Note: New domains are at the bottom of the post
This is the Skype “worm” that is in the news right now.
Resolved venus.timeinfo.pl to 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
SSL is needed to connect; accept the invalid certificate.
Edit: New Authhost: team
* Topic for #load is: !m on !dl hxxp://hotfile.com/dl/175556325/26b0a87/owefhiojcbr.html !j #px
* Topic for #load set by test at Tue Oct 09 23:06:00 2012
File in the topic is the Skype spreader
* Topic for #px is: !rs1 126.96.36.199 4321
* Topic for #px set by wow at Sun Oct 07 19:09:42 2012
!j -c BE,DK,FI,FR,GR,HR,HU,IE,NO,PL,RO,SK #gi
* Topic for #gi is: !dl hxxp://hotfile.com/dl/175638047/d559819/2323324.html
* Topic for #gi set by wow at Wed Oct 10 15:05:42 2012
File is the goldinstalls installer. Info on that here. His userid is 265.
!j -c RU,RUS #r
* Topic for #r is: !dl hxxp://hotfile.com/dl/175640723/9d7e062/93fgh.html
* Topic for #r set by wow at Wed Oct 10 15:42:32 2012
File is a click fraud program
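For anyone logging these channels, the topic lines above can be split into structured records so download URLs and country-gated joins can be tracked as they change. This is an added example, not code from the original post or from the bot; the function names are hypothetical, the command meanings are not documented on this page, and reading `-c` as a country-code filter is an assumption based on its argument values.

```python
import re

# Topic and command lines copied from the log on this page (URLs already defanged).
SAMPLE_LOG = """\
* Topic for #load is: !m on !dl hxxp://hotfile.com/dl/175556325/26b0a87/owefhiojcbr.html !j #px
* Topic for #load set by test at Tue Oct 09 23:06:00 2012
* Topic for #px is: !rs1 126.96.36.199 4321
!j -c BE,DK,FI,FR,GR,HR,HU,IE,NO,PL,RO,SK #gi
* Topic for #gi is: !dl hxxp://hotfile.com/dl/175638047/d559819/2323324.html
!j -c RU,RUS #r
* Topic for #r is: !dl hxxp://hotfile.com/dl/175640723/9d7e062/93fgh.html
"""

TOPIC_RE = re.compile(r"^\* Topic for (#\S+) is: (.*)$")
CMD_RE = re.compile(r"!(\w+)((?:\s+[^!\s]\S*)*)")  # !name followed by non-! arguments

def parse_commands(text):
    """Split a command string into (name, [args]) pairs; no semantics assumed."""
    return [(m.group(1), m.group(2).split()) for m in CMD_RE.finditer(text)]

def parse_log(log):
    """Return one record per command: source channel (or None), name, args."""
    records = []
    for line in log.splitlines():
        line = line.strip()
        m = TOPIC_RE.match(line)
        if m:
            channel, body = m.group(1), m.group(2)
        elif line.startswith("!"):
            channel, body = None, line  # bare command; its channel is not shown in the log
        else:
            continue  # "set by" lines and analyst notes carry no commands
        for name, args in parse_commands(body):
            records.append({"channel": channel, "cmd": name, "args": args})
    return records

def summarize(records):
    """Collect !dl URLs per channel and the assumed country lists of '!j -c' joins."""
    downloads, gated = {}, {}
    for r in records:
        if r["cmd"] == "dl" and r["args"]:
            downloads.setdefault(r["channel"], []).append(r["args"][0])
        elif r["cmd"] == "j" and r["args"][:1] == ["-c"] and len(r["args"]) >= 3:
            gated[r["args"][2]] = r["args"][1].split(",")
    return downloads, gated

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

Diffing the output of `summarize` between captures shows when a topic's download URL or country list has been rotated.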
Many different IPs
188.8.131.52 United States Longwood Sentris Network Llc
184.108.40.206 Germany Nuremberg Hetzner Online Ag
220.127.116.11 Germany Karlsruhe 1&1 Internet Ag
18.104.22.168 Germany Karlsruhe 1&1 Internet Ag
22.214.171.124 Germany Karlsruhe 1&1 Internet Ag
126.96.36.199 France 1&1 Internet Ag
188.8.131.52 United States Waynesburg 1&1 Internet Inc.
Sample obtained from bartblaze via kernelmode.info
EDIT: New domains for the latest bot
All other info remains the same
A recent spreading URL only got to 2000 clicks before the file was removed. I guess I’m not the only one in the channel.
<test> !logins Steam
<test> !logins Runescape
<test> !logins Youtube
New domains again
Anonymous - November 26, 2012 at 3:43 am
Did he update his domains again? …Been trying to track this guy down. …Have a lot of info so far… but a lot of his IPs dropped off.
Any help much appreciated.
I_Post_Ur_Info - November 26, 2012 at 5:40 pm
I'm still able to connect through mercury.yori.pl.