To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
... yesterday at 21:53 GMT. Norman Sandbox output:
nepenthes-538f57f4804a626e6f7f0af6dd9fe8e6-bootmngr32.exe : [SANDBOX] contains a security risk - W32/Spybot.gen3 (Signature: W32/Hupigon.FCX)

[ General information ]
 * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [EMAIL PROTECTED] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
 * File length: 120320 bytes.
 * MD5 hash: 538f57f4804a626e6f7f0af6dd9fe8e6.

[ Changes to filesystem ]
 * Creates file C:\WINDOWS\SYSTEM32\bootmngr32.exe.
 * Deletes file 1.

[ Changes to registry ]
 * Creates key "HKLM\Software\\Microsoft\\Windows".
 * Sets value "Windows Boot Manager"="bootmngr32.exe" in key "HKLM\Software\\Microsoft\\Windows".
 * Creates key "HKCU\Software\\Microsoft".
 * Sets value "Windows Boot Manager"="bootmngr32.exe" in key "HKCU\Software\\Microsoft".
 * Sets value "EnableDCOM"="N" in key "HKLM\Software\\Microsoft".

[ Network services ]
 * Looks for an Internet connection.
 * Connects to "server.townbidness.com" on port 42086 (TCP).
 * Sends data stream (22 bytes) to remote address "server.townbidness.com", port 42086.
 * Connects to IRC Server.
 * IRC: Uses nickname |803400.
 * IRC: Uses username ezkieyac.
 * IRC: Joins channel #fk with password bayshit.
 * IRC: Sets the usermode for user |803400 to +i-w.
 * Attempts to delete share named "IPC$" on local system.
 * Attempts to delete share named "ADMIN$" on local system.
 * Attempts to delete share named "C$" on local system.
 * Attempts to delete share named "D$" on local system.

[ Process/window information ]
 * Creates a mutex .
 * Enumerates running processes.
 * Enumerates running processes several parses....

[ Signature Scanning ]
 * C:\WINDOWS\SYSTEM32\bootmngr32.exe (120320 bytes) : W32/Hupigon.FCX.

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
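Added here as an example (not part of the list post and not Norman's own tooling): a Python script that parses a report in the Norman layout above into indicators (sample hash, dropped file, registry values, C2 endpoint, IRC nick/user/channel/password, deleted shares) and matches them against a small set of host observations. The report lines it embeds are the ones quoted in the post; the host observations, and the function names, are constructed for the example and are assumptions, not data from the page.

```python
"""Parse a Norman Sandbox-style report into IOCs and match them against host data.
Added example, not from the list post or from Norman. REPORT is the sandbox text
quoted on the page; OBSERVED is constructed host telemetry used for illustration."""
import re

REPORT = r"""
[ General information ]
 * MD5 hash: 538f57f4804a626e6f7f0af6dd9fe8e6.
[ Changes to filesystem ]
 * Creates file C:\WINDOWS\SYSTEM32\bootmngr32.exe.
[ Changes to registry ]
 * Sets value "Windows Boot Manager"="bootmngr32.exe" in key "HKLM\Software\\Microsoft\\Windows".
 * Sets value "Windows Boot Manager"="bootmngr32.exe" in key "HKCU\Software\\Microsoft".
[ Network services ]
 * Connects to "server.townbidness.com" on port 42086 (TCP).
 * IRC: Uses nickname |803400.
 * IRC: Uses username ezkieyac.
 * IRC: Joins channel #fk with password bayshit.
 * Attempts to delete share named "IPC$" on local system.
 * Attempts to delete share named "ADMIN$" on local system.
 * Attempts to delete share named "C$" on local system.
 * Attempts to delete share named "D$" on local system.
"""
SECTION_RE = re.compile(r"^\[\s*(.*?)\s*\]$")


def normalize_key(key):
    """Collapse the doubled backslashes that appear in the quoted registry paths."""
    return re.sub(r"\\+", r"\\", key)


def parse_sections(report):
    """Split the report into {section name: [bullet text without trailing period]}."""
    sections, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.startswith("*") and current is not None:
            sections.setdefault(current, []).append(line.lstrip("* ").rstrip("."))
    return sections


def extract_iocs(report):
    """Pull hash, dropped files, registry values, C2 endpoints, IRC details and shares."""
    sec = parse_sections(report)
    iocs = {"md5": None, "files": [], "registry": [], "connections": [], "irc": {}, "shares_deleted": []}
    for text in sec.get("General information", []):
        if m := re.search(r"MD5 hash: ([0-9a-fA-F]{32})", text):
            iocs["md5"] = m.group(1).lower()
    for text in sec.get("Changes to filesystem", []):
        if m := re.match(r"Creates file (.+)", text):
            iocs["files"].append(m.group(1))
    for text in sec.get("Changes to registry", []):
        if m := re.match(r'Sets value "(.+?)"="(.*?)" in key "(.+?)"', text):
            name, value, key = m.groups()
            iocs["registry"].append((normalize_key(key), name, value))
    for text in sec.get("Network services", []):
        if m := re.match(r'Connects to "(.+?)" on port (\d+) \((TCP|UDP)\)', text):
            iocs["connections"].append((m.group(1).lower(), int(m.group(2)), m.group(3)))
        elif m := re.match(r"IRC: Uses (nickname|username) (\S+)", text):
            iocs["irc"][m.group(1)] = m.group(2)
        elif m := re.match(r"IRC: Joins channel (\S+) with password (\S+)", text):
            iocs["irc"]["channel"], iocs["irc"]["password"] = m.groups()
        elif m := re.match(r'Attempts to delete share named "(.+?)"', text):
            iocs["shares_deleted"].append(m.group(1))
    return iocs


def match_observations(iocs, observed):
    """Return one hit line per observed artifact that matches a report IOC (case-insensitive)."""
    hits = []
    reg = {(k.lower(), n.lower(), v.lower()) for k, n, v in iocs["registry"]}
    for key, name, value in observed.get("registry", []):
        if (normalize_key(key).lower(), name.lower(), value.lower()) in reg:
            hits.append(f"registry persistence: {key}\\{name} = {value}")
    endpoints = {(h, p) for h, p, _ in iocs["connections"]}
    for host, port in observed.get("connections", []):
        if (host.lower(), port) in endpoints:
            hits.append(f"C2 connection: {host}:{port}")
    files = {f.lower() for f in iocs["files"]}
    for path in observed.get("files", []):
        if path.lower() in files:
            hits.append(f"dropped file: {path}")
    for digest in observed.get("md5s", []):
        if digest.lower() == iocs["md5"]:
            hits.append(f"known sample hash: {digest.lower()}")
    return hits


# Constructed host observations for illustration (not real telemetry from the post).
OBSERVED = {
    "registry": [
        (r"HKLM\Software\Microsoft\Windows", "Windows Boot Manager", "bootmngr32.exe"),
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", "OneDrive.exe"),
    ],
    "connections": [("server.townbidness.com", 42086), ("windowsupdate.microsoft.com", 443)],
    "files": [r"C:\Windows\system32\bootmngr32.exe"],
    "md5s": ["538F57F4804A626E6F7F0AF6DD9FE8E6"],
}

if __name__ == "__main__":
    print("\n".join(match_observations(extract_iocs(REPORT), OBSERVED)))
```

Run directly it prints one line per hit (the persistence value, the connection to server.townbidness.com:42086, the dropped file and the hash) and nothing for the benign entries; imported, extract_iocs can be pointed at any report in the same layout. Comparisons are case-insensitive because registry paths and NTFS paths are, and the doubled backslashes in the quoted key paths are collapsed before matching so that a host's single-backslash path still compares equal.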
