Resolved w4hw5wg3488h.net to 62.255.175.157
snk is back, using an old domain and buying bots from Heckforums skids.
Server: w4hw5wg3488h.net
Port: 5050
Channel: #$
* Topic for #$ is: ,
* Topic for #$ set by x at Sat Dec 22 16:42:47 2012
Channel: #lol
* Topic for #lol is: .d /100/97/111/124/49/59/47/105/111/111/102/66/103/119/105/115/118/101/109/120/103/126/56/111/112/38/112/78/51/100/111/62/70/112/98/
* Topic for #lol set by x at Sat Dec 22 05:46:16 2012
Channel: #l
* Topic for #l is: .d /100/97/111/124/49/59/47/105/111/111/102/66/103/119/105/115/118/101/109/120/103/126/56/111/112/38/112/78/51/100/111/62/70/112/98/
* Topic for #l set by x at Sat Dec 22 05:46:29 2012
Files downloaded:
Channels #l and #lol
hxxp://62.255.175.157/hu.exe (connects to channel #$)
Other files
hxxp://adgraphicdesign.co.uk/k.exe (Joins irc.trolled.tv:6667 #security Nick: {PIG-BOT-v5}gkhlegr You upset about something snk?)
hxxp://adgraphicdesign.co.uk/g.exe downloads hxxp://adgraphicdesign.co.uk/st.exe
hxxp://adgraphicdesign.co.uk/st.exe (connects to channel #$)
hxxp://adgraphicdesign.co.uk/lol.exe
hxxp://adgraphicdesign.co.uk/1.txt to 327.txt (email lists used for spamming)
hxxp://adgraphicdesign.co.uk/images.php drops IMG0540250-JPG.scr, most likely used for spreading (IMG0540250-JPG.scr downloads hu.exe)
Hosting info: http://whois.domaintools.com/62.255.175.157
Anonymous - December 23, 2012 at 3:14 am
You might wanna check out all the malware/bins on sharesend dot info.
Anonymous - December 23, 2012 at 4:18 am
I'm telling you. This user is p@rdon from HF.
Anonymous - December 23, 2012 at 5:07 am
http://sharesend.info/
mysticals big hecker site
Mike Radcliff I mean
Anonymous - December 23, 2012 at 9:33 pm
Can you post all files you have?
I would like to study this further.
I_Post_Ur_Info - December 23, 2012 at 10:44 pm
The site was down when I checked it. Feel free to send files by linking a zip.