95.154.216.63

Remote Host Port Number
95.154.216.63 3211 PASS Virus

NICK VirUs-prpgqjsq
USER VirUs “” “hjr” :
8Coded
8VirUs..
JOIN #koko# Virus
PONG :fbi.gov

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{67XOR2B0-3GMC-89VV-JIJ1-24KL2R3222431}

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{67XOR2B0-3GMC-89VV-JIJ1-24KL2R3222431}]
+ StubPath = “c:SABERV2009SABER.exe”

so that SABER.exe runs every time Windows starts

* The following directories were created:
o c:SABER
o c:SABERV2009

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 c:SABERV2009Desktop.ini 62 bytes MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514 (not available)
2 c:SABERV2009SABER.exe
[file and pathname of the sample #1] 31 232 bytes MD5: 0x7B71ECB1855DF010282E6FEFB67451CF
SHA-1: 0x3D00BFECDF0AE69BA7AA4ECF5A30825F221071A5 W32.Pilleuz!gen2 [Symantec]
Mal/EncPK-LL [Sophos]
Worm:Win32/Hamweq.A [Microsoft]

Categories: Uncategorized
Previous post
Next post