210.170.62.115 (botnet command-and-control server hosted in Japan by Rcp Co Ltd, with a second server in Chicago, United States, hosted by Hostforweb Inc)

The bot has the capability to manipulate the user list control of instant messenger (IM) programs such as AOL Instant Messenger, Yahoo! Messenger and Skype. An affected user's contact list could be used by an IM worm to replicate across the IM network.

210.170.62.115:2345 pass xxx
Nick: NEW-[AUT|00|P|85861]
Username: XP-1777
Server Pass: xxx
Joined Channel: #!gf! with Password test
Channel Topic for Channel #!gf!: “.m.s|.m.e is this you ? http://facezone.net/profile.php?=”
Private Message to User NEW-[AUT|00|P|85861]: “.s.p http://domredi.com/1/”

Remote Host Port Number
66.225.241.182 2345 pass xxx

USER XP-4207 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|22588] -ix
JOIN #!gf! test
PONG 22 MOTD
NICK NEW-[USA|00|P|22588]

* The data identified by the following URLs was then requested from the remote web server:

Other details

* The following port was open in the system:

Port Protocol Process
1057 TCP jusched.exe (%Windir%\jusched.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java developer Script Browse = "%Windir%\jusched.exe"

so that jusched.exe runs every time Windows starts

* The following Registry Value was modified:
o [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
+ Start Page =

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
jusched.exe %Windir%\jusched.exe 3 141 632 bytes

* The following system service was modified:

Service Name Display Name New Status Service Filename
wuauserv Automatic Updates "Stopped" %System%\svchost.exe -k netsvcs

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%\jusched.exe 107 520 bytes MD5: 0x92CC5129690007C6ADE80F4A12CC26C7; SHA-1: 0x134721C8259C1DFDD8D67F77820C29A437311B2A Trojan.Win32.Buzus [Ikarus]

More information about the hosting providers:
http://whois.domaintools.com/210.170.62.115 or visit rcp.jp
http://whois.domaintools.com/66.225.241.182 or visit hostforweb.com
