217.148.32.202

Remote Host | Port Number
217.148.32.202 | 27034

MODE #!!hh!!# +ix
NICK [00|USA|814587]
USER XP-7283 * 0 :COMPUTERNAME
MODE [00|USA|814587] +ix
JOIN #!!hh!!# sextsex

PASS sextsex

* The following port was open in the system:

Port | Protocol | Process
1054 | TCP | wwwwwww.exe.exe (%Windir%\wwwwwww.exe.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Java Update = "wwwwwww.exe.exe"

so that wwwwwww.exe.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name | Process Filename | Main Module Size
wwwwwww.exe.exe | %Windir%\wwwwwww.exe.exe | 311 296 bytes
b0y.exe | %Temp%\IXP000.TMP\b0y.exe | 311 296 bytes

File System Modifications

* The following files were created in the system:

# | Filename(s) | File Size | File Hash | Alias
1 | %Temp%\IXP000.TMP\b0y.exe, %Windir%\wwwwwww.exe.exe | 52 831 bytes | MD5: 0x281EFF608854D1F6279EEB250EFD687C, SHA-1: 0x0EE3170C19888C8C5F0F5EEA5FF4B9B2C79C3040 | packed with PE_Patch [Kaspersky Lab]
2 | [file and pathname of the sample #1] | 100 352 bytes | MD5: 0x21970426051514B1607F5E2EAC82BFBD, SHA-1: 0x2EF976CE987D72A70690CE10255015F1E97BEC48 | (not available)
