Marco wrote his analysis at 1:30 AM his time, due to it being his first free moment to finally take a breath and report the findings that emerged.
This appears to accent the famous "Service 32.exe" infection, otherwise known as Rootkit.DialCall. To see the first analysis of this infection, refer to Marco's analysis published 23 September 2006, and as specified in the report on Service32.exe, the rootkit unloaded the dialer CallSolutions. This particular dialer works exclusively in Italy. In some cases the link that it connected to the page it infects from the Rootkit.DialCall was present in the pages web that they connected also to the server Gromozon. It is interesting to note that, when the Gromozon server was mysteriously offline last Sunday, so also was the server that accommodated the Rootkit.DialCall.
Returning to Gromozon, as Marco indicated that the server was offline on Sunday. However, all the old false pages web that rendezvous to the Gromozon server have resumed their work diverting the visitors - through some situated websites - to one final server. From here, this time, the infections are multiple and vary. As an example from some dialer - obviously for Italian lines - to some Trojan - Trojan.Nitwiz. Currently the infections have had characteristic signs of the infection similar to the old version of Gromozon.
- before reaching the final destination there is a pass through of a server well known and used for CWS (CoolWebSearch), as characterized from some techniques of attack that vaguely resemble the old techniques of the Gromozon;
- one of the dialer that is installed in the system - for means also of some exploit - seems to be calling to CallSolutions. The numbers it calls are obviously always Italian.
Marco also indicated that the characteristics of the Rootkit.DialCall has been modified. Rather than installing only the Service32.exe and the DLL explorre32.exe, it also installs another rootkit kernel mode, known as PE386. This rootkit is used in order to hide an infestation in the PC of Trojan and backdoor called Rustock.