gs.unicatz.com

Remote Host      Port Number
74.117.174.82    2010

NICK XPUiw3
USER laMer "" "gs.unicatz.com" :
You Think i
aughty
USERHOST XPUiw3
MODE XPUiw3 +i
JOIN #tcp# d0s
MODE #tcp#
PONG :s11.cpe.netcabo.uk

* The following ports were open in the system:

Port     Protocol   Process
1052     TCP        Winter.pif (%System%\dllcache\Winter.pif)
32403    TCP        Winter.pif (%System%\dllcache\Winter.pif)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
o HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
o HKEY_CURRENT_USER\Software\mIRC
o HKEY_CURRENT_USER\Software\mIRC\DateUsed

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ WinXPService = "%System%\dllcache\Winter.pif"

so that Winter.pif runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
+ DisplayName = "mIRC"
+ UninstallString = ""%System%\dllcache\Winter.pif" -uninstall"
o [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USER\Software\mIRC\DateUsed]
+ (Default) = "1290554992"

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename                  Main Module Size
Winter.pif     %System%\dllcache\winter.pif      1 679 360 bytes

File System Modifications

* The following files were created in the system (number, filename, file size, file hashes, alias):

1. %System%\dllcache\dev2si.zip (12 512 bytes)
   MD5: 0xAF1FBB7661BC09A7B906B60A5F16AF1A
   SHA-1: 0x5C28AD5089762B83A27E5858196FB6000A503E8D
   Alias: Backdoor.IRC.Agent.q [Kaspersky Lab]; Backdoor.IRC.Agent [Ikarus]

2. %System%\dllcache\dr67rf.zip (3 416 bytes)
   MD5: 0x0988087B23F3D160BE8ACD8DA8A9DB9A
   SHA-1: 0xBA1DD56646D0E54FAA6100135A652C889C502683
   Alias: (not available)

3. %System%\dllcache\ei7g.msp (74 bytes)
   MD5: 0xE1FCCDF93D2A037E2A2232B40E047D5B
   SHA-1: 0xCD58A8312C2C8A1DF5608419B0CB9388B2B38AE0
   Alias: (not available)

4. %System%\dllcache\l3ik7.zip (17 074 bytes)
   MD5: 0xB1B803258C43CA239FB9CF50C5726B28
   SHA-1: 0xB5D1AB8D9CDAC8CC570DBC394A57C728896C7ABB
   Alias: Hacktool.Flooder [PCTools]; Hacktool.Flooder [Symantec]; Backdoor.IRC.Agent.q [Kaspersky Lab]; Backdoor.IRC.Agent [Ikarus]

5. %System%\dllcache\n80.reg (140 bytes)
   MD5: 0x5C00611205E39B78A23D855BF0C00F58
   SHA-1: 0xC756E3389627809EBDB01D0C9F435822EB2AEA97
   Alias: (not available)

6. %System%\dllcache\o1o2o3o4 (4 093 bytes)
   MD5: 0x5D5260891E6F999977608E16E7A69B65
   SHA-1: 0x54830A96F8D43B24672630F2DC15BC0BE0C20436
   Alias: (not available)

7. %System%\dllcache\si3sj9.dll (40 960 bytes)
   MD5: 0xA85A6F809B5500ADF9F163F60CBD9B25
   SHA-1: 0x9B81D20E5FFBF9BAE4BB95595579B29A282DAB0F
   Alias: Backdoor.IRC.Flood [PCTools]; Hacktool.Flooder [Symantec]; IRC/Flood.tool [McAfee]; Troj/Flood-I [Sophos]; Trojan:Win32/Flood.L [Microsoft]; IRC.Flood [Ikarus]; Win-Trojan/Flooder.45056.B [AhnLab]

8. %System%\dllcache\vcr32.zip (21 100 bytes)
   MD5: 0xFA5F4F2FEB0136838392597A6949656F
   SHA-1: 0x2EE794D1130AE97762E4D83CE3C38138C57F4CC6
   Alias: (not available)

9. %System%\dllcache\Winter.pif (574 464 bytes)
   MD5: 0xB3027DFFA9BBAC7E1999223CF737200B
   SHA-1: 0x04F7BE390D135405B5D1925B205C0C871301B522
   Alias: Backdoor.IRC.Flood [PCTools]; W32.IRCBot [Symantec]; not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]; TROJ_BOTIRC.A [Trend Micro]; Troj/Multidr-FT [Sophos]; Backdoor:Win32/IRCbot [Microsoft]; not-a-virus:Client-IRC.Win32.mIRC [Ikarus]; Win-Trojan/MircPack.574464 [AhnLab]; packed with UPX [Kaspersky Lab]

10. [file and pathname of the sample #1] (890 383 bytes)
   MD5: 0x74486B93F0583EFF04A3D3976238F49B
   SHA-1: 0x6D789E65010CD8084A85C19953AFAF022811C34F
   Alias: Backdoor.IRCBot.GEN [PCTools]; Heuristic.ADH [Symantec]; Backdoor.IRC.Agent.q, not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]; W32/Spybot.worm!cq [McAfee]; Mal/Generic-A [Sophos]; Trojan:Win32/Malat [Microsoft]; not-a-virus:Client-IRC.Win32.mIRC [Ikarus]
