Remote Host      Port Number
193.104.27.98    80
218.61.22.10     1863
* The data identified by the following URLs was then requested from the remote web server:
o http://193.104.27.98/pizda.php
o http://193.104.27.98/fox.bin
o http://www.ip-adress.com/
MODE [N00_USA_XP_7947582]8
@ -ix
PONG eee.4088.com
JOIN #superman open
MODE #superman -ix
* The following ports were open in the system:
Port    Protocol    Process
1053    UDP         livemessn.exe (%Windir%\livemessn.exe)
1055    TCP         livemessn.exe (%Windir%\livemessn.exe)
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
o HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}
o HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}
o HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{3446AF26-B8D7-199B-4CFC-6FD764CA5C9F}
o HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
o HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = "%Windir%\livemessn.exe"
so that livemessn.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Driver Setup = "%Windir%\livemessn.exe"
so that livemessn.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
+ UID = "%ComputerName%_B4DF7611BB99FF8A"
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}]
+ {23343233-2C66-3B33-3432-343233343233} = FA 0C F5 0E
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
+ {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
+ {33373039-3132-3864-6B30-303233343434} = F7 09 F2 0D
+ {6E633338-267E-2A79-6830-386668666866} = F7 09 F2 0D
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{3446AF26-B8D7-199B-4CFC-6FD764CA5C9F}]
+ {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
+ {33373039-3132-3864-6B30-303233343434} = F7 09 F2 0D
+ {6E633338-267E-2A79-6830-386668666866} = F7 09 F2 0D
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}]
+ {3039636B-5F3D-6C64-6675-696870667265} = F7 09 F2 0D
+ {33373039-3132-3864-6B30-303233343434} = F7 09 F2 0D
+ {6E633338-267E-2A79-6830-386668666866} = F7 09 F2 0D
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
+ ProxyEnable = 0x00000000
o [HKEY_CURRENT_USER\Software\Microsoft]
+ (Default) = 0x00000001
* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Userinit =
o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
+ Cookies =
+ History =
Memory Modifications
* There were new memory pages created in the address space of the system process(es):
Process Name    Process Filename         Allocated Size
services.exe    %System%\services.exe    155 648 bytes
lsass.exe       %System%\lsass.exe       155 648 bytes
svchost.exe     %System%\svchost.exe     155 648 bytes
svchost.exe     %System%\svchost.exe     155 648 bytes
svchost.exe     %System%\svchost.exe     155 648 bytes
svchost.exe     %System%\svchost.exe     155 648 bytes
svchost.exe     %System%\svchost.exe     155 648 bytes
alg.exe         %System%\alg.exe         155 648 bytes
* There was a new process created in the system:
Process Name    Process Filename          Main Module Size
livemessn.exe   %Windir%\livemessn.exe    339 968 bytes
* Attention! The following hidden file was created in the system:
1. Filename(s): %System%\lowsec\local.ds
   File Size: 56 376 bytes
   File Hash: MD5: 0x65A17887EEC609D94FA3F0C97E6FFB6A
              SHA-1: 0x381E414E80D219DED43BD75C296ED02C3CCB5947
* Attention! The following hidden directory was created:
o %System%\lowsec
* The following files were created in the system:
1. Filename(s): %Temp%\tmp1.tmp
                %Windir%\logfile32.txt
                %System%\lowsec\user.ds
   File Size: 0 bytes
   File Hash: MD5: 0xD41D8CD98F00B204E9800998ECF8427E
              SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   Alias: (not available)
2. Filename(s): %Temp%\tmp2.tmp
                %System%\sdra64.exe
   File Size: 127 488 bytes
   File Hash: MD5: 0x22C20E54A28AE80A48028D01283B064B
              SHA-1: 0x31F8CB03C71FEF21CDED5D455C7FF584706A30F4
   Alias: Trojan.Zbot [PCTools]
          Trojan.Zbot!gen3 [Symantec]
          Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab]
          Generic PWS.y!bzc [McAfee]
          Mal/Generic-A [Sophos]
          Packed.Win32.Krap [Ikarus]
3. Filename(s): %Windir%\livemessn.exe
                [file and pathname of the sample #1]
   File Size: 51 712 bytes
   File Hash: MD5: 0xCAFDD2AC17F97E9BF6124B3C68924286
              SHA-1: 0xEF0C455B37DD63164C8759D4AF25F3A689405BC1
   Alias: Trojan.IRCBot [PCTools]
          W32.IRCBot [Symantec]
          Backdoor.Win32.IRCBot.nhu [Kaspersky Lab]
          W32/Spybot.worm!dg [McAfee]
          Mal/Generic-A [Sophos]
          Backdoor:Win32/IRCbot [Microsoft]
          Backdoor.Win32.IRCBot [Ikarus]
          Win32/Ircbot.worm.variant [AhnLab]