79.103.31.60 (botnet hosted with Greece Adsl Llu Pools)

Remote Host     Port Number
79.103.31.60    7000

NICK USA|98366
USER pmlaix 0 0 :USA|98366
NICK USA|65758
USER aarzwbc 0 0 :USA|65758
PONG :8D08D6EC
JOIN #rz# rZr
NICK USA|77249
USER cfmgjxv 0 0 :USA|77249
PONG :844AC46E
NICK USA|78515
USER fixrl 0 0 :USA|78515
PONG :74E4C1F6
NICK USA|16716
USER yqwsb 0 0 :USA|16716
PONG :7A44D0C1
NICK USA|99792
USER ccohfv 0 0 :USA|99792
NICK USA|05819
USER kfcqbw 0 0 :USA|05819
PONG :8D0DEF77
NICK USA|88060
USER zbdtbv 0 0 :USA|88060
PONG :7DFCF1AE

Now talking in #rz#
Topic On: [ #rz# ] [ .sa -s ]
Topic By: [ Boar ]

Other details

* The following ports were open in the system:

Port   Protocol   Process
113    TCP        dgufpw.exe (%System%\dgufpw.exe)
1060   TCP        dgufpw.exe (%System%\dgufpw.exe)

Registry Modifications

* The following Registry Key was created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Windows Media Player = "dgufpw.exe"
      so that dgufpw.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    + Windows Media Player = "dgufpw.exe"
      so that dgufpw.exe runs every time Windows starts
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Windows Media Player = "dgufpw.exe"
      so that dgufpw.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename       Main Module Size
dgufpw.exe     %System%\dgufpw.exe    1,101,824 bytes

File System Modifications

* The following file was created in the system:

# 1
Filename(s):  %System%\dgufpw.exe
              [file and pathname of the sample #1]
File Size:    484,352 bytes
File Hash:    MD5:   0x4E304B89A7EBBA62092686C7B683A1A8
              SHA-1: 0xD54EAFF07D52DEC57F75AC6650D42D486D7A8CEE
Alias:        Backdoor.Trojan [PCTools]
              Backdoor.Trojan [Symantec]
              Net-Worm.Win32.Kolab.mto [Kaspersky Lab]
              Generic.dx!uph [McAfee]
              Backdoor:Win32/Rbot.gen [Microsoft]
              Backdoor.Win32.Rbot [Ikarus]
              Win-Trojan/Seint.484352.B [AhnLab]

Info about the hosting:
http://whois.domaintools.com/79.103.31.60
