Transport Protocol: TCP
Remote Address: 188.8.131.52
Remote Port: 6667
Connection Established: 0
|Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).|
|A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.|
|MS04-012: DCOM RPC Overflow exploit – replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots).|
|MS04-011: LSASS Overflow exploit – replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).|
|Capability to perform DoS attacks against other computers.|
|Capability to terminate Antivirus, Firewall and other security related processes.|
|Replication across networks by exploiting weakly restricted shares (common for Randex family of worms).|
|Communication with a remote IRC server.|
|Creates a startup registry entry.|
|Contains characteristics of an identified security risk.|
- The following Host Names were requested from a host database:
USER mkoblcpo 0 0 :USA|00|XP|SP2|36111938
MODE USA|00|XP|SP2|36111938 -x+iu
JOIN #NmZ pr1v8
NOTICE USA|00|XP|SP2|36111938 :.VERSION iroffer v1.3b10 [D&P 23874155], http://iroffer.org/.
NOTICE #NmZ :USA|00|XP|SP2|36111938 has just versioned me.
PRIVMSG #NmZ :.n.z.m. (ddos.p.l.g) …. Flooding: (127.0.0.2:1234) for 50 seconds.
PRIVMSG #NmZ :.n.z.m. (ddos.p.l.g) …. Done with flood (0KB/sec).
PRIVMSG #techs :.n.z.m. (patcher.p.l.g) …. fixed, version 1.
USER uijvxoxwfe 0 0 :USA|00|XP|SP2|97581468
MODE USA|00|XP|SP2|97581468 -x+iu
USER zoyurrnq 0 0 :USA|00|XP|SP2|18235787
MODE USA|00|XP|SP2|18235787 -x+iu
USER iqpdczbnuh 0 0 :USA|00|XP|SP2|47818328
MODE USA|00|XP|SP2|47818328 -x+iu