– DNS Queries:
Name Query Type Query Result Successful Protocol
x1x4x0.net DNS_TYPE_A 216.246.124.50 YES udp
winhostmanager.net DNS_TYPE_A 127.0.0.1 YES udp
winupdatecontrol.net DNS_TYPE_A 216.246.124.50 YES udp
Remote Host Port Number
216.246.124.50 5500
NICK |US|INF|12|6|55|737|
USER 55768 |US|.com 216.246.124.50 :55768 |US|
PONG :422
JOIN #win#
PONG :leaf1.not.found
Now talking in #win#
Topic On: [ #win# ] [ , ]
Topic By: [ n ]
ACTION!> s slaps |US|INF|10|7|5|923| around a bit with a large trout
* The data identified by the following URLs was then requested from the remote web server:
o http://webyeeworx.com/b.exe
o http://www.facebook.sercaag.com/b.exe
Registry Modifications
* The newly created Registry Value is:
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ WindowsLiveUpdateServices = “%AppData%Microsoft-Update-Service-2568-6479-5400winrsnmgr.exe”
so that winrsnmgr.exe runs every time Windows starts
Memory Modifications
* There was a new memory page created in the address space of the system process(es):
Process Name Process Filename Allocated Size
winrsnmgr.exe %AppData%microsoft-update-service-2568-6479-5400winrsnmgr.exe 188,416 bytes
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash Alias
1 %AppData%Microsoft-Update-Service-2568-6479-5400winrsnmgr.exe
[file and pathname of the sample #1] 57,344 bytes MD5: 0x14FE34D930F74A1C0B5C4AD67089E685
SHA-1: 0xDF095C2117514AE5312C24815E22482CBF059750 packed with UPX [Kaspersky Lab]
2 %AppData%wincbdrv32.txt 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)
infos about hosting:
http://whois.domaintools.com/216.246.124.50