irc.seslichat5.com – Inside Your Botnet

Remote Host Port Number
irc.seslichat5.com 6664

Other details

* To mark the presence in the system, the following Mutex object was created:
o dang

* The following port was open in the system:

Port Protocol Process
113 TCP xnwdj.exe (%System%xnwdj.exe)

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows Layer = “vpaqe.exe”

so that vpaqe.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices]
+ Windows Layer = “vpaqe.exe”

so that vpaqe.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Windows Layer = “vpaqe.exe”

so that vpaqe.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
xnwdj.exe %System%xnwdj.exe 1 101 824 bytes
vpaqe.exe %System%vpaqe.exe 1 101 824 bytes
[filename of the sample #1] [file and pathname of the sample #1] 1 101 824 bytes

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1]
%System%vpaqe.exe
%System%xnwdj.exe 437 289 bytes MD5: 0x61A7B9D33B5389EFFC23C6473D2B26B7
SHA-1: 0xEB8B1811757E75845C427CA57D175ADCE200365A Net-Worm.Spybot [PCTools]
W32.Spybot.Worm [Symantec]
Backdoor.Win32.Rbot.djt [Kaspersky Lab]
New Malware.b [McAfee]
WORM_RBOT.GEN-1 [Trend Micro]
W32/Rbot-Fam, W32/Rbot-Gen [Sophos]
Backdoor:Win32/Rbot.gen [Microsoft]
Win32/IRCBot.worm.Gen [AhnLab]