unknown.ord.scnet.net (botnet hosted in United States, Chicago, Hostforweb Inc)

Remote Host Port Number
64.202.102.234 50500

NICK {New}[USA-1244024-XP]
USER 6950797 "" "lol" :6950797
JOIN #LED
PONG 422

Topic On: [ #LED ] [ light emitting diode ]
Topic By: [ Switch ]

Registry Modifications

* The newly created Registry Value is:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ rgservs = "%Temp%\rgservs.exe"

so that rgservs.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name: rgservs.exe
Process Filename: %Temp%\rgservs.exe
Main Module Size: 32,768 bytes

File System Modifications

* The following files were created in the system:

1. Filename(s): %Temp%\rgservs.exe, [file and pathname of the sample #1]
   File Size: 17,408 bytes
   MD5: 0x431C502E6C7F880131D8A13B3210A9AE
   SHA-1: 0x3D369077C71D348D5E598A298BCA68F6124975D4
2. Filename(s): %System%\import53an35ygsfsgftdoc.tmp
   File Size: 11 bytes
   MD5: 0x104EF340476E58E072D5788178ECB2B4
   SHA-1: 0x3F487D02B9FFFB5F763A7B0C9860390CFF17416E

Hosting information:
http://whois.domaintools.com/64.202.102.234