95.154.216.63

By Pig, January 26, 2010

Remote Host Port Number
95.154.216.63 3211

NICK XP5e7Y3
USER Mazyon_1z7 “” “” :
14Don`t
14Abuse
14Power
JOIN #g xpass
MODE #G
PRIVMSG XP5e7Y3 :
PING 1264507340

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREClasses.cha
o HKEY_LOCAL_MACHINESOFTWAREClasses.chat
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFile
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileDefaultIcon
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShell
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopen
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopencommand
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexec
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecApplication
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecifexec
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecTopic
o HKEY_LOCAL_MACHINESOFTWAREClassesirc
o HKEY_LOCAL_MACHINESOFTWAREClassesircDefaultIcon
o HKEY_LOCAL_MACHINESOFTWAREClassesircShell
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopen
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopencommand
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexec
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecApplication
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecifexec
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecTopic
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallmIRC
o HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft Agent
o HKEY_CURRENT_USERSoftwaremIRC
o HKEY_CURRENT_USERSoftwaremIRCDateUsed

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREClasses.cha]
+ (Default) = “ChatFile”
o [HKEY_LOCAL_MACHINESOFTWAREClasses.chat]
+ (Default) = “ChatFile”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecTopic]
+ (Default) = “Connect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecifexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecApplication]
+ (Default) = “m1RC”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopencommand]
+ (Default) = “”%Temp%gsf2winup.exe””
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileDefaultIcon]
+ (Default) = “”%Temp%gsf2winup.exe””
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFile]
+ (Default) = “Chat File”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecTopic]
+ (Default) = “Connect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecifexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecApplication]
+ (Default) = “m1RC”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopencommand]
+ (Default) = “”%Temp%gsf2winup.exe””
o [HKEY_LOCAL_MACHINESOFTWAREClassesircDefaultIcon]
+ (Default) = “”%Temp%gsf2winup.exe””
o [HKEY_LOCAL_MACHINESOFTWAREClassesirc]
+ (Default) = “URL:IRC Protocol”
+ EditFlags = 02 00 00 00
+ URL Protocol = “”
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ WinXPService = “%Temp%gsf2winup.exe”

so that winup.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallmIRC]
+ DisplayName = “mIRC”
+ UninstallString = “”%Temp%gsf2winup.exe” -uninstall”
o [HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USERSoftwaremIRCDateUsed]
+ (Default) = “1264507268”

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 90 112 bytes

* The following directories were created:
o %Temp%gsf2
o %Temp%gsf2download

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Temp%GS1.tmp 45 568 bytes MD5: 0x7D46EA623EBA5073B7E3A2834FE58CC9
SHA-1: 0x29AD585CDF812C92A7F07AB2E124A0D2721FE727 Win-Trojan/Zapchast.45568 [AhnLab]
packed with ASPack [Kaspersky Lab]
2 %Temp%gsf2Beclickz.dll 10 240 bytes MD5: 0x8381B6F4FCDC6E53E1C7F48F57E7A097
SHA-1: 0x25E6A76640E7ABA1844E83501CDB6FD59480775D Virtool.Flood.A [PCTools]
IRC/Flood.tool [McAfee]
Backdoor:IRC/Mircflood.B [Microsoft]
IRC.Flood [Ikarus]
3 %Temp%gsf2g11.reg 172 bytes MD5: 0xC9C6D9147FABB880A4A2877EC6BE12C8
SHA-1: 0x2960FE5DAF13D0F9D2F4802065AC537CE20C2DE7 (not available)
4 %Temp%gsf2hd.exe 143 360 bytes MD5: 0xAF9F7D7AF3E2FF4101CC9E8DD0F9383D
SHA-1: 0xEA1FEED229AFEF1C0850A19865144AB59785481D Hacktool.HideWindow [PCTools]
Hacktool.HideWindow [Symantec]
not-a-virus:RiskTool.Win32.HideWindows [Kaspersky Lab]
HideWindow!c [McAfee]
Mal/Packer [Sophos]
packed with Molebox [Kaspersky Lab]
5 %Temp%gsf2imds.hlp 36 814 bytes MD5: 0x7DB39BA5BB20D9BD0AEEE511C9FF7181
SHA-1: 0x18F1310397BFFBE067415AF85A2A755467A7AF64 Troj/Zapchas-EJ [Sophos]
6 %Temp%gsf2ionfgs.hlp 33 425 bytes MD5: 0x120EDE4562207137FC3E70C46699DC07
SHA-1: 0x0047DD48D457A73F807EFCE309E1FBD82F49B3B7 Backdoor.IRC.Cloner [Ikarus]
7 %Temp%gsf2irsss.hlp 33 851 bytes MD5: 0x487A0D2AD5CD447DDD5814546F42A08E
SHA-1: 0x4F4B09F0B33BD711E992EC6CB2F7E6E3293F8B04 Troj/Zapchas-EJ [Sophos]
8 %Temp%gsf2mirc.ini 12 093 bytes MD5: 0xB8A045446A182FB22A9B09D479498EBA
SHA-1: 0x2ADE9DBE00AC9E85805953ACAAB78A61FFA4A3E7 IRC/Flood.gen.b [McAfee]
9 %Temp%gsf2odcb.ini 11 947 bytes MD5: 0x033848B3CDD769B877111D14EB725A7E
SHA-1: 0xA8384822E91A872998568CEBFDE988CF19609BAC Spyware.Perfect [PCTools]
Spyware.Perfect [Symantec]
mIRC/Xema [AhnLab]
10 %Temp%gsf2Refix.ocx 3 984 bytes MD5: 0xFB9E66F8361998435B8C6CDD41EC2F86
SHA-1: 0x120E4B1E28E7D2E11DF30FCADD78DDDA107CA2A0 Backdoor.IRC.Zapchast [Ikarus]
11 %Temp%gsf2winup.exe 1 707 520 bytes MD5: 0x2C63530B46BD52F35AA1E8173D55B259
SHA-1: 0x7368751FD5ED36375317DC692CA78FDDF54202E1 Spyware.Perfect [PCTools]
Spyware.Perfect [Symantec]
not-a-virus:Client-IRC.Win32.mIRC.591 [Kaspersky Lab]
Mal/Generic-A [Sophos]
12 [file and pathname of the sample #1] 743 612 bytes MD5: 0x1FA5A5B75B0D3F4FF5232DB7A4B72854
SHA-1: 0x0BDD66B965CA7355C4B8E27024EC27095C805A1B Trojan.DR.Duckirc.Gen [PCTools]
IRC Trojan [Symantec]
not-a-virus:RiskTool.Win32.HideWindows, not-a-virus:Client-IRC.Win32.mIRC.591 [Kaspersky Lab]
Backdoor.IRC.Zapchast [Ikarus]

Categories: Uncategorized