niktonidumal.biz

niktonidumal.biz 91.215.157.104

C&C Server: 91.215.157.104:81
Server Password:
Username: 4390
Nickname: sdbahqa|INF|18|45|4|187|
Channel: #iusb# (Password: )
Channel: #biz#
Channeltopic: :, !/98/115/36/73/121/96/119/48/55/34/122/125/119/50/113/98/117/109/126/122/102/124/37/71/89/121/109/120/110/100/55/105/111/110/46/79/47/102/113/71/ .s /99/106/112/81/55/59/40/125/111/122/35/108/97/127/114/97/121/103/119/59/104/109/106/84/65/124/108/52/105/120/116/37/112/113/110/70/104/111/39/82/114/112/60/111/104/40/50/59/39/63/37/32/18/17/45/113/121/67/118/110/41/80/70/71/40/57/39/18/44/55/22/50/54/56/58/46/86/119/71/ .j ,

Registry Changes by all processes

Create or Open

Changes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MicrosoftUpdateServices" = Dokumente und Einstellungen\Administrator\winusbsmgr.exe

Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "DoReport"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "ShowUI"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "AllOrNone"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "IncludeMicrosoftApps"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "IncludeWindowsApps"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "DoTextLog"

124.217.229.162(Parabola botnet)

DNS Lookup

Host Name                        IP Address
0                                127.0.0.1
browseusers.myspace.com          216.178.38.168
myspace.ivwbox.de                193.46.63.103
x.myspacecdn.com                 212.201.100.176
pagead2.googlesyndication.com    74.125.43.166
googleads.g.doubleclick.net      74.125.43.154
www.google-analytics.com         209.85.135.101
js.myspacecdn.com                212.201.100.169
cms.myspacecdn.com               212.201.100.176
qs.ivwbox.de                     91.215.101.32
b.myspace.com                    216.178.38.103
c4.ac-images.myspacecdn.com      195.176.255.157
c1.ac-images.myspacecdn.com      195.176.255.152
c3.ac-images.myspacecdn.com      195.176.255.143
c2.ac-images.myspacecdn.com      195.176.255.145
desk.opt.fimserve.com            63.135.86.39
delb.opt.fimserve.com

178.18.113.122

Remote Host        Port Number
178.18.113.122     6667

Other details
* The following port was open in the system:
  Port   Protocol   Process
  1051   TCP        [file and pathname of the sample #1]

Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAECD99A-AAA4-CD63-DDDF-5CF8BAD8D2F2
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
  o HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{AAECD99A-AAA4-CD63-DDDF-5CF8BAD8D2F2
* The newly created Registry

testusa.helohmar.com

Remote Host              Port Number
testusa.helohmar.com     8800

Resolved : [testusa.helohmar.com] To [76.73.36.42]

Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Taskman = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe"
    so that fddg.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Tji771 = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe"
    so that fddg.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    + Shell =

178.63.148.49

Remote Host        Port Number
178.63.148.49      6667

NICK n{USA|XP}693101
USER 4584 "" "TsGh" :4584
JOIN #Adam

Registry Modifications
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = "%AppData%\winlogon.exe"
    + UserFaultCheck = "%System%\dumprep 0 -u"
    so that winlogon.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = "%AppData%\winlogon.exe"
    so

66.187.110.152

Remote Host        Port Number
66.187.110.152     81

NICK n[USA|XP]1167074
USER s "" "lol" :s
JOIN #newbin#
PONG 422
JOIN #USA (null)

* The following port was open in the system:
  Port   Protocol   Process
  1053   TCP        msnd.exe (%AppData%\msnd.exe)

Memory Modifications
* There was a new process created in the system:
  Process Name   Process Filename   Main Module Size

124.217.239.92

Remote Host        Port Number
124.217.239.92     1234
184.73.209.168     80
204.0.5.41         80
204.0.5.42         80
204.0.5.58         80
204.0.5.59         80
216.178.38.103     80
216.178.38.168     80
63.135.86.21       80
63.135.86.25       80
64.208.138.220     80

PASS xxx
NICK NEW-[USA|00|P|84708]
USER XP-1884 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|84708] -ix
JOIN #!nn! test
PONG 22
MOTD

insidehighered.com

Remote Host            Port Number
insidehighered.com     1034

* The following Internet Connection was established:
  Server Name                Server Port   Connect as User   Connection Password
  browseusers.myspace.com    80            (null)            (null)
* The following GET requests were made:
  o Browse/Browse.aspx
  o Browse/index.jpg
* The data identified by the following URL was then requested from the remote web server:
  o http://4.45.182.239/index.php

p34s3.hmarhelo.com

Resolved : [p34s3.hmarhelo.com] To [209.90.137.223]
Resolved : [p34s3.hmarhelo.com] To [209.90.137.224]
Resolved : [p34s3.hmarhelo.com] To [209.90.137.222]
Resolved : [p34s3.hmarhelo.com] To [209.90.137.221]

Remote Host            Port Number
p34s3.hmarhelo.com     1199

Registry Modifications
* The newly created Registry Value is:
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + 12CFG214-K641-12SF-N85P = "C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe"
    so that vsbntlo.exe runs every time Windows starts

Memory Modifications
* There were new

220.229.232.69

Remote Host        Port Number
220.229.232.69     4891

USER fyejoxvc fyejoxvc fyejoxvc :morggdnd
NICK FNaVaqaVE
MODE FNaVaqaVE +xi
JOIN #maxi
USERHOST FNaVaqaVE
MODE #maxi +smntu
Now talking in #maxi
Topic On: [ #maxi ] [ =glRW7E+NAInKAWQQ9QNpMjm2/81PJzDl0ggaCl8I9h9tSzyjtM4cn6mC9aL1JrmzdqVs5/a9kXPXyRkv7CNtD6uKgjNKvUDhzc7e7bNqdGGL+T/DDRuqVsdOVnWpBdDPucbFYwN/AJyLkrYs9h6fLKN6q3x ]
Topic By: [ DIKFK ]
Modes On: [ #maxi ] [ +smntSMCu ]