Remote Host       Port Number
72.184.197.176    6667

NICK XP|00|USA|SP2|7921
USER aqxt 0 0 :XP|00|USA|SP2|7921
USERHOST XP|00|USA|SP2|7921
MODE XP|00|USA|SP2|7921 +x+iB
JOIN #ecko
PONG :FederalBereauofInvestigation
Other details
 * The following ports were open in the system:

   Port   Protocol   Process
   113    TCP        msconfig.exe (%System%\msconfig.exe)
   1052   TCP        msconfig.exe (%System%\msconfig.exe)
Registry Modifications
 * The following Registry Keys were created:
   o [pathname with a string SHARE]\MSConfig
   o [pathname with a string SHARE]\services
   o [pathname with a string SHARE]\startupfolder
   o [pathname with a string SHARE]\startupreg
   o [pathname with a string SHARE]\state
   o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   o HKEY_CURRENT_USER\Software\Microsoft\OLE
 * The newly created Registry Values are:
   o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
     + EnableRemoteConnect = "N"
   o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     + DRam prosessor = "msconfig.exe"
       so that msconfig.exe runs every time Windows starts
   o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
     + DRam prosessor = "msconfig.exe"
       so that msconfig.exe runs every time Windows starts
   o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
     + MaxConnectionsPer1_0Server = 0x00000050
     + MaxConnectionsPerServer = 0x00000050
   o [HKEY_CURRENT_USER\Software\Microsoft\OLE]
     + DRam prosessor = "msconfig.exe"
 * The following Registry Values were modified:
   o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
     + EnableDCOM =
   o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
     + restrictanonymous =
   o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
     + restrictanonymous =
Memory Modifications
 * There was a new process created in the system:

   Process Name   Process Filename         Main Module Size
   msconfig.exe   %System%\msconfig.exe    1 179 648 bytes
File System Modifications
 * The following files were created in the system:

   1. %Windir%\pss\system.ini.backup (231 bytes)
      MD5: 0xB143A6852C9EF93E0BDECB02F524F9F2
      SHA-1: 0x83C15BD58DFF36C08DB093F81ECFD431C404A933
      Alias: (not available)

   2. %Windir%\pss\win.ini.backup (477 bytes)
      MD5: 0x8715347D6B7B2E3A7CFE5ADF2D510CE3
      SHA-1: 0x36C55AE9BD5F13E601A9C2FCB79B3237032D4AA7
      Alias: (not available)

   3. %System%\msconfig.exe (261 632 bytes)
      MD5: 0x26BF016FA1C4AE5B30CBE59928B1C740
      SHA-1: 0x68388C00EEBDB69837B0CB6844BE8A663B8456E6
      Alias:
        Net-Worm.Randex [PCTools]
        W32.Randex.gen [Symantec]
        Backdoor.Win32.Rbot.gen [Kaspersky Lab]
        W32/Sdbot.worm.gen.g [McAfee]
        WORM_RBOT.GEN-1 [Trend Micro]
        W32/Rbot-Fam, W32/Rbot-Gen [Sophos]
        Backdoor:Win32/Rbot.gen [Microsoft]
        Win32/IRCBot.worm.Gen [AhnLab]

   4. [file and pathname of the sample #1] (501 288 bytes)
      MD5: 0x960C035EA8B60C13C012F0BFBB17914D
      SHA-1: 0x696D106B16E2BDA9E17DE1AE8F826DB867B843C8
      Alias: (not available)

   5. %System%\wbem\Performance\WmiApRpl_new.ini (2 bytes)
      MD5: 0xC4103F122D27677C9DB144CAE1394A66
      SHA-1: 0x1489F923C4DCA729178B3E3233458550D8DDDF29
      Alias: (not available)