venus.timeinfo.pl (ngrbot irc botnet hosted by 1&1 Internet Ag)

Note: New domains are at the bottom of the post

This is the Skype "worm" that is in the news right now.
Articles:
http://www.techspot.com/news/50443-dorkbot-worm-spreading-via-skype-installs-nasty-ransomware.html
http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/
http://techcrunch.com/2012/10/08/ransomware-worm-now-spreading-on-skype/
http://www.forbes.com/sites/adriankingsleyhughes/2012/10/08/ransomware-worm-spreading-via-skype/
http://countermeasures.trendmicro.eu/skype-worm-spreading-fast/

Resolved venus.timeinfo.pl to 63.223.107.62, 176.9.192.131, 213.165.71.142, 217.160.108.147, 213.165.71.153, 87.106.98.157, 74.208.112.178

Server: venus.timeinfo.pl
Port: 1863
Password: 24r34t
SSL is needed to connect; accept the invalid certificate.

Authhost: bossman
wow (keshout@bossman)
b (java@bossman)

Edit: New Authhost: team
 snk__ (keshout@team)
 b (java@team)

Channel: #load
* Topic for #load is: !m on !dl hxxp://hotfile.com/dl/175556325/26b0a87/owefhiojcbr.html !j #px
* Topic for #load set by test at Tue Oct 09 23:06:00 2012
The file in the topic is the Skype spreader.

Channel: #px
* Topic for #px is: !rs1 91.121.201.169 4321
* Topic for #px set by wow at Sun Oct 07 19:09:42 2012

!j -c BE,DK,FI,FR,GR,HR,HU,IE,NO,PL,RO,SK #gi
Channel: #gi
 * Topic for #gi is: !dl hxxp://hotfile.com/dl/175638047/d559819/2323324.html
 * Topic for #gi set by wow at Wed Oct 10 15:05:42 2012
 File is the goldinstalls installer. Info on that here. His user ID is 265.

!j -c RU,RUS #r
Channel: #r
* Topic for #r is: !dl hxxp://hotfile.com/dl/175640723/9d7e062/93fgh.html
* Topic for #r set by wow at Wed Oct 10 15:42:32 2012
File is a click-fraud program.
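As an added example (not part of the post and not the bot's own code), the Python script below parses the captured channel topics and join commands above into indicators a defender can act on: download hosts, raw socket endpoints and per-channel routing. The command grammar it understands (!dl URL, !rs1 IP PORT, !j [-c CC,CC] #chan, anything else kept as "other") is taken from the lines exactly as captured; reading -c as an ISO country-code filter is an assumption drawn from the codes in the post, and the sample input is constructed from those lines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the channel topics and join commands as captured in the post
# (hxxp:// is the defanged form the post uses).
SAMPLE_TOPICS = {
    "#load": "!m on !dl hxxp://hotfile.com/dl/175556325/26b0a87/owefhiojcbr.html !j #px",
    "#px": "!rs1 91.121.201.169 4321",
    "#gi": "!dl hxxp://hotfile.com/dl/175638047/d559819/2323324.html",
    "#r": "!dl hxxp://hotfile.com/dl/175640723/9d7e062/93fgh.html",
}
SAMPLE_JOINS = [
    "!j -c BE,DK,FI,FR,GR,HR,HU,IE,NO,PL,RO,SK #gi",
    "!j -c RU,RUS #r",
]

URL_RE = re.compile(r"^h(?:xx|tt)ps?://([^/\s]+)", re.I)  # accepts defanged and live schemes
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class TopicIocs:
    """Indicators pulled out of one topic or command line."""
    channel: str
    download_urls: list = field(default_factory=list)  # !dl <url>
    hosts: set = field(default_factory=set)            # hostnames of those URLs
    endpoints: list = field(default_factory=list)      # (ip, port) from !rs1
    joins: list = field(default_factory=list)          # (target channel, [country codes]) from !j
    other: list = field(default_factory=list)          # commands not modelled here, kept for review


def split_commands(line):
    """Split a line into (command, args) pairs; every command begins with '!'."""
    cmds = []
    for chunk in re.split(r"\s+(?=!)", line.strip()):
        if not chunk.startswith("!"):
            continue  # text before the first '!' is not a command
        parts = chunk.split()
        cmds.append((parts[0][1:].lower(), parts[1:]))
    return cmds


def parse_topic(channel, line):
    """Extract IoCs from one topic/command line using the grammar seen in the captured topics.
    Assumption: '!j -c CC,CC #chan' carries ISO country codes (inferred from the codes in the post)."""
    iocs = TopicIocs(channel=channel)
    for cmd, args in split_commands(line):
        if cmd == "dl":
            for arg in args:
                m = URL_RE.match(arg)
                if m:
                    iocs.download_urls.append(arg)
                    iocs.hosts.add(m.group(1).lower())
        elif cmd == "rs1" and len(args) >= 2 and IPV4_RE.match(args[0]) and args[1].isdigit():
            iocs.endpoints.append((args[0], int(args[1])))
        elif cmd == "j":
            countries, target, i = [], None, 0
            while i < len(args):
                if args[i] == "-c" and i + 1 < len(args):
                    countries = args[i + 1].upper().split(",")
                    i += 2
                else:
                    if args[i].startswith("#"):
                        target = args[i]
                    i += 1
            if target:
                iocs.joins.append((target, countries))
        else:
            iocs.other.append((cmd, args))
    return iocs


def build_blocklist(entries):
    """Aggregate download hosts and raw socket endpoints from (channel, line) pairs
    into one sorted list suitable for a DNS or firewall blocklist."""
    items = set()
    for channel, line in entries:
        t = parse_topic(channel, line)
        items.update(t.hosts)
        items.update(f"{ip}:{port}" for ip, port in t.endpoints)
    return sorted(items)


if __name__ == "__main__":
    for chan, topic in SAMPLE_TOPICS.items():
        print(chan, parse_topic(chan, topic))
    for join_line in SAMPLE_JOINS:
        print(parse_topic(None, join_line).joins)
    print(build_blocklist(SAMPLE_TOPICS.items()))
```

Feeding each new topic capture through build_blocklist as the domains rotate keeps the blocklist current without re-reading the channel by hand; the "other" list surfaces any command you have not modelled yet.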

Other domains: 
photobeat.su
mars.dothome.pl

Samples here

Many different IPs:
63.223.107.62 United States Longwood Sentris Network Llc
176.9.192.131 Germany Nuremberg Hetzner Online Ag
213.165.71.142 Germany Karlsruhe 1&1 Internet Ag
217.160.108.147 Germany Karlsruhe 1&1 Internet Ag
213.165.71.153 Germany Karlsruhe 1&1 Internet Ag
87.106.98.157 France 1&1 Internet Ag
74.208.112.178 United States Waynesburg 1&1 Internet Inc.

Sample obtained from bartblaze via kernelmode.info

EDIT: New domains for the latest bot

earth.pipro.net
uranus.kei.su
saturn.losa.pl

All other info remains the same
A recent spreading URL only reached 2000 clicks before the file was removed. I guess I'm not the only one in the channel.

EDIT2:
big heckers
<test> !logins Steam
<test> !logins Runescape
<test> !logins Youtube

EDIT3:
New domains again

stargate.parad.su
star.helli.pl
mercury.yori.pl

EDIT4:
Bitcoins ahoy


2 Comments

Anonymous - November 26, 2012 at 3:43 am

Did he update his domains again? …been trying to track this guy down. …have a lot of info so far…but a lot of his IPs dropped off.

Any help much appreciated.

I_Post_Ur_Info - November 26, 2012 at 5:40 pm

I'm still able to connect through mercury.yori.pl.
