Remote Host Port Number
bul.panjsheri.com 1234

NICK n[USA|XP]0002913
USER 4625 "" "lol" :4625
JOIN #po#
NICK [USA|XP]9349820
USER 4548 "" "lol" :4548

Other details

* To mark the presence in the system, the following Mutex object was created:
o SN6JSN868L

* The following ports were open in the system:

Port Protocol Process
1034 TCP aiambc.exe (%Windir%\aiambc.exe)
1035 TCP aiambc.exe (%Windir%\aiambc.exe)

* The following Host Name was requested from a host database:
o bul.panjsheri.com

Registry Modifications

* The following Registry Value was modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Userinit =

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
aiambc.exe %Windir%\aiambc.exe 65 536 bytes
[filename of the sample #1] [file and pathname of the sample #1] 57 344 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 c:\a.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)
2 %Windir%\aiambc.exe
[file and pathname of the sample #1] 139 365 bytes MD5: 0x9A249086E57E144B7E992D19A1C7F586
SHA-1: 0x824D56C5C034ECCEE5B853E2928EAE708054D64A Trojan-Dropper.Win32.VB.amgq [Kaspersky Lab]
