Outgoing Connections
Transport Protocol: TCP
Remote Address: 69.65.19.125
Remote Port: 6667
Connection Established: 0
Socket: 44
The sample is protected with Themida in order to prevent it from being reverse-engineered. Themida protection can potentially be used by a threat to complicate manual threat analysis (e.g. the sample would not run under a virtual machine).
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit – replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).
MS04-011: LSASS Overflow exploit – replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
Capability to perform DoS attacks against other computers.
Capability to terminate Antivirus, Firewall and other security-related processes.
Replication across networks by exploiting weakly restricted shares (common for the Randex family of worms).
Communication with a remote IRC server.
Creates a startup registry entry.
Contains characteristics of an identified security risk.
- The following Host Names were requested from a host database:
- acen.no-ip.biz
- 127.0.0.2
NICK USA|00|XP|SP2|36111938
USER mkoblcpo 0 0 :USA|00|XP|SP2|36111938
USERHOST USA|00|XP|SP2|36111938
MODE USA|00|XP|SP2|36111938 -x+iu
JOIN #NmZ pr1v8
NOTICE USA|00|XP|SP2|36111938 :.VERSION iroffer v1.3b10 [D&P 23874155], http://iroffer.org/.
NOTICE #NmZ :USA|00|XP|SP2|36111938 has just versioned me.
PRIVMSG #NmZ :.n.z.m. (ddos.p.l.g) …. Flooding: (127.0.0.2:1234) for 50 seconds.
PRIVMSG #NmZ :.n.z.m. (ddos.p.l.g) …. Done with flood (0KB/sec).
PRIVMSG #techs :.n.z.m. (patcher.p.l.g) …. fixed, version 1.
NICK USA|00|XP|SP2|97581468
USER uijvxoxwfe 0 0 :USA|00|XP|SP2|97581468
USERHOST USA|00|XP|SP2|97581468
MODE USA|00|XP|SP2|97581468 -x+iu
NICK USA|00|XP|SP2|18235787
USER zoyurrnq 0 0 :USA|00|XP|SP2|18235787
USERHOST USA|00|XP|SP2|18235787
MODE USA|00|XP|SP2|18235787 -x+iu
NICK USA|00|XP|SP2|47818328
USER iqpdczbnuh 0 0 :USA|00|XP|SP2|47818328
USERHOST USA|00|XP|SP2|47818328
MODE USA|00|XP|SP2|47818328 -x+iu