204.15.252.199.icertified.net (botnet hosted in the United States, Henderson, Trashy Media)

keshmoney.biz
api.wipmania.com
usakesh.biz
heytherebitch.com

These DNS names also come from the ngrBot executable.

Remote host: 204.15.252.199
Port number: 4042

NICK new[USA|XP|COMPUTERNAME]nrrkpsz
USER hh “” “lol” :hh
JOIN #chronic
PONG 422

NICK new[USA|XP|COMPUTERNAME]hpfclbk
USER y0 “” “lol” :y0
JOIN #usakesh
PONG 422

UPDATE:
PRIVMSG #boss :[HTTP]: Updated HTTP spread message to “haha, facebook photos? :p http://tinyurl.com/Pic-15-04-2011”
JOIN #US
PRIVMSG #US :[MSN]: Updated MSN spread message to “wow is this you in this pic? http://tinyurl.com/Pic-15-04-2011”
PRIVMSG #US :[HTTP]: Updated HTTP spread message to “wow is this you in this pic? http://tinyurl.com/Pic-15-04-2011”
NICK n{US|XPa}fffmtby
USER fffmtby 0 0 :fffmtby
PONG :22A0DF79
JOIN #boss ngrBot
PRIVMSG #boss :[MSN]: Updated MSN spread interval to “6”
PRIVMSG #boss :[MSN]: Updated MSN spread message to “haha, facebook photos? :p http://tinyurl.com/Pic-15-04-2011”
PRIVMSG #boss :[HTTP]: Updated HTTP spread interval to “6”
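An added detection example, not part of the original notes: a small Python scanner over IRC lines like the capture above (the sample lines are constructed here from that capture) that flags ngrBot-style NICK registrations and the spread-message updates, and pulls the lure URLs out of them for blocking.

```python
import re

# Constructed sample modelled on the IRC C2 capture above (not a live capture).
SAMPLE_LINES = """\
NICK new[USA|XP|COMPUTERNAME]nrrkpsz
USER hh "" "lol" :hh
JOIN #chronic
PONG 422
NICK n{US|XPa}fffmtby
USER fffmtby 0 0 :fffmtby
JOIN #boss ngrBot
PRIVMSG #boss :[MSN]: Updated MSN spread interval to "6"
PRIVMSG #boss :[MSN]: Updated MSN spread message to "haha, facebook photos? :p http://tinyurl.com/Pic-15-04-2011"
PRIVMSG #US :[HTTP]: Updated HTTP spread message to "wow is this you in this pic? http://tinyurl.com/Pic-15-04-2011"
PRIVMSG #chat :hello everyone
""".splitlines()

# Bot registration nicks seen in the capture: n{CC|OS...}random or new[CC|OS|HOSTNAME]random
NICK_RE = re.compile(r"^NICK\s+(?:n\{[^}]+\}|new\[[^\]]+\])\w+$")
# Spread-module updates pushed to a channel (straight or curly quotes around the value)
UPDATE_RE = re.compile(
    r"^PRIVMSG\s+(?P<chan>#\S+)\s+:\[(?P<module>[A-Z]+)\]:\s+Updated\s+\w+\s+spread\s+"
    r"(?P<field>message|interval)\s+to\s+[\"“](?P<value>[^\"”]*)[\"”]$"
)
URL_RE = re.compile(r"https?://\S+")


def classify(line):
    """Return a dict describing why the line is suspicious, or None."""
    line = line.strip()
    if NICK_RE.match(line):
        return {"kind": "bot_nick", "nick": line.split(None, 1)[1]}
    m = UPDATE_RE.match(line)
    if m:
        hit = {"kind": "spread_update", **m.groupdict()}
        hit["urls"] = URL_RE.findall(hit["value"])  # lure URLs to block
        return hit
    return None


def scan(lines):
    """Run classify() over captured lines and keep the hits, in order."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```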

Registry Modifications

The newly created Registry Value is:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Microsoft Windows USB = “%AppData%\E-32948-2987-28740hostraid.exe”

so that hostraid.exe runs every time Windows starts

Registry Modifications

The newly created Registry Value is:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Mobile Device Service = “%AppData%\J-93219-1923-12901mobile32.exe”

so that mobile32.exe runs every time Windows starts

File System Modifications

The following files were created in the system:

1. %AppData%\E-32948-2987-28740hostraid.exe [file and pathname of the sample #1]
   File size: 55,808 bytes
   MD5: 0x77B567AD2AFFAC889A1AAA5BED4F83B4
   SHA-1: 0x5AF57EF44865525ED00E1230DC97200F7C1AF758
   Alias: packed with UPX [Kaspersky Lab]

2. %AppData%\windows.txt
   File size: 0 bytes
   MD5: 0xD41D8CD98F00B204E9800998ECF8427E
   SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias: (not available)

Note that the MD5 and SHA-1 of windows.txt are simply the hashes of an empty file, so they are not a usable indicator on their own; the file name and location are.

Information about the hosting:
http://whois.domaintools.com/204.15.252.199
