205.234.223.186 (botnet hosted with Hostforweb Inc, Chicago, United States)

Remote Host      Port Number
205.234.223.186  1234  PASS xxx
216.178.38.224   80
216.178.39.11    80
64.208.241.27    80
69.63.189.39     80

NICK NEW-[USA|00|P|16686]
USER XP-2777 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|16686] -ix
JOIN #!nn! test
PONG 22 MOTD

* The data identified by the following URLs was then requested from the remote web server:
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://www.myspace.com/browse/people
o http://www.myspace.com/help/browserunsupported
o http://x.myspacecdn.com/modules/splash/static/img/cornersSheet.png
o http://x.myspacecdn.com/images/BrowserUpgrade/bg_infobox.jpg
o http://x.myspacecdn.com/images/BrowserUpgrade/icon_information.gif
o http://x.myspacecdn.com/images/BrowserUpgrade/bg_browserSection.jpg
o http://x.myspacecdn.com/images/BrowserUpgrade/browserLogos_med.jpg
o http://www.facebook.com/home.php
o http://www.facebook.com/login.php

Other details

* The following ports were open in the system:

Port  Protocol  Process
1059  TCP       nvsvc32.exe (%Windir%\nvsvc32.exe)
1060  TCP       nvsvc32.exe (%Windir%\nvsvc32.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ NVIDIA driver monitor = “%Windir%\nvsvc32.exe”

so that nvsvc32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ NVIDIA driver monitor = “%Windir%\nvsvc32.exe”

so that nvsvc32.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ NVIDIA driver monitor = “%Windir%\nvsvc32.exe”

so that nvsvc32.exe runs every time Windows starts

* The following Registry Value was modified:
o [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
+ Start Page =

Memory Modifications

* There was a new process created in the system:

Process Name  Process Filename      Main Module Size
nvsvc32.exe   %Windir%\nvsvc32.exe  3,125,248 bytes

* The following system service was modified:

Service Name  Display Name       New Status  Service Filename
wuauserv      Automatic Updates  “Stopped”   %System%\svchost.exe -k netsvcs

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%\nvsvc32.exe
  [file and pathname of the sample #1]
  File Size: 61,440 bytes
  MD5: 0x7C4B820C9746F02F2F648D329555D3DB
  SHA-1: 0xBFB4068D48262B9F712355710CCB1CFB5CA7A121
  Alias: W32.Yimfoca [Symantec]
         Trojan.Win32.Jorik.IRCbot.qa [Kaspersky Lab]
         Trojan:Win32/Ircbrute [Microsoft]
         Virus.Win32.Injector [Ikarus]
         Win-Trojan/Ircbrute.61440.C [AhnLab]

Information about the hosting provider:
http://whois.domaintools.com/205.234.223.186