76f.no-ip.biz(malware hosted with

By Pig, December 21, 2010

DNS Lookup
Host Name IP Address
76f.no-ip.biz 173.0.3.196
api.ipinfodb.com 67.212.74.82
Download URLs
http://67.212.74.82/v2/ip_query_country.php?key=86c9c734428c1230cba1356dcf99dc882bc229bf93fbd6491db4e8776d6d9a88&timezone=off (api.ipinfodb.com)

Outgoing connection to remote server: 76f.no-ip.biz port 3333
Outgoing connection to remote server: api.ipinfodb.com TCP port 80

Registry Changes by all processes
Create or Open
Changes HKEY_CURRENT_USERSoftwareVB and VBA Program SettingsSrvIDID “UMUZZPIO31” = Spread
HKEY_CURRENT_USERSoftwareVB and VBA Program SettingsINSTALLDATE “UMUZZPIO31” = December 21, 2010
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfile “DoNotAllowExceptions” = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList “C:Dokumente und EinstellungenAdministratorAnwendungsdatenbot.exe” = C:Dokumente und EinstellungenAdministratorAnwendungsdatenbot.exe:*:Enabled:Windows Messanger
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList “c:bot12.exe” = c:bot12.exe:*:Enabled:Windows Messanger
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfile “DoNotAllowExceptions” = [REG_DWORD, value: 00000000]
Reads HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_CURRENT_USERSoftwareVB and VBA Program SettingsSrvIDID “UMUZZPIO31”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}1.0 “win32”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “ProductName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftAdvanced INF Setup “AdvpackLogFile”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfile “DoNotAllowExceptions”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList “C:Dokumente und EinstellungenAdministratorAnwendungsdatenbot.exe”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList “c:bot12.exe”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfile “DoNotAllowExceptions”
Enums HKEY_LOCAL_MACHINESYSTEMControlSet001ControlMediaResourcesmsvideo

File Changes by all processes
New Files c:bot12.exe
C:Dokumente und EinstellungenAdministratorAnwendungsdatenbot.exe
C:Dokumente und EinstellungenAdministratorAnwendungsdatendata.dat
DeviceRasAcd
Opened Files C:WINDOWSRegistrationR000000000007.clb
c:bot12.exe
c:bot12.exe
C:Dokumente und EinstellungenAdministratorAnwendungsdatenbot.exe
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSsystem32
C:WINDOWSsystem32de-DEwshom.ocx.mui
C:WINDOWSsystem32wshom.ocx
C:WINDOWSsystem32MSVBVM60.DLL
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSsystem32
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSsystem32
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSsystem32
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSsystem32
Deleted Files
Chronological Order Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Find File: c:bot12.exe
Create/Open File: c:bot12.exe (OPEN_ALWAYS)
Open File: c:bot12.exe (OPEN_EXISTING)
Create File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenbot.exe
Open File: c:bot12.exe (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenbot.exe (OPEN_EXISTING)
Set File Time: C:Dokumente und EinstellungenAdministratorAnwendungsdatenbot.exe
Get File Attributes: C:Dokumente und EinstellungenAdministratorAnwendungsdatenbot.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:Dokumente und EinstellungenAdministratorAnwendungsdatendata.dat
Create/Open File: C:Dokumente und EinstellungenAdministratorAnwendungsdatendata.dat (OPEN_ALWAYS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Open File: C:WINDOWSsystem32de-DEwshom.ocx.mui (OPEN_EXISTING)
Open File: C:WINDOWSsystem32wshom.ocx (OPEN_EXISTING)
Get File Attributes: C:WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32MSVBVM60.DLL (OPEN_EXISTING)
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: c:REG.*
Find File: c:REG
Find File: C:WINDOWSsystem32REG.*
Find File: C:WINDOWSsystem32reg.COM
Find File: C:WINDOWSsystem32reg.EXE
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32reg.exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: c:REG.*
Find File: c:REG
Find File: C:WINDOWSsystem32REG.*
Find File: C:WINDOWSsystem32reg.COM
Find File: C:WINDOWSsystem32reg.EXE
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32reg.exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: c:REG.*
Find File: c:REG
Find File: C:WINDOWSsystem32REG.*
Find File: C:WINDOWSsystem32reg.COM
Find File: C:WINDOWSsystem32reg.EXE
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32reg.exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: c:REG.*
Find File: c:REG
Find File: C:WINDOWSsystem32REG.*
Find File: C:WINDOWSsystem32reg.COM
Find File: C:WINDOWSsystem32reg.EXE
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32reg.exe

infos about hosting:
http://www.who.is/whois-ip/ip-address/173.0.3.196/

Categories: Uncategorized