proxim.ircgalaxy.pl

Remote Host: proxim.ircgalaxy.pl
Port Number: 65520

File System Modifications
* The following files were modified:
  o [pathname with a string SHARE]\msinfo32.exe
  o [pathname with a string SHARE]\sapisvr.exe
  o %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
  o %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
  o %ProgramFiles%\Internet Explorer\Connection Wizard\icwrmind.exe
  o %ProgramFiles%\Internet Explorer\Connection Wizard\icwtutor.exe
  o %ProgramFiles%\Internet Explorer\Connection Wizard\inetwiz.exe
  o %ProgramFiles%\Internet Explorer\Connection Wizard\isignup.exe
  o %ProgramFiles%\Internet Explorer\iedw.exe
  o %ProgramFiles%\MSN\MSNIA\msniasvc.exe

nrm-sndbx01.osl.basefarm.net

Registry Modifications
* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Service Agent = "sup.exe" so that sup.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    + Windows Service Agent = "sup.exe" so that sup.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Service

shv4.ath.cx

shv4.ath.cx:6667
NICK USA|7008
USER rzec 0 0 :USA|7008
USERHOST USA|7008
MODE USA|7008 -x+i
JOIN #bote2
MODE #bote2 +snt
NOTICE USA|7008 :.VERSION mIRC v6.14 Khaled Mardam-Bey.
PRIVMSG #bote2 :[MAIN]: Status: Ready. Bot Uptime: 0d 0h 0m.
PRIVMSG #bote2 :[MAIN]: Bot ID: [.:xarbot:.].
PRIVMSG #bote2 :[SCAN]: Exploit Statistics: VNC: 0, dcom2-135: 0, dcom2-445: 0, Total: 0 in 0d 0h 0m.
PRIVMSG #bote2 :[MAIN]: Uptime: 0d 0h 2m.
PRIVMSG

update.xxxlilly.com (hidden+crim lamers clan)

Requested Host: update.xxxlilly.com
Resulting Address: 67.23.23.11
Connection Established: 0
Socket: 0

Outgoing Connections
IRC Data
User Name: XP-2425
Host Name: *
Server Name:
Real Name: HOME-OFF-D5F0AC
Password: owned
Nick Name: [N00|USA|421198]
Non RFC Conform: 1
Channel
Name: #!m!
Password: abc
Topic Deleted: :
Transport Protocol: TCP
Remote Address: 67.23.23.11
Remote Port: 1863
Protocol: IRC
Connection Established: 1
Socket: 1656

Resolved: [update.xxxlilly.com] To [212.174.134.33]
Resolved: [update.xxxlilly.com] To [67.23.23.11]
Resolved: [update.xxxlilly.com] To [123.176.7.36]

Create Mutex:
Name: msnfixed
Owned:

wormbot.net

Unknown Connections
Host By Name:
Requested Host: wormbot.net
Resulting Address: 92.241.168.85
Connection Established: 0
Socket: 0

UDP Connections
Send Datagram
Remote Address: 92.241.168.85
Remote Port: 5070
Size: 7
Receive Datagram
Local Port: 0
Remote Address: 92.241.168.85
Remote Port: 5070
Size: 0
Plain Communication Data
Send
Dump Line:
Off Set: $0000
Dump: 61 E5 6A 7C E1 6C A3
ASCII: a.j|.l.
Transport Protocol: UDP
Remote Address: 92.241.168.85
Remote Port: 5070
Protocol: Unknown
Connection Established: 1
Socket: 2736

Open Keys
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Quantity: 10
Key:

bydvwqcdw.com

Remote Host: bydvwqcdw.com
Port Number: 8090

Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Taskman = "C:\RECYCLER\S-1-5-21-2344348871-565435639-736567348-2995\azmit32.exe" so that azmit32.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + winprocsm = "C:\RECYCLER\S-1-5-21-2344348871-565435639-736567348-2995\azmit32.exe" so that azmit32.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Shell = "explorer.exe,C:\RECYCLER\S-1-5-21-2344348871-565435639-736567348-2995\azmit32.exe" so that azmit32.exe runs every

xmmx.ax.lt

Remote Host: xmmx.ax.lt
Port Number: 443

PASS ddosit
NICK qasyiy
USER ocwbzy "" "yht" :ocwbzy

Registry Modifications
* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-00401C608512}
* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-00401C608512}]
    + StubPath = "c:\subidonde\services.exe" so that services.exe runs every time Windows starts

Server : irc.ux0.com [Unreal3.2-beta19]
Created : Sun Feb

butterfly.BigMoney.biz (iserdo's bfbot Pro costs 800 euro)

This is bfbot PRO from iserdo. If someone can revert the exe to get the source, PM me.

DNS Queries:
butterfly.BigMoney.biz DNS_TYPE_A 62.128.52.191 1
butterfly.sinip.es DNS_TYPE_A 200.74.244.84 1
qwertasdfg.sinip.es DNS_TYPE_A 76.73.56.12 1

UDP Traffic:
76.73.56.12:1336
62.128.52.191:1336
200.74.244.84:1336

Here is the Anubis analysis of the exe file: http://anubis.iseclab.org/?action=result&task_id=1185bc701aeba0454f13d53c605878087&format=html

Server : irc.lulz.ee

Remote Host: vteamunix.info
Port Number: 51987

00000000 | 4E49 434B 2070 4C61 6755 657B 5350 4C4F | NICK pLagUe{SPLO
00000010 | 6954 7D37 3738 3332 0D0A 5553 4552 2053 | iT}77832..USER S
00000020 | 6E69 7061 202A 206F 6B20 0334 0254 6561 | nipa * ok .4.Tea
00000030 | 4D20 556E 6958 2062 3061 7420 302E 340D | M

Secret2.Virus.Gov [Crew]

Remote Host: relax.helldark.biz
Port Number: 3211

00000000 | 5041 5353 2056 6972 7573 0D0A 4E49 434B | PASS Virus..NICK
00000010 | 2056 6972 5573 2D63 6776 656F 6A61 730D | VirUs-cgveojas.
00000020 | 0A55 5345 5220 5669 7255 7320 2222 2022 | .USER VirUs "" "
00000030 | 6A63 7222 203A 2003 322C 3102 0334 4961 | jcr" :
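The IRC captures above (the shv4.ath.cx session, the xmmx.ax.lt and relax.helldark.biz registrations, and the vteamunix.info dump) share the traits that make this traffic easy to pick out of a sandbox or packet capture: a server PASS that a public IRC user never sends, templated nicks such as USA|7008 or [N00|USA|421198], a keyed channel, IRC on ports like 443, 3211 or 65520, and status lines reporting exploit statistics. Note too that the xarbot session answers CTCP VERSION with a canned "mIRC v6.14" string, so a client-version reply is not evidence of a human operator. The script below is an added example, not part of the original listing or of any of these bots: it reassembles a session from the report's "offset | hex | ascii" dump layout (the hex column, because the ASCII column is lossy and truncated), parses the IRC registration, and lists the bot-like traits. SAMPLE_SESSION is a constructed stream assembled from values that appear in the captures above; PAGE_DUMP is the relax.helldark.biz dump copied verbatim.

```python
"""Reassemble an IRC bot's C2 session from a sandbox hex dump, extract the
registration indicators, and triage the traits that mark it as a bot."""
import re

# Constructed sample session, assembled from values seen in the captures
# above (xxxlilly registration, xarbot status lines); not any one report.
SAMPLE_SESSION = (
    b"PASS owned\r\n"
    b"NICK [N00|USA|421198]\r\n"
    b"USER XP-2425 * 0 :HOME-OFF-D5F0AC\r\n"
    b"JOIN #!m! abc\r\n"
    b"MODE #!m! +snt\r\n"
    b"PRIVMSG #!m! :[MAIN]: Bot ID: [.:xarbot:.].\r\n"
    b"PRIVMSG #!m! :[SCAN]: Exploit Statistics: VNC: 0, dcom2-135: 3, "
    b"dcom2-445: 1, Total: 4 in 0d 0h 2m.\r\n"
)

# The relax.helldark.biz dump from the report above, verbatim. The last
# row's ASCII column is cut off on the page; the hex column is complete.
PAGE_DUMP = """\
00000000 | 5041 5353 2056 6972 7573 0D0A 4E49 434B | PASS Virus..NICK
00000010 | 2056 6972 5573 2D63 6776 656F 6A61 730D | VirUs-cgveojas.
00000020 | 0A55 5345 5220 5669 7255 7320 2222 2022 | .USER VirUs "" "
00000030 | 6A63 7222 203A 2003 322C 3102 0334 4961 | jcr" :
"""

HEX_ROW = re.compile(r"^[0-9A-Fa-f]{8}\s*\|\s*([0-9A-Fa-f ]+?)\s*\|")
STATS_RE = re.compile(r"([A-Za-z0-9-]+): (\d+)")
NICK_TAG_RE = re.compile(r"^\[?[A-Za-z0-9]*\|?[A-Z]{2,3}\|\d{3,}\]?$")
STANDARD_IRC_PORTS = {6667, 6697}


def to_hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes in the 'offset | 4E49 434B ... | ascii' report layout."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        words = [chunk[i:i + 2].hex().upper() for i in range(0, len(chunk), 2)]
        printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08X} | {' '.join(words)} | {printable}")
    return "\n".join(rows)


def from_hexdump(text: str) -> bytes:
    """Recover raw bytes from the hex column only. The ASCII column is lossy
    (CR, LF and the mIRC colour byte 0x03 all print as '.') and often cut."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_irc(data: bytes) -> list:
    """Split a client->server stream into (COMMAND, params, trailing) tuples."""
    msgs = []
    for raw in data.split(b"\r\n"):
        if not raw:
            continue
        line = raw.decode("latin-1")
        if line.startswith(":"):              # drop an origin prefix if present
            line = line.split(" ", 1)[-1]
        head, sep, trailing = line.partition(" :")
        parts = head.split()
        if parts:
            msgs.append((parts[0].upper(), parts[1:], trailing if sep else None))
    return msgs


def extract_indicators(msgs: list) -> dict:
    """Pull registration details, joined channels/keys and status reports."""
    ind = {"password": None, "nick": None, "ident": None, "realname": None,
           "channels": [], "reports": [], "exploit_stats": {}}
    for cmd, params, trailing in msgs:
        if cmd == "PASS" and params:
            ind["password"] = params[0]
        elif cmd == "NICK" and params:
            ind["nick"] = params[0]
        elif cmd == "USER" and params:
            ind["ident"], ind["realname"] = params[0], trailing
        elif cmd == "JOIN" and params:        # JOIN <chan>[,<chan>] [<key>[,<key>]]
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            ind["channels"] += [(c, keys[i] if i < len(keys) else None)
                                for i, c in enumerate(chans)]
        elif cmd == "PRIVMSG" and trailing:
            ind["reports"].append(trailing)
            if "Exploit Statistics:" in trailing:
                body = trailing.split("Exploit Statistics:", 1)[1]
                ind["exploit_stats"] = {k: int(v) for k, v in STATS_RE.findall(body)}
    return ind


def triage(ind: dict, remote_port: int) -> list:
    """Reasons this session looks like a bot rather than a human IRC client."""
    reasons = []
    if remote_port not in STANDARD_IRC_PORTS:
        reasons.append(f"IRC on non-standard port {remote_port}")
    if ind["password"]:
        reasons.append("server password sent with PASS (private C2 server)")
    if ind["nick"] and NICK_TAG_RE.match(ind["nick"]):
        reasons.append("nick follows a <tag>|<country>|<id> template")
    if ind["exploit_stats"]:
        reasons.append("bot reports exploit/scan statistics into the channel")
    return reasons


if __name__ == "__main__":
    for label, data, port in (("constructed sample", SAMPLE_SESSION, 1863),
                              ("relax.helldark.biz", from_hexdump(PAGE_DUMP), 3211)):
        ind = extract_indicators(parse_irc(data))
        print(label, ind["nick"], ind["password"], ind["channels"], ind["exploit_stats"])
        for reason in triage(ind, port):
            print("  -", reason)
```

Run it as-is to see both sessions triaged; feed `from_hexdump` any other dump in this layout to recover its stream. The triage is a set of heuristics, not a verdict: a PASS alone also appears on legitimate private servers, so treat the reasons as pivots for hunting (the nick template and channel key are good ones) rather than as a signature.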