Remote Host Port Number
winupdservice.net 81
NICK [USA|XP]vsauaea
USER s s s :s
JOIN #twizt#
NICK n[USA|XP]rdcsdfo
NICK [USA|XP]ciirgkj
Other details
* To mark the presence in the system, the following Mutex object was created:
o L6C8D3B8H7E3N6
* The following ports were open in the system:
Port Protocol Process
1034 TCP winsvcn.exe (%AppData%winsvcn.exe)
1035 TCP winsvcn.exe (%AppData%winsvcn.exe)
1036 TCP winsvcn.exe (%AppData%winsvcn.exe)
* The following Host Name was requested from a host database:
o winupdservice.net
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows Service Manager = “%AppData%winsvcn.exe”
so that winsvcn.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
winsvcn.exe %AppData%winsvcn.exe 20 480 bytes
[filename of the sample #1] [file and pathname of the sample #1] 143 360 bytes
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 %AppData%winsvcn.exe
[file and pathname of the sample #1] 38 401 bytes MD5: 0x57B0C79C6FAEF5169F46A4BC352825EC
SHA-1: 0xA7286A0E3201F1137EC2FFA430B5CF19173858BE Trojan.Win32.Scar.bzjj [Kaspersky Lab]
Trojan:Win32/Ircbrute [Microsoft]
Trojan.Win32.Scar [Ikarus]
Win-Trojan/Bypassagent.38401 [AhnLab]
packed with PE_Patch.UPX [Kaspersky Lab]
2 %System%wbhjob.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709