PASS cih4n1313
NICK USA|XP|SP2|00|0059
USER ivchk 0 0 :..4CodeD .8By …1zerX.-…Virus.
USERHOST USA|XP|SP2|00|0059
MODE USA|XP|SP2|00|0059 -x+i
JOIN #Botistan cih4n1313
NOTICE USA|XP|SP2|00|0059 :.VERSION mIRC v6.21 Khaled Mardam-Bey.
PRIVMSG #Botistan :.8,1-VrX- Bot ID: 915860.
PRIVMSG #Botistan :.8,1-VrX- Uptime: 0d 0h 2m.
PRIVMSG #Botistan :-.4.procs..- Failed to terminate process: PROCESS_NAME_TO_TERMINATE
The following port was open in the system:
Port    Protocol    Process
1041    TCP         zjeecr.exe (%System%\zjeecr.exe)
Other details
To mark the presence in the system, the following Mutex object was created:
915860
Registry Modifications
The following Registry Key was created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Windows Service Agent = “zjeecr.exe”
so that zjeecr.exe runs every time Windows starts.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Windows Service Agent = “zjeecr.exe”
so that zjeecr.exe runs every time Windows starts.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Windows Service Agent = “zjeecr.exe”
so that zjeecr.exe runs every time Windows starts.
Memory Modifications
There were new processes created in the system:
Process Name                   Process Filename                        Main Module Size
zjeecr.exe                     %System%\zjeecr.exe                     778,240 bytes
[filename of the sample #1]    [file and pathname of the sample #1]    778,240 bytes