200.164.228.252(Slice’s botnet)

Remote Host Port Number
200.164.228.252 31337 pass 1a2z3a4za6z5s6x5

NICK ^[USA]-[XP-SP2]-069721
USER 1360 “” “lol” :1360
PONG :412CF8FD
JOIN #jklolimawasp## 1a2z3a4za6z5s6x5
PRIVMSG #jklolimawasp## :
Bot killed from the system!

Now talking in #jklolimawasp##
Topic On: [ #jklolimawasp## ] [ !msn lol omfg. watch this http://www.ibrokemyinter.net/clips/ ]
Topic By: [ nickserv ]
Modes On: [ #jklolimawasp## ] [ + ]

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows Firewall = “%Temp%mserver.exe”

so that mserver.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Windows Firewall = “%Temp%mserver.exe”

so that mserver.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
mserver.exe %Temp%mserver.exe 86 016 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Temp%google_cache364.tmp 9 bytes MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891 (not available)
2 %Temp%mserver.exe
[file and pathname of the sample #1] 208 896 bytes MD5: 0x457FAAFCED3705DE1268C12830C99B10
SHA-1: 0xF72CC1DF85E46E5B25C074D20B6DF16327C81EA0 VirTool:Win32/VBInject.KR [Microsoft]
Trojan.Win32.Ircbrute [Ikarus]

here the botnet owner:
(whois Slice` )
nick: Slice`
name: (wut)
hostname: m@lolkthx.bai
channels: @#opers @#jklolimawasp##
server: google.com (Like.A.Baws.) IP: 200.164.228.252
oper status: Network Administrator
raw info: available for help.
idle: 7hrs 22mins 16secs
( end whois Slice` )