fatalz.opendns.be

Possible Security Risk

* Attention! Characteristics of the following security risks were identified in the system:

Security Risk / Description
Trojan.Agent.AZV: spams itself via email, requiring the user to download a fake codec. While installing itself it produces a fake error message; the trojan also produces pop-up advertisements.
Backdoor.IRCBot!sd6: a family of IRC backdoors allowing unauthorized access to an infected PC. It has the capability to spread over a network by exploiting various Windows vulnerabilities.

* Attention! The following threat categories were identified:

Threat Category Description
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment
A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

* The following files were created in the system:

# Filename(s) / File Size / File Hash / Alias
1 c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
  File Size: 62 bytes
  MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
  SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514
  Alias: (not available)
2 c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\md32.exe [file and pathname of the sample #1]
  File Size: 39 986 bytes
  MD5: 0xCAB048AF46B6EBC914E9D16C5BCF6D27
  SHA-1: 0x5E327796DE8045FAE730DA937187893DF41D75CC
  Aliases: Backdoor.IRCBot!sd6 [PCTools], W32.IRCBot [Symantec], Worm.Win32.AutoRun.tla [Kaspersky Lab], Generic PUP.x [McAfee], W32/Inject-DE [Sophos], VirTool:Win32/CeeInject.gen!J [Microsoft], VirTool.Win32.CeeInject [Ikarus]

* The following directory was created:
o c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013

Memory Modifications

* There was a new process created in the system:

Process Name / Process Filename / Main Module Size
[filename of the sample #1] / [file and pathname of the sample #1] / 20 480 bytes

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
+ StubPath = "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\md32.exe"

Other details

* Analysis of the file resources indicates the following possible country of origin:

Israel

* To mark the presence in the system, the following Mutex object was created:
o nigger

* The following Host Name was requested from a host database:
o fatalz.opendns.be

* An attempt to establish a connection with a remote host was registered. The connection details are:

Remote Host / Port Number
fatalz.opendns.be / 81

Outbound traffic (potentially malicious)

* Attention! A new connection was established with a remote IRC server. The generated outbound IRC traffic is provided below:
PASS fbi.can.suck.my.dick
NICK xcmtua
USER fbivcy "" "fgx" :fbivcy
