Month: December 2010

al0r.net (botnet hosted in Germany, Hetzner Online AG)

Remote Host: 178.63.104.143, Port Number: 6667 (IRC)

Session as captured (several NICK/USER attempts, then the channel join):

  NICK XP-97862026
  USER 65162170 "" "sohbet.az" :00693017
  JOIN #Dos!
  MODE #Dos!
  USER 78139397 "" "sohbet.az" :35822378
  NICK XP-42563252
  USER 29409822 "" "sohbet.az" :93325375
  NICK XP-18370044

  Now talking in #Dos!
  Topic On: [ #Dos! ] [ .open http://www.google.com.tr/url?sa=t&source=web&cd=12&ved=0CG4QFjAL&url=http%3A%2F%2Fwww.onlinediziizleme.com%2F&rct=j&q=online%20dizi%20izle&ei=ddUcTYKfKsnCswarsIn6DA&usg=AFQjCNHLc6A8OMCjWpeOhCyWwAUBIQj4Og&cad=rja ]
  Topic By: [ Drox ]
  Modes On: [ #Dos! ] [

The channel topic is the command: ".open <URL>" makes every bot that joins open a Google redirect that lands on www.onlinediziizleme.com, so the botnet is being used to push traffic to that site. Nicks follow the template "XP-" plus an 8-digit random number, and the sample rotates nick and USER ident on each attempt.

irc.mafia-mexicana.org.mx (botnet hosted in Viet Nam, netblock "IP Range For XDSL IPTV Fixed Phone Service At HCMC")

Remote Host: 118.69.220.81, Port Number: 6667 (IRC)

Session as captured:

  NICK MP3-MD-l[8236]l
  NICK MP3-MD-l[8236]l 2
  NICK MP3-MD-l[8236]l 3
  NICK MP3-MD-l[8236]l 4
  NICK MP3-MD-l[8236]l 5
  PING irc.mafia-mexicana.org.mx
  NICK MP3-MD-l[8236]l 6
  USER MM 32 . ::: Mafia-Mexicana ::
  MODE MP3-MD-l[8236]l +ipx
  NICK MP3-MD-l[8236]l 0
  NICK MP3-MD-l[8236]l 1

Registry Modifications
  The following Registry Keys were created:
    HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions
    HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus

The repeated NICK lines with a trailing counter are nick-collision retries; once registered the bot sets itself +i (invisible) so it does not show up in /NAMES or /WHO from outside the channel. The HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions key is written by the Cygwin runtime, so the sample is a Cygwin-linked build.

penguin.unixbsd.info (Zeus Trojan hosted in the USA, PSYCHZ.NET)

Remote Host: 208.87.242.18, Port Number: 80 (HTTP)

The data identified by the following URLs was then requested from the remote web server:
  http://208.87.242.18/~remngor/files/depp/web/config.bin
  http://208.87.242.18/~remngor/files/depp/web/gate.php
  http://208.87.242.18/~remngor/files/depp/web/system/ip.php

Registry Modifications
  The following Registry Keys were created:
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
    HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
  The newly created Registry Values are:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

config.bin (the encrypted bot configuration) and gate.php (the script the bot reports stolen data to and takes commands from) sitting in one directory is the standard ZeuS 2.x kit layout; system/ip.php sits under the same web root. The keys appear under HKEY_USERS\.DEFAULT rather than HKEY_CURRENT_USER because the sandbox ran the sample under the system account; on a user desktop the same random-GUID keys land in the logged-on user's hive. The Protected Storage key is the store Internet Explorer 6 keeps saved form data and passwords in, consistent with ZeuS harvesting saved credentials.
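The config.bin/gate.php pair above is the behaviour a proxy-log rule can key on: a GET of a binary blob followed shortly by a POST to a script in the same directory on the same host, from the same client. Operators rename both files, so matching on the names alone misses; matching on the sequence does not. The detector below is an added example (not code from the page or from ZeuS) run over constructed proxy-log lines in Apache combined format with absolute URLs; the host 203.0.113.10, the client addresses, the extension lists and the five-minute window are all assumptions of the example.

```python
"""Flag ZeuS-style HTTP check-ins (config fetch, then POST to a gate
script in the same directory) in a web-proxy access log.

Added example; log lines are constructed, not captured."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Combined log format with an absolute URL in the request line, as a forward proxy writes it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

CONFIG_EXT = (".bin", ".dat", ".cfg")    # assumed: extensions used for an encrypted config blob
GATE_EXT = (".php", ".asp", ".aspx")     # assumed: server-side gate scripts
WINDOW = timedelta(minutes=5)            # assumed: config fetch and gate POST happen back to back

# Constructed sample: one infected client (10.0.0.5), one normal web user (10.0.0.7),
# and one client whose POST precedes its config fetch by far more than WINDOW (10.0.0.9).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2010:10:21:03 +0000] "GET http://203.0.113.10/~remngor/files/depp/web/config.bin HTTP/1.1" 200 4117 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.5 - - [13/Dec/2010:10:21:05 +0000] "POST http://203.0.113.10/~remngor/files/depp/web/gate.php HTTP/1.1" 200 33 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.7 - - [13/Dec/2010:10:22:10 +0000] "GET http://www.example.com/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Dec/2010:10:22:40 +0000] "POST http://www.example.com/login.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2010:10:30:00 +0000] "POST http://203.0.113.10/~remngor/files/depp/web/gate.php HTTP/1.1" 200 33 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [13/Dec/2010:11:05:00 +0000] "GET http://203.0.113.10/~remngor/files/depp/web/config.bin HTTP/1.1" 200 4117 "-" "Mozilla/4.0"',
]


def parse_line(line):
    """Return a dict with client, timestamp, method, host, path, dir and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    parts = urlsplit(d["url"])
    d["host"] = parts.netloc          # empty for a path-only access log; then key on the vhost instead
    d["path"] = parts.path
    d["dir"] = d["path"].rsplit("/", 1)[0] + "/"
    return d


def find_zeus_checkins(lines):
    """Alerts as (client, host, dir, config_path, gate_path, seconds_between)."""
    recs = [r for r in map(parse_line, lines) if r and r["status"] == 200]
    recs.sort(key=lambda r: r["ts"])              # logs are not always written in time order
    configs = defaultdict(list)                    # (client, host, dir) -> [(ts, path), ...]
    alerts = []
    for r in recs:
        key = (r["client"], r["host"], r["dir"])
        if r["method"] == "GET" and r["path"].lower().endswith(CONFIG_EXT):
            configs[key].append((r["ts"], r["path"]))
        elif r["method"] == "POST" and r["path"].lower().endswith(GATE_EXT):
            # Only a config fetch that preceded this POST within WINDOW counts;
            # a POST with no earlier fetch is just a form submission.
            for ts, cfg in configs[key]:
                gap = r["ts"] - ts
                if timedelta(0) <= gap <= WINDOW:
                    alerts.append((r["client"], r["host"], r["dir"], cfg, r["path"],
                                   int(gap.total_seconds())))
                    break
    return alerts


if __name__ == "__main__":
    for a in find_zeus_checkins(SAMPLE_LOG):
        print("zeus-style check-in:", a)
```

The 10.0.0.9 client is deliberately not flagged: its POST came first and its config fetch 35 minutes later. In practice that is not a miss worth worrying about, since a live bot re-fetches config.bin on a timer and the next cycle lands inside the window; the point is that the rule needs both halves in order, not merely both names.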

mrssimonquispe.enladisco.com (botnet hosted in the United States, Forney Networld Internet Services)

Remote Host: 206.123.89.191, Port Number: 6567

Session as captured:

  PASS s1m0n3t4
  MODE [SI|USA|00|P|61978] -ix
  JOIN #iausto# c1rc0dus0leil
  PONG Coupe2.Network
  NICK [SI|USA|00|P|61978]
  USER XP-6042 * 0 :COMPUTERNAME

The following port was open in the system:
  Port   Protocol   Process
  1053   TCP        tanga.exe (%Windir%\tanga.exe)

Registry Modifications
  The newly created Registry Values are:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      Service ares = "tanga.exe"

The server password (s1m0n3t4) and the channel key (c1rc0dus0leil) both cross the wire in the clear, so either is usable as a network signature for this botnet. The nick encodes country, a counter and a bot ID ([SI|USA|00|P|61978]); the USER ident carries "XP-" and the real name is the victim's computer name. The Run value "Service ares" starts tanga.exe at every logon; the data is a bare file name, which Windows resolves through its path search (here to %Windir%\tanga.exe).
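The check-in sequences in the reports above (al0r.net, irc.mafia-mexicana.org.mx and this one) all fit on a few IRC lines, and the indicators worth extracting from them are the same every time: server name, PASS, nick template, channel, channel key, and whatever command the topic carries. The parser below is an added example (not code from the page or from any of the bots described) that frames the lines per RFC 1459, builds that profile, and classifies the nick against regexes written from the nicks seen on this page. The session it runs on is constructed, modelled on the sequence above; the topic URL, the server name in the 332 reply and the nick-template regexes are assumptions of the example, not vendor signatures.

```python
"""Triage of a sandboxed bot's IRC check-in: parse the client->server
stream (PASS/NICK/USER/JOIN/MODE/PONG) plus the server's topic reply and
extract the C&C indicators.

Added example; the session below is constructed, not captured."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Nick templates seen on this page, written as regexes (assumptions, not vendor signatures).
BOT_NICK_PATTERNS = [
    ("os-counter",   re.compile(r"^XP-\d{4,}$")),                                          # XP-97862026
    ("country-pipe", re.compile(r"^(?:New)?\[(?:[A-Z]{2}\|)?[A-Z]{2,3}\|\d{2}\|[A-Z]\|\d+\]$")),  # [SI|USA|00|P|61978], New[USA|00|P|11539]
    ("brace-new",    re.compile(r"^\{New\}\[[A-Z]{2,3}-\d+-XP\]$")),                       # {New}[USA-1244024-XP]
    ("mp3-md",       re.compile(r"^MP3-MD-l\[\d+\]l$")),                                    # MP3-MD-l[8236]l
]
TOPIC_CMD = re.compile(r"^\s*[.!]([A-Za-z]+)\s*(.*)$")   # ".open <url>" style command in a topic

# Constructed session modelled on the report above; the 332 reply and URL are placeholders.
SAMPLE_SESSION = [
    "PASS s1m0n3t4",
    "NICK [SI|USA|00|P|61978]",
    "USER XP-6042 * 0 :COMPUTERNAME",
    "MODE [SI|USA|00|P|61978] -ix",
    "JOIN #iausto# c1rc0dus0leil",
    ":Coupe2.Network 332 [SI|USA|00|P|61978] #iausto# :.open http://example.invalid/update.exe",
    "PONG Coupe2.Network",
]


@dataclass
class C2Profile:
    server: Optional[str] = None
    password: Optional[str] = None
    nick: Optional[str] = None
    nick_family: Optional[str] = None
    username: Optional[str] = None
    realname: Optional[str] = None
    channels: dict = field(default_factory=dict)   # channel -> key (None when unkeyed)
    commands: list = field(default_factory=list)   # (channel, verb, args) parsed from topics


def parse_irc_line(line):
    """RFC 1459 framing: [':' prefix ' '] command (' ' param)* [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)          # trailing param may contain spaces
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def classify_nick(nick):
    for family, pat in BOT_NICK_PATTERNS:
        if pat.match(nick):
            return family
    return None


def _note_topic(p, channel, topic):
    m = TOPIC_CMD.match(topic)
    if m:
        p.commands.append((channel, m.group(1).lower(), m.group(2).split()))


def build_profile(lines):
    p = C2Profile()
    for raw in lines:
        prefix, cmd, params = parse_irc_line(raw)
        if prefix is None:                                  # client -> server
            if cmd == "PASS" and params:
                p.password = params[0]
            elif cmd == "NICK" and params:
                p.nick = params[0]
                p.nick_family = classify_nick(p.nick)
            elif cmd == "USER" and len(params) >= 4:         # <user> <host> <server> :<realname>
                p.username, p.realname = params[0], params[3]
            elif cmd == "JOIN" and params:                   # JOIN #a,#b key1,key2
                keys = params[1].split(",") if len(params) > 1 else []
                for i, chan in enumerate(params[0].split(",")):
                    p.channels[chan] = keys[i] if i < len(keys) else None
            elif cmd == "PONG" and params and p.server is None:
                p.server = params[-1]                        # PONG echoes the server's name
        else:                                               # server -> client
            if p.server is None and "!" not in prefix:       # nick!user@host is a user, not the server
                p.server = prefix
            if cmd == "332" and len(params) >= 3:            # RPL_TOPIC: <nick> <channel> :<topic>
                _note_topic(p, params[1], params[2])
            elif cmd == "TOPIC" and len(params) >= 2:        # live topic change
                _note_topic(p, params[0], params[1])
    return p


if __name__ == "__main__":
    print(build_profile(SAMPLE_SESSION))
```

Everything the profile holds is plaintext on the wire, so the PASS and the channel key are as good for a network signature as the server address, and survive a move of the C&C to a new host. The nick classifier is deliberately strict (anchored, fixed field counts): a loose "contains |" rule would match ordinary users on a shared IRC network.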

unknown.ord.scnet.net (botnet hosted in the United States, Chicago, Hostforweb Inc)

Remote Host: 64.202.102.234, Port Number: 50500

Session as captured:

  NICK {New}[USA-1244024-XP]
  USER 6950797 "" "lol" :6950797
  JOIN #LED
  PONG 422

  Topic On: [ #LED ] [ light emitting diode ]
  Topic By: [ Switch ]

Registry Modifications
  The newly created Registry Value is:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      rgservs = "%Temp%\rgservs.exe"
  so that rgservs.exe runs every time Windows starts.

The C&C listens on 50500, not an IRC port, so port-based IRC blocking does not touch it; the topic carries no command at the time of capture. Persistence is per-user (HKCU Run) and the binary lives in %Temp%, both reachable without administrator rights.

193.106.173.129 (botnet hosted in the Russian Federation, Iqhost Ltd)

Server IP: 193.106.173.129
Server Port: 1338
Channel Name: #TM

Server replies as captured:

  There are 1 users and 501 invisible on 1 servers
  69 unknown connection(s)
  channels formed
  I have 502 clients and 0 servers
  Current Local Users: 502  Max: 619
  Current Global Users: 502  Max: 584
  Now talking in #TM
  Topic On: [ #TM ] [ Try command

The LUSERS reply gives a head count without joining anything: 502 connected clients, 501 of them +i (invisible), i.e. roughly 500 bots on this single server at the time of capture, with a peak of 619. The 69 unknown connections are sockets that have not completed registration yet, typically bots mid-check-in.

orbitaurl.com (botnet hosted in the United States, Chicago, Hostforweb Inc)

Remote Host: 66.225.241.182, Port Number: 2345

Session as captured:

  NICK New[USA|00|P|11539]
  PRIVMSG #!loco! :[M]: Thread Disabled.
  PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.
  USER XP-5074 * 0 :COMPUTERNAME
  MODE New[USA|00|P|11539] -ix
  JOIN #!loco!
  PONG 22
  MOTD

DNS Queries:
  Name           Query Type   Query Result                   Successful   Protocol
  orbitaurl.com  DNS_TYPE_A   158.2.125.114, 14.73.178.183   YES          udp

A second session was seen to 210.170.62.115:2345 with Nick: New[AUT|00|P|38063], Username:

The bot reports its module state back to the channel ("[M]: Thread Activated: Sending Message With Email"), so a mass-mailing routine is running under channel control. orbitaurl.com resolves to two A records, and the AUT-tagged nick on the second C&C shows the same nick scheme (country|counter|P|id) in use there.

static.187.176.4.46.clients.your-server.de (botnet hosted in Germany, Hetzner Online AG)

Remote Host: 46.4.176.187, Port Number: 6669

Session as captured:

  JOIN ##ReliviuM InVaLiDDD
  PONG :BoTNeT.GoV

Other details
  The following port was open in the system:
    Port   Protocol   Process
    1052   TCP        [file and pathname of the sample #1]

Registry Modifications
  The following Registry Keys were created:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Channel ##ReliviuM is keyed (InVaLiDDD) and the ircd announces itself as BoTNeT.GoV. The sample creates six autostart locations in one go, among them RunServices and RunServicesOnce, which only Windows 9x/ME ever honour: a spray-everything persistence routine rather than one tuned to the host it landed on.
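The "Registry Modifications" sections in the reports above (tanga.exe under HKLM Run, rgservs.exe under HKCU Run, the six keys this sample creates) are the same few autostart locations over and over, and turning them into findings is mostly a matter of recognising the location, expanding %Windir%/%Temp%, and resolving bare file names like "tanga.exe" against the process table the same report gives. The parser below is an added example (not code from the page or from any sandbox vendor) that reads the report's own line forms; its sample lines are constructed from entries on this page, and the %Windir%/%Temp% expansions are assumed XP defaults rather than values read from a system.

```python
"""Turn a sandbox report's 'Registry Modifications' lines into autostart
(ASEP) findings: location label, value name, resolved image path.

Added example; sample lines are constructed from the reports above."""
import re
from dataclasses import dataclass
from typing import Optional

# Suffixes after ...\Microsoft\Windows\CurrentVersion\ (lower-cased) that are autostart points.
CV = "\\microsoft\\windows\\currentversion\\"
ASEP_KEYS = {
    "run":                          "Run (every logon)",
    "runonce":                      "RunOnce (next logon)",
    "runonce\\setup":               "RunOnce\\Setup (first logon)",
    "runservices":                  "RunServices (Windows 9x/ME only)",
    "runservicesonce":              "RunServicesOnce (Windows 9x/ME only)",
    "policies\\explorer\\run":      "policies\\Explorer\\Run (policy Run key)",
    "shellserviceobjectdelayload":  "ShellServiceObjectDelayLoad (COM object loaded into Explorer)",
}
# Assumed expansions for an XP-era sandbox; a real tool reads these from the analysed system.
ENV_DEFAULTS = {"%windir%": "C:\\WINDOWS", "%systemroot%": "C:\\WINDOWS",
                "%temp%": "C:\\DOCUME~1\\user\\LOCALS~1\\Temp"}

VALUE_RE = re.compile(r'^\s*\[(?P<key>[^\]]+)\]\s*\+\s*(?P<name>.+?)\s*=\s*"(?P<data>[^"]*)"\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>HKEY_[A-Z_]+\\.+?)\s*$')

# Constructed sample in the report's line forms; last line is not an autostart location.
SAMPLE_REPORT = [
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] + Service ares = "tanga.exe"',
    r'[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] + rgservs = "%Temp%\rgservs.exe"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions',
]
SAMPLE_PROCESSES = (r"%Windir%\tanga.exe",)   # from the report's open-port / process table


@dataclass
class AsepFinding:
    key: str
    location: str
    name: Optional[str]     # value name; None when only the key was created
    image: Optional[str]    # resolved image path; None for key-only entries
    note: str


def expand_env(s, env=ENV_DEFAULTS):
    return re.sub(r"%[A-Za-z_]+%", lambda m: env.get(m.group(0).lower(), m.group(0)), s)


def asep_location(key):
    """Label for an autostart key, or None if the key is not one."""
    k = key.lower()
    idx = k.find(CV)
    if idx < 0:
        return None
    return ASEP_KEYS.get(k[idx + len(CV):])


def parse_registry_report(lines, known_processes=()):
    findings = []
    for line in lines:
        m = VALUE_RE.match(line)
        if m:
            key, name, data = m["key"], m["name"], m["data"]
        else:
            m = KEY_RE.match(line)
            if not m:
                continue
            key, name, data = m["key"], None, None
        loc = asep_location(key)
        if loc is None:
            continue
        image, note = None, ""
        if data is not None:
            image = expand_env(data)
            if "\\" not in image:
                # Bare file name: Windows resolves it by PATH search at logon, so the
                # report's process table is the only reliable source for the real location.
                hits = [p for p in known_processes if p.lower().endswith("\\" + image.lower())]
                if hits:
                    image, note = expand_env(hits[0]), "bare name resolved from report process table"
                else:
                    note = "bare name; location depends on PATH search order"
        findings.append(AsepFinding(key, loc, name, image, note))
    return findings


if __name__ == "__main__":
    for f in parse_registry_report(SAMPLE_REPORT, SAMPLE_PROCESSES):
        print(f)
```

Key-only entries are kept as findings even without a value, because creating policies\Explorer\Run or RunServices on an NT system is itself a tell: nothing legitimate on XP writes those.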