Remote Host Port Number
217.70.188.30 5900 PASS Virus
92.243.28.194 5900 PASS Virus
95.142.168.229 5900 PASS Virus
NICK VirUs-xlaixqgo
USER VirUs "" "zbo" :
8Coded
8Ahmed.Ramzey@Hotmail.Com..
NICK VirUs-firqfllm
USER VirUs "" "zux" :
NICK VirUs-nqcgfvif
USER VirUs "" "pcm" :
NICK VirUs-whzmmafw
USER VirUs "" "kga" :
NICK VirUs-rffujwic
USER VirUs "" "xvi" :
NICK VirUs-ubjkqifu
NICK VirUs-zsqyylgv
USER VirUs "" "awk" :
USER VirUs "" "iuq" :
NICK VirUs-rszadxfa
USER VirUs "" "olx" :
This is the email address of this Egyptian lamer:
Ahmed.Ramzey@Hotmail.Com
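The capture above shows the bot registering with its IRC servers on TCP port 5900, the port normally used by VNC, rather than on an IRC port, and choosing nicks with a fixed "VirUs-" prefix followed by random letters. The following detection routine is an added example, not code from the original post: it scans connection records (constructed here from the three controller addresses in the capture plus a real-looking VNC handshake and an ordinary IRC session for contrast) and flags any flow whose payload carries IRC NICK/USER registration on a non-IRC port, then recovers the common nick prefix as a pivot for further hunting. The record layout and the helper names are assumptions of this example.

```python
import os
import re

# Constructed sample flows (not a real capture). The first three reuse the
# controller IPs and port from the report; the last two are benign contrast cases.
SAMPLE_FLOWS = [
    {"dst": "217.70.188.30", "dport": 5900,
     "payload": 'PASS Virus\r\nNICK VirUs-xlaixqgo\r\nUSER VirUs "" "zbo" :\r\n'},
    {"dst": "92.243.28.194", "dport": 5900,
     "payload": 'PASS Virus\r\nNICK VirUs-firqfllm\r\nUSER VirUs "" "zux" :\r\n'},
    {"dst": "95.142.168.229", "dport": 5900,
     "payload": 'PASS Virus\r\nNICK VirUs-nqcgfvif\r\nUSER VirUs "" "pcm" :\r\n'},
    # genuine VNC: the RFB protocol version banner, nothing IRC-like
    {"dst": "10.0.0.5", "dport": 5900, "payload": "RFB 003.008\n"},
    # ordinary IRC client on the standard port: expected, not flagged
    {"dst": "198.51.100.7", "dport": 6667,
     "payload": "NICK alice\r\nUSER alice 0 * :Alice\r\n"},
]

# Ports where IRC registration traffic is expected (6660-6669 plain, 6697 TLS).
IRC_PORTS = set(range(6660, 6670)) | {6697}

# IRC registration commands at the start of a line (CRLF-separated payload).
IRC_REG_RE = re.compile(r"^(PASS|NICK|USER)\s", re.MULTILINE)
NICK_RE = re.compile(r"^NICK\s+(\S+)", re.MULTILINE)


def irc_commands(payload):
    """Return the set of IRC registration commands seen in a payload."""
    return set(IRC_REG_RE.findall(payload))


def find_covert_irc(flows):
    """Flag flows that perform IRC registration (NICK + USER) on a non-IRC port.

    A bot talking IRC over a port such as 5900 blends in with VNC at the
    firewall; looking at the first payload bytes instead of the port exposes it.
    """
    hits = []
    for flow in flows:
        cmds = irc_commands(flow["payload"])
        if {"NICK", "USER"} <= cmds and flow["dport"] not in IRC_PORTS:
            match = NICK_RE.search(flow["payload"])
            hits.append({
                "dst": flow["dst"],
                "dport": flow["dport"],
                "nick": match.group(1) if match else None,
                "commands": sorted(cmds),
            })
    return hits


def nick_prefix(nicks):
    """Longest common prefix of the observed bot nicks (e.g. "VirUs-")."""
    return os.path.commonprefix([n for n in nicks if n])


if __name__ == "__main__":
    found = find_covert_irc(SAMPLE_FLOWS)
    for hit in found:
        print(f"{hit['dst']}:{hit['dport']} nick={hit['nick']} cmds={hit['commands']}")
    print("nick prefix:", nick_prefix([h["nick"] for h in found]))
```

The VNC flow is ignored because its banner contains no IRC command, and the 6667 session is ignored because IRC on an IRC port is expected; only the three port-5900 controllers are reported, and the shared "VirUs-" prefix gives a string to search for in other flows.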
Registry Modifications
* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J1-4OPM-00WE-AAX5-71EF1D187311}
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J1-4OPM-00WE-AAX5-71EF1D187311}]
+ StubPath = "c:\KEY\F-2-3-13-23878789098-7675432123-0000900091-777\x0rr0x.exe"
so that x0rr0x.exe runs every time Windows starts
* The following directories were created:
o c:\KEY
o c:\KEY\F-2-3-13-23878789098-7675432123-0000900091-777
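The persistence above uses an Active Setup "Installed Components" entry: Windows runs the StubPath of each component for a user whose profile has not yet recorded that component (or records an older Version). A defender auditing a machine can export that key and review every StubPath. The script below is an added example, not part of the sandbox report: it parses a .reg-style export (constructed here, containing the bot's entry from the report and a placeholder benign entry) and flags components whose StubPath points outside the Windows or Program Files directories, whose name is not a well-formed GUID (the report's component name contains letters that cannot appear in hex, such as K, L and P), or that carry no Version value. The placeholder GUID, the benign executable name and the helper names are assumptions of this example.

```python
import re

# Constructed registry export (not a real system dump). The second key is the
# bot's entry from the report; the first is a placeholder benign component.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\example_setup.exe /quiet"
"Version"="1,0,0,1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J1-4OPM-00WE-AAX5-71EF1D187311}]
"StubPath"="c:\\KEY\\F-2-3-13-23878789098-7675432123-0000900091-777\\x0rr0x.exe"
"""

ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Directories from which an Active Setup stub is normally expected to run.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_reg(text):
    """Parse the subset of .reg syntax used by exports: [key] lines and
    "Name"="value" string values, with backslash escapes removed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name, value = value_match.groups()
            keys[current][name] = re.sub(r"\\(.)", r"\1", value)
    return keys


def audit_active_setup(text):
    """Return suspicious Active Setup components with the reasons they were flagged."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.startswith(ACTIVE_SETUP + "\\"):
            continue
        component = key[len(ACTIVE_SETUP) + 1:]
        stub = values.get("StubPath")
        if stub is None:
            continue  # nothing runs without a StubPath
        reasons = []
        if not stub.lower().startswith(TRUSTED_DIRS):
            reasons.append("StubPath outside Windows/Program Files")
        if not GUID_RE.match(component):
            reasons.append("component name is not a well-formed GUID")
        if "Version" not in values:
            reasons.append("no Version value")
        if reasons:
            findings.append({"component": component, "stub_path": stub, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_active_setup(SAMPLE_REG_EXPORT):
        print(finding["component"], finding["stub_path"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On a live system the same function can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg`; the placeholder entry passes all three checks, while the bot's entry trips every one of them.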
File System Modifications
* The following files were created in the system:
o 1. c:\KEY\F-2-3-13-23878789098-7675432123-0000900091-777\Desktop.ini
+ File size: 62 bytes
+ MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
+ SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514
+ Alias: (not available)
o 2. c:\KEY\F-2-3-13-23878789098-7675432123-0000900091-777\x0rr0x.exe
+ File size: 188 417 bytes
+ MD5: 0xA489DFED41254903F1FE1437657161DF
+ SHA-1: 0x21083B6A84A1992F2DB9BAE23CA5D16F1B953733
+ Aliases: W32.IRCBot [Symantec], Worm.Win32.AutoRun.bpyh [Kaspersky Lab], W32/Autorun.worm.c [McAfee], Mal/VBInject-D [Sophos], Trojan:Win32/Ircbrute [Microsoft], Trojan.Win32.Ircbrute [Ikarus], Win-Trojan/Ircbrute.188417 [AhnLab]
Whois information on the hosters of the three controllers (one in the UK, two in France):
http://whois.domaintools.com/95.142.168.229 UK
http://whois.domaintools.com/92.243.28.194 FRANCE
http://whois.domaintools.com/217.70.188.30 FRANCE
It makes you laugh to see the French government pass laws against piracy while letting hosters like Gandi host large botnets, most of which have infected more than 80,000 internet users worldwide.