Worm.Win32.FFAuto.uy

Exe file:
http://123back.com/1.EXE

Java drive-by:
http://123back.com/

* The following Host Names were requested from a host database:
o sam.chatsmate.com
o ms.tvchatz.com
o chatsmate.com
o justchatz.com
o tvchatz.com

UDP Connections
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3001 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0

Registry Changes by all processes
Create or Open
Changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Reads: HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"

File Changes by all processes
New Files: \Device\RasAcd
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Opened Files: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
\\.\PIPE\lsarpc
Deleted Files: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Chronological Order:
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Copy File: c:\1.EXE to C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)

Hosting info:
http://whois.domaintools.com/173.248.136.153
