88.255.104.172

Remote Host       Port Number
88.255.104.172    80
88.255.104.172    81

NICK [00_USA_XP_4068627]
USER SP2-417 * 0 :COMPUTERNAME
NICK [N00_USA_XP_8141634]
USER SP2-844 * 0 :COMPUTERNAME

* The following ports were open in the system:

Port    Protocol    Process
1051    TCP         Zsnkstm.exe (%System%\Zsnkstm.exe)
1053    TCP         Zsnkstm.exe (%System%\Zsnkstm.exe)
1055    TCP         Zsnkstm.exe (%System%\Zsnkstm.exe)
1056    TCP         Zsnkstm.exe (%System%\Zsnkstm.exe)
1057    TCP         Zsnkstm.exe (%System%\Zsnkstm.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = “%System%\Zsnkstm.exe”

so that Zsnkstm.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Driver Setup = “%System%\Zsnkstm.exe”

so that Zsnkstm.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name    Process Filename        Main Module Size
Zsnkstm.exe     %System%\zsnkstm.exe    339 968 bytes

File System Modifications

* The following files were created in the system:

1. Filename(s): %Windir%\logfile32.txt
   File Size: 0 bytes
   File Hash: MD5: 0xD41D8CD98F00B204E9800998ECF8427E
              SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias: (not available)

2. Filename(s): [file and pathname of the sample #1]
                %System%\Zsnkstm.exe
   File Size: 290 816 bytes
   File Hash: MD5: 0x216F53985E3FE5BDB444E80A49CB1362
              SHA-1: 0x851A91682E14D9C519D60319E455077F50B224E6
   Alias: Worm.Win32.Peda.j [Kaspersky Lab]
          Trojan.Win32.Ircbrute [Ikarus]
