mrssimonquispe.enladisco.com(botnet hosted in United States Forney Networld Internet Services)

Remote Host Port Number
206.123.89.191 6567 PASS s1m0n3t4

MODE [SI|USA|00|P|61978] -ix
JOIN #iausto# c1rc0dus0leil
PONG Coupe2.Network
NICK [SI|USA|00|P|61978]
USER XP-6042 * 0 :COMPUTERNAME

* The following port was open in the system:

Port Protocol Process
1053 TCP tanga.exe (%Windir%tanga.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Service ares = “tanga.exe”

so that tanga.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTerminal ServerInstallSoftwareMicrosoftWindowsCurrentVersionRun]
+ Service ares = “tanga.exe”

so that tanga.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
tanga.exe %Windir%tanga.exe 335,872 bytes

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash
1 [file and pathname of the sample #1]
%Windir%tanga.exe 106,496 bytes MD5: 0x8477BDC25C1D7CB74B423791CEFD8FE5
SHA-1: 0xA95A1F8DFC77D4C64136D0B57FD216B9209524C8

infos about hosting:
http://whois.domaintools.com/206.123.89.191