Remote Host      Port Number
66.252.13.208    17000
NICK XP|Cah2
USER laMer "" "flash.flassicensingservice.net" :
You Think i
aughty
USERHOST XP|Cah2
MODE XP|Cah2 +i
JOIN #lbl# lam
MODE #lbl#
PONG :i5387D082.versanet.de
Registry Modifications
* The following Registry Keys were created:
  o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
  o HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent
  o HKEY_CURRENT_USER\Software\mIRC
  o HKEY_CURRENT_USER\Software\mIRC\DateUsed
* The newly created Registry Values are:
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    + WinXPService = "%Windir%\ie8\mplayer.pif"
      so that mplayer.pif runs every time Windows starts
  o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
    + DisplayName = "mIRC"
    + UninstallString = ""%Windir%\ie8\mplayer.pif" -uninstall"
  o [HKEY_CURRENT_USER\Software\Microsoft\Microsoft Agent]
    + VoiceEnabled = 0x00000001
    + UseVoiceTips = 0x00000001
    + KeyHoldHotKey = 0x00000091
    + UseBeepSRPrompt = 0x00000001
    + SRTimerDelay = 0x000007D0
    + SRModeID = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    + EnableSpeaking = 0x00000001
    + UseBalloon = 0x00000001
    + UseCharacterFont = 0x00000001
    + UseSoundEffects = 0x00000001
    + SpeakingSpeed = 0x00000005
    + PropertySheetX = 0x000F423F
    + PropertySheetY = 0x000F423F
    + PropertySheetWidth = 0x00000000
    + PropertySheetHeight = 0x00000000
    + PropertySheetPage = 0x00000000
    + CommandsWindowLeft = 0xFFFFFFFF
    + CommandsWindowTop = 0xFFFFFFFF
    + CommandsWindowWidth = 0x000000C8
    + CommandsWindowHeight = 0x000000C8
    + CommandsWindowLocationSet = 0x00000000
  o [HKEY_CURRENT_USER\Software\mIRC\DateUsed]
    + (Default) = "1261776090"
Memory Modifications
* There was a new process created in the system:
  Process Name    Process Filename            Main Module Size
  mplayer.pif     %Windir%\ie8\mplayer.pif    1 679 360 bytes
* The following directories were created:
  o %Windir%\ie8
  o %Windir%\ie8\logs
  o %Windir%\ie8\sounds
File System Modifications
* The following files were created in the system:
  #   Filename(s)   File Size   File Hash   Alias
  1   %Windir%\ie8\dr67rf.zip   3 416 bytes
      MD5: 0x0988087B23F3D160BE8ACD8DA8A9DB9A
      SHA-1: 0xBA1DD56646D0E54FAA6100135A652C889C502683
      Alias: (not available)
  2   %Windir%\ie8\ei7g.msp   86 bytes
      MD5: 0xC91CB1DBBA17D6FA2485F0EBD8BD1AA9
      SHA-1: 0x0B2866D9DDF46E125A903825DDE0C736F367278C
      Alias: (not available)
  3   %Windir%\ie8\hy5if.zip   24 521 bytes
      MD5: 0x685F924DA2F0D591CA05AC1244333F58
      SHA-1: 0x02FC8C955843DF1058F2E17257727FF30DF84F87
      Alias: Hacktool.Flooder [PCTools]
             Hacktool.Flooder [Symantec]
             Backdoor.IRC.Agent.q [Kaspersky Lab]
  4   %Windir%\ie8\mplayer.pif   574 464 bytes
      MD5: 0xB3027DFFA9BBAC7E1999223CF737200B
      SHA-1: 0x04F7BE390D135405B5D1925B205C0C871301B522
      Alias: Backdoor.IRC.Flood [PCTools]
             W32.IRCBot [Symantec]
             not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
             TROJ_BOTIRC.A [Trend Micro]
             Troj/Multidr-FT [Sophos]
             Backdoor:Win32/IRCbot [Microsoft]
             Win-Trojan/MircPack.574464 [AhnLab]
             packed with UPX [Kaspersky Lab]
  5   %Windir%\ie8\o1o2o3o4   4 072 bytes
      MD5: 0xFEC2CBD8133F92A82E4E35D8126860B4
      SHA-1: 0x4A37D34CB61F0B16EA8204138D470A042D314660
      Alias: (not available)
  6   %Windir%\ie8\p24.reg   126 bytes
      MD5: 0x5E5C1F777229F11CE7B1F1C247409810
      SHA-1: 0xE893882FC1A5C30D94AA35A9549B3E61E8D1C627
      Alias: (not available)
  7   %Windir%\ie8\si3sj9.dll   40 960 bytes
      MD5: 0xA85A6F809B5500ADF9F163F60CBD9B25
      SHA-1: 0x9B81D20E5FFBF9BAE4BB95595579B29A282DAB0F
      Alias: Backdoor.IRC.Flood [PCTools]
             Hacktool.Flooder [Symantec]
             IRC/Flood.tool [McAfee]
             Troj/Flood-I [Sophos]
             Trojan:Win32/Flood.L [Microsoft]
             Win-Trojan/Flooder.45056.B [AhnLab]
  8   %Windir%\ie8\vcr32.zip   21 100 bytes
      MD5: 0xFA5F4F2FEB0136838392597A6949656F
      SHA-1: 0x2EE794D1130AE97762E4D83CE3C38138C57F4CC6
      Alias: (not available)
  9   [file and pathname of the sample #1]   889 569 bytes
      MD5: 0xBBB2C4E7F78479AC4F3431AC7172C471
      SHA-1: 0x30BD2CC03199ABBB7516B0F37E77E32E143AF714
      Alias: not-a-virus:Client-IRC.Win32.mIRC.603 [Kaspersky Lab]
             W32/Spybot.worm!ci [McAfee]
             Mal/Generic-A [Sophos]
             Backdoor:Win32/IRCbot [Microsoft]