efy2.internetdsl.tpnet.pl (botnet C&C hosted in Krakow, Poland, on a static IP)

Remote Host        Port Number
212.97.132.151     80
95.211.84.41       80
83.15.2.2          31092

NICK US|computername
USER yoxuruho UNIX UNIX :username
JOIN #all#

Resolved : [serv01.colo.owned.hu] To [83.15.2.2]
Resolved : [serv01.colo.owned.hu] To [83.233.167.103]
Resolved : [serv01.colo.owned.hu] To [81.219.80.126]
Resolved : [serv01.colo.owned.hu] To [196.46.191.100]

Other details

* The following ports were open in the system:

Port    Protocol    Process
1055    TCP         taskhost.exe (%AppData%\taskhost.exe)
1057    TCP         taskhost.exe (%AppData%\taskhost.exe)
1058    TCP         taskhost.exe (%AppData%\taskhost.exe)

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\WindowsLive

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Task Host = "%AppData%\taskhost.exe"

so that taskhost.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\WindowsLive]
+ version = "1057"
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Task Host = "%AppData%\taskhost.exe"

so that taskhost.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name                    Process Filename                        Main Module Size
taskhost.exe                    %AppData%\taskhost.exe                  2,191,360 bytes
viewDrive.exe                   c:\viewdrive.exe                        2,191,360 bytes
[filename of the sample #1]     [file and pathname of the sample #1]    2,191,360 bytes

File System Modifications

* The following files were created in the system:

#   Filename(s)                             File Size          File Hash
1   c:\autorun.inf                          147 bytes          MD5: 0x29F4BC0B76C36E9B71214715E65E9984
                                                               SHA-1: 0x4447BCC507BE7AD624C02C18F3360CCE87E86E49
2   %AppData%\taskhost.exe                  3,260,782 bytes    MD5: 0xB78BDB0CDC0DD17CA719BA74E0B7D334
    c:\viewDrive.exe                                           SHA-1: 0xF4ECB11F5E9F47BE0E17A6C4C6A3BCB557757D89
    [file and pathname of the sample #1]
3   %Temp%\tools.exefile5816.tmp            0 bytes            MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                                                               SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
4   %Temp%\uypji1zwqanz7.exe                335 bytes          MD5: 0x7CF8E9B0CAD3E69E28272C35A1A6C04B
                                                               SHA-1: 0x27BBCA4213A617CB90E2A6F0CAC052146493BD33
5   %Temp%\viewdrive                        0 bytes            MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                                                               SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709

Info about the hosting provider:
http://whois.domaintools.com/83.15.2.2
