Windows 'IptabLeX Botnet Ddoser'

As discovered last week, a variant of the original Linux IptabLeX bot is now infecting Windows machines. The CNC is on another site, which is hosting a http:/..../getsetup.exe; once executed, this dropper spawns two further getsetup.exe processes.

The site mentioned in the Anubis report is carrying the payload: it delivers an executable which then installs the two Windows services.

It is worth mentioning at this point that the CNC and domains listed here are all present in the Windows version too. An initial query to the following is made; I did not observe any further operations.
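To triage a suspect host for the behaviour described above (the two installed services, the extra getsetup.exe processes, and any lookups of the listed CNC domains), here is an added PowerShell check. It is not part of the original post, nor taken from the Cuckoo or Anubis reports. It assumes the dropper keeps the getsetup.exe name on disk and in the service binary path; the service names are unknown, so it matches on the path rather than the name, and $SuspectDomains is a placeholder to be filled in from the CNC/domain list the post refers to, which is not reproduced here.

```powershell
# Added triage script (not from the original post or the sandbox reports).
# Assumptions: the dropper is still named getsetup.exe, and the services it
# installs reference that binary in their PathName. $SuspectDomains is a
# placeholder; replace it with the listed CNC domains before use.
$SuspectDomains = @('example-cnc.invalid')   # placeholder, not a real indicator

Write-Host '== Installed services (running or not) whose binary is getsetup.exe =='
# Win32_Service covers every registered service, so stopped persistence shows up too.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'getsetup\.exe' } |   # -match is case-insensitive
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
    Format-List

Write-Host '== Running getsetup.exe processes and their parents =='
$procs = Get-CimInstance -ClassName Win32_Process
$procs | Where-Object { $_.Name -ieq 'getsetup.exe' } | ForEach-Object {
    $p = $_
    # Resolve the parent so the "one dropper spawns two more" chain is visible.
    $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1
    [pscustomobject]@{
        Pid         = $p.ProcessId
        ParentPid   = $p.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
    }
} | Format-Table -AutoSize

Write-Host '== DNS cache entries for the listed CNC domains =='
# Get-DnsClientCache needs the DnsClient module (Windows 8 / Server 2012 and later);
# on older hosts fall back to "ipconfig /displaydns".
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($d in $SuspectDomains) {
    $cache | Where-Object { $_.Entry -like "*$d*" } |
        Select-Object Entry, Data, TimeToLive
}
```

Run it in an elevated session so that service and process details (command lines, executable paths) are readable for every account. A hit in the first two sections is the strong indicator; the DNS section only confirms the initial query if the cache has not already expired, so treat an empty result there as inconclusive rather than clean.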

The Anubis report details the actions carried out, and the researchers over at MalwareMustDie have today confirmed this here & here.

Here is my Cuckoo analysis, which shows the infection.

Thanks to @malwaremustdie for their original investigation of the Linux variant.