Remote Host Port Number
74.208.43.209 5000
JOIN ##[ENG]
JOIN #msn#
PONG :4DFB1F08
NICK [V2][ENG][COMPUTERNAME]9523
PING :redc00de.no-ip.biz
00000000 | 5041 5353 200D 0A55 7365 7220 6B6B 6B20 | PASS ..User kkk
00000010 | 6B6B 6B20 6B6B 6B20 6B6B 6B20 3A6B 6B6B | kkk kkk kkk :kkk
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Realtek Sound Software = “%AppData%\Realtek\sounds.exe”
so that sounds.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Realtek Sound Software = “%AppData%\Realtek\sounds.exe”
so that sounds.exe runs every time Windows starts
* The following Registry Value was modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Userinit =
File System Modifications
* The following file was created in the system:
o File #1
+ Filename(s): %AppData%\Realtek\sounds.exe
[file and pathname of the sample #1]
+ File Size: 81 408 bytes
+ File Hash:
MD5: 0xCC47049FB9EE4125B29E6A5960996B7F
SHA-1: 0x186DDF84FAD3C5034B164A79CD9FFDF2554F746B
+ Alias:
Trojan.IRCBot!rem [PCTools]
W32.IRCBot [Symantec]
Backdoor.MSIL.IrcBot.ba [Kaspersky Lab]
Mal/MSIL-A [Sophos]
Worm:MSIL/Tawsebot.A [Microsoft]
Backdoor.MSIL [Ikarus]
Win32/Ircbot.worm.variant [AhnLab]