Remote Host          Port Number
moves.vaiosys.com    81
NICK [USA|XP]3955007
USER s "" "lol" :s
JOIN #newgen#
JOIN #USA (null)
NICK n[USA|XP]1780382
NICK [USA|XP]1860968
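The captured session above is a plain IRC client handshake (NICK, USER, JOIN) sent to port 81 rather than an IRC port, with nicks of the form [USA|XP]<digits>: a country|OS tag plus a victim number, which is how IRC bots announce themselves to their controller. As an added example that is not part of the original report, the following Python parses such a client stream and flags the combination of a non-standard port, a bot-pattern nick and a channel join. The sample lines are copied from the report; the wider country/OS character classes in the regex, the IRC port list and the function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the client-side IRC commands captured in the report
# above, in order, exactly as printed there.
SAMPLE_SESSION = [
    'NICK [USA|XP]3955007',
    'USER s "" "lol" :s',
    'JOIN #newgen#',
    'JOIN #USA (null)',
    'NICK n[USA|XP]1780382',
    'NICK [USA|XP]1860968',
]

# Bot-style nick: optional one-letter prefix, a "[COUNTRY|OS]" tag and a
# numeric victim id. Only "[USA|XP]" occurs in the report; the wider
# country/OS character classes are an assumption to make the rule reusable.
BOT_NICK_RE = re.compile(r'^[a-z]?\[[A-Z]{2,3}\|[A-Z0-9]{1,6}\]\d{5,8}$')

# Ports where an IRC handshake is expected (assumed list); anything else,
# such as the port 81 used here, is the more interesting case for a rule.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}


@dataclass
class IrcSummary:
    nicks: List[str] = field(default_factory=list)
    bot_nicks: List[str] = field(default_factory=list)
    channels: List[str] = field(default_factory=list)
    user_line: Optional[str] = None


def parse_irc_line(line: str):
    """Split one raw client line into (COMMAND, [params]) per RFC 1459:
    a trailing ' :' parameter may contain spaces, everything else is
    whitespace-separated."""
    line = line.rstrip('\r\n')
    if ' :' in line:
        head, trailing = line.split(' :', 1)
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return None, []
    return params[0].upper(), params[1:]


def is_bot_nick(nick: str) -> bool:
    return BOT_NICK_RE.match(nick) is not None


def summarize_session(lines) -> IrcSummary:
    """Collect nicks, bot-pattern nicks and joined channels from a stream."""
    s = IrcSummary()
    for raw in lines:
        cmd, params = parse_irc_line(raw)
        if cmd == 'NICK' and params:
            s.nicks.append(params[0])
            if is_bot_nick(params[0]):
                s.bot_nicks.append(params[0])
        elif cmd == 'JOIN' and params:
            s.channels.append(params[0])   # the '(null)' key in the report is ignored
        elif cmd == 'USER':
            s.user_line = raw
    return s


def looks_like_irc_bot(lines, dst_port: int) -> bool:
    """Flag an IRC session on a non-IRC port whose client uses a
    bot-pattern nick and joins at least one channel."""
    s = summarize_session(lines)
    return dst_port not in IRC_PORTS and bool(s.bot_nicks) and bool(s.channels)


if __name__ == '__main__':
    summary = summarize_session(SAMPLE_SESSION)
    print('nicks:', summary.nicks)
    print('channels:', summary.channels)
    print('bot C2 on port 81:', looks_like_irc_bot(SAMPLE_SESSION, 81))
```

The nick regex is deliberately narrow; loosening it to any bracketed tag will also match ordinary users of some networks, so keep the port condition when turning this into a network signature.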
* To mark the presence in the system, the following Mutex object was created:
o 9n7v6v9n8v5bn8
* The following ports were opened (listening) in the system:
Port   Protocol   Process
1034   TCP        egun.exe (%AppData%\egun.exe)
1035   TCP        egun.exe (%AppData%\egun.exe)
1036   TCP        egun.exe (%AppData%\egun.exe)
* The following host name was requested from a host database (DNS lookup):
o moves.vaiosys.com
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows System Guard = "%AppData%\egun.exe"
so that egun.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name                    Process Filename                        Main Module Size
egun.exe                        %AppData%\egun.exe                      65 536 bytes
[filename of the sample #1]     [file and pathname of the sample #1]    212 992 bytes
File System Modifications
* The following files were created in the system:
#   Filename(s)                             File Size       File Hash
1   %AppData%\egun.exe                      212 992 bytes   MD5: 0xAE75452022D20AA2C1D02F42AF2B1818
    [file and pathname of the sample #1]                    SHA-1: 0xECC883474EA71CFB7D17C45F19DBD273FA604602
2   %System%\winsvncs.txt                   0 bytes         MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                                                            SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
Note that the hashes given for the 0-byte winsvncs.txt are simply the MD5 and SHA-1 of empty input: they match every empty file and are not usable as an indicator on their own, whereas the path and file name are. The dropped copy %AppData%\egun.exe is byte-identical to the sample (same hashes, same 212 992-byte size).
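The Run value and the file hashes above are the host-side indicators of this sample. As an added example that is not part of the original report, the following Python checks a registry export for Run values that launch something from a user-writable profile directory (the report's "Windows System Guard" = %AppData%\egun.exe pattern) and compares file content against the hashes listed, treating the empty-input hashes of winsvncs.txt as the non-indicator they are. The .reg text, the benign SecurityHealth entry, the user-writable directory list and all function names are constructed for this example; the hashes and the Run value name and data come from the report.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Hashes listed in the report above, lower-cased and without the 0x prefix.
REPORT_HASHES: Dict[str, Dict[str, str]] = {
    "egun.exe": {"md5": "ae75452022d20aa2c1d02f42af2b1818",
                 "sha1": "ecc883474ea71cfb7d17c45f19dbd273fa604602"},
    "winsvncs.txt": {"md5": "d41d8cd98f00b204e9800998ecf8427e",
                     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Autostart entries launching from user-writable locations are what the
# report's %AppData%\egun.exe persistence looks like; this list is an assumption.
USER_WRITABLE_PREFIXES = ("%appdata%", "%localappdata%", "%temp%", "%userprofile%")

# Constructed .reg export (not from the report): one benign value plus the
# value the report says the sample creates. .reg files double backslashes.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Windows System Guard"="%AppData%\\egun.exe"
'''


def hashes_of(data: bytes) -> Dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


# MD5/SHA-1 of zero bytes; identical to the winsvncs.txt entry in the report.
EMPTY_INPUT = hashes_of(b"")


def match_report_hashes(data: bytes) -> Tuple[Optional[str], bool]:
    """Return (report entry whose MD5 and SHA-1 both match, or None) and
    whether the content is empty, i.e. whether a match carries no evidence."""
    h = hashes_of(data)
    for name, ref in REPORT_HASHES.items():
        if h == ref:
            return name, h == EMPTY_INPUT
    return None, h == EMPTY_INPUT


def run_entries(reg_text: str) -> Dict[str, str]:
    """Parse "name"="data" values under the HKLM Run key of a .reg export,
    unescaping the doubled backslashes of the .reg format."""
    entries: Dict[str, str] = {}
    in_run_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line) if in_run_key else None
        if m:
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def suspicious_run_entries(reg_text: str) -> List[str]:
    """Names of Run values that start something from a user-writable path
    or reuse the exact value name seen in the report."""
    hits = []
    for name, data in run_entries(reg_text).items():
        if data.lower().startswith(USER_WRITABLE_PREFIXES) or name == "Windows System Guard":
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("suspicious Run values:", suspicious_run_entries(REG_EXPORT))
    # An empty file reproduces the winsvncs.txt hashes, which proves nothing.
    print("empty file ->", match_report_hashes(b""))
    print("other bytes ->", match_report_hashes(b"MZ\x90\x00 not the sample"))
```

On a live host the same checks run against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the bytes of %AppData%\egun.exe; a hit on the egun.exe hashes is strong evidence, a hit on the winsvncs.txt hashes is none, and the Run value name or path is what to pivot on for the latter.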
* The data identified by the following URLs was then requested from the remote web server:
o http://fastactionart.com/drvrd23434vrdvrv.php?w=v26MmjSySdagXTd07AUYFbNtPre/J4A4OtEMTid8fk4EXFSGikbVmTenB0qSdQXfhJic7Z4WeAiBMF4XBWbzfoyRtufQpaX+Mvtpvu7qlQ==
o http://216.246.99.115/install.52081.exe
o http://flashartssite.com/drvrd23434vrdvrv.php?w=v26MmjSySdagXTd07AUYFbNtPre/J4A4OtEMTid8fk4EXFSGikbVmTenB0qSdQXfhJic7Z4WeAiBMF4XBWbzfoyRtufQpaX+Mvtpvu7qlQ==
o http://givesgoodart.com/drvrd23434vrdvrv.php?w=v26MmjSySdagXTd07AUYFbNtPre/J4A4OtEMTid8fk4EXFSGikbVmTenB0qSdQXfhJic7Z4WeAiBMF4XBWbzfoyRtufQpaX+Mvtpvu7qlQ==