april2.botsgod.info ip: 92.243.28.194
april2.botsgod.info ip: 95.142.168.229
april2.botsgod.info ip: 217.70.188.30
Remote Host        Port Number
217.70.188.30      4949
92.243.28.194      4949
95.142.168.229     4949
NICK {NOVY}[USA][XP-SP2]043406
USER VirUs "" "lol" :0320
NICK [USA][XP-SP2]073489
USER VirUs "" "lol" :7113
USER VirUs "" "lol" :4947
NICK [USA][XP-SP2]725879
USER VirUs "" "lol" :8170
NICK [USA][XP-SP2]710812
USER VirUs "" "lol" :0319
NICK [USA][XP-SP2]250195
USER VirUs "" "lol" :5720
NICK [USA][XP-SP2]667826
NICK [USA][XP-SP2]190728
USER VirUs "" "lol" :2317
NICK [USA][XP-SP2]891028
USER VirUs "" "lol" :9662
NICK [USA][XP-SP2]510729
USER VirUs "" "lol" :0542
NICK [USA][XP-SP2]473005
USER VirUs "" "lol" :3336
NICK [USA][XP-SP2]492608
USER VirUs "" "lol" :9810
NICK [USA][XP-SP2]392809
USER VirUs "" "lol" :6185
NICK [USA][XP-SP2]730659
USER VirUs "" "lol" :6450
NICK [USA][XP-SP2]972686
USER VirUs "" "lol" :1859
Registry Modifications
* The newly created Registry Values are:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + Microsoft Firewall 2.9 = "%Temp%\MSFW.exe"
          so that MSFW.exe runs every time Windows starts
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        + Microsoft Firewall 2.9 = "%Temp%\MSFW.exe"
          so that MSFW.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
    Process Name    Process Filename    Main Module Size
    MSFW.exe        %Temp%\msfw.exe     53 248 bytes
File System Modifications
* The following files were created in the system:
    1. %Temp%\MSFW.exe
       [file and pathname of the sample #1]
       File Size: 122 881 bytes
       MD5:       0xC2C9E12C63CD9CF9A05567E2B90AB57C
       SHA-1:     0x2D722D327CCC24C8661B59F2A12A1150796D0722
       Alias:     Trojan.Win32.Jorik.IRCbot.jx [Kaspersky Lab]
                  Trojan:Win32/Ircbrute [Microsoft]
                  Trojan-Dropper.Small [Ikarus]
    2. %Temp%\sWo_log_2211346.tmp
       File Size: 9 bytes
       MD5:       0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
       SHA-1:     0x561782F6CC10BA3E5AFEAED752F95E589C813891
       Alias:     (not available)
Detailed info about hosting here:
http://whois.domaintools.com/95.142.168.229
http://whois.domaintools.com/92.243.28.194
http://whois.domaintools.com/217.70.188.30
The botnet is hosted in the UK and France, countries where this is strictly forbidden.