62.193.249.122

Remote Host: 62.193.249.122 — Port Number: 3305
PASS secretpass

NICK P|zmm6xnq61
USER bv41i7oge * 0 :USA|XP|932
USERHOST P|zmm6xnq61
MODE P|zmm6xnq61
JOIN #mm RSA

Other details

* The following ports were open in the system:

Port Protocol Process
69 UDP unwise_.exe (%FontsDir%\unwise_.exe)
1053 TCP unwise_.exe (%FontsDir%\unwise_.exe)
38045 TCP unwise_.exe (%FontsDir%\unwise_.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller\Enum

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
+ intime = “08/22/2010, 03:58 AM”
+ reup = 0x0000007C
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
+ DoNotAllowXPSP2 = 0x00000001
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
+ DontReportInfectionInformation = 0x00000001
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
+ SFCDisable = 0xFFFFFF9D
+ SFCScan = 0x00000000
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
+ WaitToKillServiceT = “5000”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Windows Hosts Controller”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000]
+ Service = “Windows Hosts Controller”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Windows Hosts Controller”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller\Enum]
+ 0 = “Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Hosts Controller]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = “”%FontsDir%\unwise_.exe””
+ DisplayName = “Windows Hosts Controller”
+ ObjectName = “LocalSystem”
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = “Enables Windows Host Controller Service. This service cannot be stopped.”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
+ WaitToKillServiceT = “5000”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Windows Hosts Controller”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000]
+ Service = “Windows Hosts Controller”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Windows Hosts Controller”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_HOSTS_CONTROLLER]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller\Enum]
+ 0 = “Root\LEGACY_WINDOWS_HOSTS_CONTROLLER\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Hosts Controller]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = “”%FontsDir%\unwise_.exe””
+ DisplayName = “Windows Hosts Controller”
+ ObjectName = “LocalSystem”
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = “Enables Windows Host Controller Service. This service cannot be stopped.”
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ MaxConnectionsPer1_0Server = 0x0000FFFE
+ MaxConnectionsPerServer = 0x0000FFFE
+ ProxyEnable = 0x00000000

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
+ EnableDCOM =
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
+ AntiVirusOverride =
+ FirewallOverride =
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
+ (Default) =
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
+ Cookies =
+ History =

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
unwise_.exe %FontsDir%\unwise_.exe 5 046 272 bytes

* There was a new service created in the system:

Service Name Display Name Status Service Filename
Windows Hosts Controller Windows Hosts Controller “Running” “%FontsDir%\unwise_.exe”

* The following system services were modified:

Service Name Display Name New Status Service Filename
RemoteRegistry Remote Registry “Stopped” %System%\svchost.exe -k LocalService
wscsvc Security Center “Stopped” %System%\svchost.exe -k netsvcs

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash
1 %FontsDir%\unwise_.exe 150 528 bytes MD5: 0x2F87B30B25400F268FF02812905FDF4F
SHA-1: 0xC5FB5CBE478F2A4818EAE5CE5FF473239C56D2A2

* Note:
o %FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.
o Taken together, the registry and service changes listed above disable Windows File Protection (SFCDisable/SFCScan), block installation of XP SP2 (DoNotAllowXPSP2), suppress MRT infection reporting (DontReportInfectionInformation), override Security Center antivirus/firewall status (AntiVirusOverride/FirewallOverride), and stop the RemoteRegistry and Security Center (wscsvc) services, while the dropped binary runs as a LocalSystem service whose description claims it cannot be stopped.

* The following files were modified:
o %ProgramFiles%\NetMeeting\cb32.exe
o %Windir%\hh.exe
o %Windir%\inf\unregmp2.exe
o %Windir%\Microsoft.NET\Framework\NETFXSBS10.exe
o %Windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
o %Windir%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
o %Windir%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
o %Windir%\NOTEPAD.EXE
o %Windir%\regedit.exe
o %System%\accwiz.exe
o %System%\actmovie.exe
o %System%\ahui.exe
o %System%\arp.exe
o %System%\asr_fmt.exe
o %System%\asr_ldm.exe
o %System%\asr_pfu.exe
o %System%\at.exe
o %System%\atmadm.exe
o %System%\attrib.exe
o %System%\auditusr.exe
o %System%\autochk.exe
o %System%\autoconv.exe
o %System%\autofmt.exe
o %System%\autolfn.exe
o %System%\blastcln.exe
o %System%\bootcfg.exe
o %System%\bootok.exe
o %System%\bootvrfy.exe
o %System%\cacls.exe
o %System%\calc.exe
o %System%\charmap.exe
o %System%\chkdsk.exe
o %System%\chkntfs.exe
o %System%\cidaemon.exe
o %System%\cipher.exe
o %System%\cisvc.exe
o %System%\ckcnv.exe
o %System%\cleanmgr.exe
o %System%\clean_all.exe
o %System%\cliconfg.exe
o %System%\clipbrd.exe
o %System%\clipsrv.exe
o %System%\cmd.exe
o %System%\cmdl32.exe
o %System%\cmmon32.exe
o %System%\cmstp.exe
o %System%\Com\comrepl.exe
o %System%\Com\comrereg.exe
o %System%\comp.exe
o %System%\compact.exe
o %System%\conime.exe
o %System%\control.exe
o %System%\convert.exe
o %System%\cscript.exe
o %System%\dcomcnfg.exe
o %System%\ddeshare.exe
o %System%\defrag.exe
o %System%\dfrgfat.exe
o %System%\dfrgntfs.exe
o %System%\diantz.exe
o %System%\diskpart.exe
o %System%\diskperf.exe
o %System%\dllhst3g.exe
o %System%\dmadmin.exe
o %System%\dmremote.exe
o %System%\doskey.exe
o %System%\dplaysvr.exe
o %System%\dpnsvr.exe
o %System%\dpvsetup.exe
o %System%\driverquery.exe
o %System%\drwtsn32.exe
o %System%\dumprep.exe
o %System%\dvdplay.exe
o %System%\dvdupgrd.exe
o %System%\dxdiag.exe
o %System%\esentutl.exe
o %System%\eudcedit.exe
o %System%\eventcreate.exe
o %System%\eventtriggers.exe
o %System%\expand.exe
o %System%\extrac32.exe
o %System%\fc.exe
o %System%\find.exe
o %System%\findstr.exe
o %System%\finger.exe
o %System%\fixmapi.exe
o %System%\fltMc.exe
o %System%\fontview.exe
o %System%\forcedos.exe
o %System%\freecell.exe
o %System%\fsquirt.exe
o %System%\fsutil.exe
o %System%\ftp.exe
o %System%\gen_host.exe
o %System%\getmac.exe
o %System%\gpresult.exe
o %System%\gpupdate.exe
o %System%\grpconv.exe
o %System%\help.exe
o %System%\hostname.exe
