pfy.mysite.org (IRC botnet controller hosted with Bigbyte.cc, Albuquerque, United States)

Remote Host       Port Number
207.114.175.51    6667

NICK COMPUTERNAME16180
USER COMPUTERNAME16180 0 0 COMPUTERNAME16180COMPUTERNAME16180
JOIN #newaiuwhd
NICK COMPUTERNAME79226
USER COMPUTERNAME79226 0 0 COMPUTERNAME79226COMPUTERNAME79226
NICK COMPUTERNAME61492
USER COMPUTERNAME61492 0 0 COMPUTERNAME61492COMPUTERNAME61492
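The registration sequence above is the whole behavioural signature of this bot's check-in: a NICK built from the host name plus a random number, a USER line whose username and "real name" are both derived from that nick, a JOIN to a short random channel, and repeated NICK/USER re-registrations within the same TCP session. The following is an added detection example, not part of the original report or of the sample: it parses the client-side IRC commands from one session and scores them against those traits. The bot lines are copied from the report; the benign session and its address (203.0.113.10) are constructed for contrast, and the two-indicator threshold is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample input: the client-side IRC registration sequence recorded
# in the report above (remote 207.114.175.51, port 6667, as the sandbox logged
# it), plus a hand-written benign client registration for contrast.
# "COMPUTERNAME" is the sandbox host name, substituted by the report.
BOT_LINES = [
    "NICK COMPUTERNAME16180",
    "USER COMPUTERNAME16180 0 0 COMPUTERNAME16180COMPUTERNAME16180",
    "JOIN #newaiuwhd",
    "NICK COMPUTERNAME79226",
    "USER COMPUTERNAME79226 0 0 COMPUTERNAME79226COMPUTERNAME79226",
    "NICK COMPUTERNAME61492",
    "USER COMPUTERNAME61492 0 0 COMPUTERNAME61492COMPUTERNAME61492",
]
BENIGN_LINES = [  # constructed; not from the report
    "NICK alice",
    "USER alice 0 * :Alice Example",
    "JOIN #python",
]

NICK_RE = re.compile(r"^NICK\s+(\S+)\s*$")
USER_RE = re.compile(r"^USER\s+(\S+)\s+(\S+)\s+(\S+)\s+:?(.*)$")
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)")
# Hostname-style prefix followed by a run of digits, as in COMPUTERNAME16180.
GENERATED_NICK_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*?\d{4,}$")
IRC_PORTS = set(range(6660, 6670)) | {7000}


@dataclass
class IrcSession:
    remote: str
    port: int
    nicks: List[str] = field(default_factory=list)
    users: List[Tuple[str, str]] = field(default_factory=list)  # (username, realname)
    channels: List[str] = field(default_factory=list)


def parse_session(remote: str, port: int, lines) -> IrcSession:
    """Collect the client-side registration commands seen in one TCP session."""
    s = IrcSession(remote, port)
    for raw in lines:
        line = raw.strip()
        if m := NICK_RE.match(line):
            s.nicks.append(m.group(1))
        elif m := USER_RE.match(line):
            s.users.append((m.group(1), m.group(4)))
        elif m := JOIN_RE.match(line):
            s.channels.append(m.group(1))
    return s


def indicators(s: IrcSession) -> List[str]:
    """Return the reasons a session resembles the bot check-in shown in the report."""
    why = []
    if s.port in IRC_PORTS:
        why.append(f"outbound IRC to {s.remote}:{s.port}")
    if s.nicks and all(GENERATED_NICK_RE.match(n) for n in s.nicks):
        why.append("every NICK is a host-derived prefix plus digits")
    # The sample registers USER with the nick as username and nick+nick as realname.
    if any(u == n and r == n + n for (u, r), n in zip(s.users, s.nicks)):
        why.append("USER username and realname are built from the nick")
    if len(s.nicks) > 1 and len(s.nicks) == len(s.users):
        why.append(f"{len(s.nicks)} NICK/USER re-registrations in one session")
    return why


def is_bot_like(s: IrcSession, threshold: int = 2) -> bool:
    """Outbound IRC alone is weak evidence; require at least two indicators (assumed threshold)."""
    return len(indicators(s)) >= threshold


def c2_summary(s: IrcSession) -> dict:
    """Pivot points worth recording from a flagged session: server, channel, nick prefix."""
    return {
        "server": f"{s.remote}:{s.port}",
        "channels": sorted(set(s.channels)),
        "nick_prefix": re.sub(r"\d+$", "", s.nicks[0]) if s.nicks else None,
    }


if __name__ == "__main__":
    for label, remote, lines in (("sample", "207.114.175.51", BOT_LINES),
                                 ("benign", "203.0.113.10", BENIGN_LINES)):
        sess = parse_session(remote, 6667, lines)
        print(label, is_bot_like(sess), indicators(sess), c2_summary(sess))
```

Run against the report's lines the sample session trips all four indicators, while the benign registration trips only the "outbound IRC" one and is not flagged. The nick prefix is the infected host's name, so a flagged session also tells you which machine to image.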

* The following ports were open in the system:

Port    Protocol    Process
1054    TCP         8jg53l4ojo74khk.exe (%Windir%\8jg53l4ojo74khk.exe)
1056    TCP         8jg53l4ojo74khk.exe (%Windir%\8jg53l4ojo74khk.exe)
1057    TCP         8jg53l4ojo74khk.exe (%Windir%\8jg53l4ojo74khk.exe)

Registry Modifications

* The newly created Registry Value is:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + 8jg53l4ojo74khk.exe = "%Windir%\8jg53l4ojo74khk.exe"

so that 8jg53l4ojo74khk.exe runs every time Windows starts

* The following Registry Value was deleted:
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    + NoDriveTypeAutoRun = 0x00000091

NoDriveTypeAutoRun is the per-user AutoRun policy bitmask. Removing it drops that restriction and leaves AutoRun to the system default, which for a sample classified as a worm (see the aliases below) should be treated as a spreading aid: check any removable media that was attached to the host.

Memory Modifications

* There was a new process created in the system:

Process Name           Process Filename                 Main Module Size
8jg53l4ojo74khk.exe    %Windir%\8jg53l4ojo74khk.exe     704,512 bytes

File System Modifications

* The following file was created in the system:

  1. %Windir%\8jg53l4ojo74khk.exe  [file and pathname of the sample #1]
     File size: 786,354 bytes
     MD5:   28CD5991CE7E5A62E35126C001B0BF38
     SHA-1: 58FEAEE87068A857FA53B6163D540C82D1E00F01
     Aliases:
       Trojan.Win32.Autoit.aak [Kaspersky Lab]
       Generic.dx!swc [McAfee]
       Worm:Win32/Orbina!rts [Microsoft]
       Trojan.Win32.Autoit [Ikarus]
       packed with UPX [Kaspersky Lab]

Hosting information:
http://whois.domaintools.com/207.114.175.51
