Remote Host Port Number
174.129.200.54 80
91.211.119.179 2882
* The data identified by the following URL was then requested from the remote web server:
o http://api.hostip.info/get_html.php
PING :igotyour.info
USER MartyBot 1 * :MartyBot
NICK {WinXP|US|COMPUTERNAME|7322}
MODE {WinXP|US|COMPUTERNAME|7322}-ix
JOIN #pirates#
PONG #pirates#
Registry Modifications
* The newly created Registry Value is:
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Windows Generic Host = “%AppData%Microsoftsvchost.exe”
so that svchost.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] N/A
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash
1 c:autorun.exe
%AppData%Microsoftsvchost.exe
[file and pathname of the sample #1] 20 992 bytes MD5: 0xA93476A203A7905CCFA87F71EB7B8C4E
SHA-1: 0x0016DACA323BA3BB672CB45088C9DF8CDD3F0AF6
2 c:autorun.inf 29 bytes MD5: 0xF3C6F70DAD2C7A91120529E701283F53
SHA-1: 0xD597D1FDCF3FF458946F85D47E2F6FA02A4C6C6C