NICK AdR[USA-XP]892916
USER AdR[USA-XP]892916 * 0 :(null)
MODE AdR[USA-XP]892916 +iR
JOIN #|bryan|#
NICK AdR[USA-XP]819671
USER AdR[USA-XP]819671 * 0 :(null)
MODE AdR[USA-XP]819671 +iR
NICK AdR[USA-XP]503906
USER AdR[USA-XP]503906 * 0 :(null)
MODE AdR[USA-XP]503906 +iR
NICK AdR[USA-XP]276625
USER AdR[USA-XP]276625 * 0 :(null)
MODE AdR[USA-XP]276625 +iR

Other details

* To mark the presence in the system, the following Mutex object was created:
  o zgznzix9cj0

* The following ports were open in the system:

  Port   Protocol   Process
  1033   TCP        svchost.exe (%Windir%\svchost.exe)
  1034   TCP        svchost.exe (%Windir%\svchost.exe)
  1035   TCP        svchost.exe (%Windir%\svchost.exe)
  1036   TCP        svchost.exe (%Windir%\svchost.exe)
  1049   TCP        svchost.exe (%Windir%\svchost.exe)
  1050   TCP        svchost.exe (%Windir%\svchost.exe)
  1051   TCP        svchost.exe (%Windir%\svchost.exe)
  1052   TCP        svchost.exe (%Windir%\svchost.exe)

Registry Modifications

* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    + MicrosoftCorp = "%Windir%\svchost.exe"

    so that svchost.exe runs every time Windows starts

  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + MicrosoftNAPC = "%Windir%\svchost.exe"

    so that svchost.exe runs every time Windows starts

  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + sysdiag64.exe = "%Windir%\svchost.exe"

    so that svchost.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

  Process Name                   Process Filename                        Main Module Size
  svchost.exe                    %Windir%\svchost.exe                    647 168 bytes
  [filename of the sample #1]    [file and pathname of the sample #1]    380 928 bytes

File System Modifications

* The following files were created in the system:

  # 1
    Filename(s):  %Windir%\svchost.exe
                  [file and pathname of the sample #1]
    File Size:    381 025 bytes
    File Hash:    MD5: 0x6BDFE945F677772A9E690B6CF9135EA0
                  SHA-1: 0x15A3756EF14200E41CB6D623A18C1B4893975D0F
    Alias:        Trojan-Dropper.Win32.VB.ahrv [Kaspersky Lab]
                  W32/Spybot.worm!co [McAfee]
                  Mal/Generic-A [Sophos]
                  Backdoor:Win32/IRCbot [Microsoft]
                  Win-Trojan/Xema.variant [AhnLab]

  # 2
    Filename(s):  %System%\DROPPEDFILEOK.tmp
    File Size:    8 bytes
    File Hash:    MD5: 0x6D6000C6EA5A407BD59FC2CDA3B73BEE
                  SHA-1: 0x7B30D5EB44BE4471C718CEBFC5529E87B4C73604
    Alias:        (not available)

unassigned.psychz.net (

udp ports 517/518 are open
