httpd.exe

Apache HTTP Server

Apache Software Foundation

The executable httpd.exe has been detected as malware by 11 of 68 anti-virus scanners. It runs as a separate Windows service (in the context of its own process) named “Apache2.2”. The file is infected by an entry-point obscuring polymorphic file infector that joins the machine to a peer-to-peer botnet and receives URLs of additional files to download. The scanners that detect it name the Sality family, a file infector that modifies existing executables, so the Apache publisher, product and version fields below describe the host binary, not the infection. While running, it connects to pages-wildcard.weebly.com (199.34.228.59) and ns65.hostinglotus.net (119.59.104.18) on port 80 over HTTP.
Publisher:
Apache Software Foundation

Product:
Apache HTTP Server

Version:
2.2.11

MD5:
cda425c170a2bc53163ea9f2d41c1d74

SHA-1:
d1de5d35b9327d10752f7623a43aec90dc28312e

SHA-256:
c46241d00e2aaa64449a531155a634c0c26f8186cbb3560406efedd83296fcc0

Scanner detections:
11 / 68

Status:
File is infected by a Virus

Explanation:
The file is infected by a polymorphic file infector virus.

Analysis date:
12/26/2024 3:10:21 AM UTC

Scan engine                      Detection                    Engine version
avast!                           Win32:Sality                 160216-0
Dr.Web                           Win32.Sector.30              9.0.1.05190
Emsisoft Anti-Malware            Win32.Sality                 10.0.0.5366
ESET NOD32                       Win32/Sality.NBA virus       8.0.319.0
F-Prot                           W32/Sality.gen2              4.6.5.141
F-Secure                         Win32.Sality.3               5.15.21
Kaspersky                        Virus.Win32.Sality           15.0.0.562
McAfee                           Virus.W32/Sality.gen.z       18.0.204.0
Microsoft Security Essentials    Threat.Undefined             1.213.6754.0
Norman                           Win32.Sality.3               17.02.2016 05:18:35
Sophos                           Virus 'Mal/Sality-D'         5.23

File size:
104.1 KB (106,556 bytes)

Product version:
2.2.11

Copyright:
Copyright 2008 The Apache Software Foundation.

Original file name:
httpd.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

File PE Metadata
Compilation timestamp:
12/10/2008 1:10:12 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
6.0

CTPH (ssdeep):
1536:1M3RUVqiG55xFsbzPvWHUs4zrqn9+Eqp4/lxGTpuoJzzIurTQd48mKoKUwZghdwu:LcsbyHUr0EVTJzzIEs48KTwWhEryFQY

Entry address:
0x1ECF

Entry point:
C6, C0, B2, 4F, 88, E3, C6, C1, 14, 0F, AF, C7, 0F, B6, D3, 86, D9, BD, DD, A1, 51, 59, C6, C5, 09, F7, C2, A2, C6, 67, 5B, FF, C9, 81, C7, 0F, A9, 02, 00, F7, C2, 3C, 5B, EA, 10, 81, EF, 36, 03, 02, 00, 81, FB, FF, 51, 85, 0E, 8D, 2D, 7E, 2C, 97, E7, FE, C3, 28, EF, 8D, 05, 53, A5, 3F, DB, F6, C4, 9E, 14, 3C, 0D, 16, 43, E2, 02, E8, 20, 00, 00, 00, 84, DA, 0F, AF, F8, 29, C7, 32, CC, 8D, 3D, ED, 71, 9E, AF, B8, 8B, D6, 00, 00, F6, C4, 7E, F3, 0F, AF, F2, 05, A8, 09, 00, 00, 58, 89, C5, 0A, CB, C6, C5, E2...

Code size:
8 KB (8,192 bytes)
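The PE metadata above (entry address, entry-point bytes, linker and compile timestamp) is what a triage script reads from the headers before any signature is consulted. The following is an added example, not the scanner's code and not the real httpd.exe: it parses a PE32 header with the standard library only, maps the entry RVA to its section and file offset, dumps the first bytes at the entry point the way the report does, and applies generic heuristics for infectors that relocate the entry point into an appended, writable-and-executable last section. The two images it inspects are constructed in the script; they reuse the page's header values (linker 6.0, console subsystem, entry RVA 0x1ECF, 8 KB of code, compile time assumed to be UTC) but the section layout is invented, since the page does not give it. A true entry-point-obscuring infector keeps the original entry point and is not caught by these header checks alone; that case needs code-level comparison against a known-clean copy.

```python
import struct
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHH"  # first 72 bytes of a PE32 optional header
SECT_FMT = "<8sIIIIIIHHI"              # one 40-byte IMAGE_SECTION_HEADER


def parse_pe(data: bytes) -> dict:
    """Return compile timestamp, linker version, subsystem, entry RVA and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    f = struct.unpack_from(OPT_FMT, data, opt)
    if f[0] != 0x10B:
        raise ValueError("not a PE32 image")
    sections = []
    for i in range(nsect):
        name, vsize, va, raw, ptr, _, _, _, _, chars = struct.unpack_from(
            SECT_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": raw, "raw_ptr": ptr, "chars": chars})
    return {"timestamp": datetime.fromtimestamp(ts, timezone.utc), "linker": f"{f[1]}.{f[2]}",
            "subsystem": f[22], "entry_rva": f[6], "sections": sections}


def section_of(info: dict, rva: int):
    """Section whose virtual range contains rva, or None."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def entry_bytes(data: bytes, info: dict, n: int = 16) -> bytes:
    """Raw bytes at the entry point, the way a scanner report prints them."""
    s = section_of(info, info["entry_rva"])
    if s is None:
        return b""
    off = s["raw_ptr"] + (info["entry_rva"] - s["va"])
    return data[off:off + n]


def entry_point_findings(info: dict) -> list:
    """Generic heuristics for infectors that move the entry point (assumption: not family-specific)."""
    secs = info["sections"]
    home = section_of(info, info["entry_rva"])
    if home is None:
        return ["entry point RVA lies outside every section"]
    out = []
    if not home["chars"] & IMAGE_SCN_CNT_CODE:
        out.append(f"entry point in non-code section {home['name']}")
    if home["chars"] & IMAGE_SCN_MEM_WRITE and home["chars"] & IMAGE_SCN_MEM_EXECUTE:
        out.append(f"entry point in writable+executable section {home['name']}")
    if len(secs) > 1 and home is secs[-1]:
        out.append(f"entry point in last section {home['name']}")
    return out


def build_pe(entry_rva: int, sections: list, timestamp: int) -> bytearray:
    """Construct a minimal PE32 (headers plus zero-filled section data) for the samples below."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0, 0x2000, 0, 0, entry_rva, 0x1000, 0x3000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0, 0, 0, 3, 0)
    opt += b"\0" * (224 - len(opt))                                   # empty data directories
    table = b"".join(struct.pack(SECT_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, rp, ch in sections)
    img = bytearray(dos + b"PE\0\0" + coff + opt + table)
    img.extend(b"\0" * (max(rp + rs for _, _, _, rs, rp, _ in sections) - len(img)))
    return img


# Constructed samples (not the real httpd.exe). Header values follow the page: linker 6.0,
# console subsystem, entry RVA 0x1ECF, 8 KB of code, compile time 2008-12-10 13:10:12 (assumed UTC).
# Section tuples are (name, virtual address, virtual size, raw size, raw offset, characteristics).
TS = 1228914612
TEXT = (b".text", 0x1000, 0x2000, 0x2000, 0x400, 0x60000020)   # code | execute | read
DATA = (b".data", 0x3000, 0x1000, 0x0200, 0x2400, 0xC0000040)  # initialized data | read | write

CLEAN = build_pe(0x1ECF, [TEXT, DATA], TS)
CLEAN[0x12CF:0x12D2] = b"\x55\x8b\xec"            # push ebp; mov ebp,esp at the file offset of 0x1ECF

TAIL = (b".tail", 0x4000, 0x10000, 0x10000, 0x2600, 0xE0000020)  # code | execute | read | write
INFECTED = build_pe(0x4010, [TEXT, DATA, TAIL], TS)          # entry moved into the appended section
INFECTED[0x2610:0x2613] = b"\xc6\xc0\xb2"          # opaque first bytes instead of a compiler prologue

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        info = parse_pe(bytes(img))
        print(label, info["timestamp"], "linker", info["linker"], "entry", hex(info["entry_rva"]),
              entry_bytes(bytes(img), info, 8).hex(" "), entry_point_findings(info) or "no findings")
```

Run it as a script to see both verdicts; to inspect a real file, replace the constructed images with `open(path, "rb").read()`. The timestamp and linker fields are worth comparing against a known-good copy of the same Apache release, because a file infector leaves the host's original compile metadata intact while changing its hashes.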

Service
Display name:
Apache2.2

Description:
Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9

Type:
Win32OwnProcess

Depends on:
Tcpip Afd


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to pages-wildcard.weebly.com  (199.34.228.59:80)

TCP (HTTP):
Connects to ns65.hostinglotus.net  (119.59.104.18:80)
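The hashes and the two contacted hosts above are the indicators a responder would sweep an estate for. The script below is an added example, not part of the report: it carries those indicators, hashes a file in the report's three algorithms, and scans proxy and DNS log lines for the hosts and addresses, matching URL hostnames, bare names and dotted quads. The log excerpt is constructed for the example (203.0.113.10 is documentation address space), not captured traffic from the page.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the report above.
IOC_HASHES = {
    "md5": "cda425c170a2bc53163ea9f2d41c1d74",
    "sha1": "d1de5d35b9327d10752f7623a43aec90dc28312e",
    "sha256": "c46241d00e2aaa64449a531155a634c0c26f8186cbb3560406efedd83296fcc0",
}
IOC_HOSTS = {"pages-wildcard.weebly.com", "ns65.hostinglotus.net"}
IOC_IPS = {"199.34.228.59", "119.59.104.18"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a file's bytes, in the report's hex format."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_match(data: bytes) -> list:
    """Algorithms under which data matches the report's sample (empty list: no match)."""
    h = file_hashes(data)
    return [algo for algo, digest in IOC_HASHES.items() if h[algo] == digest]


def indicators_in_line(line: str) -> set:
    """Report hosts and IPs present in one log line: URL hostnames, bare names, dotted quads."""
    hits = set()
    for tok in re.split(r"[\s,;\"']+", line):
        host = urlsplit(tok).hostname if "://" in tok else tok.rstrip(".").lower()
        if host in IOC_HOSTS or host in IOC_IPS:
            hits.add(host)
    hits.update(ip for ip in IPV4.findall(line) if ip in IOC_IPS)   # catches "ip:port" tokens
    return hits


def scan_log(text: str) -> list:
    """(line number, sorted indicators) for every line that touches a report indicator."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = indicators_in_line(line)
        if hits:
            out.append((n, sorted(hits)))
    return out


# Constructed proxy/DNS log excerpt for the example (not from the page).
SAMPLE_LOG = """\
2024-12-26T03:10:21Z 10.0.0.7 GET http://pages-wildcard.weebly.com/index.html 199.34.228.59:80 200
2024-12-26T03:10:22Z 10.0.0.7 GET http://www.example.com/dist/httpd/ 203.0.113.10:443 200
2024-12-26T03:11:05Z 10.0.0.7 GET http://ns65.hostinglotus.net/ 119.59.104.18:80 404
2024-12-26T03:12:40Z 10.0.0.9 A-query ns65.hostinglotus.net. NOERROR
"""

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
    print("constructed blob matches report hashes:", hash_match(b"not the sample") or "no")
```

On a suspect host, `sc qc Apache2.2` prints the service's binary path; feed that file to `file_hashes` (or `certutil -hashfile <path> SHA256`) and compare against the report. A miss does not clear the machine: Sality is polymorphic, so other infected copies will carry different hashes, and the network indicators are the more durable sweep.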

Remove httpd.exe - Powered by Reason Core Security