201.40.117.44

Remote Host Port Number
201.40.117.44 6667

NICK n-123107
USER enuiknr 0 0 :n-123107
USERHOST n-123107
MODE n-123107 -x+B
JOIN #teste
NICK n-813308
USER natauv 0 0 :n-813308
USERHOST n-813308
MODE n-813308 -x+B

Other details

* The following ports were open in the system:

Port Protocol Process
113 TCP rgysir.exe (%System%\rgysir.exe)
1054 TCP rgysir.exe (%System%\rgysir.exe)

Registry Modifications

* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Update Machine = “rgysir.exe”

    so that rgysir.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    + Microsoft Update Machine = “rgysir.exe”

    so that rgysir.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Update Machine = “rgysir.exe”

    so that rgysir.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
rgysir.exe %System%\rgysir.exe 3 096 576 bytes

File System Modifications

* The following file was created in the system:

# 1
Filename(s): %System%\rgysir.exe
             [file and pathname of the sample #1]
File Size: 1 375 232 bytes
File Hash: MD5: 0xADD57E59536C73B1F3D49FB9378DE6D5
           SHA-1: 0x64F47B80AA375098666119EDF014EC6DBEBFD582
Alias: Net-Worm.Spybot [PCTools]
       W32.Spybot.Worm [Symantec]
       Packed.Win32.Black.a [Kaspersky Lab]
       Mal/Behav-285 [Sophos]
       packed with ASPack [Kaspersky Lab]
