67.43.226.242 (big ruski botnet)

Remote Host      Port Number
67.43.226.242    8080
67.43.232.37     1863
91.207.7.116     80

USER pmawga pmawga pmawga :ymfiwtkaatzcxdhr
NICK RGqbPVQe
MODE RGqbPVQe +xi
JOIN #las6
USERHOST RGqbPVQe
MODE #m +smntu
MODE #las6 +smntu
NICK gYZaluELE
MODE gYZaluELE +xi
JOIN #rrrrr
USERHOST gYZaluELE
MODE ##xddc +smntu
MODE #xddc1 +smntu
MODE #xddc2 +smntu
MODE #rrrrr +smntu
USER ixaexy ixaexy ixaexy :dpsqkauvusrtzeaz

Other details

* The following ports were open in the system:

Port     Protocol   Process
1052     TCP        spoolsvc.exe (%System%\spoolsvc.exe)
2335     TCP        firewall.exe (%System%\firewall.exe)
37025    TCP        spoolsvc.exe (%System%\spoolsvc.exe)

Registry Modifications

* The newly created Registry Values are:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        Spooler SubSystem App = "%System%\spoolsvc.exe"
            so that spoolsvc.exe runs every time Windows starts
        Windows Network Firewall = "%System%\firewall.exe"
            so that firewall.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name    Process Filename         Main Module Size
spoolsvc.exe    %System%\spoolsvc.exe    131 072 bytes
firewall.exe    %System%\firewall.exe    131 072 bytes

File System Modifications

* The following files were created in the system:

1. %System%\bmzblnso.bat (130 bytes)
   MD5: 0xA0E2BEF2C732BC311B57981099015F4C
   SHA-1: 0x0433C79BD95B79FFE3323CA61A2F6B5270E82A0E
   Alias: (not available)

2. %System%\firewall.exe (138 240 bytes)
   MD5: 0x31AB688B36E7D8E5CE1082FAA95F730E
   SHA-1: 0xF7DAB9248D83084F86DED1CA6F651EAA0ED79C14
   Alias: Trojan-PSW.Banker [PCTools]
          Infostealer.Banker.C [Symantec]
          Backdoor.Win32.Nepoe.po [Kaspersky Lab]
          Mal/Generic-A [Sophos]
          Backdoor:Win32/Poebot.gen [Microsoft]

3. %System%\hvhqsk.bat (128 bytes)
   MD5: 0xAF2C4D094718725E75871AC4ECE463F8
   SHA-1: 0x53CD474C88D645C1E149E5A020F9B1A48920FFFE
   Alias: (not available)

4. %System%\icncde.bat (128 bytes)
   MD5: 0xA2A0A3EB031D7016DBDA3C2501DC89E8
   SHA-1: 0xC039B1B11A550B0CE789621A493E77EC6CBB2A1F
   Alias: Iroffer.bat [McAfee]

5. %System%\prec.bat (126 bytes)
   MD5: 0xDD2797E3CFC39AC7BCB951788B907454
   SHA-1: 0x7AFD9E9833FEEE27C202AC852AFE984229EE28BB
   Alias: Iroffer.bat [McAfee]

6. %System%\spoolsvc.exe (138 752 bytes)
   MD5: 0xD816943EEB29A00CEB54EC7B012DD4F1
   SHA-1: 0x08B5C2049D9CD02BCC00ABC6A8A95263BD43FED6
   Alias: Trojan.IRCBot [PCTools]
          W32.IRCBot [Symantec]
          Backdoor.Win32.Nepoe.po [Kaspersky Lab]
          Mal/Generic-A [Sophos]
          Backdoor:Win32/Poebot.gen [Microsoft]
          Win-Trojan/Malware.138752.D [AhnLab]
