Remote Host Port Number
75.118.123.95 8080

* The following IRC client commands were sent over that connection:

PASS secretpass
NICK gqlzHDrFG
USER xykablogB * 0 :USA|XP|481
MODE gqlzHDrFG
JOIN #i lol
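The handshake above is the whole of what a network sensor gets to see before the bot starts taking commands, so it is worth being able to pick it out of a reassembled TCP stream. The parser below is an added example, not code from the original report: it splits the client's IRC lines, pulls out the server password, nick, realname and channel key, and raises indicators for the traits this session shows (IRC on a port that is not a usual IRC port, a server password sent in the clear, a realname of the form COUNTRY|OS|number, a random-looking nick, a keyed channel join). The sample stream is constructed from the commands listed above; the realname regex, the list of "standard" IRC ports and the entropy threshold are this example's own assumptions.

```python
"""Parse a captured IRC client handshake and flag bot-style C2 traits.

Added example, not part of the original report. SAMPLE_STREAM is
constructed from the commands the report lists; REALNAME_RE,
STANDARD_IRC_PORTS and the entropy cut-off are assumptions.
"""
import math
import re
from collections import Counter

# Constructed sample: the client->server side of the stream to
# 75.118.123.95:8080, reassembled and decoded.
SAMPLE_STREAM = (
    "PASS secretpass\r\n"
    "NICK gqlzHDrFG\r\n"
    "USER xykablogB * 0 :USA|XP|481\r\n"
    "MODE gqlzHDrFG\r\n"
    "JOIN #i lol\r\n"
)

# Ports a legitimate IRC client would usually talk to (assumed list).
STANDARD_IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666,
                      6667, 6668, 6669, 6697, 7000}
# "COUNTRY|OS|number" realname, as in "USA|XP|481" (assumed bot convention).
REALNAME_RE = re.compile(r"^[A-Z]{2,3}\|[A-Za-z0-9]+\|\d+$")
NICK_ENTROPY_THRESHOLD = 3.0   # bits per character, assumed cut-off


def parse_irc_line(line):
    """Split one IRC line into (COMMAND, [params]); ':' starts the trailing param."""
    line = line.rstrip("\r\n")
    if not line:
        return None, []
    if line.startswith(":"):            # optional prefix; clients rarely send one
        _, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if sep:
        parts.append(trailing)
    return parts[0].upper(), parts[1:]


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_handshake(stream, dst_port):
    """Return (session details, list of indicator names) for one client stream."""
    details = {"port": dst_port, "password": None, "nick": None, "user": None,
               "realname": None, "channel": None, "channel_key": None}
    for raw in stream.split("\n"):
        cmd, params = parse_irc_line(raw)
        if cmd == "PASS" and params:
            details["password"] = params[0]
        elif cmd == "NICK" and params:
            details["nick"] = params[0]
        elif cmd == "USER" and len(params) >= 4:
            details["user"], details["realname"] = params[0], params[3]
        elif cmd == "JOIN" and params:
            details["channel"] = params[0]
            details["channel_key"] = params[1] if len(params) > 1 else None

    indicators = []
    if dst_port not in STANDARD_IRC_PORTS:
        indicators.append("irc_on_nonstandard_port")
    if details["password"]:
        indicators.append("server_password_in_clear")
    if details["realname"] and REALNAME_RE.match(details["realname"]):
        indicators.append("realname_encodes_country_os")
    if details["nick"] and shannon_entropy(details["nick"]) > NICK_ENTROPY_THRESHOLD:
        indicators.append("high_entropy_nick")
    if details["channel_key"]:
        indicators.append("keyed_channel_join")
    return details, indicators


if __name__ == "__main__":
    session, hits = analyze_handshake(SAMPLE_STREAM, 8080)
    print(session)
    print("indicators:", ", ".join(hits))
```

In practice the function is fed with client-side payloads from a stream reassembler; a single indicator such as the non-standard port is weak on its own, but the combination seen here (PASS, a generated nick, a realname that reports the victim's country and OS, and a keyed channel) is the signature of a bot checking in rather than a person chatting.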

Other details

* The following ports were open in the system:

Port Protocol Process
1055 TCP wuaucpl.exe (%Windir%\wuaucpl.exe)
17572 TCP wuaucpl.exe (%Windir%\wuaucpl.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
o HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE\0000
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service\Security
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service\Enum
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE\0000
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE\0000\Control
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service\Security
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service\Enum

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
+ ITime = “10/24/2010, 01:09 AM”
+ RuP = 0x0001DCAF
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
+ DoNotAllowXPSP2 = 0x00000001
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]
+ SFCDisable = 0xFFFFFF9D
+ SFCScan = 0x00000000
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
+ EnableFirewall = 0x00000000
o [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
+ EnableFirewall = 0x00000000
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
+ WaitToKillServiceT = “5000”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Local Service”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE\0000]
+ Service = “Local Service”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Local Service”
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LOCAL_SERVICE]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service\Enum]
+ 0 = “Root\LEGACY_LOCAL_SERVICE\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Local Service]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = “"%Windir%\wuaucpl.exe"”
+ DisplayName = “Local Service”
+ ObjectName = “LocalSystem”
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = “Enables service messages issued by Windows-based programs and components. This service cannot be stopped.”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
+ WaitToKillServiceT = “5000”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE\0000\Control]
+ *NewlyCreated* = 0x00000000
+ ActiveService = “Local Service”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE\0000]
+ Service = “Local Service”
+ Legacy = 0x00000001
+ ConfigFlags = 0x00000000
+ Class = “LegacyDriver”
+ ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
+ DeviceDesc = “Local Service”
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LOCAL_SERVICE]
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service\Enum]
+ 0 = “Root\LEGACY_LOCAL_SERVICE\0000”
+ Count = 0x00000001
+ NextInstance = 0x00000001
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service\Security]
+ Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Service]
+ Type = 0x00000110
+ Start = 0x00000002
+ ErrorControl = 0x00000000
+ ImagePath = “"%Windir%\wuaucpl.exe"”
+ DisplayName = “Local Service”
+ ObjectName = “LocalSystem”
+ FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
+ Description = “Enables service messages issued by Windows-based programs and components. This service cannot be stopped.”
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ ProxyEnable = 0x00000000

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
+ EnableDCOM =
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
+ AntiVirusOverride =
+ FirewallOverride =
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
+ (Default) =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
+ (Default) =
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
+ Cookies =
+ History =

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
wuaucpl.exe %Windir%\wuaucpl.exe 3 268 608 bytes

* There was a new service created in the system:

Service Name Display Name Status Service Filename
Local Service Local Service “Running” “%Windir%\wuaucpl.exe”

* The following system services were modified:

Service Name Display Name New Status Service Filename
ALG Application Layer Gateway Service “Stopped” %System%\alg.exe
RemoteRegistry Remote Registry “Stopped” %System%\svchost.exe -k LocalService
SharedAccess Windows Firewall/Internet Connection Sharing (ICS) “Stopped” %System%\svchost.exe -k netsvcs
wscsvc Security Center “Stopped” %System%\svchost.exe -k netsvcs
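Taken together, the policy values created above (SFCDisable, EnableFirewall for both profiles, DoNotAllowXPSP2), the new "Local Service" service and the stopped Windows Firewall and Security Center services describe one thing: the host's own defences being switched off so the bot can persist. The script below is an added example, not code from the original report, showing how a responder would assess a registry/service snapshot for exactly these changes. It decodes the service Type and Start values into their winsvc.h meanings, compares the policy values against the setting that leaves each control enabled, and flags a service whose display name mimics a built-in account name, runs interactively as LocalSystem from a loose executable under %Windir%, and auto-starts. SNAPSHOT is constructed from the values this report lists; the values the report shows as modified without their new data (EnableDCOM, AntiVirusOverride, FirewallOverride, restrictanonymous) are left out rather than guessed. Key paths, value names and the Type/Start bit meanings are real; the check names, the "safe" values and the %Windir% heuristic are this example's own assumptions.

```python
"""Assess a registry/service snapshot for the defensive rollbacks listed above.

Added example, not part of the original report. SNAPSHOT is constructed
from this report's values; in practice it would be filled from a .reg
export or a live query. POLICY_CHECKS, DEFENSIVE_SERVICES and the
heuristics in assess_service() are this example's own assumptions.
"""

# (key, value name, value that leaves the control enabled, meaning of the observed setting)
POLICY_CHECKS = [
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection", "SFCDisable", 0,
     "Windows File Protection disabled"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", 1,
     "Windows Firewall forced off by policy (Standard profile)"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall", 1,
     "Windows Firewall forced off by policy (Domain profile)"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2", 0,
     "Windows XP SP2 blocked from being offered by Windows Update"),
]

# Services whose "Stopped" state removes a host defence (assumed list).
DEFENSIVE_SERVICES = {
    "SharedAccess": "Windows Firewall/Internet Connection Sharing (ICS)",
    "wscsvc": "Security Center",
}

# Service Type bits and Start values as defined in winnt.h / winsvc.h.
SERVICE_TYPE_FLAGS = {0x001: "KERNEL_DRIVER", 0x002: "FILE_SYSTEM_DRIVER",
                      0x010: "WIN32_OWN_PROCESS", 0x020: "WIN32_SHARE_PROCESS",
                      0x100: "INTERACTIVE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
ACCOUNT_LOOKALIKE_NAMES = {"local service", "network service", "local system"}


def decode_service_type(type_value):
    """Return the symbolic names of the bits set in a service's Type value."""
    return [name for bit, name in sorted(SERVICE_TYPE_FLAGS.items()) if type_value & bit]


def assess_service(name, cfg):
    """Heuristic review of one service's configuration (assumed heuristics)."""
    findings = []
    type_names = decode_service_type(cfg["Type"])
    if "INTERACTIVE_PROCESS" in type_names and cfg.get("ObjectName") == "LocalSystem":
        findings.append(f"service '{name}': interactive process running as LocalSystem")
    image = cfg["ImagePath"].strip('"')
    prefix = "%windir%\\"
    # System services normally live below %System%; a bare file in %Windir% is unusual.
    if image.lower().startswith(prefix) and "\\" not in image[len(prefix):]:
        findings.append(f"service '{name}': loose executable directly under %Windir% ({image})")
    if cfg.get("DisplayName", "").strip().lower() in ACCOUNT_LOOKALIKE_NAMES:
        findings.append(f"service '{name}': DisplayName mimics a built-in account name")
    if START_TYPES.get(cfg["Start"]) == "AUTO_START":
        findings.append(f"service '{name}': auto-start persistence")
    return findings


def assess_snapshot(snapshot):
    """Return every deviation found in the snapshot's values, services and service states."""
    findings = []
    for key, value_name, safe_value, meaning in POLICY_CHECKS:
        observed = snapshot["values"].get((key, value_name))
        if observed is not None and observed != safe_value:
            findings.append(f"{key}\\{value_name} = 0x{observed:08X}: {meaning}")
    for name, cfg in snapshot["services"].items():
        findings.extend(assess_service(name, cfg))
    for svc, state in snapshot["service_status"].items():
        if svc in DEFENSIVE_SERVICES and state == "Stopped":
            findings.append(f"{DEFENSIVE_SERVICES[svc]} ({svc}) stopped")
    return findings


# Constructed from this report. EnableDCOM, AntiVirusOverride, FirewallOverride
# and restrictanonymous are listed as modified above without their new data,
# so they are deliberately not included here.
SNAPSHOT = {
    "values": {
        (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection", "SFCDisable"): 0xFFFFFF9D,
        (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection", "SFCScan"): 0,
        (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall"): 0,
        (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall"): 0,
        (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2"): 1,
    },
    "services": {
        "Local Service": {"Type": 0x110, "Start": 2, "ObjectName": "LocalSystem",
                          "ImagePath": r'"%Windir%\wuaucpl.exe"', "DisplayName": "Local Service"},
    },
    "service_status": {"ALG": "Stopped", "RemoteRegistry": "Stopped",
                       "SharedAccess": "Stopped", "wscsvc": "Stopped"},
}

if __name__ == "__main__":
    for line in assess_snapshot(SNAPSHOT):
        print(line)
```

The policy checks only fire when a value is present and differs from the setting that keeps the control on, because the absence of these policy values is the normal state of a workstation; on a live host the same dictionary can be populated with winreg and the service control manager, and the %Windir% heuristic should be tuned to the baseline of the environment.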

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%\wuaucpl.exe 415 232 bytes MD5: 0xA9FEE6230051027F41A74FFD0920F07C
SHA-1: 0x0CAFC0F6E38B3F6EBBC0951F1CC02A51BFD21743
Malware.Virut [PCTools]
W32.Virut.B [Symantec]
Packed.Win32.Black.a [Kaspersky Lab]
Generic.dx [McAfee]
Mal/Behav-285 [Sophos]
Trojan:Win32/Pakes [Microsoft]
Virus.Win32.SdBot.3700 [Ikarus]
Win-Trojan/Pakes.405504.C [AhnLab]
