trin.bi.up.ac.za (botnet hosted in Pretoria, South Africa; AFRINIC address space)

Remote Host        Port Number
137.215.75.246     6667
195.197.175.21     6667

NICK drugss
ISON akon black bleed blood dead devil dr evil ghost hustler lord Lucifer mad ManaGer Master mIRC Mr Power sadness Scorpions system
JOIN #Raps
MODE #raps
MODE mwahc +iwx
MODE drugss +iwx
SILENCE +*!*@*
USER net "" "rap-yo-city.dyndns.org" :
6Get away !
NICK samerl
USER leader "" "rap-yo-city.dyndns.org" :
4No Such Nick
SILENCE +*,~*!*@*undernet.org
PONG :1901875861
USERHOST drugss
NICK :mwahc
MODE drugss +i
USER Rap "" "Helsinki.FI.EU.Undernet.Org" :
NICK comr
PONG :3018525259
PONG :1944071925
PONG :3017032078
USERHOST comr
NICK :locod
NICK :positiona
MODE comr +i

Now talking in #raps
Modes On: [ #raps ] [ +nt ]
(ManaGerw) drugss uptime
(drugss) your mothers pussy same uptime lol

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters
o HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
o HKEY_CURRENT_USER\Software\mIRC
o HKEY_CURRENT_USER\Software\mIRC\Channels
o HKEY_CURRENT_USER\Software\mIRC\License
o HKEY_CURRENT_USER\Software\mIRC\LockOptions
o HKEY_CURRENT_USER\Software\mIRC\%UserName%
o HKEY_CURRENT_USER\Software\WinRAR SFX

* Notes:
o %UserName% is a variable that refers to the current user name.

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
+ (Default) = "ChatFile"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]
+ (Default) = "ChatFile"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]
+ (Default) = "Connect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]
+ (Default) = "svchost"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]
+ (Default) = "Chat File"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]
+ (Default) = "Connect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]
+ (Default) = "svchost"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
+ (Default) = "URL:IRC Protocol"
+ EditFlags = 02 00 00 00
+ URL Protocol = ""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ spoolsv = ""%Windir%\temp\spoolsv\spoolsv.exe""
  so that spoolsv.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
+ DisplayName = "mIRC"
+ UninstallString = ""%Windir%\temp\spoolsv\spoolsv.exe" -uninstall"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters]
+ Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
+ AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
+ Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
+ AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USER\Software\mIRC\%UserName%]
+ (Default) = "WhiteHat"
o [HKEY_CURRENT_USER\Software\mIRC\LockOptions]
+ (Default) = "0,4096"
o [HKEY_CURRENT_USER\Software\mIRC\License]
+ (Default) = "5662-546732"
o [HKEY_CURRENT_USER\Software\WinRAR SFX]
+ C%%Windows%temp%spoolsv% = "%Windir%\temp\spoolsv"

File System Modifications

* The following files were created in the system:

#   Filename(s) / File Size / File Hash / Alias

1.  [file and pathname of the sample #1]
    Size: 945,024 bytes
    MD5: 0x137CD7C1C2617D5DFEB8A1CB361B8E3A
    SHA-1: 0xBD8F88AF84F2FD29A7BE3A039B18D6C7682E5A82
    Alias: Trojan.Dropper [PCTools]; IRC Trojan [Symantec]; Backdoor.IRC.Zapchast.zwrc, not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]; Backdoor.Win32.IRCFlood [Ikarus]; Dropper/Malware.945024.B [AhnLab]

2.  %Windir%\Temp\spoolsv\a.reg
    Size: 1,260 bytes
    MD5: 0x3A6124B67B70CFC076115D6C03A46555
    SHA-1: 0xFF32EA635FBC7E246EDB1EF30FD2146702137200
    Alias: Trojan.RunKeys [PCTools]; IRC.Backdoor.Trojan [Symantec]; Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]; Reg/IRCSpoolsv [McAfee]; REG_ZAPCHAST.ED [Trend Micro]; Backdoor.IRC.Zapchast [Ikarus]; REG/Zapchast [AhnLab]

3.  %Windir%\Temp\spoolsv\aliases.ini
    Size: 11 bytes
    MD5: 0x2218DF9CDFFC814A3DC25C81DD8619DD
    SHA-1: 0x0290F796218937F61331ADC8803788E7CD4C2299
    Alias: (not available)

4.  %Windir%\Temp\spoolsv\com.mrc
    Size: 9,955 bytes
    MD5: 0x9172FD1F774B08629CA77F8DF1E826B0
    SHA-1: 0x1FB136F79DE369036765C09EE1308D63A60FD0C5
    Alias: Trojan.IRCBot [PCTools]; IRC Trojan [Symantec]; Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]

5.  %Windir%\Temp\spoolsv\control.ini
    Size: 130 bytes
    MD5: 0x92C90A7CB157BBD431B43558675AC53D
    SHA-1: 0x86A2FAEA8E55DA2B14F2E888CE6CCB369C204051
    Alias: (not available)

6.  %Windir%\Temp\spoolsv\fullname.txt
    Size: 1,120 bytes
    MD5: 0x9ED3F8443F7F4F028C6B57252745A2D8
    SHA-1: 0xF08E8CF56CAB9C5EC0924F07BC2CC01A7BF07341
    Alias: (not available)

7.  %Windir%\Temp\spoolsv\ident.txt
    Size: 347 bytes
    MD5: 0xEEA2FD643937A55AACC4BAA5A3AB25A7
    SHA-1: 0xD57073ABEFD14E440E5295991E05B6E7ADCECCAD
    Alias: (not available)

8.  %Windir%\Temp\spoolsv\mirc.ico
    Size: 5,694 bytes
    MD5: 0xE09AA9787AF5CC53FD7525DD6693CF10
    SHA-1: 0x57445D0779A66C61741822C0A7988573EFEE13D7
    Alias: Backdoor.IRC.Agent [Ikarus]

9.  %Windir%\Temp\spoolsv\mirc.ini
    Size: 3,374 bytes
    MD5: 0xFD7B67FC4D3C5529E43FBC084D65105D
    SHA-1: 0x123B20CD61A7D965FF2DA522916BC29E02F2357B
    Alias: Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]; IRC/Flood.gen.b [McAfee]; Mal/Zapchas-C [Sophos]; Backdoor.IRC.Zapchast [Ikarus]

10. %Windir%\Temp\spoolsv\remote.ini
    Size: 3,206 bytes
    MD5: 0xC070E887388DDAA6AF07D98B9E3249EF
    SHA-1: 0x3863DBE329EA22B42C6D1E96BEC04B8C29E16482
    Alias: (not available)

11. %Windir%\Temp\spoolsv\run.bat
    Size: 194 bytes
    MD5: 0x08FD9592BFA14C19955FC760BE2BB98A
    SHA-1: 0x2CDC2FA19727DF675EEE0F8951B0333DBC6F4B81
    Alias: Backdoor.IRC.Zapchast [PCTools]; Backdoor.IRC.Flood [Symantec]; Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]; Generic component [McAfee]; Troj/Zapchas-ER [Sophos]; Backdoor.IRC.Zapchast [Ikarus]; BAT/Zapchast [AhnLab]

12. %Windir%\Temp\spoolsv\s.mrc
    Size: 1,476 bytes
    MD5: 0x36314B4D17E0C0B9A5B724998EE54AB6
    SHA-1: 0x8E370BBF4C6C407DFED6F0E94CB2C5D1698381FC
    Alias: (not available)

13. %Windir%\Temp\spoolsv\servers.ini
    Size: 1,089 bytes
    MD5: 0x8543EDB441388841646C464E54EF7161
    SHA-1: 0x3C838F3A8F7D61F08D5C523BCFF5AA0760994192
    Alias: Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]

14. %Windir%\Temp\spoolsv\spoolsv.exe
    Size: 1,790,464 bytes
    MD5: 0xB766003F431CAD186BD115F5761592D1
    SHA-1: 0x33CDFE6F7FA6B321F9A51CC051C32BA924164B10
    Alias: Backdoor.IRCBot [PCTools]; not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]; IRC/Client [McAfee]; not-a-virus:Client-IRC.Win32.mIRC [Ikarus]; Win-Trojan/MircPack.1790464 [AhnLab]

15. %Windir%\Temp\spoolsv\users.ini
    Size: 306 bytes
    MD5: 0x5D8AA63B073C2C88DB89C2422F336345
    SHA-1: 0x1CE81A9A6C09F1F435F01059EF472805D684583B
    Alias: (not available)

16. %Windir%\Temp\spoolsv\xmas.JPG
    Size: 110,771 bytes
    MD5: 0x3C930CCBB0982D3A57317983DC5A1F3F
    SHA-1: 0x967F79971C58C645F9D6D2AF85110233549BDEF7
    Alias: (not available)

Hosting information (whois) for the two C&amp;C hosts:
http://whois.domaintools.com/137.215.75.246
http://whois.domaintools.com/195.197.175.21
