big net)

Remote Host Port Number 51987

NICK pLagUe{USA}56265
MODE pLagUe{USA}56265 -ix
USER pLagUe * ok
TeaM UniX b0at 0.4
PC has been ~iNfEctEd~

Other details

* The following port was open in the system:

Port Protocol Process
1051 TCP raidhost.exe (%Windir%raidhost.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ raidhost = “raidhost.exe”

so that raidhost.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
raidhost.exe %Windir%raidhost.exe 356 352 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%raidhost.exe
[file and pathname of the sample #1] 46 596 bytes MD5: 0xD01C7B0483049A0DC63E28875F6A43CF
SHA-1: 0x81FD1DC85AF1D8DB4F6398CDD1A90D08CDEA169C Worm:Win32/Hamweq.A [Microsoft]
2 %System%YoItzVlad.tmp 5 bytes MD5: 0xD356C81C0BDF1FE2059EABDA720CA0D4
SHA-1: 0x6A09BBFD26586342F7A9F19B82EBBE5AAB023E06 (not available)

Categories: Uncategorized