wewqeq.idcbr.net (botnet hosted with United States Atlanta Global Net Access Llc)

Remote Host      Port Number   Server Password
207.210.96.152   6567          PASS s1m0n3t4

IRC commands sent by the bot to the server after connecting:

MODE [SI|USA|00|P|83827] -ix
JOIN #carro# c1rc0dus0leil
PONG Apple.Network
NICK [SI|USA|00|P|83827]
USER XP-2586 * 0 :COMPUTERNAME
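As an added illustration (not part of the original sandbox report), the following Python parses the captured client commands above into structured C2 indicators and offers a matcher that flags a TCP payload carrying the same registration sequence. The capture lines are copied from the report; the field names, the nick regular expression and the ordering of the constructed list are assumptions made for illustration (IRC sends PASS before NICK and USER, so it is placed where it would appear on the wire). The second JOIN argument is the channel key, per the IRC protocol.

```python
"""Extract C2 indicators from the IRC registration traffic of this sample.

Added example for this post, not code from the sandbox report. Field names,
the nick pattern and the matcher threshold are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed list of the client-to-server lines shown in the report, in the
# order a client sends them (PASS first). Real traffic terminates lines with CRLF.
CAPTURE = [
    "PASS s1m0n3t4",
    "NICK [SI|USA|00|P|83827]",
    "USER XP-2586 * 0 :COMPUTERNAME",
    "MODE [SI|USA|00|P|83827] -ix",
    "JOIN #carro# c1rc0dus0leil",
    "PONG Apple.Network",
]

# The bot nick is a bracketed run of pipe-separated fields ending in digits.
# The regex captures only that shape; it assigns no meaning to the fields.
NICK_RE = re.compile(r"^\[(?:[A-Za-z0-9]+\|){4}[0-9]+\]$")


@dataclass
class C2Indicators:
    server_password: Optional[str] = None
    nick: Optional[str] = None
    user_ident: Optional[str] = None
    realname: Optional[str] = None
    channel: Optional[str] = None
    channel_key: Optional[str] = None
    user_modes: Optional[str] = None
    ping_token: Optional[str] = None


def parse_irc_line(line: str) -> Tuple[str, List[str]]:
    """Split one IRC command into (COMMAND, params) per RFC 1459.

    A trailing parameter is introduced by ' :' and may itself contain spaces.
    """
    line = line.rstrip("\r\n")
    if " :" in line:
        head, trailing = line.split(" :", 1)
        parts = head.split()
        parts.append(trailing)
    else:
        parts = line.split()
    return parts[0].upper(), parts[1:]


def extract_indicators(lines) -> C2Indicators:
    """Walk client->server lines and collect the values a hunter would pivot on."""
    ioc = C2Indicators()
    for line in lines:
        if not line.strip():
            continue
        cmd, params = parse_irc_line(line)
        if cmd == "PASS" and params:
            ioc.server_password = params[0]
        elif cmd == "NICK" and params:
            ioc.nick = params[0]
        elif cmd == "USER" and len(params) >= 4:
            ioc.user_ident = params[0]   # "XP-2586" in this capture
            ioc.realname = params[3]     # trailing parameter, "COMPUTERNAME"
        elif cmd == "JOIN" and params:
            ioc.channel = params[0]
            ioc.channel_key = params[1] if len(params) > 1 else None
        elif cmd == "MODE" and len(params) >= 2:
            ioc.user_modes = params[1]
        elif cmd == "PONG" and params:
            ioc.ping_token = params[0]
    return ioc


def looks_like_bot_handshake(payload: str) -> bool:
    """True when a client->server TCP payload contains this sample's
    registration: the known server PASS plus a bracketed, pipe-delimited NICK.

    Intended for hunting over reassembled TCP streams; both conditions are
    required so ordinary IRC clients using a password are not flagged.
    """
    ioc = extract_indicators(payload.splitlines())
    return (
        ioc.server_password == "s1m0n3t4"
        and ioc.nick is not None
        and NICK_RE.match(ioc.nick) is not None
    )


if __name__ == "__main__":
    print(extract_indicators(CAPTURE))
```

Run against a pcap, feed each client-side stream to `looks_like_bot_handshake`; the parsed `C2Indicators` (channel, key, password, nick shape) are what you would turn into a Suricata content match or a SIEM search.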

* The following port was open in the system:

Port Protocol Process
1053 TCP conmysys.exe (%Windir%\conmysys.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Service ares = “conmysys.exe”

so that conmysys.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Service ares = “conmysys.exe”

so that conmysys.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
conmysys.exe %Windir%\conmysys.exe 335,872 bytes

File System Modifications

* The following file was created in the system:

# 1: %Windir%\conmysys.exe [file and pathname of the sample #1]
File Size: 102,400 bytes
File Hash: MD5: 0xC7C92FEDFB9560B01DD8A6DF43306182
           SHA-1: 0xD5C3A17A4B98604859CA384105CAC6A98B2A31A6
Alias: Backdoor:Win32/IRCbot [Microsoft], Gen.Trojan.Heur [Ikarus]
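To turn the host indicators above (the two Run-key values, the TCP 1053 listener, the C2 endpoint and the file hashes) into a triage check, here is an added Python example that is not part of the sandbox report. It works on text already collected from a suspect machine so it runs offline: the `reg query` and `netstat -ano` output below are constructed samples in the layout those tools print, and the indicator constants are copied from the report. How the output is collected (live or from a forensic image) is left to the responder.

```python
"""Match collected host evidence against this sample's indicators.

Added example for this post, not code from the sandbox report. The sample
command output below is constructed; the indicators come from the report.
"""
import hashlib
import re
from typing import List, Tuple

# Indicators listed in the report.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "Service ares"
DROPPED_FILE = "conmysys.exe"
KNOWN_MD5 = "0xC7C92FEDFB9560B01DD8A6DF43306182"
KNOWN_SHA1 = "0xD5C3A17A4B98604859CA384105CAC6A98B2A31A6"
LISTEN_PORT = 1053
C2_HOST, C2_PORT = "207.210.96.152", 6567

# Constructed `reg query <key>` output for an infected host (one benign value
# is included so the filter has something to ignore).
REG_QUERY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Service ares    REG_SZ    conmysys.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    Service ares    REG_SZ    conmysys.exe
"""

# Constructed `netstat -ano` output: the bot's listener plus its C2 session.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:1053           0.0.0.0:0              LISTENING       1720
  TCP    192.168.1.23:1054      207.210.96.152:6567    ESTABLISHED     1720
  UDP    0.0.0.0:500            *:*                                    1228
"""


def normalize_hash(h: str) -> str:
    """Lower-case a hex digest and drop the '0x' prefix the sandbox prints."""
    h = h.strip().lower()
    return h[2:] if h.startswith("0x") else h


def file_hashes(data: bytes) -> Tuple[str, str]:
    """MD5 and SHA-1 hex digests of a file's bytes, for comparison with the report."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hashes_match(md5_hex: str, sha1_hex: str) -> bool:
    return (normalize_hash(md5_hex) == normalize_hash(KNOWN_MD5)
            and normalize_hash(sha1_hex) == normalize_hash(KNOWN_SHA1))


# `reg query` prints the key on its own line, then one indented line per value
# with name, type and data separated by runs of spaces.
REG_VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def find_run_persistence(reg_query_output: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for Run values matching the report."""
    hits, current_key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = REG_VALUE_RE.match(line)
        if not m or current_key not in RUN_KEYS:
            continue
        name, _type, data = m.groups()
        if name == RUN_VALUE_NAME or DROPPED_FILE in data.lower():
            hits.append((current_key, name, data))
    return hits


def find_suspicious_sockets(netstat_output: str) -> List[Tuple[str, str, str, str]]:
    """Return (proto, local, remote, pid) TCP rows that listen on the bot's
    port or talk to the C2 server. The PID is the pivot to the process."""
    rows = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":
            continue
        proto, local, remote, pid = parts[0], parts[1], parts[2], parts[-1]
        if local.endswith(f":{LISTEN_PORT}") or remote == f"{C2_HOST}:{C2_PORT}":
            rows.append((proto, local, remote, pid))
    return rows


if __name__ == "__main__":
    print(find_run_persistence(REG_QUERY_SAMPLE))
    print(find_suspicious_sockets(NETSTAT_SAMPLE))
```

A single PID appearing in both the 1053 listener and the 6567 session, together with a "Service ares" Run value, is the combination to look for; the hash check is there to confirm the file on disk is this exact build, since other builds of the same family will differ.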

Hosting information:
http://whois.domaintools.com/207.210.96.152
