64.120.14.52

Remote Host Port Number
64.120.14.52 27034

PASS sextsex
MODE #!!pp!!# +ix
NICK [00|USA|765097]
USER XP-4182 * 0 :COMPUTERNAME
MODE [00|USA|765097] +ix
JOIN #!!pp!!# sextsex

Other details

* The following port was open in the system:

Port Protocol Process
1052 TCP tub3tex.exe.exe (%Windir%\tub3tex.exe.exe)

Registry Modifications

* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Java Update = "tub3tex.exe.exe"

so that tub3tex.exe.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
tub3tex.exe.exe %Windir%\tub3tex.exe.exe 311 296 bytes
[filename of the sample #1] [file and pathname of the sample #1] 311 296 bytes

File System Modifications

* The following file was created in the system:

# 1
Filename(s): [file and pathname of the sample #1]
             %Windir%\tub3tex.exe.exe
File Size: 28 160 bytes
File Hash: MD5: 0x2530CBF491EB8D8BFBE6F71FB91A14E8
           SHA-1: 0xDDC033D5F4833E7F51F20985DE775FC89A9617DA
Alias: Backdoor.SdBot.FNT [PCTools]
       W32.Spybot.Worm [Symantec]
       Backdoor.Win32.SdBot.eit [Kaspersky Lab]
       W32/Sdbot.worm.gen.a [McAfee]
       Mal/IRCBot-B, Mal/IRCBot-C [Sophos]
       Worm:Win32/Pushbot.gen [Microsoft]
       Win32/IRCBot.worm.variant [AhnLab]
