Remote Host | Port Number
wmim.solutionofmsn.org | 1234
NICK {NEW}[USA][XP-SP2]074959
USER 1231 "" "lol" :1231
JOIN #b#
NICK [USA][XP-SP2]339973
USER 0146 "" "lol" :0146
Other details
* To mark the presence in the system, the following Mutex object was created:
o kOiJjfhjtgK
* The following port was open in the system:
Port | Protocol | Process
1036 | TCP | msnms.exe (%Temp%\msnms.exe)
* The following Host Name was requested from a host database:
o wmim.solutionofmsn.org
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Google Updater = "%Temp%\msnms.exe"
so that msnms.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Google Updater = "%Temp%\msnms.exe"
so that msnms.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name | Process Filename | Main Module Size
msnms.exe | %Temp%\msnms.exe | 69 632 bytes
[filename of the sample #1] | [file and pathname of the sample #1] | 69 632 bytes
File System Modifications
* The following files were created in the system:
# | Filename(s) | File Size | File Hash | Alias
1 | %Temp%\google_cache94.tmp | 9 bytes | MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE, SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891 | (not available)
2 | %Temp%\msnms.exe, [file and pathname of the sample #1] | 48 128 bytes | MD5: 0x36CD09150A9A4EB61D9CE1E58D6ACFB8, SHA-1: 0x5877720B58E40E5105B1AF6E788073A51042703E | New Malware.b [McAfee]; Mal/SillyFDC-A, Mal/IRCBot-B, Mal/IRCBot-C [Sophos]
Now talking in #b#
Topic On: [ #b# ] [ a ]
Topic By: [ r ]