184.82.37.136

Remote Host | Port Number
184.82.37.136 | 6667

NICK tltknwytlm
USER ztetqtgovb 0 0 :tltknwytlm
JOIN #dickery hickery
USERHOST tltknwytlm
MODE tltknwytlm -xi+B
PONG :S.W.A.T

Registry Modifications

* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
o HKEY_CURRENT_USER\Software\Microsoft\OLE

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft = “vcpkgsrv.exe”

so that vcpkgsrv.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
+ Microsoft = “vcpkgsrv.exe”

so that vcpkgsrv.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\OLE]
+ Microsoft = “vcpkgsrv.exe”

* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
+ EnableDCOM =
o [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
+ restrictanonymous =
o [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
+ restrictanonymous =

Memory Modifications

* There was a new process created in the system:

Process Name | Process Filename | Main Module Size
vcpkgsrv.exe | %System%\vcpkgsrv.exe | 622 592 bytes

File System Modifications

* The following file was created in the system:

# 1
Filename(s): [file and pathname of the sample #1]
%System%\vcpkgsrv.exe
File Size: 286 208 bytes
File Hash: MD5: 0x3AD0AE99647810CDDA80C10F86103B42
SHA-1: 0x2D101A18E4CE4AA1A941C9557518D9406ACF7589
Alias: Net-Worm.Spybot [PCTools]
W32.Spybot.Worm [Symantec]
Backdoor.Win32.Rbot.gen [Kaspersky Lab]
W32/Sdbot.worm.gen.g [McAfee]
W32/Rbot-Gen, Mal/IRCBot-B [Sophos]
Backdoor:Win32/Rbot.gen [Microsoft]
Win32/IRCBot.worm.Gen [AhnLab]
