Remote Host                Port Number
boxdeccode.vaiosys.com     1234
Resolved : [boxdeccode.vaiosys.com] To [85.234.144.237]
Resolved : [boxdeccode.vaiosys.com] To [216.246.99.115]
Resolved : [boxdeccode.vaiosys.com] To [212.117.166.201]
NICK {NEW}[USA][XP-SP2]678388
USER 5100 “” “lol” :5100
JOIN #b#
NICK [USA][XP-SP2]229885
USER 3392 “” “lol” :3392
NICK [USA][XP-SP2]567630
USER 9099 “” “lol” :9099
NICK [USA][XP-SP2]336902
USER 8944 “” “lol” :8944
Other details
* To mark the presence in the system, the following Mutex object was created:
o kOiJjfhjtgK
* The following port was open in the system:
Port    Protocol    Process
1036    TCP         lssas.exe (%Temp%\lssas.exe)
* The following Host Name was requested from a host database:
o boxdeccode.vaiosys.com
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Google Updater = “%Temp%\lssas.exe”
so that lssas.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Google Updater = “%Temp%\lssas.exe”
so that lssas.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name                    Process Filename                          Main Module Size
lssas.exe                       %Temp%\lssas.exe                          69 632 bytes
[filename of the sample #1]     [file and pathname of the sample #1]      135 168 bytes
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash
1 %Temp%\google_cache94.tmp 9 bytes MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
2 %Temp%\lssas.exe
[file and pathname of the sample #1] 135 168 bytes MD5: 0x2895EB4E712E760EFF7AA821FE867B92
SHA-1: 0x1A145C2E131B979E0FE4B8D75A7C5F1E18A73468
* Note:
o %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp (Windows NT/2000/XP).