202.73.11.63

202.73.11.63 (6667) Current Local Users: 68 Max: 14 Current Global Users: 68 Max: 146 #kimi# 28 #boot# 2 #lnx 1 #!x! #vnc?# 1

n.main-update.com

n.main-update.com:81 #newbin# http://share-friend.com/n/phto-jpg-2010-05-29.scr

91.211.117.87

Remote Host Port Number 91.211.117.87 4723 NICK n{USA|XP}jjywrvd USER n{USA|XP}jjywrvd 0 0 :n{USA|XP}jjywrvd JOIN #E# Registry Modifications * The following Registry Key was created: o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App * The following Registry Keys were deleted: o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin

n3w.metraiciono.com

n3w.metraiciono.com 74.82.57.113 * C&C Server: 74.82.57.113:6567 PASS pr1v4d0onl1n3r * Server Password: * Username: XP-5152 * Nickname: [SI|DEU|00|P|69152] * Channel: #salvando# (Password: c1rc0s0leil) * Channeltopic: :- MODE [SI|USA|00|P|84975] -ix JOIN #n3wb0t# c1rc0s0leil PRIVMSG #n3wb0t# :[Dl]: File download: 104.1KB to: C:\DOCUME~1\UserName\LOCALS~1\Temp\eraseme_06333.exe @ 104.1KB/sec. QUIT [Update]: Updating to new bin. NICK [SI|USA|00|P|37304] USER XP-5387 * 0 :COMPUTERNAME MODE

64.202.120.49

Remote Host Port Number 204.0.5.41 80 204.0.5.42 80 204.0.5.43 80 204.0.5.48 80 204.0.5.51 80 207.38.101.12 80 216.178.38.103 80 216.178.38.168 80 63.135.86.21 80 63.135.86.37 80 64.202.120.49 81 ircd here PASS xxx JOIN #XXL test PONG 22 MOTD NICK NEW-[USA|00|P|16828] USER XP-8033 * 0 :COMPUTERNAME MODE NEW-[USA|00|P|16828] -ix * The data identified by the following URLs was

66.225.219.7

Remote Host Port Number 204.0.5.40 80 204.0.5.41 80 204.0.5.48 80 204.0.5.50 80 204.0.5.51 80 204.0.5.59 80 207.38.101.12 80 216.178.38.103 80 216.178.38.168 80 63.135.86.30 80 66.225.219.7 1234 ircd here PASS xxx JOIN #jakarta test MODE NEW-[USA|00|P|03217] -ix NICK NEW-[USA|00|P|03217] USER XP-9813 * 0 :COMPUTERNAME PONG irc.priv8net.com * The data identified by the following URLs was then

url.digitwordurl.com

url.digitwordurl.com 213.154.225.135 update.articlesdealing.com 74.86.97.166 74.86.97.166 74.86.97.166 Download URLs http://74.86.97.166/check.php (update.articlesdealing.com) * C&C Server: 213.154.225.135:1234 * Server Password: * Username: XP-3409 * Nickname: NEW-[DEU|00|P|04478] * Channel: #jakarta (Password: test) * Channeltopic: :.m.s|.m.n foto 😀 http://tinyurl.com/fb-views-album Outgoing connection to remote server: update.articlesdealing.com TCP port 80 Resolved : [url.digitwordurl.com] To [213.154.225.135] Resolved : [url.digitwordurl.com] To [200.113.159.243] browseusers.myspace.com browseusers.myspace.com

irc.ThunderNet.gr

Remote Host Port Number 123.242.226.29 14032 NICK latest_|USA||XP-SP2|631276 USER 6476 "" "lol" :6476 JOIN #.x.# %3%#%!%#^#%@^ PONG :irc.ThunderNet.gr Registry Modifications * The newly created Registry Values are: o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] + Java updater2 = "%Temp%\jusched2.exe" so that jusched2.exe runs every time Windows starts o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] + Java updater2 = "%Temp%\jusched2.exe" so that jusched2.exe runs every time

173.203.112.32

Remote Host Port Number 173.203.112.32 81 NICK n[USA|XP]1345482 USER s "" "lol" :s JOIN #newbin# PONG 422 JOIN #USA (null) * The following port was open in the system: Port Protocol Process 1055 TCP msng.exe (%AppData%\msng.exe) Registry Modifications * The newly created Registry Value is: o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] + Windows System Guard = "%AppData%\msng.exe" so that

doko.no-ip.org

doko.no-ip.org 72.20.1.26 Opened listening TCP connection on port: 13156 * C&C Server: 72.20.1.26:6667 * Server Password: * Username: ilkxj * Nickname: [nLh-VNC]wkceru * Channel: ##!seuz!## (Password: hackmx) * Channeltopic: :+scan 60 1 189.x.x.x 3 1 200.x.x.x Outgoing connection to remote server: 200.133.0.250 TCP port 5900 Outgoing connection to remote server: 200.216.191.20 TCP port 5900 Outgoing