213.239.201.80(ruski bots)

By Pig, November 25, 2009

Remote Host Port Number
213.239.201.80 8000
213.239.201.80 80

* The data identified by the following URL was then requested from the remote web server:
o http://nero872.cn/a/

Registry Modifications

* The following Registry Keys were created:
o HKEY_CURRENT_USERSoftwareMinisoft
o HKEY_CURRENT_USERSoftwareVideohost
o HKEY_CURRENT_USERSoftwareXML

* The following Registry Keys were deleted:
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalAppMgmt
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalBase
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalBoot Bus Extender
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalBoot file system
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalCryptSvc
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalDcomLaunch
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimaldmadmin
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimaldmboot.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimaldmio.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimaldmload.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimaldmserver
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalEventLog
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalFile system
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalFilter
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalHelpSvc
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalNetlogon
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalPCI Configuration
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalPlugPlay
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalPNP Filter
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalPrimary disk
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalRpcSs
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalSCSI Class
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalsermouse.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalsr.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalSRService
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalSystem Bus Extender
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalvga.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalvgasave.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalWinMgmt
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{36FC9E60-C465-11CF-8056-444553540000}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E965-E325-11CE-BFC1-08002BE10318}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E967-E325-11CE-BFC1-08002BE10318}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E969-E325-11CE-BFC1-08002BE10318}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E96A-E325-11CE-BFC1-08002BE10318}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E96B-E325-11CE-BFC1-08002BE10318}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E96F-E325-11CE-BFC1-08002BE10318}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E977-E325-11CE-BFC1-08002BE10318}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E97B-E325-11CE-BFC1-08002BE10318}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E97D-E325-11CE-BFC1-08002BE10318}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E980-E325-11CE-BFC1-08002BE10318}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkAFD
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkAppMgmt
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkBase
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkBoot Bus Extender
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkBoot file system
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkBrowser
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkCryptSvc
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkDcomLaunch
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkDhcp
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkdmadmin
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkdmboot.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkdmio.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkdmload.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkdmserver
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkDnsCache
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkEventLog
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkFile system
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkFilter
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkHelpSvc
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkip6fw.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkipnat.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkLanmanServer
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkLanmanWorkstation
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkLmHosts
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkMessenger
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNDIS
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNDIS Wrapper
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNdisuio
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetBIOS
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetBIOSGroup
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetBT
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetDDEGroup
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetlogon
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetMan
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetwork
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetworkProvider
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworknm
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworknm.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNtLmSsp
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkPCI Configuration
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkPlugPlay
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkPNP Filter
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkPNP_TDI
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkPrimary disk
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkrdpcdd.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkrdpdd.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkrdpwd.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkrdsessmgr
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkRpcSs
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkSCSI Class
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworksermouse.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkSharedAccess
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworksr.sys
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkSRService
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkStreams Drivers
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkSystem Bus Extender
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkTcpip

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Host Process = “%FontsDir%svchost.exe”
+ calc = “rundll32.exe %System%calc.dll,_IWMPEvents@0”

so that svchost.exe runs every time Windows starts
so that calc.dll runs every time Windows starts
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
+ ProxyEnable = 0x00000000
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ calc = “rundll32.exe %UserProfile%ntuser.dll,_IWMPEvents@0”
+ Videohost = “%Temp%b.exe”

so that ntuser.dll runs every time Windows starts
so that b.exe runs every time Windows starts

* The following Registry Values were deleted:
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
+ (Default) = “Human Interface Devices”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
+ (Default) = “Volume”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E980-E325-11CE-BFC1-08002BE10318}]
+ (Default) = “Floppy disk drive”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E97D-E325-11CE-BFC1-08002BE10318}]
+ (Default) = “System”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E97B-E325-11CE-BFC1-08002BE10318}]
+ (Default) = “SCSIAdapter”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E977-E325-11CE-BFC1-08002BE10318}]
+ (Default) = “PCMCIA Adapters”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E96F-E325-11CE-BFC1-08002BE10318}]
+ (Default) = “Mouse”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E96B-E325-11CE-BFC1-08002BE10318}]
+ (Default) = “Keyboard”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E96A-E325-11CE-BFC1-08002BE10318}]
+ (Default) = “Hdc”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E969-E325-11CE-BFC1-08002BE10318}]
+ (Default) = “Standard floppy disk controller”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E967-E325-11CE-BFC1-08002BE10318}]
+ (Default) = “DiskDrive”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{4D36E965-E325-11CE-BFC1-08002BE10318}]
+ (Default) = “CD-ROM Drive”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimal{36FC9E60-C465-11CF-8056-444553540000}]
+ (Default) = “Universal Serial Bus controllers”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalWinMgmt]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalvgasave.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalvga.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalSystem Bus Extender]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalSRService]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalsr.sys]
+ (Default) = “FSFilter System Recovery”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalsermouse.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalSCSI Class]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalRpcSs]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalPrimary disk]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalPNP Filter]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalPlugPlay]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalPCI Configuration]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalNetlogon]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalHelpSvc]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalFilter]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalFile system]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalEventLog]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimaldmserver]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimaldmload.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimaldmio.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimaldmboot.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimaldmadmin]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalDcomLaunch]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalCryptSvc]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalBoot file system]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalBoot Bus Extender]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalBase]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootMinimalAppMgmt]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkAFD]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkAppMgmt]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkBase]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkBoot Bus Extender]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkBoot file system]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkBrowser]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkCryptSvc]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkDcomLaunch]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkDhcp]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkdmadmin]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkdmboot.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkdmio.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkdmload.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkdmserver]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkDnsCache]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkEventLog]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkFile system]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkFilter]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkHelpSvc]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkip6fw.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkipnat.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkLanmanServer]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkLanmanWorkstation]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkLmHosts]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkMessenger]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNDIS]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNDIS Wrapper]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNdisuio]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetBIOS]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetBIOSGroup]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetBT]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetDDEGroup]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetlogon]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetMan]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetwork]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNetworkProvider]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworknm]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworknm.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkNtLmSsp]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkPCI Configuration]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkPlugPlay]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkPNP Filter]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkPNP_TDI]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkPrimary disk]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkrdpcdd.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkrdpdd.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkrdpwd.sys]
+ (Default) = “Driver”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkrdsessmgr]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkRpcSs]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkSCSI Class]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworksermouse.sys]
+ (Default) = “Driver”
o [[pathname with a string SHARE]SharedAccess]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworksr.sys]
+ (Default) = “FSFilter System Recovery”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkSRService]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkStreams Drivers]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkSystem Bus Extender]
+ (Default) = “Driver Group”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkTcpip]
+ (Default) = “Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSafeBootNetworkTDI]
+ (Default) = “Driver Group”

* The following Registry Value was modified:
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders]
+ Cookies =
+ History =

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
svchost.exe %FontsDir%svchost.exe 307 200 bytes
raaug.exe %UserProfile%raaug.exe 98 304 bytes
YRxSmH.exe %UserProfile%yrxsmh.exe 430 080 bytes
cique.exe c:cique.exe 8 192 bytes
[filename of the sample #1] [file and pathname of the sample #1] 307 200 bytes

* The following module was loaded into the address space of other process(es):

Module Name Module Filename Address Space Details
2.tmp %System%spoolPRTPROCSW32X862.tmp Process name: spoolsv.exe
Process filename: %System%spoolsv.exe
Address space: 0xE70000 – 0xE85000

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Temp%7.tmp 70 656 bytes MD5: 0x6AB8B26677AD4D74465310F99BC55997
SHA-1: 0xDA530642E4044DD8CA8F8CBE97022F4A3BB64FD4 Backdoor.Tidserv [Symantec]
Packed.Win32.TDSS.z [Kaspersky Lab]
Trojan:Win32/Alureon.CT [Microsoft]
2 %Temp%a.exe 300 032 bytes MD5: 0x36A70E2F4CA65E194D10FF6160E533D5
SHA-1: 0x7A93484B9D902807CB077C22820901E98C441530 Trojan.FakeAV!gen [Symantec]
Downloader-BWS [McAfee]
3 %Temp%b.exe 177 664 bytes MD5: 0xBDF3EBD3C952A476416C8243D9C22B82
SHA-1: 0x9F0779E5968CB01DCA6746C27E4013A25654C283 Trojan.FakeAV!gen [Symantec]
Downloader-BWS [McAfee]
4 %Temp%c.exe
%Windir%msa.exe 191 488 bytes MD5: 0x8C970D83063DF6E49CB17E1AB6A9A504
SHA-1: 0x14A8240E7182CA37377FAF6EC3D6EE76568BB04B Trojan.FakeAV!gen [Symantec]
Downloader-BWS [McAfee]
5 %Temp%nsrbgxod.bak 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)
6 %Temp%rundll32.dll
%UserProfile%ntuser.dll
%Programs%Startupscandisk.dll
%System%calc.dll 24 064 bytes MD5: 0x924E3B39C1D23AA30FD5629448027C47
SHA-1: 0x4552D656E087C8A5B495E66BBE8247094E17A420 Infostealer [Symantec]
Packed.Win32.Krap.ah [Kaspersky Lab]
Generic.dx!hca [McAfee]
Mal/EncPk-MA, Mal/FakeDouf-B [Sophos]
Trojan.CryptRedol [Ikarus]
7 %UserProfile%raaug.exe 86 016 bytes MD5: 0x2D0A610B1CAAA44DCB02CE81E4345863
SHA-1: 0x58EF7C9DBDEEBC010FE7368DAE70B385F86C8B35 (not available)
8 %Programs%Startupscandisk.lnk 655 bytes MD5: 0x6DD9F4546AA0A7BCD89C00844B635F53
SHA-1: 0x5A6D36E041C59B1689B6CD62FE32C93369C55FFD (not available)
9 %FontsDir%svchost.exe 303 123 bytes MD5: 0xBCF6141C8B311D3F5BE723CB177B44D6
SHA-1: 0x33FAA2CB334E310E3E5ADEC106789AAAB1CF15FA Backdoor.IRC.Bot [Symantec]
Trojan-Downloader.Win32.VB.dck [Kaspersky Lab]
Generic BackDoor.f [McAfee]
W32/Zipwire-A [Sophos]
TrojanDownloader:Win32/Tonick.gen [Microsoft]
Win-Trojan/Xema.variant [AhnLab]
10 [file and pathname of the sample #1] 303 122 bytes MD5: 0xF42ECEAC27EDDFD921A3F58EBDFEEC31
SHA-1: 0xB25B0DFDE1B627523809484B4F566C2B1B004E48 Backdoor.IRC.Bot [Symantec]
Trojan-Downloader.Win32.VB.dck [Kaspersky Lab]
Generic BackDoor.f [McAfee]
W32/Zipwire-A [Sophos]
TrojanDownloader:Win32/Tonick.gen [Microsoft]
Win-Trojan/Xema.variant [AhnLab]
11 %System%sshnas.dll 179 200 bytes MD5: 0xD455A786BB11CE128C3F40597EE37A3D
SHA-1: 0xCF68EAC313284F5B75F6077E50D2BB85EEAB1BE3 Trojan.FakeAV!gen [Symantec]
12 %System%wbemPerformanceWmiApRpl_new.h 357 bytes MD5: 0x231323658D79D9BDF946E1CFBE01E500
SHA-1: 0xD3D145D037FCA0C669C4B3E2990906B922B22ADE (not available)
13 %Windir%Tasks{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job 246 bytes MD5: 0x925BF6E1788C287B8D2ABCD971497573
SHA-1: 0x6F78B587198E64DAEEDFA6215EB41B71B06D3C69 (not available)
14 %Windir%Tasks{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job 290 bytes MD5: 0x2F1251B220C4EE9E3553D5EF7FB720C6
SHA-1: 0x4D22381BA3656A782AAF30A09FB7EBBEDCDADE46 (not available)

Categories: Uncategorized