199.71.214.54

Remote Host Port Number
199.71.214.54 8160

NICK {USA-XP}822917
MODE {USA-XP}822917 -ix
JOIN #Test1#
USER kztgfpt * 0 :COMPUTERNAME
PRIVMSG #Test1# :
NEW MoFkN WebGrab!

Other details

* The following port was open in the system:

Port Protocol Process
1052 TCP svhost.exe (%Windir%\svhost.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ MSN = "%Windir%\svhost.exe"

so that svhost.exe runs every time Windows starts.

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
svhost.exe %Windir%\svhost.exe 311 296 bytes

File System Modifications

* The following files were created in the system:

1. Filename(s): %Windir%\svhost.exe [file and pathname of the sample #1]
   File Size: 194 048 bytes
   MD5: 0xC97441E980F334EB43F357880521D3B8
   SHA-1: 0x86A5C96913FB1B3B4CB88865CDBAB478BA17F8B8
   Alias: W32.Pilleuz [Symantec]

2. Filename(s): %System%\DROPPEDFILEOK1.tmp
   File Size: 9 bytes
   MD5: 0x91A584B875C98D3A04D9E6A8F54BB1E4
   SHA-1: 0x6B6EADDB48D0177ACAA5B4FFA2900BE1F3FD7110
   Alias: (not available)
