Remote Host Port Number
193.242.108.49 80
216.45.58.150 80
64.120.11.167 5900
* The data identified by the following URLs was then requested from the remote web server:
o http://193.242.108.49/Dialer_Min/number.asp
o http://www.sitepalace.com/w0rmreaper/NoVaC.jpeg
NICK VirUs-jbqiiweh
USER VirUs “” “bud” :
8Coded
8VirUs..
JOIN #THeRaNdOm1# Virus
PRIVMSG #THeRaNdOm1# :Success.
PONG :DarkSons.Virus.Gov
PASS Virus
Registry Modifications
* The following Registry Key was created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{67KLN5J0-4OPM-61WE-KKX2-457QWE23218}
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{67KLN5J0-4OPM-61WE-KKX2-457QWE23218}]
+ StubPath = “c:ACC1F1C1acc1.exe”
so that acc1.exe runs every time Windows starts
* The following directories were created:
o c:ACC1
o c:ACC1F1C1
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 c:ACC1F1C1acc1.exe
[file and pathname of the sample #1] 50 177 bytes MD5: 0x4217EFFAE2A71DCA3746FA7FC90C04E5
SHA-1: 0x2785F559E1DA0B56B0BFD323BF914941D0CB2D2C Mal/Generic-A [Sophos]
Worm:Win32/Hamweq.A [Microsoft]
Worm.Win32.Hamweq [Ikarus]
2 c:ACC1F1C1DesKTop.ini 62 bytes MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514 (not available)
3 %UserProfile%update.exe 65 580 bytes MD5: 0xF11D9F2B8D4CE8DC862A53550EC83BDB
SHA-1: 0xFF184F8E9581A037AE256AFA30A1882AAA1CAC5F VirTool:Win32/VBInject.DD [Microsoft]