NICK acelya
USER ferda_54 “Cod” “dalga.co.cc” :Perihan^^^^
USERHOST acelya
JOIN #x birtanem
}.
MODE #x
NOTICE acelya :.VERSION mIRC v6.03 Khaled Mardam-Bey.
NOTICE acelya :.version mIRC v6.16 Khaled Mardam-Bey.
NOTICE IRC :.version mIRC v6.16 Khaled Mardam-Bey.
NOTICE Version :.version mIRC v6.16 Khaled Mardam-Bey.
PRIVMSG #x :Sahip , Sana Hizmete Haz.r.m ( v2 )
NICK Cansu4
* The following port was open in the system:
Port Protocol Process
113 TCP iceshock.exe (%System%iceshock.exe)
* The following Host Name was requested from a host database:
o dalga.co.cc
* There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
o %System%iceshock.exe
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREClasses.cha
o HKEY_LOCAL_MACHINESOFTWAREClasses.chat
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFile
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileDefaultIcon
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShell
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopen
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopencommand
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexec
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecApplication
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecifexec
o HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecTopic
o HKEY_LOCAL_MACHINESOFTWAREClassesirc
o HKEY_LOCAL_MACHINESOFTWAREClassesircDefaultIcon
o HKEY_LOCAL_MACHINESOFTWAREClassesircShell
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopen
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopencommand
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexec
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecApplication
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecifexec
o HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecTopic
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallmIRC
o HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft Agent
o HKEY_CURRENT_USERSoftwaremIRC
o HKEY_CURRENT_USERSoftwaremIRCDateUsed
o HKEY_CURRENT_USERSoftwareWinRAR SFX
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREClasses.cha]
+ (Default) = “ChatFile”
o [HKEY_LOCAL_MACHINESOFTWAREClasses.chat]
+ (Default) = “ChatFile”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecTopic]
+ (Default) = “Connect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecifexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexecApplication]
+ (Default) = “mIRC”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopenddeexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileShellopencommand]
+ (Default) = “”%System%iceshock.exe” -noconnect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFileDefaultIcon]
+ (Default) = “”%System%iceshock.exe””
o [HKEY_LOCAL_MACHINESOFTWAREClassesChatFile]
+ (Default) = “Chat File”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecTopic]
+ (Default) = “Connect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecifexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexecApplication]
+ (Default) = “mIRC”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopenddeexec]
+ (Default) = “%1”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircShellopencommand]
+ (Default) = “”%System%iceshock.exe” -noconnect”
o [HKEY_LOCAL_MACHINESOFTWAREClassesircDefaultIcon]
+ (Default) = “”%System%iceshock.exe””
o [HKEY_LOCAL_MACHINESOFTWAREClassesirc]
+ (Default) = “URL:IRC Protocol”
+ EditFlags = 02 00 00 00
+ URL Protocol = “”
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallmIRC]
+ DisplayName = “mIRC”
+ UninstallString = “”%System%iceshock.exe” -uninstall”
o [HKEY_CURRENT_USERSoftwareMicrosoftMicrosoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USERSoftwaremIRCDateUsed]
+ (Default) = “1286804149”
o [HKEY_CURRENT_USERSoftwareWinRAR SFX]
+ C%%windows% = “%Windir%”
* The following Registry Value was modified:
o [HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain]
+ Start Page =
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
iceshock.exe %System%iceshock.exe 1 892 352 bytes
[filename of the sample #1] [file and pathname of the sample #1] 131 072 bytes
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 %System%1156.reg
%System%1855.reg
%System%1896.reg
%System%591.reg
%System%790.reg
%System%791.reg 101 bytes MD5: 0xE3ED578D9718A37675E5404C52D3282A
SHA-1: 0xB4344FF4662CCFA11F96E0EAB5C167C6A75D1191 (not available)
2 %System%167.reg
%System%773.reg 111 bytes MD5: 0x3CA629E3B4FE208FEBE38F523EF8A52A
SHA-1: 0xA6F13753EBB725FFB019476724622D059C22CFE2 (not available)
3 %System%Chans.dll 395 bytes MD5: 0x7F1AB1CE3894297D4EEAE84C36D4A7E0
SHA-1: 0xBCB7E582190A44E0104329C6AD21E98D5A64BE47 Backdoor.Mircbased [Ikarus]
4 %System%demo.xt 20 629 bytes MD5: 0x9853052BEC08929C1AB678D04DD0B4F0
SHA-1: 0xAE48E3E98F306663981B91F58B73B2D7CD22AE29 IRC/Flood.dv [McAfee]
IRC_Generic [Trend Micro]
Trojan.IRC.Flood.DV [Ikarus]
5 %System%email.txt 19 080 bytes MD5: 0xA83C141FEC1D065165CF59F5DA00D893
SHA-1: 0xD8C1A50B8981B8EC9DD03B21C8B5CD60C0E24492 (not available)
6 %System%fn.xt 11 773 bytes MD5: 0x17E9E7690A3B7C5859B78679FD5D540B
SHA-1: 0xBF6892A1CCBDABC4BBCF002D4192241AED1F7780 (not available)
7 %System%fuckers.jpg 31 933 bytes MD5: 0xF61C75713E64D209764BC188A7B400F8
SHA-1: 0xAF6E5FFA97460DADE79056F8B0FA52EB72CE8CA5 Trojan.IRC-Mimic [PCTools]
IRC.Mimic [Symantec]
Net-Worm.Win32.Randon [Ikarus]
8 %System%iceshock.exe 1 790 464 bytes MD5: 0xA35434C25FB2ED3BA36A016C03CB636C
SHA-1: 0xB4E8103B52ABCC8DCD9D2B058E9EF105EFE508CC not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
IRC/Client [McAfee]
not-a-virus:Client-IRC.Win32.mIRC [Ikarus]
Win-Trojan/MircPack.1790464 [AhnLab]
9 %System%LigTv Izle!_1.ico 97 566 bytes MD5: 0x6413A4253D39C1212F1B665454F81FBD
SHA-1: 0x77BFB7F62BFF25980296EA5E5CB236D50630BE87 (not available)
10 %System%mirc.ini 2 594 bytes MD5: 0x5D582EC09F417D627229B02A96C4D501
SHA-1: 0xA7DF4D976F8708A92C8494083E92610DA6C69578 (not available)
11 %System%nHTMLn_2.95.dll 10 240 bytes MD5: 0x4EDD1B6C4745BFED1CA141A01F6A9FD2
SHA-1: 0x932ED7A74D9D048E99E5795FCA2CA7578FEC9CAE Troj/Merc-A [Sophos]
12 %System%remote.ini 67 bytes MD5: 0x34BA3A3E6D3D98FA297024D3DCC40681
SHA-1: 0x6D7BE35BEFDD6DF692F166987CA3914251318CA6 (not available)
13 [file and pathname of the sample #1] 791 503 bytes MD5: 0x10EDC4E6057BF54696BF648879F902A6
SHA-1: 0x83D8072884AA3E1CD519FF5B7B460590C1AD6A18 not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
Backdoor.Mircbased [Ikarus]
Dropper/Malware.791503 [AhnLab]
14 %System%server.dll 101 bytes MD5: 0x1F355A2B491452EFBBD7E52F75375833
SHA-1: 0x744E277E5C2B202D9BEF7B0A9FE11C06D882241C (not available)
15 %System%sysingB32.dll 59 bytes MD5: 0xFC20E3CFF32B029F836E60BD9E7226B1
SHA-1: 0x0F2AAA79668DF8303495AA7E208207E5B4E20E48 (not available)
16 %System%win.ini 477 bytes MD5: 0x8715347D6B7B2E3A7CFE5ADF2D510CE3
SHA-1: 0x36C55AE9BD5F13E601A9C2FCB79B3237032D4AA7 (not available)