Server : FBI.GoV [Crew]

Remote Host      Port Number
82.146.52.236    6667

MODE [solo][USA|XP|LAN|71546] -ix
JOIN #nes# usb
PONG FBI.GoV

* The following port was open in the system:

Port    Protocol    Process
1050    TCP         winsvc32.exe (%Windir%\winsvc32.exe)

Registry Modifications

* The newly created Registry Value is:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + winsvc32 = "winsvc32.exe"

so that winsvc32.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name    Process Filename         Main Module Size
winsvc32.exe    %Windir%\winsvc32.exe    360 448 bytes

File System Modifications

* The following file was created in the system:

#            1
Filename(s)  [file and pathname of the sample #1]
             %Windir%\winsvc32.exe
File Size    147 456 bytes
File Hash    MD5: 0x06EAEBA7E1D343F14EB528A60BC8AECB
             SHA-1: 0xC7FFF55B39E48CA040C008B9EE78811E36689A15
Alias        Trojan Horse [Symantec]
             Worm.Win32.Carrier.hq [Kaspersky Lab]
             Mal/Generic-A [Sophos]
             VirTool:Win32/VBInject.gen!CE [Microsoft]
             Win32/Carrier.worm.147456.C [AhnLab]
