Remote Host        Port Number
194.109.20.90      6664
bircd.w0rms.ro     2008
69.16.172.40       6668
69.16.172.40       7000
NICK jonasg
USER truman "" "194.109.20.90" :mined
USERHOST nick
PART channel
USER truman "" "bircd.w0rms.ro" :mined
SILENCE +*!*@*,~*!*@*undernet.org
MODE jonasg +iwx
NICK soowona
USER tandy "" "194.109.20.90" :alex
USER tandy "" "bircd.w0rms.ro" :alex
MODE soowona +iwx
MODE nick +iwx
USER tandy "" "69.16.172.40" :alex
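Added example, not part of the sandbox report: the client-side commands above are a registration transcript, and a few parsed features separate this bot from an ordinary mIRC session. The Python below (this editor's code, not the sample's) parses each line as an RFC 1459 client message and reports those traits: USER's third field naming a host from the connection table, repeated NICK/USER re-registration under different identities, MODE +ix on the bot's own nick, and a SILENCE +*!*@* mask. The transcript is the report's own lines embedded as a constant; the indicator names and the C2_HOSTS set are this example's.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the client-to-server commands recorded in the report,
# in the order they appear there.
OBSERVED_COMMANDS = """\
NICK jonasg
USER truman "" "194.109.20.90" :mined
USERHOST nick
PART channel
USER truman "" "bircd.w0rms.ro" :mined
SILENCE +*!*@*,~*!*@*undernet.org
MODE jonasg +iwx
NICK soowona
USER tandy "" "194.109.20.90" :alex
USER tandy "" "bircd.w0rms.ro" :alex
MODE soowona +iwx
MODE nick +iwx
USER tandy "" "69.16.172.40" :alex
"""

# Remote hosts from the report's connection table.
C2_HOSTS = {"194.109.20.90", "bircd.w0rms.ro", "69.16.172.40"}


@dataclass
class IrcMessage:
    command: str
    params: list
    trailing: Optional[str] = None


def parse_line(line: str) -> IrcMessage:
    """Split one RFC 1459 client message into COMMAND, middle params and the
    ':'-prefixed trailing param. mIRC quotes the empty and hostname fields
    of USER, so quoted tokens are kept whole and then unquoted."""
    line = line.rstrip("\r\n")
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    tokens = re.findall(r'"[^"]*"|\S+', line)
    if not tokens:
        raise ValueError("empty IRC line")
    return IrcMessage(tokens[0].upper(), [t.strip('"') for t in tokens[1:]], trailing)


def fingerprint(text: str) -> dict:
    """Summarise a registration transcript and flag the traits seen above."""
    msgs = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    users = [m for m in msgs if m.command == "USER" and len(m.params) >= 3]
    modes = [m for m in msgs if m.command == "MODE" and len(m.params) >= 2]
    silence = [m.params[0] for m in msgs if m.command == "SILENCE" and m.params]
    summary = {
        "nicks": [m.params[0] for m in msgs if m.command == "NICK" and m.params],
        "idents": sorted({m.params[0] for m in users}),
        "realnames": sorted({m.trailing for m in users if m.trailing}),
        # mIRC places the server it is connecting to in USER's third field.
        "servers_in_user": sorted({m.params[2] for m in users}),
    }
    summary["indicators"] = {
        # USER names a host that appears in the report's C2 table.
        "registers_with_known_c2": bool(set(summary["servers_in_user"]) & C2_HOSTS),
        # Several nick/ident combinations inside a single transcript.
        "rotates_identity": len(summary["nicks"]) > 1 and len(summary["idents"]) > 1,
        # +i (invisible to WHO/NAMES) together with +x (hidden host).
        "hides_from_who": any("i" in m.params[1] and "x" in m.params[1] for m in modes),
        # SILENCE +*!*@* drops private messages from every user; the
        # ~-prefixed entry is an ircu exception mask for *undernet.org.
        "silences_everyone": any(mask.startswith("+*!*@*") for mask in silence),
    }
    return summary


if __name__ == "__main__":
    for key, value in fingerprint(OBSERVED_COMMANDS).items():
        print(f"{key}: {value}")
```

Run it against a capture of any IRC client's first few lines: a human mIRC session registers once, never silences everyone, and does not repeat USER with a different ident.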
* An application-defined hook procedure was installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
o %Windir%\temp\spoolsv\spoolsv.exe
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec
o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost
o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters
o HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
o HKEY_CURRENT_USER\Software\mIRC
o HKEY_CURRENT_USER\Software\mIRC\Channels
o HKEY_CURRENT_USER\Software\mIRC\License
o HKEY_CURRENT_USER\Software\mIRC\LockOptions
o HKEY_CURRENT_USER\Software\mIRC\%UserName%
o HKEY_CURRENT_USER\Software\WinRAR SFX
* Notes:
o %UserName% is a variable that refers to the current user name.
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cha]
+ (Default) = "ChatFile"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chat]
+ (Default) = "ChatFile"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic]
+ (Default) = "Connect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application]
+ (Default) = "svchost"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile]
+ (Default) = "Chat File"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic]
+ (Default) = "Connect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application]
+ (Default) = "svchost"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec]
+ (Default) = "%1"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe" -noconnect"
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\DefaultIcon]
+ (Default) = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
+ (Default) = "URL:IRC Protocol"
+ EditFlags = 02 00 00 00
+ URL Protocol = ""
so that irc: links and .cha/.chat files are opened with the dropped spoolsv.exe; these are the file-association and DDE keys a normal mIRC install writes, here pointing at the copy in %Windir%\temp. The ddeexec Application value is the DDE server name the running client registers (here "svchost", a name that resembles the Windows service host process), not a reference to the system's svchost.exe
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ spoolsv = ""%Windir%\temp\spoolsv\spoolsv.exe""
so that spoolsv.exe runs every time Windows starts (the name mimics the legitimate print spooler, which lives in %Windir%\system32, not %Windir%\temp)
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
+ DisplayName = "mIRC"
+ UninstallString = ""%Windir%\temp\spoolsv\spoolsv.exe" -uninstall"
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svchost\Parameters]
+ Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
+ AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
+ Application = ""%Windir%\temp\spoolsv\spoolsv.exe""
+ AppDirectory = ""%Windir%\temp\spoolsv\spoolsv.exe""
so that a service named "svchost" launches spoolsv.exe as well, a second persistence path independent of the Run entry; Application and AppDirectory are the Parameters values read by srvany.exe-style service wrappers, which is how a plain Win32 program such as an IRC client is run as a service
o [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
+ VoiceEnabled = 0x00000001
+ UseVoiceTips = 0x00000001
+ KeyHoldHotKey = 0x00000091
+ UseBeepSRPrompt = 0x00000001
+ SRTimerDelay = 0x000007D0
+ SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ EnableSpeaking = 0x00000001
+ UseBalloon = 0x00000001
+ UseCharacterFont = 0x00000001
+ UseSoundEffects = 0x00000001
+ SpeakingSpeed = 0x00000005
+ PropertySheetX = 0x000F423F
+ PropertySheetY = 0x000F423F
+ PropertySheetWidth = 0x00000000
+ PropertySheetHeight = 0x00000000
+ PropertySheetPage = 0x00000000
+ CommandsWindowLeft = 0xFFFFFFFF
+ CommandsWindowTop = 0xFFFFFFFF
+ CommandsWindowWidth = 0x000000C8
+ CommandsWindowHeight = 0x000000C8
+ CommandsWindowLocationSet = 0x00000000
o [HKEY_CURRENT_USER\Software\mIRC\%UserName%]
+ (Default) = "WhiteHat"
o [HKEY_CURRENT_USER\Software\mIRC\LockOptions]
+ (Default) = "0,4096"
o [HKEY_CURRENT_USER\Software\mIRC\License]
+ (Default) = "5662-546732"
o [HKEY_CURRENT_USER\Software\WinRAR SFX]
+ C%%WINDOWS%Temp = "%Windir%\Temp"
so that the dropper, a WinRAR self-extracting archive, records the directory it unpacked into
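Added example, not from the report: the values above give four independent persistence or hijack points (the Run entry, the srvany-style service Parameters, the irc: and ChatFile handlers, and the Uninstall entry), all of which share one tell, a launch path under %Windir%\temp. The Python below (this editor's code) parses a .reg export and flags exactly those patterns. The SAMPLE_REG text is a constructed reconstruction of the report's values in .reg syntax with one benign ctfmon.exe Run entry added as a control; it is not an export from the infected machine. The _SYSTEM_NAMES list and the Finding reasons are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed input: the persistence-related values from the report,
# rewritten in .reg export syntax, plus one benign Run entry as a control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc]
@="URL:IRC Protocol"
"EditFlags"=hex:02,00,00,00
"URL Protocol"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\irc\Shell\open\command]
@="\"%Windir%\\temp\\spoolsv\\spoolsv.exe\" -noconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command]
@="\"%Windir%\\temp\\spoolsv\\spoolsv.exe\" -noconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolsv"="\"%Windir%\\temp\\spoolsv\\spoolsv.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
"DisplayName"="mIRC"
"UninstallString"="\"%Windir%\\temp\\spoolsv\\spoolsv.exe\" -uninstall"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"Application"="\"%Windir%\\temp\\spoolsv\\spoolsv.exe\""
"AppDirectory"="\"%Windir%\\temp\\spoolsv\\spoolsv.exe\""
'''

RegValue = Union[str, int, bytes]
_NAME_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str) -> RegValue:
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.lower().startswith("hex:"):
        return bytes(int(b, 16) for b in raw[4:].split(",") if b)
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Minimal .reg reader: [key] headers, then name=value lines."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _NAME_RE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _decode_value(m.group(2))
    return keys


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


# No legitimate autostart or handler should launch from a Temp directory.
_TEMP_RE = re.compile(r"(\\temp\\|%temp%)", re.I)
# Windows system binary names that malware borrows for service names.
_SYSTEM_NAMES = {"svchost", "spoolsv", "lsass", "csrss", "services", "winlogon", "explorer"}


def find_persistence(keys: Dict[str, Dict[str, RegValue]]) -> List[Finding]:
    out: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        svc = re.search(r"\\services\\([^\\]+)\\parameters$", k)
        for name, val in values.items():
            if not isinstance(val, str):
                continue
            in_temp = bool(_TEMP_RE.search(val))
            if re.search(r"\\currentversion\\run(once)?$", k) and in_temp:
                out.append(Finding(key, name, val, "autostart entry launches a program from a Temp directory"))
            elif k.endswith("\\shell\\open\\command") and in_temp:
                out.append(Finding(key, name, val, "file/URL-protocol handler points into a Temp directory"))
            elif "\\uninstall\\" in k and name.lower() == "uninstallstring" and in_temp:
                out.append(Finding(key, name, val, "Uninstall entry fronts a program in a Temp directory"))
            elif svc and name.lower() == "application" and (in_temp or svc.group(1).lower() in _SYSTEM_NAMES):
                reason = "srvany-style Parameters\\Application runs an arbitrary program as a service"
                if svc.group(1).lower() in _SYSTEM_NAMES:
                    reason += f"; service name '{svc.group(1)}' mimics a Windows system binary"
                if in_temp:
                    reason += "; target is in a Temp directory"
                out.append(Finding(key, name, val, reason))
    return out


if __name__ == "__main__":
    for f in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"{f.key}\n  {f.name} = {f.value}\n  -> {f.reason}")
```

On a live host, feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the Services and Classes hives in the same way; the AppDirectory value is deliberately not flagged on its own so that the service finding stays one line per service.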
Memory Modifications
* There was a new process created in the system:
Process Name                  Process Filename                        Main Module Size
[filename of the sample #1]   [file and pathname of the sample #1]    135 168 bytes
* The following directories were created:
o %Windir%\Temp\spoolsv
o %Windir%\Temp\spoolsv\download
o %Windir%\Temp\spoolsv\logs
o %Windir%\Temp\spoolsv\sounds
File System Modifications
* The following files were created in the system (number, filename, file size, MD5 and SHA-1 hashes, and the aliases under which AV vendors detect the file):
o 1. [file and pathname of the sample #1]
+ File Size: 779 111 bytes
+ MD5: 0xC670165AE6DFA8318F0EA795B1D3AD55
+ SHA-1: 0xD5DFD0AF3E5EDC55F9706CB3ACA2F5B98132C3F1
+ Alias: Backdoor.IRC.Zapchast.h, not-a-virus:Client-IRC.Win32.mIRC.603, Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]; Mal/Zapchas-A [Sophos]; IRC.Cloner [Ikarus]; Dropper/Malware.779111 [AhnLab]
o 2. %Windir%\Temp\spoolsv\a.reg
+ File Size: 1 260 bytes
+ MD5: 0x3A6124B67B70CFC076115D6C03A46555
+ SHA-1: 0xFF32EA635FBC7E246EDB1EF30FD2146702137200
+ Alias: Trojan.RunKeys [PCTools]; IRC.Backdoor.Trojan [Symantec]; Backdoor.IRC.Zapchast.zwrc [Kaspersky Lab]; Reg/IRCSpoolsv [McAfee]; REG_ZAPCHAST.ED [Trend Micro]; Backdoor.IRC.Zapchast [Ikarus]
o 3. %Windir%\Temp\spoolsv\aliases.ini
+ File Size: 11 bytes
+ MD5: 0x2218DF9CDFFC814A3DC25C81DD8619DD
+ SHA-1: 0x0290F796218937F61331ADC8803788E7CD4C2299
+ Alias: (not available)
o 4. %Windir%\Temp\spoolsv\com.mrc
+ File Size: 15 593 bytes
+ MD5: 0x10D5633BE4C6DCE3CBC9739BF9A26F14
+ SHA-1: 0xB3AB426669DBA4F0A05DE09E3C9D9E14236C1270
+ Alias: (not available)
o 5. %Windir%\Temp\spoolsv\control.ini
+ File Size: 5 918 bytes
+ MD5: 0x69DA93DD383B22EB3387B86C5035E497
+ SHA-1: 0xD0152DDA9FCDD22FF2F182381E7B4BAE288FE1E0
+ Alias: (not available)
o 6. %Windir%\Temp\spoolsv\Desktop.ini
+ File Size: 77 bytes
+ MD5: 0x624E33C2611C3507D3C8D6663A5BAED6
+ SHA-1: 0xCDE4B249382CE6A7903DFA1CF8D3F68CA424AB02
+ Alias: (not available)
o 7. %Windir%\Temp\spoolsv\ident.txt
+ File Size: 54 974 bytes
+ MD5: 0x807C70E89735A428AA39BE765F8ED758
+ SHA-1: 0x019960FAA02B3EBE6475E64785E72B1EB7AC9FB7
+ Alias: IRC.Cloner [Ikarus]
o 8. %Windir%\Temp\spoolsv\idiot.jpg
+ File Size: 30 982 bytes
+ MD5: 0x3051A61EEF5E111B90316B0AA6530DC9
+ SHA-1: 0x12395ACDD9EB20C5429DF3A6F48A8A4A93ED2E39
+ Alias: (not available)
o 9. %Windir%\Temp\spoolsv\mirc.ico
+ File Size: 5 694 bytes
+ MD5: 0xE09AA9787AF5CC53FD7525DD6693CF10
+ SHA-1: 0x57445D0779A66C61741822C0A7988573EFEE13D7
+ Alias: (not available)
o 10. %Windir%\Temp\spoolsv\mirc.ini
+ File Size: 3 209 bytes
+ MD5: 0xF7FAB87E2F971BF2BC40534FB2E35A76
+ SHA-1: 0x74540CB57276BA0404DB6A4BE32AB3D1BE5B8A3B
+ Alias: Backdoor.IRC.Zapchast.h [Kaspersky Lab]; IRC/Flood.gen.b [McAfee]; Mal/Zapchas-C [Sophos]
o 11. %Windir%\Temp\spoolsv\popups.txt
+ File Size: 2 639 bytes
+ MD5: 0xACCBAA68AFB41C0FAED208B8D8CC7F37
+ SHA-1: 0x5203AC8199C044A9C17F71AA31D8B4885A36D08E
+ Alias: (not available)
o 12. %Windir%\Temp\spoolsv\remote.ini
+ File Size: 1 961 bytes
+ MD5: 0x46A0041B61FB818A9A64F672CB0908B1
+ SHA-1: 0x8877A860149994C5F38748503170F0C60451FF21
+ Alias: (not available)
o 13. %Windir%\Temp\spoolsv\run.bat
+ File Size: 195 bytes
+ MD5: 0xB2EB520E60CD7827E91FE15169A6BF0B
+ SHA-1: 0xC616C667E8B893D8F6E4E21152DABA3B15E321BB
+ Alias: Backdoor.IRC.Zapchast!ct [PCTools]; Backdoor.IRC.Flood [Symantec]; Backdoor.IRC.Zapchast [Ikarus]
o 14. %Windir%\Temp\spoolsv\servers.ini
+ File Size: 1 444 bytes
+ MD5: 0x88925AB8AB16EC1A24A9964070B1D60E
+ SHA-1: 0x324C5CB1EC7086CDFA29927CB2C5E3F247786353
+ Alias: (not available)
o 15. %Windir%\Temp\spoolsv\spoolsv.exe
+ File Size: 1 790 464 bytes
+ MD5: 0xB766003F431CAD186BD115F5761592D1
+ SHA-1: 0x33CDFE6F7FA6B321F9A51CC051C32BA924164B10
+ Alias: Backdoor.IRCBot [PCTools]; not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]; IRC/Client [McAfee]; not-a-virus:Client-IRC.Win32.mIRC [Ikarus]; Win-Trojan/MircPack.1790464 [AhnLab]
o 16. %Windir%\Temp\spoolsv\users.ini
+ File Size: 238 bytes
+ MD5: 0xC393C37D50192E286C45E664CB2BC0DD
+ SHA-1: 0x57B41F894C63F7AD69A58A2242BBEDDF9B3708DA
+ Alias: (not available)
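Added example, not part of the report: the hashes above are only useful for the exact build that was analysed, whereas the directory layout (a spoolsv folder under %Windir%\Temp holding mirc.ini, remote.ini, run.bat, a.reg and the download/logs/sounds subfolders) survives re-packing. The Python below (this editor's code) does both checks: sweep() hashes every file under a root and matches MD5 or SHA-1 against an IOC dictionary seeded with the report's MD5s, and spoolsv_layout_score() reports how much of the dropped-file layout is present. The demo() fixture builds a constructed directory tree in a temporary folder whose file contents are this example's own, so only a hash it computes itself can match; the REPORT_MD5 values are copied from the table above.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# MD5s from the report's file table (0x prefix dropped, lower-cased).
REPORT_MD5: Dict[str, str] = {
    "c670165ae6dfa8318f0ea795b1d3ad55": "[sample #1]",
    "3a6124b67b70cfc076115d6c03a46555": "a.reg",
    "2218df9cdffc814a3dc25c81dd8619dd": "aliases.ini",
    "10d5633be4c6dce3cbc9739bf9a26f14": "com.mrc",
    "69da93dd383b22eb3387b86c5035e497": "control.ini",
    "624e33c2611c3507d3c8d6663a5baed6": "Desktop.ini",
    "807c70e89735a428aa39be765f8ed758": "ident.txt",
    "3051a61eef5e111b90316b0aa6530dc9": "idiot.jpg",
    "e09aa9787af5cc53fd7525dd6693cf10": "mirc.ico",
    "f7fab87e2f971bf2bc40534fb2e35a76": "mirc.ini",
    "accbaa68afb41c0faed208b8d8cc7f37": "popups.txt",
    "46a0041b61fb818a9a64f672cb0908b1": "remote.ini",
    "b2eb520e60cd7827e91fe15169a6bf0b": "run.bat",
    "88925ab8ab16ec1a24a9964070b1d60e": "servers.ini",
    "b766003f431cad186bd115f5761592d1": "spoolsv.exe",
    "c393c37d50192e286c45e664cb2bc0dd": "users.ini",
}

# Names the report lists under %Windir%\Temp\spoolsv.
DROPPED_FILES = {
    "a.reg", "aliases.ini", "com.mrc", "control.ini", "Desktop.ini", "ident.txt",
    "idiot.jpg", "mirc.ico", "mirc.ini", "popups.txt", "remote.ini", "run.bat",
    "servers.ini", "spoolsv.exe", "users.ini",
}
DROPPED_DIRS = {"download", "logs", "sounds"}


def file_digests(path: Path) -> Tuple[str, str]:
    """MD5 and SHA-1 of a file, streamed so large files do not load into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, iocs: Dict[str, str] = REPORT_MD5) -> List[Tuple[str, str]]:
    """Return (path, label) for every file under root whose MD5 or SHA-1 is in iocs."""
    hits: List[Tuple[str, str]] = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            md5, sha1 = file_digests(p)
        except OSError:
            continue  # locked or unreadable file: skip it, do not abort the sweep
        label = iocs.get(md5) or iocs.get(sha1)
        if label:
            hits.append((str(p), label))
    return hits


def spoolsv_layout_score(root) -> float:
    """Fraction of the report's dropped names present in root/spoolsv (0.0 if absent).
    Catches a re-packed variant whose file hashes no longer match."""
    base = Path(root) / "spoolsv"
    if not base.is_dir():
        return 0.0
    expected = {n.lower() for n in DROPPED_FILES | DROPPED_DIRS}
    present = {p.name.lower() for p in base.iterdir()}
    return len(present & expected) / len(expected)


def demo() -> dict:
    """Constructed fixture: a fake Temp directory with the report's spoolsv
    layout but made-up file contents, then a sweep with the report's IOCs and
    a second sweep whose IOC set is seeded with the fixture's own run.bat hash."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "spoolsv"
        for d in DROPPED_DIRS:
            (base / d).mkdir(parents=True)
        for name in DROPPED_FILES:
            (base / name).write_bytes(b"constructed placeholder for " + name.encode())
        (Path(tmp) / "unrelated.txt").write_bytes(b"benign")
        run_bat_md5, _ = file_digests(base / "run.bat")
        seeded = dict(REPORT_MD5)
        seeded[run_bat_md5] = "run.bat (fixture)"
        return {
            "hits_report_only": sweep(tmp),
            "hits_seeded": sweep(tmp, seeded),
            "layout_score": spoolsv_layout_score(tmp),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host the root to pass is the Temp directory the report names, e.g. sweep(r"C:\Windows\Temp") and spoolsv_layout_score(r"C:\Windows\Temp"); a layout score near 1.0 with no hash hits is the signature of a repacked build and is worth triaging by hand.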