69.16.172.40

Remote Host Port Number
69.16.172.40 7000

NICK marthan
USER roland "" "69.16.172.40" :kendrick
PONG :2613115303
PONG :1661756035
PONG :1971802411

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters
o HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
o HKEY_CURRENT_USER\Software\mIRC
o HKEY_CURRENT_USER\Software\mIRC\Channels
o HKEY_CURRENT_USER\Software\mIRC\License
o HKEY_CURRENT_USER\Software\mIRC\LockOptions
o HKEY_CURRENT_USER\Software\mIRC\%UserName%
o HKEY_CURRENT_USER\Software\WinRAR SFX

* Notes:
o %UserName% is a variable that refers to the current user name.
o The service name "svchost" and the file name "spoolsv.exe" imitate legitimate Windows system processes; the genuine binaries reside in %Windir%\System32, whereas this sample is registered and run from %Windir%\temp\spoolsv, which is the discrepancy a defender should look for.

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
+ (Default) = "ChatFile"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]
+ (Default) = "ChatFile"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]
+ (Default) = "Connect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]
+ (Default) = "svchost"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]
+ (Default) = "Chat File"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]
+ (Default) = "Connect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]
+ (Default) = "svchost"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
+ (Default) = "URL:IRC Protocol"
+ EditFlags = 02 00 00 00
+ URL Protocol = ""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ spoolsv = ""%Windir%\temp\spoolsv\spoolsv.exe""

so that spoolsv.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
+ DisplayName = "mIRC"
+ UninstallString = ""%Windir%\temp\spoolsv\spoolsv.exe" -uninstall"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters]
+ Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
+ AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
+ Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
+ AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USER\Software\mIRC\%UserName%]
+ (Default) = "WhiteHat"
o [HKEY_CURRENT_USER\Software\mIRC\LockOptions]
+ (Default) = "0,4096"
o [HKEY_CURRENT_USER\Software\mIRC\License]
+ (Default) = "5662-546732"
o [HKEY_CURRENT_USER\Software\WinRAR SFX]
+ C%%Windows%temp%spoolsv% = "%Windir%\temp\spoolsv"

Memory Modifications

* There was a new process created in the system:

Process Name | Process Filename | Main Module Size
spoolsv.exe | %Windir%\temp\spoolsv\spoolsv.exe | 1 892 352 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1] 974 824 bytes MD5: 0xE09A47872239D19A803D597DB26BA7BF
SHA-1: 0x363AB6E273C36C7FEDF313655A76CD2070276C29 IRC Trojan [Symantec]
Backdoor.IRC.Zapchast.zwrc, Backdoor.IRC.Zapchast.g, not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
Mal/Zapchas-A [Sophos]
packed with UPX [Kaspersky Lab]
2 %Windir%\Temp\spoolsv\a.reg 1 260 bytes MD5: 0x3A6124B67B70CFC076115D6C03A46555
SHA-1: 0xFF32EA635FBC7E246EDB1EF30FD2146702137200 IRC.Backdoor.Trojan [Symantec]
Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
Reg/IRCSpoolsv [McAfee]
REG_ZAPCHAST.ED [Trend Micro]
Backdoor.IRC.Zapchast [Ikarus]
3 %Windir%\Temp\spoolsv\aliases.ini 71 bytes MD5: 0x8F3C103E48937DDD0EFFAC34E19101E4
SHA-1: 0x058DD77C6E7B16064E3AF54BEFB92B1F56FE4F17 (not available)
4 %Windir%\Temp\spoolsv\com.mrc 16 131 bytes MD5: 0x8BB0E40DB5DE71EAC7CB5243A8CE0597
SHA-1: 0x16B38CB0E4F87A871F715AA4638C8A6D6D43824D IRC Trojan [Symantec]
5 %Windir%\Temp\spoolsv\control.ini 815 bytes MD5: 0x4231ED92D5FE8105DC6C383573BF2F87
SHA-1: 0xCF77D0FAA82FE9F500A2A6D598DCEBD66B7BF97D (not available)
6 %Windir%\Temp\spoolsv\Desktop.ini 77 bytes MD5: 0x624E33C2611C3507D3C8D6663A5BAED6
SHA-1: 0xCDE4B249382CE6A7903DFA1CF8D3F68CA424AB02 (not available)
7 %Windir%\Temp\spoolsv\ident.txt 54 974 bytes MD5: 0x807C70E89735A428AA39BE765F8ED758
SHA-1: 0x019960FAA02B3EBE6475E64785E72B1EB7AC9FB7 IRC.Cloner [Ikarus]
8 %Windir%\Temp\spoolsv\mirc.ico 5 694 bytes MD5: 0xE09AA9787AF5CC53FD7525DD6693CF10
SHA-1: 0x57445D0779A66C61741822C0A7988573EFEE13D7 (not available)
9 %Windir%\Temp\spoolsv\mirc.ini 3 307 bytes MD5: 0x117E970DA91479A8CF20F7589F035695
SHA-1: 0x11369763C22E0CAA073295C3690BAC0296FBB630 Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
Mal/Zapchas-C [Sophos]
10 %Windir%\Temp\spoolsv\popups.txt 2 639 bytes MD5: 0xACCBAA68AFB41C0FAED208B8D8CC7F37
SHA-1: 0x5203AC8199C044A9C17F71AA31D8B4885A36D08E (not available)
11 %Windir%\Temp\spoolsv\remote.ini 53 303 bytes MD5: 0x9D1CF5CE4CDCBDA2E8656A7D98AB8CF0
SHA-1: 0x6A659C130D1740F5C533D83AF19CABB2A90A737B (not available)
12 %Windir%\Temp\spoolsv\run.bat 194 bytes MD5: 0x08FD9592BFA14C19955FC760BE2BB98A
SHA-1: 0x2CDC2FA19727DF675EEE0F8951B0333DBC6F4B81 Backdoor.IRC.Flood [Symantec]
Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]
Generic component [McAfee]
Backdoor.IRC.Zapchast [Ikarus]
13 %Windir%\Temp\spoolsv\servers.ini 1 267 bytes MD5: 0x0AB755388388D6EA1EC086D5341725C3
SHA-1: 0x21EB1B27856D984F07213CA8E310179342480BA7 (not available)
14 %Windir%\Temp\spoolsv\spoolsv.exe 1 790 464 bytes MD5: 0xB766003F431CAD186BD115F5761592D1
SHA-1: 0x33CDFE6F7FA6B321F9A51CC051C32BA924164B10 not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
IRC/Client [McAfee]
not-a-virus:Client-IRC.Win32.mIRC [Ikarus]
Win-Trojan/MircPack.1790464 [AhnLab]
15 %Windir%\Temp\spoolsv\users.ini 130 bytes MD5: 0xB6A973E14A074D8BC79D7254E2893FC9
SHA-1: 0xBB428D77178B3DDB9194B4E73FCD1BB0EDE6F0A8 (not available)
16 %Windir%\Temp\spoolsv\xmas.jpg 264 957 bytes MD5: 0x6C43EC85F11F7F75D936B5DC24C22C68
SHA-1: 0x8E0696A3817ADE6DFB8449234051122D777E6878 (not available)
