j00000000.inluver.com

Remote Host Port Number
j00000000.inluver.com 47221

00000000 | 5041 5353 206C 6574 6D65 696E 0D0A 4E49 | PASS letmein..NI
00000010 | 434B 205B 4E30 305F 5553 415F 5850 5F39 | CK [N00_USA_XP_9
00000020 | 3832 3839 3536 5D18 E740 0D0A 5553 4552 | 828956]..@..USER
00000030 | 2053 5032 2D36 3935 202A 2030 203A 434F | SP2-695 * 0 :CO
00000040 | 4D50 5554 4552 4E41 4D45 0D0A | MPUTERNAME..

Other details

* To mark the presence in the system, the following Mutex objects were created:
o Global�zm�����4�??amz�?�m
o jftx81iciiibat

* The following ports were open in the system:

Port  Protocol  Process
1034  TCP       jjdrive32.exe (%Windir%\jjdrive32.exe)
1035  TCP       jjdrive32.exe (%Windir%\jjdrive32.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Update Setup = "%Windir%\jjdrive32.exe"
so that jjdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Update Setup = "%Windir%\jjdrive32.exe"
so that jjdrive32.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name                  Process Filename                        Main Module Size
jjdrive32.exe                 %Windir%\jjdrive32.exe                  339 968 bytes
[filename of the sample #1]   [file and pathname of the sample #1]    339 968 bytes

File System Modifications

* The following file was created in the system:

#  Filename(s)                             File Size      File Hash                                         Alias
1  %Windir%\jjdrive32.exe                  180 224 bytes  MD5: 0x6A1B83A05BE0795313F609DCE7B483A0           Win32.Polipos.A [PCTools]
   [file and pathname of the sample #1]                   SHA-1: 0x8F22CC09243577C6B584332F8F184917A71A7447  W32.Polip [Symantec]
                                                                                                            P2P-Worm.Win32.Polip.a [Kaspersky Lab]
                                                                                                            W32/Polip [McAfee]
                                                                                                            PE_POLIP.A [Trend Micro]
                                                                                                            W32/Polipos-A [Sophos]
                                                                                                            Virus:Win32/Polip.A [Microsoft]
                                                                                                            Trojan.Win32.Buzus [Ikarus]
                                                                                                            Win32/Polip [AhnLab]

* The following files were modified:
o %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn1.exe
o %ProgramFiles%\Internet Explorer\Connection Wizard\icwconn2.exe
o %ProgramFiles%\Windows Media Player\wmplayer.exe
o %ProgramFiles%\Windows NT\Pinball\PINBALL.EXE
