unknown.hostforweb.com (botnet hosted with Hostforweb Inc, Chicago, United States)

Remote Host       Port Number
174.37.200.82     80
63.135.80.224     80
63.135.80.46      80
64.208.241.27     80
66.220.149.25     80
64.202.107.109    1234

IRC traffic sent to 64.202.107.109 on port 1234:

PASS xxx
JOIN #!nn! test
MODE NEW-[USA|00|P|82252] -ix
PONG 22 MOTD
NICK NEW-[USA|00|P|82252]
USER XP-0038 * 0 :COMPUTERNAME

* The data identified by the following URLs was then requested from the remote web server:
o http://174.37.200.82/index.php
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://www.myspace.com/browse/people
o http://www.myspace.com/help/browserunsupported
o http://x.myspacecdn.com/images/BrowserUpgrade/bg_infobox.jpg
o http://x.myspacecdn.com/modules/splash/static/img/cornersSheet.png
o http://x.myspacecdn.com/images/BrowserUpgrade/icon_information.gif
o http://x.myspacecdn.com/images/BrowserUpgrade/bg_browserSection.jpg
o http://x.myspacecdn.com/images/BrowserUpgrade/browserLogos_med.jpg
o http://www.facebook.com/home.php
o http://www.facebook.com/login.php

Other details

* The following ports were open in the system:

Port   Protocol   Process
1055   TCP        nvsvc32.exe (%Windir%\nvsvc32.exe)
1060   TCP        nvsvc32.exe (%Windir%\nvsvc32.exe)
1061   TCP        nvsvc32.exe (%Windir%\nvsvc32.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

so that nvsvc32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

so that nvsvc32.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

so that nvsvc32.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename       Main Module Size
nvsvc32.exe    %Windir%\nvsvc32.exe   3,125,248 bytes

* The following system service was modified:

Service Name   Display Name        New Status   Service Filename
wuauserv       Automatic Updates   "Stopped"    %System%\svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

#  Filename(s)                            File Size      File Hash
1  %Windir%\ndl.dl                        2,239 bytes    MD5: 0x2B7D5DC652AE5219EE3DDE307256164E
                                                         SHA-1: 0x4096C85E7A96F16AF2B360D99ABED243E54E1505
2  %Windir%\nvsvc32.exe                   65,024 bytes   MD5: 0x40132ABAAC64E2526C048D213D4BFD72
   [file and pathname of the sample #1]                  SHA-1: 0x9680258A660A0169B507BCED36D40C2944A51AA9
3  %Windir%\wibrf.jpg                     3,968 bytes    MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
                                                         SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787
4  %Windir%\wiybr.png                     3,416 bytes    MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
                                                         SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283

Information about the hoster:
http://whois.domaintools.com/64.202.107.109
