122.224.6.164 zeus.sunke.info
ilo.brenz.pl 
 Resolved : [ilo.brenz.pl] To [94.63.149.150]
 HTTP Queries
 HTTP Query Text
 – x82x96xa2xe3xdaxd1xc7
Remote Host Port Number
USER wtwywf wtwywf wtwywf :pephacexcxsvvxhv
 NICK AVwiDUnR
 NICK cpwiecqr
 USER y020501 . . :-
 PONG :j.
 JOIN &virtu
* The data identified by the following URLs was then requested from the remote web server:
exe file used to spread from these lamers:
 http://www.multiupload.com/53VSJUHD5M
 http://78cc9867.ultrafiles.net
Virus Total Scan:
 http://www.virustotal.com/file-scan/report.html?id=1ced3d60b5eebd8ca5a7b793a926af5c091b50cc20f4fd5bbde5313096874914-1321299285