irc.mafia-mexicana.org.mx (botnet C&C hosted in Viet Nam, IP range "Xdsl Iptv Fixed Phone Service At Hcmc")

Remote Host Port Number
118.69.220.81 6667

NICK MP3-MD-l[8236]l
NICK MP3-MD-l[8236]l 2
NICK MP3-MD-l[8236]l 3
NICK MP3-MD-l[8236]l 4
NICK MP3-MD-l[8236]l 5
PING irc.mafia-mexicana.org.mx
NICK MP3-MD-l[8236]l 6
USER MM 32 . ::: Mafia-Mexicana ::
MODE MP3-MD-l[8236]l +ipx
NICK MP3-MD-l[8236]l 0
NICK MP3-MD-l[8236]l 1

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions
o HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin
o HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2
o HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\Program Options
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERV-U
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERV-U\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERV-U\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Microsoft Security Center
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Microsoft Security Center\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Microsoft Security Center\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Serv-U
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Serv-U\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Serv-U\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERV-U
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERV-U\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERV-U\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Security Center
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Security Center\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Security Center\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U\Enum
o HKEY_USERS\.DEFAULT\Software\Cygnus Solutions
o HKEY_USERS\.DEFAULT\Software\Cygnus Solutions\Cygwin
o HKEY_USERS\.DEFAULT\Software\Cygnus Solutions\Cygwin\mounts v2
o HKEY_USERS\.DEFAULT\Software\Cygnus Solutions\Cygwin\Program Options
o HKEY_CURRENT_USER\Software\Cygnus Solutions
o HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin
o HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin\mounts v2
o HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin\Program Options
o HKEY_CURRENT_USER\Software\WinRAR SFX

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Microsoft Security Center”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER\0000]
+ Service = “Microsoft Security Center”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Microsoft Security Center”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERV-U\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Serv-U”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERV-U\0000]
+ Service = “Serv-U”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Serv-U FTP Server”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERV-U]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Microsoft Security Center\Enum]
+ 0 = “Root\LEGACY_MICROSOFT_SECURITY_CENTER\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Microsoft Security Center\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Microsoft Security Center]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = “%Windir%\Help\MUI\Debug\svchost.exe”
+ DisplayName = “Microsoft Security Center”
+ ObjectName = “LocalSystem”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Serv-U\Enum]
+ 0 = “Root\LEGACY_SERV-U\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Serv-U\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Serv-U]
+ Type = 0x00000010
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = “%Windir%\Help\MUI\Debug\smss.exe”
+ DisplayName = “Serv-U FTP Server”
+ ObjectName = “LocalSystem”
+ Description = “Provides FTP services and allows remote FTP clients to connect to this computer”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Microsoft Security Center”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER\0000]
+ Service = “Microsoft Security Center”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Microsoft Security Center”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_SECURITY_CENTER]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERV-U\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Serv-U”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERV-U\0000]
+ Service = “Serv-U”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Serv-U FTP Server”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERV-U]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Security Center\Enum]
+ 0 = “Root\LEGACY_MICROSOFT_SECURITY_CENTER\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Security Center\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Security Center]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = “%Windir%\Help\MUI\Debug\svchost.exe”
+ DisplayName = “Microsoft Security Center”
+ ObjectName = “LocalSystem”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U\Enum]
+ 0 = “Root\LEGACY_SERV-U\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U]
+ Type = 0x00000010
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = “%Windir%\Help\MUI\Debug\smss.exe”
+ DisplayName = “Serv-U FTP Server”
+ ObjectName = “LocalSystem”
+ Description = “Provides FTP services and allows remote FTP clients to connect to this computer”
o [HKEY_CURRENT_USER\Software\WinRAR SFX]
+ C%%WINDOWS%Help%MUI%Debug% = “%Windir%\Help\MUI\Debug”

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
+ (Default) =

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
svchost.exe %Windir%\help\mui\debug\svchost.exe 69,632 bytes

* There were new services created in the system:

Service Name Display Name Status Service Filename
Microsoft Security Center Microsoft Security Center “Running” %Windir%\Help\MUI\Debug\svchost.exe
Serv-U Serv-U FTP Server “Running” %Windir%\Help\MUI\Debug\smss.exe

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%\Help\MUI\Debug\convertxdccfile.exe 95,873 bytes MD5: 0x63503BE0F41DE3FCA3A20C450CB0A8F3
SHA-1: 0x2267C391007C31240ABD5707178670451B021407 Backdoor.Win32.Alphabot.e [Kaspersky Lab]
Iroffer [McAfee]
Mal/Generic-A [Sophos]
Backdoor.Win32.Iroffer [Ikarus]
Win32/IRCBot.worm.variant [AhnLab]
2 %Windir%\Help\MUI\Debug\cygcrypt-0.dll 6,656 bytes MD5: 0xFCAAAD96B6B4E41DBAF9076109DCB964
SHA-1: 0xBE4BEB7C0835DF03FFB1D8F0AC1A4FF4CC5D7355 (not available)
3 %Windir%\Help\MUI\Debug\cygwin1.dll 1,872,821 bytes MD5: 0x361EF4049C7D6229E5E378624FB400DF
SHA-1: 0x4DED11CF5231DA0E7E9E9808100652601C51635B (not available)
4 %Windir%\Help\MUI\Debug\Logs\HaX.log 1,948 bytes MD5: 0xA852534D42DC8A5993EC19BC59F602B5
SHA-1: 0x49F976449F1B019510932D76FEC846A8EE7FB740 (not available)
5 %Windir%\Help\MUI\Debug\Logs\HaX.pid 4 bytes MD5: 0xFBAA030EEE9A34CEFD5248D7C90055F7
SHA-1: 0x6A1FE6818B2CAF73CFF145FB790E65E2AF03D1EF (not available)
6 %Windir%\Help\MUI\Debug\Logs\HaX.state 272 bytes MD5: 0xAAA1DFEF2FA52B3F434FEAF755266650
SHA-1: 0x3BB781FA2C1D2F267EEA8B6730F46E28CA6A47B7 (not available)
7 %Windir%\Help\MUI\Debug\Logs\HaX.state ~ 272 bytes MD5: 0x5BB0CDBF190FA345F503BFBE481B2E0E
SHA-1: 0xA61151223BBA1B7AD8AFD930E119A07E4B790D8E (not available)
8 %Windir%\Help\MUI\Debug\mdl.txt 1,376 bytes MD5: 0x96D9593658CD27E2751FE6C8721B2186
SHA-1: 0x70631B042B7617654B3181531EF2225ABC0F57E4 (not available)
9 %Windir%\Help\MUI\Debug\run.bat 132 bytes MD5: 0x292359DD4D511583D928B93B824919B0
SHA-1: 0xC810272F7E7BAF1621986B92EAE353BE999482E0 (not available)
10 %Windir%\Help\MUI\Debug\Services.exe 338,509 bytes MD5: 0xD5D28B18DA2FF3D9911B0DEF5458FE2A
SHA-1: 0x91EEFCB4EC04758048FEF221808852C4A22CD954 Backdoor.Win32.Iroffer.13b8 [Kaspersky Lab]
Iroffer [McAfee]
Mal/Generic-A [Sophos]
Backdoor:Win32/Sdbot [Microsoft]
Backdoor.Win32.Iroffer [Ikarus]
Win-Trojan/Iroffer.338509 [AhnLab]
11 %Windir%\Help\MUI\Debug\ServUDaemon.ini 1,380 bytes MD5: 0xB1DAEFD605EA8EE71A03B374ED1C619B
SHA-1: 0x23DF7C5836097765EAA1540AF26BE2CCF4387E3B (not available)
12 %Windir%\Help\MUI\Debug\ServUStartUpLog.txt 531 bytes MD5: 0x3F0761AFCC2B5773E3D8041423EAB353
SHA-1: 0x150E39B01D005E38CDBA5594BFFE2F0E8C653B31 (not available)
13 %Windir%\Help\MUI\Debug\setup.bat 2,038 bytes MD5: 0xAECD7F0475507A09A45B58DDE080120B
SHA-1: 0xB74C15173047F0A48C79EB49C3A9075088ECC1E2 Virus-Kit [Ikarus]
14 %Windir%\Help\MUI\Debug\smss.exe 1,857,536 bytes MD5: 0xED27BE3154143F7027298A2ED5E8F739
SHA-1: 0x8935F227E024B54D1E855584EBE81A830E7476F3 not-a-virus:Server-FTP.Win32.Serv-U.3016 [Kaspersky Lab]
ServU-Daemon.gen [McAfee]
not-a-virus:Server-FTP.Win32.Serv-U.3016 [Ikarus]
15 %Windir%\Help\MUI\Debug\svchost.exe 53,760 bytes MD5: 0xEA2E9E72F5BC8AC2549B325A757D321D
SHA-1: 0x82968811C3329C44EDF796ACAAF3F04618F99D97 Backdoor.Win32.Iroffer [Ikarus]
16 %Windir%\Help\MUI\Debug\svchost.ini 647 bytes MD5: 0x8A2D62F4DA186348377FEC0B4BED1120
SHA-1: 0x4FC7D7BF428A79AAD3326AADA1F08C9246760D7C (not available)
17 %Windir%\Help\MUI\Debug\svchost.log 45 bytes MD5: 0xD2E848521F83C801DA593114E3EEF9BE
SHA-1: 0x2299059E980D3A2FEE5A51EEF4F3E577E0FED0F5 (not available)
18 [file and pathname of the sample #1] 1,408,616 bytes MD5: 0x0E6A07782AEAC44AC4D3C6EA251AACAF
SHA-1: 0xFA16DC30BB7E470F5173F9276BF6DB2885E00826 Backdoor.Win32.Alphabot.e, Backdoor.Win32.Iroffer.13b8, not-a-virus:Server-FTP.Win32.Serv-U.3016 [Kaspersky Lab]
Virus-Kit [Ikarus]

Hosting information (whois for the C&C address):
http://whois.domaintools.com/118.69.220.81
