Remote Host Port Number
insidehighered.com 1034
* The following Internet Connection was established:
Server Name Server Port Connect as User Connection Password
browseusers.myspace.com 80 (null) (null)
* The following GET requests were made:
o Browse/Browse.aspx
o Browse/index.jpg
* The data identified by the following URL was then requested from the remote web server:
o http://4.45.182.239/index.php
Other details
* To mark the presence in the system, the following Mutex objects were created:
o Nvidia Drive Mon
o oleacc-msaa-loaded
o _!SHMSFTHISTORY!_
* The following Host Names were requested from a host database:
o astro.ic.ac.uk
o ale.pakibili.com
o versatek.com
o journalofaccountancy.com
o ds.phoenix-cc.net
o transnationale.org
o mas.0730ip.com
o stayontime.info
o www.shearman.com
o insidehighered.com
o ate.lacoctelera.net
o websitetrafficspy.com
o qun.51.com
o summer-uni-sw.eesp.ch
o shopstyle.com
o xxx.stopklatka.pl
o unclefed.com
o mcsp.lvengine.com
o deirdremccloskey.org
o journals.lww.com
o middleastpost.org
o mas.archivum.info
o scribbidyscrubs.com
o mas.mtime.com
o ols.systemofadown.com
o tripadvisor.com
o mas.tguia.cl
o albertoshistory.info
o mas.josbank.com
o erdbeerlounge.de
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ NVIDIA driver monitor = “%Windir%nvsvc32.exe”
so that nvsvc32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTerminal ServerInstallSoftwareMicrosoftWindowsCurrentVersionRun]
+ NVIDIA driver monitor = “%Windir%nvsvc32.exe”
so that nvsvc32.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ NVIDIA driver monitor = “%Windir%nvsvc32.exe”
so that nvsvc32.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
nvsvc32.exe %Windir%nvsvc32.exe 3 129 344 bytes
[filename of the sample #1] [file and pathname of the sample #1] 77 824 bytes
nvsvc32.exe %ProgramFiles%nvsvc32.exe 3 129 344 bytes
* The following system service was modified:
Service Name Display Name New Status Service Filename
wuauserv Automatic Updates “Stopped” %System%svchost.exe -k netsvcs
File System Modifications
* The following file was created in the system:
# Filename(s) File Size File Hash Alias
1 %ProgramFiles%nvsvc32.exe
%Windir%nvsvc32.exe
[file and pathname of the sample #1] 58 880 bytes MD5: 0x08E2F9F6BFAAB01036D290B44B3122C7
SHA-1: 0x09748780FD29FAC49BB2D14B5700CA9692575F9D Trojan.Win32.Jorik.IRCbot.io [Kaspersky Lab]
Backdoor:Win32/IRCbot [Microsoft]
Win-Trojan/Seint.58880.B [AhnLab]