To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
I see the [SANDBOX] on the end of those .exe's, what application are you using to run these apps and get this information?
I'll go get myself a copy for just this sort of work.

Thanks,
bf

On 3/9/06, Nepenthes Development Team <[EMAIL PROTECTED]> wrote:
> I'm not sure if some got already mentioned
>
>
> 1)
>
> nepenthes-a30ddbb3d3e45b0f5bf6c63e26dc13c9-Sound.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen6 (Signature: W32/SDBot.YNE)
> * MD5 hash: a30ddbb3d3e45b0f5bf6c63e26dc13c9.
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "reptile.locean-indien.com" on port 6667 (TCP).
> * Connects to IRC server.
> * IRC: Uses nickname NeT803400248.
> * IRC: Uses username htpserldooa.
> * IRC: Joins channel ##Rx-AsN## with password #Rx-AsN#.
> * IRC: Sets the usermode for user NeT803400248 to -x+iB.
>
> 2)
> nepenthes-7dc73bfa4d78284155dd5101991eeb34-index.html : [SANDBOX]
> contains a security risk - W32/Malware (Signature: W32/Smalldrp.FDM)
> * MD5 hash: 7dc73bfa4d78284155dd5101991eeb34.
>
> [ Network services ]
> * Connects to "symantec.loves.the.cock.pheer.biz" on port 18067 (TCP).
> * Sends data stream (13 bytes) to remote address
> "symantec.loves.the.cock.pheer.biz", port 18067.
> * Connects to IRC Server.
> * Connects to "owjgp.game2max.net" on port 18067 (TCP).
> * Sends data stream (13 bytes) to remote address
> "owjgp.game2max.net", port 18067.
>
> 3)
> nepenthes-195ef8c9328fab28b474c20edc3f7d3e-wvemsgr.exe : [SANDBOX] contains a
> * MD5 hash: 195ef8c9328fab28b474c20edc3f7d3e.
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "getsome.minilauncher.net" on port 65267 (TCP).
> * Connects to IRC Server.
>
> 4)
> nepenthes-9e2acfb52bd3844c1de0f6bc1f78ffe2-asn.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen3 (Signature:
> W32/Spybot.AHDO)
> * MD5 hash: 9e2acfb52bd3844c1de0f6bc1f78ffe2.
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "dynamic1082.amdwebhost.com" on port 6667 (TCP).
> * Connects to IRC server.
> * IRC: Uses password R4DRR4KZ6ZD3.
> * IRC: Uses nickname aSNa-8034002.
> * IRC: Uses username ezkieyaca.
> * IRC: Joins channel #asn with password PdIAykAD.
> * IRC: Sets the usermode for user aSNa-8034002 to .
>
> 5)
> nepenthes-3adad9d9eaaa923d4fdbcdb8e11f94f9-winPE.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen3 (Signature: W32/Pinfi.A)
> [ General information ]
> * MD5 hash: 3adad9d9eaaa923d4fdbcdb8e11f94f9.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "irc.nkclan.net" on port 7007 (TCP).
> * Sends data stream (18 bytes) to remote address "irc.nkclan.net",
> port 7007.
> * Connects to IRC Server.
>
> 6)
> nepenthes-c3cb486a2abe71534f76fa22bc14f9b7-winmgr.exe : [SANDBOX]
> contains a security risk - W32/Backdoor (Signature: W32/Spybot.ACAD)
> * MD5 hash: c3cb486a2abe71534f76fa22bc14f9b7.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "213.202.229.13" on port 6667 (TCP).
> * Connects to IRC server.
> * IRC: Uses nickname akka-803400.
> * IRC: Uses username htpserld.
> * IRC: Joins channel #akka with password reboot.
> * IRC: Sets the usermode for user akka-803400 to -x+B.
>
> 7)
> nepenthes-bc3318ace8785ae89b36a9d7f049aec8-p.exe : [SANDBOX] contains
> a security risk - W32/Spybot.gen2 (Signature: W32/Spybot.AHWD)
> * MD5 hash: bc3318ace8785ae89b36a9d7f049aec8.
>
> [ Network services ]
> * Connects to "real80.act10l.com.ar" on port 80 (TCP).
> * Connects to IRC Server.
>
> 8)
> nepenthes-04c250c236aae5b7e2dae67c13a54b55-eraseme_00156.exe :
> [SANDBOX] contains a security risk - W32/Downloader (Signature:
> W32/SDBot.ZFP)
> * MD5 hash: 04c250c236aae5b7e2dae67c13a54b55.
>
> [ Network services ]
> * Downloads file from http://http.down.love.witlog.net/tds.exe as
> C:\U.exe.
>
> 9)
> nepenthes-19f531b289e0a22d3ca7aa6714e65c7b-plscd.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen4 (Signature:
> W32/Spybot.AEHU)
> * MD5 hash: 19f531b289e0a22d3ca7aa6714e65c7b.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "jrbot.kuso-fansub.info" on port 6667 (TCP).
> * Connects to IRC server.
> * IRC: Uses nickname aSn-803400248.
> * IRC: Uses username ezkieyacagi.
> * IRC: Joins channel #!asn! with password getfucked.
> * IRC: Sets the usermode for user aSn-803400248 to -x+iB.
>
> 10)
> nepenthes-a18949e4c5b1b04168edae841524f46b-valuex.exe : [SANDBOX]
> contains a security risk - W32/Malware (Signature: W32/Spybot.ABYM)
>
> * MD5 hash: a18949e4c5b1b04168edae841524f46b.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "samba.core1.info" on port 10362 (TCP).
> * Connects to IRC Server.
>
> 11)
> nepenthes-80927bad81f9cde6f77d6a6dd9a642d8-winfixup.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen3 (Signature:
> W32/Spybot.AGYF)
> * MD5 hash: 80927bad81f9cde6f77d6a6dd9a642d8.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "home.paltalkdc.com" on port 7000 (TCP).
> * Connects to IRC Server.
>
> 12)
> nepenthes-195ef8c9328fab28b474c20edc3f7d3e-wvemsgr.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen4 (Signature:
> W32/Spybot.AFHF)
> * MD5 hash: 195ef8c9328fab28b474c20edc3f7d3e.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "getsome.minilauncher.net" on port 65267 (TCP).
> * Connects to IRC Server.
>
> 13)
> nepenthes-031e9668549ae3de7295bf20d4ababa1-laordewll.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen3 (Signature: W32/Ircbot.AAY)
> * MD5 hash: 031e9668549ae3de7295bf20d4ababa1.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "der.ifconfig.us" on port 7000 (TCP).
> * Connects to IRC Server.
>
> 14)
> nepenthes-2c84c2f9733d19bf1298307fa6ff779c-ohndddo.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen3 (Signature:
> W32/Spybot.AHDB)
> * MD5 hash: 2c84c2f9733d19bf1298307fa6ff779c.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "dem3ntedfreaks.net" on port 6667 (TCP).
> * Connects to IRC server.
> * IRC: Uses nickname ezkieyacagiz.
> * IRC: Uses username ezkieyacagiz.
>
> 15)
> nepenthes-382ca8e9409673715dedb98b38d85f58-USBhardware9.exe :
> [SANDBOX] contains a security risk - W32/Spybot.gen2 (Signature:
> W32/Spybot.VNS)
> * MD5 hash: 382ca8e9409673715dedb98b38d85f58.
>
> [ Network services ]
> * Connects to "tigroulaki.ugly.as" on port 3267 (TCP).
> * Connects to IRC Server.
>
> 16)
> nepenthes-fdef4b3c49706959cbdf41c755070fc1-msvpn.exe : [SANDBOX]
> contains a security risk - W32/Malware (Signature: W32/Spybot.AGSB)
> * MD5 hash: fdef4b3c49706959cbdf41c755070fc1.
>
> [ Network services ]
> * Connects to "irc.suckmynuts.org" on port 2715 (TCP).
> * Connects to IRC Server.
>
> 17)
> nepenthes-f16800dea64522d686d88e67c7b02597-sysinfo.exe : [SANDBOX]
> contains a security risk - W32/Malware (Signature: W32/Spybot.ABON)
> * MD5 hash: f16800dea64522d686d88e67c7b02597.
>
> [ Network services ]
> * Connects to "n0n0.d0d0n0.info" on port 8585 (TCP).
> * Connects to IRC Server.
>
> 18)
> nepenthes-dfa289dd1292fc6142e403b51d538c7d-iexplorers.exe : [SANDBOX]
> contains a security risk - W32/Malware (Signature: W32/Spybot.AEWP)
> * MD5 hash: dfa289dd1292fc6142e403b51d538c7d.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "forum.ednet.es" on port 8080 (TCP).
> * Connects to IRC Server.
>
> 19)
> nepenthes-e53cb0b03d39aec6376db9500cc3f966-scorti.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen3 (Signature:
> W32/Spybot.AAUP)
> * MD5 hash: e53cb0b03d39aec6376db9500cc3f966.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "manz.urshell.com" on port 7000 (TCP).
> * Connects to IRC Server.
>
> 20)
> nepenthes-1472561f918ef20af12e82a735cc5b64-update32.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen3 (Signature:
> W32/Spybot.ABQJ)
> * MD5 hash: 1472561f918ef20af12e82a735cc5b64.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "xfriends.devilslife.com" on port 6667 (TCP).
> * Connects to IRC server.
> * IRC: Uses nickname xXx-004472890.
> * IRC: Uses username auafsqhguvv.
> * IRC: Joins channel #xXx# with password XRealm.
> * IRC: Sets the usermode for user xXx-004472890 to +x.
>
> 21)
> nepenthes-ff13f42c816eea68c9abf03f4544f39f-ntsf.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen3 (Signature:
> W32/Spybot.AHSL)
> * MD5 hash: ff13f42c816eea68c9abf03f4544f39f.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "213.202.205.171" on port 6667 (TCP).
> * Connects to IRC server.
> * IRC: Uses password eddyeguerrero77.
> * IRC: Uses nickname [TheCroWCRe]-803400.
> * IRC: Uses username ezkieyac.
>
> 22)
> nepenthes-cc95b4224748a4886daa78487a40b8ed-lssas.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen7 (Signature:
> W32/Spybot.AHTV)
> * MD5 hash: cc95b4224748a4886daa78487a40b8ed.
>
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "online.ircstyle.net" on port 6667 (TCP).
> * Connects to IRC server.
> * IRC: Uses nickname GurL80340024.
> * IRC: Uses username ezkieyacag.
> * IRC: Joins channel ##rrxx with password li.
> * IRC: Sets the usermode for user GurL80340024 to -x+B.
>
> 23)
> nepenthes-6d8e44cf7e66e01a5c29bef865ef4510-mssh32.exe : [SANDBOX]
> contains a security risk - W32/Spybot.gen7 (Signature: NO_VIRUS)
> * MD5 hash: 6d8e44cf7e66e01a5c29bef865ef4510.
> [ Network services ]
> * Looks for an Internet connection.
> * Connects to "dd0s.ns0.it" on port 3000 (TCP).
> * Connects to IRC Server.
_______________________________________________
botnets mailing list
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
