Remote Host Port Number
darkjester.xplosionirc.net 8080
Other details
* The following Host Name was requested from a host database:
o darkjester.xplosionirc.net
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{AC1FC6A8-D767-4FD2-A75F-63BA7FDDB043}
o HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{AC1FC6A8-D767-4FD2-A75F-63BA7FDDB043}InProcServer32
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{AC1FC6A8-D767-4FD2-A75F-63BA7FDDB043}InProcServer32]
+ (Default) = “rdshost.dll”
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
+ rdshost = “{AC1FC6A8-D767-4FD2-A75F-63BA7FDDB043}”
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 45 056 bytes
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 %Windir%photo album.zip 41 096 bytes MD5: 0xB45944A04431347152C811DC33A83FEA
SHA-1: 0x34B735897F1CF94BF8166B366B48B32E3A52C94A Backdoor.Sdbot [Symantec]
Backdoor.Win32.IRCBot.aaq [Kaspersky Lab]
2 %System%rdshost.dll 14 848 bytes MD5: 0x16B99C55235E1516C48942C6352A7F9A
SHA-1: 0x018F776F24EAC436873C7B341E9461E0FA3CDA0A Backdoor.IRCBot.AAQ [PCTools]
Backdoor.Sdbot [Symantec]
Backdoor.Win32.IRCBot.aaq [Kaspersky Lab]
BackDoor-AZX.dll [McAfee]
WORM_SDBOT.EEY [Trend Micro]
Backdoor:Win32/IRCbot [Microsoft]
Win-Trojan/ShadoBot.14848 [AhnLab]
3 [file and pathname of the sample #1] 40 960 bytes MD5: 0x6C070365264B23BD21C90B34E050E8A0
SHA-1: 0x0F433ECD48F7A28E981E92ECAC3EF78E13C8737E Backdoor.IRCBot.AUQ [PCTools]
Backdoor.Sdbot [Symantec]
Backdoor.Win32.IRCBot.aaq [Kaspersky Lab]
BackDoor-AZX.gen [McAfee]
WORM_SDBOT.EEY [Trend Micro]
Backdoor:Win32/IRCbot [Microsoft]
Win32/ShadoBot.worm.41472 [AhnLab]