To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
- From a nepenthes-snared malware...
Binary name : vmmon32.exe : Not detected by sandbox (Signature:NO_VIRUS)
MD5 hash: dc8e9c6097d2a3a7fad073f85899b812
My analysis :
Connects to an IRC server..
IRC Server : 66.98.134.29 (irc.debelizombi.com)
- - seems to be located in Houston, Texas, USA.
NICK [XP]|24882702
USER zvvnoxpr 0 0 :[XP]|24882702
Snippet from pcap :
Request: :irc.debelizombi.com 252 [XP]|24882702 1 :operator(s) online
Request: :irc.debelizombi.com 253 [XP]|24882702 1014 :unknown connection(s)
Request: :irc.debelizombi.com 254 [XP]|24882702 9 :channels formed
Request: :irc.debelizombi.com 255 [XP]|24882702 :I have 2123 clients and 0 servers
Request: :irc.debelizombi.com 265 [XP]|24882702 :Current Local Users: 2123 Max: 7705
Request: :irc.debelizombi.com 266 [XP]|24882702 :Current Global Users: 2123 Max: 3162
Request: :irc.debelizombi.com 422 [XP]|24882702 :MOTD File is missing
Request: :[XP]|24882702 MODE [XP]|24882702 :+iwx
It then does this :
MODE [XP]|24882702 +n+B
JOIN #!nja! tn10a4
/topic of #!nja! : #advscan asn1smbnt 200 4 0 -r -b -s -a
There was one ChanOp on the channel : @S
/whois S :
* [S] ([EMAIL PROTECTED]): S
* [S] @#!nja!
* [S] irc.debelizombi.com :Debelizombi Server
* [S] is a Network Administrator
* [S] is available for help.
* [S] idle 00:00:08, signon: Mon Mar 20 09:10:39
* [S] End of WHOIS list.
I have additional information on what else the binary does on the
infected system if anyone is interested.
Regards
Tron.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEH9NuBzVUSpB18YoRA64kAJ92O0QMORSUIeTexX5cEofevLKaRgCfXTbT
MWsRaYE8MD3dWZ5aBwhEoOY=
=O3ju
-----END PGP SIGNATURE-----
_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
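The pcap snippet in the post above is the kind of data an analyst pulls out of a sandbox capture. As an added example (not part of the original post, the list, or any tool named there), the Python below parses raw IRC lines in the form shown, strips the capture tool's "Request: " label (assumed to be a label rather than IRC protocol), reads the server statistics numerics (252-266), and flags the registration pattern visible in the capture: a NICK of the form "[XP]|<digits>" that is reused as the USER real name, followed by a keyed JOIN. The sample lines are constructed from the post's snippet; the regex thresholds are assumptions, not a vendor signature.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the pcap snippet in the post; not a real capture file.
SAMPLE_LINES = [
    "NICK [XP]|24882702",
    "USER zvvnoxpr 0 0 :[XP]|24882702",
    "Request: :irc.debelizombi.com 252 [XP]|24882702 1 :operator(s) online",
    "Request: :irc.debelizombi.com 253 [XP]|24882702 1014 :unknown connection(s)",
    "Request: :irc.debelizombi.com 254 [XP]|24882702 9 :channels formed",
    "Request: :irc.debelizombi.com 255 [XP]|24882702 :I have 2123 clients and 0 servers",
    "Request: :irc.debelizombi.com 265 [XP]|24882702 :Current Local Users: 2123 Max: 7705",
    "Request: :irc.debelizombi.com 266 [XP]|24882702 :Current Global Users: 2123 Max: 3162",
    "Request: :irc.debelizombi.com 422 [XP]|24882702 :MOTD File is missing",
    "MODE [XP]|24882702 +n+B",
    "JOIN #!nja! tn10a4",
]

# Assumed heuristic: "[XX]|digits" nicks, as seen in the capture. Thresholds are a guess.
BOT_NICK_RE = re.compile(r"^\[[A-Za-z0-9]{1,4}\]\|\d{5,}$")


@dataclass
class IrcMessage:
    prefix: Optional[str]   # sender, e.g. the server name, without the leading ':'
    command: str            # verb (NICK, JOIN, ...) or three-digit numeric reply
    params: list            # middle parameters
    trailing: Optional[str] # text after " :" (may contain spaces)


def parse_irc_line(line: str) -> IrcMessage:
    """Split one IRC protocol line into prefix, command, params and trailing text."""
    line = line.strip()
    if line.startswith("Request: "):          # capture tool label, assumed not protocol
        line = line[len("Request: "):]
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    rest, sep, trailing = line.partition(" :")
    parts = rest.split()
    if not parts:
        raise ValueError("empty IRC line")
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else None)


def summarize_session(lines) -> dict:
    """Collect registration details and server statistics from a list of IRC lines."""
    s = {"nick": None, "user": None, "realname": None, "channels": [],
         "keyed_joins": 0, "clients": None, "max_local": None, "max_global": None}
    for line in lines:
        msg = parse_irc_line(line)
        if msg.command == "NICK" and msg.params:
            s["nick"] = msg.params[0]
        elif msg.command == "USER" and msg.params:
            s["user"] = msg.params[0]
            s["realname"] = msg.trailing
        elif msg.command == "JOIN" and msg.params:
            s["channels"].append(msg.params[0])
            if len(msg.params) > 1:           # second parameter is the channel key
                s["keyed_joins"] += 1
        elif msg.command == "255" and msg.trailing:   # RPL_LUSERME
            m = re.search(r"I have (\d+) clients", msg.trailing)
            if m:
                s["clients"] = int(m.group(1))
        elif msg.command == "265" and msg.trailing:   # RPL_LOCALUSERS
            m = re.search(r"Max: (\d+)", msg.trailing)
            if m:
                s["max_local"] = int(m.group(1))
        elif msg.command == "266" and msg.trailing:   # RPL_GLOBALUSERS
            m = re.search(r"Max: (\d+)", msg.trailing)
            if m:
                s["max_global"] = int(m.group(1))
    return s


def flag_session(summary: dict) -> list:
    """Return the reasons (if any) a session looks like automated bot registration."""
    reasons = []
    if summary["nick"] and BOT_NICK_RE.match(summary["nick"]):
        reasons.append("nick matches [XX]|digits pattern")
    if summary["nick"] and summary["realname"] == summary["nick"]:
        reasons.append("USER real name equals NICK")
    if summary["keyed_joins"]:
        reasons.append("joined a channel with a key")
    return reasons


if __name__ == "__main__":
    summary = summarize_session(SAMPLE_LINES)
    print(summary)
    print(flag_session(summary))
```

Running the block over the constructed lines reports 2123 connected clients with local and global maxima of 7705 and 3162, and all three heuristics fire. The heuristics are deliberately narrow (a human IRC client rarely registers with its nick as the real name), so on a real capture they are a triage aid, not a verdict.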