Remote Host      Port Number
201.40.117.44    6667
NICK n-123107
USER enuiknr 0 0 :n-123107
USERHOST n-123107
MODE n-123107 -x+B
JOIN #teste
NICK n-813308
USER natauv 0 0 :n-813308
USERHOST n-813308
MODE n-813308 -x+B
Other details
* The following ports were open in the system:
Port    Protocol    Process
113     TCP         rgysir.exe (%System%\rgysir.exe)
1054    TCP         rgysir.exe (%System%\rgysir.exe)
Registry Modifications
* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Update Machine = “rgysir.exe”
so that rgysir.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
+ Microsoft Update Machine = “rgysir.exe”
so that rgysir.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Update Machine = “rgysir.exe”
so that rgysir.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name    Process Filename       Main Module Size
rgysir.exe      %System%\rgysir.exe    3 096 576 bytes
File System Modifications
* The following file was created in the system:
#  Filename(s):  1  %System%\rgysir.exe
                    [file and pathname of the sample #1]
   File Size:    1 375 232 bytes
   File Hash:    MD5: 0xADD57E59536C73B1F3D49FB9378DE6D5
                 SHA-1: 0x64F47B80AA375098666119EDF014EC6DBEBFD582
   Alias:        Net-Worm.Spybot [PCTools]
                 W32.Spybot.Worm [Symantec]
                 Packed.Win32.Black.a [Kaspersky Lab]
                 Mal/Behav-285 [Sophos]
                 packed with ASPack [Kaspersky Lab]