Remote Host       Port Number
196.46.191.100    31092
212.97.132.151    80
95.211.84.41      80
NICK US|computername
USER duiizaui UNIX UNIX :username
JOIN #all#
JOIN #US
Now talking in #all#
Topic On: [ #all# ] [ zg8w2CSUq2uia0QJlZCB54+bx1ORaIYwuWdNWqLiaRItRqdzrOHaoL/ZlA/RBgykhuYXvz0p+UCC5AowzlgNggVoLqkXzM+L2HR5WjCPVOsWHS21OdGLfnuALxORajUP/gdM/hRbMXB+mBM995oqart5JdolC5OI ]
Modes On: [ #all# ] [ +smntMu ]
Resolved : [serv01.colo.owned.hu] To [83.15.2.2]
Resolved : [serv01.colo.owned.hu] To [83.233.167.103]
Resolved : [serv01.colo.owned.hu] To [81.219.80.126]
Resolved : [serv01.colo.owned.hu] To [196.46.191.100]
Other details
* The following ports were open in the system:
Port   Protocol   Process
1053   TCP        taskhost.exe (%AppData%\taskhost.exe)
1055   TCP        taskhost.exe (%AppData%\taskhost.exe)
Registry Modifications
* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\WindowsLive
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Task Host = "%AppData%\taskhost.exe"
    so that taskhost.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\WindowsLive]
    + version = "1060"
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Task Host = "%AppData%\taskhost.exe"
    so that taskhost.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name                   Process Filename                        Main Module Size
taskhost.exe                   %AppData%\taskhost.exe                  2,191,360 bytes
viewDrive.exe                  c:\viewdrive.exe                        2,191,360 bytes
[filename of the sample #1]    [file and pathname of the sample #1]    2,191,360 bytes
File System Modifications
* The following files were created in the system:
#   Filename(s)                             File Size         File Hash
1   c:\autorun.inf                          147 bytes         MD5: 0x29F4BC0B76C36E9B71214715E65E9984
                                                              SHA-1: 0x4447BCC507BE7AD624C02C18F3360CCE87E86E49
2   %AppData%\taskhost.exe                  3,264,917 bytes   MD5: 0x1EEFB8EBA8BBAB7EB58794F26B92D53E
    c:\viewDrive.exe                                          SHA-1: 0x3CFF3A0CC2B4E6C12A9DC26BF2C0D3F25C4DD2E7
    [file and pathname of the sample #1]
3   %Temp%\tools.exefile1926.tmp            0 bytes           MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                                                              SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
4   %Temp%\uypji1zwqanz7.exe                335 bytes         MD5: 0x7CF8E9B0CAD3E69E28272C35A1A6C04B
                                                              SHA-1: 0x27BBCA4213A617CB90E2A6F0CAC052146493BD33
5   %Temp%\viewdrive                        0 bytes           MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                                                              SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
Hosting information (whois) for the C2 host:
http://whois.domaintools.com/196.46.191.100