irc.priv8net.com

Remote Host     Port Number
208.98.57.48    2201

NICK rpvlut
USER vafssj "" "kgq" :vafssj
PONG :FDFA11A9
JOIN #unf mks
PONG :irc.priv8net.com

PASS MSMS

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
+ StubPath = "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iseL2.exe"

so that iseL2.exe runs every time Windows starts

* The following directory was created:
o c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013

File System Modifications

* The following files were created in the system:

1 Filename(s): c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
  File Size: 62 bytes
  File Hash: MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
             SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514
  Alias: (not available)

2 Filename(s): c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iseL2.exe
               [file and pathname of the sample #1]
  File Size: 19 456 bytes
  File Hash: MD5: 0x016786F9AC759EEF17B256CB55036B67
             SHA-1: 0x42AE1E0630DB47FD48C96BDA0D2C90C2A6E5A6F4
  Alias: W32.Ircbrute [Symantec]
         IRC-Worm.Win32.Small.bt [Kaspersky Lab]
         Mal/Generic-A [Sophos]
         Worm:Win32/Hamweq.A [Microsoft]
         Win32/Xema.worm.19456.W [AhnLab]
