178.63.104.185 (botnet hosted in Germany, Hetzner Online AG)

| Remote Host | Port Number |
|---|---|
| 178.63.104.185 | 6667 |

NICK meral
USER Bahar-ankara "SohbetCeLL" "178.63.104.185" :Begum23
JOIN #Dos BoTisTaN
MODE meral +i
MODE #Dos
PRIVMSG #Dos :"CACA EHZEHBUGKERK, JA'DOF" R'AK JADL

(tr0j3n) !q kapat
(tr0j3n) !identclone kapat
(tr0j3n) !identclone kapat

Other details

* The following ports were open in the system:

| Port | Protocol | Process |
|---|---|---|
| 1053 | TCP | KCA.exe (%Windir%\system\KCA.exe) |
| 1056 | TCP | kca.exe (%Windir%\system\kca.exe) |

Registry Modifications

* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
  o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
  o HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
  o HKEY_CURRENT_USER\Software\mIRC
  o HKEY_CURRENT_USER\Software\mIRC\DateUsed
  o HKEY_CURRENT_USER\Software\WinRAR SFX

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
    + (Default) = "ChatFile"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]
    + (Default) = "ChatFile"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]
    + (Default) = "Connect"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]
    + (Default) = "%1"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]
    + (Default) = "ms32"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]
    + (Default) = "%1"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]
    + (Default) = ""%Windir%\system\kca.exe" -noconnect"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]
    + (Default) = ""%Windir%\system\kca.exe""
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]
    + (Default) = "Chat File"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]
    + (Default) = "Connect"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]
    + (Default) = "%1"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]
    + (Default) = "ms32"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]
    + (Default) = "%1"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]
    + (Default) = ""%Windir%\system\kca.exe" -noconnect"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]
    + (Default) = ""%Windir%\system\kca.exe""
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
    + (Default) = "URL:IRC Protocol"
    + EditFlags = 02 00 00 00
    + URL Protocol = ""
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + WinSmsFi = "kca.exe"
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
    + DisplayName = "mIRC"
    + UninstallString = ""%Windir%\system\kca.exe" -uninstall"
  o [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
    + VoiceEnabled = 0x00000001
    + UseVoiceTips = 0x00000001
    + KeyHoldHotKey = 0x00000091
    + UseBeepSRPrompt = 0x00000001
    + SRTimerDelay = 0x000007D0
    + SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    + EnableSpeaking = 0x00000001
    + UseBalloon = 0x00000001
    + UseCharacterFont = 0x00000001
    + UseSoundEffects = 0x00000001
    + SpeakingSpeed = 0x00000005
    + PropertySheetX = 0x000F423F
    + PropertySheetY = 0x000F423F
    + PropertySheetWidth = 0x00000000
    + PropertySheetHeight = 0x00000000
    + PropertySheetPage = 0x00000000
    + CommandsWindowLeft = 0xFFFFFFFF
    + CommandsWindowTop = 0xFFFFFFFF
    + CommandsWindowWidth = 0x000000C8
    + CommandsWindowHeight = 0x000000C8
    + CommandsWindowLocationSet = 0x00000000
  o [HKEY_CURRENT_USER\Software\mIRC\DateUsed]
    + (Default) = "1293987477"
  o [HKEY_CURRENT_USER\Software\WinRAR SFX]
    + C%%%WINDOWS%\system = "C://WINDOWS/system"

Memory Modifications

* There was a new process created in the system:

| Process Name | Process Filename | Main Module Size |
|---|---|---|
| KCA.exe | %Windir%\system\kca.exe | 1,892,352 bytes |

File System Modifications

* The following files were created in the system:

| # | Filename(s) | File Size | File Hash | Alias |
|---|---|---|---|---|
| 1 | %Windir%\system\Chans.dll | 404 bytes | MD5: 0x3D7F19F85CDD303A793B232FF3BC77CD; SHA-1: 0x9195C47075816C8D5441905EA122645E209D1A07 | (not available) |
| 2 | %Windir%\system\demo.xt | 20,629 bytes | MD5: 0x9853052BEC08929C1AB678D04DD0B4F0; SHA-1: 0xAE48E3E98F306663981B91F58B73B2D7CD22AE29 | IRC/Flood.dv [McAfee]; IRC_Generic [Trend Micro]; Trojan.IRC.Flood.DV [Ikarus] |
| 3 | %Windir%\system\email.txt | 19,080 bytes | MD5: 0xA83C141FEC1D065165CF59F5DA00D893; SHA-1: 0xD8C1A50B8981B8EC9DD03B21C8B5CD60C0E24492 | (not available) |
| 4 | %Windir%\system\fn.xt | 11,773 bytes | MD5: 0x17E9E7690A3B7C5859B78679FD5D540B; SHA-1: 0xBF6892A1CCBDABC4BBCF002D4192241AED1F7780 | (not available) |
| 5 | %Windir%\system\fucker.jpg | 35,352 bytes | MD5: 0x2396AD9B1263E93277AB6F53C4CFFBBB; SHA-1: 0x20D54BF3F34F81CD8D6032BC9D1E8C139534C26D | Trojan.IRC-Mimic [PCTools]; IRC.Mimic [Symantec]; Net-Worm.Win32.Randon [Ikarus] |
| 6 | %Windir%\system\KCA.exe | 1,790,464 bytes | MD5: 0xA35434C25FB2ED3BA36A016C03CB636C; SHA-1: 0xB4E8103B52ABCC8DCD9D2B058E9EF105EFE508CC | not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]; IRC/Client [McAfee]; not-a-virus:Client-IRC.Win32.mIRC [Ikarus]; Win-Trojan/MircPack.1790464 [AhnLab] |
| 7 | %Windir%\system\mIRC.ini | 4,952 bytes | MD5: 0x98BEFFB0B85A9BEF9C541F67DDFA28BF; SHA-1: 0xE321670C1422D687726EA09522F4683C0062B432 | IRC/Flood.gen.b [McAfee]; Backdoor.IRC.Kelebek.ak [Ikarus] |
| 8 | %Windir%\system\nHTMLn_2.95.dll | 10,240 bytes | MD5: 0x4EDD1B6C4745BFED1CA141A01F6A9FD2; SHA-1: 0x932ED7A74D9D048E99E5795FCA2CA7578FEC9CAE | Troj/Merc-A [Sophos] |
| 9 | %Windir%\system\server.dll | 151 bytes | MD5: 0x94C1F122EFD9F7FFD66BD969251C8161; SHA-1: 0x91A9ADCDB9A7FA78B754C3AE9126F4C15E43CADB | (not available) |
| 10 | %Windir%\system\Sfwwin32.dll | 40,960 bytes | MD5: 0xA85A6F809B5500ADF9F163F60CBD9B25; SHA-1: 0x9B81D20E5FFBF9BAE4BB95595579B29A282DAB0F | Backdoor.IRC.Flood [PCTools]; Hacktool.Flooder [Symantec]; IRC/Flood.tool [McAfee]; Troj/Flood-I [Sophos]; Trojan:Win32/Flood.L [Microsoft]; IRC.Flood [Ikarus]; Win-Trojan/Flooder.45056.B [AhnLab] |
| 11 | %Windir%\system\sysingB32.dll | 35 bytes | MD5: 0x5BF3BCF6CF12022FC57DF86DE87DFA9B; SHA-1: 0x93085530F9F3F0691D77FFF751D98C3606739993 | (not available) |
| 12 | %Windir%\system\win.ini | 477 bytes | MD5: 0x8715347D6B7B2E3A7CFE5ADF2D510CE3; SHA-1: 0x36C55AE9BD5F13E601A9C2FCB79B3237032D4AA7 | (not available) |
| 13 | [file and pathname of the sample #1] | 770,826 bytes | MD5: 0x317D2749A4CA336B84F9C4FC847FA5D5; SHA-1: 0xE9F82436E17D4190580BFED2E544BC900A93C663 | not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]; IRC.Flood [Ikarus] |

Hosting information:
http://whois.domaintools.com/178.63.104.185
