ghostnet.ghostmarket.net

Remote Host Port Number
58.30.17.229 8080

NICK {NEW-USA-XP-SXYOQB}
USER USA “” “lol” :USA
JOIN #!Rape
PONG :ghostnet.ghostmarket.net

Other details

* The following port was open in the system:

Port Protocol Process
1052 TCP File.exe (%UserProfile%File.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Microsoft Drive Guard32 = “%UserProfile%File.exe”

so that File.exe runs every time Windows starts

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash
1 %UserProfile%File.exe
%Temp%CryptedFile.exe 17 408 bytes MD5: 0x3EC8E47A22DE3BAECF5BBD97BDA4746A
SHA-1: 0x88E11E2F7CDE42C1D71DA30A6745CF177BF62761
2 %System%NewAge.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
3 [file and pathname of the sample #1] 746 008 bytes MD5: 0x93C80462173571D403E1B538C9036105
SHA-1: 0x0B3A62FBF6721ED49FCC971E2DE13FE9DA59DAB6

Message of the day:
26/11/2009 1:55
Ohi there. You stumbled across another c&c server. Congrats.
I hope you feel accomplished about your amazing discovery and whatnot. I mean shittt, you must be like the next marco polo right?
But anyways, ill let you go so you can try to steal thoseconnected to this server or whatever. Adios.