Remote Host Port Number 32322

NICK wyhiwhkq
JOIN #t4 l4m
MODE wyhiwhkq +ix

* The following port was open in the system:

Port Protocol Process
1052 TCP Tolbars.exe (%Windir%WebTolbars.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ MSN = “%Windir%WebTolbars.exe”

so that Tolbars.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
Tolbars.exe %Windir%webtolbars.exe 319 488 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1]
%Windir%WebTolbars.exe 74 240 bytes MD5: 0x72EF11A032DE6D040BB0A92F86DBF225
SHA-1: 0x6D686C473398F843DAB749C0D61B1473572C20EC Net-Worm.SillyFDC [PCTools]
W32.SillyFDC [Symantec]
Generic Downloader.de [McAfee]
Mal/Maher-A [Sophos]
Worm:Win32/Autorun.UC [Microsoft]
Trojan-Dropper.Delf [Ikarus]
packed with PE_Patch [Kaspersky Lab]
2 %Windir%ud.sys 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)

Categories: Uncategorized