85.12.60.20

By Pig, April 23, 2010

Remote Host Port Number
85.12.60.20 81

NICK n[USA|XP]5266080
USER n “” “lol” :n
JOIN #control#
PONG 422
PONG :request.not.found

Other details

* The following port was open in the system:

Port Protocol Process
1053 TCP winvsnc.exe (%AppData%winvsnc.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ WindowsUpdateControl = “%AppData%winvsnc.exe”

so that winvsnc.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
winvsnc.exe %AppData%winvsnc.exe 65 536 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %AppData%winvsnc.exe
[file and pathname of the sample #1] 50 688 bytes MD5: 0xF23B548E69F88590F30B07A9422E9255
SHA-1: 0x7AAAEAEB63E444E36BF6BE7BF2BC6EBC7AF2C285 New Malware.b [McAfee]
2 %System%winsvncs.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)

Categories: Uncategorized