95.211.21.131

Remote Host      Port Number
95.211.21.131    8888

NICK i{USA|XP}euyuyij
USER i{USA|XP}euyuyij 0 0 :i{USA|XP}euyuyij
JOIN #botoholiker

Registry Modifications

* The following Registry Key was created:
  o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App
* The following Registry Keys were deleted:
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot file system
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CryptSvc
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dmadmin

173.204.76.243

Remote Host       Port Number
173.204.76.243    81

NICK n[USA|XP]0956120
USER s “” “lol” :s
JOIN #newbin#
PONG 422
JOIN #USA (null)
Now talking in #newbin#
Topic On: [ #newbin# ] [ .st ]
Topic By: [ vps ]

* The following port was open in the system:

Port    Protocol    Process
1057    TCP         msng.exe (%AppData%\msng.exe)

Registry Modifications

95.154.216.63

Remote Host      Port Number
95.154.216.63    3211

PASS Virus
NICK VirUs-prpgqjsq
USER VirUs “” “hjr” : 8Coded 8VirUs..
JOIN #koko# Virus
PONG :fbi.gov

Registry Modifications

* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67XOR2B0-3GMC-89VV-JIJ1-24KL2R3222431}
* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67XOR2B0-3GMC-89VV-JIJ1-24KL2R3222431}]
    + StubPath = “c:SABERV2009SABER.exe”
    so that SABER.exe runs every

eaglezinc.com

Remote Host      Port Number
eaglezinc.com    4723

join #EaGLeZ
NICK n{USA|XP}fopvzai
USER n{USA|XP}fopvzai 0 0 :n{USA|XP}fopvzai

* To mark the presence in the system, the following Mutex object was created:
  o DirectSound Administrator shared thread array (lock)
* The following Host Name was requested from a host database:
  o eaglezinc.com

Registry Modifications

* The following Registry

join.kizlarevi.net

PING join.kizlarevi.net
USER [NEW|9898] False * :neOn1
NICK [NEW|9898]
JOIN #k9
PONG :You have not registered
JOIN ##USA
Now talking in #k9
Topic On: [ #k9 ] [ !p2p ]
Topic By: [ LnX ]

join.kizlarevi.net 95.154.241.53
mue-88-130-35-093.dsl.tropolys.de 88.130.35.93
join.kizlarevi.net

Opened listening TCP connection on port: 113

* C&C Server: 95.154.241.53:6667
* Server Password: *

irc.ppoeconx.com

98.209.125.232 (6667)

Invisible Users: 246
Operators: 2 operator(s) online
Channels: 8 channels formed
Clients: I have 266 clients and 0 servers
Local users: Current Local Users: 266 Max: 435
Global users: Current Global Users: 266 Max: 345

join #cyba

74.82.163.179

Remote Host      Port Number
74.82.163.179    998

Other details

* The following port was open in the system:

Port    Protocol    Process
1053    TCP         spjsxy.exe (%System%\spjsxy.exe)

Registry Modifications

* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KCMDSVC
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KCMDSVC000
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KCMDSVC000\Control
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kcmdsvc
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kcmdsvc\Security
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kcmdsvc\Enum
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KCMDSVC
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KCMDSVC000
  o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KCMDSVC000\Control

34real.ru

34real.ru 193.105.207.120

Opened listening TCP connection on port: 11012
Opened listening TCP connection on port: 17479

Download URLs
http://193.105.207.120/http/bin.bin (34real.ru)
http://193.105.207.120/http/bin.exe (34real.ru)
http://193.105.207.120/http/rapport.exe (34real.ru)
http://193.105.207.120/http/killaa.exe (34real.ru)
http://193.105.207.120/http/bin.bin (34real.ru)
http://193.105.207.120/http/bin.exe (34real.ru)
http://193.105.207.120/http/bin.bin (34real.ru)

Data posted to URLs
http://193.105.207.120/http/logosex.php (34real.ru)
http://193.105.207.120/http/logosex.php (34real.ru)
http://193.105.207.120/http/logosex.php (34real.ru)
http://193.105.207.120/http/logosex.php (34real.ru)
http://193.105.207.120/http/logosex.php (34real.ru)
http://193.105.207.120/http/logosex.php (34real.ru)

Outgoing connection to remote server: 34real.ru TCP port

200.113.159.243

Remote Host Port Number 200.113.159.243 1234 * The data identified by the following URLs was then requested from the remote web server: