109.169.40.186

Remote Host       Port Number
109.169.40.186    9600

PASS (null)
NICK {N}|USA|XP|COMPUTERNAME|615267
USER ktzwiz “” “ntfj” :COMPUTERNAME
JOIN #baddy
PRIVMSG #baddy :New Servant.

Registry Modifications

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Live Firawall = “%ProgramFiles%\winlogon.exe”
    + UserFaultCheck = “%System%\dumprep 0 -u”

    so that winlogon.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Live Firawall = “%ProgramFiles%\winlogon.exe”

    so that winlogon.exe runs every time Windows starts

* The following directories were created:
  o c:\My Downloads
  o %ProgramFiles%\KAZAA

File System Modifications

* The following files were created in the system:

# 1
  Filename(s): %Temp%\google_i76s[[8tu]-75kj_x.tmp
               %Temp%\google__i76s[[8tu]-75kj_x.tmp
  File Size:   9 bytes
  File Hash:   MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
               SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
  Alias:       (not available)

# 2
  Filename(s): %ProgramFiles%\winlogon.exe
               [file and pathname of the sample #1]
  File Size:   143 360 bytes
  File Hash:   MD5: 0x4339593289CB7D73D9443CB11C440403
               SHA-1: 0xF53D66CAF1D942E706D732D9E26A05CAE296DF49
  Alias:       Packed.Generic.307 [Symantec]
               Worm.Win32.VBNA.b [Kaspersky Lab]
