83.140.172.212(Worm.IM.Sohanad)

Remote Host Port Number
64.62.181.46 80
83.140.172.212 6667

* The data identified by the following URL was then requested from the remote web server:
o http://h1.ripway.com/sxmast/config.php

NICK u-uu6
USER l4 8 * :0.0
PONG :3083554165
JOIN #sxsouls nopass

* The following port was open in the system:

Port Protocol Process
1056 TCP usx32.exe (%AppData%usx32.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ usx32 = “%AppData%usx32.exe”

so that usx32.exe runs every time Windows starts

* The following Registry Value was deleted:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ VMware Tools = “%ProgramFiles%VMwareVMware ToolsVMwareTray.exe”
+ VMware User Process = “%ProgramFiles%VMwareVMware ToolsVMwareUser.exe”

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
usx32.exe %AppData%usx32.exe 2 306 048 bytes

* The following system services were modified:

Service Name Display Name New Status Service Filename
ALG Application Layer Gateway Service “Stopped” %System%alg.exe
SharedAccess Windows Firewall/Internet Connection Sharing (ICS) “Stopped” %System%svchost.exe -k netsvcs

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash
1 %AppData%usx32.exe
[file and pathname of the sample #1] 1 622 016 bytes MD5: 0xFF968983FC6B41FD0E839A2EA3AF62B2
SHA-1: 0x736577E80709107230C533EFFC4F611ACA1E8E41