROJ_GEN.F47V0111
Avast                    : VBS:Bicololo-BG [Trj]
Kaspersky                : UDS:DangerousObject.Multi.Generic
Jiangmin                 : Trojan/StartPage.bim
Malwarebytes             : Trojan.StartPage.ooo
Panda                    : Trj/Qhost.MR
Ikarus                   : Trojan.Win32.Qhosts
Kingsoft                 : Win32.Troj.Undef.(kcloud)
TheHacker                : Trojan/Bicololo.a
Microsoft                : Trojan:Win32/QHosts.BF
Drops temporary files here:
C:\DOCUME~1\~1\LOCALS~1\Temp\$inst\temp_0.tmp
C:\DOCUME~1\~1\LOCALS~1\Temp\$inst\2.tmp
Drops the malicious data here...
C:\Program Files\LuaZ\PTka\kroka.txt
C:\Program Files\LuaZ\PTka\_nekjg_jdkgsfkj(.)bat
C:\Program Files\LuaZ\PTka\nasdfsfgdfsdfgkrasit(.)vbs
C:\Program Files\LuaZ\PTka\i1_r2123r23r23r234at(.)vbs
Rewrite your hosts file...
C:\WINDOWS\System32\drivers\etc\hosts
Activating the below the internet settings
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProxyBypass
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\IntranetName
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\UNCAsIntranet
HKU\..\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy
Register to run the Windows Script Engine & execution of BAT file
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\WINDOWS\System32\WScript・exe
  --> With value: Microsoft (R) Windows Based Script Host
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\(.)vbs\OpenWithProgids\VBSFile
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\(null)\C:\Program Files\LuaZ\PTka\_nekjg_jdkgsfkj(.)bat
  --> With value: _nekjg_jdkgsfkj
Then we'll see these processes start:
C:\Program Files\LuaZ\PTka\_nekjg_jdkgsfkj(.)bat
C:\WINDOWS\System32\WScript・exe C:\WINDOWS\System32\WScript・exe" "C:\Program Files\LuaZ\PTka\nasdfsfgdfsdfgkrasit(.)vbs"
C:\WINDOWS\System32\WScript・exe C:\WINDOWS\System32\WScript・exe" "C:\Program Files\LuaZ\PTka\i1_r2123r23r23r234at(.)vbs"
Network activity
GET access to 199.241.191.138:1115/stat/tuk/189 was detected:
Connecting to 199.241.191.138:1115... seconds 0.00, connected.
GET /stat/tuk/189 HTTP/1.0
Host: 199.241.191.138:1115
  :
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx/1.2.6
Date: Fri, 11 Jan 2013 12:26:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.10
Set-Cookie: ci_session=lNb4MOHKeePb113cZmW1LPvsBDZB6QAZgOsKFsyAkJfB2pG01hSIDsiLZ
u2YSAbZolV3GxA9ioFoe66yUnzxOJTJiKAahUI3Uox10uBHN515h0I8TIOXKoFcpsb%2FmK6FgAj800S
wH2eBJaZvqBi1FNzXarlSEOEw5fGW9JseV6hpLg42b5JPEARB6FUAX6grZJrArggr1XK%2FY%2FsOR3d
nzhBfOYS4o%2Fy37GpS7mq%2FuOXEaZkU5vftqHLQxYldFYDakC7lQGMRNiQKiDi2ot2qgJDG0fUm8l0
5pkjQELLzaj6NkTPUeyXHeRMG1nbIxvZnhFHjGQ%2FSko6g20y0ZTn%2F5776nJdK1CiMAxw3wTwXXfW
Xx0RCrspbjB9WEoIL%2FbZe; path=/
  :
200 OK
  :
Stored cookie 199.241.191.138 1115 /   [expiry none] ci_sessi
on lNb4MOHKeePb113cZmW1LPvsBDZB6QAZgOsKFsyAkJfB2pG01hSIDsiLZu2YSAbZolV3GxA9ioFoe
66yUnzxOJTJiKAahUI3Uox10uBHN515h0I8TIOXKoFcpsb%2FmK6FgAj800SwH2eBJaZvqBi1FNzXarl
SEOEw5fGW9JseV6hpLg42b5JPEARB6FUAX6grZJrArggr1XK%2FY%2FsOR3dnzhBfOYS4o%2Fy37GpS7
mq%2FuOXEaZkU5vftqHLQxYldFYDakC7lQGMRNiQKiDi2ot2qgJDG0fUm8l05pkjQELLzaj6NkTPUeyX
HeRMG1nbIxvZnhFHjGQ%2FSko6g20y0ZTn%2F5776nJdK1CiMAxw3wTwXXfWXx0RCrspbjB9WEoIL%2F
bZe
Response was "OK" (at first attempt) or "ne_unik" on the next attempts..

----
#MalwareMustDie