serv01.colo.owned.hu

Remote Host Port Number
serv01.colo.owned.hu 31092
serv01.colo.owned.hu 31091
serv01.colo.owned.hu 31090

NICK NEW-computername
USER dvhwyjfe UNIX UNIX :username
JOIN #test# syslock
NICK computername
USER zznidihe UNIX UNIX :username

Now talking in #test#
Topic On: [ #test# ] [encISBzaWxlbmNlOyEgZGx4IHRvcHZpZGVvLnNpLy5odGFjYy9tYWthaC5leGU= ]
Modes On: [ #test# ] [ +smntMu ]

* To mark the presence in the system, the following Mutex object was created:
o _SHuassist.mtx

* The following port was open in the system:

Port Protocol Process
1034 TCP WindowsLive.exe (%AppData%WindowsLive.exe)

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINESOFTWAREWindowsLive
o HKEY_CURRENT_USERSoftwareWinRAR SFX

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Windows Live = “%AppData%WindowsLive.exe”

so that WindowsLive.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREWindowsLive]
+ version = “180”
o [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
+ Windows Live = “%AppData%WindowsLive.exe”

so that WindowsLive.exe runs every time Windows starts
o [HKEY_CURRENT_USERSoftwareWinRAR SFX]
+ C%%DOCUME~1%%UserName%%LOCALS~1%Temp = “%UserProfile%LOCALS~1Temp”

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
WindowsLive.exe %AppData%windowslive.exe 2 191 360 bytes
[filename of the sample #1] [file and pathname of the sample #1] 143 360 bytes
winserv.exe %Temp%winserv.exe 2 191 360 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %AppData%WindowsLive.exe
%Temp%winserv.exe 3 345 391 bytes MD5: 0xB78170F4DE8FC6B54A11B2F951774078
SHA-1: 0x4EA7E3EB153C8E4A2ACD0DBBD5CAF5C58C46627E W32/RealBot-C [Sophos]
Win32.SuspectCrc [Ikarus]
2 %Temp%WindowsLive 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 (not available)
3 [file and pathname of the sample #1] 1 033 820 bytes MD5: 0x756D57A89A2D0289D8D764C2951C346C
SHA-1: 0x2CA945A68F73CA330D67530EE23E3A0350D5A395 (not available)

Categories: Uncategorized
Previous post