Remote Host            Port Number
n33d.r00taccess.com    6769
NICK {NEW}[USA][XP-SP2]447382
USER 6799 "" "lol" :6799
JOIN #r00t# rootroot
NICK [USA][XP-SP2]408098
USER 5014 "" "lol" :5014
NICK [USA][XP-SP2]094963
USER 3399 "" "lol" :3399
Other details
* To mark the presence in the system, the following Mutex object was created:
o gHJHTthrtTRu
* The following port was open in the system:
Port    Protocol    Process
1036    TCP         lssas.exe (%Temp%\lssas.exe)
* The following Host Name was requested from a host database:
o n33d.r00taccess.com
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ MicrosoftCorp = "%Temp%\lssas.exe"
so that lssas.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Google Updater = "%Temp%\lssas.exe"
so that lssas.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Google Updater = "%Temp%\lssas.exe"
so that lssas.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name                   Process Filename                        Main Module Size
lssas.exe                      %Temp%\lssas.exe                        69 632 bytes
[filename of the sample #1]    [file and pathname of the sample #1]    217 088 bytes
File System Modifications
* The following files were created in the system:
#   Filename(s)                             File Size        File Hash                                            Alias
1   %Temp%\google_cache110.tmp              9 bytes          MD5:   0x6C936CB4A4B7F5803BD2E3DEACC3C2FE              (not available)
                                                             SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
2   %Temp%\lssas.exe                        261 709 bytes    MD5:   0x40AD49FA54BFBDD5A65EF8B97B39CD8C              W32.IRCBot [Symantec]
    [file and pathname of the sample #1]                     SHA-1: 0x213D92D4291607D987BEB21A5FA17E424A5F2330      Troj/VB-EOQ [Sophos]