Three domains are used to control the bots:
j.rania-style.com (active)
j.symtec.us (not active)
j.idolmovies.com (not active)
Resolved : [j.rania-style.com] To [175.6.1.159]
Resolved : [j.rania-style.com] To [122.226.202.221]
Resolved : [j.rania-style.com] To [117.21.224.29]
Resolved : [j.rania-style.com] To [121.61.118.106]
C&C servers (the active domain on two ports):
j.rania-style.com:1888
j.rania-style.com:6971
Traffic – by DNS
14 domains found
Traffic – by TCP/IP Connections
21 outbound connections found
Traffic – by URL
77 outbound URL connections found
Channels, logins and strings are included here:
Sample for analysis: here
and here
Xandora scan: here
Hosting info:
http://whois.domaintools.com/175.6.1.159