Remote Host          Port Number
ds32v7k3.knaqu.eu    4244
PASS letmein
NICK [00|USA|492973]
USER XP-1626 * 0 :COMPUTERNAME
* To mark the presence in the system, the following Mutex object was created:
o LiNbagGgsag
* The following ports were open in the system:
Port    Protocol    Process
1033    TCP         F1reFox32.exe (%Windir%\F1reFox32.exe)
1034    TCP         f1refox32.exe (%Windir%\f1refox32.exe)
* The following Host Name was requested from a host database:
o ds32v7k3.knaqu.eu
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows UDP Control Center = "F1reFox32.exe"
so that F1reFox32.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name                     Process Filename                         Main Module Size
F1reFox32.exe                    %Windir%\f1refox32.exe                   311 296 bytes
hh.exe                           %Temp%\ixp000.tmp\hh.exe                 40 961 bytes
[filename of the sample #1]      [file and pathname of the sample #1]     114 688 bytes
File System Modifications
* The following files were created in the system:
#   Filename(s)                             File Size       File Hash
1   %Temp%\IXP000.TMP\hh.exe                65 064 bytes    MD5: 0xB191CEFCE37D7374419A181AAB3C585A
    %Windir%\F1reFox32.exe                                  SHA-1: 0x2DB4B5D5147690B35543EFBC3F0B0B62689B08F8
2   [file and pathname of the sample #1]    99 840 bytes    MD5: 0x43BB5791ABFFE86E9C48F80915D3B749
                                                            SHA-1: 0x314960383E000D745033ECC478482984A60AFD83
* Notes:
o %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp (Windows NT/2000/XP).
o %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* The following directory was created:
o %Temp%\IXP000.TMP