MicrosoftUpdate.yi.org

[ DetectionInfo ]
* Filename: C:\analyzer\scan\svcnost.exe.
* Sandbox name: W32/Backdoor.
* Signature name: Ircbot.BAYQ.
* Compressed: NO.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.

[ General information ]
* File length: 73728 bytes.
* MD5 hash: a9bfb1db9d131e1bcce5b8f1f3132871.
* SHA1 hash: e7e8d1ce421b418a31180beb25a3e758265ea9c7.
* Entry-point detection: Microsoft Visual C++.

[ Changes to filesystem ]
* Creates directory C:\PROGRA~1\COMMON~1.
* Creates file C:\PROGRA~1\COMMON~1\System\svcnost.exe.
* Overwrites file C:\PROGRA~1\COMMON~1\System\svcnost.exe.

[ Changes to registry ]
* Creates key “HKLM\Software\Microsoft\Windows”.
* Sets value “Windows Update”=”C:\PROGRA~1\COMMON~1\System\svcnost.exe” in key “HKLM\Software\Microsoft\Windows”.
* Creates key “HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters”.
* Sets value “C:\PROGRA~1\COMMON~1\System\svcnost.exe”=”C:\PROGRA~1\COMMON~1\System\svcnost.exe:*:Enabled:Windows Update” in key “HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters”.

[ Network services ]
* Connects to “MicrosoftUpdate.yi.org” on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname cBOT|BrUFBagOyl.
* IRC: Uses username mbnzihg.
* IRC: Joins channel #VNC with password x0r.
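
The firewall exception value in the registry section and the IRC handshake above are enough to turn this report into host and network checks. The Python below is an added example written for this page; it is not output of the sandbox, nor code from the sample. The indicator strings are copied from the report, but the heuristics (a "Windows Update" label on a binary outside System32, treating the cBOT| nick prefix as fixed and the suffix as random) and the sample flows are our own assumptions and constructed data.

```python
import re

# Indicators copied from the sandbox report above.
C2_HOST = "MicrosoftUpdate.yi.org"
C2_PORT = 6667
IRC_CHANNEL = "#VNC"
IRC_KEY = "x0r"
FIREWALL_VALUE = r"C:\PROGRA~1\COMMON~1\System\svcnost.exe:*:Enabled:Windows Update"

# Assumption (not stated in the report): the "cBOT|" prefix is fixed and the
# letter suffix is randomised per run, so the nick is matched on the prefix only.
NICK_RE = re.compile(r"^NICK\s+cBOT\|[A-Za-z0-9]+\s*$", re.I)
JOIN_RE = re.compile(r"^JOIN\s+(?P<chan>\S+)(?:\s+(?P<key>\S+))?\s*$", re.I)


def parse_firewall_entry(value):
    """Split an AuthorizedApplications\\List value into its four fields.

    Windows stores each exception as "<path>:<scope>:<Enabled|Disabled>:<name>".
    The path itself contains a colon after the drive letter, so split from the right.
    """
    path, scope, state, name = value.rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def firewall_entry_findings(value):
    """Heuristics (ours, not the report's) for a masquerading firewall exception."""
    e = parse_firewall_entry(value)
    findings = []
    if e["state"].lower() == "enabled" and e["scope"] == "*":
        findings.append("enabled for every remote address")
    # The genuine Windows Update client lives under %SystemRoot%\System32.
    if "windows update" in e["name"].lower() and "system32" not in e["path"].lower():
        findings.append("'Windows Update' label on a binary outside System32")
    if re.search(r"\\COMMON~1\\System\\", e["path"], re.I):
        findings.append("binary dropped under Common Files\\System")
    return findings


def irc_c2_findings(flow_dst, flow_port, client_lines):
    """Score one outbound TCP flow plus the IRC client lines seen on it."""
    findings = []
    if flow_dst.lower() == C2_HOST.lower():
        findings.append("connects to known C2 host")
    if flow_port == C2_PORT:
        findings.append("IRC port 6667")
    for line in client_lines:
        line = line.strip()
        if NICK_RE.match(line):
            findings.append("cBOT| nickname pattern")
        m = JOIN_RE.match(line)
        if m and m.group("chan") == IRC_CHANNEL:
            if m.group("key") == IRC_KEY:
                findings.append("joins #VNC with key x0r")
            else:
                findings.append("joins #VNC")
    return findings


# Constructed client-side IRC lines, modelled on the handshake in the report.
SAMPLE_FLOW = ("MicrosoftUpdate.yi.org", 6667, [
    "NICK cBOT|BrUFBagOyl",
    "USER mbnzihg 0 0 :mbnzihg",
    "JOIN #VNC x0r",
])
# A constructed benign flow to an ordinary IRC network, for contrast.
BENIGN_FLOW = ("irc.example.org", 6667, [
    "NICK alice",
    "USER alice 0 * :Alice",
    "JOIN #help",
])

if __name__ == "__main__":
    print(firewall_entry_findings(FIREWALL_VALUE))
    print(irc_c2_findings(*SAMPLE_FLOW))
    print(irc_c2_findings(*BENIGN_FLOW))
```

Port 6667 alone only scores one point on the benign flow; the combination of the dynamic-DNS host, the nick prefix and the keyed JOIN to #VNC is what separates this bot from ordinary IRC traffic, and the firewall check flags the dropped binary regardless of whether the host ever reaches the C2.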

[ Process/window information ]
* Creates a mutex cC-Team:2007.
* Creates process “svcnost.exe”.

[ Signature Scanning ]
* C:\PROGRA~1\COMMON~1\System\svcnost.exe

Categories: Uncategorized

1 Comment

Anonymous - April 19, 2010 at 6:27 am

haha~ funny! thank you for your share~
