tmcn.gadarlar.net

tmcn.gadarlar.net 93.190.140.115

* C&C Server: 93.190.140.115:6667
* Server Password:
* Username: tkcjkbb
* Nickname: [DEU|XP|958278]
* Channel: #infected (Password: infected)
* Channeltopic:

Registry Changes by all processes

Create or Open Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Services" = marqi.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run "Windows Services" = marqi.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "c:\ecem.exe" = c:\ecem.exe:*:Enabled:Windows Services

Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "InstallRoot"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "CLRLoadLogDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "OnlyUseLatestCLR"

69.245.107.191

69.245.107.191 (6667), channel #rb

Invisible Users: 267
Operators: 1 operator(s) online
Channels: 7 channels formed
Clients: I have 289 clients and 0 servers
Local users: Current Local Users: 289  Max: 412
Global users: Current Global Users: 289  Max: 412

us.unicatz.com

DNS Queries:
Name            Query Type   Query Result    Successful   Protocol
us.unicatz.com  DNS_TYPE_A   66.252.13.214   1

66.252.13.214:2010
Nick: vnzznnsc
Username: vnzznnsc
Joined Channel: #us# with Password d0s

lamentin97.sytes.net

o Host By Name:
  + Requested Host: lamentin97.sytes.net
  + Resulting Address: 82.230.41.47
o Connection Established: 0
o Socket: 0
* UDP connections_listening
  o Transport Protocol: TCP
  o Local Port: 113
  o Connection Established: 0
  o Socket: 1704
* Outgoing Connections
  + IRC Data
    # User Name: jiuy
    # Host Name: 0
    # Server Name:

www.zzgame.co.kr

Host Name         IP Address
www.zzgame.co.kr  220.90.213.158
114.207.112.169   114.207.112.169

Download URLs
http://220.90.213.158/SPMgrs/SPMgrs.svc (www.zzgame.co.kr)
http://114.207.112.169/MSSPMGR/NVCC.exe (114.207.112.169)
http://220.90.213.158/SPMgrs/initi.dll (www.zzgame.co.kr)
http://114.207.112.169/count_log/log/boot.php?p=SPMgrs&m=00-00-00-00-00-00 (114.207.112.169)

Outgoing connection to remote server: www.zzgame.co.kr TCP port 80
Outgoing connection to remote server: 114.207.112.169 TCP port 80
Outgoing connection to remote server: www.zzgame.co.kr TCP port 80
Outgoing connection to remote server: 114.207.112.169 TCP port 80

75.73.242.77

Remote Host   Port Number
75.73.242.77  6667

NICK USA|00|XP|SP2|4431695
USER ftjjnps 0 0 :USA|00|XP|SP2|4431695
USERHOST USA|00|XP|SP2|4431695
MODE USA|00|XP|SP2|4431695 -x+i
JOIN ###chaosbot### chaosisfullalulz
PRIVMSG ###chaosbot### :[NETINFO]: [Type]: LAN (LAN Connection). [IP Address]: 192.168.194.128. [Hostname]: 174.133.89.72.
JOIN ###dd0s### (null)
PRIVMSG ###chaosbot### : (patcher.p fixed, version 1.
PONG :CE21787E

There was an outbound traffic produced on port 6667: 00000000

bbs.moiservice.com

* Unknown Connections
  o Host By Name:
    + Requested Host: bbs.moiservice.com
    + Resulting Address: 81.94.201.34
  o Connection Established: 0
  o Socket: 0
* Outgoing Connections
  + IRC Data
    # User Name: wrzorp
    # Host Name: 0
    # Server Name:
    # Real Name: _CHAR(0x03)_15‹_CHAR(0x03)_4·_CHAR(0x03)_01_CHAR(0x02)_l_CHAR(0x02)_a_CHAR(0x03)_04_CHAR(0x02)_m_CHAR(0x02)__CHAR(0x03)_01e_CHAR(0x02)_r_CHAR(0x02)__CHAR(0x03)_4·_CHAR(0x03)_15›
    # Nick Name: [USA]XP-SP2[00]9467
    # Non RFC Conform: 1
* Channel
  o

cc.valid.cc

Host Name    IP Address
cc.valid.cc  92.32.1.33

Outgoing connection to remote server: cc.valid.cc port 80

Registry Changes by all processes

Create or Open Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run "win32" = C:\WINDOWS\system32\wnd32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "win32" = C:\WINDOWS\system32\wnd32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "win32" = C:\WINDOWS\system32\wnd32.exe
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID "ID" = Kebab
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "c:\vir.exe" = c:\vir.exe:*:Enabled:Windows Messanger
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "DoNotAllowExceptions" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

flex.sintoniatotal.org

meinedosis.de 85.13.138.83

UDP Connections
Remote IP Address: 127.0.0.1  Port: 1037
Send Datagram: 269 packet(s) of size 1
Recv Datagram: 269 packet(s) of size 1

Download URLs
http://85.13.138.83/.sys/1 (meinedosis.de)
http://85.13.138.83/.sys/2 (meinedosis.de)
http://85.13.138.83/.sys/3 (meinedosis.de)
http://85.13.138.83/.sys/4 (meinedosis.de)

Outgoing connection to remote server: meinedosis.de TCP port 80
Outgoing connection to remote server: meinedosis.de TCP port 80
Outgoing connection

mails.pes2009.biz (Kolab Worm)

The following Host Name was requested from a host database: mails.pes2009.biz

There was a registered attempt to establish a connection with the remote host. The connection details are:

Remote Host        Port Number
mails.pes2009.biz  8800

Registry Modifications

The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Taskman = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe"
so that psysnew.exe runs every time Windows starts
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
psysnew