irc.shkumbimi.net(JimyGJ albanian lamer botnet)

By Pig, December 20, 2009

irc.shkumbimi.net DNS_TYPE_A 122.183.243.48 1

122.183.243.48:12351
Nick: `iuxauoe
Username: `iuxauoe
Joined Channel: #.serve with Password kr
Channel Topic for Channel #.serve: “`adv.start lsass 100 5 0 -r -b -s |`sniff.on -s |`adv.start lsass 75 5 0 114.51.x.x -r -s”

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices
o HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce
o HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ windows updatess = “winavs.exe”

so that winavs.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce]
+ windows updatess = “winavs.exe”

so that winavs.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices]
+ windows updatess = “winavs.exe”

so that winavs.exe runs every time Windows starts
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
+ windows updatess = “winavs.exe”

so that winavs.exe runs every time Windows starts
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRunOnce]
+ windows updatess = “winavs.exe”

so that winavs.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ windows updatess = “winavs.exe”

so that winavs.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce]
+ windows updatess = “winavs.exe”

so that winavs.exe runs every time Windows starts

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlServiceCurrent]
+ (Default) =

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
winavs.exe %System%winavs.exe 873 290 bytes
[filename of the sample #1] [file and pathname of the sample #1] 873 290 bytes

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1]
%System%winavs.exe 87 882 bytes MD5: 0x2263BE89A81DD416A97EE00B49368BDB
SHA-1: 0xE82FB1BCB4164C9AA53B4E4793A92C22907E4828 Backdoor.Graybird [PCTools]
Backdoor.Graybird [Symantec]
Net-Worm.Win32.Kolab.epf [Kaspersky Lab]
Mal/Krap-D [Sophos]
Net-Worm.Win32.Kolab [Ikarus]

Categories: Uncategorized