Skype worm

x01bkr2.biz (snk asper mod irc botnet hosted by buyurl.net, alibabahost.com)

Resolved x01bkr2.biz to 94.242.237.128, 37.221.170.208
Server: x01bkr2.biz
Port: 4723
Channel: #o.O
Topic for #o.O is: .dl hxxp://www.mediafire.com/download.php?dqr1p0wz8tpz9tz | .dl hxxp://www.mediafire.com/download.php?uqqhg3equchc7bd
Topic for #o.O set by SpliT at Sat Apr 27 17:57:29 2013
The Skype spreader downloads its messages from hxxp://waxortraxe.org/icon.jpg
Alternate domains: zr0x1b9.biz xkzykxb.biz xeyaz.biz
Hosting infos: http://whois.domaintools.com/94.242.237.128
Hosting infos: http://whois.domaintools.com/37.221.170.208
EDIT: snk is now desperately

h.opennews.su (irc botnet hosted by qhoster.com)

Resolved h.opennews.su to 5.45.181.254
Server: h.opennews.su
Port: 9000
Channel: #sp
Channel password: yop
Topic for #sp is: !wB/smZJsKbDADvo5ab8sIF/r5RP7kkXfEsreBMH+9hiVs3ilngzFHh0Ph9sbgtC/EeqYw5x0Vj2IqRyb/knFS+LUzo6bf3cW/A1SyUXkVxz8ERDPS2K/qHObIS3TFyR2JAiWdnWc82S3KnAwUHQFMEb6h/kQqB9TcZElsKS4BnyDiGp1B19crjVgBes7+ilkHVmFLRRgoSPyUBx71ioiUporVdeOIEUhA547CIbp0odHxRQ41LK9wPz13N8KYZx6/QE//rZhBqCorPJqg3w=
Topic for #sp set by SNK at Thu Apr 04 06:16:09 2013
Example bot nick: n{USA-XPx86u}gjekbowg
Alternate domains: f.eastmoon.pl gigasbh.org gigasphere.su o.dailyradio.su photobeat.su s.richlab.pl uranus.kei.su xixbh.com xixbh.net
You may recognize some of the domains from previous posts.

xixbh.net (ngrbot irc botnet hosted by oneandone.net)

Resolved xixbh.net to 212.227.83.111, 213.165.68.138, 85.25.86.198
Server: xixbh.net (alternate domains: xixbh.com gigasbh.org)
Port: 1863
Server password: jobs
Channel: #jobs
Topic for #jobs is: !dl hxxp://hotfile.com/dl/200451226/2ff4c3f/orf4Duu.html
Topic for #jobs set by x at Fri Mar 29 13:40:52 2013
SSL is required to connect to this server.
This is the same guy as these previous posts.

mikimouse.net (ngrbot irc botnet hosted by yisp.nl)

Resolved mikimouse.net to 46.182.107.35
Server: mikimouse.net (alternate domains: mikimouse.org mikispace.org)
Port: 1863
Server password: jobs
Channel: #jobs
Topic for #jobs is:
Topic for #jobs set by h at Sat Feb 23 19:28:30 2013
This is the same bot, port and spreading method as a previously posted botnet. However, that one had been sinkholed, so it appears

afkm.in (irc bot spreading through Skype, hosted in Germany, Karlsruhe, 1&1 Internet AG)

This botnet belongs to our lame friend snk (he uses aspergillus mod). It was reported by I Post Your Info here.
Domain names used by snk: w4hw5wg3488h.net (this one is no longer active)
Resolved: [afkm.in] to [82.165.140.66] (the active domain name used to control the bots)
hxxp://213.165.83.232/b.exe (www.dgp-vision.de): bot exe here
The bot downloads 2 exe files

venus.timeinfo.pl (ngrbot irc botnet hosted by 1&1 Internet Ag)

Note: New domains are at the bottom of the post.
This is the Skype "worm" that is in the news right now.
Articles:
http://www.techspot.com/news/50443-dorkbot-worm-spreading-via-skype-installs-nasty-ransomware.html
http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/
http://techcrunch.com/2012/10/08/ransomware-worm-now-spreading-on-skype/
http://www.forbes.com/sites/adriankingsleyhughes/2012/10/08/ransomware-worm-spreading-via-skype/
http://countermeasures.trendmicro.eu/skype-worm-spreading-fast/
Resolved venus.timeinfo.pl to 63.223.107.62, 176.9.192.131, 213.165.71.142, 217.160.108.147, 213.165.71.153, 87.106.98.157, 74.208.112.178
Server: venus.timeinfo.pl
Port: 1863
Password: 24r34t
SSL is needed to connect; accept the invalid certificate.
Authhost: bossman