Remote Host      Port Number
204.0.5.51       80
208.53.183.20    80
208.53.183.46    80
67.210.170.179   80
205.188.59.194   25
64.12.90.98      25
67.43.232.36     5190
 * The data identified by the following URLs was then requested from the remote web server:
 o http://http.icq.com.edgesuite.net/pub/ICQ_Win95_98_NT4/ICQ_4/Lite_Edition/icq4_setup.exe
 o http://yutunrz.1dumb.com/reg?u=7710BA55&v=187&s=0&su=0&p=1&e=0&o=0&a=0&wr=75
 JOIN #kok7
 USERHOST FQixZtkC
 MODE ##xddc +smntu
 MODE #xddc1 +smntu
 MODE #xddc2 +smntu
 MODE #kok7 +smntu
 USER sxanro sxanro sxanro :kyxiqeezkkdoxrdj
 NICK FQixZtkC
 MODE FQixZtkC +xi
Other details
* The following ports were open in the system:
  Port    Protocol   Process
  1060    TCP        spoolsvc.exe (%System%\spoolsvc.exe)
  1114    TCP        spoolsvc.exe (%System%\spoolsvc.exe)
  37286   TCP        spoolsvc.exe (%System%\spoolsvc.exe)
Registry Modifications
 * The newly created Registry Values are:
   o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     + qozx = "%System%\ikjwcqijcmewox.exe"
       so that ikjwcqijcmewox.exe runs every time Windows starts
     + Spooler SubSystem App = "%System%\spoolsvc.exe"
       so that spoolsvc.exe runs every time Windows starts
 * The following Registry Values were modified:
   o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
     + AntiVirusOverride =
     + FirewallOverride =
Memory Modifications
* There were new processes created in the system:
  Process Name          Process Filename                 Main Module Size
  spoolsvc.exe          %System%\spoolsvc.exe            311 296 bytes
  ikjwcqijcmewox.exe    %System%\ikjwcqijcmewox.exe      73 728 bytes
File System Modifications
* The following files were created in the system:

  1  %System%\apfgu.exe
     File Size: 43 008 bytes
     MD5:       0x0F48EE11F8AD24456B28C36328990D29
     SHA-1:     0xB6F0ACF24BD786D6980C7B51B4467AB4AB05FAD2
     Alias:     Trojan.Gen [PCTools]
                Trojan.Gen [Symantec]
                P2P-Worm.Win32.Palevo.rmm [Kaspersky Lab]
                Generic.dx!noa [McAfee]
                Troj/DelfInj-E [Sophos]
                VirTool:Win32/DelfInject.gen!BH [Microsoft]
                Win32/Palevo.worm.52736.E [AhnLab]

  2  %System%\eltn.exe
     File Size: 33 280 bytes
     MD5:       0x62F81A1FAE4AA2ECD47F326B5D18D2E1
     SHA-1:     0x81CC7F780B41DD785685402E12FAE5EC32B661D6
     Alias:     Backdoor.Trojan [PCTools]
                Backdoor.Trojan [Symantec]
                Email-Flooder.Win32.Agent.r [Kaspersky Lab]
                Generic Flooder!a [McAfee]
                Mal/Generic-A [Sophos]
                VirTool:Win32/DelfInject.gen!BH [Microsoft]
                Win32/Palevo.worm.33280.D [AhnLab]

  3  %System%\ifdgzku.exe
     File Size: 43 008 bytes
     MD5:       0x1024BC6D735206A85209341A54672AFB
     SHA-1:     0xE3CC24CFD3368790BB001990E67123BEEA7E866C
     Alias:     Backdoor.Trojan [PCTools]
                Backdoor.Trojan [Symantec]
                P2P-Worm.Win32.Palevo.rmm [Kaspersky Lab]
                Generic.dx!nns [McAfee]
                Troj/DelfInj-E [Sophos]
                VirTool:Win32/DelfInject.gen!BH [Microsoft]
                Win32/Palevo.worm.52736.E [AhnLab]

  4  %System%\ikjwcqijcmewox.exe
     File Size: 43 520 bytes
     MD5:       0x98A09933FC8884944F75D65B07964FA1
     SHA-1:     0xDB95B69E3E42B172C81E6C32413C40364B544E87
     Alias:     Net-Worm.Bobic!sd5 [PCTools]
                W32.Bobax.AJ@mm [Symantec]
                Net-Worm.Win32.Bobic.n [Kaspersky Lab]
                W32/Bobax.worm.gen@MM [McAfee]
                WORM_BOBAX.BD [Trend Micro]
                W32/Bobax-S [Sophos]
                Worm:Win32/Bobax.U [Microsoft]
                Net-Worm.Win32.Bobic [Ikarus]
                Win32/Bobax.worm.43520 [AhnLab]

  5  %System%\lxtgldvy.exe
     File Size: 43 008 bytes
     MD5:       0x131117E06F5D6B2C8CDBEC3A63FC6163
     SHA-1:     0x8629C5BCD5D273897B0D33BDFD3A46125987E11D
     Alias:     Backdoor.Trojan [PCTools]
                Backdoor.Trojan [Symantec]
                P2P-Worm.Win32.Palevo.rmm [Kaspersky Lab]
                Generic.dx!nns [McAfee]
                Troj/DelfInj-E [Sophos]
                VirTool:Win32/DelfInject.gen!BH [Microsoft]
                Win32/Palevo.worm.52736.E [AhnLab]

  6  %System%\ojfchby.exe
     File Size: 43 008 bytes
     MD5:       0x9EB6DE0D4226C65F964E5DB470992AA5
     SHA-1:     0x548A98A7F0F17D0E783D9367C30E8D8BA80A7C25
     Alias:     Adware.Lop [PCTools]
                Adware.Lop [Symantec]
                P2P-Worm.Win32.Palevo.rmm [Kaspersky Lab]
                Generic.dx!nns [McAfee]
                Troj/DelfInj-E [Sophos]
                VirTool:Win32/DelfInject.gen!BH [Microsoft]
                Win32/Palevo.worm.52736.E [AhnLab]

  7  %System%\spoolsvc.exe
     File Size: 224 788 bytes
     MD5:       0x9D84A7CC448456368914A620D305EEA8
     SHA-1:     0xB38E68017D91D1FF52561904CCA5871689C75FB4
     Alias:     Trojan.IRCBot [PCTools]
                W32.IRCBot [Symantec]
                Net-Worm.Win32.Bobic.bc [Kaspersky Lab]
                W32/Bobax.worm.gen [McAfee]
                PE_BOBAX.AH [Trend Micro]
                W32/Bobax-S [Sophos]
                Virus:Win32/Bobax.A [Microsoft]
                Win32/Bobic.worm.225280 [AhnLab]

  8  %System%\xeumiqrc.exe
     File Size: 43 008 bytes
     MD5:       0x58010458BD245244AC726EC0434262F5
     SHA-1:     0x28983A7E246D240198E59996A0AC82E98CE5F394
     Alias:     Adware.Lop [PCTools]
                Adware.Lop [Symantec]
                P2P-Worm.Win32.Palevo.rmm [Kaspersky Lab]
                Generic.dx!noa [McAfee]
                Troj/DelfInj-E [Sophos]
                VirTool:Win32/DelfInject.gen!BH [Microsoft]
                Win32/Palevo.worm.52736.E [AhnLab]