fatalz.net

Remote Host      Port Number
200.74.240.149   80
94.23.121.227    7000

* The data identified by the following URL was then requested from the remote web server:
o http://facebook.freephphosting.biz/illusion/?act=online&s4=25580&s5=0&nickname=Q29tcHV0ZXJOYW1lWzExNDcwM10=

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\NameSpace
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTNDIS
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTNDIS\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ntndis
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ntndis\Security

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\NameSpace]
+ ftpd_port = 0x00000015
+ socks4_state = 0x00000001
+ socks4_port = 0x000063EC
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTNDIS\0000]
+ Service = “ntndis”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “ntndis”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTNDIS]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ntndis\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ntndis]
+ Type = 0x00000001
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = “%System%\drivers\ntndis.sys”
+ DisplayName = “ntndis”

File System Modifications

* The following files were created in the system:

o #1: %System%\drivers\ntndis.exe [file and pathname of the sample #1]
+ File Size: 77,824 bytes
+ File Hash: MD5: 0xAC7A90AC2688A380E1084C9C333A1B7F; SHA-1: 0xC3224353CEA1A0F2FDAB7CCBCD3D3ED85031EDA3
+ Alias: Worm.Sdbot.ETU [PCTools]; Backdoor.Lusillon [Symantec]; Backdoor.Win32.IRCBot.auf [Kaspersky Lab]; New Malware.b [McAfee]; Mal/Behav-104, Mal/Behav-010, Mal/Basine-C [Sophos]; Backdoor:Win32/Sdbot [Microsoft]; Win32/IRCBot.worm.Gen [AhnLab]
o #2: %System%\drivers\ntndis.sys
+ File Size: 4,864 bytes
+ File Hash: MD5: 0x6B5FE575A6BF660767864A8A1B2B94CE; SHA-1: 0x5B2A95EA4EFD7B4F46EBDC586451F05B1BB6800D
+ Alias: Backdoor.Sdbot.AGP [PCTools]; Hacktool.Rootkit [Symantec]; Backdoor.Win32.SdBot.aqp [Kaspersky Lab]; W32/Sdbot.worm [McAfee]; Troj/RKProc-F [Sophos]; VirTool:WinNT/Rootkitdrv.AA [Microsoft]; Win32/IRCBot.worm.variant [AhnLab]
