comegetrocked.servequake.com(Ganja Bot)

Remote Host Port Number
217.23.13.116 6667

NICK n{USA|XP}338226
USER 4981 "" "TsGh" :4981
PONG :7656ABE7
JOIN Monster
PRIVMSG :New Infection!
PONG :comegetrocked.servequake.com

Now talking in
Topic On: [ ] [ Fud Ganja —>http://dl.dropbox.com/u/12206167/Ganja.exe dont bother trying to jack our bots bc we have auth-host and a way to weed you out. you wll be punished ]
Topic By: [ theboss ]
Modes On: [ ] [ +pn ]

Quits: {GBR|WN7}116439 [1164@26875CB7.64C30E5D.80B4DFF9.IP] (Ping timeout)
([USB]{RUS|WN7}633699{RUS|WN7}) [USB] Infected Drive Q:
([USB]{RUS|WN7}633699{RUS|WN7}) [USB] Infected Drive P:
Joins: {DEU|WN7}603990 [6039@BE242610.1A18CDC5.9D6673AA.IP
([USB]{RUS|WN7}633699{RUS|WN7}) [USB] Infected Drive Q:

* The following port was open in the system:

Port Protocol Process
1052 TCP taskeng.exe (%AppData%\taskeng.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Update System = "%AppData%\taskeng.exe"

so that taskeng.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Update System = "%AppData%\taskeng.exe"

so that taskeng.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
taskeng.exe %AppData%\taskeng.exe 57 344 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash
1 %AppData%\taskeng.exe
  [file and pathname of the sample #1]
  File Size: 1 224 704 bytes
  MD5: 0xE33CB0D0F66EA5527412E88B380D1EBE
  SHA-1: 0x7F841B6F9D555B48055768F24C19EB84267DE57A
2 %Temp%\google2cache2.tmp
  %Temp%\google_cache2.tmp
  File Size: 9 bytes
  MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
  SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891

Another DNS name from that lamer:
mmonster.no-ip.org DNS_TYPE_A 217.23.13.116
The noob uses no-ip for bots.
