Remote Host Port Number
195.197.175.21 6667
201.45.219.146 6667
NICK Venw
USER lalitha “” “Helsinki.FI.EU.Undernet.Org” :
Gigi
PONG :1030512791
SILENCE +*!*@*
MODE Venw +iwx
MODE nathaniea +iwx
USER Orlie “” “remuser.strangled.net” :
NICK iani
USER khan “” “remuser.strangled.net” :
14OOooOO Lume Noua!!!
NICK :orangen
MODE iani +i
NICK :nathaniea
MODE Venw +i
JOIN #drone
MODE #drone
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREClasses.cha
o HKEY_LOCAL_MACHINESOFTWAREClasses.chat
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFile
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileDefaultIcon
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShell
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopen
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopencommand
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexec
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecApplication
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecifexec
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecTopic
o HKEY_LOCAL_MACHINESOFTWAREClassesirc
o HKEY_LOCAL_MACHINESOFTWAREClassesircDefaultIcon
o HKEY_LOCAL_MACHINESOFTWAREClassesircShell
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopen
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopencommand
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexec
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecApplication
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecifexec
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecTopic
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallmIRC
o HKEY_LOCAL_MACHINESYSTEMControlSet001Servicessvchost
o HKEY_LOCAL_MACHINESYSTEMControlSet001ServicessvchostParameters
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicessvchost
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicessvchostParameters
o HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft Agent
o HKEY_CURRENT_USERSoftwaremIRC
o HKEY_CURRENT_USERSoftwaremIRCChannels
o HKEY_CURRENT_USERSoftwaremIRCLicense
o HKEY_CURRENT_USERSoftwaremIRCLockOptions
o HKEY_CURRENT_USERSoftwaremIRC%UserName%
o HKEY_CURRENT_USERSoftwareWinRAR SFX
* Notes:
o %UserName% is a variable that refers to the current user name.
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREClasses.cha]
+ (Default) = “ChatFile”
o [HKEY_LOCAL_MACHINESOFTWAREClasses.chat]
+ (Default) = “ChatFile”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecTopic]
+ (Default) = “Connect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecifexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecApplication]
+ (Default) = “svchost”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopencommand]
+ (Default) = “”%Windir%tempspoolsvspoolsv.exe” -noconnect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileDefaultIcon]
+ (Default) = “”%Windir%tempspoolsvspoolsv.exe””
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFile]
+ (Default) = “Chat File”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecTopic]
+ (Default) = “Connect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecifexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecApplication]
+ (Default) = “svchost”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopencommand]
+ (Default) = “”%Windir%tempspoolsvspoolsv.exe” -noconnect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircDefaultIcon]
+ (Default) = “”%Windir%tempspoolsvspoolsv.exe””
o [HKEY_LOCAL_MACHINESOFTWAREClassesirc]
+ (Default) = “URL:IRC Protocol”
+ EditFlags = 02 00 00 00
+ URL Protocol = “”
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ spoolsv = “”%Windir%tempspoolsvspoolsv.exe””
so that spoolsv.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallmIRC]
+ DisplayName = “mIRC”
+ UninstallString = “”%Windir%tempspoolsvspoolsv.exe” -uninstall”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ServicessvchostParameters]
+ Application = “”%Windir%tempspoolsvspoolsv.exe””
+ AppDirectory = “”%Windir%tempspoolsvspoolsv.exe””
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicessvchostParameters]
+ Application = “”%Windir%tempspoolsvspoolsv.exe””
+ AppDirectory = “”%Windir%tempspoolsvspoolsv.exe””
o [HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USERSoftwaremIRC%UserName%]
+ (Default) = “WhiteHat”
o [HKEY_CURRENT_USERSoftwaremIRCLockOptions]
+ (Default) = “0,4096”
o [HKEY_CURRENT_USERSoftwaremIRCLicense]
+ (Default) = “5662-546732”
o [HKEY_CURRENT_USERSoftwareWinRAR SFX]
+ C%%Windows%temp%spoolsv% = “%Windir%tempspoolsv”
* The following directories were created:
o %Windir%Tempspoolsv
o %Windir%Tempspoolsvdownload
o %Windir%Tempspoolsvlogs
o %Windir%Tempspoolsvsounds
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1] 958 347 bytes MD5: 0xDD4638F017C1432A4E2A502C3A3B25B9
SHA-1: 0x6D7CAA1000BEBE9C584901C24FD0AC226BBE77B5 Backdoor.IRC.Zapchast.zwrc, not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
Mal/Zapchas-A [Sophos]
Backdoor.Win32.IRCFlood [Ikarus]
2 %Windir%Tempspoolsva.reg 1 260 bytes MD5: 0x3A6124B67B70CFC076115D6C03A46555
SHA-1: 0xFF32EA635FBC7E246EDB1EF30FD2146702137200 Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
Reg/IRCSpoolsv [McAfee]
REG_ZAPCHAST.ED [Trend Micro]
Backdoor.IRC.Zapchast [Ikarus]
3 %Windir%Tempspoolsvaliases.ini 11 bytes MD5: 0x2218DF9CDFFC814A3DC25C81DD8619DD
SHA-1: 0x0290F796218937F61331ADC8803788E7CD4C2299 (not available)
4 %Windir%Tempspoolsvcom.mrc 9 983 bytes MD5: 0x9FB655AF02074F0E218FA2E9FD054D98
SHA-1: 0x3EDDDA50EEBF44085E10180CC58DD216B3B3BD82 (not available)
5 %Windir%Tempspoolsvcontrol.ini 130 bytes MD5: 0x92C90A7CB157BBD431B43558675AC53D
SHA-1: 0x86A2FAEA8E55DA2B14F2E888CE6CCB369C204051 (not available)
6 %Windir%Tempspoolsvfullname.txt 3 647 bytes MD5: 0xDAD2C1150385D4D5F3EC0FC2762FEA92
SHA-1: 0x8D13938EA47694A4FDD22EDF5D00C0E32D1C4723 (not available)
7 %Windir%Tempspoolsvident.txt 83 167 bytes MD5: 0x071704D6A49339AED07B791171355EA1
SHA-1: 0x3CFCF160EAE48932910DE76BF453FAEDAD6D6455 (not available)
8 %Windir%Tempspoolsvmirc.ico 5 694 bytes MD5: 0xE09AA9787AF5CC53FD7525DD6693CF10
SHA-1: 0x57445D0779A66C61741822C0A7988573EFEE13D7 (not available)
9 %Windir%Tempspoolsvmirc.ini 3 237 bytes MD5: 0x4DB2BD6D79B132F38A1A9019E2655799
SHA-1: 0x2C33BD7513DEF22F10583F1DDF00ED98B3E37EF0 Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
IRC/Flood.gen.b [McAfee]
Mal/Zapchas-C [Sophos]
Backdoor.IRC.Zapchast [Ikarus]
10 %Windir%Tempspoolsvremote.ini 3 474 bytes MD5: 0x5023F295866DF627C06E9A41A6327D11
SHA-1: 0xF5D17D20907D2B42D918BA93D3DBF1BDAF9FF037 (not available)
11 %Windir%Tempspoolsvrun.bat 194 bytes MD5: 0x08FD9592BFA14C19955FC760BE2BB98A
SHA-1: 0x2CDC2FA19727DF675EEE0F8951B0333DBC6F4B81 Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
Generic component [McAfee]
Backdoor.IRC.Zapchast [Ikarus]
12 %Windir%Tempspoolsvs.mrc 1 419 bytes MD5: 0x579E0F87C272C666CED9EDA444E4953E
SHA-1: 0x62C50CA0B83F58BD922C1272A182C3CEC5C3C919 Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
Backdoor.IRC.Zapchast [Ikarus]
VBS/Zapchast [AhnLab]
13 %Windir%Tempspoolsvservers.ini 1 968 bytes MD5: 0x8BB02530275006E5AB803A2DA9BD63E7
SHA-1: 0xE02D5B2869A4DF6404884FB34D090461D730B30E (not available)
14 %Windir%Tempspoolsvspoolsv.exe 1 790 464 bytes MD5: 0xB766003F431CAD186BD115F5761592D1
SHA-1: 0x33CDFE6F7FA6B321F9A51CC051C32BA924164B10 not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
IRC/Client [McAfee]
not-a-virus:Client-IRC.Win32.mIRC [Ikarus]
Win-Trojan/MircPack.1790464 [AhnLab]
15 %Windir%Tempspoolsvusers.ini 289 bytes MD5: 0xC373E6A8E07A733FBB03A6F16B990ADB
SHA-1: 0xCCF5548664907EA6C32C3614ADA071B816C28330 (not available)
16 %Windir%Tempspoolsvxmas.jpg 124 304 bytes MD5: 0xAE2A93C7E766B4D6A49C4427F110CC32
SHA-1: 0x47E9AEE2BE2295A103B6AC443DC39C02AB30F752 (not available)