Remote Host Port Number 6680

PING hell1410.zapto.org
USER [NEW|7755] False * :kBotv5
NICK [NEW|7755]
JOIN #cutugno
PONG :You have not registered

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ dll = “%AppData%dllsvchost.exe”

so that svchost.exe runs every time Windows starts

* The following Registry Value was modified:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
+ Userinit =

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %AppData%dllhere.txt
%AppData%temp4876969.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)
2 %AppData%dllsvchost.exe
[file and pathname of the sample #1] 89 600 bytes MD5: 0x7B46B5BF10D40B5758ADECC7F671D1B4
SHA-1: 0x4D3C0F656D716A2638F3E42FAEC4778EFFF61554 Backdoor.MSIL.IrcBot.ct [Kaspersky Lab]
Worm:MSIL/Tawsebot.A [Microsoft]