173.203.112.32

By Pig, May 23, 2010

Remote Host Port Number
173.203.112.32 81

NICK n[USA|XP]1345482
USER s “” “lol” :s
JOIN #newbin#
PONG 422
JOIN #USA (null)

* The following port was open in the system:

Port Protocol Process
1055 TCP msng.exe (%AppData%msng.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows System Guard = “%AppData%msng.exe”

so that msng.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
msng.exe %AppData%msng.exe 65 536 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash
1 %AppData%msng.exe
%Temp%oia.exe 212 992 bytes MD5: 0xC6B667A786744872F38EB394942FC977
SHA-1: 0x89657D90FDA7E156746FFFD50E65928C18687823
2 [file and pathname of the sample #1] 167 936 bytes MD5: 0x1C7951F6058A260D6780F4919576FFB5
SHA-1: 0x4A0A790BE0AC2C19E8E2F948F18142E7490052C6
3 %System%winsvncs.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709

Categories: Uncategorized
Previous post
Next post