Remote Host Port Number 6667

NICK {XPUSA345887}
JOIN #hack
PONG irc.hackers.gov
MODE {XPUSA345887} +ix

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows Services = “servis.exe”

so that servis.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Windows Update = “%Temp%service2.exe”

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
servis.exe %Temp%servis.exe 356 352 bytes

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash Alias
1 %Temp%servis.exe
[file and pathname of the sample #1] 24 576 bytes MD5: 0xCD7197E90BAAAB74166D468210D162C4
SHA-1: 0xBFD4DE9391DDA67DB5A83FA6B43DD4C127EC3C3D Trojan.IRCBot [PCTools]
W32.IRCBot.Gen [Symantec]
Backdoor.Win32.IRCBot.gen [Kaspersky Lab]
Mal/IRCBot-C [Sophos]
Backdoor.Win32.IRCBot [Ikarus]
Win32/IRCBot.worm.Gen [AhnLab]
packed with UPX [Kaspersky Lab]

Categories: Uncategorized