Remote Host Port Number
 178.63.148.49 6667
NICK n{USA|XP}693101
 USER 4584 "" "TsGh" :4584
 JOIN #Adam
Registry Modifications
 * The newly created Registry Values are:
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 + Windows Update System = "%AppData%\winlogon.exe"
 + UserFaultCheck = "%System%\dumprep 0 -u"
 so that winlogon.exe runs every time Windows starts
 o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 + Windows Update System = "%AppData%\winlogon.exe"
 so that winlogon.exe runs every time Windows starts
File System Modifications
* The following files were created in the system:
 o #1: %AppData%\winlogon.exe [file and pathname of the sample #1]
 + File Size: 13 312 bytes
 + File Hash: MD5: 0x9E83AC70A1C3F7EB40E57D313148EC9F
 + File Hash: SHA-1: 0x99CA0D9F5ABE2842DC7E36C8814467464F3A83F3
 + Alias: Trojan.IRCBot [PCTools]
 + Alias: W32.IRCBot.Gen [Symantec]
 + Alias: Worm.Win32.AutoRun.boqr [Kaspersky Lab]
 + Alias: Mal/SillyFDC-A [Sophos]
 + Alias: packed with UPX [Kaspersky Lab]
 o #2: %Temp%\google_cache2.tmp
 + File Size: 9 bytes
 + File Hash: MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
 + File Hash: SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
 + Alias: (not available)