snipa.gov (big net)

Remote Host      Port Number
174.133.63.91    51987

NICK pLagUe{USA}56265
MODE pLagUe{USA}56265 -ix
JOIN #H1N1
PRIVMSG #H1N1 :
USER pLagUe * ok
TeaM UniX b0at 0.4
PC has been ~iNfEctEd~
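The registration sequence in the capture above is itself a usable detection: the client sends MODE, JOIN and an empty PRIVMSG before it has even sent USER (so the server has not completed registration), its USER line has only three parameters, and the nick follows the tag{COUNTRY}digits shape used by IRC bots. The following parser and scoring routine is an added example written for this page, not code from the original post or from the bot; the nick regular expression and the "two or more reasons" threshold are assumptions, and the capture is reconstructed from the lines above (the two banner lines after USER are not IRC commands and are left out).

```python
# Added example (not part of the original report): parse a captured
# client->server IRC stream and flag the bot-like registration sequence.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the capture from the page, plus one benign client
# session for contrast.
BOT_CAPTURE = """\
NICK pLagUe{USA}56265
MODE pLagUe{USA}56265 -ix
JOIN #H1N1
PRIVMSG #H1N1 :
USER pLagUe * ok
"""

BENIGN_CAPTURE = """\
NICK alice
USER alice 0 * :Alice Example
JOIN #python
PRIVMSG #python :hello
"""

# Assumption: nick shape commonly used by IRC bots - a tag, a country or OS
# marker in braces/brackets, then a numeric ID, e.g. pLagUe{USA}56265.
BOT_NICK_RE = re.compile(r"^[A-Za-z]+[\{\[][A-Z]{2,3}[\}\]]\d{4,}$")


@dataclass
class IrcMessage:
    command: str
    params: list[str]
    trailing: str | None = None  # text after " :", may be empty


def parse_line(line: str) -> IrcMessage:
    """Parse one client->server IRC line (RFC 2812 shape, no prefix)."""
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    return IrcMessage(parts[0].upper(), parts[1:], trailing)


def parse_stream(text: str) -> list[IrcMessage]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


@dataclass
class Verdict:
    bot_like: bool
    nick: str | None
    channels: list[str]
    reasons: list[str] = field(default_factory=list)


def assess(messages: list[IrcMessage]) -> Verdict:
    """Score a session on the anomalies visible in the page's capture."""
    nick = None
    registered = False  # becomes True once USER has been sent
    channels: list[str] = []
    reasons: list[str] = []
    for m in messages:
        if m.command == "NICK" and m.params:
            nick = m.params[0]
            if BOT_NICK_RE.match(nick):
                reasons.append(f"bot-style nick {nick!r}")
        elif m.command == "USER":
            registered = True
            # RFC 2812: USER <user> <mode> <unused> <realname>
            nparams = len(m.params) + (1 if m.trailing is not None else 0)
            if nparams < 4:
                reasons.append("USER carries fewer than 4 parameters")
        else:
            if not registered and m.command in ("MODE", "JOIN", "PRIVMSG"):
                reasons.append(f"{m.command} sent before USER (registration incomplete)")
            if m.command == "JOIN" and m.params:
                channels.extend(m.params[0].split(","))
            if m.command == "PRIVMSG" and m.params and not (m.trailing or "").strip():
                reasons.append(f"empty PRIVMSG to {m.params[0]} (check-in style)")
    # Assumption: two independent anomalies are enough to call it bot-like.
    return Verdict(len(reasons) >= 2, nick, channels, reasons)


if __name__ == "__main__":
    for label, capture in (("bot", BOT_CAPTURE), ("benign", BENIGN_CAPTURE)):
        v = assess(parse_stream(capture))
        print(label, v.bot_like, v.nick, v.channels)
        for r in v.reasons:
            print("   -", r)
```

Run against the page's capture this reports the nick, the #H1N1 channel and six reasons; the benign session yields none. The same logic works on any client-side IRC capture (a PCAP follow-stream dump or a sandbox network log), since it only looks at command order and shape, not at the specific nick or channel names.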

Other details

* The following port was open in the system:

Port   Protocol   Process
1051   TCP        raidhost.exe (%Windir%\raidhost.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ raidhost = "raidhost.exe"

so that raidhost.exe runs every time Windows starts
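Note that the Run value holds a bare filename, not a path. Windows resolves such a command through the standard executable search order (application directory, current directory, System32, System, the Windows directory, then PATH), and the sample plants raidhost.exe in %Windir%, which is on that list, so the entry works without recording where the file lives. The script below is an added example written for this page, not the report's own tooling: it parses a .reg export of the Run key and flags values whose image is a bare filename. The sample export is constructed, with two ordinary entries added for contrast.

```python
# Added example (not from the original report): triage Run-key entries in a
# .reg export and flag values that name a bare executable with no directory.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample in the format "reg export" writes (shown decoded).
# The raidhost entry is the one from the report; the other two are typical
# benign entries added for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raidhost"="raidhost.exe"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
'''

# .reg files escape backslash and double quote with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                name, data = (unescape(g) for g in m.groups())
                keys[current][name] = data
    return keys


def command_image(data):
    """Extract the executable from a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]  # quoted path, args follow
    return data.split(" ", 1)[0]


def triage_run_entries(keys):
    """Flag Run entries whose image has no directory component."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        image = command_image(data)
        if "\\" not in image and ":" not in image:
            findings.append((name, image, "bare filename, resolved via search path"))
    return findings


if __name__ == "__main__":
    for name, image, why in triage_run_entries(parse_reg(SAMPLE_REG)):
        print(f"{RUN_KEY}\\{name} -> {image}: {why}")
```

On a live host the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, decoded from UTF-16. A flagged entry is not proof of infection on its own, but it is the cue to locate the file on the search path and compare its hash with the indicators further down the report.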

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename         Main Module Size
raidhost.exe   %Windir%\raidhost.exe    356,352 bytes

File System Modifications

* The following files were created in the system:

1. %Windir%\raidhost.exe
   [file and pathname of the sample #1]
   File Size: 46,596 bytes
   MD5: 0xD01C7B0483049A0DC63E28875F6A43CF
   SHA-1: 0x81FD1DC85AF1D8DB4F6398CDD1A90D08CDEA169C
   Alias: Worm:Win32/Hamweq.A [Microsoft]

2. %System%\YoItzVlad.tmp
   File Size: 5 bytes
   MD5: 0xD356C81C0BDF1FE2059EABDA720CA0D4
   SHA-1: 0x6A09BBFD26586342F7A9F19B82EBBE5AAB023E06
   Alias: (not available)
