irc.sicakalem.com

irc.sicakalem.com 212.174.140.71

* C&C Server: 212.174.140.71:6667
* Server Password:
* Username: XP-1648
* Nickname: [00|DEU|239956]
* Channel: (Password: )
* Channeltopic:

* C&C Server: 212.174.140.71:6667
* Server Password:
* Username: XP-8131
* Nickname: [00|DEU|184371]
* Channel: (Password: )
* Channeltopic:

* C&C Server: 212.174.140.71:6667
* Server Password:
* Username: XP-6634
* Nickname: [00|DEU|338589]
* Channel: (Password: )
* Channeltopic:

* C&C Server: 212.174.140.71:6667
* Server Password:
* Username: XP-4425
* Nickname: [00|DEU|657924]
* Channel: (Password: )
* Channeltopic:

* C&C Server: 212.174.140.71:6667
* Server Password:
* Username: XP-1075
* Nickname: [00|DEU|982165]
* Channel: #x# (Password: hacimackackac)
* Channeltopic: :.msn.stop|.msn.msg Foto m ? http://img-img.co.cc/index.php?=

Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Update Manager" = systmde.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"

File Changes by all processes
New Files
c:\images\Foto0015JPG.exe
\Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\systmde.exe
C:\WINDOWS\systmde.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
Opened Files
\\.\Ip
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS
\\.\Ip
Deleted Files
Chronological Order
Create/Open File: c:\images\Foto0015JPG.exe (OPEN_ALWAYS)
Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\systmde.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\images\Foto0015JPG.exe to C:\WINDOWS\systmde.exe
Set File Attributes: C:\WINDOWS\systmde.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS ()
Find File: C:\WINDOWS\systmde.exe
Create/Open File: C:\WINDOWS\systmde.exe (OPEN_ALWAYS)
Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
