Remote Host Port Number
193.106.173.153 6667
NICK n{USA|XP}156462
USER 1564 "" "TsGh" :1564
JOIN #dotz
Registry Modifications
* The following Registry Keys were created:
  o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  o HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
  o HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    + EnableLUA = 0x00000000
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = "%AppData%\winlogon.exe"
    + UserFaultCheck = "%System%\dumprep 0 -u"
    so that winlogon.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    + EnableLUA = 0x00000000
    + DisableRegistryTools = 0x00000001
    + DisableTaskMgr = 0x00000001
    to disable the Windows registry editors (Regedt32.exe and Regedit.exe)
    to prevent users from starting Task Manager (Taskmgr.exe)
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Update System = "%AppData%\winlogon.exe"
    so that winlogon.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
    + DisableCMD = 0x00000002
    to disable command prompt Cmd.exe, and batch files (.cmd and .bat)
File System Modifications
* The following files were created in the system:
#  Filename(s)                             File Size        File Hash
1  %AppData%\winlogon.exe                  1 049 088 bytes  MD5: 0x91741BE015CFBFC0AC5B9DCCCFAD299B
   [file and pathname of the sample #1]                     SHA-1: 0xB9D785387CA2D7B661354375534CFA6A999E519E
2  %Temp%\google_cache2.tmp                9 bytes          MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
                                                            SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891