92.243.22.188 (VirUs botnet)

Remote Host      Port Number
92.243.22.188    3211

NICK {NOVY}[USA][XP-SP2]864460
USER VirUs "" "lol" :3037
JOIN #sWo2# VrX
PRIVMSG #sWo2# :Registry/Processes cleaned.
PONG :kindly.dont.suspend

Registry Modifications

* The newly created Registry Values are:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + Driver Control Manager v1.0 = "%Temp%\MCDT.exe"
          so that MCDT.exe runs every time Windows starts
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        + Driver Control Manager v1.0 = "%Temp%\MCDT.exe"
          so that MCDT.exe runs every time Windows starts

* The following Registry Values were deleted:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + VMware Tools = "%ProgramFiles%\VMware\VMware Tools\VMwareTray.exe"
        + VMware User Process = "%ProgramFiles%\VMware\VMware Tools\VMwareUser.exe"
    o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        + MSMSGS = ""%ProgramFiles%\Messenger\msmsgs.exe" /background"

Memory Modifications

* There was a new process created in the system:

  Process Name    Process Filename    Main Module Size
  MCDT.exe        %Temp%\mcdt.exe     53 248 bytes

File System Modifications

* The following files were created in the system:

  1. %Temp%\explorer_cache2224422.tmp
     File Size: 9 bytes
     File Hash: MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
                SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
     Alias: (not available)

  2. %Temp%\MCDT.exe [file and pathname of the sample #1]
     File Size: 131 073 bytes
     File Hash: MD5: 0x0347E0C9C6339DC733F0E1D68D9633D6
                SHA-1: 0xA84750F40D953DC1F5C82E53F777C2AE70B748F0
     Alias: Mal/VBInject-D [Sophos], Trojan:Win32/Ircbrute [Microsoft]
