Remote Host Port Number
78.46.21.247 6680
PING hell1410.zapto.org
USER [NEW|7755] False * :kBotv5
NICK [NEW|7755]
JOIN #cutugno
PONG :You have not registered
JOIN ##USA
Registry Modifications
* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ dll = “%AppData%dllsvchost.exe”
so that svchost.exe runs every time Windows starts
* The following Registry Value was modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Userinit =
File System Modifications
* The following files were created in the system:
# | Filename(s) | File Size | File Hash | Alias
1 | %AppData%dllhere.txt; %AppData%temp4876969.txt | 0 bytes | MD5: 0xD41D8CD98F00B204E9800998ECF8427E; SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709 | (not available)
2 | %AppData%dllsvchost.exe; [file and pathname of the sample #1] | 89 600 bytes | MD5: 0x7B46B5BF10D40B5758ADECC7F671D1B4; SHA-1: 0x4D3C0F656D716A2638F3E42FAEC4778EFFF61554 | Backdoor.MSIL.IrcBot.ct [Kaspersky Lab]; Worm:MSIL/Tawsebot.A [Microsoft]
宜欣 - June 24, 2010 at 12:49 pm
^^~~ Browsing blogs at a leisurely pace, many thanks for your sharing~~~