Month: April 2010

moves.vaiosys.com (SnK new domain)

Remote Host        Port Number
moves.vaiosys.com  81

NICK [USA|XP]3955007
USER s "" "lol" :s
JOIN #newgen#
JOIN #USA (null)
NICK n[USA|XP]1780382
NICK [USA|XP]1860968

* To mark the presence in the system, the following Mutex object was created:
  o 9n7v6v9n8v5bn8
* The following ports were open in the system:
  Port  Protocol  Process
  1034  TCP       egun.exe (%AppData%\egun.exe)
  1035

windowsupdatecenter.net (SnK aspergillus mod)

Host Name           IP Address
www.scopeo-eng.com  213.186.33.2

UDP Connections
Remote IP Address: 127.0.0.1  Port: 1053
Send Datagram: 47 packet(s) of size 1
Recv Datagram: 47 packet(s) of size 1

Download URLs
http://213.186.33.2/fonctions/o.exe (www.scopeo-eng.com)

Outgoing connection to remote server: www.scopeo-eng.com TCP port 80

DNS Lookup
Host Name                IP Address
windowsupdatecenter.net  85.12.60.20

* C&C Server: 85.12.60.20:81
* Server Password:
* Username:

fusiiion.info

Remote Host    Port Number
fusiiion.info  51987

NICK [USA-161730]
USER 4197 "" "lol" :4197
JOIN #Asper
NICK [USA-551703]
USER 8351 "" "lol" :8351

Other details
* To mark the presence in the system, the following Mutex object was created:
  o GDT768YHJ
* The following ports were open in the system:
  Port  Protocol  Process
  1033  TCP       svchost.exe

add.e2doo.net

add.e2doo.net:2345  channel: #imb (key: test)
wd53 changes the topic to '.msn.stop|.msn.msg foto 😀 http://dondererphoto.com/showimage.php?='

DNS Lookup
Host Name                IP Address
browseusers.myspace.com  216.178.38.168
x.myspacecdn.com         212.201.100.169
myspace.ivwbox.de        193.46.63.103
cms.myspacecdn.com       212.201.100.169

UDP Connections
Remote IP Address: 127.0.0.1  Port: 1089
Send Datagram: 20 packet(s) of size 1
Recv Datagram: 20 packet(s) of size 1

Download URLs
http://216.178.38.168/Browse/Browse.aspx (browseusers.myspace.com)
http://212.201.100.169/modules/common/static/css/uploadcontrol_ioe1imsn.css (x.myspacecdn.com)
http://212.201.100.169/modules/browse/static/css/browse_qzzglnfy.css (x.myspacecdn.com)
http://212.201.100.169/modules/common/static/img/header/header001.png

216.246.99.115

Remote Host     Port Number
216.246.99.115  1234

NICK n[USA|XP]8338762
USER 9111 "" "lol" :9111
JOIN #dl#
PONG 422

* The following port was open in the system:
  Port  Protocol  Process
  1053  TCP       secfil.exe (%Windir%\secfil.exe)

Registry Modifications
* The following Registry Value was modified:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Userinit =

Memory Modifications
* There was a new

cx10man.weedns.com

Resolved: [cx10man.weedns.com] To [79.113.167.139]
Resolved: [cx10man.weedns.com] To [67.202.215.250]
Resolved: [cx10man.weedns.com] To [210.166.223.51]
Resolved: [cx10man.weedns.com] To [203.136.50.155]
Resolved: [cx10man.weedns.com] To [62.193.249.122]
Resolved: [cx10man.weedns.com] To [210.127.253.90]

Remote Host     Port Number
210.127.253.90  3305

NICK P|uz2kln8y2
USER ovoe6avbz * 0 :USA|XP|590
USERHOST P|uz2kln8y2
MODE P|uz2kln8y2
JOIN #mm
RSA
PRIVMSG #mm :+Cpiwe/Bec9E07RQ/c0vtb4S//EdYX/xXUDj093Z0X0JV7.c0ys0/7/xwG5K1ha85306R4h2/YHwTF/PxQdA067AvB/I3dvk159vvk//p1d3/tEsA/0b7FNk0cuplp14Otlj1MT7lW/KzwsA.RKUWp.jZL2z0EkS7/.wqp6e1
PRIVMSG #mm

mile.dbsarticles.com

mile.dbsarticles.com  205.234.222.37

* C&C Server: 205.234.222.37:2345
* Server Password:
* Username: XP-0642
* Nickname: NEW-[DEU|00|P|85489]
* Channel: #imb (Password: test)
* Channeltopic: :.msn.stop|.msn.msg foto 😀 http://expensiveimages.com/image.php?=

Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  "c:\IM35616.JPGwww.myspace.com.exe" = c:\IM35616.JPGwww.myspace.com.exe:*:Enabled:Firewall Administrating
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  "c:\IM35616.JPGwww.myspace.com.exe" = C:\WINDOWS\infocard.exe:*:Enabled:Firewall Administrating
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "Firewall Administrating" = C:\WINDOWS\infocard.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "Firewall Administrating" = C:\WINDOWS\infocard.exe

server.beareserver1.com

Remote Host     Port Number
204.0.5.34      80
204.0.5.41      80
204.0.5.49      80
204.0.5.51      80
204.0.5.58      80
216.178.38.103  80
216.178.38.168  80
63.135.86.30    80
63.135.86.39    80
64.210.61.214   80
64.202.120.57   2345  (ircd here)

* The data identified by the following URLs was then requested from the remote web server:
  o http://1.download.advertise.myspace.com/upld/cs/1//cs4_lb_1705_.jpg
  o http://1.download.advertise.myspace.com/upld/cs/1//cs3_sk_3469_.jpg
  o http://x.myspacecdn.com/modules/common/static/css/global_dbasuqgy.css
  o http://x.myspacecdn.com/modules/common/static/css/uploadcontrol_ioe1imsn.css
  o http://x.myspacecdn.com/modules/browse/static/css/browse_qzzglnfy.css

85.12.60.20

Remote Host  Port Number
85.12.60.20  81

NICK n[USA|XP]5266080
USER n "" "lol" :n
JOIN #control#
PONG 422
PONG :request.not.found

Other details
* The following port was open in the system:
  Port  Protocol  Process
  1053  TCP       winvsnc.exe (%AppData%\winvsnc.exe)

Registry Modifications
* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + WindowsUpdateControl = "%AppData%\winvsnc.exe"
  so that winvsnc.exe

207.58.186.227 (pBot)

var $config = array(
    "server"   => "207.58.186.227",
    "port"     => 7000,
    "pass"     => "",        // server password
    "prefix"   => "[B]",
    "maxrand"  => 4,
    "chan"     => "#crack",
    "key"      => "tow",     // channel password (key)
    "modes"    => "+p",
    "password" => "la",      // bot password
    "trigger"  => ".",
    "hostauth" => "*"        // * for any hostname
);

You can download this PHP bot here: http://stashbox.org/866727/stla.txt
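The indicators worth pulling out of reports like the ones above are the same every time: C2 host and port, the nick template, the channel and its key, and the server and bot passwords. The following Python is an added example, not code from this page's author or from any of the bot families listed here. It parses the client side of an IRC login (one command per line, as the sandbox excerpts read once their line breaks are restored) and a pBot `$config` array into one IOC record, and flags the country/OS-stamped nick templates seen on this page (`[USA|XP]3955007`, `[USA-161730]`, `NEW-[DEU|00|P|85489]`, `P|uz2kln8y2`). The sample inputs are constructed from the excerpts on this page; every function and field name is this example's own.

```python
"""Added example: extract C2 indicators from IRC-bot sandbox output and pBot configs.

Not code from this page's author or from any bot family listed on the page.
The sample inputs below are constructed from the page's excerpts; all names
are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Nick templates observed in the excerpts. Each family stamps the victim's
# country and OS into the nick, so the nick shape alone is a usable detection.
BOT_NICK_RES = [
    re.compile(r"^[a-z]?\[[A-Z]{2,3}\|[A-Za-z0-9]+\]\d{5,}$"),   # [USA|XP]3955007, n[USA|XP]8338762
    re.compile(r"^\[[A-Z]{2,3}-\d{5,}\]$"),                       # [USA-161730]
    re.compile(r"^NEW-\[[A-Z]{2,3}(\|[A-Za-z0-9]+){3}\]$"),       # NEW-[DEU|00|P|85489]
    re.compile(r"^[A-Z]\|[a-z0-9]{8,}$"),                          # P|uz2kln8y2
]


def is_bot_nick(nick: str) -> bool:
    """True if the nick matches one of the templates above."""
    return any(r.match(nick) for r in BOT_NICK_RES)


@dataclass
class IrcC2:
    server: str
    port: int
    nicks: List[str] = field(default_factory=list)
    users: List[str] = field(default_factory=list)
    channels: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (channel, key)
    server_password: Optional[str] = None
    bot_password: Optional[str] = None
    nick_prefix: Optional[str] = None   # pBot builds nicks as prefix + random digits
    bot_like: bool = False


def parse_irc_handshake(server: str, port: int, text: str) -> IrcC2:
    """Parse the client side of an IRC login, one command per line.

    Only NICK, USER and JOIN carry IOCs; PONG/MODE/USERHOST/PRIVMSG are skipped.
    Sandbox output prints "(null)" where JOIN had no channel key.
    """
    ioc = IrcC2(server=server, port=port)
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "NICK" and args:
            ioc.nicks.append(args[0])
        elif cmd == "USER" and args:
            ioc.users.append(args[0])          # USER <user> <mode|host> <unused> :<realname>
        elif cmd == "JOIN" and args:
            key = args[1] if len(args) > 1 and args[1] != "(null)" else None
            for chan in args[0].split(","):    # JOIN accepts a comma-separated channel list
                ioc.channels.append((chan, key))
    ioc.bot_like = any(is_bot_nick(n) for n in ioc.nicks)
    return ioc


# "key" => "value"  or  "key" => 1234  inside a PHP array() literal.
PBOT_KV = re.compile(r'"(\w+)"\s*=>\s*(?:"([^"]*)"|(\d+))')


def parse_pbot_config(php: str) -> IrcC2:
    """Extract the C2 settings from a pBot-style $config = array(...) block."""
    cfg = {}
    for m in PBOT_KV.finditer(php):
        key, s, n = m.groups()
        cfg[key] = s if s is not None else int(n)
    ioc = IrcC2(server=cfg["server"], port=int(cfg["port"]))
    ioc.channels.append((cfg["chan"], cfg.get("key") or None))
    ioc.server_password = cfg.get("pass") or None      # "" in the config means no password
    ioc.bot_password = cfg.get("password") or None
    ioc.nick_prefix = cfg.get("prefix")
    return ioc


# Constructed sample: the moves.vaiosys.com handshake from this page, one command per line.
IRC_SAMPLE = """NICK [USA|XP]3955007
USER s "" "lol" :s
JOIN #newgen#
JOIN #USA (null)
NICK n[USA|XP]1780382
NICK [USA|XP]1860968
"""

# Constructed sample: the pBot $config from the 207.58.186.227 post, straight-quoted.
PBOT_SAMPLE = """var $config = array(
    "server" => "207.58.186.227", "port" => 7000, "pass" => "",  // server password
    "prefix" => "[B]", "maxrand" => 4, "chan" => "#crack", "key" => "tow",
    "modes" => "+p", "password" => "la", "trigger" => ".", "hostauth" => "*"
);"""

if __name__ == "__main__":
    print(parse_irc_handshake("moves.vaiosys.com", 81, IRC_SAMPLE))
    print(parse_pbot_config(PBOT_SAMPLE))
```

The nick regexes are deliberately tight (fixed bracket layout, a minimum digit count) so that an ordinary user nick such as `wd53` from the add.e2doo.net excerpt does not trip them; loosen them only against a corpus of known-good nicks from the same network.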