Remote Host Port Number
64.89.27.36 51987
NICK pLagUe{USA}{LAN}27954
MODE pLagUe{USA}{LAN}27954 -ix
JOIN #trees
PRIVMSG #trees :
PONG irc.lulz.ee
USER pLagUe * ok
TeaM UniX b0at 0.4
New Infection – Morpheous Stub
Other details
* The following port was open in the system:
Port Protocol Process
1050 TCP raidhost.exe (%Windir%\raidhost.exe)
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ raidhost = "raidhost.exe"
so that raidhost.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
raidhost.exe %Windir%\raidhost.exe 344 064 bytes
File System Modifications
* The following files were created in the system:
o File #1
+ Filename(s): %Windir%\raidhost.exe, [file and pathname of the sample #1]
+ File Size: 33 280 bytes
+ MD5: 0x1DBDDAD46127CDAC06A5F6E0D05780AE
+ SHA-1: 0xCDDD71704D139BA7A845608BFC4DF42BA3CD2981
o File #2
+ Filename(s): %System%\YoItzVlad.tmp
+ File Size: 5 bytes
+ MD5: 0xD356C81C0BDF1FE2059EABDA720CA0D4
+ SHA-1: 0x6A09BBFD26586342F7A9F19B82EBBE5AAB023E06