Month: March 2010

winupdservice.net

winupdservice.net  205.234.232.216

C&C Server: 205.234.232.216:81
Server Password:
Username: s
Nickname: n[DEU|XP]7063463
Channel: #start# (Password: )
Channeltopic: :

Registry Changes by all processes
Create or Open Changes:
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    "C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\winsvcn.exe" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\winsvcn.exe:*:Enabled:WindowsUpdateManager
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "WindowsUpdateManager" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\winsvcn.exe
Reads:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility

test.panjsheri.com

Remote Address: 70.39.83.130
Host Name: test.panjsheri.com
IRC Data
  User Name: s
  Host Name: ""
  Server Name:
  Real Name: s
  Nick Name: n[USA|XP]1031764
  Non RFC Conform: 1
  Channel
    Name: #start#
Transport Protocol: TCP
Remote Address: 70.39.83.130
Remote Port: 81
Protocol: IRC

bul.panjsheri.com

Remote Host         Port Number
bul.panjsheri.com   1234

NICK n[USA|XP]0002913
USER 4625 "" "lol" :4625
JOIN #po#
NICK [USA|XP]9349820
USER 4548 "" "lol" :4548

Other details
  To mark the presence in the system, the following Mutex object was created:
    SN6JSN868L
  The following ports were open in the system:
    Port  Protocol  Process
    1034  TCP       aiambc.exe

irandy.info

Remote Host   Port Number
irandy.info   8160

NICK {USA-XP}481463
USER yjmpomf * 0 :COMPUTERNAME

The following ports were open in the system:
  Port  Protocol  Process
  1033  TCP       svhost.exe (%Windir%\svhost.exe)
  1034  TCP       svhost.exe (%Windir%\svhost.exe)
The following Host Name was requested from a host database:
  irandy.info

Other details
  To mark the presence in the

stores.dellhp.net

Remote Address: 82.114.87.46
Host Name: stores.dellhp.net
Transport Protocol: TCP
Remote Address: 82.114.87.46
Remote Port: 1234
Protocol: IRC
IRC Data
  User Name: 3052
  Host Name: ""
  Server Name:
  Real Name: 3052
  Nick Name: n[USA|XP]8081698
  Non RFC Conform: 1
  Channel
    Name: #dl#

173.201.179.47

Remote Host      Port Number
173.201.179.47   8016

NICK [00|USA|492539]
PONG sv.privatenetwork.pv
USER XP-0542 * 0 :COMPUTERNAME
MODE [00|USA|492539] +su
JOIN #private
MODE #private +su
NICK [00|USA|890609]
USER XP-0460 * 0 :COMPUTERNAME
MODE [00|USA|890609] +su

The following port was open in the system:
  Port  Protocol  Process
  1054  TCP       service.exe (%Windir%\service.exe)

Registry Modifications
  The following Registry

electric-servers.com

electric-servers.com  217.23.7.121

C&C Server: 217.23.7.121:6667
Server Password:
Username: XP-0733
Nickname: [DEU-[L]-65709]NEW
Channel: #Cracker (Password: none)
Channeltopic:

Registry Changes by all processes
Create or Open Changes:
  HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
    "FontCachePath" = C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Micrososft Omg" = taskmgrr.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    "Micrososft Omg" = taskmgrr.exe
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    "C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\file1.exe" = C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\file1.exe:*:Enabled:Micrososft Omg

teamwaffle.net (SPAM BOT)

boards.4chan.org          204.152.204.174
static.4chan.org          204.152.204.172
teamwaffle.net            94.102.55.216
0.thumbs.4chan.org        204.152.204.169
1.thumbs.4chan.org        204.152.204.169
2.thumbs.4chan.org        204.152.204.169
edge.quantserve.com       212.201.100.179
pixel.quantserve.com      4.71.209.20
www.google-analytics.com  74.125.43.113
sys.4chan.org             204.152.204.156

UDP Connections
  Remote IP Address: 127.0.0.1  Port: 1128
  Send Datagram: 401 packet(s) of size 1
  Recv Datagram: 401 packet(s) of size 1

Download URLs
  http://204.152.204.174/b/

just.addsyrup.net

just.addsyrup.net  174.120.225.25

C&C Server: 174.120.225.25:6667
Server Password:
Username: 9273
Nickname: [9273|DEU|XP]
Channel: ##syrup## (Password: da32rga4a)
Channeltopic: :http://teamwaffle.net/bots/syrup.exe

Registry Changes by all processes
Create or Open Changes:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "Microsoft Windows Hosting Service Login" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Microsoft Windows Hosting Service Login" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    "Microsoft Windows Hosting Service Login" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\explorer.exe
Reads:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle

und.shkumbimi.net (JimyGJ next botnet)

und.shkumbimi.net  122.183.243.48

Opened listening TCP connection on port: 559
C&C Server: 122.183.243.48:12351
Server Password:
Username: pdndt
Nickname: pdndt
Channel: (Password: )
Channeltopic:

Registry Changes by all processes
Create or Open Changes:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Windows System Configuration" = C:\WINDOWS\winupdates.exe
Reads:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
  HKEY_CURRENT_USER\Software\Microsoft\CTF