* There was registered attempt to establish connection with the remote host. The connection details are:
Remote Host Port Number
z00000000.inluver.com 47221
There was an outbound traffic produced on port 47221:
00000000 | 5041 5353 206C 6574 6D65 696E 0D0A 4E49 | PASS letmein..NI
00000010 | 434B 205B 4E30 305F 5553 415F 5850 5F35 | CK [N00_USA_XP_5
00000020 | 3438 3236 3030 5D18 E740 0D0A 5553 4552 | 482600]..@..USER
00000030 | 2053 5032 2D31 3334 202A 2030 203A 434F | SP2-134 * 0 :CO
00000040 | 4D50 5554 4552 4E41 4D45 0D0A | MPUTERNAME..
Other details
* To mark the presence in the system, the following Mutex object was created:
o jftx822crn2fcs
* The following ports were open in the system:
Port Protocol Process
1034 TCP ccdrive32.exe (%Windir%\ccdrive32.exe)
1035 TCP ccdrive32.exe (%Windir%\ccdrive32.exe)
* The following Host Name was requested from a host database:
o z00000000.inluver.com
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = "%Windir%\ccdrive32.exe"
so that ccdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Driver Setup = "%Windir%\ccdrive32.exe"
so that ccdrive32.exe runs every time Windows starts
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
ccdrive32.exe %Windir%\ccdrive32.exe 339 968 bytes
[filename of the sample #1] [file and pathname of the sample #1] 339 968 bytes
File System Modifications
* The following file was created in the system:
# Filename(s) File Size File Hash Alias
1 Filename(s):
  %Windir%\ccdrive32.exe
  [file and pathname of the sample #1]
  File Size: 184 839 bytes
  File Hash:
  MD5: 0x678F04B2E18FA49B4E0B9B1DA8837AD5
  SHA-1: 0xF079BCB097C09098DF0AC197A8B4D791EF866DB2
  Alias:
  Net-Worm.Spybot [PCTools]
  W32.Spybot.Worm [Symantec]
  Trojan-Downloader.Win32.CodecPack.knx [Kaspersky Lab]
  Downloader-CEV [McAfee]
  Mal/Wintrim-A [Sophos]
  Worm:Win32/Rimecud [Microsoft]
  Win-Trojan/Downloader.184839 [AhnLab]
Now talking in #dpi
Topic On: [ #dpi ] [ finito ]
Topic By: [ b4762 ]
Modes On: [ #dpi ] [ +smntSMCu ]