ana.smo7he.net

Host Name IP Address
ana.smo7he.net 95.128.242.245
dell-d3e62f7e26 10.1.14.2
alkeichah.com
alkeichah.com 72.35.84.6
u1.k129129.com
UDP Connections
Remote IP Address: 95.128.242.245 Port: 1975
Send Datagram: packet(s) of size 7
Send Datagram: 2 packet(s) of size 3
Send Datagram: packet(s) of size 49
Send Datagram: packet(s) of size 58
Send Datagram: packet(s) of size 1
Recv Datagram: 6329 packet(s) of size 0
Recv Datagram: packet(s) of size 8
Recv Datagram: 2 packet(s) of size 3
Recv Datagram: packet(s) of size 35
Download URLs
http://72.35.84.6/u1.exe (alkeichah.com)
Outgoing connection to remote server: alkeichah.com TCP port 80

Registry Changes by all processes
Create or Open
Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373\isl.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-33CF-AAX5-35GX1C642122} "StubPath" = c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Fixer32.exe
Reads:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDPNP\NetworkProvider "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WebClient\NetworkProvider "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\NetworkProvider "Name"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum "0"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 "AllowUnsafeObjectPassing"

File Changes by all processes
New Files:
C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373\Desktop.ini
C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373\isl.exe
C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373\isl.exe
C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373\Desktop.ini
\\.\pipe\zhtGvbaaaaa
\Device\RasAcd
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\95.exe
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Fixer32.exe
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Fixer32.exe
Dfs
Opened Files:
\\.\PIPE\lsarpc
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\95.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp
\\.\PIPE\wkssvc
\\.\PIPE\DAV RPC SERVICE
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp
\\.\PIPE\lsarpc
Deleted Files:
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Fixer32.exe
Chronological Order:
Set File Attributes: C:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create File: C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373\Desktop.ini
Copy File: c:\881.exe to C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373\isl.exe
Set File Attributes: C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373\isl.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create/Open File: C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373\isl.exe (OPEN_ALWAYS)
Create/Open File: C:\RECYCLER\S-1-5-21-9173823888-3026357259-104145650-2373\Desktop.ini (OPEN_ALWAYS)
Create NamedPipe: \\.\pipe\zhtGvbaaaaa
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\95.exe
Get File Attributes: c:\cwsandbox\cwsandbox.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\95.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\95.exe
Set File Attributes: c:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create File: c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
Set File Attributes: c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Fixer32.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Fixer32.exe
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\95.exe to c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Fixer32.exe
Create/Open File: c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Fixer32.exe (OPEN_ALWAYS)
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Create/Open File: Dfs (OPEN_ALWAYS)
Open File: \\.\PIPE\DAV RPC SERVICE (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\95.exe
Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)

  Transport Protocol: UDP
  Remote Address: 95.128.242.242
  Remote Port: 1975
  Protocol: Unknown
  Connection Established: 1
  Socket: 1228

Outgoing Connections
  HTTP Data
    Method: GET
    Url: 67.228.233.182/new/w.exe
    HTTP Version: HTTP/1.1
    Header Data
      User-Agent: Mozilla
      Host: 67.228.233.182:1999

Vc Panel inside also
http://67.228.233.182:1999/Default.aspx

  Transport Protocol: TCP
  Remote Address: 67.228.233.182
  Remote Port: 1999
  Protocol: HTTP