125.17.135.163 (cC-Team united lamers botnet)

Remote Host: 125.17.135.163
Port Number: 6667

PASS blah
NICK fawrqd
USER pscebs "" "btj" :pscebs
PONG :EF4570FF
JOIN #cC-Team x0r
PONG :irc.flaw.net

Invisible Users: 786
Channels: 14 channels formed
Clients: I have 810 clients and 0 servers
Local users: Current Local Users: 810 Max: 1185
Global users: Current Global Users: 810 Max: 1052

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0d5C0-4FCB-11CF-AcX5-01401C608592}

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0d5C0-4FCB-11CF-AcX5-01401C608592}]
+ StubPath = "c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\autorun.exe"

so that autorun.exe runs every time Windows starts

File System Modifications

* The following files were created in the system:

1. c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\autorun.exe [file and pathname of the sample #1]
   File Size: 19 993 bytes
   File Hash: MD5: 0x47C7E93DFE3F6BE2CB7FF7AE3993851B
              SHA-1: 0x376CBB97AA5B76CADBA6FCEA2A817F5A2A5ACABB
   Alias: Trojan Horse [Symantec]
          IRC-Worm.Win32.Small.gg [Kaspersky Lab]
          Backdoor:Win32/IRCbot.dr [Microsoft]
          Backdoor.IRC.ZGK [Ikarus]
          Win-Trojan/IRCBot.16896 [AhnLab]

2. c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\Desktop.ini
   File Size: 64 bytes
   File Hash: MD5: 0x12E455201A2D9CA663F97626C52E838E
              SHA-1: 0x27406F548FDC1D43CE9D3087B07054C3AB55ACFD
   Alias: (not available)
