217.23.13.45

Remote Host Port Number
217.23.13.45 2012

NICK {iNF-00-USA-XP-COMP-5233}
USER blaze * 0 :COMP
JOIN #kyle94shop
NICK {00-USA-XP-COMP-6395}
PONG priv8.net

Now talking in #kyle94shop
Topic On: [ #kyle94shop ] [ .aSc -S |.sub |.wu |.worm |.scan svrsvc_BRUTE 45 20 100 -r -b -e -s |.scan SVRSVC_ESP_SP2 35 3 0 -b -r -e -s |.scan SVRSVC_ARG_SP2 35 3 0 -b -r -e -s |.scan SVRSVC_ESP 35 3 0 -b -r -e -s |.scan SVRSVC_ARG 35 3 0 -b -r -e -s ]
Topic By: [ k94s ]

Other details

* The following ports were open in the system:


Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Data Serivce = "windows-krb.exe"

so that windows-krb.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name: windows-krb.exe
Process Filename: %Windir%\windows-krb.exe
Main Module Size: 368 640 bytes

* The following system service was modified:

Service Name: wscsvc
Display Name: Security Center
New Status: "Stopped"
Service Filename: %System%\svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

1. Filename(s): %Windir%\nigzss.txt
   File Size: 0 bytes
   File Hash: MD5: 0xD41D8CD98F00B204E9800998ECF8427E
              SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias: (not available)

2. Filename(s): [file and pathname of the sample #1]
                %Windir%\windows-krb.exe
   File Size: 99 840 bytes
   File Hash: MD5: 0xF753E71596E634CD0E7B2A8C4A4DE154
              SHA-1: 0x2BD42F05E910133A69A81BC789190A77B0010069
   Alias: Trojan.Win32.Jorik.Blazebot.g [Kaspersky Lab]
          Trojan:Win32/Ircbrute [Microsoft]
