Author: Pig

173.1.102.35

Remote Host      Port Number
173.1.102.35     81

NICK n[USA|XP|COMPUTERNAME]stnlxlc
USER n “” “lol” :n
JOIN #biz#
PONG 422
JOIN #USA# (null)

Registry Modifications
* The newly created Registry Value is:
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + WindowsDriverControl = “%AppData%\C-76947-8457-2745\winmsngrn.exe”
    so that winmsngrn.exe runs every time Windows starts

File System Modifications
* The following files were created in the system:

91.211.117.33

Remote Host      Port Number
91.211.117.33    6667

NICK {XPUSA933915}
JOIN ##spam##
PONG irc.priv8net.com
USER COMPUTERNAME * 0 :COMPUTERNAME
MODE {XPUSA933915} -ix

Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Services = “service.exe”
    so that service.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update = “%Temp%\service.exe”
    so that service.exe runs

updateserver.net

Remote Host      Port Number
66.187.108.125   81

NICK n[USA|XP|COMPUTERNAME]vdpunpf
USER n “” “lol” :n
JOIN #biz#
PONG 422
JOIN #USA# (null)

Registry Modifications
* The newly created Registry Value is:
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + WindowsDriverControl = “%AppData%\C-76947-8457-2745\winmsngrn.exe”
    so that winmsngrn.exe runs every time Windows starts

File System Modifications
* The following files were created in the system:

205.234.236.19(Parabolas big net)

Remote Host      Port Number
184.73.209.168   80
204.0.5.41       80
204.0.5.48       80
204.0.5.49       80
204.0.5.51       80
204.0.5.57       80
204.0.5.58       80
204.0.5.59       80
216.178.38.103   80
216.178.38.168   80
205.234.236.19   1234

PASS xxx
NICK NEW-[USA|00|P|36443]
USER XP-9032 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|36443] -ix
JOIN #!nn! test
PONG 22 MOTD

* The data identified by the following URLs was then requested

SmartEye malware

Remote Host      Port Number
184.154.74.130   20
184.154.74.130   21
64.208.241.65    80

* The data identified by the following URLs was then requested from the remote web server:
  o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/DataScript.js
  o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/CodeScript.js
  o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/UIScript.js
  o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/ResourceScript.js
  o http://update.adobe.com/pub/adobe/acrobat/js/6.x/rdr/win/enu/MasterScript.js

USER uploader@demo.ymlook.com passwd !234567*

Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
  o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

webpro569.redirectme.net

DNS Lookup
Host Name                  IP Address
webpro569.redirectme.net   46.4.245.19

C&C Server: 46.4.245.19:6667
Server Password:
Username: 0127
Nickname: {N}|DEU|XP|DELL-D3E62F7E26|970986
Channel: #webpro (Password: SRR569)
Channeltopic: :oppp pecie of candy

Registry Changes by all processes
Create or Open
Changes
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Windows Update Sched” = c:BotCrypted.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Windows Update Sched” = c:BotCrypted.exe
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “Windows Update Sched” = c:BotCrypted.exe
Reads
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework

174.139.92.250(Link Bot)

Remote Host      Port Number
174.139.92.250   4466,6764

USER waahud waahud waahud :cuipesjdhissjgkx
NICK d[jLyAxEK]b
MODE d[jLyAxEK]b +xi
JOIN #balengor
USERHOST d[jLyAxEK]b
MODE #balengor +smntu
PONG :binidic.net

Now talking in #balengor
Topic On: [ #balengor ] [ * exe 91.203.146.65 9933 ][ * ipscan s.s.s netapi -s ]
Topic By: [ aessg ]

Other details
* The

niktonidumal.biz

niktonidumal.biz 91.215.157.104

C&C Server: 91.215.157.104:81
Server Password:
Username: 4390
Nickname: sdbahqa|INF|18|45|4|187|
Channel: #iusb# (Password: )
Channel: #biz#
Channeltopic: :, !/98/115/36/73/121/96/119/48/55/34/122/125/119/50/113/98/117/109/126/122/102/124/37/71/89/121/109/120/110/100/55/105/111/110/46/79/47/102/113/71/ .s /99/106/112/81/55/59/40/125/111/122/35/108/97/127/114/97/121/103/119/59/104/109/106/84/65/124/108/52/105/120/116/37/112/113/110/70/104/111/39/82/114/112/60/111/104/40/50/59/39/63/37/32/18/17/45/113/121/67/118/110/41/80/70/71/40/57/39/18/44/55/22/50/54/56/58/46/86/119/71/ .j ,

Registry Changes by all processes
Create or Open
Changes
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “MicrosoftUpdateServices” = Dokumente und Einstellungen\Administrator\winusbsmgr.exe
Reads
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “DoReport”
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “ShowUI”
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “AllOrNone”
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “IncludeMicrosoftApps”
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “IncludeWindowsApps”
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting “DoTextLog”

124.217.229.162(Parabola botnet)

DNS Lookup: Host Name, IP Address

178.18.113.122

Remote Host      Port Number
178.18.113.122   6667

Other details
* The following port was open in the system:
  Port   Protocol   Process
  1051   TCP        [file and pathname of the sample #1]

Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAECD99A-AAA4-CD63-DDDF-5CF8BAD8D2F2
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
  o HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{AAECD99A-AAA4-CD63-DDDF-5CF8BAD8D2F2
* The newly created Registry