rohypnol.bounceme.net

rohypnol.bounceme.net:6667
PASS pass8900
NICK n-870346
USER ecdsdhrp 0 0 :n-870346
USERHOST n-870346
MODE n-870346 -x+B
JOIN #channel pass8900
NOTICE n-870346 :.VERSION mIRC v6.14 Khaled Mardam-Bey.
PRIVMSG #channel :[MAIN]: Status: Ready. Bot Uptime: 0d 0h 0m.
PRIVMSG #channel :[MAIN]: Bot ID: Tr0gBot.
PRIVMSG #channel :[Scn]: Exploit Statistics: NetBios: 0, NTPass: 0, Dcom135: 0, Dcom1025: 0, Dcom2: 0, MSSQL: 0, lsass: 0, Total: 0 in 0d 0h 0m.
PRIVMSG #channel :[MAIN]: Uptime: 0d 0h 1m.
PRIVMSG #channel :[PROC]: Failed to terminate process: PROCESS_NAME_TO_TERMINATE
PRIVMSG #channel :[HTTPD]: Server listening on IP: 127.0.0.1:81, Directory: .
PRIVMSG #channel :[DDoS]: Done with flood (0KB/sec).
PRIVMSG #channel :[DDoS]: Flooding: (127.0.0.2:1234) for 50 seconds.
PRIVMSG #channel :[SYN]: Done with flood (0KB/sec).
PRIVMSG #channel :[SYN]: Flooding: (127.0.0.2:1234) for 50 seconds.
PRIVMSG #channel :[SCAN]: Random Port Scan started on 127.0.x.x:445 with a delay of 5 seconds for 0 minutes using 10 threads.
PRIVMSG #channel :[SCAN]: Random Port Scan started on 127.0.x.x:139 with a delay of 5 seconds for 0 minutes using 10 threads.
PRIVMSG #channel :[SCAN]: Failed to start scan, port is invalid.
NICK n-602742
USER bfkxktf 0 0 :n-602742
USERHOST n-602742
MODE n-602742 -x+B
NICK n-070290
USER boezavx 0 0 :n-070290
USERHOST n-070290
MODE n-070290 -x+B
NICK n-857474
USER nzrcfbsc 0 0 :n-857474
USERHOST n-857474
MODE n-857474 -x+B
NICK n-078565
USER tylslb 0 0 :n-078565
USERHOST n-078565
MODE n-078565 -x+B

Registry Modifications

* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Update Machine = “ghqnjd.exe”

    so that ghqnjd.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    + Microsoft Update Machine = “ghqnjd.exe”

    so that ghqnjd.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Update Machine = “ghqnjd.exe”

    so that ghqnjd.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name      Process Filename          Main Module Size
nkqugi.exe        %System%\nkqugi.exe       520 192 bytes
ghqnjd.exe        %System%\ghqnjd.exe       520 192 bytes
CryptedFile.exe   %Temp%\CryptedFile.exe    520 192 bytes

File System Modifications

* The following files were created in the system:

# 1
  Filename(s): %System%\ghqnjd.exe
               %System%\nkqugi.exe
  File Size:   327 264 bytes
  File Hash:   MD5: 0x903EBED080B33D24A19C5010F36E6CDA
               SHA-1: 0xF1150DC18651361D66C5AF941AC79332D39E179F
  Alias:       Worm.RBot.Gen.10 [PCTools]
               W32.Spybot.Worm [Symantec]
               Backdoor.Win32.Rbot.aea [Kaspersky Lab]
               W32/Sdbot.worm.gen.g [McAfee]
               WORM_SPYBOT.GEN [Trend Micro]
               W32/Rbot-Fam, W32/Rbot-Gen [Sophos]
               Backdoor:Win32/Rbot.gen [Microsoft]
               Win32/IRCBot.worm.Gen [AhnLab]

# 2
  Filename(s): [file and pathname of the sample #1]
  File Size:   344 184 bytes
  File Hash:   MD5: 0xC1A5CF538939BAD4C723F8999C2836E5
               SHA-1: 0x74DB499F534A5C4D6D7B81DFCA11BC81205ECDA6
  Alias:       (not available)