77.49.241.194.dsl.dyn.forthnet.gr (botnet hosted with Greece Athens Adsl Llu Pools)

Remote Host      Port Number
77.49.241.194    7000

NICK USA|77509
USER qhvby 0 0 :USA|77509
NICK USA|47927
USER qsypqt 0 0 :USA|47927
PONG :3F52D482
JOIN #rz# rZr
NICK USA|52914
USER ojheof 0 0 :USA|52914
PONG :247FE8D7
NICK USA|85862
USER wwpaiu 0 0 :USA|85862
PONG :A2A6394E
NICK USA|76343
USER stywtp 0 0 :USA|76343
PONG :A0F1525E
NICK USA|01481
USER vovbh 0 0 :USA|01481
NICK USA|05068
USER fixrl 0 0 :USA|05068
PONG :8C8B7565
NICK USA|57202
USER nedexnp 0 0 :USA|57202
PONG :763DEF37

Now talking in #rz#
Topic On 12: [ #rz# ] [ .sa -s ]
Topic By 12: [ l0 ]

Other details

* The following ports were open in the system:

Port    Protocol    Process
113     TCP         udqmpj.exe (%System%\udqmpj.exe)
1059    TCP         udqmpj.exe (%System%\udqmpj.exe)

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Media Player = "udqmpj.exe"

so that udqmpj.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
+ Windows Media Player = "udqmpj.exe"

so that udqmpj.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Media Player = "udqmpj.exe"

so that udqmpj.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name    Process Filename        Main Module Size
udqmpj.exe      %System%\udqmpj.exe     1,101,824 bytes

File System Modifications

* The following file was created in the system:

# 1
Filename(s):  [file and pathname of the sample #1]
              %System%\udqmpj.exe
File Size:    563,200 bytes
File Hash:    MD5:   0xC2318B1FACBDF153C3457DACE82A59BF
              SHA-1: 0xD147A6DEBC59D0A6B4ACCE88D2103C753CD3FFEF
Alias:        Trojan.Gen [PCTools]
              Trojan.Gen [Symantec]
              Net-Worm.Win32.Kolab.nbu [Kaspersky Lab]
              Backdoor:Win32/Rbot.gen [Microsoft]
              Backdoor.Win32.Rbot [Ikarus]
              Win-Trojan/Seint.563200 [AhnLab]

Info about the hoster:
http://whois.domaintools.com/77.49.241.194