Month: January 2010

java.KUTLUFAMILY.COM

Hostname / IP resolution
* java.KUTLUFAMILY.COM -> 66.90.113.196
* membres.lycos.fr -> 213.131.252.251
* membres.multimania.fr -> 213.131.252.251
* proxyworld.ifrance.com -> 82.196.5.79

Download URLs
* http://213.131.252.251/proxyworld/azenv.php (membres.lycos.fr) - requested 7 times
* http://82.196.5.79/azenv.php (proxyworld.ifrance.com)
azenv.php is the well-known "AZ Environment" proxy-judge script: it echoes the requesting client's IP address and request headers back, so a bot fetches it to learn its external address and whether it sits behind a proxy. The copies here are hosted on free web space (Lycos/Multimania/iFrance), not on the C&C host itself.

* C&C Server: 66.90.113.196:81
* Server Password:
* Username: SP3-536
* Nickname: [N00_DEU_XP_9471050]ˆð@
* Channel: (Password: )
* Channeltopic:
* C&C Server: 66.90.113.196:80
* Server Password:

onlinecentralstore.com

Hostname / IP resolution
* onlinecentralstore.com -> 193.105.0.60
* 76.191.104.55 (contacted by address)

Opened listening TCP connection on port: 28976
Opened listening TCP connection on port: 37660

Download URLs
* http://193.105.0.60/pemperem.bin (onlinecentralstore.com) - requested twice
* http://193.105.0.60/ononnono.exe (onlinecentralstore.com)

Outgoing connection to remote server: onlinecentralstore.com TCP port 80 (twice)
Outgoing connection to remote server: 76.191.104.55 TCP port 443
Outgoing

mindleak.com(detox bot)

Hostnames
* mindleak.com
* 0xff.memzero.info
* 0x80.online-software.org
* 0x80.goingformars.com
* 0x80.martiansong.com
* 0x80.my1x1.com

C&C: /server 194.109.11.65 6556 (IRC on 194.109.11.65, port 6556)
Channels: #9#, #raw, #exploit
Family: detox bot

mot.thand.su

Hostname / IP resolution
* mot.thand.su -> 69.42.218.72
* fr.thand.su -> 67.214.175.92
* www.cship.info -> 87.98.247.2

Download URLs
* http://67.214.175.92/ (fr.thand.su) - requested 3 times
* http://87.98.247.2/azenv.php (www.cship.info) - requested 4 times (azenv.php is a proxy-judge script that echoes the client's IP and headers; the bot uses it to find its external address)

* C&C Server: 69.42.218.72:1863
* Server Password:
* Username: SP3-082
* Nickname: [N00_DEU_XP_8844899]_CHAR(0x18)_á@ (the _CHAR(0x18)_ marker is the report's rendering of a raw control byte inside the nick)
* Channel: (Password: )
* Channeltopic:
* C&C Server: 69.42.218.72:1863
* Server Password:
* Username: SP3-582
* Nickname:
Note the C&C port: 1863 is the port used by MSN Messenger, so the IRC traffic to it looks like ordinary instant-messaging traffic to an egress filter that only checks port numbers.

grummerhens.net

Hostname / IP resolution
* grummerhens.net -> 66.96.219.101

Opened listening TCP connection on port: 21366

Download URLs
* http://66.96.219.101/13/cc.bin (grummerhens.net)

Outgoing connection to remote server: grummerhens.net TCP port 80 (3 times)

Registry Changes by all processes
Create or Open Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "userinit" = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
Appending a second executable to the comma-separated Winlogon Userinit value makes winlogon.exe start it at every interactive logon alongside the genuine userinit.exe, without touching any Run key. sdra64.exe in system32 together with a downloaded .bin configuration file is the persistence pattern of the Zeus/Zbot banking trojan of that period.

95.154.216.63

Remote Host: 95.154.216.63, Port: 3211

IRC session (client side):
NICK XP5e7Y3
USER Mazyon_1z7 "" "" :14Don`t 14Abuse 14Power
JOIN #g xpass
MODE #G
PRIVMSG XP5e7Y3 :
PING 1264507340
The channel #g is joined with the key "xpass". The "14" prefixes in the real-name field are mIRC colour codes whose leading control byte was lost when the report was rendered.

Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec

92.243.19.221(10k bots)

Remote Host: 92.243.19.221, Port: 16667

IRC session:
NICK [USA]XP-SP2[00]1154
USER qhvb 0 0 :
JOIN #l# lam 2k bots inside
USERHOST [USA]XP-SP2[00]1154
MODE [USA]XP-SP2[00]1154 -x+i
PONG :MBoY.Org

Server statistics (LUSERS replies):
Invisible Users: 6556
Channels: 19 channels formed
Clients: I have 6557 clients and 0 servers
Local users: Current Local Users: 6557 Max: 13429
Global users: Current Global Users: 6557
The nick encodes country, OS and service pack ([USA]XP-SP2) plus a random suffix, and the bot sets itself invisible (+i) so a casual /WHO does not list it; 6556 of the 6557 connected clients are invisible. The LUSERS figures give the size of the botnet directly: 6557 clients connected at the time of the run, with a high-water mark of 13429.

ju.backup-host.ru(45k bots)

Hostname / IP resolution
* 193.104.27.98 (contacted by address)

UDP Connections
Remote IP Address: 127.0.0.1, Port: 1036 - Send Datagram: 9 packet(s) of size 1, Recv Datagram: 9 packet(s) of size 1

Download URLs
* http://193.104.27.98/2krn.bin (193.104.27.98)

Outgoing connection to remote server: 193.104.27.98 TCP port 80

DNS Lookup (Host Name -> IP Address)
* dell-d3e62f7e26 -> 10.1.10.2
* 10.1.10.1 -> 10.1.10.1
* wpad
* 193.104.27.98 -> 193.104.27.98
* 193.104.27.107 -> 193.104.27.107

Opened listening TCP

sql.mytijn.org

Remote Host: 93.185.77.230, Port: 43000

IRC session:
NICK [00|USA|XP|SP2|6283
USER rpiid 0 0 :[00|USA|XP|SP2|6283
USERHOST [00|USA|XP|SP2|6283
MODE [00|USA|XP|SP2|6283 +i
JOIN #@tijn@#
PRIVMSG #@tijn@# :12 ScAnAgE 15 Random Method started at 192.168.x.x :sql-3306 for 0 minutes 5 delay 50 threads
PONG :B5B44799
The PRIVMSG is the bot reporting back to the channel that it has started scanning random hosts in 192.168.x.x for MySQL (TCP 3306) with 50 threads and a 5 second delay, i.e. it spreads through exposed MySQL servers. The "12" and "15" are mIRC colour codes with the control byte stripped.

* The following ports were open in the system:
Port Protocol Process
69 UDP
A listener on UDP/69 is a TFTP server; bots of this kind typically run one so that a host they have just exploited can pull the bot binary from the infecting machine.
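The three IRC sessions above (95.154.216.63, 92.243.19.221 and sql.mytijn.org) all show the same handshake pattern: a machine-generated nick, a keyed JOIN, a scan announcement or a LUSERS reply that gives away the size of the botnet. The following script, an added example that is not part of the original reports, triages a capture of such lines offline. SAMPLE_LINES is constructed from the messages shown in those posts; the server replies are written as RFC 1459 numerics 255/265 (which is where the "I have N clients" and "Current Local Users" text comes from) and the mIRC colour control byte (\x03) that the reports lost is restored. The nick heuristics and the findings layout are this example's own.

```python
"""Triage raw IRC traffic for bot C&C indicators (added example)."""
import re

# Constructed sample, one IRC message per line, as a proxy or IDS would log them.
SAMPLE_LINES = [
    # 92.243.19.221:16667 (server name taken from the PONG reply in the post)
    "NICK [USA]XP-SP2[00]1154",
    "USER qhvb 0 0 :",
    "JOIN #l# lam",
    "MODE [USA]XP-SP2[00]1154 -x+i",
    ":MBoY.Org 255 [USA]XP-SP2[00]1154 :I have 6557 clients and 0 servers",
    ":MBoY.Org 265 [USA]XP-SP2[00]1154 :Current Local Users: 6557 Max: 13429",
    # 93.185.77.230:43000 (sql.mytijn.org)
    "NICK [00|USA|XP|SP2|6283",
    "JOIN #@tijn@#",
    "PRIVMSG #@tijn@# :\x0312 ScAnAgE \x0315 Random Method started at "
    "192.168.x.x :sql-3306 for 0 minutes 5 delay 50 threads",
    # 95.154.216.63:3211
    "NICK XP5e7Y3",
    'USER Mazyon_1z7 "" "" :\x0314Don`t \x0314Abuse \x0314Power',
    "JOIN #g xpass",
    "PING 1264507340",
]

# mIRC formatting: \x03 colour (optionally "fg,bg"), bold, reset, reverse, italic, underline.
MIRC_CTRL = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1d\x1f]")
OS_TAGS = {"XP", "SP1", "SP2", "SP3", "2K", "2000", "NT", "VISTA", "W7"}
# Scan announcement in the form used by the sql.mytijn.org bot.
SCAN_RE = re.compile(
    r"Random Method started at (?P<target>\S+) :(?P<service>\S+) "
    r"for (?P<minutes>\d+) minutes (?P<delay>\d+) delay (?P<threads>\d+) threads"
)


def parse_irc_line(line):
    """Split one IRC message into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else None)


def looks_like_bot_nick(nick):
    """Heuristic (this example's own): generated nicks carry OS/SP/country tags in
    bracket or pipe groups ([USA]XP-SP2[00]1154, [00|USA|XP|SP2|6283, [00|DEU|298531])
    or glue an OS tag onto a random suffix (XP5e7Y3)."""
    tokens = [t for t in re.split(r"[\[\]|_\-]+", nick) if t]
    tagged = sum(1 for t in tokens if t.upper() in OS_TAGS)
    if nick.startswith("[") and (tagged >= 1 or len(tokens) >= 3):
        return True
    return re.fullmatch(r"(XP|2K|NT|W7)[A-Za-z0-9]{4,}", nick) is not None


def triage(lines):
    """Return bot-like nicks, joined channels with keys, scan commands and server size."""
    findings = {"bot_nicks": [], "channels": [], "scans": [], "lusers": {}, "realnames": []}
    for raw in lines:
        prefix, cmd, params, trailing = parse_irc_line(raw.rstrip("\r\n"))
        text = MIRC_CTRL.sub("", trailing) if trailing is not None else None
        if cmd == "NICK" and params and looks_like_bot_nick(params[0]):
            findings["bot_nicks"].append(params[0])
        elif cmd == "USER" and text:
            findings["realnames"].append(text.strip())
        elif cmd == "JOIN" and params:
            findings["channels"].append((params[0], params[1] if len(params) > 1 else None))
        elif cmd == "PRIVMSG" and text:
            m = SCAN_RE.search(text)
            if m:
                scan = m.groupdict()
                for k in ("minutes", "delay", "threads"):
                    scan[k] = int(scan[k])
                scan["channel"] = params[0]
                findings["scans"].append(scan)
        elif cmd == "255" and text:  # RPL_LUSERME
            m = re.search(r"I have (\d+) clients and (\d+) servers", text)
            if m:
                findings["lusers"].update(clients=int(m[1]), servers=int(m[2]))
        elif cmd == "265" and text:  # RPL_LOCALUSERS
            m = re.search(r"Current Local Users:\s*(\d+)\s+Max:\s*(\d+)", text)
            if m:
                findings["lusers"].update(local_users=int(m[1]), local_max=int(m[2]))
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Feeding real captures through `triage` instead of the sample gives the channel keys and scan targets needed for sinkholing or for an IDS rule; the nick heuristic is deliberately loose and should be tuned against the nicks seen in your own traffic.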

private.beer-rox.net

Hostname / IP resolution
* private.beer-rox.net -> 194.242.6.81

* C&C Server: 194.242.6.81:5822 (PASS aaa)
* Server Password:
* Username: XP-0428
* Nickname: [00|DEU|298531]
* Channel: #ddos# (Password: open)
* Channeltopic: :.msn.msg Estas foto es tuyo? http://www.sexy-brazil.com/mad.exe?= #log# #gt# 15K bots #log# = .pstore
In this bot family the channel topic doubles as the standing command that every bot runs on join: .msn.msg sends the Spanish lure "Estas foto es tuyo?" ("Is this photo yours?") with the link to mad.exe to the victim's MSN Messenger contacts, and .pstore harvests saved credentials from Windows Protected Storage. The "#gt# 15K bots" fragment is the operator's own note.

Registry Changes by all processes
Create or Open Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MSN Update" = wms.exe
The Run value name mimics a Messenger updater while the data is a bare file name rather than a full path.
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard
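The two registry changes recorded in this archive (the grummerhens.net sample extending Winlogon "Userinit" with sdra64.exe, and the private.beer-rox.net sample adding a Run value "MSN Update" = wms.exe) are both findable offline in a `reg export` of a suspect host. The script below is an added example, not code from the original reports: REG_EXPORT is constructed from those two entries in .reg file syntax, with one benign Run entry added as a control; the key and value names are the real Windows ones, while the parser, the checks and the findings format are this example's own.

```python
"""Offline persistence check over a .reg export (added example)."""
import ntpath
import re

# Constructed .reg export: the two changes from the posts plus one benign control entry.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSN Update"="wms.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse REG_SZ values of a .reg export into {key: {value_name: data}}.
    dword:/hex: values are not needed for this check and are skipped."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            reg[key][name] = _unescape(data[1:-1])
    return reg


def first_executable(cmd):
    """Executable part of a command line: the quoted token, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def userinit_extras(data):
    """Every entry of the comma-separated Userinit value other than the genuine
    system32\\userinit.exe; a userinit.exe outside system32 is reported too."""
    extras = []
    for entry in filter(None, (e.strip() for e in data.split(","))):
        head, tail = ntpath.split(entry)
        if tail.lower() == "userinit.exe" and head.lower().endswith("\\system32"):
            continue
        extras.append(entry)
    return extras


def find_persistence(reg):
    """Return (location, value, reason) triples for suspicious logon-time launches."""
    findings = []
    winlogon = reg.get(WINLOGON, {})
    for extra in userinit_extras(winlogon.get("Userinit", "")):
        findings.append(("Winlogon Userinit", extra, "extra executable started at every logon"))
    shell = winlogon.get("Shell", "Explorer.exe")
    if shell.lower() != "explorer.exe":
        findings.append(("Winlogon Shell", shell, "shell replaced"))
    for key in RUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            exe = first_executable(cmd)
            if not ntpath.isabs(exe):
                findings.append((f"Run '{name}'", exe, "bare file name, not an absolute path"))
    return findings


if __name__ == "__main__":
    for location, value, reason in find_persistence(parse_reg_export(REG_EXPORT)):
        print(f"{location}: {value} ({reason})")
```

Run against a real export the same two checks surface both samples' persistence: the Userinit list is compared entry by entry rather than by substring, so a second executable appended after the genuine one (or a userinit.exe planted outside system32) is reported, and a Run value without an absolute path is flagged regardless of how innocuous its name sounds.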