205.234.174.55 (botnet hosted with Hostforweb Inc, Chicago, United States)

Remote Host       Port Number
174.37.200.82     80
63.135.80.224     80
63.135.80.46      80
64.208.241.41     80
66.220.149.11     80
205.234.174.55    1234

IRC traffic sent to 205.234.174.55 on port 1234:

PASS xxx
NICK NEW-[USA|00|P|00910]
USER XP-2112 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|00910] -ix
JOIN #!nn! test
PONG 22 MOTD

Other details

The following ports were open in the system:

Port   Protocol   Process
1058   TCP        nvsvc32.exe (%Windir%\nvsvc32.exe)
1059   TCP        nvsvc32.exe (%Windir%\nvsvc32.exe)
1060   TCP        nvsvc32.exe (%Windir%\nvsvc32.exe)

Registry Modifications

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

so that nvsvc32.exe runs every time Windows starts.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

so that nvsvc32.exe runs every time Windows starts.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

so that nvsvc32.exe runs every time Windows starts.

The following Registry Value was modified:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page =

Memory Modifications

There was a new process created in the system:

Process Name   Process Filename       Main Module Size
nvsvc32.exe    %Windir%\nvsvc32.exe   3,125,248 bytes

The following system service was modified:

Service Name   Display Name        New Status   Service Filename
wuauserv       Automatic Updates   "Stopped"    %System%\svchost.exe -k netsvcs

File System Modifications

The following files were created in the system:

1. %Windir%\ndl.dl (2,253 bytes)
   MD5: 0x02E4CE3F5F633732A531DE6E6262D2F8
   SHA-1: 0x8EE396670FAAB2BFCEFE9B68CF33665FD42FD1C9

2. %Windir%\nvsvc32.exe [file and pathname of the sample #1] (57,344 bytes)
   MD5: 0x817DF54DF8B358E8EF58BDA397149D15
   SHA-1: 0xC2B10629459E810F97FE983FBD2FA72ADFEA0831

3. %Windir%\wibrf.jpg (3,968 bytes)
   MD5: 0xE246233F7DCFE923D7A54F29B63CC30E
   SHA-1: 0xB512DA23F7D01E8BD23133583103A83DC6D5C787

4. %Windir%\wiybr.png (3,416 bytes)
   MD5: 0xD3A3A9391EA080EDFEF8BA202CC36D2E
   SHA-1: 0xD771C5BA93DC6FC0438AF3FF1E909338F63EC283

Hosting information:
http://whois.domaintools.com/205.234.174.55
