gs.unicatz.com

By Pig, December 25, 2009

Remote Host Port Number
gs.unicatz.com 2010

00000000 | 4E49 434B 2058 505C 4E73 6533 5C0A 5553 | NICK XPNse3.US
00000010 | 4552 206C 614D 6572 2022 2220 2267 732E | ER laMer “” “gs.
00000020 | 756E 6963 6174 7A2E 636F 6D22 203A 0334 | unicatz.com” :.4
00000030 | B703 6CE0 0334 024D 0203 E972 0334 B720 | ..l..4.M…r.4.
00000040 | 596F 7520 5468 696E 6B20 691F B01F 6D20 | You Think i…m
00000050 | 024E 0261 7567 6874 7920 038B 1F21 1F9B | .N.aughty …!..
00000060 | 0A55 5345 5248 4F53 5420 6E69 636B 0A50 | .USERHOST nick.P
00000070 | 4152 5420 6368 616E 6E65 6C0A 5041 5254 | ART channel.PART
00000080 | 2063 6861 6E6E 656C 0A50 4152 5420 6368 | channel.PART ch
00000090 | 616E 6E65 6C0A | annel.

# here was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:

* %System%dllcacheWinter.pif

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallmIRC
o HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft Agent
o HKEY_CURRENT_USERSoftwaremIRC
o HKEY_CURRENT_USERSoftwaremIRCDateUsed

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ WinXPService = “%System%dllcacheWinter.pif”

so that Winter.pif runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallmIRC]
+ DisplayName = “mIRC”
+ UninstallString = “”%System%dllcacheWinter.pif” -uninstall”
o [HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USERSoftwaremIRCDateUsed]
+ (Default) = “1261778683”

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
Winter.pif %System%dllcachewinter.pif 1 679 360 bytes
[filename of the sample #1] [file and pathname of the sample #1] 319 488 bytes

* The following directories were created:
o %System%dllcachelogs
o %System%dllcachesounds

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %System%dllcachedev2si.zip 12 512 bytes MD5: 0xAF1FBB7661BC09A7B906B60A5F16AF1A
SHA-1: 0x5C28AD5089762B83A27E5858196FB6000A503E8D Backdoor.IRC.Agent.q [Kaspersky Lab]
2 %System%dllcachedr67rf.zip 3 416 bytes MD5: 0x0988087B23F3D160BE8ACD8DA8A9DB9A
SHA-1: 0xBA1DD56646D0E54FAA6100135A652C889C502683 (not available)
3 %System%dllcacheei7g.msp 67 bytes MD5: 0xCB6105987640C924FE5D3D45E0A3498D
SHA-1: 0x3D4D2EBD70589A9AA61399F3CF8FA0CD2FC8B7D3 (not available)
4 %System%dllcachek25.reg 140 bytes MD5: 0x5C00611205E39B78A23D855BF0C00F58
SHA-1: 0xC756E3389627809EBDB01D0C9F435822EB2AEA97 (not available)
5 %System%dllcachel3ik7.zip 17 074 bytes MD5: 0xB1B803258C43CA239FB9CF50C5726B28
SHA-1: 0xB5D1AB8D9CDAC8CC570DBC394A57C728896C7ABB Hacktool.Flooder [PCTools]
Hacktool.Flooder [Symantec]
Backdoor.IRC.Agent.q [Kaspersky Lab]
6 %System%dllcacheo1o2o3o4 4 093 bytes MD5: 0xD79A98B432EA10CAED88E388C4C36E97
SHA-1: 0x3B117D79F1DA39F9B3932FD5FB7B6B8CC8D3B387 (not available)
7 %System%dllcachesi3sj9.dll 40 960 bytes MD5: 0xA85A6F809B5500ADF9F163F60CBD9B25
SHA-1: 0x9B81D20E5FFBF9BAE4BB95595579B29A282DAB0F Backdoor.IRC.Flood [PCTools]
Hacktool.Flooder [Symantec]
IRC/Flood.tool [McAfee]
Troj/Flood-I [Sophos]
Trojan:Win32/Flood.L [Microsoft]
Win-Trojan/Flooder.45056.B [AhnLab]
8 %System%dllcachevcr32.zip 21 100 bytes MD5: 0xFA5F4F2FEB0136838392597A6949656F
SHA-1: 0x2EE794D1130AE97762E4D83CE3C38138C57F4CC6 (not available)
9 %System%dllcacheWinter.pif 574 464 bytes MD5: 0xB3027DFFA9BBAC7E1999223CF737200B
SHA-1: 0x04F7BE390D135405B5D1925B205C0C871301B522 Backdoor.IRC.Flood [PCTools]
W32.IRCBot [Symantec]
not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
TROJ_BOTIRC.A [Trend Micro]
Troj/Multidr-FT [Sophos]
Backdoor:Win32/IRCbot [Microsoft]
Win-Trojan/MircPack.574464 [AhnLab]
packed with UPX [Kaspersky Lab]
10 [file and pathname of the sample #1] 890 383 bytes MD5: 0x74486B93F0583EFF04A3D3976238F49B
SHA-1: 0x6D789E65010CD8084A85C19953AFAF022811C34F Backdoor.IRC.Agent.q, not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
W32/Spybot.worm!cq [McAfee]
Mal/Generic-A [Sophos]
Backdoor:Win32/IRCbot [Microsoft]

Categories: Uncategorized