Remote Host Port Number
75.102.24.35 1234 PASS xxx ircd here

NICK NEW-[USA|00|P|83449]
USER XP-3848 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|83449] -ix
JOIN #jakarta test
PONG irc.priv8net.com

* The data identified by the following URLs was then requested from the remote web server:

Other details

* The following ports were open in the system:

Port Protocol Process
1075 TCP infocard.exe (%Windir%\infocard.exe)
1090 TCP infocard.exe (%Windir%\infocard.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Administrating = "%Windir%\infocard.exe"
so that infocard.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Administrating = "%Windir%\infocard.exe"
so that infocard.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Firewall Administrating = "%Windir%\infocard.exe"
so that infocard.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
infocard.exe %Windir%\infocard.exe 3 121 152 bytes

* The following system service was modified:

Service Name Display Name New Status Service Filename
wuauserv Automatic Updates "Stopped" %System%\svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%\infocard.exe [file and pathname of the sample #1]
  File Size: 96 910 bytes
  MD5: 0x1852C4E432F3DE91ADCD00FDF4DEC001
  SHA-1: 0x176B4D91D1497E2E28972213CF7FE03E1A329311
  Alias: Malware.Yimfoca [PCTools], W32.Yimfoca [Symantec], Mal/Generic-L [Sophos], Worm:Win32/Pushbot.RR [Microsoft], Win-Trojan/Bypassagent.96910 [AhnLab]
2 %Windir%\mdll.dll
  File Size: 1 415 bytes
  MD5: 0x092F4B624AA3B9C1A80724B78D73C405
  SHA-1: 0x8CE1E4A5D0281E121F2FA6205D40D1B1E14E6992
  Alias: (not available)
3 %Windir%\wintybrd.jpg
  File Size: 3 871 bytes
  MD5: 0xDC83CBCD1AAFCB790FBB9B3DF9545DF3
  SHA-1: 0x55C1A8BC90B7DB7CBB753CD23C68E693BF2B22ED
  Alias: (not available)
