us2.holdbaby.com( banking trojan hosted in United States Dallas Theplanet.com Internet Services Inc)

By Pig, January 23, 2011

Resolved : [us2.holdbaby.com] To [174.121.110.122]
Remote Host Port Number
174.121.110.122 8800
208.82.236.129 80
208.82.238.129 80
67.212.77.13 80

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
+ Taskman = “C:RECYCLERS-1-5-21-0243556031-888888379-781863308-1191wdfewi.exe”

so that wdfewi.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Bfwe = “C:RECYCLERS-1-5-21-0243556031-888888379-781863308-1191wdfewi.exe”

so that wdfewi.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon]
+ Shell = “explorer.exe,C:RECYCLERS-1-5-21-0243556031-888888379-781863308-1191wdfewi.exe”

so that wdfewi.exe runs every time Windows starts

infos about hosting:
http://whois.domaintools.com/174.121.110.122

Categories: Uncategorized

Previous posta.bestplay2010.com(botnet hosted in Russian Federation Vline Ltd)

Next post80.91.191.156(spyeye banking trojan hosted in Ukraine Kiev Webspace-datagroup)