afkm.in(irc bot spreading through skype hosted in Germany Karlsruhe 1&1 Internet Ag)

This botnet belongs to our lame friend snk(he uses aspergillus mod)
It was reported by I Post Your Info here

Domain Names used from snk:
w4hw5wg3488h.net this one now is not active
Resolved : [afkm.in] To [82.165.140.66] active domain name used to control bots
hxxp://213.165.83.232/b.exe (www.dgp-vision.de) bot exe here

The bot downloads 2 exe files
hxxp://82.165.140.66/fd.exe (afkm.in)
hxxp://82.165.140.66/m2.exe (afkm.in)  Cutwail here

Server:
afkm.in
:5050
Server Password:
Username: x
Nickname: n[DEU|XP]vsfohdb
Channel: #l (Password: (null))
Channeltopic: :.j #lol .d /100/97/111/124/49/59/47/48/57/38/37/21/34/49/49/36/34/46/40/39/47/118/114/34/122/112/96/

Now talking in #l
Topic On: [ #l ] [.j #lol .d /100/97/111/124/49/59/47/48/57/38/37/21/34/49/49/36/34/46/40/39/47/118/114/34/122/112/96/ ]
Topic By: [ x ]
(x) .d /100/97/111/124/49/59/47/48/57/38/37/21/34/49/49/36/34/46/40/39/47/118/114/34/122/112/96/

Now talking in #lol
Topic On: [ #lol ] [ , ]
Topic By: [ x ]

UPDATE:
the lamer changed domain name again and here it is next backup found by I Post Your Info

Resolved : [39f3t9eewhd.net] To [82.165.140.66]

Server:39f3t9eewhd.net:5050

Server Password:
Username: x
Nickname: n[DEU|XP]vsfohdb
Channel: #l (Password: (null))
Now talking in #l
Topic On: [ #l ] [ .j #lol .d /100/97/111/124/49/59/47/48/57/38/37/21/34/49/49/36/34/46/40/39/47/118/114/34/122/112/96/ ]
Topic By: [ x ]

hosting infos:
http://whois.domaintools.com/82.165.140.66

Categories: Uncategorized

1 Comment

I_Post_Ur_Info - December 11, 2012 at 1:24 am

:x!x@x TOPIC #l :,
PING :x.x
PONG :x.x
:x.x NOTICE n[USA|XP]yxswhzw :Server Terminating. x

snk you just going to give up?

Comments are closed