Remote Host Port Number
92.243.19.221 16667
NICK [USA]XP-SP2[00]1154
USER qhvb 0 0 :
JOIN #l# lam 2k bots inside
USERHOST [USA]XP-SP2[00]1154
MODE [USA]XP-SP2[00]1154 -x+i
PONG :MBoY.Org
Invisible Users: 6556
Channels: 19 channels formed
Clients: I have 6557 clients and 0 servers
Local users: Current Local Users: 6557 Max: 13429
Global users: Current Global Users: 6557 Max: 10398
* The following ports were open in the system:
Port Protocol Process
69 UDP npyormm.exe (%System%npyormm.exe)
1052 TCP npyormm.exe (%System%npyormm.exe)
1542 TCP npyormm.exe (%System%npyormm.exe)
1543 TCP npyormm.exe (%System%npyormm.exe)
1544 TCP npyormm.exe (%System%npyormm.exe)
1545 TCP npyormm.exe (%System%npyormm.exe)
1546 TCP npyormm.exe (%System%npyormm.exe)
1547 TCP npyormm.exe (%System%npyormm.exe)
1548 TCP npyormm.exe (%System%npyormm.exe)
1549 TCP npyormm.exe (%System%npyormm.exe)
1550 TCP npyormm.exe (%System%npyormm.exe)
1551 TCP npyormm.exe (%System%npyormm.exe)
1552 TCP npyormm.exe (%System%npyormm.exe)
1553 TCP npyormm.exe (%System%npyormm.exe)
1554 TCP npyormm.exe (%System%npyormm.exe)
1555 TCP npyormm.exe (%System%npyormm.exe)
1556 TCP npyormm.exe (%System%npyormm.exe)
1557 TCP npyormm.exe (%System%npyormm.exe)
1558 TCP npyormm.exe (%System%npyormm.exe)
1559 TCP npyormm.exe (%System%npyormm.exe)
1560 TCP npyormm.exe (%System%npyormm.exe)
1561 TCP npyormm.exe (%System%npyormm.exe)
1562 TCP npyormm.exe (%System%npyormm.exe)
1563 TCP npyormm.exe (%System%npyormm.exe)
21680 TCP npyormm.exe (%System%npyormm.exe)
Registry Modifications
* The following Registry Key was created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Microsoft System Service = “npyormm.exe”
so that npyormm.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices]
+ Microsoft System Service = “npyormm.exe”
so that npyormm.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Microsoft System Service = “npyormm.exe”
so that npyormm.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
npyormm.exe %System%npyormm.exe 749 568 bytes
File System Modifications
* The following file was created in the system:
# Filename(s) File Size File Hash Alias
1 %System%npyormm.exe
[file and pathname of the sample #1] 124 416 bytes MD5: 0xD62F7469F528CF487E9A61430067639A
SHA-1: 0x06F5821068CB9A601E142138B23F2BEA80BC2210 Net-Worm.Spybot [PCTools]
W32.Spybot.Worm [Symantec]
Backdoor.Win32.Rbot.gen [Kaspersky Lab]
Exploit-DcomRpc.gen [McAfee]
WORM_RBOT.GEN-1 [Trend Micro]
W32/Rbot-Fam [Sophos]
Backdoor:Win32/Rbot.gen [Microsoft]
Win32/IRCBot.worm.Gen [AhnLab]