picard.ebdgroup.com (botnet hosted in Germany, Hetzner Online AG)

Remote Host      Port Number
64.62.181.43     80
69.89.31.75      80
78.46.81.231     1866

NICK n[USA|XP|COMPUTERNAME]splmgpb
USER hh "" "lol" :hh
JOIN #!h!
PONG 422

* The data identified by the following URLs was then requested from the remote web server:
o http://64.62.181.43/dehe16/sysnt32.exe
o http://kissfendi.com/wp-content/uploads/karissa.jpg

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
+ Start Page = "http://redirecturls.info"
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Java Update Manager = "%AppData%\WIN-2045-7453-2214\sysloop.exe" (so that sysloop.exe runs every time Windows starts)
+ Kernel Drivers = "%AppData%\systemproc.exe" (so that systemproc.exe runs every time Windows starts)

* The following Registry Value was modified:
o [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
+ Start Page =

Memory Modifications

* Attention! The following process was intentionally hidden from the user:

Process Name     Main Module Size
3873284.exe      45,056 bytes

File System Modifications

* The following files were created in the system:

#  Filename(s)                                File Size     File Hash
1  %AppData%\B88JNglgm1.txt
   %AppData%\BHlEIAl61g.txt
   %AppData%\BLMD1kb88b.txt
   %System%\winrtsnr.txt                      0 bytes       MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                                                            SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2  %AppData%\systemproc.exe                   61,440 bytes  MD5: 0x8255A83E8902745EC77BCAA6B027230A
                                                            SHA-1: 0x2ED07A00B6D34231C4EB5FBF9D634184148524B8
3  %AppData%\WIN-2045-7453-2214\sysloop.exe
   %Temp%\qqj.exe                             70,144 bytes  MD5: 0x844F66FC1C89977A44A643463F000055
                                                            SHA-1: 0xD0A4D40A083CFC4EEB20C0A65897277CE74605F4
4  %Temp%\DgHIGmdCkfg.txt
   %Temp%\GdDbfFkd6kjN80JjM1.txt
   %Temp%\KhCIdDLI8LiM1kK.txt                 2,560 bytes   MD5: 0xD3C30B4B46C128973B652BA2D5C0BAE2
                                                            SHA-1: 0xED0D7F7B3FAAD8F68476BB7A5387D5C83FC0F478
5  [file and pathname of the sample #1]       44,032 bytes  MD5: 0x6D71B0CF1BA5F69F25A9046AA950A125
                                                            SHA-1: 0x36E11EE8B176E2E0E1D599A2BBFC2CDAE15E1F3A

Info about this posting:
http://whois.domaintools.com/78.46.81.231