dell.special.jp

dell.special.jp 210.168.252.109

Opened listening TCP connection on port: 113
C&C Server: 210.168.252.109:17402
Server Password:
Username: fdlea
Nickname: DEU|77874
Channel: ##new## (Password: gatesgates)
Channeltopic: :.asc asn445 100 0 2555 -a -b -r

Registry Changes by all processes
Create or Open
Changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Windows Service Agent” = agl23.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices “Windows Service Agent” = agl23.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Windows Service Agent” = agl23.exe
Reads: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”

File Changes by all processes
New Files: \Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\system32\agl23.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
Opened Files: \\.\Ip
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\agl23.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32
\\.\Ip
\\.\PIPE\lsarpc
Deleted Files: c:\h1dd3n1.exe

Chronological Order
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\agl23.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\h1dd3n1.exe to C:\WINDOWS\system32\agl23.exe
Open File: C:\WINDOWS\explorer.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\agl23.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\agl23.exe
Set File Attributes: C:\WINDOWS\system32\agl23.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\agl23.exe
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Delete File: c:\h1dd3n1.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
