Remote Host       Port Number
64.20.46.176      81
67.195.145.141    80
* The data identified by the following URL was then requested from the remote web server:
o http://wallprofiles.net/pic.exe
NICK n[USA|XP|COMPUTERNAME]putuqyw
USER n "" "lol" :n
JOIN #biz#
PONG 422
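The four IRC client commands above (NICK, USER, JOIN, PONG) are the bot's registration handshake with its C2 server. As an added example that is not part of the original report, the following Python parses the client side of such a session and flags the three indicators the report exposes: the nick format n[<country>|<os>|<hostname>]<random letters>, the "lol" real-name field in USER, and the join to #biz#. The session lines are constructed to mirror the report, with an assumed hostname WORKSTATION1 in place of COMPUTERNAME; the regex for the nick is an assumption generalised from the single observed nick.

```python
import re

# Constructed client-to-server lines modelled on the report's handshake; not captured traffic.
SAMPLE_SESSION = [
    "NICK n[USA|XP|WORKSTATION1]putuqyw",
    'USER n "" "lol" :n',
    "JOIN #biz#",
    "PONG 422",
    "PRIVMSG #biz# :hello",
]

# Assumed generalisation of the observed nick n[USA|XP|COMPUTERNAME]putuqyw:
# n[ country | os | hostname ] followed by a run of lower-case letters.
LOLBOT_NICK = re.compile(r"^n\[[A-Z]{2,3}\|[A-Za-z0-9]+\|[^\]|]+\][a-z]+$")
C2_CHANNEL = "#biz#"


def parse_irc_line(line):
    """Split one raw IRC line into (command, params, trailing).

    Strips an optional ':prefix' and separates the trailing parameter
    (everything after the first ' :'), which may itself contain spaces.
    """
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        line = line.split(" ", 1)[1] if " " in line else ""
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    return parts[0].upper(), parts[1:], trailing


def analyse_session(lines):
    """Return (indicator, raw_line) pairs for LolBot-style handshake traits."""
    hits = []
    for line in lines:
        cmd, params, _trailing = parse_irc_line(line)
        if cmd == "NICK" and params and LOLBOT_NICK.match(params[0]):
            hits.append(("lolbot_nick_format", line))
        elif cmd == "USER" and len(params) >= 3 and params[2].strip('"') == "lol":
            hits.append(("user_realname_lol", line))
        elif cmd == "JOIN" and params and params[0] == C2_CHANNEL:
            hits.append(("join_c2_channel", line))
    return hits


if __name__ == "__main__":
    for indicator, raw in analyse_session(SAMPLE_SESSION):
        print(f"{indicator:22s} {raw}")
```

A single hit (an unusual nick, or a join to a channel named #biz#) is weak on its own; the combination of all three in one registration sequence is what distinguishes this bot from ordinary IRC clients, so a detection should require at least two of them.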
Registry Modifications
* The newly created Registry Value is:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ WindowsDriverControl = "%AppData%\C-76947-8457-2745\wincdrsvn.exe"
so that wincdrsvn.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name    Process Filename    Main Module Size
gnt.exe         %Temp%\gnt.exe      323 584 bytes
File System Modifications
* The following files were created in the system:
#1  %AppData%\C-76947-8457-2745\wincdrsvn.exe
    %Temp%\gnt.exe
    Size:   323 584 bytes
    MD5:    0xF06F4893C8D7D972A1888055ABB3043E
    SHA-1:  0xBCFD472DC2412D9CEE088D97A52F19645B8BEA7B
    Alias:  Backdoor.LolBot [PCTools]

#2  [file and pathname of the sample #1]
    Size:   286 720 bytes
    MD5:    0xE4E921C2C44E97B7327251A0C17A2EB8
    SHA-1:  0x338FE93F833ED7B54B86CAADCCD2F6E21581EFA6
    Alias:  Backdoor.LolBot [PCTools]

#3  %System%\winrtsnr.txt
    Size:   0 bytes
    MD5:    0xD41D8CD98F00B204E9800998ECF8427E
    SHA-1:  0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
    Alias:  (not available)

Note: the two paths under #1 share one size and one hash, so the dropper writes the same binary to both %Temp%\gnt.exe and the Run-key target %AppData%\C-76947-8457-2745\wincdrsvn.exe. The hashes under #3 are the MD5 and SHA-1 of empty input; they match every 0-byte file and are not usable as an indicator on their own, only the path %System%\winrtsnr.txt is.
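The Run-key persistence described under Registry Modifications and the file hashes in the table above are the two host-side indicators a responder would sweep for. As an added example that is not part of the original report, the Python below does both offline: it parses a regedit-style export of the user's Run key (backslashes and quotes are escaped in that format, which the parser undoes) and flags autostart entries that point into %AppData% or %Temp%, and it looks file hashes up in the report's IOC set while demoting the empty-file hash to weak evidence. The .reg excerpt, the OneDrive entry and the check_hash inputs are constructed; the value name and path are the ones the report lists.

```python
import hashlib
import re

# IOC MD5s copied from the report's file table (lower-cased, 0x prefix dropped).
IOC_MD5 = {
    "f06f4893c8d7d972a1888055abb3043e": "wincdrsvn.exe / gnt.exe (Backdoor.LolBot)",
    "e4e921c2c44e97b7327251a0c17a2eb8": "sample #1 (Backdoor.LolBot)",
    "d41d8cd98f00b204e9800998ecf8427e": "winrtsnr.txt (0-byte marker)",
}
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # hash of zero bytes; matches any empty file

# Constructed excerpt of a 'regedit /e' export, already decoded from UTF-16 to str.
# In .reg syntax backslashes are doubled and embedded quotes are written as \".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WindowsDriverControl"="%AppData%\\C-76947-8457-2745\\wincdrsvn.exe"
'''

RUN_KEY = re.compile(
    r"^\[(HKEY_[A-Z_]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?)\]$", re.I)
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
# Autostart targets living in per-user writable locations are the suspicious case.
SUSPECT_DIRS = ("%appdata%", "%temp%", "\\appdata\\", "\\temp\\")


def unescape_reg(data):
    """Undo .reg string escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return data.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Yield (key, value_name, data) for string values under Run/RunOnce keys."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        if line.startswith("["):
            key = None  # some other key; ignore its values
            continue
        m = VALUE.match(line)
        if key and m:
            yield key, m.group(1), unescape_reg(m.group(2))


def suspicious_run_entries(text):
    """Return (value_name, command) for Run entries pointing into %AppData%/%Temp%."""
    return [(name, data) for _key, name, data in parse_reg_export(text)
            if any(tok in data.lower() for tok in SUSPECT_DIRS)]


def check_hash(md5hex):
    """Look an MD5 up in the IOC set; returns ('strong'|'weak', label) or None."""
    h = md5hex.lower()
    if h.startswith("0x"):
        h = h[2:]
    if h not in IOC_MD5:
        return None
    strength = "weak" if h == EMPTY_MD5 else "strong"
    return strength, IOC_MD5[h]


if __name__ == "__main__":
    for name, cmd in suspicious_run_entries(SAMPLE_REG):
        print(f"suspicious Run value {name!r} -> {cmd}")
    for h in ("0xF06F4893C8D7D972A1888055ABB3043E", "0xD41D8CD98F00B204E9800998ECF8427E"):
        print(h, check_hash(h))
```

On a live host the same logic applies to the output of reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run, decoded from UTF-16LE; the %AppData%/%Temp% heuristic will also catch legitimate per-user installers, so treat it as a triage filter and confirm with the hash or the path.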