Remote Host Port Number
poo.panjsheri.com 1234

NICK [USA|XP]5234294
USER 8687 “” “lol” :8687
JOIN #po#
NICK n[USA|XP]0719163
USER 3151 “” “lol” :3151

Other details

* To mark the presence in the system, the following Mutex object was created:
o SN5JSN868L

* The following ports were open in the system:

Port Protocol Process
1034 TCP winmbu.exe (%Windir%winmbu.exe)
1035 TCP winmbu.exe (%Windir%winmbu.exe)

* The following Host Name was requested from a host database:
o poo.panjsheri.com

Registry Modifications

* The following Registry Value was modified:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
+ Userinit =

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
winmbu.exe %Windir%winmbu.exe 65 536 bytes
[filename of the sample #1] [file and pathname of the sample #1] 65 536 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 c:a.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)
2 [file and pathname of the sample #1]
%Windir%winmbu.exe 50 688 bytes MD5: 0x0D0AA686CF4CABAA19C552CBB6C96906
SHA-1: 0x41B0E5E3ECE7C1866B3562D3F02B73E9D6FAF91F Trojan.Win32.Scar.bbwe [Kaspersky Lab]
Mal/Generic-L [Sophos]
Worm:Win32/Pushbot.gen!C [Microsoft]
Trojan.Win32.Scar [Ikarus]
Win-Trojan/Scar.50688.I [AhnLab]

Categories: Uncategorized