Remote Host  Port Number
 74.117.174.99  32322
NICK wyhiwhkq
 JOIN #t4 l4m
 USER wyhiwhkq * 0 :COMPUTERNAME
 MODE wyhiwhkq +ix
* The following port was open in the system:
Port  Protocol  Process
 1052  TCP  Tolbars.exe (%Windir%\Web\Tolbars.exe)
Registry Modifications
 * The newly created Registry Value is:
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 + MSN = "%Windir%\Web\Tolbars.exe"
so that Tolbars.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name  Process Filename  Main Module Size
 Tolbars.exe  %Windir%\web\tolbars.exe  319 488 bytes
File System Modifications
* The following files were created in the system:
#  Filename(s)  File Size  File Hash  Alias
 1  [file and pathname of the sample #1]
 %Windir%\Web\Tolbars.exe  74 240 bytes  MD5: 0x72EF11A032DE6D040BB0A92F86DBF225
 SHA-1: 0x6D686C473398F843DAB749C0D61B1473572C20EC  Net-Worm.SillyFDC [PCTools]
 W32.SillyFDC [Symantec]
 Generic Downloader.de [McAfee]
 Mal/Maher-A [Sophos]
 Worm:Win32/Autorun.UC [Microsoft]
 Trojan-Dropper.Delf [Ikarus]
 packed with PE_Patch [Kaspersky Lab]
 2  %Windir%\ud.sys  0 bytes  MD5: 0xD41D8CD98F00B204E9800998ECF8427E
 SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709  (not available)