Author: Pig

213.239.201.80 (ruski bots)

Uncategorized

Remote Host       Port Number
213.239.201.80    8000
213.239.201.80    80

* The data identified by the following URL was then requested from the remote web server:
  o http://nero872.cn/a/

Registry Modifications

* The following Registry Keys were created:
  o HKEY_CURRENT_USER\Software\Minisoft
  o HKEY_CURRENT_USER\Software\Videohost
  o HKEY_CURRENT_USER\Software\XML
* The following Registry Keys were deleted:
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Base
  o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus...

Buchananas21.Coupe.Mx [risk]

Uncategorized

Remote Host       Port Number
66.90.110.138     7070

MODE [CPF|USA|00|P|20484] -ix
JOIN #FUD f1f4fud
PRIVMSG #FUD :[IM]: Thread Activated: Sending Message.
PONG Buchananas21.Coupe.Mx
NICK [CPF|USA|00|P|20484]
USER XP-9366 * 0 :COMPUTERNAME
PASS couperlz

Other details

* The following port was open in the system:
  Port    Protocol    Process
  1053    TCP         baeksyesrn.exe (%Windir%\baeksyesrn.exe)

Registry Modifications

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Sec...

olivares2006.noip.es

Uncategorized

85.214.114.224:6668
Nick: AUT[XP]1627252
Username: phuznpv
Joined Channel: ##tomillar
Channel Topic for Channel ##tomillar: ".asc vnc 75 0 0 -r -b "
Private Message to Channel ##tomillar: "[REALMBOT] Random Exploitation started on 192.168.x.x:5900 waiting 5 seconds for 0 minutes using 75 threads."

java1.webhop.net

Uncategorized

java1.webhop.net 89.148.0.52
java2.webhop.net

Outgoing connection to remote server: java1.webhop.net TCP port 443
Outgoing connection to remote server: java1.webhop.net TCP port 443

Registry Changes by all processes

Create or Open Changes
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{54AF1E87-2769-558F-34E9-EC1E2A442DD1} "StubPath" = C:\WINDOWS\system32\widll.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "widll" = C:\WINDOWS\system32\widll.exe

Reads
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup "AdvpackLogFile"
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{54AF1E87-2769-558F-34E9-EC1E2A442DD1} "StubPath"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "widll"

File Changes by all processes

New Files
  C:\WINDOWS\system32\widll.exe
  \Device\RasAcd

Opened Files
  C:\rxvterm
  c:\PIUD.EXE
  C:\WINDOWS\system32\widll.exe

Deleted...

shoock.dyndns.ws

Uncategorized

189.19.68.201:6667
Nick: AUT|m0d4|732363
Username: zqtihakz
Server Pass: anal
Joined Channel: ##AnaL## with Password a

irc.lulz.ee

Uncategorized

Remote Host       Port Number
64.89.27.36       51987

NICK pLagUe{USA}72995
MODE pLagUe{USA}72995 -ix
JOIN #trees
PONG irc.lulz.ee
USER SkuZ * okTeaM UniX b0at 0.4
PRIVMSG #trees :New PC Infected.

Other details

* The following port was open in the system:
  Port    Protocol    Process
  1052    TCP         raidhost.exe (%Windir%\raidhost.exe)

Registry Modifications

* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + raidhost = "raidhost.exe" so that...

irc.ourdomain.bleh

Uncategorized

69.147.233.136:6667
NICK n-611470
USER vupyrjg 0 0 :n-611470
USERHOST n-611470
MODE n-611470 -x+B
JOIN #AlexBot
NOTICE n-611470 :.VERSION mIRC v6.12 Khaled Mardam-Bey.
PRIVMSG #AlexBot :[MAIN]: Status: Ready. Bot Uptime: 0d 0h 0m.
PRIVMSG #AlexBot :[MAIN]: Bot ID: AlexBot.
PRIVMSG #AlexBot :[Scn]: Exploit Statistics: NetBios: 0, NTPass: 0, Dcom135: 0, Dcom1025: 0, Dcom2: 0, MSSQL: 0, lsass: 0, Total: 0 in 0d 0h 0m.
PRIVMSG...

irc.joblow666.com

Uncategorized

Remote Host       Port Number
82.146.49.155     6667

PING :ircirc.servebeer.com
JOIN ##[ENG]
PONG :You have not registered
JOIN #secret video
NICK [ENG][COMPUTERNAME]23717
PASS video

File System Modifications

* The following file was created in the system:
  #    Filename(s)                                                          File Size       File Hash
  1    %AppData%\taskmgrtaskmgr.exe [file and pathname of the sample #1]    83 456 bytes    MD5: 0x39D08E3693F4C5AA84B90981348AC4B8
                                                                                            SHA-1: 0x7A256A381FB118A43F2C9B4F068D1099A449BE3E
* Note:
  o %AppData% is a variable...

64.120.11.167 (ogard's 23k botnet)

Uncategorized

Remote Host       Port Number
193.242.108.49    80
66.45.237.212     80
64.120.11.167     5900

File System Modifications

* The following files were created in the system:
  #    Filename(s)                                                   File Size       File Hash
  1    %UserProfile%\update.exe                                      57 387 bytes    MD5: 0xD037B4F37AF523C6F7CFB0BA122296A2
                                                                                     SHA-1: 0x23CD0E21CF3C0693E2F4ECA7A2DB3B04E43D351E
  2    c:\GardiTuxatbov.exe [file and pathname of the sample #1]     69 632 bytes    MD5: 0x99CA8EFB12FB35FA09D10C595EB37DC8
                                                                                     SHA-1: 0xA97BE1EBB176D74C6191D17774E1888330CE86FD
  3    c:\GardiTuxatDesKTop.ini                                      62 bytes        MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
                                                                                     SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514
* Note:
  o %UserProfile%...

sk1.no-ip.info

Uncategorized

* Requested Host: sk1.no-ip.info
* Resulting Address: 217.147.29.246
* Unknown Connections
  o Host By Name:
    + Requested Host: michael-f156cf7
    + Resulting Address: 192.168.1.117
    + Requested Host: sk1.no-ip.info
    + Resulting Address: 217.147.29.246
    + Requested Host: www.whatismyip.com
    + Error Code: WSAHOST_NOT_FOUND
    + Requested Host: www.whatismyip.com
    + Resulting Address: 72.233.89.198
    + Requested Host: checkip.dyndns.org
    + Error Code: WSAHOST_NOT_FOUND
    + ...