91.203.146.65

By Pig, November 20, 2010

Remote Host Port Number
173.193.205.116 8014
193.143.121.198 80
200.234.203.76 80
69.163.250.145 80
69.50.197.244 80
78.46.49.226 80
85.17.94.148 80
89.238.149.67 80
92.241.184.111 80
91.203.146.65 7276 ircd here

USER gtsufeod gtsufeod gtsufeod :ygzhjngb
NICK aSFamvBfc
MODE aSFamvBfc +xi
JOIN #maxi
USERHOST aSFamvBfc
PONG :lols.nope.com
MODE #maxi +smntu
Now talking in #maxi
Topic On: [ #maxi ] [ =IxgN+TVR/M3693AU+b3Zymnqh7XjJ1xl8jRu0jdcrmWRb9Cr2BZAVxeyjwZ5PinlmrfYQ071m7u5f6tl0MGpVffGThs1UcXWLPEB2izDaRPHN8sxZILY/zc1b9ShwEHRBfKIZHRzdVWFQLUQ74SpuICbyIMK9U9yfLFnFvRV2Q1ry1d9NFrF1qzxS1kgf9/MG+tReUpUCS70eGoaIVQBELe+h1jgUQOlu6bKkas6aD8ro4e/ZSuWsr90pUDny6j8vHGNx99a/dFEw/gHLDmso9qbVB ]
Topic By: [ njc44LYs ]

* The data identified by the following URLs was then requested from the remote web server:
o http://cache.wru.pl/skulls.php?net=gnutella2&get=1&client=RAZA2.5.0.0
o http://leite4.uni.cc/gwc.php?net=gnutella2&get=1&client=RAZA2.5.0.0
o http://cache.trillinux.org/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0
o http://69.50.197.244/ld/data.exe
o http://jayl.de/gweb/g2/bazooka.php?net=gnutella2&get=1&client=RAZA2.5.0.0
o http://gweb.4octets.co.uk/skulls.php?net=gnutella2&get=1&client=RAZA2.5.0.0

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupData
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet32

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupData]
+ data5 = 48 52 37 36 2C 11 58 93 F6 70 E8 43 85 E9 5F 91 F0 72 F2 41 DE 35 D4 BE A8 8F F4 77 E2 64 C6 33 2F 30 36 3E 33 17 5A 8B CA 43 8B 02 C5 AD 5B 82 F9 73 F5 78 D9 76 D4 E3 E7 CA F1 79 F4 65 CE 34 0C 08
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ g0dll = “%Temp%g0dllp.exe”
+ g0dllr = “%Temp%g0dllrp.exe”

so that g0dllp.exe runs every time Windows starts
so that g0dllrp.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet32]
+ DllName = “cryptnet32.dll”
+ Startup = “WinlogonStartupEv”
+ Logoff = “WinlogonLogoffEv”
+ Shutdown = “WinlogonLogoffEv”
+ Asynchronous = 0x00000001
+ Impersonate = 0x00000000

so that cryptnet32.dll is installed as a Winlogon notification package

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
+ Shell =
+ Userinit =
o [HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows]
+ load =

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
g0dllp.exe %Temp%g0dllp.exe 81 920 bytes
g0dllrp.exe %Temp%g0dllrp.exe 81 920 bytes

* There were new memory pages created in the address space of the system process(es):

Process Name Process Filename Allocated Size
svchost.exe %System%svchost.exe 200 704 bytes
svchost.exe %System%svchost.exe 217 088 bytes
svchost.exe %System%svchost.exe 98 304 bytes
svchost.exe %System%svchost.exe 118 784 bytes
svchost.exe %System%svchost.exe 24 576 bytes
svchost.exe %System%svchost.exe 45 056 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %AppData%LmHosts.exe 143 360 bytes MD5: 0x6FEBA639A99C6EEEF9C089AF98B5771E
SHA-1: 0xF196B18C5C6B789C3011BEE6EF27C1931A9E76E3 HeurEngine.MaliciousPacker [PCTools]
Packed.Generic.307 [Symantec]
VirTool:Win32/VBInject.gen!DM [Microsoft]
Trojan.Win32.Malagent [Ikarus]
2 %Temp%g0dllp.exe 196 608 bytes MD5: 0xEDD97F4D2DBC47DADB0600C97F2BA3C1
SHA-1: 0xE3E47A8C876A623FA0A72D1E42FBBF221FF39EB2 Generic.dx!utg [McAfee]
VirTool:Win32/VBInject [Microsoft]
Virus.Win32.VBInject [Ikarus]
3 %Temp%g0dllrp.exe 196 608 bytes MD5: 0xD5BCEC2FBA53338D1EC69D04102B6245
SHA-1: 0x6C92E9C83B52CDF1DA9C20E83C883B74D48F4E73 Trojan.Gen [PCTools]
Trojan.Gen.2 [Symantec]
Generic.dx!utg [McAfee]
VirTool:Win32/VBInject [Microsoft]
Virus.Win32.VBInject [Ikarus]
4 %UserProfile%pwmph.exe 520 192 bytes MD5: 0xF60761D464AE87D8791E92C78E617EF3
SHA-1: 0x1FA71036065668242C2CDB4D8C3F94EC8209BCF5 Trojan.Gen [PCTools]
Trojan.Gen.2 [Symantec]
Virus.Win32.VBInject [Ikarus]
5 %UserProfile%upfnhf.exe 364 544 bytes MD5: 0xD4A52CD8F76EF97F0B2913D797C78368
SHA-1: 0x15A477DA6F69BCA3C5FA49A3F2D232BD4A85AB17 Trojan-Dropper.Delf.V [PCTools]
Downloader [Symantec]
Trojan.Win32.Delf.ahcb [Kaspersky Lab]
Generic.dx!ukd [McAfee]
Mal/Generic-L [Sophos]
Trojan:Win32/Meredrop [Microsoft]
Trojan-Dropper.Delf [Ikarus]
Win-Trojan/Agent.350115 [AhnLab]
6 %System%crt.dat 12 bytes MD5: 0x477EB275173789FE2F03C2A2B69B6663
SHA-1: 0x49C318C736682F6253CAA20AF48D47BDA79F1108 (not available)
7 %System%cryptnet32.dll 46 592 bytes MD5: 0x6BF89F21E40016AE9002512143B69055
SHA-1: 0xE77C8D2B90B84CD72BCEFBB703FB24CC5AF421B3 Trojan-Dropper.Delf.V [PCTools]
Trojan.Gen [Symantec]
Trojan.Win32.Delf.ahif [Kaspersky Lab]
Generic.dx!ukc [McAfee]
Trojan:Win32/Lukicsel.G [Microsoft]
Trojan-Dropper.Delf [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
8 %System%shimg.dll 295 554 bytes MD5: 0x1ADD3051C3C78101633623BF306ECC78
SHA-1: 0x069480E0CBCBD72AC131623CF577AA2D8D8E3700 (not available)

Categories: Uncategorized
Previous post
Next post