codienviet.com(1k bots in one chanel)

Remote Host Port Number
174.136.55.4 80
202.169.224.12 6667

* The data identified by the following URL was then requested from the remote web server:
o http://codienviet.com/bot/notwelcome.php

NICK TLG-FVDBXNPG
USER TLG-LTZZCCTX 0 0 TLG-LTZZCCTX
NICK TLG-YTWZHFAX
USER TLG-YTWZHFAX 0 0 TLG-YTWZHFAX
USER TLG-FVDBXNPG 0 0 TLG-FVDBXNPG
PONG :1444004578
JOIN #dunghoitaisao 150685
MODE TLG-FVDBXNPG +i
MODE #dunghoitaisao +ps
MODE #dunghoitaisao +k 150685
NICK TLG-LTZZCCTX
ChanServ sets mode: +k 3939

* The following ports were open in the system:

Port Protocol Process
1058 TCP svihost.exe (%System%svihost.exe)
1060 TCP svihost.exe (%System%svihost.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows Updates = “%System%svihost.exe”

so that svihost.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain]
+ Window Title = “AUTOKIEMTHE.COM – AUTOPLAY KIEMTHE ONLINE”

* The following Registry Value was modified:
o [HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain]
+ Start Page =

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
svihost.exe %System%svihost.exe 663 552 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1] 261 511 bytes MD5: 0xCF2A931445658B38034DA87EA01FB463
SHA-1: 0x9C4FF171F07DADABAA461AE8FA803689E504A80D packed with PE_Patch.UPX [Kaspersky Lab]
2 %System%svihost.exe 404 135 bytes MD5: 0xC637662344CF39FC4C7FCA73B7B378D6
SHA-1: 0x69DE0D02E8ECF87B1EAFB7EF6FFD109E8E2A07D8 packed with PE_Patch.UPX [Kaspersky Lab]