rQ1.up.aic.pa

Remote Host Port Number
74.117.174.3 1863

NICK [l4M3r]pdmcl
USER .fregj “” “lch” :fregj
JOIN #lamers# l4mo
PONG :rQ1.up.aic.pa

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{28ABC5C0-4FCB-11CF-AAX5-21CX1C643131}]
+ StubPath = “c:SYSTEMS-1-5-21-1482476501-1644491937-682003330-1013system32.exe”

so that system32.exe runs every time Windows starts

# he following directories were created:

* c:SYSTEM
* c:SYSTEMS-1-5-21-1482476501-1644491937-682003330-1013

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 c:SYSTEMS-1-5-21-1482476501-1644491937-682003330-1013Desktop.ini 62 bytes MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514 (not available)
2 c:SYSTEMS-1-5-21-1482476501-1644491937-682003330-1013system32.exe
[file and pathname of the sample #1] 118 784 bytes MD5: 0x1D5FAD8636788D69E03324493FC1D985
SHA-1: 0x3C6108B2DE90721995A40E9043CDE27187E9ABE0 Backdoor.IRCBot!sd6 [PCTools]
W32.IRCBot [Symantec]
Worm.Win32.AutoRun.vhg [Kaspersky Lab]
W32/Sdbot.worm.gen.ay [McAfee]
WORM_HAMWEQ.BU [Trend Micro]
W32/SdBot-DOE [Sophos]
Worm:Win32/Hamweq.A [Microsoft]
Worm.Win32.AutoRun [Ikarus]
Win32/Autorun.worm.118784.B [AhnLab]