Month: October 2009

Secret.Virus.Gov(ogard from 23k net dci bot)

Remote Host        Port Number
174.143.212.148    6667
66.45.237.212      80

* The data identified by the following URL was then requested from the remote web server:
  o

IRC traffic:
  NICK VirUs-oqgsnaxa
  USER VirUs "" "mqo" :8Coded8VirUs..
  JOIN #OgarD3# Virus
  PRIVMSG #OgarD3# :Success.
  PASS Virus

Registry Modifications
* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-61WE-AAX2-5657QWE232788}
* The newly created Registry Value

Remote Host        Port Number
61.139.151.20      6697

IRC traffic:
  MODE MetroP-XP820
  JOIN #putas
  PONG bitches.teibol.com
  NICK MetroP-XP820
  USER USA63600 * 0 :COMPUTERNAME
  PASS msnfuck

Other details
* The following port was open in the system:
  Port    Protocol    Process
  1052    TCP         iexplore.exe (%System%\iexplore.exe)

Registry Modifications
* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Internet Explorer = "iexplore.exe"
  so that iexplore.exe runs every

Unknown Connections
  Host By Name:
    Requested Host: home-off-d5f0ac
    Resulting Address:
    Host: sip4.voipkosovasite.com
    Resulting Address:
  Established: 0
  Socket: 0

Outgoing Connections

IRC Data
  User Name: XP-5101
  Host Name: *
  Server Name:
  Real Name: HOME-OFF-D5F0AC
  Nick Name: [00|USA|169352]
  Non RFC Conform: 1
  Channel Name: #!a!
  Topic Deleted: :.msn.stop|.msn.msg foto?
  Message Deleted
    Value: :d-! PRIVMSG [00|USA|169352] :.login mamajokero -s
    Value: :d-! PRIVMSG [00|USA|169352] :.r.getfile c:/sd.exe 1 -s
  Notice Message Deleted
    Value: NOTICE

Remote Host        Port Number
92.241.164.197     8877

IRC traffic:
  NICK ENGLISH|COMPUTERNAME|241
  NICK ENGLISH|COMPUTERNAME|162
  USER ENGLISH|COMPUTERNAME|162 0 * :Hoooooly 67893
  PONG 781430258
  JOIN #free
  USER ENGLISH|COMPUTERNAME|241 0 * :Hoooooly 88723
  PONG 653356001
  PING

Other details
The following ports were open in the system:
  Port    Protocol    Process
  1052    TCP         reg32.exe (%System%\reg32.exe)
  1053    TCP         reg32.exe (%System%\reg32.exe)
  1054    TCP         reg32.exe (%System%\reg32.exe)

Registry Modifications
The following Registry Keys were created:
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY\0000
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY\0000\Control
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay\Security
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay\Enum
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY\0000
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY\0000\Control
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay\Security
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay\Enum
The newly created Registry Values big botnet)

5.c) windows7addon.exe
– Network Activity
  – DNS Queries:
    Name    Query Type    Query Result    Successful    Protocol
            DNS_TYPE_A                    1
            DNS_TYPE_A                    1
            DNS_TYPE_A                    1
  – IRC Conversations:
    Nick: [00_AUT_XP_1270214]
    Username: SP3-601
    Joined Channel: #russi
    Channel Topic for Channel #russi: ".asc -S -s|.http|.asc exp_all 15 5 0 -a -r -e -s|.asc exp_all 20 5 lamer big net)

DNS Lookup
  Host Name    IP

URLs
  http:// ( (

* C&C Server:
* Server Password:
* Username: SPX
* Nickname: N|DEU|0|XP|092652263
* Channel: #mix# (Password: ####)
* Channel topic: :8FEB48668E75185DB32D7D0B65D097F592B1C267FE416DF5E91C4DF84E6F6944306D807B4E8C1F5699261CC7FBCCD9D24E6CFF98134A2134D08B47A87849D7FC0C7B

Outgoing connection to remote server: TCP port 80
Outgoing connection to remote server: TCP port 80

DNS Lookup
  Host Name          IP Address
  dell-d3e62f7e26

Remote Host        Port Number
79.125.12.23       6667

IRC traffic:
  NICK |POP|942165|1|en-US|
  USER |POP|942165|1|en-US| |POP|942165|1|en-US| |POP|942165|1|en-US| |POP|942165|1|en-US|
  JOIN #archer nigger
  PING

Server statistics:
  Invisible Users: 489
  Operators: 13 operator(s) online
  Channels: 38 channels formed
  Clients: I have 509 clients and 1 servers
  Local users: Current Local Users: 509 Max: 673
  Global users: Current Global Users: 520 Max: 682

File System Modifications
* The following files were created in the

Server statistics:
  Invisible Users: 52
  Operators: 1 operator(s) online
  Channels: 4 channels formed
  Clients: I have 53 clients and 0 servers
  Local users: Current Local Users: 53 Max: 104
  Global users: Current Global Users: 53 Max: 88
:6667 channels #win,#system

# Winsock Section…
* Unknown Connections
  o Host By Name:
    + Requested Host:
    + Resulting Address:
  o Connection Established: 0
  o Socket: 0
* UDP connections_listening
  o Transport Protocol: TCP
  o Local Port: 47154
  o Connection Established: 0
  o Socket: 1296
* Outgoing Connections
  o Transport Protocol: TCP
  o Remote Address:
  o

Remote Host        Port Number
88.255.120.47      6667

IRC traffic:
  NICK aynur|Cam
  USER Bahar11 "Cod" "" :aLeyna
  NICK kontroL
  USER aynur1 "Cod" "" :melek
  USERHOST aynur|Cam
  MODE #Security#
  JOIN #!! birtanem
  MODE aynur|Cam +i
  MODE #!
  PRIVMSG #!! :ben geldim
  NICK Aysun883

* The following ports were open in the system:
  Port    Protocol    Process
  113     TCP         caves.exe (%System%\caves.exe)
  1052    TCP         caves.exe (%System%\caves.exe)
  1053    TCP         caves.exe (%System%\caves.exe)
  1054    TCP         caves.exe (%System%\caves.exe)

Registry Modifications
* The