Note: New domains are at the bottom of the post
This is the Skype “worm” that is in the news right now.
Articles:
http://www.techspot.com/news/50443-dorkbot-worm-spreading-via-skype-installs-nasty-ransomware.html
http://news.cnet.com/8301-1009_3-57528353-83/worm-spreading-on-skype-im-installs-ransomware/
http://techcrunch.com/2012/10/08/ransomware-worm-now-spreading-on-skype/
http://www.forbes.com/sites/adriankingsleyhughes/2012/10/08/ransomware-worm-spreading-via-skype/
http://countermeasures.trendmicro.eu/skype-worm-spreading-fast/
Resolved venus.timeinfo.pl to 63.223.107.62, 176.9.192.131, 213.165.71.142, 217.160.108.147, 213.165.71.153, 87.106.98.157, 74.208.112.178
Server: venus.timeinfo.pl
Port: 1863
Password: 24r34t
SSL is needed to connect; accept the invalid certificate.
Authhost: bossman
wow (keshout@bossman)
b (java@bossman)
Edit: New Authhost: team
snk__ (keshout@team)
b (java@team)
Channel: #load
* Topic for #load is: !m on !dl hxxp://hotfile.com/dl/175556325/26b0a87/owefhiojcbr.html !j #px
* Topic for #load set by test at Tue Oct 09 23:06:00 2012
The file in the topic is the Skype spreader.
Channel: #px
* Topic for #px is: !rs1 91.121.201.169 4321
* Topic for #px set by wow at Sun Oct 07 19:09:42 2012
!j -c BE,DK,FI,FR,GR,HR,HU,IE,NO,PL,RO,SK #gi
Channel: #gi
* Topic for #gi is: !dl hxxp://hotfile.com/dl/175638047/d559819/2323324.html
* Topic for #gi set by wow at Wed Oct 10 15:05:42 2012
The file is the goldinstalls installer. Info on that here. His user ID is 265.
!j -c RU,RUS #r
Channel: #r
* Topic for #r is: !dl hxxp://hotfile.com/dl/175640723/9d7e062/93fgh.html
* Topic for #r set by wow at Wed Oct 10 15:42:32 2012
The file is a click-fraud program.
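As an added example (not part of the original post), here is a small Python parser for the bot command syntax visible in the channel topics above: `!dl <url>`, `!j [-c CC,CC,...] #channel`, `!rs1 <ip> <port>` and `!m on`. Only what the topics show is modelled; the meaning of `!m` and `!rs1` beyond their arguments is not documented on this page, so they are kept as generic commands. The inputs are the topic lines quoted above, kept defanged, and the output is the set of hosts, URLs and ip:port pairs an analyst would block or hunt for.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Topic/command lines as seen in the channels above (URLs left defanged, hxxp://).
SAMPLE_TOPICS = [
    "!m on !dl hxxp://hotfile.com/dl/175556325/26b0a87/owefhiojcbr.html !j #px",
    "!rs1 91.121.201.169 4321",
    "!j -c BE,DK,FI,FR,GR,HR,HU,IE,NO,PL,RO,SK #gi",
    "!dl hxxp://hotfile.com/dl/175640723/9d7e062/93fgh.html",
    "!j -c RU,RUS #r",
]


@dataclass
class BotCommand:
    name: str                       # command word without the leading '!'
    args: List[str]                 # raw arguments as split on whitespace
    url: Optional[str] = None       # for !dl: the (defanged) download URL
    host: Optional[str] = None      # for !dl: host part of that URL
    channel: Optional[str] = None   # for !j: channel the bots are told to join
    countries: List[str] = field(default_factory=list)  # for !j -c: geo filter
    ip: Optional[str] = None        # for !rsN: target address
    port: Optional[int] = None      # for !rsN: target port


# A new command begins at whitespace followed by '!' and a letter.
CMD_SPLIT = re.compile(r"\s+(?=![A-Za-z])")
# Accept both defanged (hxxp) and plain (http) schemes; capture the host.
URL_HOST = re.compile(r"^(?:hxxps?|https?)://([^/\s]+)", re.IGNORECASE)


def parse_topic(topic: str) -> List[BotCommand]:
    """Split one topic line into the bot commands it carries."""
    commands: List[BotCommand] = []
    for chunk in CMD_SPLIT.split(topic.strip()):
        if not chunk.startswith("!"):
            continue  # free text before the first command, ignore
        tokens = chunk.split()
        name, args = tokens[0][1:].lower(), tokens[1:]
        cmd = BotCommand(name=name, args=args)
        if name == "dl" and args:
            cmd.url = args[0]
            m = URL_HOST.match(args[0])
            cmd.host = m.group(1).lower() if m else None
        elif name == "j":
            rest = list(args)
            if len(rest) >= 2 and rest[0] == "-c":
                cmd.countries = [c.strip().upper() for c in rest[1].split(",") if c.strip()]
                rest = rest[2:]
            cmd.channel = rest[0] if rest and rest[0].startswith("#") else None
        elif name.startswith("rs") and len(args) >= 2 and args[1].isdigit():
            cmd.ip, cmd.port = args[0], int(args[1])
        commands.append(cmd)
    return commands


def extract_indicators(topics: List[str]) -> dict:
    """Collect download hosts, raw URLs and ip:port pairs across many topics."""
    hosts, urls, sockets = set(), set(), set()
    for topic in topics:
        for cmd in parse_topic(topic):
            if cmd.url:
                urls.add(cmd.url)
            if cmd.host:
                hosts.add(cmd.host)
            if cmd.ip:
                sockets.add(f"{cmd.ip}:{cmd.port}")
    return {"hosts": sorted(hosts), "urls": sorted(urls), "sockets": sorted(sockets)}


if __name__ == "__main__":
    for topic in SAMPLE_TOPICS:
        for cmd in parse_topic(topic):
            print(cmd)
    print(extract_indicators(SAMPLE_TOPICS))
```

The `-c` country list on `!j` is worth keeping as structured data: it shows which victim geographies each payload (pay-per-install in `#gi`, click fraud in `#r`) is being steered to, which is useful when deciding how relevant a given download URL is to your own network.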
Other domains:
photobeat.su
mars.dothome.pl
Samples here
Many different IPs (address, country, city, hosting provider):
63.223.107.62 United States Longwood Sentris Network Llc
176.9.192.131 Germany Nuremberg Hetzner Online Ag
213.165.71.142 Germany Karlsruhe 1&1 Internet Ag
217.160.108.147 Germany Karlsruhe 1&1 Internet Ag
213.165.71.153 Germany Karlsruhe 1&1 Internet Ag
87.106.98.157 France 1&1 Internet Ag
74.208.112.178 United States Waynesburg 1&1 Internet Inc.
Sample obtained from bartblaze via kernelmode.info
EDIT: New domains for the latest bot
earth.pipro.net
uranus.kei.su
saturn.losa.pl
All other info remains the same
A recent spreading URL only got to 2000 clicks before the file was removed. I guess I’m not the only one in the channel.
EDIT2:
big heckers
<test> !logins Steam
<test> !logins Runescape
<test> !logins Youtube
EDIT3:
New domains again
stargate.parad.su
star.helli.pl
mercury.yori.pl
EDIT4:
Bitcoins ahoy
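As an added example (not part of the original post), the following Python script turns the indicators collected across the post and its edits (all C2 domains, the resolved IPs, the `!rs1` target and the port 1863 C2 channel) into a simple detection pass over DNS and connection logs. The log lines and the `key=value` layout are constructed for the example; adapt `parse_line` to your own log format. Connections to a listed IP on port 1863 are rated high, but a listed IP on another port is only rated medium, because several of the addresses sit on shared hosting (1&1, Hetzner) where unrelated sites can share the address.

```python
import re
from typing import Dict, List

# Indicators taken from the post above: C2 domains across all edits, resolved
# addresses, the !rs1 target, and the C2 port (1863, the MSN Messenger port).
C2_DOMAINS = {
    "venus.timeinfo.pl", "photobeat.su", "mars.dothome.pl",
    "earth.pipro.net", "uranus.kei.su", "saturn.losa.pl",
    "stargate.parad.su", "star.helli.pl", "mercury.yori.pl",
}
C2_IPS = {
    "63.223.107.62", "176.9.192.131", "213.165.71.142", "217.160.108.147",
    "213.165.71.153", "87.106.98.157", "74.208.112.178", "91.121.201.169",
}
C2_PORT = 1863

# Constructed sample log (not from the post). Benign entries use documentation
# addresses and example.com so the script can be run offline.
SAMPLE_LOG = """\
2012-10-10T15:05:42Z dns client=10.0.0.5 query=mercury.yori.pl type=A
2012-10-10T15:05:43Z dns client=10.0.0.5 query=www.example.com type=A
2012-10-10T15:06:01Z conn src=10.0.0.5 dst=176.9.192.131 dport=1863 proto=tcp
2012-10-10T15:06:05Z conn src=10.0.0.7 dst=198.51.100.10 dport=443 proto=tcp
2012-10-10T15:07:12Z dns client=10.0.0.9 query=cdn.star.helli.pl type=A
2012-10-10T15:07:30Z conn src=10.0.0.9 dst=213.165.71.153 dport=80 proto=tcp
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """'<ts> <kind> k=v k=v ...' -> dict; returns {} for lines it cannot read."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return {}
    rec = {"ts": parts[0], "kind": parts[1]}
    rec.update(KV.findall(parts[2]))
    return rec


def domain_matches(name: str) -> bool:
    """Exact match or any subdomain of a listed C2 domain."""
    name = name.lower().rstrip(".")
    return name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS)


def scan(log: str) -> List[Dict[str, str]]:
    """Return one hit per log line that touches a listed indicator."""
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["kind"] == "dns" and domain_matches(rec.get("query", "")):
            hits.append({"ts": rec["ts"], "host": rec.get("client", "?"),
                         "severity": "high",
                         "reason": f"DNS lookup of C2 domain {rec['query']}"})
        elif rec["kind"] == "conn" and rec.get("dst") in C2_IPS:
            dport = rec.get("dport", "")
            # Port 1863 to a listed address is the C2 pattern itself; other
            # ports on shared hosting addresses need a second indicator.
            severity = "high" if dport == str(C2_PORT) else "medium"
            hits.append({"ts": rec["ts"], "host": rec.get("src", "?"),
                         "severity": severity,
                         "reason": f"connection to listed address {rec['dst']}:{dport}"})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['severity']:6} {hit['host']:10} {hit['reason']}")
```

Because the post shows the operator rotating domains every few days while the IPs and the port stay the same, the address and port checks are the part of this list that stays useful longest; the domain set needs refreshing each time a new edit appears.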
Anonymous - November 26, 2012 at 3:43 am
Did he update his domains again? …been trying to track this guy down. …have a lot of info so far…but a lot of his IPs dropped off.
any help much appreciated.
I_Post_Ur_Info - November 26, 2012 at 5:40 pm
I'm still able to connect through mercury.yori.pl.