new net

Outgoing Connections
Transport Protocol: TCP
Remote Address:
Remote Port: 6667
Connection Established: 0
Socket: 44

Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit – replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
MS04-011: LSASS Overflow exploit – replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
Capability to perform DoS attacks against other computers.
Capability to terminate Antivirus, Firewall and other security related processes.
Replication across networks by exploiting weakly restricted shares (common for Randex family of worms).
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

  • The following Host Names were requested from a host database:

NICK USA|00|XP|SP2|36111938
USER mkoblcpo 0 0 :USA|00|XP|SP2|36111938
USERHOST USA|00|XP|SP2|36111938
MODE USA|00|XP|SP2|36111938 -x+iu
JOIN #NmZ pr1v8
NOTICE USA|00|XP|SP2|36111938 :.VERSION iroffer v1.3b10 [D&P 23874155],
NOTICE #NmZ :USA|00|XP|SP2|36111938 has just versioned me.
PRIVMSG #NmZ :.n.z.m. (ddos.p.l.g) …. Flooding: ( for 50 seconds.
PRIVMSG #NmZ :.n.z.m. (ddos.p.l.g) …. Done with flood (0KB/sec).
PRIVMSG #techs :.n.z.m. (patcher.p.l.g) …. fixed, version 1.
NICK USA|00|XP|SP2|97581468
USER uijvxoxwfe 0 0 :USA|00|XP|SP2|97581468
USERHOST USA|00|XP|SP2|97581468
MODE USA|00|XP|SP2|97581468 -x+iu
NICK USA|00|XP|SP2|18235787
USER zoyurrnq 0 0 :USA|00|XP|SP2|18235787
USERHOST USA|00|XP|SP2|18235787
MODE USA|00|XP|SP2|18235787 -x+iu
NICK USA|00|XP|SP2|47818328
USER iqpdczbnuh 0 0 :USA|00|XP|SP2|47818328
USERHOST USA|00|XP|SP2|47818328
MODE USA|00|XP|SP2|47818328 -x+iu

Categories: Uncategorized
Previous post
Next post