Remote Host | Port Number
spy.burimche.net | 1111

NICK UserName15
USER UserName15 "hotmail.com" "spy.burimche.net" :UserName

Other details

* To mark the presence in the system, the following Mutex object was created:
o d3st0y

* The following ports were open in the system:

Port | Protocol | Process
113 | TCP | [file and pathname of the sample #1]
1033 | TCP | [file and pathname of the sample #1]

* The following Host Name was requested from a host database:
o spy.burimche.net

Registry Modifications

* The following Registry Key was created:
o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Task Runner = "PLE_1.EXE"
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
+ Windows Task Runner = "PLE_1.EXE"

Memory Modifications

* There was a new process created in the system:

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 135 168 bytes

File System Modifications

* The following files were created in the system:

# | Filename(s) | File Size | File Hash | Alias
1 | %System%\log.dll | 140 bytes | MD5: 0x2BC554082AA71638FEB5DD78D4D766AD; SHA-1: 0x65DD6D8D752C9C2C8CAA3C98A47E243E18B7A8B5 | (not available)
2 | [file and pathname of the sample #1] | 79 904 bytes | MD5: 0x617AA4F8FCE89A9C6CBE8E3E8BC78EF7; SHA-1: 0x24DAA6F9C869CEB1D9FC9F54E41C8445482FFB8C | Worm.P2P.Spybot.Gen.3 [PCTools]; W32.Spybot.Worm [Symantec]; P2P-Worm.Win32.SpyBot.gen [Kaspersky Lab]; W32/Spybot.worm.gen.a [McAfee]; W32/Spybot-Gen [Sophos]; Worm:Win32/Spybot.gen [Microsoft]; Win32/IRCBot.worm.Gen [AhnLab]
