al0r.net(botnet hosted in Germany Hetzner Online Ag)

Remote Host Port Number
178.63.104.143 6667

NICK XP-97862026
USER 65162170 “” “sohbet.az” :00693017
JOIN #Dos!
MODE #Dos!
USER 78139397 “” “sohbet.az” :35822378
NICK XP-42563252
USER 29409822 “” “sohbet.az” :93325375
NICK XP-18370044

Now talking in #Dos!
Topic On: [ #Dos! ] [ .open http://www.google.com.tr/url?sa=t&source=web&cd=12&ved=0CG4QFjAL&url=http%3A%2F%2Fwww.onlinediziizleme.com%2F&rct=j&q=online%20dizi%20izle&ei=ddUcTYKfKsnCswarsIn6DA&usg=AFQjCNHLc6A8OMCjWpeOhCyWwAUBIQj4Og&cad=rja ]
Topic By: [ Drox ]
Modes On: [ #Dos! ] [ +smntMNG ]

(Drox) .login tr0
([M]TUR|26929) -main- Password accepted.
(Drox) .open http://www.google.com.tr/url?sa=t&source=web&cd=12&ved=0CG4QFjAL&url=http%3A%2F%2Fwww.onlinediziizleme.com%2F&rct=j&q=online%20dizi%20izle&ei=ddUcTYKfKsnCswarsIn6DA&usg=AFQjCNHLc6A8OMCjWpeOhCyWwAUBIQj4Og&cad=rja
Joins: DZA|95945 [owckby@41.98.48.44]
([M]TUR|26929) -shell- File opened: http://www.google.com.tr/url?sa=t&source=web&cd=12&ved=0CG4QFjAL&url=http%3A%2F%2Fwww.onlinediziizleme.com%2F&rct=j&q=online%20dizi%20izle&ei=ddUcTYKfKsnCswarsIn6DA&usg=AFQjCNHLc6A8OMCjWpeOhCyWwAUBIQj4Og&cad=rja

Other details

* The following ports were open in the system:

Port Protocol Process
113 TCP wacult.exe (%Windir%systemwacult.exe)
1050 TCP wacult.exe (%Windir%systemwacult.exe)
1052 TCP wacult.exe (%Windir%systemwacult.exe)
1053 TCP wacult.exe (%Windir%systemwacult.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREClasses.cha
o HKEY_LOCAL_MACHINESOFTWAREClasses.chat
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFile
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileDefaultIcon
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShell
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopen
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopencommand
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexec
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecApplication
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecifexec
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecTopic
o HKEY_LOCAL_MACHINESOFTWAREClassesirc
o HKEY_LOCAL_MACHINESOFTWAREClassesircDefaultIcon
o HKEY_LOCAL_MACHINESOFTWAREClassesircShell
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopen
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopencommand
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexec
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecApplication
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecifexec
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecTopic
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallms32
o HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft Agent
o HKEY_CURRENT_USERSoftwarems32
o HKEY_CURRENT_USERSoftwarems32DateUsed
o HKEY_CURRENT_USERSoftwareWinRAR SFX

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREClasses.cha]
+ (Default) = “ChatFile”
o [HKEY_LOCAL_MACHINESOFTWAREClasses.chat]
+ (Default) = “ChatFile”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecTopic]
+ (Default) = “Connect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecifexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecApplication]
+ (Default) = “mIRC”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopencommand]
+ (Default) = “”%Windir%systemwacult.exe” -noconnect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileDefaultIcon]
+ (Default) = “”%Windir%systemwacult.exe””
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFile]
+ (Default) = “Chat File”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecTopic]
+ (Default) = “Connect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecifexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecApplication]
+ (Default) = “mIRC”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopencommand]
+ (Default) = “”%Windir%systemwacult.exe” -noconnect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircDefaultIcon]
+ (Default) = “”%Windir%systemwacult.exe””
o [HKEY_LOCAL_MACHINESOFTWAREClassesirc]
+ (Default) = “URL:IRC Protocol”
+ EditFlags = 02 00 00 00
+ URL Protocol = “”
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ WinXPService = “%Windir%systemwacult.exe”

so that wacult.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallms32]
+ DisplayName = “ms32”
+ UninstallString = “”%Windir%systemwacult.exe” -uninstall”
o [HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USERSoftwarems32DateUsed]
+ (Default) = “1293823905”
o [HKEY_CURRENT_USERSoftwareWinRAR SFX]
+ C%%%WINDOWS%system = “C://WINDOWS/system”

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
wacult.exe %Windir%systemwacult.exe 1,941,504 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%systemedih.dll 40,960 bytes MD5: 0xA85A6F809B5500ADF9F163F60CBD9B25
SHA-1: 0x9B81D20E5FFBF9BAE4BB95595579B29A282DAB0F Backdoor.IRC.Flood [PCTools]
Hacktool.Flooder [Symantec]
IRC/Flood.tool [McAfee]
Troj/Flood-I [Sophos]
Trojan:Win32/Flood.L [Microsoft]
IRC.Flood [Ikarus]
Win-Trojan/Flooder.45056.B [AhnLab]
2 %Windir%systemms32.sys 2,615 bytes MD5: 0x0DA0ACCDF25A1D3B0E67A0454C6664D9
SHA-1: 0x80CB1230AE243DC120049098DBA10ECDBCD2A8DC IRC/Flood.gen.b [McAfee]
Backdoor.IRC.Zapchast [Ikarus]
3 %Windir%systemremote.ini 83 bytes MD5: 0xAA0ED913BB73ED871D12FF14F98C2229
SHA-1: 0xC97D54234758BFF8B947CE1D0265EF2A65E79FD1 (not available)
4 %Windir%systemsystem32msconfg.dll 2,797 bytes MD5: 0x8D449472DA26237FE881358941A56C06
SHA-1: 0x1B84CCF82169F9AE3B1E0E7868EFBE9C9B8663E7 Trojan.IRC.Flood.ISC [Ikarus]
5 %Windir%systemsystem32Systemx.dll 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)
6 %Windir%systemwacult.exe 652,800 bytes MD5: 0xD478A83DA99BE6115785DAEC679FC6B3
SHA-1: 0x62317793DD455495441D7E3D21C030CAF71EEAE9 Backdoor.IRCBot [PCTools]
Backdoor.Trojan [Symantec]
not-a-virus:Client-IRC.Win32.mIRC.602 [Kaspersky Lab]
Troj/Kirsun-A [Sophos]
Backdoor:Win32/Kirsun.A [Microsoft]
not-a-virus:Client-IRC.Win32.mIRC [Ikarus]
Win-Trojan/Kirsun.652800 [AhnLab]
packed with ASPack [Kaspersky Lab]
7 [file and pathname of the sample #1] 714,103 bytes MD5: 0xC15CE192BDB2526C055B69683751AA07
SHA-1: 0x47B2B0DE982E2BFDA5CAB68859947EF0F1232E08 not-a-virus:Client-IRC.Win32.mIRC.602 [Kaspersky Lab]
not-a-virus:Client-IRC.Win32.mIRC [Ikarus]

infos about hosting:
http://whois.domaintools.com/178.63.104.143