1.sarkievi.net

Remote Host Port Number
212.175.158.43 6667 PASS lnx

Resolved : [1.sarkievi.net] To [212.175.158.43]

MODE [00|USA|227819] -ix
JOIN #Cd# NhG
NICK [00|USA|227819]
USER XP-7853 * 0 :COMPUTERNAME

Now talking in #Cd#
Topic On: [ #Cd# ] [ .msn.msg Foto 😀 http://to.ly/7Lkw?= ]
Topic By: [ Samuray ]

Other details

* The following port was open in the system:

Port Protocol Process
1052 TCP winupd.exe (%Windir%winupd.exe)

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows Update Manager = “winupd.exe”

so that winupd.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
winupd.exe %Windir%winupd.exe 323 584 bytes
[filename of the sample #1] [file and pathname of the sample #1] 323 584 bytes

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1]
%Windir%winupd.exe 51 242 bytes MD5: 0x404AC8CFD40657B6BCF117B1484E1450
SHA-1: 0x2E53E01FCF69E43CDD0D65D4F6F4841760BAA08E Trojan.Dropper [PCTools]
Trojan.Dropper [Symantec]
Trojan.Win32.Buzus.fuqj [Kaspersky Lab]
Trojan:Win32/Meredrop [Microsoft]
Trojan.Win32.Buzus [Ikarus]