server-178.211.56.105.as42926.net (botnet hosted with Radore Hosting Telekomunikasyon Hizmetleri San. Ve Tic. Ltd. Sti, Turkey)

Remote Host       Port Number
178.211.56.105    81

NICK [N00_USA_XP_8963745]
USER SP2-381 * 0 :COMPUTERNAME
MODE [N00_USA_XP_8963745]
@ -ix
JOIN #w
MODE #w -ix
PONG log.in.sys

Other details

* The following port was open in the system:

Port   Protocol   Process
1052   TCP        BSwBT.exe (%System%\drivers\BSwBT.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = "%System%\drivers\BSwBT.exe"

so that BSwBT.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Driver Setup = "%System%\drivers\BSwBT.exe"

so that BSwBT.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename               Main Module Size
BSwBT.exe      %System%\drivers\bswbt.exe     339,968 bytes

File System Modifications

* The following files were created in the system:

File #1
  Filename(s):  %Windir%\logfile32.txt
  File Size:    0 bytes
  File Hash:    MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  Alias:        (not available)

File #2
  Filename(s):  %System%\drivers\BSwBT.exe
                [file and pathname of the sample #1]
  File Size:    118,784 bytes
  File Hash:    MD5: 0x2109213A48EF57467E3FD3CE1F00E773
                SHA-1: 0xCAF2710A15718A1CBE9A5D76E7DF97A7132F6EA8
  Alias:        Packed.Generic.307 [Symantec]
                Worm.Win32.VBNA.b [Kaspersky Lab]
                Mal/VBInject-D [Sophos]
                VirTool:Win32/VBInject.gen!DQ [Microsoft]
                Trojan.Win32.Kreeper [Ikarus]

Hosting information:
http://whois.domaintools.com/178.211.56.105
