| Remote Host | Port Number |
|---|---|
| 23u.no-ip.info | 51987 |

Resolved: [3u.no-ip.info] To []

PASS google_cache2.tmp
NICK NEW{EpicBot-USA|XP}615228
USER 7570 "" "TsGh" :7570
JOIN #Cheese#

Registry Modifications

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Simatic Updates = "%Windir%\winlogon.exe"
    + UserFaultCheck = "%System%\dumprep 0 -u"

    so that winlogon.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Simatic Updates = "%Windir%\winlogon.exe"

    so that winlogon.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

| Process Name | Process Filename | Main Module Size |
|---|---|---|
| iExplorer.exe | %Temp%\iExplorer.exe | 57 344 bytes |
| winlogon.exe | %Windir%\winlogon.exe | 57 344 bytes |

File System Modifications

* The following files were created in the system:

| # | Filename(s) | File Size | File Hash | Alias |
|---|---|---|---|---|
| 1 | %Temp%\google_cache2.tmp | 9 bytes | MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE; SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891 | (not available) |
| 2 | %Temp%\hoa3.tmp; %Temp%\yoa6.tmp | 176 128 bytes | MD5: 0x5D367E6597E664F00639947AFD180DDF; SHA-1: 0xCEE7FA600540BF16DF7ADEE32DC215288114278F | (not available) |
| 3 | %Temp%\iExplorer.exe; %Windir%\winlogon.exe | 212 057 bytes | MD5: 0x2364998AC3FD451A742032654053BB92; SHA-1: 0xB5BA1C7D9C00E68D57DD04E9AF41D1BB15D79326 | Net-Worm.Spybot.C!rem [PCTools]; W32.Spybot.Worm [Symantec]; IM-Worm.Win32.Zeroll.b [Kaspersky Lab]; Troj/Zeroll-Gen [Sophos]; VirTool:Win32/VBInject.gen!DO [Microsoft]; packed with UPX [Kaspersky Lab] |
| 4 | %Temp%\MeTuS Delphi 2.8.exe | 1 881 600 bytes | MD5: 0x76E1605D0D20771788BE1A370338F3CB; SHA-1: 0x9C302158E69334A5B7DEA76D63054C63C37A893A | Trojan.Generic [PCTools]; Trojan Horse [Symantec]; Trojan.Win32.Agent.cppg [Kaspersky Lab]; Generic.dx!ffy [McAfee]; Mal/Generic-A [Sophos]; Trojan:Win32/Orsam!rts [Microsoft]; Trojan.Win32.Agent [Ikarus]; Win-Trojan/Agent.1881600 [AhnLab] |
| 5 | [file and pathname of the sample #1] | 3 113 185 bytes | MD5: 0x54EE505C58D88D60D5ED22CD0776D918; SHA-1: 0x67F5A7661ADE7D74C5F709A5C362D61F6804B30F | Trojan.Gen [PCTools]; Trojan.Gen [Symantec]; Mal/Mdrop-BF [Sophos]; Virus.MSIL [Ikarus] |