64.202.120.41(botnet hosted with hostforweb.com)

By Pig, November 25, 2010

another botnet server hosted in US CHICAGO from www.hostforweb.com

Remote Host Port Number
204.0.5.42 80
204.0.5.43 80
204.0.5.58 80
208.43.117.134 80
216.178.38.103 80
216.178.38.168 80
63.135.86.30 80
63.135.86.37 80
64.208.138.101 80
66.220.149.25 80
64.202.120.41 1234 PASS xxx ircd here

NICK NEW-[USA|00|P|09511]
USER XP-8613 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|09511] -ix
JOIN #!nn! test
PONG 22 MOTD

* The data identified by the following URLs was then requested from the remote web server:
o http://c3.ac-images.myspacecdn.com/images02/147/s_8578334d00dd4d37ace6b79e5c020f1e.jpg
o http://c3.ac-images.myspacecdn.com/images02/116/s_6dbe1cb5a75441fe83b6c43bad230846.jpg
o http://c3.ac-images.myspacecdn.com/images02/115/s_539cf2bef90e43889e7a7c1691be3d8a.jpg
o http://c3.ac-images.myspacecdn.com/images02/88/s_99af6df1b4194166aed67fb6b788738e.jpg
o http://c3.ac-images.myspacecdn.com/images02/127/s_c080c24bf8c84e0bba9e8c3c5c30377a.jpg
o http://c3.ac-images.myspacecdn.com/images02/150/s_87022d8de1d04d2b8839e3e3e30e7ada.jpg
o http://c3.ac-images.myspacecdn.com/images02/122/s_6e296553c14a4f1baf13cf54141d067e.jpg
o http://c3.ac-images.myspacecdn.com/images02/152/s_e11bf5f54de045ecb36f56b89ef3c46e.jpg
o http://c3.ac-images.myspacecdn.com/images01/57/s_c10763cd34f5a7cfeff08e3a01755f72.jpg
o http://c3.ac-images.myspacecdn.com/images02/115/s_3182373ec2ce46119a650f2f13ea87da.jpg
o http://c3.ac-images.myspacecdn.com/images01/68/s_834c7a0888f2141f0a305780f8236d76.jpg
o http://c3.ac-images.myspacecdn.com/images01/88/s_bb632d66cad39ef0d6af94bb08530fbe.jpg
o http://c3.ac-images.myspacecdn.com/images02/89/s_a51c05d06cc245058a9e3a93f2beec9e.jpg
o http://c4.ac-images.myspacecdn.com/images02/151/s_fbc348f71fcb4829b106823cb4a6966b.jpg
o http://c4.ac-images.myspacecdn.com/images02/133/s_bf9950d7ecea4ecb94985db2427e4eff.jpg
o http://c4.ac-images.myspacecdn.com/images02/13/s_64b5cd0ed43e4fc7a6aa8526de8257ef.jpg
o http://c4.ac-images.myspacecdn.com/images02/112/s_35ab3771bf3b4eee9ff42d8464a68a2b.jpg
o http://c4.ac-images.myspacecdn.com/images02/72/s_4913bf7d492c4821b87dcaa99066c357.gif
o http://c4.ac-images.myspacecdn.com/images02/65/s_8f5cf264c43b45cdb12043e5f974571f.jpg
o http://c4.ac-images.myspacecdn.com/images02/136/s_8373a9daaabb4f1b9c31107d931ab83f.jpg
o http://c1.ac-images.myspacecdn.com/images02/79/s_0d6ac8575e80466d84b9709517bc4cd8.jpg
o http://c1.ac-images.myspacecdn.com/images02/137/s_0c76d8ca0a664991ae1e026af6121ef4.jpg
o http://c2.ac-images.myspacecdn.com/images01/82/s_8bfbab0eee021a5c444c2c575e3ca4b9.jpg
o http://c2.ac-images.myspacecdn.com/images02/121/s_910e618c08d546d3a26e67cefad07821.jpg
o http://c2.ac-images.myspacecdn.com/images02/113/s_b8ac2f227d0a4a2bb24076eb99095181.jpg
o http://c1.ac-images.myspacecdn.com/images02/143/s_71cbe866ca9a4ea4ae41c006dc3e433c.jpg
o http://c1.ac-images.myspacecdn.com/images02/32/s_7d451bc2c6a246e998f361b97a97fc80.jpg
o http://c2.ac-images.myspacecdn.com/images02/133/s_6efdd9deb7f14b89bf63ff52d0143f59.jpg
o http://c2.ac-images.myspacecdn.com/images02/117/s_1fe68099554a46d28db3eeeb9bb913fd.jpg
o http://c2.ac-images.myspacecdn.com/images02/107/s_d4b8452329c44c6abd69b2425a495745.jpg
o http://c1.ac-images.myspacecdn.com/images02/131/s_3cfce8a5a3644ed8a605e3dfdeec52d0.jpg
o http://c1.ac-images.myspacecdn.com/images02/101/s_6a4f5cf6cb464802bdbdd09b94e3aab4.jpg
o http://c2.ac-images.myspacecdn.com/images02/119/s_b60616c4e1824aaea1e7e07496a623e9.jpg
o http://c1.ac-images.myspacecdn.com/images01/127/s_094f715e5992b08aef5e37f94ba82480.jpg
o http://c2.ac-images.myspacecdn.com/images02/102/s_2d9620548e0a47f682035a894c87f445.jpg
o http://c1.ac-images.myspacecdn.com/images02/140/s_16b36018c6e04ea6b30c99701b30175c.jpg
o http://c2.ac-images.myspacecdn.com/images02/65/s_9b165e5c8c50493e89204481e713e751.jpg
o http://c2.ac-images.myspacecdn.com/images02/27/s_d5848fb8f2c64b649f22b3f5fb316915.jpg
o http://c1.ac-images.myspacecdn.com/images02/142/s_cd7b6362d2be4d32925c3809e1568d94.jpg
o http://c2.ac-images.myspacecdn.com/images02/135/s_2a03d480ab094406b4f7e5ad2788de19.jpg
o http://geo-lb01.w55c.net/x/brs1009?cbid=C1Hk2Cs3Sw1B.b3Zw2Xb3Ov1Y&cb=1290671521498&size=160×600&ess=MySpaceUGC&refurl=http%3A%2F%2Fbrowseusers.myspace.com%2FBrowse%2FBrowse.aspx
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://delb.opt.fimserve.com/adopt/?r=h&l=24000000&pos=leaderboard&rnd=920260495
o http://desk.opt.fimserve.com/adopt/?r=h&l=24000000&pos=skyscraper&rnd=920260495
o http://fim.adnxs.com/fpt?id=3594&size=728×90&flash=1&cookies=1&callback=C1Hk2Cs3Sw1B.b2Pk2Qs3Zw1X&referrer=www.foxaudiencenetwork.com&age=&gender=&cb=1290671521498
o http://www.facebook.com/home.php
o http://www.facebook.com/login.php
o http://ad.turn.com/server/bid/fan.bid?pub=10063193&cch=10063206&l=728×90&requestId=C1Hk2Cs3Sw1B.b1Ov2Yx3Aj1T&ref=http%3A%2F%2Fmyspace-ugc-foxaudiencenetwork.com&rand=1290671521498
o http://www.google-analytics.com/ga.js
o http://googleads.g.doubleclick.net/pagead/test_domain.js
o http://googleads.g.doubleclick.net/pagead/imgad?id=CMmR3aHY__eUwQEQoAEYwgQyCMaBJcmvmR7-
o http://pagead2.googlesyndication.com/pagead/show_ads.js
o http://pagead2.googlesyndication.com/pagead/expansion_embed.js
o http://pagead2.googlesyndication.com/pagead/render_ads.js
o http://x.myspacecdn.com/modules/common/static/css/Sprites/globalNavRefreshSprite.png
o http://x.myspacecdn.com/Modules/Splash/Static/img/bgSheet.png
o http://x.myspacecdn.com/modules/browse/static/img/btnicons_tiled.gif
o http://x.myspacecdn.com/modules/browse/static/css/browse_qiz4yewv.css
o http://x.myspacecdn.com/modules/common/static/css/global_-cca62xx.css
o http://x.myspacecdn.com/modules/profilesdirectory/static/css/browsebyname_4vb3esmf.css
o http://x.myspacecdn.com/modules/common/static/img/spacer.gif
o http://x.myspacecdn.com/modules/common/static/img/onlinenow2.gif
o http://x.myspacecdn.com/modules/splash/static/img/moduleBg.gif
o http://x.myspacecdn.com/Modules/Common/Static/img/cornersSheet3.png
o http://1.download.advertise.myspace.com/03/f9/32/77f93201c5e46ea979fd3c40d85e53a7_final.jpg
o http://cms.myspacecdn.com/cms/js/ad_wrapper0160.js
o http://js.myspacecdn.com/modules/common/static/js/atlas/msglobal_uabkhbad.js
o http://js.myspacecdn.com/modules/browse/static/js/browsebundle_kwg2eboy.js
o http://js.myspacecdn.com/modules/common/static/js/jquery/tracking/tynt_zcvgeagv.js?user=bjNOt4bfyr35kFadbiUt4I&lang=en
o http://js.myspacecdn.com/modules/common/static/js/atlas/quickpost_ujzxjul0.js
o http://js.myspacecdn.com/modules/common/static/js/atlas/richtexteditor_uvm5sqtf.js
o http://ad.yieldmanager.com/getbid?Z=728×90&s=796240&_salt=1290671521498&r=1&callback=C1Hk2Cs3Sw1B.b0Mf2Kt3Hm1C&cookie=1&flash=1&bvs=&hvs=BBJRUOOP&u=http%3A%2F%2Fbrowseusers.myspace.com%2FBrowse%2FBrowse.aspx

Other details

* The following ports were open in the system:

Port Protocol Process
1060 TCP nvsvc32.exe (%Windir%nvsvc32.exe)
1082 TCP nvsvc32.exe (%Windir%nvsvc32.exe)
1088 TCP nvsvc32.exe (%Windir%nvsvc32.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ NVIDIA driver monitor = “%Windir%nvsvc32.exe”

so that nvsvc32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTerminal ServerInstallSoftwareMicrosoftWindowsCurrentVersionRun]
+ NVIDIA driver monitor = “%Windir%nvsvc32.exe”

so that nvsvc32.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ NVIDIA driver monitor = “%Windir%nvsvc32.exe”

so that nvsvc32.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
nvsvc32.exe %Windir%nvsvc32.exe 3 137 536 bytes

* The following system service was modified:

Service Name Display Name New Status Service Filename
wuauserv Automatic Updates “Stopped” %System%svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%mdlu.dl 2 244 bytes MD5: 0xFAB95E4AAD477D75873A922D483B2C49
SHA-1: 0x3DF3D9340480C7EE8EB283BF717CE920CB476D19 (not available)
2 %Windir%nvsvc32.exe
[file and pathname of the sample #1] 62 464 bytes MD5: 0x79B01A638EE22248D047EE56ABD4FF69
SHA-1: 0xC0516DD578C44890B76D1837C2B3E0EBA089CEBF W32.Yimfoca [Symantec]
Trojan.Win32.Jorik.SdBot.fm [Kaspersky Lab]
Generic.dx!uij [McAfee]
Mal/PushBot-A [Sophos]
Backdoor:Win32/IRCbot [Microsoft]
Trojan.Win32.Jorik [Ikarus]
Win-Trojan/Seint.62464.M [AhnLab]
3 %Windir%wintybrd.png 3 416 bytes MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283 (not available)
4 %Windir%wintybrdf.jpg 3 968 bytes MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787 (not available)

Categories: Uncategorized