Remote Host Port Number
74.82.163.179 998
Other details
* The following port was open in the system:
Port Protocol Process
1053 TCP spjsxy.exe (%System%spjsxy.exe)
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESYSTEMControlSet001ControlMediaResourcesmsvideo
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KCMDSVC
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KCMDSVC�000
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KCMDSVC�000Control
o HKEY_LOCAL_MACHINESYSTEMControlSet001Serviceskcmdsvc
o HKEY_LOCAL_MACHINESYSTEMControlSet001ServiceskcmdsvcSecurity
o HKEY_LOCAL_MACHINESYSTEMControlSet001ServiceskcmdsvcEnum
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlMediaResourcesmsvideo
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KCMDSVC
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KCMDSVC�000
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KCMDSVC�000Control
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskcmdsvc
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskcmdsvcSecurity
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskcmdsvcEnum
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KCMDSVC�000Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “kcmdsvc”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KCMDSVC�000]
+ Service = “kcmdsvc”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Kemote Command Service”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KCMDSVC]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ServiceskcmdsvcEnum]
+ 0 = “RootLEGACY_KCMDSVC�000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ServiceskcmdsvcSecurity]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINESYSTEMControlSet001Serviceskcmdsvc]
+ Type = 0x00000010
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = “%System%spjsxy.exe”
+ DisplayName = “Kemote Command Service”
+ ObjectName = “LocalSystem”
+ Description = “kindows Resource Kit”
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KCMDSVC�000Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “kcmdsvc”
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KCMDSVC�000]
+ Service = “kcmdsvc”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Kemote Command Service”
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KCMDSVC]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskcmdsvcEnum]
+ 0 = “RootLEGACY_KCMDSVC�000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskcmdsvcSecurity]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskcmdsvc]
+ Type = 0x00000010
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = “%System%spjsxy.exe”
+ DisplayName = “Kemote Command Service”
+ ObjectName = “LocalSystem”
+ Description = “kindows Resource Kit”
* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlServiceCurrent]
+ (Default) =
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
spjsxy.exe %System%spjsxy.exe 1 892 352 bytes
* There was a new service created in the system:
Service Name Display Name Status Service Filename
kcmdsvc Kemote Command Service “Running” %System%spjsxy.exe
File System Modifications
* The following file was created in the system:
# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1]
%System%spjsxy.exe 851 968 bytes MD5: 0x8AE07D708EC70DAF8BDFF0C9D1B6B831
SHA-1: 0x4623DC28A4CC487755D11D71299C42C7300029C1 HeurEngine.ZeroDayThreat [PCTools]
Suspicious.IRCBot [Symantec]
Backdoor.Win32.Xyligan.abi [Kaspersky Lab]
Mal/Generic-L [Sophos]
Backdoor:Win32/Small.D [Microsoft]
Backdoor.Win32.Xyligan [Ikarus]
Win-Trojan/Agent.851968.O [AhnLab]