vunrestrained.dyndns.info

Remote Host                  Port Number
vunrestrained.dyndns.info    51987

NICK Unrestrained-331897
USER ercmoxzx 0 0 :Unrestrained-331897
USERHOST Unrestrained-331897
MODE Unrestrained-331897 -x+B
JOIN #Hydra#
NICK Unrestrained-231953
USER ixuzpou 0 0 :Unrestrained-231953
USERHOST Unrestrained-231953
MODE Unrestrained-231953 -x+B
NICK Unrestrained-465848
USER adwosov 0 0 :Unrestrained-465848
USERHOST Unrestrained-465848
MODE Unrestrained-465848 -x+B

Other details

* To mark the presence in the system, the following Mutex object was created:
  o Tr0gBot

* The following Host Name was requested from a host database:
  o vunrestrained.dyndns.info

Registry Modifications

* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Update Machine = "irhlbz.exe"

    so that irhlbz.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    + Microsoft Update Machine = "irhlbz.exe"

    so that irhlbz.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Update Machine = "irhlbz.exe"

    so that irhlbz.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name                   Process Filename                         Main Module Size
seqggd.exe                     %System%\seqggd.exe                      520 192 bytes
[filename of the sample #1]    [file and pathname of the sample #1]     520 192 bytes
irhlbz.exe                     %System%\irhlbz.exe                      520 192 bytes

File System Modifications

* The following file was created in the system:

# 1
  Filename(s):  %System%\irhlbz.exe
                [file and pathname of the sample #1]
                %System%\seqggd.exe
  File Size:    327 255 bytes
  File Hash:    MD5: 0xA67BE577C70A2FE13E230D11D0A85386
                SHA-1: 0x721360812D02FAA34B0D076450DB008397487124
  Alias:        Worm.RBot.Gen.10 [PCTools]
                W32.Spybot.Worm [Symantec]
                Backdoor.Win32.Rbot.aea [Kaspersky Lab]
                W32/Sdbot.worm.gen.g [McAfee]
                WORM_SPYBOT.GEN [Trend Micro]
                W32/Rbot-Fam, W32/Rbot-Gen [Sophos]
                Backdoor:Win32/Rbot.gen [Microsoft]
                Win32/IRCBot.worm.Gen [AhnLab]
