[botnets] possible botnet? channel #asn2 at dynamic1084.amdwebhost.com:6667

Wed, 05 Apr 2006 03:20:29 -0700 

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
I'm not an IRC guy, but I imagine this is not a good thing?

cheers,
 Jamie

nepenthes-721e2a9c2fa4efd12f80672a87fb977b-asn2.exe : [SANDBOX]
contains a security risk - W32/Spybot.gen3 (Signature:
W32/Spybot.AHRJ)
 [ General information ]
   * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [EMAIL PROTECTED]
- REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
   * **Locates window "NULL [class mIRC]" on desktop.
   * File length:       158208 bytes.
   * MD5 hash: 721e2a9c2fa4efd12f80672a87fb977b.

 [ Changes to filesystem ]
   * Creates file C:\WINDOWS\SYSTEM32\xagw.exe.
   * Deletes file 1.

 [ Changes to registry ]
   * Creates value "Windows ASN2 Services"="xagw.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
   * Creates value "Windows ASN2 Services"="xagw.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
   * Sets value "restrictanonymous"="" in key
"HKLM\System\CurrentControlSet\Control\Lsa".
   * Sets value "restrictanonymoussam"="" in key
"HKLM\System\CurrentControlSet\Control\Lsa".

 [ Network services ]
   * Looks for an Internet connection.
   * Connects to "dynamic1084.amdwebhost.com" on port 6667 (TCP).
   * Connects to IRC server.
   * IRC: Uses password R4DRR4KZ6ZD3.
   * IRC: Uses nickname aSNb-8034002.
   * IRC: Uses username ezkieyaca.
   * IRC: Joins channel #asn2 with password PdIAykAD.
   * IRC: Sets the usermode for user aSNb-8034002 to .
   * Attempts to delete share named "IPC$" on local system.
   * Attempts to delete share named "ADMIN$" on local system.
   * Attempts to delete share named "C$" on local system.
   * Attempts to delete share named "D$" on local system.

 [ Process/window information ]
   * Creates a mutex rzasnb.
   * Will automatically restart after boot (I'll be back...).

 [ Signature Scanning ]
   * C:\WINDOWS\SYSTEM32\xagw.exe (158208 bytes) : W32/Spybot.AHRJ.


(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information
source only.
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

Reply via email to