Month: April 2009

vn3c.drshells.com

Remote Host=vn3c.drshells.com
Port Number=5555

NICK [nLh-VNC]zbvlse
USER yosgo “fo4.net” “rage” :yosgo
NICK [nLh-VNC]wszqbc
USER vrjqzjiv “fo0.net” “rage” :vrjqzjiv

northside.servebeer.com

* Connects to “northside.servebeer.com” on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname USA|5055.
* IRC: Uses username wfkop.
* IRC: Joins channel #vnc#.
* IRC: Sets the usermode for user USA|5055 to +x.

[ Process/window information ]
* Creates a mutex sucksucksuck.
* Creates process “system32dll.exe”.

[ Signature Scanning ]

cod.sohbetodasi.info

[ Changes to filesystem ]
* Creates file C:\WINDOWS\service.exe.
* Creates file C:\WINDOWS\resimler.zip.
* Creates file C:\WINDOWS\new.txt.

[ Changes to registry ]
* Creates value “service”=”service.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.

[ Network services ]
* Connects to “cod.sohbetodasi.info” on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname [N]izgmiwjh.
* IRC: Uses

irc.zief.pl

Resolved : [irc.zief.pl] To [61.160.232.116]
Resolved : [irc.zief.pl] To [218.93.205.24]
Resolved : [irc.zief.pl] To [221.5.74.39]

massive chinese botnets

* Capability to block access to several security-related Web sites by modifying the hosts file.
* Communication with a remote IRC server.
* Modifies some system settings that may have negative impact on overall system security state.
* Installs a default debugger that is injected into the execution sequence of a target application. If a threat is installed as a default debugger,

m.DRD3H.COM

m.DRD3H.COM 76.76.9.3
* C&C Server: 76.76.9.3:6668
* Server Password:
* Username: wvehqmfyb
* Nickname: Cbb-991238523
* Channel: #dc (Password: dcpass)
* Channeltopic: :xvvv asn1smbnt 100 0 0 -b -r -s

irc.highteq.de

* Connects to “irc.highteq.de” on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname USA|027018.
* IRC: Uses username xcjcok.
* IRC: Joins channel #srvsearch with password fook.
* IRC: Sets the usermode for user USA|027018 to +n+B.

[ Process/window information ]
* Creates a mutex N_rul0r.
* Creates process “iexplorer.exe”.
*

darkace.gotdns.com

NICK [lsass]-607449
USER wxfjkzd 0 0 :[lsass]-607449
USERHOST [lsass]-607449
MODE [lsass]-607449 +B
JOIN #lobby
NICK [lsass]-107136
USER gxrpwkab 0 0 :[lsass]-107136
USERHOST [lsass]-107136
MODE [lsass]-107136 +B
NICK [lsass]-223789
USER nldxck 0 0 :[lsass]-223789
USERHOST [lsass]-223789
MODE [lsass]-223789 +B

Remote Host=darkace.gotdns.com
Port Number=17001