fix.winware.info

Remote Host         Port Number
fix.winware.info    3482

NICK {NEW}[USA][XP-SP2]785275
USER 2736 "" "lol" :2736
JOIN #zxt
NICK [USA][XP-SP2]054542
USER 8053 "" "lol" :8053
NICK [USA][XP-SP2]607001
USER 2802 "" "lol" :2802

(DiGiGoth) ;udp 88.228.140.151 80 10
([USA][XP-SP3]283124) UDP Flood Started
([CAN][VS-SP2]535032) UDP Flood Started
([USA][XP-SP2]738296) UDP Flood Started
([POL][XP-SP3]293661) UDP Flood Started
([FIN][XP-SP2]233285) UDP Flood Started
([ARG][XP-SP3]568580) UDP Flood Started
([DEU][XP-SP3]184458) UDP Flood Started

(TereZz) .login fs
({NEW}[USA][XP-SP2]18414 12) .login fs
[11:16]@(DiGiGoth) ;]
[11:17]@(DiGiGoth) ;ver

Other details

* To mark the presence in the system, the following Mutex objects were created:
o RAL3BBE6CE7
o 3BBE6CE7::WK
o hdf93hfsDS

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74E902B0-4D42-E37E-EC7F-DE7A8389195A}
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74E902B0-4D42-E37E-EC7F-DE7A8389195A}\InprocServer
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74E902B0-4D42-E37E-EC7F-DE7A8389195A}\InprocServer32
o HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74E902B0-4D42-E37E-EC7F-DE7A8389195A}\InprocServer32]
+ (Default) = "oleaut32.dll"
+ InprocServer32 = "Fs99c’tvV9[6a*%9La^qToolbox>M5KDYSUnf(HA*L[xeX)y"
+ ThreadingModel = "Both"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74E902B0-4D42-E37E-EC7F-DE7A8389195A}\InprocServer]
+ (Default) = "ole2disp.dll"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74E902B0-4D42-E37E-EC7F-DE7A8389195A}]
+ (Default) = "PSTypeInfo"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Firewall = "%Temp%\lsass.exe"
  (so that lsass.exe runs every time Windows starts)
o [HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]
+ {R7C0DB872A3F777C0} = 4A 8D 7D 4C
+ {K7C0DB872A3F777C0} = BC DB 12 5D 83 10 1F 68 77 3F 6D 07 1E 46 2E 03 07 99 01 65 14 0F C8 1F F3 29 FB 4A 8D 7D 4C FF FF FF FF 87 30 0C C3 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Firewall = "%Temp%\lsass.exe"
  (so that lsass.exe runs every time Windows starts)

Memory Modifications

* There were new processes created in the system:

Process Name                   Process Filename                       Main Module Size
lsass.exe                      %Temp%\lsass.exe                       1 208 320 bytes
[filename of the sample #1]    [file and pathname of the sample #1]   1 208 320 bytes

File System Modifications

* The following files were created in the system:

#   Filename(s)                             File Size        File Hash
1   %Temp%\google_cache101.tmp              9 bytes          MD5:   0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
                                                             SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
2   %Temp%\lsass.exe                        954 368 bytes    MD5:   0xA2401AC5984CBB39503C28C6EF2BEEF1
    [file and pathname of the sample #1]                     SHA-1: 0x076491CDE0DF6F1EB0605DD7BD32F44E3FC17D95

1 Comment

  • Software says:

    hahahaha and what do u think u did with this u idiot, did u test before posting?
    that's lame to post this before testing

    now this is a VPS by MH2
    IRC: vps1.modernhacker2.info port: 1337
    enjoy