Remote Host        Port Number
spy.burimche.net   1111
NICK UserName15
USER UserName15 “hotmail.com” “spy.burimche.net” :UserName
Other details
* To mark the presence in the system, the following Mutex object was created:
    o d3st0y
* The following ports were open in the system:
    Port   Protocol   Process
    113    TCP        [file and pathname of the sample #1]
    1033   TCP        [file and pathname of the sample #1]
* The following Host Name was requested from a host database:
    o spy.burimche.net
Registry Modifications
* The following Registry Key was created:
    o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* The newly created Registry Values are:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + Windows Task Runner = “PLE_1.EXE”
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        + Windows Task Runner = “PLE_1.EXE”
Memory Modifications
* There was a new process created in the system:
    Process Name:      [filename of the sample #1]
    Process Filename:  [file and pathname of the sample #1]
    Main Module Size:  135 168 bytes
File System Modifications
* The following files were created in the system:
    1  Filename(s): %System%\log.dll
       File Size:   140 bytes
       File Hash:   MD5: 0x2BC554082AA71638FEB5DD78D4D766AD
                    SHA-1: 0x65DD6D8D752C9C2C8CAA3C98A47E243E18B7A8B5
       Alias:       (not available)
    2  Filename(s): [file and pathname of the sample #1]
       File Size:   79 904 bytes
       File Hash:   MD5: 0x617AA4F8FCE89A9C6CBE8E3E8BC78EF7
                    SHA-1: 0x24DAA6F9C869CEB1D9FC9F54E41C8445482FFB8C
       Alias:       Worm.P2P.Spybot.Gen.3 [PCTools]
                    W32.Spybot.Worm [Symantec]
                    P2P-Worm.Win32.SpyBot.gen [Kaspersky Lab]
                    W32/Spybot.worm.gen.a [McAfee]
                    WORM_SPYBOT.GEN [Trend Micro]
                    W32/Spybot-Gen [Sophos]
                    Worm:Win32/Spybot.gen [Microsoft]
                    Win32/IRCBot.worm.Gen [AhnLab]