corp-200-105-228-106-uio.punto.net.ec (botnet hosted in Quito, Ecuador, at Puntonet S.A.)

Remote Host Port Number
200.105.228.106 8888

NICK inf444945
USER usrlsr 8 * : .: usrlsr :.
JOIN #java
PRIVMSG #java :GET / HTTP/1.0

Remote Host Port Number
200.105.228.106 8181

NICK bmi16146850
USER psdrman 8 * : .: psdrman :.
JOIN #help
PRIVMSG #help :Ready!

File System Modifications

* The following files were created in the system:

#   Filename(s)                              File Size         File Hash                                            Alias
1   %Temp%\netsvc.exe                        1,552,460 bytes   MD5: 0xA5AE2D8670C8EEC15CA8920A3BB1519F              (not available)
    %Programs%\Startup\netsvc.exe                              SHA-1: 0xD75C71BFB3A51F483C0118C0C7A9BCBE4F736D0C
    %System%\netsvc.exe
    [file and pathname of the sample #1]
2   %Temp%\p2xtmp-1716\B.dll                 94,297 bytes      MD5: 0x9CF98E7FB4EA91546E149DDFDFE05451              (not available)
                                                               SHA-1: 0xD2C90DB948AFF0EFEF0A69EADBB1BB6638173827
3   %Temp%\p2xtmp-1716\Console.dll           49,274 bytes      MD5: 0xF4DEFF37A0AA9AE0EB6E3A2FD62CB120              (not available)
                                                               SHA-1: 0xE5E7D863F9F5B5B0091C7A9CCBDFEF294E92F5F5
4   %Temp%\p2xtmp-1716\Cwd.dll               20,584 bytes      MD5: 0xF3553AB5D6B5FD10ECE7A8169C3BE3A0              (not available)
                                                               SHA-1: 0x3DA3D1AFF0B3584970EC37D4B45531AB997E57C6
5   %Temp%\p2xtmp-1716\Fcntl.dll             24,673 bytes      MD5: 0xE9F17EF68E321F3186DCB0C1CD0D792A              (not available)
                                                               SHA-1: 0x4D7B5662FA542DB09FBA2329EB1592CD9DC3FB02
6   %Temp%\p2xtmp-1716\File.dll              82,024 bytes      MD5: 0x8E3F3E8A318DEF912EDB0A1259E62772              (not available)
                                                               SHA-1: 0x2810E4A9E594063BF6663FEAABA5BEDB971A3BE1
7   %Temp%\p2xtmp-1716\IO.dll                24,667 bytes      MD5: 0x41E2517BA7B513962FC2ABB02B7DB864              (not available)
                                                               SHA-1: 0xFD03934871243F6C6512F1500B77D2C3C42F32AC
8   %Temp%\p2xtmp-1716\p2x5101.dll           414,208 bytes     MD5: 0xA5C0FD969F6608502843EF2881BCC53B              packed with UPX [Kaspersky Lab]
                                                               SHA-1: 0x687688DD5B0ED98F4BA9879CB4B6CB4A1E62EA0F
9   %Temp%\p2xtmp-1716\re.dll                176,219 bytes     MD5: 0x3CCF534DE765CC20AECB45AE87E3606A              (not available)
                                                               SHA-1: 0xDC4383423CC2F495F9D8B1F8BB80DB653E908335
10  %Temp%\p2xtmp-1716\Socket.dll            28,771 bytes      MD5: 0x3CC7CA4CAE592A09456DC9E4F1955FD4              (not available)
                                                               SHA-1: 0x982AB08BCD8648F9D36D41144DB1214EB1963A50
11  %Temp%\p2xtmp-1716\Util.dll              32,887 bytes      MD5: 0x0122C4764F27A1456D5370DCE31AC73B              (not available)
                                                               SHA-1: 0x3EE39678307C21B46E18CEE7511AA6E3D400AF3C
12  %Temp%\p2xtmp-1716\Win32.dll             41,057 bytes      MD5: 0x0EEC3B352E5B03AA2619FE6BBF5D59E8              (not available)
                                                               SHA-1: 0x1514EAA57A7E831A94E78A283E6C4FACB2BBF895
13  %Windir%\Tasks\At1.job                   306 bytes         MD5: 0xE93825B6C66C5104B475072B0493D6C1              (not available)
                                                               SHA-1: 0x21083EC051B797FFD530792604FC6A844CAB0404
14  %Windir%\Tasks\At2.job                   350 bytes         MD5: 0x2A791BAAB5092E1929033600CA4FEE11              (not available)
                                                               SHA-1: 0x5DF2C9F2BB54AF2F638F1C2FB1C7446309103CC3

Hosting information:
http://whois.domaintools.com/200.105.228.106
