jack.meoff.info

Remote Host | Port Number
72.20.14.249 | 6667
85.195.117.41 | 80

(Port 6667 is the conventional IRC port and is consistent with the IRC session logged below; the port-80 connection is presumably HTTP, but this report does not show what was requested over it.)

NICK X-Rated[Sin]00001
NICK :X-Rated[Sin]00005
JOIN #xen f00kU
NICK :X-Rated[Sin]00006
MODE #Xen
NICK :X-Rated[Sin]00001
NICK :X-Rated[Sin]00007
USER Slut "urmom.com" "jack.meoff.info" :YOurMomIsMySlut
PRIVMSG #xen :

Registry Modifications

* The following Registry Keys were created (path separators restored; the original listing had the backslashes stripped):
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCFOST
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCFOST\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCFOST\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcfost
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcfost\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcfost\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCFOST
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCFOST\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCFOST\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcfost
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcfost\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcfost\Enum
o HKEY_USERS\.DEFAULT\Software\mIRC
o HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
o HKEY_CURRENT_USER\Software\mIRC
o HKEY_CURRENT_USER\Software\WinRAR SFX

* The newly created Registry Values are (path separators restored; the original listing had the backslashes stripped):
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
+ (Default) = "ChatFile"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]
+ (Default) = "ChatFile"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]
+ (Default) = "Connect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]
+ (Default) = "mIRC"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]
+ (Default) = ""c:\108\svchost.exe" -noconnect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]
+ (Default) = ""c:\108\svchost.exe""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]
+ (Default) = "Chat File"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]
+ (Default) = "Connect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]
+ (Default) = "mIRC"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]
+ (Default) = ""c:\108\svchost.exe" -noconnect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]
+ (Default) = ""c:\108\svchost.exe""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
+ (Default) = "URL:IRC Protocol"
+ EditFlags = 02 00 00 00
+ URL Protocol = ""

(Note: these are the file-association and irc: URL-protocol handlers a normal mIRC install registers, but here they point at c:\108\svchost.exe, so opening any .cha/.chat file or irc: link on this host launches the bot's client rather than a legitimate program.)
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
+ DisplayName = "mIRC"
+ UninstallString = ""c:\108\svchost.exe" -uninstall"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCFOST\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "svcfost"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCFOST\0000]
+ Service = "svcfost"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "svcfost"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVCFOST]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcfost\Enum]
+ 0 = "Root\LEGACY_SVCFOST\0000"
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcfost\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0 (security descriptor truncated in the source listing)
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcfost]
+ Type = 0x00000110 (SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS)
+ Start = 0x00000002 (SERVICE_AUTO_START: started at every boot)
+ ErrorControl = 0x00000001
+ ImagePath = "C:\108\service.exe"
+ DisplayName = "svcfost"
+ ObjectName = "LocalSystem" (the service runs as SYSTEM)
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCFOST\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = "svcfost"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCFOST\0000]
+ Service = "svcfost"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "svcfost"
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVCFOST]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcfost\Enum]
+ 0 = "Root\LEGACY_SVCFOST\0000"
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcfost\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0 (security descriptor truncated in the source listing)
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcfost]
+ Type = 0x00000110 (SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS)
+ Start = 0x00000002 (SERVICE_AUTO_START: started at every boot)
+ ErrorControl = 0x00000001
+ ImagePath = "C:\108\service.exe"
+ DisplayName = "svcfost"
+ ObjectName = "LocalSystem" (the service runs as SYSTEM)
o [HKEY_USERS\.DEFAULT\Software\mIRC]
+ (Default) = "1263977341,0"
o [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USER\Software\mIRC]
+ (Default) = "1263977444,0"
o [HKEY_CURRENT_USER\Software\WinRAR SFX]
+ C%%108% = "C:\108"

(Note: the WinRAR SFX key indicates the sample is a self-extracting RAR archive that unpacked its payload into C:\108; the Microsoft Agent values are the defaults written when that component is first initialized and are not themselves indicators.)

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
+ (Default) =

Memory Modifications

* There was a new service created in the system:

Service Name | Display Name | Status | Service Filename
svcfost | svcfost | "Running" | C:\108\service.exe

(Note: the service name "svcfost" is chosen to resemble the legitimate "svchost"; a service whose image lives outside %SystemRoot% is the detection point here.)

* The following directories were created:
o c:\108
o c:\108\BoT-LisT
o c:\108\Scripts

File System Modifications

* The following files were created in the system:

# | Filename(s) | File Size | File Hash | Alias
1 | c:\108\clearresults.bat | 35 bytes | MD5: 0x2DDBDBF80FFEA1ECAE62FAC41EC06990
SHA-1: 0x12FBB661782B6E4ACB62E7BF4B70F19603811348 | (not available)
2 | c:\108\MaiN.BoT | 3 360 bytes | MD5: 0x2626CD40CEC558F47B818632CB45B6C1
SHA-1: 0xC060AE72F7170262E9E266665D50061ED1671A70 | IRC/Flood.gen.b [McAfee]
3 | c:\108\recon.bat | 234 bytes | MD5: 0x542053DFA6DA93B2AE8D0D2F990961D5
SHA-1: 0xCE0114E578ACB9D85FBFCA20364B1EFD86B5BA08 | (not available)
4 | c:\108\remote.ini | 387 bytes | MD5: 0x1B25DD7DFF1669D526D8B768145163CF
SHA-1: 0xD902C2D1310EA8428C87F2B70EB438A69AD61061 | (not available)
5 | c:\108\run.bat | 556 bytes | MD5: 0x9A65C7B1E2F5D949826D383306A60BC9
SHA-1: 0x4CD76801629EDA4B21AA7881199E86162FF8E4CE | (not available)
6 | c:\108\script.dll | 38 736 bytes | MD5: 0x0B54F28028D6BA8219E9877DCFE66CC0
SHA-1: 0x0BF08A5154C0AB5A56F56F9B9BF1C4E5B65A561C | (not available)
7 | c:\108\Service.dll | 180 bytes | MD5: 0xDD563B8C343EFBA87737EA586A489746
SHA-1: 0x6BE665DBF9168E23514419892259D4EF4A1B96E2 | (not available)
8 | c:\108\service.exe | 139 363 bytes | MD5: 0x91009B6D27C4692FF57F2BC574F9F3FD
SHA-1: 0x562EF4F22765F36D0B7E5EAF0EDAE9B7C3B8AF0E | (not available)
9 | c:\108\stewznuts.dll | 30 720 bytes | MD5: 0x62456B6CBDB93B6F1458469D90C57E2C
SHA-1: 0xAEE316EF1F6E14E839DD3CE4EF6E4DCD0DACC4C9 | (not available)
10 | c:\108\svchost.exe | 834 048 bytes | MD5: 0x89A477FDD6B445E341CB3C34F1D846FE
SHA-1: 0x8444D29B70329076CEA33C073ED0D1C367B94B2D | not-a-virus:Client-IRC.Win32.mIRC.617 [Kaspersky Lab]
packed with UPX [Kaspersky Lab]
11 | [file and pathname of the sample #1] | 1 011 347 bytes | MD5: 0x2647165073A1F973538A168A31DCEB41
SHA-1: 0x1E44D0D468AEFA204CFFD9DC69C4E0F9489EB331 | not-a-virus:Client-IRC.Win32.mIRC.617 [Kaspersky Lab]

(Note: c:\108\svchost.exe is a UPX-packed copy of the mIRC client, not the Windows Service Host; the name is borrowed from %SystemRoot%\System32\svchost.exe to blend into process listings. The bot logic itself lives in the script files alongside it (MaiN.BoT, which McAfee flags as IRC/Flood.gen.b, and the .bat/.ini/.dll files), so the hashes of those scripts are the more stable indicators. Only two of the eleven files carry any vendor detection in this report.)
