213.155.29.56 (botnet hosted with hosting.ua)

Remote Host      Port Number   Traffic (client to server)
213.155.29.56    6667          PASS (SelamS234)
                               NICK {NEW}[USA][XP-SP2]981503
                               USER 7657 "" "lol" :7657
                               JOIN #1111

This is a plain IRC registration on the default IRC port 6667: the bot authenticates to the server with a hard-coded password (SelamS234), picks a nick that encodes its country, OS and service pack plus a numeric bot ID, registers a user, and joins the command channel #1111.
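The registration sequence above, parsed and classified as an added example (this is not code from the original post). The capture text is constructed from the four logged lines; the nick template regex is an assumption generalised from the single observed nick {NEW}[USA][XP-SP2]981503 and should be tuned against further samples:

```python
import re

# Client-to-server IRC lines as logged above (constructed capture for this example;
# the report shows the PASS argument in parentheses, the bot sends it bare).
CAPTURE = """\
PASS SelamS234
NICK {NEW}[USA][XP-SP2]981503
USER 7657 "" "lol" :7657
JOIN #1111
"""

# Assumed nick template for this bot: {NEW}[COUNTRY][OS-SP]<bot id>.
NICK_RE = re.compile(
    r"^\{NEW\}\[(?P<country>[A-Z]{2,3})\]\[(?P<os>[A-Za-z0-9-]+)\](?P<id>\d+)$"
)


def parse_registration(capture: str) -> dict:
    """Walk client->server IRC lines and extract the registration fields."""
    info = {"password": None, "nick": None, "user": None, "realname": None, "channel": None}
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "PASS":
            info["password"] = rest.strip()
        elif cmd == "NICK":
            info["nick"] = rest.strip()
        elif cmd == "USER":
            # USER <user> <mode> <unused> :<realname> (RFC 2812); the trailing
            # parameter starts at " :" and may contain spaces.
            params, _, trailing = rest.partition(" :")
            fields = params.split()
            info["user"] = fields[0] if fields else None
            info["realname"] = trailing.strip()
        elif cmd == "JOIN":
            info["channel"] = rest.split()[0]
    return info


def classify(info: dict) -> dict:
    """Report the registration as this bot when the nick matches the template and a channel is joined."""
    verdict = {"is_bot": False, "country": None, "os": None, "bot_id": None,
               "channel": info["channel"]}
    m = NICK_RE.match(info["nick"] or "")
    if m and info["channel"]:
        verdict.update(is_bot=True, country=m["country"], os=m["os"], bot_id=m["id"])
    return verdict


if __name__ == "__main__":
    reg = parse_registration(CAPTURE)
    print(reg)
    print(classify(reg))
```

The same parser can be pointed at a tcpflow or Wireshark "Follow TCP Stream" export of port 6667 traffic; the nick template, not the IP or password, is the indicator that survives the attacker moving servers.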

Registry Modifications

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Firewall = "%Temp%\lsass.exe"
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Firewall = "%Temp%\lsass.exe"

Both Run values start %Temp%\lsass.exe at every logon (the HKLM entry for any user, the HKCU entry for the infected user). The value name mimics the Windows Firewall and the file name mimics the legitimate lsass.exe, which only ever runs from %SystemRoot%\System32.

Memory Modifications

* There was a new process created in the system:

  Process Name   Process Filename    Main Module Size
  lsass.exe      %Temp%\lsass.exe    77,824 bytes

File System Modifications

* The following files were created in the system:

  #  Filename(s)                           File Size      File Hash                                            Alias
  1  %Temp%\google_cache118.tmp            9 bytes        MD5:   0x6C936CB4A4B7F5803BD2E3DEACC3C2FE           (not available)
                                                          SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
  2  %Temp%\lsass.exe                      98,304 bytes   MD5:   0x3D27365600909FD7899524672FD4D182           Trojan.IRCBot!rem [PCTools]
     [file and pathname of the sample #1]                 SHA-1: 0x40CBD0B393A5D1EBDC636144B1FB4286219B5EE5   W32.IRCBot [Symantec]
                                                                                                               Trojan.Win32.VBKrypt.eei [Kaspersky Lab]
                                                                                                               W32/IRCbot.gen.a [McAfee]
                                                                                                               Mal/Generic-L [Sophos]
                                                                                                               Trojan:Win32/Dynamer!dtc [Microsoft]
                                                                                                               Trojan.Win32.VBKrypt [Ikarus]
                                                                                                               Win-Trojan/Xema.98304.F [AhnLab]
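A host-side check built from the registry, process and file indicators above, as an added example (not code from the original post). It runs offline over constructed records rather than reading the live registry or process list; the Run values, the XP-era %Temp% path and the placeholder hash for the genuine lsass.exe are all constructed for the example, while the MD5s and the Run value name come from the report:

```python
import ntpath
from dataclasses import dataclass

# Indicators from the report (hashes lower-cased, without the report's 0x prefix).
KNOWN_MD5 = {
    "3d27365600909fd7899524672fd4d182": "%Temp%\\lsass.exe dropper",
    "6c936cb4a4b7f5803bd2e3deacc3c2fe": "%Temp%\\google_cache118.tmp marker",
}
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
}
LEGIT_LSASS_DIR = r"c:\windows\system32"


@dataclass
class RunValue:
    key: str
    name: str
    data: str


@dataclass
class Process:
    name: str
    path: str
    md5: str


def _norm(p: str) -> str:
    return p.strip('"').lower()


def check_run_values(values):
    """Flag Run entries that autostart something from a temp directory, as this sample does."""
    hits = []
    for v in values:
        data = _norm(v.data)
        in_temp = "%temp%" in data or "\\temp\\" in data
        if _norm(v.key) in RUN_KEYS and in_temp:
            hits.append(f"{v.key}\\{v.name} -> {v.data}")
    return hits


def check_processes(procs):
    """Flag lsass.exe running outside System32 (the real one never does) and any known-bad hash."""
    hits = []
    for p in procs:
        path = _norm(p.path)
        if p.name.lower() == "lsass.exe" and ntpath.dirname(path) != LEGIT_LSASS_DIR:
            hits.append(f"masquerading lsass.exe: {p.path}")
        md5 = p.md5.lower()
        if md5 in KNOWN_MD5:
            hits.append(f"known hash {md5} ({KNOWN_MD5[md5]}) at {p.path}")
    return hits


# Constructed records modelling the infected host described above.
SAMPLE_RUN_VALUES = [
    RunValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Firewall", r"%Temp%\lsass.exe"),
    RunValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Firewall", r"%Temp%\lsass.exe"),
    RunValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_PROCESSES = [
    # Placeholder hash for the genuine binary; only its location matters to the check.
    Process("lsass.exe", r"C:\WINDOWS\system32\lsass.exe", "0" * 32),
    Process("lsass.exe", r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe",
            "3D27365600909FD7899524672FD4D182"),
]


def scan(values=SAMPLE_RUN_VALUES, procs=SAMPLE_PROCESSES):
    """Combine both checks; an empty list means no indicator matched."""
    return check_run_values(values) + check_processes(procs)


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

On a real host the two record lists would be filled from the Run keys and the process list (with hashes of each image); the location check is the durable signal here, since a repacked sample changes its hash but still has to start from somewhere writable.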

Info about the hosting provider:
http://whois.domaintools.com/213.155.29.56
