Remote Host Port Number
216.45.58.150 80
92.243.28.194 5900 PASS Virus
NICK VirUs-sgpzxuis
USER VirUs “” “usk” :
2Black
3Box
2360.
JOIN #B2# Virus
PRIVMSG #B2# :ESHTAA
PONG :TESTING3.VirUs.HERE
NICK VirUs-kdxrzmeu
USER VirUs “” “yqs” :
8Coded
8VirUs..
JOIN #OgarD3# Virus
PRIVMSG #OgarD3# :Success.
* The data identified by the following URL was then requested from the remote web server:
o http://www.sitepalace.com/pregy/ENCS1p1.jpeg
Registry Modifications
* The following Registry Key was created:
o HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{23MAD6M8-1MAD-77AD-JIM1-73OP5G3369085}
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{23MAD6M8-1MAD-77AD-JIM1-73OP5G3369085}]
+ StubPath = “c:ZolanderPolandabox.exe”
so that box.exe runs every time Windows starts
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 %UserProfile%j3h3h67j2.exe 84 481 bytes MD5: 0x66BA65C0F92F7DD9D5E4F86187D37F7A
SHA-1: 0x7283305AB3840DD9C849A56075FB37B261FC3D9B HeurEngine.MaliciousPacker [PCTools]
Packed.Generic.307 [Symantec]
Trojan.Win32.Jorik.IRCbot.mb [Kaspersky Lab]
Generic.dx!uji [McAfee]
Mal/Generic-L [Sophos]
Virus.Win32.Vbcrypt.BL [Ikarus]
Win-Trojan/Agent.84481 [AhnLab]
packed with UPX [Kaspersky Lab]
2 [file and pathname of the sample #1]
c:ZolanderPolandabox.exe 278 528 bytes MD5: 0x8CA5F1A3D246382480FB752B60FF4D72
SHA-1: 0xB9927A229FF7091E3A95443E655FE90852F62886 Trojan.Generic [PCTools]
Trojan Horse [Symantec]
Worm.Win32.VBKrypt.v [Kaspersky Lab]
Mal/Inject-S [Sophos]
Worm:Win32/Autorun.XGD [Microsoft]
Virus.Win32.VBInject [Ikarus]
3 c:ZolanderPolandaDeSKtOp.InI 62 bytes MD5: 0x7457A5DF1FF47C957ACF1FA000D7D9AD
SHA-1: 0x69D2BBA827FD4DE0169419A0FDA280252B348514 (not available)