All posts by D O

[ Walkthrough : X-CTF 2016 – Worm ]

Quest: A malware was caught infecting “NUS GOVT” thumb drive. Encryption was used to encrypt outgoing data. Please submit the answer in the following format: XCTF{SHA1 of (key1 + key2 + key3)}

File: add4f352cbcb62fffe01eccf78a912b8

SHA1 Hash: 16e9245a14e223b83fde700aa6904e2f487ef07b

Let’s begin by firing up IDA Pro to see what we can find.

Going through the IAT, we can see that the SetupDI… functions are called. A quick look at MSDN reveals that these functions are used to enumerate Plug and Play devices.

The SetupDiGetDeviceRegistryProperty function retrieves a specified Plug and Play device property.

Figure 1. Imports

Cross-referencing the function (press x in IDA Pro) reveals much more… It seems like the malware is trying to find a USBSTOR device. This definitely makes sense, since the quest already stated that the malware infected a “NUS GOVT” thumb drive. Let’s set a breakpoint later in OllyDbg to see what is really going on. Further down the disassembly, we can see that it is trying to match against the string “NUS GOVT”. Just take note of this for now.

Figure 2. Checking for SPDRP_ENUMERATOR_NAME & SPDRP_FRIENDLYNAME

In the strings, we can see interesting artifacts as well… It looks like the malware is trying to infect via autorun.inf… OK, let’s take note of that for now. We can also see names like wsock32.dll and Ws2_32.dll… but in the imports, we did not see any functions related to these libraries. Probably GetProcAddress is being used…

Figure 3. autorun.inf in strings

OK, let’s fire up OllyDbg. Crap, we encountered an access violation! Scrolling upwards, we realize what the malware is doing… an anti-debugging mechanism!

Figure 4. Access Violation

A jmp is made to 0x4141FD+1 if a debugger is found; otherwise the next EIP should be 0x4041F4. We can simply set the new origin to 0x4041F4 to bypass the anti-debug check.

Figure 5. fs[18h]

Let’s set a breakpoint at 0x4026D1 (refer to Figure 2) with a thumb drive plugged in =).

Figure 6. Matching Thumb drive name with NUS GOVT

Ok… let’s just change the extracted device name to NUS GOVT manually as shown below.

Figure 7. Changing name to NUS GOVT

Run the binary and see what happens…

The binary crashes again… but this time round some files are dropped into my thumb drive.

Figure 8. autorun.inf

Seems like there is a binary dropped into the RECYCLER folder. It seems to be hidden. Let’s use “attrib -h -s” to unhide the folders.

Figure 9. Dropped Binary

Firing up the binary in IDA Pro, it seems like the binaries are the same… but the hash is different. Loading the binary in OllyDbg, we encountered the same anti-debugger code. So let’s set up the same breakpoint again at 0x4026D1 and change the thumb drive name to “NUS GOVT”… Being lazy, I just hit the run button and monitored for any dynamic traces. Wireshark sniffed some HTTP traffic!

Figure 10. HTTP traffic detected!

Remember, earlier we suspected that GetProcAddress is used, since we can’t see any network-related API in the imports and we noticed such libraries in the strings. Set a breakpoint at GetProcAddress and see if we can find anything useful.

Figure 11. WSAStartup via GetProcAddress

Returning to user code… we see this in OllyDbg… =(

Figure 12. Rubbish Codes?

Re-analyse the code to see a more English representation of the above =)

Figure 13. Assembly codes =)

Analyzing the functions above, we can see outgoing connections to nus.edu.sg/ctf.php with some data (passed in via arguments) appended to the user agent string… Let’s return to see who calls this function.

Figure 14. Encrypted Data?

It seems like the function at 0x403210 is protected. Therefore, if you were to put a software breakpoint inside 0x403210, it would become useless when the code gets rebuilt at runtime. In this case, we should use a hardware breakpoint instead. It seems that before calling 0x403210, a function at 0x401FD0 is called twice to deobfuscate the code at 0x403210. Then, after invoking the function at 0x403210, 0x401FD0 gets called twice again to re-obfuscate the code.

Figure 15. Send Data out

Scrolling up from Figure 15, we can see a pattern… It seems that a function at 0x401090 is deobfuscated and re-obfuscated 3 times before a call is made to the above send function (0x403210).

Figure 16. 0x401090 the encryption method

Putting a breakpoint at 0x401090, we can observe something pretty interesting… It seems like the function is passed my computer name and a string which might be the encryption key.

Figure 17. Key 1 found

Running through 2 more breakpoints, we would have collected the 3 keys!

Figure 18. 2nd Key found

Figure 19. 3rd key found

OK so the flag should be

sha1(“MED DNI PTS oRTO RUO VAN MOC iASP VED MDA IONDEADBEEFNU5_MA5T3R”)

XCTF{1f5020e4c091d1464c16c157bc0e56f3d81a3b3a}

WRONG!

It turns out that the above flag is wrong. Remember the autorun.inf… there are some parameters passed in… refer to Figure 8.

Let’s try to re-run the steps with the parameters passed in…

Figure 20. A different 2nd Key

and… we got a different 2nd key!

sha1(“MED DNI PTS oRTO RUO VAN MOC iASP VED MDA IONMEDiCINENU5_MA5T3R”)

AND THE ACTUAL FLAG IS: XCTF{db8496580ff636bc51ade827d1999d32d5dabb1c}

40 points =D

[ Technical Teardown: Maybank Phishing Malware – Part 1 ]

Recently, Jacob discovered 2 interesting phishing websites, http://maybankk2u[dot]com and http://maybank2u-my[dot]com. These 2 websites had identical code and came with malware embedded in them.

The malware that we discovered is a file infector virus. It scans the system for .html files, .exe files and autorun.inf, and inserts malicious code into them.

[ Sample used in the analysis ]
MD5: 44A604F9D96368A83DF55E19644321D3
SHA1: CDBF41310DAE6EFF1127BB92A217369FD2F90B37896568D4F34528AC20468B5C
Malware Sample: index page
Password is “infected29A”

[ Backdoor Analysis ]
A brief high level overview of the malware infection process flow.

Figure 1 – Infection process

[ Initial Exploitation ]
The backdoor was dropped onto the victim’s machine via a malicious VBScript in the phishing home page.

Figure 2 – Maybank Phishing homepage

[ VBScript analysis ]
Scrolling down the HTML source of the web page, you will come across a large chunk of alphanumeric text. If you look closer at the start of this chunk, you will see the hexadecimal “0x5A4D”, which stands for MZ in ASCII. A file that starts with an MZ header is likely a PE file. You may refer to http://wiki.osdev.org/PE for more information about PE files.

To download the payload you may either run the VBScript (which I don’t really recommend) or simply copy the entire hexadecimal wall of text into a hex editor and save it as a .exe file.


Figure 3 – MZ header spotted


Figure 4 – Dropping malware into temporary folder

When the VBScript is executed, it drops an executable into the target’s temp folder. The file name is hard-coded; the malware author is probably trying to hide the malware in plain sight by using a common Windows executable name, svchost.exe.
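The hex-editor route described above can be scripted so that the VBScript is never run. This is an added example, not code from the original post: it assumes the payload is one contiguous hex run starting with 4D5A, and `build_sample_pe`, `SAMPLE_HTML` and the variable name in the markup are constructed for illustration.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# Assumption: the payload is one contiguous run of hex digits that begins with
# the MZ magic (4D5A), as the post describes. The 256-character floor is arbitrary.
HEX_PE = re.compile(r"(?<![0-9A-Fa-f])4D5A[0-9A-Fa-f]{252,}", re.IGNORECASE)


def inspect_pe(data):
    """Validate the MZ and PE signatures; return header facts or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsections, timestamp = struct.unpack_from("<HI", data, e_lfanew + 6)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(nsections):
        entry = data[table + 40 * i: table + 40 * i + 40]
        if len(entry) < 40:                   # truncated copy of the hex text
            break
        names.append(entry[:8].rstrip(b"\0").decode("latin-1"))
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "compiled_utc": compiled.strftime("%Y-%m-%d %H:%M:%S"),
        "sections": names,
        "upx_packed": any(n.startswith("UPX") for n in names),
    }


def carve_pe_from_html(html):
    """Decode every hex-encoded PE embedded in the page without executing it."""
    found = []
    for m in HEX_PE.finditer(html):
        run = m.group(0)
        data = bytes.fromhex(run[: len(run) - len(run) % 2])   # drop a dangling nibble
        info = inspect_pe(data)
        if info:
            info.update(html_offset=m.start(), size=len(data),
                        sha256=hashlib.sha256(data).hexdigest().upper(), data=data)
            found.append(info)
    return found


def build_sample_pe():
    """Constructed header-only stub (not runnable) standing in for the payload."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 1202814140, 0, 0, 0, 0x10F)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1"))
    return dos + coff + sections


# Constructed page: the variable name and markup are illustrative only.
SAMPLE_HTML = ('<html><body>login form</body>\n<script language="VBScript">\n'
               'blob = "' + build_sample_pe().hex().upper() + '"\n</script></html>')

if __name__ == "__main__":
    for hit in carve_pe_from_html(SAMPLE_HTML):
        print(hit["sha256"], hit["size"], hit["compiled_utc"], hit["sections"])
```

Write `hit["data"]` to disk only inside the analysis VM, and compare the printed SHA256 with the value reported for the sample.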

The details of the malware extracted from the HTML are as follows:
SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320
VirusTotal Report: 50/54 (link); 2016-02-03 11:56:14 UTC
Compiled Date/Time: 2008-02-12 11:02:20
Packed: UPX

Let’s unpack the malware using the UPX tool itself.

Figure 5 – Unpacking using upx -d

The details of the unpacked malware are as follows:
SHA256: 876C5CEA11BBBCBE4089A3D0E8F95244CF855D3668E9BF06A97D8E20C1FF237C
VirusTotal Report: 44/54 (link); 2016-02-02 23:21:33 UTC
Compiled Date/Time: 2008:02:12 12:02:20+01:00

The malware camouflages itself as a Bitdefender management console. Another interesting thing to note is that both the product version and the file version seem to be an IP address (106.42.73.61).

Figure 6 – Possibly IP address

[ Dynamic Analysis ]
Let’s begin our journey in analyzing this piece of malware. The malware author used anti-reversing techniques to deter malware analysts from reversing it. Looking at the binary in IDA Pro isn’t of much use. Procmon, however, surfaces some interesting activity.

Figure 7 – New file dropped

As we can see from Figure 7, the malware is writing a new executable to “C:\Program Files\Microsoft\DesktopLayer.exe”. After examining the hashes of the newly dropped executable, I can conclude that the malware simply copied itself into the new location.

Figure 8 – Executing DesktopLayer.exe

After the file has been copied to the new location, a ProcessCreate function is called to execute the newly dropped executable. The current executable then terminates.

Figure 9 – Executing Default Browser

Analyzing DesktopLayer.exe in OllyDbg shows that the malware attempts to run the operating system’s default browser. In this case, it attempts to execute IEXPLORE.EXE. On further examination, we notice that the malware is actually writing into the process memory of the suspended IEXPLORE.EXE process. This technique is known as process hollowing. Once the malware has finished writing its code into the IEXPLORE.EXE process, it resumes the suspended thread.

Figure 10 – Mutex

Based on Figure 10, taken from the Process Explorer tool, we can observe that the malware uses a unique string (KyUffThOkYwRRtgPP) as its mutex.

It is also noted that the malware adds the following key to the registry: “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit”. By doing so, it is able to maintain persistence on the victim’s machine.

Figure 11 – Persistent Registry Key

To get the actual malware code that is running inside IEXPLORE.EXE, we need to attach OllyDbg to the running process and use the OllyDumpEx plugin to dump it.

The dumped process contains some interesting strings.

Figure 12 – Script Tags and Autorun?

There are some more interesting strings in the dump that suggest there is an antidote for this virus. The dump also contains the mutex key and a domain name.

Figure 13 – Antidote is available

I am interested in using the antidote. Analyzing the injected process memory dump, we come to this assembly code. To activate the “Antidot”, we just need to add a registry key: “HKLM\Software\WASAntidot\disable”.

Figure 14 – Disable Malware

As shown in Figure 15, we can prevent mass infection by the virus by adding the registry key mentioned earlier. We even get to see a nice message box telling us that Antidot is activated.

Figure 15 – Antidot Activated

The malware loops through the folders on the victim’s machine and edits every HTML file it comes across, inserting the same malicious code we found in the phishing website. It also attempts to infect suitable .exe files with malicious code. Once one of these infected executables is run, a copy of the same malware is dropped and executed on the machine.

The malware also infects removable drives by editing the autorun.inf and planting itself in the RECYCLER sub folder. Better unplug your removable drives from the VM before you try analysing this!

The malware attempts to resolve a domain, fget-career.com. It also attempts to resolve google.com.


Figure 16 – DNS queries in Wireshark


Figure 17 – Spawning Shell

Once the malware calls the fget-career URL, it can execute a shell on the target machine if commands are given.

Figure 18 – Open port 4678

The malware also attempts to listen on port 4678.


Figure 19 – Port 4678 Opened

One of the common ways most AV companies use to find infected or breached systems is IOCs (indicators of compromise). We should be looking for known (or suspicious) command and control (C&C) traffic on the network and for known bad or suspicious indicators on the hosts.

Based on our dynamic analysis, below are the known IOCs that we can scan our PCs for.

[ Host based Indicator ]

  1. Mutex – KyUffThOkYwRRtgPP
  2. File – C:\Program Files\Microsoft\DesktopLayer.exe
  3. File – temp folder\svchost.exe
  4. Registry Key – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  5. Process – Default Browser with no parent
  6. C:\Program Files\Internet Explorer\complete.dat (Default browser path)
  7. C:\Program Files\Internet Explorer\dmlconf.dat (Default browser path)

[ Network based Indicator ]

  1. fget-career.com (DNS)
  2. User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  3. Listener on port 4678
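
One way to apply the indicators above to collected host data, as an added example that is not part of the original analysis. It assumes the Userinit value, `netstat -ano` output and DNS query names have already been exported as text; `SAMPLE` is constructed. The user agent is the stock IE6 on Windows XP string, so it is only reported alongside a stronger finding.

```python
import re

# Indicators from the two lists above.
C2_DOMAIN = "fget-career.com"
LISTEN_PORT = 4678
WEAK_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
STOCK_USERINIT = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\userinit\.exe$", re.I)


def extra_userinit_entries(value):
    """Return Userinit entries other than the stock userinit.exe.

    Userinit is a comma-separated list of programs Winlogon starts at logon;
    a clean system lists only <SystemRoot>\\system32\\userinit.exe.
    """
    extras = []
    for entry in value.split(","):
        path = entry.strip().strip('"')
        if path and not STOCK_USERINIT.match(path):
            extras.append(path)
    return extras


def listening_on(netstat_lines, port=LISTEN_PORT):
    """Return PIDs holding a TCP listener on the port, from `netstat -ano` text."""
    pids = []
    for line in netstat_lines:
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                pids.append(int(f[4]))
    return pids


def dns_hits(queried_names, domain=C2_DOMAIN):
    """Match the C&C domain and its subdomains, but not look-alike suffixes."""
    hits = []
    for name in queried_names:
        n = name.lower().rstrip(".")
        if n == domain or n.endswith("." + domain):
            hits.append(name)
    return hits


def assess(snapshot):
    """Combine findings; the user agent alone is never sufficient."""
    findings = []
    for path in extra_userinit_entries(snapshot["userinit"]):
        findings.append(("high", "Userinit launches " + path))
    for pid in listening_on(snapshot["netstat"]):
        findings.append(("high", "PID %d listening on TCP %d" % (pid, LISTEN_PORT)))
    for name in dns_hits(snapshot["dns"]):
        findings.append(("high", "DNS query for " + name))
    if findings and WEAK_UA in snapshot["user_agents"]:
        findings.append(("low", "IE6/XP user agent seen (common string, corroborating only)"))
    return findings


SAMPLE = {  # constructed values for illustration
    "userinit": r"C:\WINDOWS\system32\userinit.exe,,C:\Program Files\Microsoft\DesktopLayer.exe",
    "netstat": [
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884",
        "  TCP    0.0.0.0:4678           0.0.0.0:0              LISTENING       1532",
        "  TCP    10.0.0.5:1042          10.0.0.9:4678          ESTABLISHED     400",
    ],
    "dns": ["google.com", "fget-career.com.", "notfget-career.com"],
    "user_agents": [WEAK_UA],
}

if __name__ == "__main__":
    for level, message in assess(SAMPLE):
        print("[%s] %s" % (level, message))
```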

[ Whois information ]

Domain Name: MAYBANKK2U.COM
Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
Sponsoring Registrar IANA ID: 1556
Whois Server: whois.west263.com
Referral URL: http://www.west.cn
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
Status: ok https://www.icann.org/epp#OK
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:  207.226.137.64

Domain Name: MAYBANK2U-MY.COM
Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
Sponsoring Registrar IANA ID: 1556
Whois Server: whois.west263.com
Referral URL: http://www.west.cn
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
Status: ok http://www.icann.org/epp#OK
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:  207.226.137.64

Once again, a network whois on the suspicious IP we got from the product version earlier on points back to China.

However, based on the analysis done on the malware, and on passive DNS and past whois records from VirusTotal and who.is, the IP address we got from the product version earlier could likely be a fake to throw us off.

Another thing to note is that fget-career.com seems to be offline at the moment, and it will be expiring in March 2016. Therefore, if we are interested in plotting how widespread the infection is, or in taking over this malware, we can attempt to buy this domain and host our own C&C server.

D O

[ Technical Teardown: HongKong Protest Malware ]

[ How it starts ]
It all started when we saw Tsui Lokman mention an executable that they received, which could be malware.
This particular piece of malware could potentially be used to target Hongkongers participating in #OccupyCentral & #UmbrellaMovement.
Being the curious cat(s), we started asking for a copy of it to analyse.

[ Sample used in the analysis ]

[ Updates ] Since @vietwow requested a copy of the sample, we have attached it here like always: Letter To Hong Kong 20141011_pdf_viewer. The password to the zip is “infected29A”.

[ Tool Used ]

 

[ Analysis of Dropper ]
1) The executable is camouflaged as an Adobe executable (PDF viewer) by using an Adobe icon, as shown here.

Image 1 : Screenshot of Dropper

A Microsoft Excel icon is also found in the executable (using the Resource Hacker tool). However, the icon is not used at all. Probably there is another version of the dropper that disguises itself as an Excel document.

Image 2 : Extra icon using ResHacker

2) Upon execution of the dropper, the malware copied itself to C:\Documents and Settings\Administrator\Application Data\WMService.exe. The path that the malware copies itself to varies depending on the operating system version. For Win XP, the path would be [drive]:\Documents and Settings\[User Name]\Application Data\WMService.exe, while for Vista and above the path would be [drive]:\Users\[User Name]\AppData\Roaming\WMService.exe.

Image 3 : Screenshot of Dropped location

The first function of interest when running the malware is the decryption of the encrypted strings in the program. At address 00403E9A we can see that there is a function call to address 00401F70.

Image 4 : List of Encoded Strings

From the above assembly code, we can see several encrypted strings. Note that there are several calls to function 00401AAE. This function is called to decrypt the encrypted strings. Instead of going through the decryption routine… my approach is to use OllyDbg to decrypt the strings at runtime, as shown below.

Image 5 : List of Decoded Strings

Now we can make a better educated guess about what the malware is doing with the decrypted strings. Previously, IDA Pro strings did not really churn out any useful strings for us, but with the decrypted strings we can see the evil server domain name.

Moving on, we can see that after the decryption routine, an argument -st is supplied to the executable.
On analyzing the dropper via IDA Pro, the dropper has 2 distinct paths.
One of the paths (Path A) is taken when an -st argument is not supplied when executing the dropper, while the other path (Path B) is taken when the -st argument is supplied to the binary.
Path A is taken when the dropper is first executed by the user, in which case no arguments are passed to the process. Path B is taken when the system boots up and executes the dropper via the registry’s Run key, in which case an argument is provided to the process.

Image 6 : 2 Paths of Malware

[ Analysis of Path A ]

At address 00403FAF we can see that a function at 00403B55 is being called. This function builds the cmd.exe command and executes it, as shown below.

Image 7 : Command Line to add Registry Entry

A registry entry is added via reg add hkcu\software\microsoft\windows\currentversion\run /v hotkey /t reg_sz /d “C:\Documents and Settings\Administrator\Application Data\WMService.exe -st”

After execution, the dropper “deletes” itself by moving itself to C:\Documents and Settings\Administrator\Application Data\WMService.exe via c:\windows\system32\cmd.exe.

Image 8 : Command Line to “Move” Malware to another location

[ Analysis of Path B ]

The first thing that Path B does is create a mutex object with the name “c8aabdc4” using the CreateMutex function. In the event that the mutex already exists, the program will terminate.

Image 9 : Creation of MutexName

The mutex is used to prevent 2 such processes from running at the same time. The malware then continues by calling the function at address 0040264A, where it gets the computer name and internal IP address of the computer.

Next, GetTempPathA is called to form the path C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s.bin, which is used as the destination file path of the actual payload.

The function at address 00403D60 takes in the domain name www.sslquery.myz.info:443 and resolves it to an IP address – 113.10.245.133.

 Image 10 : Possibly C&C of Malware

Function 00402350 is called to form the GET request to the C&C server. In the function we can see the computer name and internal IP address, as shown below.

 Image 11 : Data that are sent back to C&C

The information gathered from the victim is encoded and appended to the URL.

URLDownloadToFileA is then called to upload user info and download the payload from the url below:

http://113.10.245.133:443/23qRBtcuhhT6RQlyu1UCPE7/Xr3zuUKejqj7jvbDS1lOxlTzc4W/3LaRfo+f6HiSg+RE1LQHP0Dd0tSVMT9KXTMmKh71dOj9vKvFS6Rn6+6Qf2jVjmNyHWn5BUV0QP+zEm9/XEXDd9RR0Tvnq2BpE66tKoZkUtDLuVT8X7BGjOa2Ct/VHNHXdTdWvYRYfnoXU0fCXtr7927GHEHho5uvxXgW149eEuExWXjslwtvniW0lF6maDcOmWbAcohjm/jLbHIa1RWR3hMY8y/+nmJXSrQ6D3wah9JHwORUvCUKK1X3Kt4w3AJBXJzC9qtD131K4P3R++cZdtdAewC+66LHA+3oBk9nIbTaGsD6prIZS1LrhRh3xB0ZJuds/bsxqJodiATKSWnASEvbMU2ZCs605p/3KorQsDgkdXEZOUzv8NEPyN/vLTTN3opci7d7N+sBtZXA3OqG+1tn+pBLIfggVDSZP/LJcOEYHfo+eLLweqc=.bin

to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s.bin

However at the time of analyzing the sample, the server was already down…


 Image 12 : Download URL of another payload

Should the actual payload (s.bin) exist, we would expect the first byte of the downloaded payload to be the type of command to execute, as shown in the switch statement below. The function responsible for reading the commands from the downloaded payload is at address 00402553.

 Image 13 : List of Commands for Malware

Based on the above switch statement, we can observe that the downloaded payload is in fact a set of commands to be executed on the machine. We do not really need to download and analyze the payload to know what it is doing. The functions that the malware can perform are reading files, uploading files to the server, executing commands, deleting files, finding files and retrieving logical drive info.

Once the command to the malware is executed, the instruction file, s.bin, is deleted.

As we can see in the image below, the malware calls back to its server every hour and retrieves new commands to execute.

 Image 14 : Hourly Sleep
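
The hourly callback and the shape of the download URL give a network-side detection, sketched here as an added example that is not part of the original teardown. It assumes proxy or flow records of (timestamp, source IP, URL); the tolerance, the minimum event count, the 64-character path floor and `SAMPLE_RECORDS` are assumptions or constructed values.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Shape of the download URL shown above: plain HTTP to port 443, one long
# base64-alphabet path ending in ".bin". The 64-character floor is an assumption.
B64_BIN_PATH = re.compile(r"^/[A-Za-z0-9+/=]{64,}\.bin$")


def is_suspect_url(url):
    """True for http://host:443/<long base64>.bin style requests."""
    try:
        u = urlsplit(url)
        port = u.port
    except ValueError:                      # malformed port in a log line
        return False
    return u.scheme == "http" and port == 443 and bool(B64_BIN_PATH.match(u.path))


def near_multiple(gap, period, tolerance):
    """Accept gaps close to k * period (k >= 1) so missed check-ins still match."""
    k = round(gap / period)
    return k >= 1 and abs(gap - k * period) <= tolerance


def hourly_beacons(records, period=3600, tolerance=120, min_events=4):
    """Return {(src_ip, dest): [gap_seconds, ...]} for hosts that call back on a timer.

    records: iterable of (iso_timestamp, src_ip, url) from a proxy or flow log.
    period matches the hourly sleep; tolerance and min_events are assumptions.
    """
    seen = defaultdict(list)
    for ts, src, url in records:
        if is_suspect_url(url):
            seen[(src, urlsplit(url).netloc)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, times in seen.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        if len(times) >= min_events and all(near_multiple(g, period, tolerance) for g in gaps):
            flagged[key] = gaps
    return flagged


# Constructed log records; the path is a made-up base64 string, not the one above.
SAMPLE_PATH = "/" + "QUJD" * 20 + "=.bin"
C2 = "http://113.10.245.133:443" + SAMPLE_PATH
SAMPLE_RECORDS = [
    ("2014-10-20T09:00:03", "10.0.0.23", C2),
    ("2014-10-20T10:00:07", "10.0.0.23", C2),
    ("2014-10-20T11:00:05", "10.0.0.23", C2),
    ("2014-10-20T13:00:09", "10.0.0.23", C2),   # 12:00 check-in missing
    ("2014-10-20T09:10:00", "10.0.0.40", C2),   # same URL shape, no timer
    ("2014-10-20T09:12:30", "10.0.0.40", C2),
    ("2014-10-20T09:40:00", "10.0.0.40", C2),
    ("2014-10-20T10:05:00", "10.0.0.40", C2),
    ("2014-10-20T09:00:04", "10.0.0.23", "https://113.10.245.133:443/index.html"),
]

if __name__ == "__main__":
    for (src, dest), gaps in hourly_beacons(SAMPLE_RECORDS).items():
        print(src, "->", dest, "gaps:", gaps)
```

Records are grouped by destination host and port rather than by full URL, so a path that changes between check-ins does not split one host's callbacks into separate groups.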

[ Dropping of Persistent Backdoor ]
Earlier on, we mentioned that the malware adds an entry to the registry. This registry key is added for persistence.
Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name: Hotkey
Value: C:\Documents and Settings\Administrator\Application Data\WMService.exe -st

You may find a screenshot of this in the [ Analysis of Path A ] section.

[ Anti Analysis Features ]
The author of this malware implemented a time delay in the program, possibly for the purpose of evading antivirus detection. Antivirus products are known to execute a program to look for malicious code, but only for a short period of time. A time-delay approach could potentially evade such scanning.

Using a breakpoint in OllyDbg, we observed that IsDebuggerPresent is used to detect whether a debugger is attached to the dropper. However, there is no difference in the core operations even if the dropper detects that a debugger is present.

[ Whois Investigation ]
A quick Whois query using CentralOps revealed that the domain name (www.sslquery.myz.info) also points to the IP address (113.10.245.133), which we had also found earlier in the binary. As myz.info is a “Free Dynamic DNS” service offered by ChangeIP.com, the infiltrator can change the IP address easily without affecting the callback.

However the server is currently inactive. (Information correct as of 22/10/2014)

[ Domain Whois record ]

Queried whois.afilias.info with “myz.info”…

Domain Name:MYZ.INFO
Domain ID: D1182102-LRMS
Creation Date: 2001-10-26T05:20:59Z
Updated Date: 2012-07-12T14:25:25Z
Registry Expiry Date: 2017-10-26T05:20:59Z
Sponsoring Registrar:Network Solutions, LLC (R122-LRMS)
Sponsoring Registrar IANA ID: 2
WHOIS Server:
Referral URL:
Domain Status: clientTransferProhibited
Registrant ID:52605919-NSI
Registrant Name:ChangeIP Network OperationsZZZ
Registrant Organization:
Registrant Street: 1200 Brickell Avenue
Registrant Street: Suite 1950
Registrant City:Miami
Registrant State/Province:FL
Registrant Postal Code:33131
Registrant Country:US
Registrant Phone:+1.8007913367
Registrant Phone Ext:
Registrant Fax: +1.7862246593
Registrant Fax Ext:
Registrant Email:noc@changeip.com
Admin ID:52605919-NSI
Admin Name:ChangeIP Network OperationsZZZ
Admin Organization:
Admin Street: 1200 Brickell Avenue
Admin Street: Suite 1950
Admin City:Miami
Admin State/Province:FL
Admin Postal Code:33131
Admin Country:US
Admin Phone:+1.8007913367
Admin Phone Ext:
Admin Fax: +1.7862246593
Admin Fax Ext:
Admin Email:noc@changeip.com
Billing ID:C1256251-LRMS
Billing Name:ChangeIP.com
Billing Organization:ChangeIP.com
Billing Street: 1200 Brickell Avenue
Billing Street: Suite 1950
Billing City:Miami
Billing State/Province:FL
Billing Postal Code:33131
Billing Country:US
Billing Phone:+1.8007913367
Billing Phone Ext:
Billing Fax:
Billing Fax Ext:
Billing Email:billing@changeip.com
Tech ID:52605919-NSI
Tech Name:ChangeIP Network OperationsZZZ
Tech Organization:
Tech Street: 1200 Brickell Avenue
Tech Street: Suite 1950
Tech City:Miami
Tech State/Province:FL
Tech Postal Code:33131
Tech Country:US
Tech Phone:+1.8007913367
Tech Phone Ext:
Tech Fax: +1.7862246593
Tech Fax Ext:
Tech Email:noc@changeip.com
Name Server:NS1.CHANGEIP.ORG
Name Server:NS2.CHANGEIP.ORG
Name Server:NS3.CHANGEIP.ORG
DNSSEC:Unsigned

inetnum: 113.10.245.0 – 113.10.245.255

netname: NWTBB-HK
descr: NWT Broadband Service
country: HK
admin-c: NC315-AP
tech-c: KW315-AP
status: ASSIGNED NON-PORTABLE
remarks: For network abuse email <abuse@newworldtel.com>
mnt-irt: IRT-NEWWORLDTEL-HK
changed: kmmwong@newworldtel.com 20101208
mnt-by: MAINT-HK-NEWWORLDTEL
source: APNIC

irt: IRT-NEWWORLDTEL-HK
address: 17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
e-mail: abuse@newworldtel.com
abuse-mailbox: abuse@newworldtel.com
admin-c: KW315-AP
tech-c: IDC1-AP
tech-c: NC315-AP
auth: # Filtered
mnt-by: MAINT-HK-NEWWORLDTEL
changed: abuse@newworldtel.com 20101207
source: APNIC

person: Kwong Ming Wong
nic-hdl: KW315-AP
e-mail: kmmwong@newworldtel.com
address: 17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
phone: +852-21300120
fax-no: + 852 – 2133 2175
country: HK
changed: kmmwong@newworldtel.com 20060814
mnt-by: MAINT-HK-NEWWORLDTEL
source: APNIC

person: Network Management Center
nic-hdl: NC315-AP
e-mail: nmc@newworldtel.com
address: 17/F Chevalier Commercial Centre,
address: 8 Wang Hoi Road, Kowloon Bay,
address: Hong Kong.
phone: + 852 – 2130-0120
fax-no: + 852 – 2133 2175
country: HK
changed: kmmwong@newworldtel.com 20080804
mnt-by: MAINT-HK-NEWWORLDTEL
source: APNIC

% Information related to ‘113.10.245.0/24AS17444’

route: 113.10.245.0/24
descr: NWT Route Object
origin: AS17444
mnt-by: MAINT-HK-NEWWORLDTEL
changed: kmmwong@newworldtel.com 20110114
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS4)

 

Signing Off
D O & J Soo