* The following Host Name was requested from a host database:

* The data identified by the following URLs was then requested from the remote web server:

* There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
o %System%MSVBVM60.DLL

USER SBot79 SBot79 SBot79 SBot79 SBot79 SBot79
PRIVMSG : Successfully Download!!
JOIN #slayeraeb 199413
PRIVMSG #slayeraeb Online Now!
PRIVMSG slayeraeb Online Now!
PRIVMSG slayeraeb : Online!
PRIVMSG #slayeraeb Online!
USER SBot85 SBot85 SBot85 SBot85 SBot85 SBot85
USER SBot16 SBot16 SBot16 SBot16 SBot16 SBot16

Now talking in #slayeraeb
Topic On: [ #slayeraeb ] [ My new video: ]
Topic By: [ Slayeraeb ]
Modes On: [ #slayeraeb ] [ +pntrk 199413 ]

Registry Modifications

* The newly created Registry Value is:
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ svchosts = “%Temp%svchosts.exe”

so that svchosts.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
svchosts.exe %Temp%svchosts.exe 688 128 bytes
[filename of the sample #1] [file and pathname of the sample #1] 688 128 bytes

* The following system services were modified:

Service Name Display Name New Status Service Filename
ALG Application Layer Gateway Service “Stopped” %System%alg.exe
SharedAccess Windows Firewall/Internet Connection Sharing (ICS) “Stopped” %System%svchost.exe -k netsvcs
wscsvc Security Center “Stopped” %System%svchost.exe -k netsvcs

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash
1 %Temp%svchosts.exe
[file and pathname of the sample #1] 675 840 bytes MD5: 0x3B55A94ECFEAAFC47B90B5E27CCE75FA
SHA-1: 0x852CA8C08A3277E04B327C5C19D758417DA7A004

Categories: Uncategorized