tshge.mamadody.mobi

tshge.mamadody.mobi 74.117.174.95

* C&C Server: 74.117.174.95:15656
* Server Password:
* Username: nn
* Nickname: hh[DEU|XP]5178227
* Channel: #t (Password: )
* Channeltopic: :.td http://expobauhaus.net/b00t.exe c:Icon32fuhygfdnf.exe 1 -s

* C&C Server: 74.117.174.95:15656
* Server Password:
* Username: nn
* Nickname: [DEU|XP]5665417
* Channel: #t (Password: )
* Channeltopic: :.td http://expobauhaus.net/b00t.exe c:Icon32fuhygfdnf.exe 1 -s

Registry Changes by all processes
Create or Open:
Changes:
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\dlllhost.exe" = C:\WINDOWS\system32\dlllhost.exe:*:Enabled:Netlogon
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\dlllhost.exe
Reads:
  HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
  HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
  HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager "PendingFileRenameOperations"

File Changes by all processes
New Files:
  C:\WINDOWS\system32\dlllhost.exe
  C:\WINDOWS\system32\dlllhost.exe
  \Device\RasAcd
Opened Files:
  \\.\PIPE\lsarpc
  C:\WINDOWS\AppPatch\sysmain.sdb
  C:\WINDOWS\AppPatch\systest.sdb
  \Device\NamedPipe\ShimViewer
  C:\WINDOWS\system32
  \\.\PIPE\lsarpc
  C:\WINDOWS\system32\dlllhost.exe
  C:\WINDOWS\system32\dlllhost.exe
Deleted Files:
Chronological Order:
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Create File: C:\WINDOWS\system32\dlllhost.exe
  Copy File: c:\b00t.exe to C:\WINDOWS\system32\dlllhost.exe
  Set File Attributes: C:\WINDOWS\system32\dlllhost.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
  Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
  Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
  Open File: C:\WINDOWS\system32 ()
  Find File: C:\WINDOWS\system32\dlllhost.exe
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Open File: C:\WINDOWS\system32\dlllhost.exe (OPEN_EXISTING)
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
  Open File: C:\WINDOWS\system32\dlllhost.exe (OPEN_EXISTING)