75.102.25.96 (deccode 30k botnet)

Remote Host Port Number
75.102.25.96 2345

PASS xxx
NICK NEW-[USA|00|P|44284]
USER XP-0195 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|44284] -ix
JOIN #!gf! test
PONG 22 MOTD

* The data identified by the following URLs was then requested from the remote web server:

* The following ports were open in the system:

Port Protocol Process
1059 TCP jusched.exe (%Windir%\jusched.exe)
1097 TCP jusched.exe (%Windir%\jusched.exe)

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Phuxobab]
+ Yjutiheha = 45 01 32 03 45 05 3F 07 4D 09 48 0B 3E 0D 4A 0F 28 11 21 13 2C 15 55 17 2C 19 29 1B 58 1D 2A 1F 18 21 67 23 60 25 10 27 6C 29 1B 2B 1A 2D 6A 2F 75 31 73 33 76 35 02 37 7D 39 0D 3B 7D 3D 0B 3F 40 41
+ Hxaluqidefay = 43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F 47 11 41 13 48 15 65 17 74 19 79 1B 70 1D 7B 1F 50 21 49 23 46 25 08 27 4C 29 46 2B 40 2D 2E 2F
+ Sheqid = "161"
+ Lmehuqufuna = 31 01 30 03 37 05 33 07 08 09
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"
+ Pwulinubesida = "rundll32.exe "%Windir%\slclepkb.dll",Startup"

so that jusched.exe runs every time Windows starts
so that slclepkb.dll runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
jusched.exe %Windir%\jusched.exe 3 141 632 bytes
css.exe c:\css.exe 86 016 bytes

* The following modules were loaded into the address space of other process(es):

Module Name Module Filename Address Space Details

slclepkb.dll %Windir%\slclepkb.dll
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 - 0x1E85000

slclepkb.dll %Windir%\slclepkb.dll
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 - 0x1955000

slclepkb.dll %Windir%\slclepkb.dll
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 - 0x10015000

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash

1 c:\css.exe 72 704 bytes
MD5: 0xB5271FD111F378BB6A4D60038AC52F53
SHA-1: 0x74D157ADFD8D996E2AB960D77868D086A7A91103

2 %Windir%\jusched.exe [file and pathname of the sample #1] 69 120 bytes
MD5: 0x038E09A094625CF40C203A9D2C404323
SHA-1: 0x9274C2D6A71FEE6A291C8C7BBB242A94A562A270

3 %Windir%\mdll.dl 2 209 bytes
MD5: 0x54D17A3ACA3E71E84C4C0D382FA0A5A9
SHA-1: 0x87A3D20DE560F216B76578EC79BCCBBB54A6873E

4 %Windir%\slclepkb.dll 72 704 bytes
MD5: 0xD67195F7282CA900E1D8416B0522D023
SHA-1: 0xA864A14542BE23957613F0BD30B686AD7803EE56

5 %Windir%\wintybrd.png 3 416 bytes
MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283

6 %Windir%\wintybrdf.jpg 3 968 bytes
MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787
