i.greenleafyplants.info (Athena irc botnet hosted by Germany Frankfurt Am Main Voxility S.r.l.)

Resolved i.greenleafyplants.info to 37.221.170.211

Server: i.greenleafyplants.info
Port: 15001
Server password: 69
Channel: #A
Channel password: t
Nick format: _[USA|U|L|WIN7|x64|4c]alcaiwfs
Oper: _
[_] (u@v.Host): …
[_] @#A
[_] irc.server.net :IRC server
[_] is a Bot on IRC server
[_] idle 01:22:14, signon: Sun Dec 02 05:45:11
[_] End of WHOIS list.
His debug bot:
n[USA|U|D|WIN7|x64|4c]xqftcbqi (debug@173.254.195.173) has joined #A

This is the test channel of _Stoner, creator of the Athena irc bot. You may remember it for the parsing error that allowed anyone who knew what the authost was to steal bots.

This is the latest version with such advanced features as installing in multiple directories with multiple registry keys. Having different names for everything is still a little too advanced for it though.

Cramming the registry full of startup entries

His previous testing channel
Server: trout.privategaming.info
Port: 6667
Channel: #channel3
Channel password: channelkey

Some of that info seems familiar

And he claims he never stole bots

Here is the sample

Hosting infos: http://whois.domaintools.com/37.221.170.211

aba.net.ua (Athena http botnet hosted by thehost.com.ua)

burrito.wut.re (Athena irc botnet hosted by ovh.net)

fewet.com (Athena http botnet hosted by wrzhost.com)