updateserver.net(Burimi big hecker)

Remote Host       Port Number
109.123.108.61    81    (ircd here)
200.54.145.171    81    (ircd here)
88.208.209.166    81    (ircd here)
67.195.140.222    80

Resolved : [updateserver.net] To [88.208.209.166]
Resolved : [updateserver.net] To [109.123.108.61]

PONG :hub.not.found
NICK n[USA|XP|COMPUTERNAME]ajudsuq
USER n "" "lol" :n
JOIN #biz#
PONG 422
NICK n[USA|XP]1167074
PONG :request2.not.found
USER s "" "lol" :s
JOIN #newbin#

* The data identified by the following URL was then requested from the remote web server:
o http://p8.hostingprod.com/@www-facebooki.com/biz.exe

* The following ports were open in the system:

Port   Protocol   Process
1055   TCP        msnd.exe (%AppData%\msnd.exe)
1056   UDP        msnd.exe (%AppData%\msnd.exe)

Registry Modifications

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows System Guard = "%AppData%\msnd.exe"

    so that msnd.exe runs every time Windows starts

  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + WindowsDriverControl = "%AppData%\C-76947-8457-2745\msnliveap.exe"

    so that msnliveap.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename      Main Module Size
msnd.exe       %AppData%\msnd.exe    65 536 bytes

File System Modifications

* The following files were created in the system:

#  Filename(s) / File Size / File Hash / Alias

1  Filename(s): %AppData%\C-76947-8457-2745\msnliveap.exe
                %Temp%\7464.exe
   File Size:   172 032 bytes
   File Hash:   MD5: 0x3DAF43463B3ED56714F3E1887969E825
                SHA-1: 0xC92E87020D6A33C6FAA24A914223D1463F589D1B
   Alias:       VirTool:Win32/VBInject.KR [Microsoft]

2  Filename(s): %AppData%\msnd.exe
                [file and pathname of the sample #1]
   File Size:   151 552 bytes
   File Hash:   MD5: 0x989CA08E8F06FABB885F04C318062CA9
                SHA-1: 0xCF9E0EF3423BA164AC1F83CB01DB56437ACA9E9E
   Alias:       Trojan.Win32.Jorik.Lolbot.ga [Kaspersky Lab]
                Mal/Generic-L [Sophos]
                VirTool:Win32/VBInject.JX [Microsoft]
                Virus.Win32.VBInject [Ikarus]

3  Filename(s): %System%\win32app.txt
                %System%\winlogon.txt
   File Size:   0 bytes
   File Hash:   MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias:       (not available)