join.kizlarevi.net

PING join.kizlarevi.net
USER [NEW|9898] False * :neOn1
NICK [NEW|9898]
JOIN #k9
PONG :You have not registered
JOIN ##USA

Now talking in #k9
Topic On: [ #k9 ] [ !p2p ]
Topic By: [ LnX ]

join.kizlarevi.net 95.154.241.53
mue-88-130-35-093.dsl.tropolys.de 88.130.35.93
join.kizlarevi.net
Opened listening TCP connection on port: 113

* C&C Server: 95.154.241.53:6667
* Server Password:
* Username: co2
* Nickname: ^^selll23
* Channel: #!xp! (Password: )
* Channeltopic:

# C&C Server: 95.154.241.53:6667
# Server Password:
# Username: XP-4207
# Nickname: [DEU|00|P|54990]
# Channel: #source (Password: lnx)

# C&C Server: 95.154.241.53:6667
# Server Password:
# Username: jcbtlqzj
# Nickname: DEU[XP]7557829
# Channel: #sources (Password: fucker)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ dll = “%AppData%dllsvchost.exe”

so that svchost.exe runs every time Windows starts

* The following Registry Value was modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Userinit =

File System Modifications

* The following files were created in the system:

# 1
Filename(s): %AppData%dllhere.txt
             %AppData%temp4876969.txt
File Size: 0 bytes
File Hash: MD5: 0xD41D8CD98F00B204E9800998ECF8427E
           SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
Alias: (not available)

# 2
Filename(s): %AppData%dllsvchost.exe
             [file and pathname of the sample #1]
File Size: 89 600 bytes
File Hash: MD5: 0x56E6ACAC20CDB2E4EF6042C323E1E3F9
           SHA-1: 0xDEB168FA041D460E25E3F3BC169308FC61A34691
Alias: Worm:MSIL/Tawsebot.A [Microsoft]