92.243.21.78 (Virus from Saudi Arabia botnets)

Remote Host      Port Number
92.243.12.218    3211
92.243.21.78     3211
92.243.22.188    3211

NICK {NEW}[USA][XP-SP2]801696
NICK [USA][XP-SP2]784622
USER VirUs “” “lol” :4628
NICK [USA][XP-SP2]957255
USER VirUs “” “lol” :6212
USER VirUs “” “lol” :3708
NICK [USA][XP-SP2]707206
USER VirUs “” “lol” :6114
NICK [USA][XP-SP2]028704
USER VirUs “” “lol” :3165
NICK [USA][XP-SP2]934755
USER VirUs “” “lol” :7750
NICK 9552
NICK [USA][XP-SP2]577267
USER VirUs “” “lol” :4297
NICK [USA][XP-SP2]187946
USER VirUs “” “lol” :2869
NICK [USA][XP-SP2]042228
USER VirUs “” “lol” :2269
NICK [USA][XP-SP2]496137
USER VirUs “” “lol” :2019
NICK [USA][XP-SP2]974417
USER VirUs “” “lol” :1285
NICK [USA][XP-SP2]080277
USER VirUs “” “lol” :6320
NICK [USA][XP-SP2]192615
USER VirUs “” “lol” :2695
NICK [USA][XP-SP2]432956
USER VirUs “” “lol” :9124
NICK [USA][XP-SP2]022810
USER VirUs “” “lol” :7428

Registry Modifications

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Firewall = “%Temp%\Winlogen.exe”

    so that Winlogen.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Firewall = “%Temp%\Winlogen.exe”

    so that Winlogen.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name    Process Filename       Main Module Size
Winlogen.exe    %Temp%\winlogen.exe    61 440 bytes

File System Modifications

* The following files were created in the system:

#  Filename(s)                             File Size       File Hash
1  %Temp%\google_cache11113.tmp            9 bytes         MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
                                                           SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
2  %Temp%\Winlogen.exe                     106 497 bytes   MD5: 0x2F62DBEB5C53122D70F144F66B0D129E
   [file and pathname of the sample #1]                    SHA-1: 0x3BD2BA8C8646774BA83C3678A8C758281D25BD0A
