First domain:
Resolved : [ms.mobilerequests.com] To [208.53.131.47]
Resolved : [ms.mobilerequests.com] To [212.117.163.35]
Resolved : [ms.mobilerequests.com] To [89.149.223.140]
Resolved : [ms.mobilerequests.com] To [208.53.131.135]
Resolved : [ms.mobilerequests.com] To [188.72.230.153]
Resolved : [ms.mobilerequests.com] To [208.53.131.50]
Resolved : [ms.mobilerequests.com] To [89.149.223.136]
Resolved : [ms.mobilerequests.com] To [212.95.32.187]
Resolved : [ms.mobilerequests.com] To [188.72.230.154]
Resolved : [ms.mobilerequests.com] To [188.72.230.89]
Second domain:
Resolved : [ff.fjpark.com] To [76.73.124.10]
Resolved : [ff.fjpark.com] To [174.139.13.58]
Resolved : [ff.fjpark.com] To [212.95.32.187]
Resolved : [ff.fjpark.com] To [98.126.180.250]
DNS Lookup
Host Name IP Address
ms.mobilerequests.com 212.95.32.187
dell-d3e62f7e26 10.1.10.2
208.53.183.109 208.53.183.109
ff.fjpark.com 76.73.124.10
208.53.183.222 208.53.183.222
208.53.183.252 208.53.183.252
208.53.183.219 208.53.183.219
UDP Connections
Remote IP Address: 212.95.32.187 Port: 1863
Send Datagram: packet(s) of size 7
Send Datagram: 4 packet(s) of size 3
Send Datagram: packet(s) of size 61
Send Datagram: packet(s) of size 1
Recv Datagram: 5078 packet(s) of size 0
Recv Datagram: 3 packet(s) of size 8
Recv Datagram: packet(s) of size 3
Recv Datagram: packet(s) of size 37
Remote IP Address: 76.73.124.10 Port: 9955
Send Datagram: packet(s) of size 21
Send Datagram: 5 packet(s) of size 10
Send Datagram: packet(s) of size 20
Send Datagram: 3 packet(s) of size 2
Send Datagram: 2 packet(s) of size 1
Recv Datagram: 8081 packet(s) of size 0
Recv Datagram: packet(s) of size 21
Recv Datagram: packet(s) of size 10
Recv Datagram: packet(s) of size 537
Recv Datagram: packet(s) of size 81
Recv Datagram: packet(s) of size 80
Recv Datagram: packet(s) of size 82
Download URLs
http://208.53.183.109/95dshb._ (208.53.183.109)
http://208.53.183.222/schewj._ (208.53.183.222)
http://208.53.183.252/isjwb._ (208.53.183.252)
http://208.53.183.219/serv6.exe (208.53.183.219)
Outgoing connection to remote server: 208.53.183.109 TCP port 80
Outgoing connection to remote server: 208.53.183.222 TCP port 80
Outgoing connection to remote server: 208.53.183.252 TCP port 80
Outgoing connection to remote server: 208.53.183.219 TCP port 80
DNS Lookup
Host Name IP Address
serv6.alwaysproxy8.info 77.37.100.22
UDP Connections
Opened listening TCP connection on port: 10548
DNS Lookup
Host Name IP Address
dell-d3e62f7e26 10.1.10.2
ms4all.twoplayers.net 204.45.85.218
www.nippon.to
www.nippon.to 112.78.112.208
www.cooleasy.com
www.cooleasy.com 218.85.133.201
obsoletegod.com
Download URLs
http://112.78.112.208/cgi-bin/prxjdg.cgi (www.nippon.to)
http://218.85.133.201/cgi-bin/prxjdg.cgi (www.cooleasy.com)
http://218.85.133.201/cgi-bin/prxjdg.cgi (www.cooleasy.com)
http://218.85.133.201/cgi-bin/prxjdg.cgi (www.cooleasy.com)
http://112.78.112.208/cgi-bin/prxjdg.cgi (www.nippon.to)
http://112.78.112.208/cgi-bin/prxjdg.cgi (www.nippon.to)
Outgoing connection to remote server: ms4all.twoplayers.net port 47221
Outgoing connection to remote server: www.nippon.to TCP port 80
Outgoing connection to remote server: www.cooleasy.com TCP port 80
Outgoing connection to remote server: www.nippon.to TCP port 80
Outgoing connection to remote server: www.nippon.to TCP port 80
Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Taskman” = C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\syscr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Taskman” = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = explorer.exe,C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
HKEY_CURRENT_USER\SessionInformation “ProgramCount” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “MSODESNV7” = C:\WINDOWS\system32\msvmiode.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Advanced DLTHL Enable” = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\209.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Microsoft Driver Setup” = C:\WINDOWS\cfdrive32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run “Microsoft Driver Setup” = C:\WINDOWS\cfdrive32.exe
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Taskman”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile “EnableFirewall”
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “10”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “TokenSize”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “TokenSize”
File Changes by all processes
New Files C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\Desktop.ini
C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\syscr.exe
C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\syscr.exe
C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\Desktop.ini
\\.\pipe\a4xht6x
\Device\RasAcd
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\512.exe
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
\\.\pipe\yjuzglvzgwzcwp
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\6141.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\770196.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\209.exe
C:\WINDOWS\system32\msvmiode.exe
\Device\RasAcd
\Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\cfdrive32.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
%windir%/logfile32.log
Opened Files \\.\PIPE\lsarpc
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\512.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp
\\.\PIPE\wkssvc
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\6141.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp
\\.\PIPE\lsarpc
\\.\Ip
C:\WINDOWS\Registration\R000000000007.clb
\\.\PIPE\lsarpc
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS
\\.\Ip
%windir%/logfile32.log
\\.\PIPE\ROUTER
\\.\PIPE\lsarpc
c:\autoexec.bat
C:\WINDOWS\system32\msvmiode.exe
Deleted Files C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
Chronological Order Set File Attributes: C:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create File: C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\Desktop.ini
Copy File: c:\cb6ec94b76c5d80f3dbe5140ea36d312 to C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\syscr.exe
Set File Attributes: C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\syscr.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create/Open File: C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\syscr.exe (OPEN_ALWAYS)
Create/Open File: C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\Desktop.ini (OPEN_ALWAYS)
Create NamedPipe: \\.\pipe\a4xht6x
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\512.exe
Get File Attributes: c:\cwsandbox\cwsandbox.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\512.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\512.exe
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\512.exe to C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ltzqai.exe (OPEN_EXISTING)
Create NamedPipe: \\.\pipe\yjuzglvzgwzcwp
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\6141.exe
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\770196.exe
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\209.exe
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\209.exe
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\6141.exe
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\770196.exe
Get File Attributes: C:\WINDOWS\system32\winlogon.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\512.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\209.exe
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\6141.exe (OPEN_EXISTING)
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\6141.exe to C:\WINDOWS\system32\msvmiode.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\msvmiode.exe
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\770196.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\cfdrive32.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\770196.exe to C:\WINDOWS\cfdrive32.exe
Set File Attributes: C:\WINDOWS\cfdrive32.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS ()
Find File: C:\WINDOWS\cfdrive32.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: %windir%/logfile32.log (OPEN_EXISTING)
Create File: %windir%/logfile32.log
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Open File: C:\WINDOWS\system32\msvmiode.exe (OPEN_EXISTING)
update:
mydrivers.babypin.net ip: 109.196.130.50
mydrivers.babypin.net ip: 204.45.85.210
mydrivers.babypin.net ip: 109.196.130.66
port: 6682
channel: same as the one posted already in this thread
The funny thing about this thread is that I reported this botnet, which is one of the biggest around, to the hosting company, which is www.fdcservers.net, located in Chicago, US.
Maybe the city of Chicago is offshore now lol
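Added example (mine, not part of the original post or of the sandbox output): a small Python IOC extractor for the line shapes in the CWSandbox-style report above (Resolved / Remote IP Address / download URL / Outgoing connection / listening port / registry value / Copy File) plus the "domain ip: address" shape from the update. It produces a blocklist, the autostart registry entries, and a fast-flux check on the DNS resolutions. The sample text is a constructed excerpt of lines from this thread with the stripped backslashes restored; the persistence key markers and the fast-flux threshold of three distinct addresses are my assumptions, not something the report states.

```python
"""IOC extractor for CWSandbox-style behaviour reports (added example).

The regexes match the line shapes quoted on this page. SAMPLE_REPORT is a
constructed excerpt of those lines, so the script runs offline.
"""
import re
from collections import defaultdict

# Constructed excerpt of the report above (backslashes restored).
SAMPLE_REPORT = r"""
Resolved : [ms.mobilerequests.com] To [208.53.131.47]
Resolved : [ms.mobilerequests.com] To [212.117.163.35]
Resolved : [ms.mobilerequests.com] To [89.149.223.140]
Resolved : [ff.fjpark.com] To [76.73.124.10]
Resolved : [ff.fjpark.com] To [212.95.32.187]
Remote IP Address: 212.95.32.187 Port: 1863
Remote IP Address: 76.73.124.10 Port: 9955
http://208.53.183.219/serv6.exe (208.53.183.219)
http://112.78.112.208/cgi-bin/prxjdg.cgi (www.nippon.to)
Outgoing connection to remote server: 208.53.183.109 TCP port 80
Outgoing connection to remote server: ms4all.twoplayers.net port 47221
Opened listening TCP connection on port: 10548
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\RECYCLER\S-1-5-21-5665984804-9947995352-181469919-7762\syscr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MSODESNV7" = C:\WINDOWS\system32\msvmiode.exe
HKEY_CURRENT_USER\SessionInformation "ProgramCount" = [REG_DWORD, value: 00000001]
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\770196.exe to C:\WINDOWS\cfdrive32.exe
mydrivers.babypin.net ip: 109.196.130.50
"""

RE_RESOLVED = re.compile(r"Resolved : \[([^\]\s]+)\]? To \[([\d.]+)\]")
RE_UPDATE = re.compile(r"^([\w.-]+) ip: ([\d.]+)$")          # shape used in the update
RE_UDP = re.compile(r"Remote IP Address: ([\d.]+) Port: (\d+)")
RE_URL = re.compile(r"(https?://\S+) \(([^)]+)\)")
RE_OUT = re.compile(r"Outgoing connection to remote server: (\S+) (?:TCP )?port (\d+)")
RE_LISTEN = re.compile(r"Opened listening TCP connection on port: (\d+)")
# Key, value name (straight or curly quotes), data.
RE_REG = re.compile(r'^(HKEY_[A-Z_]+\\.+?)\s+[“"]([^”"]+)[”"] = (.+)$')
RE_COPY = re.compile(r"^Copy File: (.+?) to (.+)$")

# Assumption: registry locations that launch a program at logon. This covers
# the keys written in the report, not every Windows autostart location.
PERSISTENCE_MARKERS = (r"\CurrentVersion\Run", r"\Winlogon")


def _kind(host):
    """Classify a host string as a dotted-quad IP or a domain name."""
    return "ip" if host.replace(".", "").isdigit() else "domain"


def parse_report(text):
    """Walk the report line by line and collect indicators by type."""
    iocs = {
        "resolutions": defaultdict(set),  # domain -> set of IPs
        "udp_endpoints": set(),           # (ip, port)
        "download_urls": set(),           # (url, host)
        "tcp_endpoints": set(),           # (host_or_ip, port)
        "listening_ports": set(),         # ints (backdoor / proxy listeners)
        "persistence": [],                # (key, value_name, data), in report order
        "dropped_files": set(),           # destinations of Copy File
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_RESOLVED.search(line):
            iocs["resolutions"][m.group(1)].add(m.group(2))
        elif m := RE_UPDATE.match(line):
            iocs["resolutions"][m.group(1)].add(m.group(2))
        elif m := RE_UDP.search(line):
            iocs["udp_endpoints"].add((m.group(1), int(m.group(2))))
        elif m := RE_URL.search(line):
            iocs["download_urls"].add((m.group(1), m.group(2)))
        elif m := RE_OUT.search(line):
            iocs["tcp_endpoints"].add((m.group(1), int(m.group(2))))
        elif m := RE_LISTEN.search(line):
            iocs["listening_ports"].add(int(m.group(1)))
        elif m := RE_REG.match(line):
            key, name, data = m.groups()
            if any(marker.lower() in key.lower() for marker in PERSISTENCE_MARKERS):
                iocs["persistence"].append((key, name, data))
        elif m := RE_COPY.match(line):
            iocs["dropped_files"].add(m.group(2))
    return iocs


def fast_flux_candidates(iocs, min_ips=3):
    """Domains that resolved to at least min_ips distinct addresses in one run.
    The threshold is an assumption; ms.mobilerequests.com above hit ten."""
    return sorted(d for d, ips in iocs["resolutions"].items() if len(ips) >= min_ips)


def blocklist(iocs):
    """Flatten the network-facing indicators into sorted (type, value) pairs
    suitable for a DNS sinkhole or firewall rule set."""
    items = set()
    for domain, ips in iocs["resolutions"].items():
        items.add(("domain", domain))
        items.update(("ip", ip) for ip in ips)
    items.update(("ip", ip) for ip, _ in iocs["udp_endpoints"])
    for url, host in iocs["download_urls"]:
        items.add(("url", url))
        items.add((_kind(host), host))
    items.update((_kind(host), host) for host, _ in iocs["tcp_endpoints"])
    return sorted(items)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("fast-flux candidates:", fast_flux_candidates(report))
    print("listening ports:", sorted(report["listening_ports"]))
    for key, name, data in report["persistence"]:
        print(f"persistence: {key} [{name}] -> {data}")
    for path in sorted(report["dropped_files"]):
        print("dropped:", path)
    for kind, value in blocklist(report):
        print(f"{kind}\t{value}")
```

Feed it the full report text instead of SAMPLE_REPORT to get the complete set; the persistence list is what you would check on a suspect host (Winlogon Taskman and Shell, the Run and policies\Explorer\Run keys), and the listening port plus the many-IP resolutions are the two things worth alerting on at the network edge.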