Remote Host       Port Number
216.178.38.224    80
216.178.39.11     80
64.208.241.41     80
66.225.241.182    2345
PASS xxx
JOIN #!gf! test
MODE NEW-[USA|00|P|39547] -ix
PONG 22 MOTD
NICK NEW-[USA|00|P|39547]
USER XP-2882 * 0 :COMPUTERNAME
* The data identified by the following URLs was then requested from the remote web server:
o http://browseusers.myspace.com/Browse/Browse.aspx
o http://www.myspace.com/browse/people
o http://www.myspace.com/help/browserunsupported
o http://x.myspacecdn.com/modules/splash/static/img/cornersSheet.png
o http://x.myspacecdn.com/images/BrowserUpgrade/bg_infobox.jpg
o http://x.myspacecdn.com/images/BrowserUpgrade/icon_information.gif
o http://x.myspacecdn.com/images/BrowserUpgrade/bg_browserSection.jpg
o http://x.myspacecdn.com/images/BrowserUpgrade/browserLogos_med.jpg
Other details
* The following port was open in the system:
Port    Protocol    Process
1055    TCP         jusched.exe (%Windir%\jusched.exe)
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = “%Windir%\jusched.exe”
so that jusched.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = “%Windir%\jusched.exe”
so that jusched.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = “%Windir%\jusched.exe”
so that jusched.exe runs every time Windows starts
* The following Registry Value was modified:
o [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
+ Start Page =
Memory Modifications
* There was a new process created in the system:
Process Name    Process Filename        Main Module Size
jusched.exe     %Windir%\jusched.exe    3,141,632 bytes
* The following system service was modified:
Service Name    Display Name         New Status    Service Filename
wuauserv        Automatic Updates    “Stopped”     %System%\svchost.exe -k netsvcs
File System Modifications
* The following file was created in the system:
#  1
Filename(s): %Windir%\jusched.exe
             [file and pathname of the sample #1]
File Size:   118,784 bytes
File Hash:   MD5: 0x6805D6BFC38195CBD24366BB39902AF4
             SHA-1: 0x0595CDCB7D0EA54EE2B132792940A74E0183CA45
Alias:       Trojan.Win32.Buzus [Ikarus]
Information about the hoster:
http://whois.domaintools.com/66.225.241.182